EdgeSwitch - CLI Reference Guide
Overview
This article contains the CLI reference guide for EdgeSwitch. Use the content tree below to see the command sections that interest you.
- Applicable to the latest EdgeSwitch firmware on all EdgeSwitch models.
- This article does not apply to the EdgeSwitch X (ES-X) and EdgeSwitch XP (ES-XP) models.
Management Commands
This section describes the management commands available in the EdgeSwitch CLI.
Network Interface Commands
This section describes the commands you use to configure a logical interface for management access.
network parms
This command sets the device’s IP address, subnet mask, and gateway. The IP address and gateway must be on the same subnet. If you specify the none option, the IP address and subnet mask are set to the factory defaults.
network parms {ipaddr netmask [gateway] | none}
Mode: Privileged EXEC

network mac-address
This command sets locally administered MAC addresses. The following rules apply:
- Bit 6 of byte 0 (called the U/L bit) indicates whether the address is universally administered (b’0’) or locally administered (b’1’).
- Bit 7 of byte 0 (called the I/G bit) indicates whether the destination address is an individual address (b’0’) or a group address (b’1’).
- The second character, of the twelve character macaddr, must be 2, 6, A or E.
A locally administered address must have bit 6 On (b’1’) and bit 7 Off (b’0’).
network mac-address macaddr
Mode: Privileged EXEC

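The rules for network mac-address count bits from the most significant end of byte 0, so the U/L bit is the 0x02 mask and the I/G bit is the 0x01 mask of the first octet. The Python check below is an added example, not part of the EdgeSwitch documentation or firmware; the function names and sample addresses are constructed for illustration.

```python
import re

# Masks for the first octet (byte 0). The reference numbers bits from the
# most significant end, so its "bit 6" has value 0x02 and "bit 7" value 0x01.
UL_BIT = 0x02  # 0 = universally administered, 1 = locally administered
IG_BIT = 0x01  # 0 = individual address, 1 = group address

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{12}$")


def normalize_mac(text):
    """Drop common separators and return 12 upper-case hex digits."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not _MAC_RE.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return digits.upper()


def classify_mac(text):
    """Report how the two administrative bits of byte 0 are set."""
    digits = normalize_mac(text)
    byte0 = int(digits[:2], 16)
    return {
        "mac": digits,
        "locally_administered": bool(byte0 & UL_BIT),
        "group": bool(byte0 & IG_BIT),
    }


def is_valid_local_mac(text):
    """True when the address has the U/L bit set and the I/G bit clear."""
    try:
        info = classify_mac(text)
    except ValueError:
        return False
    return info["locally_administered"] and not info["group"]


def allowed_second_characters():
    """Derive the legal second hex character from the two bit rules."""
    return sorted(
        format(nibble, "X")
        for nibble in range(16)
        if (nibble & UL_BIT) and not (nibble & IG_BIT)
    )


if __name__ == "__main__":
    # Constructed sample addresses.
    for sample in ("02:00:5E:10:00:01", "00:15:6D:00:00:01",
                   "03:00:5E:10:00:01", "0A0000000001"):
        print(sample, classify_mac(sample), is_valid_local_mac(sample))
    print("second character must be one of", allowed_second_characters())
```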
network mac-type
This command specifies whether the switch uses the burned-in or the locally administered MAC address.
network mac-type {local | burnedin}
Mode: Privileged EXEC

network javamode
This command specifies whether or not the switch should allow access to the Java applet in the header frame of the web interface. When access is enabled, the Java applet can be viewed from the web interface. When access is disabled, the user cannot view the Java applet.
network javamode
Mode: Privileged EXEC

network protocol
Select DHCP, BootP, or None as the network config protocol. Use the none keyword to roll back to the default network configuration. This option also allows you to configure a static IP address. The dhcp client-id option enables the DHCP client to specify the unique client identifier (option 61).
network protocol [ bootp | dhcp {client-id} | none ]
Mode: Privileged EXEC

network protocol static parms
Select static network configuration. Configuring an IP address with this command is the same as using the network parms command. Use the none keyword to remove all system network configuration.
network protocol static parms [ none | ipaddr netmask gw ]
Mode: Privileged EXEC

show network
This command displays configuration settings associated with the switch’s network interface. The network interface is the logical interface used for in-band connectivity with the switch via any of the switch’s front panel ports.
The configuration parameters associated with the switch’s network interface do not affect the configuration of the front panel ports through which traffic is switched or routed. The network interface is always considered to be up, whether or not any member ports are up; therefore, the show network command will always show Interface Status as Up.
show network
Modes: User / Privileged EXEC

Console Port Access Commands
This section describes the commands you use to configure the console port. You can use a serial cable to connect a management host directly to the console port of the switch.
line
This command gives you access to the Line Console mode, which allows you to configure various Telnet settings and the console port, as well as to configure console login/enable authentication.
line {console | telnet | ssh}
Mode: Global Config
Parameters:

serial baudrate
This command specifies the communication rate of the terminal interface. The supported rates are 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200.
serial baudrate {1200 | 2400 | 4800 | 9600 | 19200 | 38400 | 57600 | 115200}
Mode: Line Config
Default: 115200

serial timeout
This command specifies the maximum connect time (in minutes) without console activity. A value of 0 indicates that a console can be connected indefinitely. The time range is 0 to 160.
serial timeout 0-160
Mode: Line Config
Default: 5

show serial
This command displays serial communication settings for the switch.
show serial
Modes: User / Privileged EXEC
Parameters:

Telnet Commands
This section describes the commands you use to configure and view Telnet settings. You can use Telnet to manage the device from a remote management host.
ip telnet server enable
Use this command to enable Telnet connections to the system and to enable the Telnet Server Admin Mode. This command opens the Telnet listening port.
ip telnet server enable
Mode: Privileged EXEC
Default: Disabled

transport input telnet
This command regulates new Telnet sessions. If enabled, new Telnet sessions can be established until there are no more sessions available. An established session remains active until the session is ended or an abnormal network error ends the session.
transport input telnet
Mode: Line Config
Default: Disabled

telnetcon maxsessions
This command specifies the maximum number of Telnet connection sessions that can be established. A value of 0 indicates that no Telnet connection can be established. The range is 0-5.
telnetcon maxsessions 0-5
Mode: Privileged EXEC
Default: 5

telnetcon timeout
This command sets the Telnet connection session timeout value, in minutes. A session is active as long as the session has not been idle for the value set. The time is a decimal value from 1 to 160.
telnetcon timeout 1-160
Mode: Privileged EXEC
Default: 5

show telnetcon
This command displays the current inbound Telnet settings. In other words, these settings apply to Telnet connections initiated from a remote system to the switch.
show telnetcon
Modes: User / Privileged EXEC
Parameters:

Secure Shell Commands
This section describes the commands you use to configure Secure Shell (SSH) access to the switch. Use SSH to access the switch from a remote management host.
ip ssh
Use this command to enable SSH access to the system. (This command is the short form of the ip ssh server enable command).
ip ssh
Mode: Privileged EXEC
Default: Enabled

ip ssh protocol
This command is used to set or remove protocol levels (or versions) for SSH. Either SSH1 (1), SSH2 (2), or both SSH 1 and SSH 2 (1 and 2) can be set.
ip ssh protocol [1] [2]
Mode: Privileged EXEC
Default: 2

ip ssh server enable
This command enables the IP secure shell server.
ip ssh server enable
Mode: Privileged EXEC
Default: Enabled

sshcon maxsessions
This command specifies the maximum number of SSH connection sessions that can be established. A value of 0 indicates that no SSH connection can be established. The range is 0 to 5.
sshcon maxsessions 0-5
Mode: Privileged EXEC
Default: 5

sshcon timeout
This command sets the SSH connection session timeout value, in minutes. A session is active as long as the session has not been idle for the value set. The time is a decimal value from 1 to 160.
Changing the timeout value for active sessions does not become effective until the session is re-accessed. Also, any keystroke activates the new timeout duration.
sshcon timeout 1-160
Mode: Privileged EXEC
Default: 5

show ip ssh
This command displays the SSH settings.
show ip ssh
Mode: Privileged EXEC
Parameters:

Management Security Commands
This section describes commands you use to generate keys and certificates, which you can do in addition to loading them as before.
crypto certificate generate
Use this command to generate a self-signed certificate for HTTPS. The generated RSA key for SSL has a length of 1024 bits. The resulting certificate is generated with a common name equal to the lowest IP address of the device and a duration of 365 days.
crypto certificate generate
Mode: Global Config

crypto key generate rsa
Use this command to generate an RSA key pair for SSH. The new key files will overwrite any existing generated or downloaded RSA key files.
crypto key generate rsa
Mode: Global Config

crypto key generate dsa
Use this command to generate a DSA key pair for SSH. The new key files will overwrite any existing generated or downloaded DSA key files.
crypto key generate dsa
Mode: Global Config

Hypertext Transfer Protocol Commands
This section describes the commands you use to configure Hypertext Transfer Protocol (HTTP) and secure HTTP access to the switch. Access to the switch by using a web browser is enabled by default.
ip http accounting exec, ip https accounting exec
These commands apply the user exec (start-stop/stop-only) accounting list to the line methods HTTP and HTTPS.
ip {http|https} accounting exec {default | listname}
Mode: Global Config

ip http authentication, ip https authentication
Use these commands to specify authentication methods for HTTP and HTTPS users. By default, the local user database is checked. This action has the same effect as the command ip http|https authentication local. The additional methods of authentication are used only if the previous method returns an error, not if it fails.
To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line. For example, if none is specified as an authentication method after RADIUS, no authentication is used if the RADIUS server is down.
ip {http|https} authentication {local | none | radius | tacacs} {method2}
Mode: Global Config
Default: local
Parameters:

ip http server
This command enables access to the switch through the web interface. When access is enabled, the user can log in to the switch from the web interface. When access is disabled, the user cannot log in to the switch’s web server. Disabling the web interface takes effect immediately. All interfaces are affected.
ip http server
Mode: Privileged EXEC
Default: Enabled

ip http secure-server
This command is used to enable the secure socket layer for secure HTTP.
ip http secure-server
Mode: Privileged EXEC
Default: Enabled

ip http session hard-timeout
This command configures the hard timeout for insecure HTTP sessions in hours. Configuring this value to zero will give an infinite hard-timeout. When this timeout expires, the user will be forced to re-authenticate. This timer begins on initiation of the web session and is unaffected by the activity level of the connection.
ip http session hard-timeout 1-168
Mode: Privileged EXEC
Default: 24

ip http session maxsessions
This command limits the number of allowable insecure HTTP sessions. Zero is the configurable minimum.
ip http session maxsessions 0-16
Mode: Privileged EXEC
Default: 16

ip http session soft-timeout
This command configures the soft timeout for insecure HTTP sessions in minutes. Configuring this value to zero will give an infinite soft-timeout. When this timeout expires, the user will be forced to re-authenticate. This timer begins on initiation of the web session and is restarted with each access to the switch.
ip http session soft-timeout 1-60
Mode: Privileged EXEC
Default: 5

ip http secure-session hard-timeout
This command configures the hard timeout for secure HTTP sessions in hours. When this timeout expires, the user is forced to re-authenticate. This timer begins on initiation of the web session and is unaffected by the activity level of the connection. The secure-session hard-timeout cannot be set to zero (infinite).
ip http secure-session hard-timeout 1-168
Mode: Privileged EXEC
Default: 24

ip http secure-session maxsessions
This command limits the number of secure HTTP sessions. Zero is the configurable minimum.
ip http secure-session maxsessions 0-16
Mode: Privileged EXEC
Default: 16

ip http secure-session soft-timeout
This command configures the soft timeout for secure HTTP sessions in minutes. Configuring this value to zero will give an infinite soft-timeout. When this timeout expires, you are forced to re-authenticate. This timer begins on initiation of the web session and is restarted with each access to the switch. The secure-session soft-timeout cannot be set to zero (infinite).
ip http secure-session soft-timeout 1-60
Mode: Privileged EXEC
Default: 5

ip http secure-port
This command is used to set the SSL port where port can be 1025-65535 and the default is port 443.
ip http secure-port [port-id]
Mode: Privileged EXEC
Default: 443

ip http secure-protocol
This command is used to set protocol levels (versions). The protocol level can be set to TLS1, SSL3 or to both TLS1 and SSL3.
ip http secure-protocol [SSL3] [TLS1]
Mode: Privileged EXEC
Default: SSL3 and TLS1

show ip http
This command displays the HTTP settings for the switch.
show ip http
Mode: Privileged EXEC
Parameters:

Access Commands
Use the commands in this section to close remote connections or to view information about connections to the system.
disconnect
Use the disconnect command to close HTTP, HTTPS, Telnet or SSH sessions. Use all to close all active sessions, or use session-id to specify the session ID to close. To view the possible values, use the show loginsession command.
disconnect {session_id | all}
Mode: Privileged EXEC

show loginsession
This command displays current Telnet, SSH and serial port connections to the switch. This command displays truncated user names. Use the show loginsession long command to display the complete usernames.
show loginsession
Mode: Privileged EXEC
Parameters:

show loginsession long
This command displays the complete user names of the users currently logged in to the switch.
show loginsession long
Mode: Privileged EXEC

User Account Commands
This section describes the commands you use to add, manage, and delete system users. The EdgeSwitch software has one default user account: ubnt. The ubnt user can view and configure system settings.
aaa authentication login
Use this command to set authentication at login. The default and optional list names created with the command are used with the aaa authentication login command. Create a list by entering the aaa authentication login <list-name> {method} command, where <list-name> is any character string used to name this list. The {method} argument identifies the list of methods that the authentication algorithm tries, in the given sequence.
The additional methods of authentication are used only if the previous method returns an error, not if there is an authentication failure. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line. For example, if none is specified as an authentication method after RADIUS, no authentication is used if the RADIUS server is down.
aaa authentication login {default | list-name} {enable | local | none | radius | tacacs} {method2}
Mode: Global Config
Default: networkList - Used by Telnet and SSH and only contains the method local.
Parameters:

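The fallback rule described for aaa authentication login, and earlier for ip http authentication, means a method list that ends in none grants access whenever every earlier method returns an error, while a rejection from an earlier method is final. The Python simulation below is an added example, not EdgeSwitch code; the backends, user names and passwords are constructed, and only the evaluation rule comes from the text above.

```python
import hmac
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"  # the method verified the credentials
    REJECT = "reject"  # the method answered and the credentials are wrong
    ERROR = "error"    # the method could not answer (server unreachable, timeout)


def make_backend(users, reachable=True):
    """Build a constructed stand-in for the local, radius or tacacs method."""
    def backend(username, password):
        if not reachable:
            return Result.ERROR
        stored = users.get(username)
        if stored is not None and hmac.compare_digest(stored, password):
            return Result.ACCEPT
        return Result.REJECT
    return backend


def evaluate(method_list, backends, username, password):
    """Apply the documented rule: try the next method only after an ERROR.

    Returns (granted, deciding_method, trace).
    """
    trace = []
    for method in method_list:
        if method == "none":
            # "none" performs no check, so reaching it grants access.
            trace.append((method, Result.ACCEPT))
            return True, method, trace
        result = backends[method](username, password)
        trace.append((method, result))
        if result is Result.ACCEPT:
            return True, method, trace
        if result is Result.REJECT:
            # An authentication failure is final; later methods are not tried.
            return False, method, trace
    return False, None, trace  # every method returned an error


def fails_open(method_list):
    """True when the list can grant access without checking credentials."""
    return "none" in method_list


# Constructed credentials for the demonstration.
LOCAL = {"ubnt": "local-Passw0rd!"}
RADIUS = {"alice": "radius-Passw0rd!"}


def scenario(method_list, radius_up, username, password):
    """Evaluate one login attempt with the RADIUS stand-in up or down."""
    backends = {
        "local": make_backend(LOCAL),
        "radius": make_backend(RADIUS, reachable=radius_up),
    }
    return evaluate(method_list, backends, username, password)


if __name__ == "__main__":
    for methods in (["radius", "none"], ["radius", "local"]):
        for up in (True, False):
            granted, by, _ = scenario(methods, up, "nosuchuser", "guess")
            print(methods, "radius up" if up else "radius down", "->",
                  "GRANTED" if granted else "denied", "decided by", by)
```

Ending the list with local instead of none keeps a working fallback during a RADIUS outage without removing the credential check.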
aaa authentication enable
Use this command to set authentication for accessing higher privilege levels. The default enable list is enableList. It is used by console, telnet and SSH, and contains the method as enable followed by none.
aaa authentication enable {default | list-name} {deny | enable | line | none | radius | tacacs} {method2}
Mode: Global Config
Default: default
Parameters:

aaa authorization
This command enables access to the switch through the web interface. When access is enabled, the user can log in to the switch from the web interface. When access is disabled, the user cannot log in to the switch’s web server. Disabling the web interface takes effect immediately. All interfaces are affected.
aaa authorization {commands | exec} {default | list-name} {local | none | radius | tacacs}
Mode: Global Config
Parameters:

show authorization methods
This command is used to enable the secure socket layer for secure HTTP.
show authorization methods
Mode: Privileged EXEC

enable authentication
Use this command to specify the authentication method list when accessing a higher privilege level from a remote Telnet session.
enable authentication {default | list-name}
Mode: Line Config
Parameters:

username
Use the username command in Global Config mode to add a new user to the local user database. The default privilege level is 1. Using the encrypted keyword allows the administrator to transfer local user passwords between devices without having to know the passwords. When the password parameter is used along with encrypted parameter, the password must be exactly 128 hexadecimal characters in length.
If the password strength feature is enabled, this command checks for password strength and returns an appropriate error if it fails to meet the password strength criteria. Giving the optional parameter override-complexity-check disables the validation of the password strength.
username name {password password [encrypted [override-complexity-check] | level level [encrypted [override-complexity-check]] | override-complexity-check]} | {level level [override-complexity-check] password}
Mode: Global Config
Parameters:

username name nopassword
Use this command to remove an existing user’s password (NULL password).
username [name] nopassword [level level]
Mode: Global Config
Parameters:

username name unlock
Use this command to allow a locked user account to be unlocked. Only a user with read/write access can reactivate a locked user account.
username name unlock
Mode: Global Config

show users
This command displays the configured user names and their settings. The show users command displays truncated user names. Use the show users long command to display the complete user names. The show users command is only available for users with Read/Write privileges. The SNMPv3 fields will only be displayed if SNMP is available on the system.
show users
Mode: Privileged EXEC
Parameters:

show users long
This command displays the complete usernames of the configured users on the switch.
show users long
Mode: Privileged EXEC

show users accounts
This command displays local user status with respect to user account lockout and password aging. Displayed user names are truncated. Use the show users long command to show the complete user names.
show users accounts [detail]
Mode: Privileged EXEC
Parameters:

show users login-history
Use this command to display information about the login history of users.
show users login-history {long | username name}
Mode: Privileged EXEC

login authentication
Use this command to specify the login authentication method list for a line (console, telnet or SSH). The default configuration uses the default set with the command aaa authentication login.
login authentication {default | list-name}
Mode: Line Configuration
Parameters:

password (User EXEC)
Use this command to allow a user to change the password for only that user. This command should be used after the password has aged. The user is prompted to enter the old password and the new password.
password
Mode: User EXEC

password (Line Configuration)
Use the password command in Line Configuration mode to specify a password on a line. By default, no password is specified.
password [password [encrypted]]
Mode: Line Configuration
Parameters:

password (aaa IAS User Config)
This command is used to configure a password for a user in the IAS database. An optional encrypted parameter is provided to indicate that the password given to the command is already encrypted.
password [password [encrypted]]
Mode: aaa IAS User Config
Parameters:

enable password
Use the enable password command to set a local password to control access to the privileged EXEC mode.
enable password [password [encrypted]]
Mode: Privileged EXEC
Parameters:

passwords min-length
Use this command to enforce a minimum password length for local users. The value also applies to the enable password. The valid range is 8-64.
passwords min-length [8-64]
Mode: Global Config
Default: 8

passwords history
Use this command to set the number of previous passwords that shall be stored for each user account. When a local user changes his or her password, the user will not be able to reuse any password stored in password history. This ensures that users don’t reuse their passwords often. The valid range is 0-10.
passwords history [0-10]
Mode: Global Config
Default: 0

passwords aging
Use this command to implement aging on passwords for local users. When a user’s password expires, the user is prompted to change it before logging in again. The valid range is 1-365. The default is 0, or no aging.
passwords aging [1-365]
Mode: Global Config
Default: 0

passwords lock-out
Use this command to strengthen the security of the switch by locking user accounts that have failed login due to wrong passwords. When a lockout count is configured, a user that is logged in must enter the correct password within that count. Otherwise the user will be locked out from further switch access.
Only a user with read/write access can reactivate a locked user account. Password lockout does not apply to logins from the serial console. The valid range is 1-5. The default is 0, or no lockout count enforced.
passwords lock-out [1-5]
Mode: Global Config
Default: 0

passwords strength-check
Use this command to enable the password strength feature. It is used to verify the strength of a password during configuration.
passwords strength-check
Mode: Global Config
Default: Disabled

passwords strength maximum consecutive-characters
Use this command to set the maximum number of consecutive characters to be used in password strength. The valid range is 0-15. The default is 0. Minimum of 0 means no restriction on that set of characters.
passwords strength maximum consecutive-characters [0-15]
Mode: Global Config
Default: 0

passwords strength maximum repeated-characters
Use this command to set the maximum number of repeated characters to be used in password strength. The valid range is 0-15. The default is 0. Minimum of 0 means no restriction on that set of characters.
passwords strength maximum repeated-characters [0-15]
Mode: Global Config
Default: 0

passwords strength minimum uppercase-letters
Use this command to enforce a minimum number of uppercase letters that a password should contain. The valid range is 0-16. The default is 2. Minimum of 0 means no restriction on that set of characters.
passwords strength minimum uppercase-letters [0-16]
Mode: Global Config
Default: 2

passwords strength minimum lowercase-letters
Use this command to enforce a minimum number of lowercase letters that a password should contain. The valid range is 0-16. The default is 2. Minimum of 0 means no restriction on that set of characters.
passwords strength minimum lowercase-letters [0-16]
Mode: Global Config
Default: 2

passwords strength minimum numeric-characters
Use this command to enforce a minimum number of numeric characters that a password should contain. The valid range is 0-16. The default is 2. Minimum of 0 means no restriction on that set of characters.
passwords strength minimum numeric-characters [0-16]
Mode: Global Config
Default: 2

passwords strength minimum special-characters
Use this command to enforce a minimum number of special characters that a password should contain. The valid range is 0-16. The default is 2. Minimum of 0 means no restriction on that set of characters.
passwords strength minimum special-characters [0-16]
Mode: Global Config
Default: 2

passwords strength minimum character-classes
Use this command to enforce a minimum number of character classes that a password should contain. Character classes are uppercase letters, lowercase letters, numeric characters and special characters. The valid range is 0-4. The default is 4.
passwords strength minimum character-classes [0-4]
Mode: Global Config
Default: 4

passwords strength exclude-keyword
Use this command to exclude the specified keyword while configuring the password. The password does not accept the keyword in any form (in between the string, case insensitive and reverse) as a substring. You can configure up to a maximum of 3 keywords.
passwords strength exclude-keyword [keyword]
Mode: Global Config

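To see how the passwords min-length and passwords strength settings combine, the Python checker below applies them to a candidate password offline, using the defaults listed above. It is an added example, not the EdgeSwitch implementation; it assumes "consecutive" means an ascending run such as abcd, "repeated" means a run of one character such as aaaa, a character class counts once at least one character of it is present, and all sample passwords are constructed.

```python
import string
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    """Settings named after the CLI keywords, with the documented defaults."""
    min_length: int = 8
    max_consecutive: int = 0   # 0 = no restriction
    max_repeated: int = 0      # 0 = no restriction
    min_upper: int = 2
    min_lower: int = 2
    min_numeric: int = 2
    min_special: int = 2
    min_classes: int = 4
    exclude_keywords: list = field(default_factory=list)

    def __post_init__(self):
        if len(self.exclude_keywords) > 3:
            raise ValueError("at most 3 exclude-keywords can be configured")


def longest_run(password, step):
    """Longest run in which each code point is the previous one plus `step`."""
    best = run = 1 if password else 0
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if ord(cur) - ord(prev) == step else 1
        best = max(best, run)
    return best


def check_password(password, policy):
    """Return the list of violated settings (empty when the password passes)."""
    problems = []
    counts = {
        "uppercase-letters": sum(c in string.ascii_uppercase for c in password),
        "lowercase-letters": sum(c in string.ascii_lowercase for c in password),
        "numeric-characters": sum(c in string.digits for c in password),
    }
    # Assumption: anything that is not an ASCII letter or digit is "special".
    counts["special-characters"] = len(password) - sum(counts.values())

    if len(password) < policy.min_length:
        problems.append("min-length")

    minimums = {
        "uppercase-letters": policy.min_upper,
        "lowercase-letters": policy.min_lower,
        "numeric-characters": policy.min_numeric,
        "special-characters": policy.min_special,
    }
    for name, minimum in minimums.items():
        if counts[name] < minimum:
            problems.append(name)

    if sum(1 for n in counts.values() if n > 0) < policy.min_classes:
        problems.append("character-classes")

    if policy.max_consecutive and longest_run(password, 1) > policy.max_consecutive:
        problems.append("consecutive-characters")
    if policy.max_repeated and longest_run(password, 0) > policy.max_repeated:
        problems.append("repeated-characters")

    # Keywords are rejected as a substring, case-insensitively, in either direction.
    lowered = password.lower()
    for keyword in policy.exclude_keywords:
        k = keyword.lower()
        if k and (k in lowered or k[::-1] in lowered):
            problems.append(f"exclude-keyword {keyword}")
    return problems


if __name__ == "__main__":
    # Constructed candidates checked against the default policy.
    for candidate in ("Sw1tch!!", "EdgeCore#42!x"):
        print(candidate, check_password(candidate, PasswordPolicy()))
```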
show passwords configuration
Use this command to display the configured password management settings.
show passwords configuration
Mode: Privileged EXEC
Parameters:

show passwords result
Use this command to specify the login authentication method list for a line (console, telnet or SSH). The default configuration uses the default set with the command aaa authentication login.
show passwords result
Mode: Privileged EXEC
Parameters:

aaa ias-user username
The Internal Authentication Server (IAS) database is a dedicated internal database used for local authentication of users for network access through the IEEE 802.1X feature. Use the aaa ias-user username command in Global Config mode to add the specified user to the internal user database. This command also changes the mode to AAA User Config mode.
aaa ias-user username [user]
Mode: Global Config

aaa session-id
Use this command in Global Config mode to specify if the same session-id is used for Authentication, Authorization and Accounting service type within a session.
aaa session-id [common | unique]
Mode: Global Config
Default: common
Parameters:

aaa accounting
Use this command in Global Config mode to create an accounting method list for user EXEC sessions, user-executed commands, or 802.1X. This list is identified by default or a user-specified list_name.
Accounting records, when enabled for a line-mode, can be sent at both the beginning and at the end (start-stop) or only at the end (stop-only). If none is specified, then accounting is disabled for the specified list. If tacacs is specified as the accounting method, accounting records are notified to a TACACS+ server. If radius is the specified accounting method, accounting records are notified to a RADIUS server.
aaa accounting {exec | commands | dot1x} {default | list-name} {start-stop | stop-only | none} {none | radius | tacacs} {method2}
Mode: Global Config
Notes:
- A maximum of five Accounting Method lists can be created for each exec and commands type.
Parameters:

clear aaa ias-users
Use this command to remove all users from the IAS database.
clear aaa ias-users
Mode: Privileged EXEC

show aaa ias-users
Use this command to display configured IAS users and their attributes. Passwords configured are not shown in the show command output.
show aaa ias-users [username]
Mode: Privileged EXEC

accounting
Use this command in Line Configuration mode to apply the accounting method list to a line config (Telnet/SSH).
accounting {exec | commands} {default | list-name}
Mode: Line Configuration
Parameters:

show accounting
Use this command to display ordered methods for accounting lists.
show accounting
Mode: Privileged EXEC

show accounting methods
Use this command to display configured accounting method lists.
show accounting methods
Mode: Privileged EXEC

clear accounting statistics
This command clears the accounting statistics.
clear accounting statistics
Mode: Privileged EXEC

SNMP Commands
This section describes the commands you use to configure Simple Network Management Protocol (SNMP) on the switch. You can configure the switch to act as an SNMP agent so that it can communicate with SNMP managers on your network.
snmp-server
This command sets the name and the physical location of the switch, and the organization responsible for the network. The parameters name, location, and contact can be up to 255 characters in length.
snmp-server {sysname [name] | location [location] | contact [contact]}
Mode: Global Config

snmp-server community
This command adds (and names) a new SNMP community, and optionally sets the access mode, allowed IP address, and creates a view for the community.
Community names in the SNMP Community Table must be unique. When making multiple entries using the same community name, the first entry is kept and processed and all duplicate entries are ignored.
snmp-server community community-name [{ro | rw | su}] [ipaddress ip-address] [view view-name]
Mode: Global Config
Parameters:

snmp-server community-group
This command configures a community access string to permit access via the SNMPv1 and SNMPv2 protocols.
snmp-server community-group community-string group-name [ipaddress ipaddress]
Mode: Global Config
Parameters:

snmp-server enable traps violation
The Port MAC locking component interprets this command and configures violation action to send an SNMP trap with default trap frequency of 30 seconds. The Global command configures the trap violation mode across all interfaces valid for port-security. There is no global trap mode as such.
snmp-server enable traps violation
Modes: Global / Interface Config
Default: Disabled

snmp-server enable traps
This command enables the Authentication Flag.
snmp-server enable traps
Mode: Global Config
Default: Enabled

snmp trap link-status
This command enables link status traps on an interface or range of interfaces. This command is valid only when the Link Up/Down Flag is enabled.
snmp trap link-status
Mode: Interface Config

snmp trap link-status all
This command enables link status traps for all interfaces. This command is valid only when the Link Up/Down Flag is enabled.
snmp trap link-status all
Mode: Global Config

snmp-server enable traps linkmode
This command enables Link Up/Down traps for the entire switch. When enabled, link traps are sent only if the Link Trap flag setting associated with the port is enabled.
snmp-server enable traps linkmode
Mode: Global Config
Default: Enabled

snmp-server enable traps multiusers
This command enables Multiple User traps. When the traps are enabled, a Multiple User Trap is sent when a user logs in to the terminal interface (EIA 232 or Telnet) and there is an existing terminal interface session.
snmp-server enable traps multiusers
Mode: Global Config
Default: Enabled

snmp-server enable traps stpmode This command enables the sending of new root traps and topology change notification traps.
snmp-server enable traps stpmode Mode: Global Config Default: Enabled
snmp-server engineID local This command configures the SNMP engine ID on the local device. Changing the engine ID will invalidate all SNMP configuration that exists on the box.
snmp-server engineID local {engineid-string | default} Mode: Global Config Default: The engineID is configured automatically, based on the device MAC address. Parameters:
snmp-server filter This command creates a filter entry for use in limiting which traps will be sent to a host.
snmp-server filter filtername oid-tree {included | excluded} Mode: Global Config Default: No filters are created by default. Parameters:
snmp-server group Use this command to remove an existing user’s password (NULL password).
snmp-server group group-name {v1 | v2 | v3 {noauth | auth | priv}} [context context-name] [read read-view] [write write-view] [notify notify-view] Mode: Global Config Default: Generic groups are created for all versions and privileges using the default views. Parameters:
snmp-server host This command configures traps to be sent to the specified host.
snmp-server host host-addr {informs [timeout seconds] [retries retries] | traps version {1 | 2}} community-string [udp-port port] [filter filter-name] Mode: Global Config Default: No default hosts are configured. Parameters:
snmp-server user This command creates an SNMPv3 user for access to the system.
snmp-server user username groupname [remote engineid-string] [{auth-md5 password | auth-sha password | auth-md5-key md5-key | auth-sha-key sha-key} [priv-des password | priv-des-key des-key]] Mode: Global Config Default: No default users are created. Parameters:
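The snmp-server engineID local entry warns that changing the engine ID invalidates existing SNMP configuration, and snmp-server user accepts key-form credentials. Under the SNMPv3 User-based Security Model (RFC 3414), a password-derived key is localized with the engine ID, so it only verifies against that one engine. The following is an added example, not EdgeSwitch code; it assumes the switch follows RFC 3414 key localization, and the second engine ID is a constructed value.

```python
import hashlib
import hmac

ONE_MEGABYTE = 1048576  # RFC 3414 A.2 hashes this many bytes of the repeated password


def password_to_key(password: bytes, hash_name: str = "sha1") -> bytes:
    """Derive the user's intermediate key Ku from a password (RFC 3414 A.2)."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Bind Ku to one SNMP engine: Kul = H(Ku || engineID || Ku)."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("engine ID must be 5 to 32 octets (RFC 3411)")
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def still_valid(stored_kul: bytes, password: bytes, engine_id: bytes) -> bool:
    """Check whether a stored localized key matches this password on this engine."""
    candidate = localize_key(password_to_key(password), engine_id)
    return hmac.compare_digest(stored_kul, candidate)


def demo() -> dict:
    password = b"maplesyrup"                                  # RFC 3414 A.3 test password
    old_engine = bytes.fromhex("000000000000000000000002")    # RFC 3414 A.3 test engine ID
    new_engine = bytes.fromhex("8000ffff03001122334455")      # constructed engine ID
    stored = localize_key(password_to_key(password), old_engine)
    return {
        "stored_key": stored.hex(),
        "valid_on_old_engine": still_valid(stored, password, old_engine),
        "valid_on_new_engine": still_valid(stored, password, new_engine),
    }


if __name__ == "__main__":
    for field, value in demo().items():
        print(f"{field}: {value}")
```

The same password yields a different localized key on every engine, which is why users have to be re-created after an engine ID change and why a key generated for one switch should not be expected to work on another.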
snmp-server view This command creates or modifies an existing view entry that is used by groups to determine which objects can be accessed by a community or user.
snmp-server view viewname oid-tree {included | excluded} Mode: Global Config Default: Views are created by default to provide access to the default groups. Parameters:
snmp-server v3-host This command configures traps to be sent to the specified host.
snmp-server v3-host host-addr username [traps | informs [timeout seconds] [retries retries]] [auth | noauth | priv] [udpport port] [filter filter-name] Mode: Global Config Default: No default hosts are configured. Parameters:
snmptrap source-interface Use this command in Global Configuration mode to configure the global source-interface (Source IP address) for all SNMP communication between the SNMP client and the server.
snmptrap source-interface {slot/port | vlan vlan-id} Mode: Global Config Parameters:
show snmp This command displays the current SNMP configuration.
show snmp Mode: Privileged EXEC Parameters:
show snmp engineID This command displays the currently configured SNMP engineID.
show snmp engineID Mode: Privileged EXEC
show snmp filters This command displays the configured filters used when sending traps.
show snmp filters [filtername] Mode: Privileged EXEC Parameters:
show snmp group This command displays the configured groups.
show snmp group [groupname] Mode: Privileged EXEC Parameters:
show snmp source-interface Use this command in Privileged EXEC mode to display the configured global source-interface (Source IP address) details used for an SNMP client.
show snmp source-interface Mode: Privileged EXEC
show snmp user This command displays the currently configured SNMPv3 users.
show snmp user [username] Mode: Privileged EXEC Parameters:
show snmp views This command displays the currently configured views.
show snmp views [viewname] Mode: Privileged EXEC Parameters:
show trapflags This command displays trap conditions. The command’s display shows all the enabled OSPFv2 and OSPFv3 trapflags. Configure which traps the switch should generate by enabling or disabling the trap condition. If a trap condition is enabled and the condition is detected, the SNMP agent on the switch sends the trap to all enabled trap receivers.
You do not have to reset the switch to implement the changes. Cold and warm start traps are always generated and cannot be disabled.
show trapflags Mode: Privileged EXEC Parameters:
RADIUS Commands
This section describes the commands you use to configure the switch to use a Remote Authentication Dial-In User Service (RADIUS) server on your network for authentication and accounting.
radius accounting mode This command is used to enable the RADIUS accounting function.
radius accounting mode Mode: Global Config Default: Disabled
radius server attribute 32 This command sets a custom NAS Identifier attribute for RADIUS authentication.
radius server attribute 32 nas-identifier Mode: Global Config
radius server attribute 4 This command specifies the RADIUS client to use the NAS-IP Address attribute in the RADIUS requests. If the specific IP address is configured while enabling this attribute, the RADIUS client uses that IP address while sending NAS-IP-Address attribute in RADIUS communication.
radius server attribute 4 [ipaddr] Mode: Global Config Parameters:
radius server host This command configures the IP address or DNS name to use for communicating with the RADIUS server of a selected server type. While configuring the IP address or DNS name for the authenticating or accounting servers, you can also configure the port number and server name. If the authenticating and accounting servers are configured without a name, the command uses Default_RADIUS_Auth_Server and Default_RADIUS_Acct_Server as the default names, respectively. The same name can be configured for more than one authenticating server, and the name should be unique for accounting servers. The RADIUS client allows the configuration of a maximum of 32 authenticating and accounting servers.
If you use the auth parameter, the command configures the IP address or hostname to use to connect to a RADIUS authentication server. You can configure up to 3 servers per RADIUS client. If the maximum number of configured servers is reached, the command fails until you remove one of the servers by issuing the no form of the command. If you use the optional port parameter, the command configures the UDP port number to use when connecting to the configured RADIUS server. The port number range is 1-65535, with a default of 1812.
If you use the acct parameter, the command configures the IP address or hostname to use for the RADIUS accounting server. You can only configure one accounting server. If an accounting server is currently configured, use the no form of the command to remove it from the configuration. The IP address or hostname you specify must match that of a previously configured accounting server. If you use the optional port parameter, the command configures the UDP port to use when connecting to the RADIUS accounting server. If a port is already configured for the accounting server, the new port replaces the previously configured port. The port value must be in the range 0-65535, with a default of 1813.
radius server host {auth | acct} {ipaddr | dnsname} [name servername] [port 0-65535] Mode: Global Config Parameters:
radius server key This command configures the key to be used in RADIUS client communication with the specified server. Depending on whether the auth or acct keyword is used, the shared secret is configured for the RADIUS authentication or RADIUS accounting server. The IP address or hostname provided must match a previously configured server. When this command is executed, the secret is prompted.
Text-based configuration supports RADIUS server’s secrets in encrypted and non-encrypted format. When you save the configuration, these secret keys are stored in encrypted format only. If you want to enter the key in encrypted format, enter the key along with the encrypted keyword. In the show running-config command’s display, these secret keys are displayed in encrypted format. You cannot show these keys in plain text format.
radius server key {auth | acct} {ipaddr | dnsname} encrypted password Modes: Global Config Parameters:
radius server msgauth This command enables the message authenticator attribute to be used for the specified RADIUS Authenticating server.
radius server msgauth [ipaddr | dnsname] Mode: Global Config Parameters:
radius server primary This command specifies a configured server that should be the primary server in the group of servers which have the same server name. Multiple primary servers can be configured for each number of servers that have the same name.
When the RADIUS client has to perform transactions with an authenticating RADIUS server of specified name, the client uses the primary server that has the specified server name by default. If the RADIUS client fails to communicate with the primary server for any reason, the client uses the backup servers configured with the same server name. These backup servers are identified as the Secondary type.
radius server primary [ipaddr | dnsname] Mode: Global Config Parameters:
radius server retransmit This command configures the RADIUS client global parameter that specifies the maximum number of message transmissions before using the fall back server upon unsuccessful communication with the current RADIUS authenticating server. When the maximum number of retries is reached for the RADIUS accounting server and no response is received, the client does not communicate with any other server.
The maximum number of transmission attempts can be set from 1 to 15, with a default of 4 attempts.
radius server retransmit retries Mode: Global Config Default: 4
radius source-interface Use this command to specify the physical or logical interface to use as the RADIUS client source interface (source IP address). If configured, the address of source-interface is used for all RADIUS communications between the RADIUS server and the RADIUS client. The selected source-interface IP address is used for filling the IP header of RADIUS management protocol packets. This allows security devices (firewalls) to identify the source packets coming from the specific switch.
If a source-interface is not specified, the primary IP address of the originating (outbound) interface is used as the source address. If the configured interface is down, the RADIUS client falls back to its default behavior.
radius source-interface {slot/port | vlan vlan-id} Mode: Global Config
radius server timeout This command configures the RADIUS client global parameter that specifies the timeout value (in seconds) after which a request must be retransmitted to the RADIUS server if no response is received. The timeout value is an integer in the range of 1 to 30.
radius server timeout seconds Mode: Global Config Default: 5
show radius This command displays the values configured for the global parameters of the RADIUS client.
show radius Mode: Privileged EXEC Parameters:
show radius servers This command displays the summary and details of the RADIUS authenticating servers configured for the RADIUS client.
show radius servers [{ipaddr | dnsname | name [servername]}] Mode: Privileged EXEC Parameters:
show radius accounting This command displays a summary of configured RADIUS accounting servers.
show radius accounting name [servername] Mode: Privileged EXEC Parameters:
show radius accounting statistics This command displays a summary of statistics for the configured RADIUS accounting servers.
show radius accounting statistics {ipaddr | dnsname | name servername} Mode: Privileged EXEC Parameters:
show radius source-interface Use this command in Privileged EXEC mode to display the configured RADIUS client source-interface (Source IP address) information.
show radius source-interface Mode: Privileged EXEC
show radius statistics This command displays the summary statistics of configured RADIUS Authenticating servers.
show radius statistics {ipaddr | dnsname | name servername} Mode: Privileged EXEC Parameters:
TACACS+ Commands
TACACS+ provides access control for networked devices via one or more centralized servers. Similar to RADIUS, this protocol simplifies authentication by making use of a single database that can be shared by many clients on a large network. TACACS+ is based on the TACACS protocol (described in RFC1492) but additionally provides for separate authentication, authorization, and accounting services.
tacacs-server host Use the tacacs-server host command in Global Configuration mode to configure a TACACS+ server. This command enters into the TACACS+ configuration mode. The ip-address|hostname parameter is the IP address or hostname of the TACACS+ server. To specify multiple hosts, multiple tacacs-server host commands can be used.
tacacs-server host ip-address|hostname Mode: Global Config
tacacs-server key Use the tacacs-server key command to set the authentication and encryption key for all TACACS+ communications between the switch and the TACACS+ daemon. The key-string parameter has a range of 0-128 characters and specifies the authentication and encryption key for all TACACS communications between the switch and the TACACS+ server. This key must match the key used on the TACACS+ daemon.
Text-based configuration supports TACACS server’s secrets in encrypted and non-encrypted format. When you save the configuration, these secret keys are stored in encrypted format only. If you want to enter the key in encrypted format, enter the key along with the encrypted keyword. The show running-config command displays these secret keys in encrypted format. You cannot show these keys in plain text format.
tacacs-server key [key-string | encrypted key-string] Mode: Global Config
tacacs-server keystring Use the tacacs-server keystring command to set the global authentication encryption key used for all TACACS+ communications between the TACACS+ server and the client.
tacacs-server keystring Mode: Global Config
tacacs-server source-interface Use this command in Global Configuration mode to configure the source interface (Source IP address) for TACACS+ server configuration. The selected source-interface IP address is used for filling the IP header of management protocol packets. This allows security devices (firewalls) to identify the source packets coming from the specific switch.
If a source-interface is not specified, the primary IP address of the originating (outbound) interface is used as the source address.
tacacs-server source-interface {slot/port | vlan vlan-id} Modes: Global Config
tacacs-server timeout Use this command to set the timeout value for communication with the TACACS+ servers. The timeout parameter has a range of 1-30 and is the timeout value in seconds.
tacacs-server timeout timeout Mode: Global Config
key (TACACS Config) Use the key command in TACACS Configuration mode to specify the authentication and encryption key for all TACACS communications between the device and the TACACS server. This key must match the key used on the TACACS daemon. The key-string parameter specifies the key name. For an empty string use “ ”. The range is 0-128 characters.
Text-based configuration supports TACACS server’s secrets in encrypted and non-encrypted format. When you save the configuration, these secret keys are stored in encrypted format only. If you want to enter the key in encrypted format, enter the key along with the encrypted keyword. In the show running-config command’s display, these secret keys are displayed in encrypted format. You cannot show these keys in plain text format.
key [key-string | encrypted key-string] Mode: TACACS Config
keystring (TACACS Server Config) Use the keystring command in TACACS Server Configuration mode to set the TACACS+ server-specific authentication encryption key used for all TACACS+ communications between the TACACS+ server and the client.
keystring Mode: TACACS Server Config
port (TACACS Config) Use the port command in TACACS Configuration mode to specify a server port number. The server port-number range is 0 - 65535.
port port-number Mode: TACACS Config Default: 49
priority (TACACS Config) Use this command in TACACS Configuration mode to specify the order in which servers are used, where 0 (zero) is the highest priority. The priority parameter specifies the priority for servers. The highest priority is 0 (zero), and the range is 0 - 65535.
priority priority Mode: TACACS Config Default: 0
timeout (TACACS Config) Use this command in TACACS Configuration mode to specify the timeout value in seconds. If no timeout value is specified, the global value is used. The timeout parameter has a range of 1-30 and is the timeout value in seconds.
timeout timeout Mode: TACACS Config
show tacacs Use this command to display the configuration, statistics, and source interface details of the TACACS+ client.
show tacacs [ip-address|hostname|client|server] Mode: Privileged EXEC Parameters:
show tacacs source-interface Use this command in Global Config mode to display the configured global source interface details used for a TACACS+ client. The IP address of the selected interface is used as source IP for all communications with the server.
show tacacs source-interface Mode: Privileged EXEC
Configuration Scripting Commands
Configuration Scripting allows you to generate text-formatted script files representing the current configuration of a system. You can apply configuration scripts to one or more switches with no or minor modifications. Use the show running-config command to capture the running configuration into a script. Use the copy command to transfer the configuration script to or from the switch.
Scripts must conform to the following rules:
- The file extension must be .scr.
- A maximum of ten scripts are allowed on the switch.
- The combined size of all script files on the switch shall not exceed 2048 KB.
- The maximum number of configuration file command lines is 2000.
You can type single-line annotations at the command prompt to use when you write test or configuration scripts to improve script readability. The exclamation mark (!) character flags the beginning of a comment. The comment flag character can begin a word anywhere on the command line, and all input following this character is ignored.
script apply This command applies the commands in the script to the switch. The scriptname parameter is the name of the script to apply.
script apply scriptname Mode: Privileged EXEC
script delete This command deletes a specified script where the scriptname parameter is the name of the script to delete. The all option deletes all the scripts present on the switch.
script delete {scriptname | all} Mode: Privileged EXEC
script list This command lists all scripts present on the switch as well as the remaining available space.
script list Mode: Privileged EXEC
script show This command displays the contents of a script file, which is named scriptname.
script show scriptname Mode: Privileged EXEC
script validate This command validates a script file by parsing each line in the script file where scriptname is the name of the script to validate. The validate option is intended to be used as a tool for script development. Validation identifies potential problems. It might not identify all problems with a given script on any given device.
script validate scriptname Mode: Privileged EXEC
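An offline review pass for a configuration script, as an added example (not Ubiquiti code): it applies the script rules listed above, including the rule that `!` starts a comment only when it begins a word, and flags SNMP, RADIUS and TACACS+ settings from this guide that leave access or secrets weaker than the commands allow. The sample script, its group names and addresses are constructed, and the use of `exit` to leave TACACS Config mode is an assumption.

```python
import re

MAX_COMMAND_LINES = 2000                   # script rule stated on this page
COMMENT = re.compile(r"(?:^|(?<=\s))!")    # '!' is a comment only when it begins a word


def strip_comment(line):
    """Return the command part of a line, dropping a word-initial '!' comment."""
    m = COMMENT.search(line)
    return (line[:m.start()] if m else line).strip()


def audit_script(name, text):
    """Return (line_no, rule, detail) findings for one script, sorted by line."""
    findings = []
    if not name.endswith(".scr"):
        findings.append((0, "SCRIPT-EXT", "file extension must be .scr"))
    commands = [(no, strip_comment(raw).split())
                for no, raw in enumerate(text.splitlines(), 1)]
    commands = [(no, t) for no, t in commands if t]
    if len(commands) > MAX_COMMAND_LINES:
        findings.append((0, "SCRIPT-LEN", "more than 2000 command lines"))

    radius_auth, msgauth, in_tacacs = {}, set(), False
    for no, t in commands:
        if t[:2] == ["snmp-server", "community-group"]:
            findings.append((no, "SNMP-V1V2", "community string permits SNMPv1/v2 access"))
            if "ipaddress" not in t[4:]:
                findings.append((no, "SNMP-ANYSRC", "community not limited to one ipaddress"))
        elif t[:2] == ["snmp-server", "user"]:
            opts = t[4:]
            if not any(o.startswith("auth-") for o in opts):
                findings.append((no, "SNMP-NOAUTH", "SNMPv3 user without authentication"))
            elif not any(o.startswith("priv-") for o in opts):
                findings.append((no, "SNMP-NOPRIV", "SNMPv3 user without privacy"))
        elif t[:4] == ["radius", "server", "host", "auth"] and len(t) > 4:
            radius_auth.setdefault(t[4], no)
        elif t[:3] == ["radius", "server", "msgauth"] and len(t) > 3:
            msgauth.add(t[3])
        elif t[:3] == ["radius", "server", "key"] and len(t) > 5 and t[5] != "encrypted":
            findings.append((no, "SECRET-PLAIN", "RADIUS key not in encrypted format"))
        elif t[:2] == ["tacacs-server", "host"]:
            in_tacacs = True               # following 'key' lines belong to this server
        elif t[0] == "exit":
            in_tacacs = False              # assumption: 'exit' leaves TACACS Config mode
        elif (t[:2] == ["tacacs-server", "key"] and len(t) > 2 and t[2] != "encrypted") or \
             (in_tacacs and t[0] == "key" and len(t) > 1 and t[1] != "encrypted"):
            findings.append((no, "SECRET-PLAIN", "TACACS+ key not in encrypted format"))

    for host, no in radius_auth.items():
        if host not in msgauth:
            findings.append((no, "RADIUS-NOMSGAUTH", f"msgauth not enabled for {host}"))
    return sorted(findings, key=lambda f: f[0])


# Constructed sample script; names, secrets and addresses are made up for the example.
SAMPLE = """\
! constructed sample, not from a real device
snmp-server community-group public ReadGrp
snmp-server community-group ops ReadGrp ipaddress 192.0.2.10   ! restricted source
snmp-server user monitor ReadGrp auth-sha Passw0rd!x
snmp-server user backup ReadGrp auth-sha pw1 priv-des pw2
radius server host auth 192.0.2.20 name Primary
radius server host auth 192.0.2.21
radius server msgauth 192.0.2.21
radius server key auth 192.0.2.20 encrypted 0a1b2c
radius server key auth 192.0.2.21 s3cr!t
tacacs-server host 192.0.2.30
key labkey
exit
tacacs-server key encrypted 99ff
"""

if __name__ == "__main__":
    for line_no, rule, detail in audit_script("edge.scr", SAMPLE):
        print(f"line {line_no:>2}  {rule:<17} {detail}")
```

A `!` inside a word, as in the two constructed secrets, is kept as part of the command, so a naive "cut at the first `!`" parser would misread those lines.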
application This command starts or stops an installed application.
application start | stop filename Mode: Privileged EXEC
Prelogin Banner, System Prompt, and Host Name Commands
This section describes the commands you use to configure the prelogin banner and the system prompt. The prelogin banner is the text that displays before you login.
copy The copy command includes the option to upload or download the CLI Banner to or from the switch. You can specify local URLs by using TFTP, SFTP, SCP, or Xmodem.
copy tftp://ipaddr/filepath/filename nvram:clibanner
copy nvram:clibanner tftp://ipaddr/filepath/filename Mode: Privileged EXEC
set prompt This command changes the name of the prompt. The length of name may be up to 64 alphanumeric characters.
set prompt prompt_string Mode: Privileged EXEC
hostname This command sets the system hostname. It also changes the prompt. The length of name may be up to 64 alphanumeric, case-sensitive characters.
hostname hostname Mode: Privileged EXEC
show clibanner Use this command to display the configured prelogin CLI banner. The prelogin banner is the text that displays before displaying the CLI prompt.
show clibanner Mode: Privileged EXEC
set clibanner Use this command to configure the prelogin CLI banner before displaying the login prompt. The line parameter sets the banner text where double quote ("") is a delimiting character. The banner message can be up to 2000 characters.
set clibanner line Mode: Global Config
IPv6 Management Commands
IPv6 Management commands allow a device to be managed via an IPv6 address in a switch or IPv4 routing (i.e., independent from the IPv6 Routing package). For routing/IPv6 builds dual IPv4/IPv6 operation over the service port is enabled.
The EdgeSwitch has capabilities such as:
- Static assignment of IPv6 addresses and gateways for the service/network ports.
- The ability to ping an IPv6 link-local address over the service/network port.
- Using IPv6 management commands, you can send SNMP traps and queries via the service/network port.
- The user can manage a device via the network port.
network ipv6 enable Use this command to enable IPv6 operation on the network port.
network ipv6 enable Mode: Privileged EXEC Default: Enabled
network ipv6 address Use the options of this command to manually configure IPv6 global address, enable/disable stateless global address auto-configuration and to enable/disable DHCPv6 client protocol information for the network port. Multiple IPv6 addresses can be configured on the network port.
network ipv6 address {address/prefix-length [eui64] | autoconfig | dhcp} Mode: Privileged EXEC Parameters:
network ipv6 gateway Use this command to configure IPv6 default gateway (global or link-local address format) information for the network port.
network ipv6 gateway gateway-address Mode: Privileged EXEC
network ipv6 neighbor Use this command to manually add IPv6 neighbors to the IPv6 neighbor table for this network port. If an IPv6 neighbor already exists in the neighbor table, the entry is automatically converted to a static entry. Static entries are not modified by the neighbor discovery process. They are, however, treated the same for IPv6 forwarding.
Static IPv6 neighbor entries are applied to the kernel stack and to the hardware when the corresponding interface is operationally active.
network ipv6 neighbor ipv6-address macaddr Mode: Privileged EXEC Parameters:
show network ipv6 neighbors Use this command to display the information about the IPv6 neighbor entries cached on the network port. The information is updated to show the type of the entry.
show network ipv6 neighbors Mode: Privileged EXEC Parameters:
show network ipv6 dhcp statistics Use this command to display information about the IPv6 DHCPv6 client statistics.
show network ipv6 dhcp statistics Mode: Privileged EXEC
ping ipv6 Use this command to determine whether another computer is on the network. Ping provides a synchronous response when initiated from the CLI and browser-based UI interfaces. To use the command, configure the switch for network (in-band) connection. The source and target devices must have the ping utility enabled and running on top of TCP/IP. The switch can be pinged from any IP workstation with which the switch is connected through the default VLAN (VLAN 1), as long as there is a physical path between the switch and the workstation.
The terminal interface sends three pings to the target station. Use the ipv6-global-address|hostname parameter to ping an interface by using the global IPv6 address of the interface. The argument slot/port corresponds to a physical routing interface or VLAN routing interface. The keyword vlan is used to specify the VLAN ID of the routing VLAN directly instead of a slot/port format. Use the optional size keyword to specify the size of the ping packet. You can utilize the ping or traceroute facilities over the service/network ports when using an IPv6 global address ipv6-global-address|hostname. Any IPv6 global address or gateway assignments to these interfaces will cause IPv6 routes to be installed within the IP stack such that the ping or traceroute request is routed out the service/network port properly. When referencing an IPv6 link-local address, you must also specify the service or network port interface by using the network parameter.
ping ipv6 {ipv6-global-address|hostname | {interface {slot/port | vlan 1-4093 | network} link-local-address} [size datagram-size]} Modes: User / Privileged EXEC Default: count 1 / interval 3 seconds / size 0 bytes
ping ipv6 interface Use this command to determine whether another computer is on the network. To use the command, configure the switch for network (in-band) connection. The source and target devices must have the ping utility enabled and running on top of TCP/IP. The switch can be pinged from any IP workstation with which the switch is connected through the default VLAN (VLAN 1), as long as there is a physical path between the switch and the workstation.
The terminal interface sends three pings to the target station. You can use a network port, service port, VLAN, or physical interface as the source. The parameter slot/port corresponds to a physical routing interface or VLAN routing interface. The keyword vlan is used to specify the VLAN ID of the routing VLAN directly instead of in a slot/port format.
ping ipv6 interface {slot/port | vlan 1-4093 | network} {link-local-address link-local-address | ipv6-address} [size datagram-size] Modes: User / Privileged EXEC Parameters:
UNMS, Discovery and Analytics Commands
Use the commands in this section to configure the UNMS, Ubiquiti Discovery and Device Analytics features.
service ubnt-discovery
Use this command to enable or disable the Ubiquiti Discovery responder.
service ubnt-discovery Mode: Global Config Default: Enabled
service ubnt-discovery-scanner
Use this command to enable or disable the Ubiquiti Discovery scanner.
service ubnt-discovery-scanner Mode: Global Config Default: Enabled
service ubnt-discovery-active-scan
Use this command to enable or disable the Ubiquiti Discovery active scan feature.
ubnt-discovery-active-scan Mode: Global Config Default: Disabled
service unms
Use this command to enable or disable the UNMS service.
service unms Mode: Global Config Default: Disabled
service unms key
Use this command to manually add the UNMS key obtained from the UNMS server.
service unms key key-value Mode: Global Config
device analytics
Use this command to enable or disable the Ubiquiti Device Analytics feature.
device analytics Mode: Global Config Default: Disabled
show unms
Use this command to view the UNMS connection status and log entries.
show unms [log] Mode: Privileged EXEC
show device analytics
Use this command to verify if the Ubiquiti Device Analytics feature is enabled or disabled.
show device analytics Mode: Privileged EXEC
Utility Commands
This chapter describes the utility commands available in the EdgeSwitch CLI.
AutoInstall Commands
The AutoInstall feature enables the automatic update of the image and configuration of the switch. This feature enables touchless or low-touch provisioning to simplify switch configuration and imaging. AutoInstall includes the following support:
- Downloading an image from TFTP server using DHCP option 125. The image update can result in a downgrade/upgrade of the firmware.
- Automatically downloading a configuration file from a TFTP server when the switch is booted with no saved configuration file.
- Automatically downloading an image from a TFTP server in the following situations:
- When the switch is booted with no saved configuration found.
- When the switch is booted with a saved configuration that has AutoInstall enabled.
When the switch boots and no configuration file is found, it attempts to obtain an IP address from a network DHCP server. The response from the DHCP server includes the IP address of the TFTP server where the image and configuration files are located.
After acquiring an IP address and the additional relevant information from the DHCP server, the switch downloads the image file or configuration file from the TFTP server. A downloaded image is automatically installed. A downloaded configuration file is saved to non-volatile memory.
AutoInstall from a TFTP server can run on any IP interface, including the network port, service port, and in-band routing interfaces (if supported). To support AutoInstall, the DHCP client is enabled operationally on the service port, if it exists, or the network port, if there is no service port.
boot autoinstall Use this command to operationally start or stop the AutoInstall process on the switch. The command is non-persistent and is not saved in the startup or running configuration file.
boot autoinstall {start | stop} Mode: Privileged EXEC Default: Stopped
boot host retrycount Use this command to set the number of attempts to download a configuration file from the TFTP server.
boot host retrycount [1-3] Mode: Privileged EXEC Default: 3
boot host dhcp Use this command to enable AutoInstall on the switch for the next reboot cycle. The command does not change the current behavior of AutoInstall and saves the command to NVRAM.
boot host dhcp Mode: Privileged EXEC Default: Disabled
boot host autosave Use this command to automatically save the downloaded configuration file to the startup-config file on the switch. When autosave is disabled, you must explicitly save the downloaded configuration to non-volatile memory by using the write memory or copy system:running-config nvram:startup-config command.
If the switch reboots and the downloaded configuration has not been saved, the AutoInstall process begins, if the feature is enabled.
boot host autosave Mode: Privileged EXEC Default: Disabled
boot host autoreboot Use this command to allow the switch to automatically reboot after successfully downloading an image. When auto reboot is enabled, no administrative action is required to activate the image and reload the switch.
boot host autoreboot Mode: Privileged EXEC Default: Enabled
erase startup-config Use this command to erase the text-based configuration file stored in non-volatile memory. If the switch boots and no startup-config file is found, the AutoInstall process automatically begins.
erase startup-config Modes: Privileged EXEC |
erase factory-defaults Use this command to erase the text-based factory-defaults file stored in non-volatile memory.
erase factory-defaults Modes: Privileged EXEC |
erase application Use this command to erase an application file stored in non-volatile memory.
erase application filename Modes: Privileged EXEC |
show autoinstall This command displays the current status of the AutoInstall process.
show autoinstall Modes: Privileged EXEC |
Dual Image Commands
The EdgeSwitch software supports a dual image feature that allows the switch to have two software images in the permanent storage. You can specify which image is the active image to be loaded in subsequent reboots. This feature allows reduced down-time when you upgrade or downgrade the software.
delete This command deletes the backup image file from the permanent storage.
delete backup Mode: Privileged EXEC |
boot system This command activates the specified image. It will be the active-image for subsequent reboots and will be loaded by the boot loader. The current active-image is marked as the backup-image for subsequent reboots. If the specified image doesn’t exist on the system, this command returns an error message.
boot system {active | backup} Mode: Privileged EXEC |
show bootvar This command displays the version information and the activation status for the current active and backup images. The command also displays any text description associated with an image. This command displays the switch activation status.
show bootvar Mode: Privileged EXEC |
filedescr This command associates a given text description with an image. Any existing description will be replaced.
filedescr {active | backup} text-description Mode: Privileged EXEC |
update bootcode This command updates the bootcode (boot loader) on the switch. The bootcode is read from the active-image for subsequent reboots.
update bootcode Mode: Privileged EXEC |
System Information and Statistics Commands
This section describes the commands you use to view information about system features, components, and configurations.
show arp switch This command displays the contents of the IP stack’s Address Resolution Protocol (ARP) table. The IP stack only learns ARP entries associated with the management interfaces – network or service ports. ARP entries associated with routing interfaces are not listed.
show arp switch Mode: Privileged EXEC Parameters:
show eventlog This command displays the event log, which contains error messages from the system. The event log is not cleared on a system reset. The unit is the switch identifier.
show eventlog [unit] Mode: Privileged EXEC Parameters:
show hardware This command displays inventory information for the switch.
show hardware Mode: Privileged EXEC |
show reload This command displays whether the reload in command was previously set and the time before the switch will be restarted.
show reload Mode: Privileged EXEC |
show environment This command displays the temperature and fan information (if applicable) for the switch.
show environment Mode: Privileged EXEC |
show version This command displays inventory information for the switch.
show version Mode: Privileged EXEC Parameters:
show platform vpd This command displays vital product data for the switch.
show platform vpd Modes: User / Privileged EXEC Parameters:
show interface This command displays a summary of statistics for a specific interface or a count of all CPU traffic based upon the argument.
show interface {slot/port | switchport} Mode: Privileged EXEC Parameters:
show interfaces status Use this command to display interface information, including the description, port state, speed and auto-neg capabilities. The command is similar to show port all but displays additional fields like interface description and port-capability.
The interface description is configured with the existing command description <name>. It has a maximum length of 64 characters and is truncated to 28 characters in this command's output. The long form of the description can be displayed using show port description. The interfaces displayed by this command are physical interfaces, LAG interfaces and VLAN routing interfaces.
show interfaces status [slot/port] Mode: Privileged EXEC |
show interfaces traffic Use this command to display interface traffic information.
show interfaces traffic [slot/port] Mode: Privileged EXEC |
show interface counters This command reports key summary statistics for all the ports (physical, port-channel, and CPU).
show interface counters Mode: Privileged EXEC Parameters:
show interface ethernet This command displays detailed statistics for a specific interface or for all CPU traffic based upon the argument.
show interface ethernet {slot/port | switchport | all} Mode: Privileged EXEC Parameters:
show interface ethernet switchport This command displays the private VLAN mapping information for the switch interfaces.
show interface ethernet interface-id switchport Mode: Privileged EXEC |
show interface lag Use this command to display configuration information about the specified LAG interface.
show interface lag lag-intf-num Mode: Privileged EXEC |
show fiber-ports optical-transceiver This command displays the diagnostics information of the SFP like Temp, Voltage, Current, Input Power, Output Power, Tx Fault, and LOS. The values are derived from the SFP’s A2 (Diagnostics) table using the I2C interface.
show fiber-ports optical-transceiver {all | slot/port} Mode: Privileged EXEC Parameters:
show fiber-ports optical-transceiver-info This command displays the SFP vendor-related information such as the vendor name, SFP serial number, and SFP part number. The values are derived from the SFP’s A0 table using the I2C interface.
show fiber-ports optical-transceiver-info {all | slot/port} Mode: Privileged EXEC Parameters:
show mac-addr-table This command displays the forwarding database entries. These entries are used by the transparent bridging function to determine how to forward a received frame. Enter all or no parameters to display the entire table. Enter a MAC Address and VLAN ID to display the table entry for the requested MAC address on the specified VLAN. Enter the count parameter to view summary information about the forwarding database table. Use the interface slot/port parameter to view MAC addresses on a specific interface.
The lag lag-intf-num can also be used as an alternate way to specify the LAG interface. Use the vlan vlan_id parameter to display information about MAC addresses on a specified VLAN.
show mac-addr-table [{macaddr vlan_id | all | count | interface slot/port | vlan vlan_id}] Mode: Privileged EXEC Parameters:
process cpu threshold Use this command to configure the CPU utilization thresholds. The Rising and Falling thresholds are specified as a percentage of CPU resources. The utilization monitoring time period can be configured from 5 seconds to 86400 seconds in multiples of 5 seconds. The CPU utilization threshold configuration is saved across a switch reboot. Configuring the falling utilization threshold is optional. If the falling CPU utilization parameters are not configured, then they take the same value as the rising CPU utilization parameters.
process cpu threshold type total rising 1-100 interval Mode: Global Config |
show process app-list This command displays the user and system applications.
show process app-list Mode: Privileged EXEC |
show process app-resource-list This command displays the configured and in-use resources of each application.
show process app-resource-list Mode: Privileged EXEC |
show process cpu This command provides the percentage utilization of the CPU by different tasks.
show process cpu Mode: Privileged EXEC |
show process proc-list This command displays the processes started by applications created by the Process Manager.
show process proc-list Mode: Privileged EXEC |
show running-config Display the currently running (active) configuration. To display or capture the commands with settings and configurations that are equal to the default value, include the all option.
The optional interface parameter can be used to display the configuration of a physical, LAG or VLAN interface. If the optional scriptname parameter is used with a file name that has the .scr extension, the output is redirected to a script file.
show running-config [all | interface | scriptname] Mode: Privileged EXEC |
show startup-config Display the startup (boot) configuration.
show startup-config Mode: Privileged EXEC |
show backup-config Display the backup configuration if present.
show backup-config Mode: Privileged EXEC |
show factory-defaults Display the factory default configuration.
show factory-defaults Mode: Privileged EXEC |
show sysinfo This command displays switch information.
show sysinfo Mode: Privileged EXEC Parameters:
show tech-support Use the show tech-support command to display system and configuration information when you contact technical support. Only share the output of the tech-support file with trusted parties as the contents may contain sensitive information on your environment/network.
show tech-support Mode: Privileged EXEC |
show mbuf This command displays the memory mbuf information for the switch.
show mbuf [ detail | total ] Mode: Privileged EXEC |
length Use this command to set the pagination length to value lines for the sessions of the Line Config mode (Telnet/SSH) in which it is entered. The setting is persistent.
length value Mode: Line Config Default: 24 |
terminal length Use this command to set the pagination length to value lines for the current session. The setting takes effect immediately on the current session and is not persistent.
terminal length value Mode: Privileged EXEC |
show terminal length Use this command to display all the configured terminal length values.
show terminal length Mode: Privileged EXEC |
memory free low-watermark processor Use this command to get notifications when the CPU free memory falls below the configured threshold. A notification is generated when the free memory falls below the threshold. Another notification is generated once the available free memory rises to 10 percent above the specified threshold.
To prevent generation of excessive notifications when the CPU free memory fluctuates around the configured threshold, only one Rising or Falling memory notification is generated over a period of 60 seconds. The threshold is specified in kilobytes. The CPU free memory threshold configuration is saved across a switch reboot.
memory free low-watermark processor 1-256392 Mode: Global Config Default: 0 (Disabled) |
Logging Commands
This section describes the commands used to configure system logging, and to view logs and logging settings.
logging buffered This command enables logging to memory. You can specify the severitylevel value as an integer from 0 to 7.
logging buffered [severitylevel] Mode: Global Config Default: Enabled |
logging buffered wrap This command enables wrapping of in-memory logging when the log file reaches full capacity. Otherwise when the log file reaches full capacity, logging stops.
logging buffered wrap Mode: Global Config Default: Enabled |
logging cli-command This command enables the CLI command logging feature, which enables the EdgeSwitch software to log all CLI commands issued on the system.
logging cli-command Mode: Global Config Default: Disabled |
logging traps This command sets the severity at which SNMP traps are logged and sent in an email. Specify the severitylevel value as an integer from 0 to 7.
logging traps severitylevel Mode: Global Config Default: 6 (Info) |
logging console This command enables logging to the console. You can specify the severitylevel value as an integer from 0 to 7.
logging console [severitylevel] Mode: Global Config Default: Disabled |
logging host This command configures the logging host parameters. You can configure up to eight hosts.
logging host {hostaddress|hostname} addresstype {port severitylevel} Mode: Global Config Default: Disabled Parameters:
logging host reconfigure This command enables logging host reconfiguration. The hostindex is the logging host index for which to change the IP address. The index value can be displayed with the show logging hosts command.
logging host reconfigure hostindex Mode: Global Config |
logging host remove This command disables logging to host. The hostindex is the logging host index that should be deleted. The index value can be displayed with the show logging hosts command.
logging host remove hostindex Mode: Global Config |
logging port This command sets the local port number of the LOG client for logging messages. The portid can be in the range from 1 to 65535.
logging port portid Mode: Global Config Default: 514 |
logging syslog This command enables syslog logging.
logging syslog Mode: Global Config Default: Disabled |
logging syslog port This command enables syslog logging. The portid parameter is an integer with a range of 1-65535.
logging syslog port portid Mode: Global Config Default: 514 |
logging syslog source-interface This command configures the syslog source-interface (source IP address) for syslog server configuration. The selected source-interface IP address is used for filling the IP header of management protocol packets. This allows security devices (firewalls) to identify the source packets coming from the specific switch. If a source-interface is not specified, the primary IP address of the originating (outbound) interface is used as the source address.
logging syslog source-interface {slot/port | {vlan vlan-id}} Mode: Global Config |
show logging This command displays logging configuration information.
show logging Mode: Privileged EXEC Parameters:
show logging buffered This command displays buffered logging (system startup and system operation logs).
show logging buffered Mode: Privileged EXEC Parameters:
show logging hosts This command displays all configured logging hosts.
show logging hosts Mode: Privileged EXEC Parameters:
show logging persistent This command displays persistent log entries.
show logging persistent Mode: Privileged EXEC |
show logging traplogs This command displays SNMP trap events and statistics.
show logging traplogs Mode: Privileged EXEC Parameters:
clear logging buffered This command clears buffered logging (system startup and system operation logs).
clear logging buffered Mode: Privileged EXEC |
Email Alerting and Mail Server Commands
This section describes the commands used to configure Email Alerting and other mail server commands.
logging email This command enables email alerting and sets the lowest severity level for which log messages are emailed. If you specify a severity level, log messages at or above this severity level, but below the urgent severity level, are emailed in a non-urgent manner by collecting them together until the log time expires. The severitylevel value is specified as an integer from 0 to 7.
logging email [severitylevel] Mode: Global Config Default: Disabled |
logging email urgent This command sets the lowest severity level at which log messages are emailed immediately in a single email message. The severitylevel value is specified as an integer from 0 to 7. Specify none to indicate that log messages are collected and sent in a batch email at a specified interval.
logging email urgent {severitylevel | none} Mode: Global Config Default: 1 (Alert) |
logging email message-type to-addr This command configures the email address to which messages are sent. The message types supported are urgent, non-urgent, and both. For each supported severity level, multiple email addresses can be configured. The to-email-addr variable is a standard email address.
logging email message-type {urgent|non-urgent|both} to-addr to-email-addr Mode: Global Config |
logging email from-addr This command configures the email address of the sender (the switch).
logging email from-addr from-email-addr Mode: Global Config |
logging email message-type subject This command configures the subject line of the email for the specified type.
logging email message-type {urgent |non-urgent |both} subject subject Mode: Global Config |
logging email logtime This command configures how frequently non-urgent email messages are sent. Non-urgent messages are collected and sent in a batch email at the specified interval. The valid range is every 30-1440 minutes.
logging email logtime minutes Mode: Global Config Default: 30 minutes |
logging email test message-type This command sends an email to the SMTP server to test the email alerting function.
logging email test message-type {urgent |non-urgent |both} message-body message-body Mode: Global Config |
show logging email config This command displays information about the email alert configuration.
show logging email config Mode: Privileged EXEC Parameters:
show logging email statistics This command displays email alerting statistics.
show logging email statistics Mode: Privileged EXEC Parameters:
clear logging email statistics This command resets the email alerting statistics.
clear logging email statistics Mode: Privileged EXEC |
mail-server This command configures the SMTP server to which the switch sends email alert messages and changes the mode to Mail Server Configuration mode. The server address can be in the IPv4, IPv6, or DNS name format.
mail-server {ip-address | ipv6-address | hostname} Mode: Global Config
security (Mail Server Config) This command sets the email alerting security protocol by enabling the switch to use TLS authentication with the SMTP server. If the TLS mode is enabled on the switch but the SMTP server does not support TLS mode, no email is sent to the SMTP server.
security {tlsv1 | none} Mode: Mail Server Config Default: none
port (Mail Server Config) This command configures the TCP port to use for communication with the SMTP server. The recommended port for TLSv1 is 465, and for no security (i.e. none) it is 25. However, any nonstandard port in the range 1 to 65535 is also allowed.
port {465 | 25 | 1–65535} Mode: Mail Server Config Default: 25 |
username (Mail Server Config) This command configures the login ID the switch uses to authenticate with the SMTP server.
username name Mode: Mail Server Config Default: admin |
password (Mail Server Config) This command configures the password the switch uses to authenticate with the SMTP server.
password password Mode: Mail Server Config Default: admin |
show mail-server config This command displays information about the email alert configuration.
show mail-server {ip-address | hostname | all} config Mode: Privileged EXEC Parameters:
System Utility and Clear Commands
This section describes the commands that you can use to start configuring the switch, troubleshoot connectivity issues, and restore various configurations to their factory defaults.
help
Display help for various special keys.
help Mode: Privileged EXEC |
no
Use the no form to reverse the action of a command or reset a value back to its default. For example, the no shutdown configuration command reverses the previously entered shutdown command on an interface.
no command Mode: Global Config |
enable
This command gives you access to the Privileged EXEC mode. From the Privileged EXEC mode, you can configure the network interface.
enable Mode: User EXEC |
do This command executes Privileged EXEC mode commands from any of the configuration modes.
do Modes: Global / Interface / VLAN Config |
write memory Use this command to save running configuration changes to NVRAM so that changes will persist across a reboot. This command is the same as copy system:running-config nvram:startup-config. Use the confirm keyword to directly save the configuration to NVRAM without prompting for confirmation.
write memory [confirm] Mode: Privileged EXEC |
configure
This command gives you access to the Global Config mode. From the Global Config mode, you can configure a variety of system settings, including user accounts. From the Global Config mode, you can enter other command modes, including Line Config mode.
configure Mode: Privileged EXEC |
dir Use this command to list the files in the directory /mnt/fastpath in flash from the CLI.
dir Mode: Privileged EXEC |
traceroute Use this command to discover the routes that IPv4 or IPv6 packets actually take when traveling to their destination through the network on a hop-by-hop basis. Traceroute continues to provide a synchronous response when initiated from the CLI.
traceroute {ip-address | [ipv6] {ipv6-address | hostname}} [initTtl initTtl] [maxTtl maxTtl] [maxFail maxFail] [interval interval] [count count] [port port] [size size] [source {ip-address | ipv6-address | slot/port}] Mode: Privileged EXEC Default: count: 3 probes / interval: 3 seconds / size: 0 bytes / port: 33434 / maxTtl: 30 hops / maxFail: 5 probes / initTtl: 1 hop Parameters:
clear config This command resets the configuration to the factory defaults without powering off the switch. When you issue this command, a prompt appears to confirm that the reset should proceed. When you enter y, you automatically reset the current configuration on the switch to the default values. It does not reset the switch.
clear config Mode: Privileged EXEC |
clear eventlog This command clears entries from the persistent event log.
clear eventlog Mode: Privileged EXEC |
clear mac-addr-table This command clears a specific dynamic MAC address entry or all entries. You can match on specific interface or VLAN when clearing a MAC address.
clear mac-addr-table [all | interface slot/port | vlan vlan-id | macaddr] Mode: Privileged EXEC |
clear pass This command resets all user passwords to the factory defaults without powering off the switch. You are prompted to confirm that the password reset should proceed.
clear pass Mode: Privileged EXEC |
clear traplog This command clears the trap log.
clear traplog Mode: Privileged EXEC |
clear vlan This command resets VLAN configuration parameters to the factory defaults.
When the VLAN configuration is reset to the factory defaults, there are some scenarios regarding GVRP and MVRP that happen due to this:
- Static VLANs are deleted.
- GVRP is restored to the factory default as a result of handling the VLAN RESTORE NOTIFY event.
- Since GVRP is disabled by default, this means that GVRP should be disabled and all of its dynamic VLANs should be deleted.
clear vlan Mode: Privileged EXEC |
logout This command closes the current Telnet/SSH connection or resets the current serial connection.
logout Mode: Privileged EXEC |
ping Use this command to determine whether another computer is on the network. Ping provides a synchronous response when initiated from the CLI and web interfaces.
ping {address | hostname | {ipv6 {interface {slot/port | vlan 1-4093 | network} link-local-address} | ipv6-address | hostname} [count count] [interval 1-60] [size size] [source ip-address | ipv6-address | {slot/port | vlan 1-4093 | network}] Modes: User / Privileged EXEC Default: count: 3 / interval: 3 seconds / size: 0 bytes Parameters:
quit This command closes the current Telnet/SSH connection or resets the current serial connection. The system asks you whether to save configuration changes before quitting.
quit Mode: Privileged EXEC |
reload This command restarts the switch. Use the optional in parameter to restart the switch after a specified interval. The configuration keyword allows you to gracefully reload a configuration file or script.
reload [in hh:mm] [configuration] Mode: Privileged EXEC |
copy The copy command uploads and downloads files to and from the switch. You can also use the copy command to manage the dual images (active and backup) on the file system. To upload and download files from a server you can use FTP, TFTP, Xmodem, Ymodem, or Zmodem. If FTP is used, a password is required.
The verify and noverify parameters are only available if the image/configuration verify options feature is enabled. The verify parameter specifies that digital signature verification will be performed for the specified downloaded image or configuration file. The noverify parameter specifies that no verification will be performed.
copy source destination {verify | noverify} Mode: Privileged EXEC Parameters:
file verify This command enables digital signature verification while an image and/or configuration file is downloaded to the switch.
file verify {all | image | none | script} Mode: Global Config Parameters:
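A defender-side check built from the defaults listed in the AutoInstall, Logging, Email Alerting and file verify entries above, given as an added example that is not part of the original guide or vendor tooling. It assumes a saved show running-config capture lists commands in the syntax forms shown in this guide and omits settings left at their defaults; the sample capture, the check IDs and the end-of-block exit handling are constructed for illustration.

```python
"""Audit an EdgeSwitch configuration capture against settings named in this guide.

Added example, not vendor code. Assumption: the capture lists commands in the
syntax forms shown in this guide and omits settings left at their defaults.
"""
import re

# Constructed sample capture (not real device output). Addresses come from the
# RFC 5737 documentation range; the arguments after the host address are made up.
SAMPLE_CONFIG = """\
configure
boot host dhcp
boot host autosave
logging syslog
logging host 192.0.2.10 ipv4 514 6
mail-server 192.0.2.25
port 25
exit
exit
"""


def parse(config_text):
    """Return (global commands, {mail-server address: Mail Server Config lines})."""
    global_cmds, mail_servers, block = [], {}, None
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # collapse indentation and repeated spaces
        if not line or line.startswith("!"):
            continue
        if line.startswith("mail-server "):
            block = mail_servers.setdefault(line.split()[1], [])
        elif block is not None:
            if line == "exit":  # assumed end of the Mail Server Config block
                block = None
            else:
                block.append(line)
        else:
            global_cmds.append(line)
    return global_cmds, mail_servers


def starts(cmds, prefix):
    """True if any command is `prefix` followed by at least one argument."""
    return any(c.startswith(prefix + " ") for c in cmds)


def audit(config_text):
    """Return a list of (check_id, message) findings for one capture."""
    cmds, mail_servers = parse(config_text)
    out = []
    if "logging cli-command" not in cmds:
        out.append(("LOG-CLI", "CLI command logging is off (default: Disabled)"))
    if "logging syslog" not in cmds:
        out.append(("LOG-SYSLOG", "syslog logging is off (default: Disabled)"))
    elif not starts(cmds, "logging host"):
        out.append(("LOG-HOST", "syslog is on but no logging host is configured"))

    # The last `file verify` line wins; no line means no mode was set in this capture.
    modes = re.findall(r"^file verify (all|image|none|script)$", "\n".join(cmds), re.M)
    if not modes or modes[-1] == "none":
        out.append(("FILE-VERIFY", "no file verify mode enabling signature checks is set"))

    if "boot host dhcp" in cmds:
        out.append(("AUTOINSTALL", "AutoInstall will run on the next reboot (TFTP download)"))
        if "boot host autosave" in cmds:
            out.append(("AUTOSAVE", "downloaded configuration is saved to startup-config automatically"))

    for addr, block in sorted(mail_servers.items()):
        if "security tlsv1" not in block:
            out.append(("MAIL-TLS", f"mail-server {addr}: security is none (default)"))
        if not (starts(block, "username") and starts(block, "password")):
            out.append(("MAIL-CRED", f"mail-server {addr}: SMTP login left at default admin"))
    return out


if __name__ == "__main__":
    for check_id, message in audit(SAMPLE_CONFIG):
        print(f"{check_id:12} {message}")
```

Exact matching is used for logging syslog so that a logging syslog port line alone does not count as syslog being enabled.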
Simple Network Time Protocol Commands
This section describes the commands you use to automatically configure the system time and date using Simple Network Time Protocol (SNTP).
sntp broadcast client poll-interval This command sets the poll interval for SNTP broadcast clients in seconds as a power of two where poll-interval can be a value from 6-10.
sntp broadcast client poll-interval poll-interval Mode: Global Config Default: 6 |
sntp client mode This command enables Simple Network Time Protocol (SNTP) client mode and may set the mode to either broadcast or unicast.
sntp client mode [broadcast | unicast] Mode: Global Config Default: Enabled |
sntp client port This command sets the SNTP client port ID to a value from 1-65535. The default value is 0, which means that the SNTP port is not configured by the user. In the default case, the actual client port value used in SNTP packets is assigned by the underlying OS.
sntp client port portid Mode: Global Config Default: 0
sntp unicast client poll-interval This command sets the poll interval for SNTP unicast clients in seconds as a power of two where poll-interval can be a value from 6-10.
sntp unicast client poll-interval poll-interval Mode: Global Config Default: 6
sntp unicast client poll-timeout This command will set the poll timeout for SNTP unicast clients in seconds to a value from 1 to 30.
sntp unicast client poll-timeout poll-timeout Mode: Global Config Default: 5
sntp unicast client poll-retry This command will set the poll retry for SNTP unicast clients to a value from 0 to 10.
sntp unicast client poll-retry poll-retry Mode: Global Config Default: 1
sntp source-interface Use this command to specify the physical or logical interface to use as the source interface (source IP address) for SNTP unicast server configuration. If configured, the address of the source interface is used for all SNTP communications between the SNTP server and the SNTP client. The selected source-interface IP address is used for filling the IP header of management protocol packets. This allows security devices (firewalls) to identify the source packets coming from the specific switch.
If a source-interface is not specified, the primary IP address of the originating (outbound) interface is used as the source address. If the configured interface is down, the SNTP client falls back to its default behavior.
sntp source-interface {slot/port | vlan vlan-id} Mode: Global Config Default: 6
sntp server This command configures an SNTP server (a maximum of three). The server address can be either an IPv4 address or an IPv6 address. The optional priority can be a value of 1-3, the version a value of 1-4, and the port-id a value of 1-65535.
sntp server {ipaddress | ipv6address | hostname} [priority [version [port-id]]] Mode: Global Config
show sntp This command is used to display SNTP settings and status.
show sntp Mode: Privileged EXEC Parameters:
show sntp client This command is used to display SNTP client settings.
show sntp client Mode: Privileged EXEC Parameters:
show sntp server This command is used to display SNTP server settings and configured servers.
show sntp server Mode: Privileged EXEC Parameters:
show sntp source-interface Use this command to display the SNTP client source interface configured on the switch.
show sntp source-interface Mode: Privileged EXEC Parameters:
Time Zone Commands
Use the Time Zone commands to configure system time and date, time zone and summer time (daylight saving time). Summer time can be recurring or non-recurring.
clock set This command sets the system time and date.
clock set hh:mm:ss clock set mm/dd/yyyy Mode: Global Config
clock summer-time date Use this command to set the summer-time offset to Coordinated Universal Time (UTC). If the optional parameters are not specified, they are read as either 0 or \0, as appropriate.
clock summer-time date {date month year hh:mm date month year hh:mm} [offset offset] [zone acronym] Mode: Global Config Parameters:
clock summer-time recurring This command sets the summer-time recurring parameters.
clock summer-time recurring {week day month hh:mm week day month hh:mm} [offset offset] [zone acronym] Mode: Global Config Parameters:
clock timezone Use this command to set the offset to Coordinated Universal Time (UTC). If the optional parameters are not specified, they will be read as either 0 or \0 as appropriate.
clock timezone {hours} [minutes minutes] [zone acronym] Mode: Global Config Parameters:
show clock Use this command to display the time and date from the system clock.
show clock Mode: Privileged EXEC
show clock detail Use this command to display the detailed system time along with the time zone and the summer-time configuration.
show clock detail Mode: Privileged EXEC
DHCP Server Commands
This section describes the commands you use to configure the DHCP server settings for the switch. DHCP uses UDP as its transport protocol and supports a number of features that facilitate the administration of address allocations.
ip dhcp pool This command configures a DHCP address pool name on a DHCP server and enters DHCP pool configuration mode.
ip dhcp pool name Mode: Global Config
client-identifier (DHCP Pool Config) This command specifies the unique identifier for a DHCP client. The unique-identifier is a valid notation in hexadecimal format. The unique-identifier is a concatenation of the media type and the MAC address, where 01 represents the Ethernet media type.
client-identifier unique-identifier Mode: DHCP Pool Config
client-name (DHCP Pool Config) This command specifies the name for a DHCP client. Name is a string consisting of standard ASCII characters.
client-name name Mode: DHCP Pool Config
default-router (DHCP Pool Config) This command specifies the default router address(es) for the DHCP pool. Up to 8 addresses can be specified.
default-router address Mode: DHCP Pool Config
dns-server (DHCP Pool Config) This command specifies the DNS server address(es) for the DHCP pool. Up to 8 addresses can be specified.
dns-server address Mode: DHCP Pool Config
hardware-address (DHCP Pool Config) This command specifies the hardware address of a DHCP client. Hardware-address is the MAC address of the hardware platform of the client consisting of 6 bytes in dotted hexadecimal format. The type parameter indicates the protocol of the hardware platform. It is 1 for 10 MB Ethernet (default) and 6 for IEEE 802.
hardware-address hardwareaddress type Mode: DHCP Pool Config
host (DHCP Pool Config) This command specifies the IP address and network mask for a manual binding to a DHCP client.
host address [{mask | prefix-length}] Mode: DHCP Pool Config
lease (DHCP Pool Config) This command configures the duration of the lease for an IP address that is assigned from a DHCP server to a DHCP client. The overall lease time should be between 1-86400 minutes. If you specify infinite, the lease is set for 60 days. You can specify a lease duration in days (0-59), hours (0-23), and minutes (0-59).
lease [{days [hours] [minutes] | infinite}] Mode: DHCP Pool Config Default: 1 day (1 0 0)
network (DHCP Pool Config) This command configures the network (for example 192.168.1.0) and mask for a DHCP address pool on the server.
network network [{mask | prefixlength}] Mode: DHCP Pool Config
bootfile (DHCP Pool Config) This command specifies the name (filename parameter) of the default boot image for a DHCP client.
bootfile filename Mode: DHCP Pool Config
domain-name (DHCP Pool Config) This command specifies the domain name (domain parameter) for a DHCP client.
domain-name domain Mode: DHCP Pool Config
domain-name enable This command enables the domain name functionality.
domain-name enable [name name] Mode: Global Config
netbios-name-server (DHCP Pool Config) This command configures NetBIOS Windows Internet Naming Service (WINS) name servers that are available to DHCP clients. You can specify up to eight addresses.
netbios-name-server address Mode: DHCP Pool Config
netbios-node-type (DHCP Pool Config) The command configures the NetBIOS node type for Microsoft Dynamic Host Configuration Protocol (DHCP) clients.
The type specifies the NetBIOS node type. Valid types are:
- b-node: Broadcast
- p-node: Peer-to-peer
- m-node: Mixed
- h-node: Hybrid (recommended)
netbios-node-type type Mode: DHCP Pool Config Default: None
next-server (DHCP Pool Config) This command configures the next server in the boot process of a DHCP client. The address parameter is the IP address of the next server in the boot process, which is typically a TFTP server.
next-server address Mode: DHCP Pool Config
option (DHCP Pool Config) This command configures DHCP Server options. The code parameter specifies the DHCP option code and ranges from 1-254. The ascii parameter specifies an NVT ASCII character string.
ASCII character strings that contain white space must be delimited by quotation marks. The hex parameter specifies hexadecimal data. In hexadecimal, character strings are two hexadecimal digits.
option code {ascii string | hex string | ip address} Mode: DHCP Pool Config
ip dhcp excluded-address This command specifies the IP addresses that a DHCP server should not assign to DHCP clients.
ip dhcp excluded-address low-address high-address Mode: Global Config
ip dhcp ping packets Use this command to specify the number, in a range from 2-10, of packets a DHCP server sends to a pool address as part of a ping operation. By default the number of packets sent to a pool address is 2, which is the smallest allowed number when sending packets. Setting the number of packets to 0 disables this command.
ip dhcp ping packets 0,2-10 Mode: Global Config Default: 2
service dhcp This command enables the DHCP server.
service dhcp Mode: Global Config Default: Disabled
ip dhcp bootp automatic This command enables allocation of addresses to the bootp client from the automatic address pool.
ip dhcp bootp automatic Mode: Privileged EXEC Default: Disabled
ip dhcp conflict logging This command enables conflict logging on DHCP server.
ip dhcp conflict logging Mode: Privileged EXEC Default: Enabled
clear ip dhcp binding This command deletes an automatic address binding from the DHCP server database. If an asterisk (*) is specified for the address parameter, the bindings corresponding to all the addresses are deleted.
clear ip dhcp binding {address | *} Mode: Privileged EXEC
clear ip dhcp server statistics This command clears DHCP server statistics counters.
clear ip dhcp server statistics Mode: Privileged EXEC
clear ip dhcp conflict The command is used to clear an address conflict from the DHCP Server database. The server detects conflicts using a ping. The DHCP server clears all conflicts if an asterisk (*) is used as the address parameter.
clear ip dhcp conflict {address | *} Mode: Privileged EXEC
show ip dhcp binding This command displays address bindings for the specific IP address on the DHCP server. If no IP address is specified, the bindings corresponding to all the addresses are displayed.
show ip dhcp binding [address] Modes: User / Privileged EXEC Parameters:
show ip dhcp global configuration This command displays address bindings for the specific IP address on the DHCP server. If no IP address is specified, the bindings corresponding to all the addresses are displayed.
show ip dhcp global configuration Modes: User / Privileged EXEC Parameters:
show ip dhcp pool configuration This command displays pool configuration. If all is specified, configuration for all the pools is displayed.
show ip dhcp pool configuration {name | all} Modes: User / Privileged EXEC Parameters:
show ip dhcp server statistics This command displays DHCP server statistics.
show ip dhcp server statistics Modes: User / Privileged EXEC Parameters:
show ip dhcp conflict This command displays address conflicts logged by the DHCP Server. If no IP address is specified, all the conflicting addresses are displayed.
show ip dhcp conflict [ip-address] Modes: User / Privileged EXEC Parameters:
DNS Client Commands
These commands are used in the Domain Name System (DNS), an Internet directory service. DNS is how domain names are translated into IP addresses. When enabled, the DNS client provides a hostname lookup service to other components of the EdgeSwitch software.
ip domain lookup Use this command to enable the DNS client.
ip domain lookup Mode: Global Config Default: Enabled
ip domain name Use this command to define a default domain name that EdgeSwitch software uses to complete unqualified host names (names without a domain name). By default, no default domain name is configured in the system. The name may not be longer than 255 characters and should not include an initial period. This name should be used only when the default domain name list, configured using the ip domain list command, is empty.
ip domain name name Mode: Global Config
ip domain list Use this command to define a list of default domain names to complete unqualified names. By default, the list is empty. Each name must be no more than 256 characters, and should not include an initial period. The default domain name, configured using the ip domain name command, is used only when the default domain name list is empty. A maximum of 32 names can be entered into this list.
ip domain list name Mode: Global Config
ip name-server Use this command to configure the available name servers. Up to eight servers can be defined in one command or by using multiple commands. The parameter server-address is a valid IPv4 or IPv6 address of the server. The preference of the servers is determined by the order they are entered.
ip name-server server-address1 [server-address2...server-address8] Mode: Global Config
ip name source-interface Use this command to specify the physical or logical interface to use as the DNS client (IP name) source interface (source IP address) for DNS client management application. If configured, the source interface address is used for all DNS communications between the DNS server and the DNS client.
The selected source-interface IP address is used for filling the IP header of management protocol packets. This allows security devices (firewalls) to identify the source packets coming from the specific switch. If a source interface is not specified, the primary IP address of the originating (outbound) interface is used as the source address. If the configured interface is down, the DNS client falls back to its default behavior.
ip name source-interface {slot/port | vlan vlan-id} Mode: Global Config
ip host Use this command to define static host name-to-address mapping in the host cache. The parameter name is the hostname and ipaddress is the IP address of the host. The host name can include 1-158 alphanumeric characters, periods, hyphens, underscores, and non-consecutive spaces. Hostnames that include one or more spaces must be enclosed in quotation marks.
ip host name ipaddress Mode: Global Config
ipv6 host Use this command to define static host name-to-IPv6 address mapping in the host cache. The name is the hostname and v6address is the IPv6 address of the host. The hostname can include 1-158 alphanumeric characters, periods, hyphens, and spaces. Hostnames that include one or more spaces must be enclosed in quotation marks.
ipv6 host name v6address Mode: Global Config
ip domain retry Use this command to specify the number of times to retry sending Domain Name System (DNS) queries. The number parameter indicates the number of times to retry sending a DNS query to the DNS server, and ranges from 0-100.
ip domain retry number Mode: Global Config Default: 2
ip domain timeout Use this command to specify the amount of time to wait for a response to a DNS query. The seconds parameter specifies the time, in seconds, to wait for a response to a DNS query, and ranges from 0-3600.
ip domain timeout seconds Mode: Global Config Default: 3
clear host Use this command to delete entries from the host name-to-address cache. This command clears the entries from the DNS cache maintained by the software. This command clears both IPv4 and IPv6 entries.
clear host {name | all} Mode: Privileged EXEC
show hosts Use this command to display the default domain name, a list of name server hosts, the static and the cached list of host names and addresses. The parameter name ranges from 1-255 characters. This command displays both IPv4 and IPv6 entries.
show hosts name Modes: User / Privileged EXEC Parameters:
show ip name source-interface Use this command to display the configured source interface details used for a DNS client. The IP address of the selected interface is used as source IP for all communications with the server.
show ip name source-interface Mode: Privileged EXEC
IP Address Conflict Commands
The commands in this section help troubleshoot IP address conflicts.
ip address-conflict-detect run This command triggers the switch to run active address conflict detection by sending gratuitous ARP packets for IPv4 addresses on the switch.
ip address-conflict-detect run Mode: Global Config
show ip address-conflict This command displays the status information corresponding to the last detected address conflict.
show ip address-conflict Modes: User / Privileged EXEC Parameters:
clear ip address-conflict-detect This command clears the detected address conflict status information.
clear ip address-conflict-detect Modes: User / Privileged EXEC
Serviceability Packet Tracing Commands
These commands improve the capability of network engineers to diagnose conditions affecting the EdgeSwitch. Use the debug commands with caution, as the output can be long and may adversely affect system performance.
capture start Use the capture start command to manually start capturing CPU packets for packet trace. The packet capture operates in three modes: capture file, remote capture, and capture line. The command is not persistent across a reboot cycle.
capture start [{all|receive|transmit}] Mode: Privileged EXEC Parameters:
capture stop Use the command capture stop to manually stop capturing CPU packets for packet trace.
capture stop Mode: Privileged EXEC
capture sniffer Use this command to start or stop the capture sniffer.
capture sniffer start | stop Mode: Privileged EXEC
capture file|remote|line Use this command to configure file capture options. The command is persistent across a reboot cycle.
capture {file|remote|line} Mode: Global Config Parameters:
capture remote port Use this command to configure file capture options. The command is persistent across a reboot cycle.
capture remote port portid Mode: Global Config
capture file size Use this command to configure file capture options. The command is persistent across a reboot cycle.
capture file size max-file-size Mode: Global Config
capture line wrap This command enables wrapping of captured packets in line mode when the captured packets reach full capacity.
capture line wrap Mode: Global Config
show capture packets Use this command to display packets captured and saved to RAM. Packets that are received or transmitted through the CPU can be captured and saved into RAM. A maximum of 128 packets can be saved into RAM per capturing session. A maximum of 128 bytes per packet can be saved into RAM.
If a packet holds more than 128 bytes, only the first 128 bytes are saved; data beyond 128 bytes is skipped and cannot be displayed in the CLI. Capturing packets is stopped automatically when 128 packets are captured and have not yet been displayed during a capture session. Captured packets are not retained after a reload cycle.
show capture packets Mode: Privileged EXEC
debug aaa accounting This command is useful to debug accounting configuration and functionality in User Manager.
debug aaa accounting Mode: Privileged EXEC
debug aaa authorization Use this command to enable the tracing for AAA in User Manager. This is useful to debug authorization configuration and functionality in the User Manager. Each of the parameters is used to configure authorization debug flags.
debug aaa authorization commands|exec Mode: Privileged EXEC
debug arp Use this command to enable ARP debug protocol messages.
debug arp Mode: Privileged EXEC
debug authentication This command displays the debug trace for either a single event or all events for an interface.
debug authentication packet {all | event} interface Mode: Privileged EXEC
debug auto-voip Use this command to enable Auto VOIP debug messages. Use the optional parameters to trace H323, SCCP, or SIP packets respectively.
debug auto-voip [H323|SCCP|SIP|oui] Mode: Privileged EXEC
debug clear This command disables all previously enabled “debug” traces.
debug clear Mode: Privileged EXEC
debug console This command enables the display of debug trace output on the login session in which it is executed. Debug console display must be enabled in order to view any trace output. The output of debug trace commands will appear on all login sessions for which debug console has been enabled. The configuration of this command remains in effect for the life of the login session. The effect of this command is not persistent across reboots.
debug console Mode: Privileged EXEC Default: Disabled
debug crashlog Use this command to view information contained in the crash log file that the system maintains when it experiences an unexpected reset.
The crash log file contains the following information:
- Call stack information in both primitive and verbose forms
- Log Status
- Buffered logging
- Event logging
- Persistent logging
- System Information (output of sysapiMbufDump)
- Message Queue Debug Information
- Memory Debug Information
- Memory Debug Status
- OS Information (output of osapiShowTasks)
- /proc information (meminfo, cpuinfo, interrupts, version and net/sockstat)
debug crashlog {[kernel] crashlog-number [upload url] | proc | verbose | deleteall} Mode: Privileged EXEC Default: Disabled Parameters:
debug debug-config Use this command to download or upload the debug-config.ini file. This file executes CLI commands (including devshell and drivshell commands) on specific predefined events. The debug config file is created manually and downloaded to the switch.
debug debug-config {download url | upload url} Mode: Privileged EXEC
debug dhcp packet This command displays debug information about DHCPv4 client activities and traces DHCPv4 packets to and from the local DHCPv4 client.
debug dhcp packet [transmit | receive] Mode: Privileged EXEC
debug dot1x packet Use this command to enable 802.1X packet debug trace.
debug dot1x packet Mode: Privileged EXEC
debug igmpsnooping packet This command enables tracing of IGMP Snooping packets received and transmitted by the switch.
debug igmpsnooping packet Mode: Privileged EXEC
debug igmpsnooping packet transmit This command enables tracing of IGMP Snooping packets transmitted by the switch. Snooping should be enabled on the device and the interface in order to monitor packets for a particular interface.
debug igmpsnooping packet transmit Mode: Privileged EXEC
debug igmpsnooping packet receive This command enables tracing of IGMP Snooping packets received by the switch. Snooping should be enabled on the device and the interface in order to monitor packets for a particular interface.
debug igmpsnooping packet receive Mode: Privileged EXEC
debug ip acl Use this command to enable debug of IP Protocol packets matching the ACL criteria.
debug ip acl acl-number Mode: Privileged EXEC
debug ipv6 dhcp This command displays “debug” information about DHCPv6 client activities and traces DHCPv6 packets to and from the local DHCPv6 client.
debug ipv6 dhcp Mode: Privileged EXEC
debug lacp packet This command enables tracing of LACP packets received and transmitted by the switch.
debug lacp packet Mode: Privileged EXEC
debug ping packet This command enables tracing of ICMP echo requests and responses. The command traces pings on the network port or service port for switching packages. For routing packages, pings are traced on the routing ports as well.
debug ping packet Mode: Privileged EXEC
debug spanning-tree bpdu This command enables tracing of spanning tree BPDUs received and transmitted by the switch.
debug spanning-tree bpdu Mode: Privileged EXEC
debug spanning-tree bpdu receive This command enables tracing of spanning tree BPDUs received by the switch. Spanning tree should be enabled on the device and on the interface in order to monitor packets for a particular interface.
debug spanning-tree bpdu receive Mode: Privileged EXEC
debug spanning-tree bpdu transmit This command enables tracing of spanning tree BPDUs transmitted by the switch. Spanning tree should be enabled on the device and on the interface in order to monitor packets on a particular interface.
debug spanning-tree bpdu transmit Mode: Privileged EXEC
debug tacacs Use the debug tacacs packet command to turn on TACACS+ debugging.
debug tacacs {packet {receive | transmit}} | accounting | authentication Mode: Privileged EXEC Parameters:
debug transfer This command enables debugging for file transfers.
debug transfer Mode: Privileged EXEC
show debugging Use the show debugging command to display enabled packet tracing configurations.
show debugging Mode: Privileged EXEC
exception protocol Use this command to specify the protocol used to store the core dump file.
exception protocol {nfs | tftp | none} Mode: Global Config Default: none
exception dump tftp-server Use this command to configure the IP address of a remote TFTP server in order to dump core files to an external server.
exception dump tftp-server {ip-address} Mode: Global Config
exception dump nfs Use this command to configure an NFS mount point in order to dump core files to the NFS file system.
exception dump nfs ip-address/dir Mode: Global Config
exception dump filepath Use this command to configure a file path to dump the core file to a TFTP server, NFS mount or USB device subdirectory.
exception dump filepath dir Mode: Global Config
exception core-file Use this command to configure a prefix for a core-file name. If hostname is configured, the core-file name takes the hostname; otherwise, the core-file name uses the MAC address when generating a core dump file. The prefix length is 15 characters.
exception core-file {file-name-prefix | [hostname] | [time-stamp]} Mode: Global Config Default: Core
exception switch-chip-register This command enables or disables the switch-chip-register dump in case of an exception. The switch-chip-register dump is taken only for a master unit and not for member units.
exception switch-chip-register {enable | disable} Mode: Global Config Default: Disabled
write core Use the write core command to generate a core dump file on demand. The write core test command is helpful when testing the core dump setup. For example, if the TFTP protocol is configured, write core test communicates with the TFTP server and informs the user if the TFTP server can be contacted.
Similarly, if protocol is configured as nfs, this command mounts and unmounts the file system and informs the user of the status. Write core reloads the switch which is useful when the device malfunctions, but has not crashed. For write core test, the destination file name is used for the TFTP test. Optionally, you can specify the destination file name when the protocol is configured as TFTP.
write core [test [dest_file_name]] Mode: Privileged EXEC
show exception Use this command to display the configuration parameters for generating a core dump file.
show exception Mode: Privileged EXEC
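A read-only audit of a saved configuration for four settings described above (file verify, sntp client mode, capture remote, exception protocol), as an added example that is not part of the EdgeSwitch guide or firmware. It assumes the saved configuration echoes each command in the same form as the syntax lines on this page and uses "!" for comment lines; the sample configurations, addresses and port number are constructed, and the severity labels are this example's own.

```python
import re
from typing import NamedTuple

# Constructed samples (assumption: the saved configuration repeats commands in
# the form shown in this guide's syntax lines). Addresses are documentation
# addresses from 192.0.2.0/24 and the port number is made up.
SAMPLE_CONFIG = """\
configure
file verify none
sntp client mode broadcast
capture remote
capture remote port 2002
exception protocol tftp
exception dump tftp-server 192.0.2.50
exit
"""

HARDENED_CONFIG = """\
configure
file verify all
sntp client mode unicast
sntp server 192.0.2.10
capture file
exception protocol none
exit
"""


class Finding(NamedTuple):
    severity: str
    lineno: int    # 0 means the setting is absent from the text
    setting: str
    reason: str


def audit(config_text: str) -> list:
    """Return a Finding for each risky setting found in config_text."""
    findings = []
    verify_seen = False
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = " ".join(raw.split())           # collapse indentation and space runs
        if not line or line.startswith("!"):   # skip blank and comment lines
            continue

        m = re.fullmatch(r"file verify (all|image|none|script)", line)
        if m:
            verify_seen = True
            scope = m.group(1)
            if scope == "none":
                findings.append(Finding("high", lineno, line,
                    "digital signature verification of downloaded files is off"))
            elif scope != "all":
                findings.append(Finding("medium", lineno, line,
                    f"signature verification covers only '{scope}' downloads"))
            continue

        if line == "sntp client mode broadcast":
            findings.append(Finding("medium", lineno, line,
                "broadcast mode accepts time from any server broadcasting on "
                "the segment instead of the configured sntp server entries"))
        elif line == "capture remote":
            findings.append(Finding("medium", lineno, line,
                "remote capture of CPU packets is configured and persists "
                "across reboots"))
        elif line == "exception protocol tftp":
            findings.append(Finding("high", lineno, line,
                "core dumps are sent over TFTP, which has no authentication "
                "or encryption"))
        elif line == "exception protocol nfs":
            findings.append(Finding("low", lineno, line,
                "core dumps are written to an NFS export; restrict who can "
                "read it"))

    if not verify_seen:
        findings.append(Finding("medium", 0, "file verify",
            "no file verify line found, so signature verification is not "
            "shown as enabled in this text"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        where = f"line {f.lineno}" if f.lineno else "absent"
        print(f"[{f.severity}] {where}: {f.setting}: {f.reason}")
```
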
mbuf Use this command to configure memory buffer (MBUF) threshold limits and generate notifications when MBUF limits have been reached.
mbuf {falling-threshold | rising-threshold | severity} Mode: Global Config Parameters:
show mbuf Use this command to display the memory buffer (MBUF) Utilization Monitoring parameters.
show mbuf Mode: Privileged EXEC Parameters:
show mbuf total Use this command to display memory buffer (MBUF) information.
show mbuf total Mode: Privileged EXEC Parameters:
Cable Test Command
The cable test feature enables you to determine the cable connection status on a selected port.
The cable test feature is supported only for copper cable. It is not supported for optical fiber cable. If the port has an active link while the cable test is run, the link can go down for the duration of the test.
cablestatus This command returns the status of the specified port.
cablestatus slot/port Mode: Privileged EXEC Parameters:
Remote Monitoring Commands
Remote Monitoring (RMON) is a method of collecting a variety of data about network traffic. RMON supports 64-bit counters (RFC 3273) and High Capacity Alarm Table (RFC 3434).
There is no configuration command for ether stats and high capacity ether stats. The data source for ether stats and high capacity ether stats are configured during initialization.
rmon alarm This command sets the RMON alarm entry in the RMON alarm MIB group.
rmon alarm alarm-number variable sample-interval {absolute|delta} rising-threshold value [rising-event-index] falling-threshold value Mode: Global Config Parameters:
rmon hcalarm This command sets the RMON hcalarm entry in the High Capacity RMON alarm MIB group.
rmon hcalarm alarm-number variable sample-interval {absolute|delta} rising-threshold high value low value status {positive|negative} [rising-event-index] falling-threshold high value low value status {positive|negative} [falling-event-index] [startup {rising|falling|rising-falling}] [owner string] Mode: Global Config Parameters:
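How the rising-threshold, falling-threshold, {absolute|delta} and startup parameters of rmon alarm and rmon hcalarm interact, shown as an added simulation that is not part of the EdgeSwitch guide or firmware. It follows the hysteresis rule of the RMON alarm group (RFC 2819): once a rising event fires, another one is not generated until the sampled value has reached the falling threshold, and vice versa. The class and function names are hypothetical and the readings are constructed.

```python
from typing import Iterable, List, Optional

STARTUP_CHOICES = ("rising", "falling", "rising-falling")


class RmonAlarm:
    """One alarm entry: sample a variable and compare it with two thresholds."""

    def __init__(self, rising_threshold: int, falling_threshold: int,
                 sample_type: str = "absolute",
                 startup: str = "rising-falling") -> None:
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        if startup not in STARTUP_CHOICES:
            raise ValueError(f"startup must be one of {STARTUP_CHOICES}")
        if falling_threshold > rising_threshold:
            raise ValueError("falling threshold must not exceed rising threshold")
        self.rising = rising_threshold
        self.falling = falling_threshold
        self.sample_type = sample_type
        self.startup = startup
        self._prev_raw: Optional[int] = None
        self._first = True            # next computed value is the first one
        self._rising_armed = True     # a rising event may fire
        self._falling_armed = True    # a falling event may fire

    def sample(self, raw: int) -> Optional[str]:
        """Feed one reading; return 'rising', 'falling' or None."""
        if self.sample_type == "delta":
            # Delta sampling compares the change since the previous reading,
            # so the very first reading only primes the alarm.
            # Counter wrap-around is not handled in this example.
            prev, self._prev_raw = self._prev_raw, raw
            if prev is None:
                return None
            value = raw - prev
        else:
            value = raw

        first, self._first = self._first, False
        if value >= self.rising and self._rising_armed:
            # Disarm rising until the value has come down to the falling threshold.
            self._rising_armed, self._falling_armed = False, True
            if first and self.startup == "falling":
                return None           # startup setting suppresses this event
            return "rising"
        if value <= self.falling and self._falling_armed:
            self._falling_armed, self._rising_armed = False, True
            if first and self.startup == "rising":
                return None
            return "falling"
        return None


def run(alarm: RmonAlarm, readings: Iterable[int]) -> List[Optional[str]]:
    """Feed every reading to the alarm and collect the event per sample."""
    return [alarm.sample(r) for r in readings]


# Constructed readings: a utilisation gauge and a monotonically rising counter.
GAUGE = [10, 50, 85, 90, 70, 85, 15, 10, 95]
COUNTER = [1000, 1010, 1200, 1210, 1215]

if __name__ == "__main__":
    print(run(RmonAlarm(80, 20), GAUGE))
    print(run(RmonAlarm(100, 10, sample_type="delta"), COUNTER))
```

In the gauge run the second 85 produces no event because the value has not dropped to the falling threshold since the first rising event; this is what keeps a value hovering near one threshold from flooding the event log.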
rmon event This command sets the RMON event entry in the RMON event MIB group.
rmon event event-number [description string|log|owner string|trap community] Mode: Global Config Parameters:
rmon collection history This command sets the history control parameters of the RMON historyControl MIB group. This command is not supported on interface range. Each RMON history control collection entry can be configured on only one interface. If you try to configure on multiple interfaces, DUT displays an error.
rmon collection history index-number [buckets number | interval interval-in-sec | owner string] Mode: Interface Config Parameters:
show rmon This command displays the entries in the RMON alarm table.
show rmon {alarms | alarm alarm-index} Mode: Privileged EXEC Parameters:
show rmon collection history This command displays the entries in the RMON history control table.
show rmon collection history [interfaces slot/port] Mode: Privileged EXEC Parameters:
show rmon events This command displays the entries in the RMON event table.
show rmon events Mode: Privileged EXEC Parameters:
show rmon history This command displays the specified entry in the RMON history table.
show rmon history index {errors [period seconds] | other [period seconds] | throughput [period seconds]} Mode: Privileged EXEC Parameters:
show rmon log This command displays the entries in the RMON log table.
show rmon log [event-index] Mode: Privileged EXEC Parameters:
show rmon statistics interfaces This command displays the RMON statistics for the given interfaces.
show rmon statistics interfaces slot/port Mode: Privileged EXEC Parameters:
show rmon hcalarms This command displays the entries in the RMON high-capacity alarm table.
show rmon {hcalarms | hcalarm alarm-index} Mode: Privileged EXEC Parameters:
Statistics Application Commands
The statistics application gives you the ability to query for statistics on port utilization, flow-based statistics, and packet reception over programmable time slots. The statistics application collects the statistics over a configurable time range. You can specify the port number(s) or a range of ports for statistics to be displayed.
The configured time range applies to all ports. Detailed statistics are collected between a specified time range in date and time format. You can define the time range as having an absolute time entry and/or a periodic time. For example, you can specify the statistics to be collected and displayed between 9:00 12 NOV 2011 (START) and 21:00 12 NOV 2012 (END) or schedule it on every Mon, Wed, and Fri 9:00 (START) to 21:00 (END).
You can receive the statistics in the following ways:
- User requests through the CLI for a set of counters.
- Configuring the device to display statistics using syslog or email alert. The alerts are sent by the statistics application at END time.
You can configure the device to display statistics on the console. The collected statistics are presented on the console at END time.
stats group This command creates a new group with the specified id or name and configures the time range and the reporting mechanism for that group.
stats group group-id|name timerange time-range-name reporting list-of-reporting-methods Mode: Global Config Parameters:
stats flow-based This command configures flow-based statistics rules for the given parameters over the specified time range. Only an IPv4 address is allowed as the source and destination IP address.
stats flow-based rule-id timerange time-range-name [{srcip ip-address} {dstip ip-address} {srcmac mac-address} {dstmac mac-address} {srctcpport portid} {dsttcpport portid} {srcudpport portid} {dstudpport portid}] Mode: Global Config Parameters:
stats flow-based reporting This command configures the reporting mechanism for all the flow-based rules configured on the system. There is no per flow-based rule reporting mechanism. Setting the reporting method to none resets all the reporting methods.
stats flow-based reporting list-of-reporting-methods Mode: Global Config
stats group This command applies the group specified on an interface or interface-range.
stats group group-id|name Mode: Interface Config
stats flow-based This command applies the flow-based rule specified by the ID on an interface or interface-range.
stats flow-based rule-id Mode: Interface Config
show stats group This command displays the configured time range and the interface list for the group specified and shows collected statistics for the specified time-range name on the interface list after the time-range expiry.
show stats group group-id|name Mode: Privileged EXEC
show stats flow-based This command displays the configured time range, flow-based rule parameters, and the interface list for the flow specified.
show stats flow-based rule-id|all Mode: Privileged EXEC
Switching Commands
This chapter describes the switching commands available in the EdgeSwitch CLI.
Port Configuration Commands
This section describes the commands you use to view and configure port settings.
interface This command gives access to Interface Config mode, which lets you enable or modify the operation of an interface (port). You can also specify a range of ports to configure by specifying a starting slot/port and an ending slot/port, separated by a hyphen.
interface {slot/port | slot/port-slot/port} Mode: Interface Config
auto-negotiate This command enables automatic negotiation on a port or range of ports.
auto-negotiate Mode: Interface Config
auto-negotiate all This command enables automatic negotiation on all ports.
auto-negotiate all Mode: Global Config
description Use this command to create an alphanumeric description of an interface or range of interfaces.
description description Mode: Interface Config
mtu Use this command to set the maximum transmission unit (MTU) size, in bytes, for frames that ingress or egress the interface. You can use the mtu command to configure jumbo frame support for physical and port-channel (LAG) interfaces. For the standard EdgeSwitch implementation, the MTU size is a valid integer between 1522–9216 for tagged packets and a valid integer between 1518–9216 for untagged packets.
mtu 1518-9216 Mode: Interface Config Default: 1518 (untagged)
shutdown This command disables a port or range of ports.
shutdown Mode: Interface Config
shutdown all This command disables all ports.
shutdown all Mode: Global Config
speed Use this command to enable or disable auto-negotiation and set the speed that will be advertised by that port. The half-duplex and full-duplex parameters allow you to set the advertised speed for half-duplex and full-duplex modes.
Use the auto keyword to enable auto-negotiation on the port and optionally set the preferred speed.
speed {auto {10G | 1000 | 100 | 10} [10G | 1000 | 100 | 10] [half-duplex | full-duplex] | {10G | 1000 | 100 | 10} {half-duplex | full-duplex}} Mode: Interface Config Default: auto
speed all This command sets the speed and duplex setting for all interfaces.
speed all {100 | 10} {half-duplex | full-duplex} Mode: Global Config
show port This command displays port information.
show port {intf-range | all} Mode: Privileged EXEC Parameters:
show port advertise Use this command to display the local administrative link advertisement configuration, local operational link advertisement, and the link partner advertisement for an interface. It also displays priority Resolution for speed and duplex as per 802.3 Annex 28B.3. It displays the Auto negotiation state, Phy Master/Slave Clock configuration, and Link state of the port.
If the link is down, the Clock is displayed as No Link, and a dash is displayed against the Oper Peer advertisement, and Priority Resolution. If Auto negotiation is disabled, then the admin Local Link advertisement, operational local link advertisement, operational peer advertisement, and Priority resolution fields are not displayed. If this command is executed without the optional slot/port parameter, then it displays the Auto-negotiation state and operational Local link advertisement for all the ports. Operational link advertisement will display speed only if it is supported by both local as well as link partner. If auto-negotiation is disabled, then operational local link advertisement is not displayed.
show port advertise [slot/port] Mode: Privileged EXEC
show port description This command displays the interface description.
show port description slot/port Mode: Privileged EXEC
Spanning Tree Protocol Commands
This section describes the commands you use to configure Spanning Tree Protocol (STP). STP helps prevent network loops, duplicate messages, and network instability. STP is enabled on the switch and on all ports and LAGs by default. If STP is disabled, the system does not forward BPDU messages.
spanning-tree This command sets the spanning-tree operational mode to enabled.
spanning-tree Mode: Global Config Default: Enabled
spanning-tree auto-edge Use this command to allow the interface to become an edge port if it does not receive any BPDUs within a given amount of time.
spanning-tree auto-edge Mode: Interface Config Default: Enabled
spanning-tree bpdumigrationcheck Use this command to force a transmission of rapid spanning tree (RSTP) and multiple spanning tree (MSTP) BPDUs. Use the slot/port parameter to transmit a BPDU from a specified interface, or use the all keyword to transmit RST or MST BPDUs from all interfaces.
spanning-tree bpdumigrationcheck {slot/port | all} Mode: Global Config
spanning-tree configuration name This command sets the Configuration Identifier Name for use in identifying the configuration that this switch is currently using. The name is a string of up to 32 characters.
spanning-tree configuration name name Mode: Global Config Default: Base MAC address in hexadecimal notation
spanning-tree configuration revision This command sets the Configuration Identifier Revision Level for use in identifying the configuration that this switch is currently using. The Configuration Identifier Revision Level is a number in the range of 0 to 65535.
spanning-tree configuration revision 0-65535 Mode: Global Config Default: 0
spanning-tree cost Use this command to configure the external path cost for the port used by an MST instance. When the auto keyword is used, the path cost from the port to the root bridge is automatically determined by the speed of the interface. To configure the cost manually, specify a cost value from 1–200000000.
spanning-tree cost {cost | auto} Mode: Interface Config Default: auto
spanning-tree edgeport This command specifies that an interface (or range of interfaces) is an Edge Port within the common and internal spanning tree. This allows this port to transition to Forwarding State without delay.
spanning-tree edgeport Mode: Interface Config
spanning-tree forceversion This command sets the Force Protocol Version parameter to a new value.
spanning-tree forceversion {802.1d | 802.1s | 802.1w} Mode: Global Config Default: 802.1s Parameters:
spanning-tree forward-time This command sets the Bridge Forward Delay parameter to a new value for the common and internal spanning tree. The value in seconds ranges from 4 to 30, with the value being greater than or equal to (Bridge Max Age / 2) + 1.
spanning-tree forward-time 4-30 Mode: Global Config Default: 15
spanning-tree max-age This command sets the Bridge Max Age parameter to a new value for the common and internal spanning tree. The value in seconds ranges from 6 to 40, with the value being less than or equal to 2 x (Bridge Forward Delay - 1).
spanning-tree max-age 6-40 Mode: Global Config Default: 20
spanning-tree max-hops This command sets the Bridge Max Hops parameter to a new value for the common and internal spanning tree.
spanning-tree max-hops 6-40 Mode: Global Config Default: 20
spanning-tree mst This command sets the Path Cost or Port Priority for this port within the multiple spanning tree instance or in the common and internal spanning tree. If you specify an mstid parameter that corresponds to an existing multiple spanning tree instance, the configurations are done for that multiple spanning tree instance. If you specify 0 (defined as the default CIST ID) as the mstid, the configurations are done for the common and internal spanning tree instance.
If you specify the cost option, the command sets the path cost for this port within a multiple spanning tree instance or the common and internal spanning tree instance, depending on the mstid parameter. You can set the path cost as a number in the range of 1 to 200000000 or auto. If you select auto, the path cost value is set based on Link Speed. If you specify the port-priority option, this command sets the priority for this port within a specific multiple spanning tree instance or the common and internal spanning tree instance, depending on the mstid parameter. The port-priority value is a number in the range of 0 to 240 in increments of 16.
spanning-tree mst mstid {{cost 1-200000000 | auto} | port-priority 0-240} Mode: Interface Config Default: cost: auto / port-priority: 128
spanning-tree mst instance This command adds a multiple spanning tree instance to the switch. The parameter mstid is a number within a range of 1 to 4094, that corresponds to the new instance ID to be added. The maximum number of multiple instances supported by the switch is 4.
spanning-tree mst instance mstid Mode: Global Config
spanning-tree mst priority This command sets the bridge priority for a specific multiple spanning tree instance. The parameter mstid is a number that corresponds to the desired existing multiple spanning tree instance. The priority value is a number within a range of 0 to 4094.
If you specify 0 (defined as the default CIST ID) as the mstid, this command sets the Bridge Priority parameter to a new value for the common and internal spanning tree. The bridge priority value is a number within a range of 0 to 4094. The twelve least significant bits are masked according to the 802.1s specification. This causes the priority to be rounded down to the next lower valid priority.
spanning-tree mst priority mstid 0-4094 Mode: Global Config Default: 32768
spanning-tree mst vlan This command adds an association between a multiple spanning tree instance and one or more VLANs so that the VLAN(s) are no longer associated with the common and internal spanning tree. The parameter mstid is a multiple spanning tree instance identifier, in the range of 0 to 4094, that corresponds to the desired existing multiple spanning tree instance. The vlanid can be specified as a single VLAN, a list, or a range of values.
To specify a list of VLANs, enter a list of VLAN IDs in the range 1 to 4093, each separated by a comma with no spaces in between. To specify a range of VLANs, separate the beginning and ending VLAN ID with a dash (-). Spaces and zeros are not permitted. The VLAN IDs may or may not exist in the system.
spanning-tree mst vlan mstid vlanid Mode: Global Config
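The list and range rules in the `spanning-tree mst vlan` entry can be checked before a VLAN string is pushed to a switch. The following Python validator is an added example, not part of the EdgeSwitch guide or firmware; it assumes that single IDs and ranges may be mixed in one comma-separated string, and it reads "zeros are not permitted" strictly, rejecting both ID 0 and leading zeros.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4093        # ID range stated in the guide
_ID = re.compile(r"[1-9][0-9]*")    # ASCII digits only, no leading zero (strict reading)


class VlanListError(ValueError):
    """Raised when a VLAN list string breaks one of the documented rules."""


def _parse_id(text):
    """Convert one token to a VLAN ID, enforcing digit form and the 1-4093 range."""
    if not _ID.fullmatch(text):
        raise VlanListError(f"not a valid VLAN ID: {text!r}")
    vid = int(text)
    if not VLAN_MIN <= vid <= VLAN_MAX:
        raise VlanListError(f"VLAN ID {vid} is outside {VLAN_MIN}-{VLAN_MAX}")
    return vid


def parse_vlan_list(spec):
    """Expand a string such as '10,20-23' into a sorted list of VLAN IDs."""
    if not spec:
        raise VlanListError("empty VLAN list")
    if any(ch.isspace() for ch in spec):
        raise VlanListError("spaces are not permitted")
    vlans = set()
    for item in spec.split(","):
        # 'a-b' is a range, 'a' a single ID; '10-', '-10' and '1-2-3' fail in _parse_id.
        first, dash, last = item.partition("-")
        low = _parse_id(first)
        high = _parse_id(last) if dash else low
        if high < low:
            raise VlanListError(f"range {item!r} runs backwards")
        vlans.update(range(low, high + 1))
    return sorted(vlans)


def format_vlan_list(vlans):
    """Collapse VLAN IDs back into the shortest comma/dash string."""
    ids = sorted(set(vlans))
    parts, i = [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(parts)


def is_valid_vlan_list(spec):
    """True if the string satisfies every rule enforced by parse_vlan_list."""
    try:
        parse_vlan_list(spec)
        return True
    except VlanListError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real configuration.
    for sample in ("10,20-23,4093", "10, 20", "0", "010", "4094", "30-20"):
        try:
            print(f"{sample!r:18} -> {format_vlan_list(parse_vlan_list(sample))}")
        except VlanListError as err:
            print(f"{sample!r:18} -> rejected: {err}")
```
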
spanning-tree port mode This command sets the Administrative Switch Port State for this port to enabled for use by spanning tree.
spanning-tree port mode Mode: Interface Config
spanning-tree port mode all This command sets the STP port mode for all ports to enabled.
spanning-tree port mode all Mode: Global Config Default: Enabled
spanning-tree tcnguard Use this command to enable TCN guard on the interface. When enabled, TCN Guard restricts the interface from propagating any topology change information received through that interface.
spanning-tree tcnguard Mode: Interface Config Default: Disabled
spanning-tree transmit This command sets the Bridge Transmit Hold Count parameter (0-10).
spanning-tree transmit hold-count Mode: Global Config
show spanning-tree This command displays spanning tree settings for the common and internal spanning tree.
show spanning-tree Modes: User / Privileged EXEC Parameters:
show spanning-tree brief This command displays spanning tree settings for the bridge.
show spanning-tree brief Modes: User / Privileged EXEC Parameters:
show spanning-tree interface This command displays the settings and parameters for a specific switch port within the common and internal spanning tree.
show spanning-tree interface slot/port | lag lag-intf-num Modes: User / Privileged EXEC Parameters:
show spanning-tree mst detailed This command displays the detailed settings for an MST instance.
show spanning-tree mst detailed mstid Modes: User / Privileged EXEC
show spanning-tree mst port detailed This command displays the detailed settings and parameters for a specific switch port within a particular multiple spanning tree instance. The parameter mstid is a number that corresponds to the desired existing multiple spanning tree instance.
show spanning-tree mst port detailed mstid slot/port | lag lag-intf-num Modes: User / Privileged EXEC Parameters:
show spanning-tree mst port summary This command displays the settings of one or all ports within the specified multiple spanning tree instance. The parameter mstid indicates a particular MST instance. If you specify 0 (defined as the default CIST ID) as the mstid, the status summary displays for one or all ports within the common and internal spanning tree.
show spanning-tree mst port summary mstid {slot/port | lag lag-intf-num | all} Modes: User / Privileged EXEC Parameters:
show spanning-tree mst port summary active This command displays settings for the ports within the specified multiple spanning tree instance that are active links.
show spanning-tree mst port summary mstid active Modes: User / Privileged EXEC Parameters:
show spanning-tree mst summary This command displays summary information about all multiple spanning tree instances in the switch.
The following information is listed for each MSTID:
- Associated FIDs: List of forwarding database identifiers associated with this instance.
- Associated VLANs: List of VLAN IDs associated with this instance.
show spanning-tree mst summary Modes: User / Privileged EXEC
show spanning-tree summary This command displays spanning tree settings and parameters for the switch.
show spanning-tree summary Modes: User / Privileged EXEC Parameters:
show spanning-tree vlan This command displays the association between a VLAN and a multiple spanning tree instance.
show spanning-tree vlan vlanid Modes: User / Privileged EXEC
VLAN Commands
This section describes the commands you use to configure VLAN settings.
vlan database This command gives you access to the VLAN Config mode, which allows you to configure VLAN characteristics.
vlan database Mode: Privileged EXEC
network mgmt_vlan This command configures the Management VLAN ID.
network mgmt_vlan 1-4093 Mode: Privileged EXEC Default: VLAN1
vlan (VLAN Database Config) This command creates a new VLAN and assigns it an ID. The ID is a valid VLAN identification number (ID 1 is reserved for the default VLAN). VLAN range is 2-4093.
vlan 2-4093 Mode: VLAN Database Config
vlan acceptframe This command sets the frame acceptance mode on an interface or range of interfaces. For VLAN Only mode, untagged frames or priority frames received on this interface are discarded. For Admit All mode, untagged frames or priority frames received on this interface are accepted and assigned the value of the interface VLAN ID for this port.
For Admit Untagged Only mode, only untagged frames are accepted on this interface; tagged frames are discarded. With any option, VLAN tagged frames are forwarded in accordance with the IEEE 802.1Q VLAN Specification.
vlan acceptframe {admituntaggedonly | vlanonly | all} Modes: Interface Config Default: all Parameters:
vlan ingressfilter This command enables ingress filtering on an interface or range of interfaces. If ingress filtering is disabled, frames received with VLAN IDs that do not match the VLAN membership of the receiving interface are admitted and forwarded to ports that are members of that VLAN.
vlan ingressfilter Mode: Interface Config Default: Enabled (on v1.9.0+ firmware)
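The combined effect of `vlan acceptframe` and `vlan ingressfilter` on a received frame, modelled as an added Python example (not EdgeSwitch code) so that a port's settings can be audited for VLANs it would admit without being a member. The names `Port`, `admit` and `unexpected_vlans` are hypothetical; the model assumes priority-tagged frames are treated as untagged in every mode and that the ingress filter also applies to untagged frames classified to the PVID.

```python
from dataclasses import dataclass, field

ACCEPT_MODES = ("all", "vlanonly", "admituntaggedonly")  # keywords from the guide


@dataclass
class Port:
    """Per-interface VLAN settings, named after the commands that set them."""
    pvid: int = 1                  # vlan pvid (default VLAN1)
    acceptframe: str = "all"       # vlan acceptframe (default all)
    ingressfilter: bool = True     # vlan ingressfilter
    member_vlans: set = field(default_factory=lambda: {1})  # vlan participation include

    def __post_init__(self):
        if self.acceptframe not in ACCEPT_MODES:
            raise ValueError(f"unknown acceptframe mode: {self.acceptframe!r}")


def admit(port, vid=None):
    """Decide the fate of one received frame.

    vid is None for an untagged frame, 0 for a priority-tagged frame,
    otherwise the VLAN ID carried in the 802.1Q tag.
    Returns (admitted, vlan, reason).
    """
    if vid is None or vid == 0:
        # Untagged and priority frames: dropped in VLAN Only mode,
        # otherwise assigned the interface VLAN ID (PVID).
        if port.acceptframe == "vlanonly":
            return False, None, "untagged or priority frame discarded (vlanonly)"
        vlan = port.pvid
    else:
        # Tagged frames: dropped in Admit Untagged Only mode.
        if port.acceptframe == "admituntaggedonly":
            return False, None, "tagged frame discarded (admituntaggedonly)"
        vlan = vid
    # Ingress filtering: drop when the receiving port is not a member of the VLAN.
    # With filtering disabled the frame is admitted and forwarded to that VLAN's members.
    if port.ingressfilter and vlan not in port.member_vlans:
        return False, vlan, "ingress filter: port is not a member of this VLAN"
    return True, vlan, "admitted"


def unexpected_vlans(port, configured_vlans):
    """VLANs the port does not belong to but would still admit tagged frames for."""
    return sorted(v for v in configured_vlans
                  if v not in port.member_vlans and admit(port, v)[0])


if __name__ == "__main__":
    # Constructed port profiles for VLANs 10, 20 and 30; not from a real switch.
    vlans = {10, 20, 30}
    profiles = {
        "filter off, accept all": Port(pvid=10, ingressfilter=False, member_vlans={10}),
        "filter on, accept all": Port(pvid=10, ingressfilter=True, member_vlans={10}),
        "filter off, untagged only": Port(pvid=10, acceptframe="admituntaggedonly",
                                          ingressfilter=False, member_vlans={10}),
    }
    for name, port in profiles.items():
        print(f"{name:28} admits non-member VLANs: {unexpected_vlans(port, vlans)}")
```

A non-empty result from `unexpected_vlans` marks a port whose settings rely on the connected device never sending tagged frames.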
vlan allow dei-frame This command allows or denies frames with the DEI flag.
vlan allow dei-frame Mode: Global Config Default: Enabled
vlan internal allocation Use this command to configure which VLAN IDs to use for port-based routing interfaces. When a port-based routing interface is created, an unused VLAN ID is assigned internally.
vlan internal allocation {base vlan-id | policy ascending | policy descending} Mode: Global Config Default: Descending Parameters:
vlan makestatic (VLAN Database Config) This command changes a dynamically created VLAN (created by GVRP registration) to a static VLAN (one that is permanently configured and defined). The ID is a valid VLAN identification number. VLAN range is 2-4093.
vlan makestatic 2-4093 Mode: VLAN Database Config
vlan name (VLAN Database Config) This command changes the name of a VLAN. The name is an alphanumeric string of up to 32 characters, and the ID is a valid VLAN identification number. ID range is 1-4093.
vlan name 1-4093 name Mode: VLAN Database Config
vlan participation This command configures the degree of participation for a specific interface or range of interfaces in a VLAN. The ID is a valid VLAN identification number, and the interface is a valid interface number.
vlan participation {exclude | include | auto} 1-4093 Mode: Interface Config Default: VLAN1: include / VLAN2-4093: auto Parameters:
switchport mode general This command sets an interface to use the general-style VLAN configuration method.
switchport mode general Mode: Interface Config Default: general
switchport mode access This command sets an interface to use the Cisco-style VLAN configuration method and defines the port as access.
switchport mode access Mode: Interface Config Default: general
switchport mode trunk This command sets an interface to use the Cisco-style VLAN configuration method and defines the port as trunk.
switchport mode trunk Mode: Interface Config Default: general
switchport access vlan This command defines the access VLAN when using the Cisco-style VLAN configuration method.
switchport access vlan 1-4093 Mode: Interface Config
switchport trunk allowed vlan This command defines the allowed VLANs on the trunk when using the Cisco-style VLAN configuration method.
switchport trunk allowed vlan [ vlan-range | add vlan-range | except vlan-range | remove vlan-range | all ] Mode: Interface Config Parameters:
switchport trunk native vlan This command defines the native VLAN on the trunk when using the Cisco-style VLAN configuration method.
switchport trunk native vlan 1-4093 Mode: Interface Config
vlan participation all This command configures the degree of participation for all interfaces in a VLAN. The ID is a valid VLAN identification number.
vlan participation all {exclude | include | auto} 1-4093 Mode: Global Config Parameters:
vlan participation all This command configures the degree of participation for all interfaces in a VLAN. The ID is a valid VLAN identification number.
vlan participation all {exclude | include | auto} 1-4093 Mode: Global Config Default: all Parameters:
vlan port ingressfilter all This command enables ingress filtering for all ports. If ingress filtering is disabled, frames received with VLAN IDs that do not match the VLAN membership of the receiving interface are admitted and forwarded to ports that are members of that VLAN.
vlan port ingressfilter all Mode: Global Config Default: Enabled (on v1.9.0+ firmware)
vlan port pvid all This command changes the VLAN ID for all interfaces.
vlan port pvid all 1-4093 Mode: Global Config Default: VLAN1
vlan port tagging all This command configures the tagging behavior for all interfaces in a VLAN to enabled. If tagging is enabled, traffic is transmitted as tagged frames. If tagging is disabled, traffic is transmitted as untagged frames. The ID is a valid VLAN identification number.
vlan port tagging all 1-4093 Mode: Global Config
vlan pvid This command changes the VLAN ID on an interface or range of interfaces.
vlan pvid 1-4093 Mode: Interface Config Default: VLAN1
vlan tagging This command configures the tagging behavior for a specific interface or range of interfaces in a VLAN to enabled. If tagging is enabled, traffic is transmitted as tagged frames. If tagging is disabled, traffic is transmitted as untagged frames. The ID is a valid VLAN identification number.
vlan tagging 1-4093 Mode: Interface Config
vlan association (VLAN Database Config) This command associates a MAC address or OUI to a certain VLAN.
vlan association [ mac macaddr vlanid ] [ oui oui-prefix vlanid ] Mode: VLAN Database Config
show vlan association This command displays the configured MAC address or OUI associations.
show vlan association [ mac macaddr ] [ oui ] Mode: Privileged EXEC
show vlan This command displays information about the configured private VLANs, including primary and secondary VLAN IDs, type (community, isolated, or primary) and the ports which belong to a private VLAN.
show vlan {vlanid | private-vlan [type]} Modes: User / Privileged EXEC Parameters:
show vlan internal usage This command displays information about the VLAN ID allocation on the switch.
show vlan internal usage Modes: User / Privileged EXEC
show vlan brief This command displays a list of all configured VLANs.
show vlan brief Modes: User / Privileged EXEC Parameters:
show interfaces switchport general This command displays the VLANs for ports that are configured with the general-style VLAN configuration method.
show interfaces switchport general slot/port Mode: Privileged EXEC
show interfaces switchport access This command displays the VLAN for access ports that are configured with the Cisco-style VLAN configuration method.
show interfaces switchport access slot/port Mode: Privileged EXEC
show interfaces switchport trunk This command displays the VLANs for trunk ports that are configured with the Cisco-style VLAN configuration method.
show interfaces switchport trunk slot/port Mode: Privileged EXEC
show vlan port This command displays VLAN port information.
show vlan port {slot/port | all} Modes: User / Privileged EXEC Parameters:
Private VLAN Commands
This section describes the commands you use for private VLANs. Private VLANs provide Layer-2 isolation between ports that share the same broadcast domain. In other words, they allow a VLAN broadcast domain to be partitioned into smaller point-to-multipoint subdomains. The ports participating in a private VLAN can be located anywhere in the Layer-2 network.
switchport private-vlan This command defines a private-VLAN association for an isolated or community port or a mapping for a promiscuous port.
switchport private-vlan {host-association primary-vlan-id secondary-vlan-id | mapping primary-vlan-id {add | remove} secondary-vlan-list} Mode: Interface Config Parameters:
switchport mode private-vlan This command configures a port as a promiscuous or host private VLAN port. Note that the properties of each mode can be configured even when the switch is not in that mode. However, they will only be applicable once the switch is in that particular mode.
switchport mode private-vlan {host|promiscuous} Mode: Interface Config Parameters:
private-vlan (VLAN Config) This command configures the private VLANs and configures the association between the primary private VLAN and secondary VLANs.
private-vlan {association [add|remove] community | isolated | primary} Mode: VLAN Config Parameters:
Voice VLAN Commands
This section describes the commands you use for Voice VLAN. Voice VLAN enables switch ports to carry voice traffic with a defined priority so that voice and data traffic coming onto the port can be separated. The benefit of using Voice VLAN is that the sound quality of an IP phone is safeguarded from deteriorating when the data traffic on the port is high.
Also, the inherent isolation provided by VLANs ensures that inter-VLAN traffic is under management control and that network-attached clients cannot initiate a direct attack on voice components. QoS based on IEEE 802.1P class of service (CoS) uses classification and scheduling to send network traffic from the switch in a predictable manner. The system uses the source MAC of the traffic traveling through the port to identify the IP phone data flow.
voice vlan (Global Config) Use this command to enable the Voice VLAN capability on the switch.
voice vlan Mode: Global Config
voice vlan (Interface Config) Use this command to enable the Voice VLAN capability on the interface or range of interfaces.
voice vlan {vlan-id id | dot1p priority | none | untagged} Mode: Interface Config Parameters:
voice vlan data priority Use this command to either trust or untrust the data traffic arriving on the Voice VLAN interface or range of interfaces being configured.
voice vlan data priority {untrust | trust} Mode: Interface Config Default: trust
show voice vlan Display the Voice VLAN global or interface configuration settings.
show voice vlan [interface {slot/port | all}] Mode: Privileged EXEC Parameters:
Provisioning (IEEE 802.1p) Commands
This section describes the commands you use to configure provisioning (IEEE 802.1p), which allows you to prioritize ports.
vlan port priority all This command configures the port priority assigned for untagged packets for all ports presently plugged into the device. The range for the priority is 0-7. Any subsequent per port configuration will override this configuration setting.
vlan port priority all priority Mode: Global Config |
vlan priority This command configures the default 802.1p port priority assigned for untagged packets for a specific interface. The range for the priority is 0–7.
vlan priority priority Mode: Interface Config Default: 0 |
Protected Ports Commands
This section describes commands you use to configure and view protected ports on a switch. Protected ports do not forward traffic to each other, even if they are on the same VLAN. However, protected ports can forward traffic to all unprotected ports in their group. Unprotected ports can forward traffic to both protected and unprotected ports. Ports are unprotected by default.
If an interface is configured as a protected port, and you add that interface to a Port Channel or Link Aggregation Group (LAG), the protected port status becomes operationally disabled on the interface, and the interface follows the configuration of the LAG port. However, the protected port configuration for the interface remains unchanged. Once the interface is no longer a member of a LAG, the current configuration for that interface automatically becomes effective.
switchport protected (Global Config) Use this command to create a protected port group. The groupid parameter identifies the set of protected ports. Use the name parameter to assign an optional name to the protected port group. The name can be up to 32 alphanumeric characters long, including blanks. The default is blank. Port protection occurs within a single switch. Protected port configuration does not affect traffic between ports on two different switches. No traffic forwarding is possible between two protected ports.
switchport protected groupid name name Mode: Global Config
switchport protected (Interface Config) Use this command to add an interface to a protected port group. The groupid parameter identifies the set of protected ports to which this interface is assigned. You can only configure an interface as protected in one group. Port protection occurs within a single switch. Protected port configuration does not affect traffic between ports on two different switches. No traffic forwarding is possible between two protected ports.
switchport protected groupid Mode: Interface Config
show switchport protected This command displays the status of all the interfaces, including protected and unprotected interfaces.
show switchport protected groupid Modes: User / Privileged EXEC Parameters:
show interfaces switchport This command displays the status of the interface (protected/unprotected) under the group ID.
show interfaces switchport slot/port groupid Modes: User / Privileged EXEC Parameters:
GARP Commands
This section describes the commands you use to configure Generic Attribute Registration Protocol (GARP) and view GARP status. The commands in this section affect both GARP VLAN Registration Protocol (GVRP) and GARP Multicast Registration Protocol (GMRP). GARP is a protocol that allows client stations to register with the switch for membership in VLANs (by using GVRP) or multicast groups (by using GMRP).
set garp timer join This command sets the GVRP join time per GARP for one interface, a range of interfaces, or all interfaces. Join time is the interval between the transmission of GARP Protocol Data Units (PDUs) registering (or re-registering) membership for a VLAN or multicast group. This command has an effect only when GVRP is enabled. The time is set in hundredths of a second, ranging from 10 to 100. A value of 20, for example, equals 0.2 seconds.
set garp timer join 10-100 Modes: Global / Interface Config Default: 20
set garp timer leave This command sets the GVRP leave time for one interface, a range of interfaces, or all interfaces, and has an effect only when GVRP is enabled. Leave time is the time to wait after receiving an unregister request for a VLAN or a multicast group before deleting the VLAN entry. This can be considered a buffer time for another station to assert registration for the same attribute in order to maintain uninterrupted service.
The leave time is set in hundredths of a second, ranging from 20 to 600. A value of 60, for example, equals 0.6 seconds. The leave time must be greater than or equal to three times the join time.
set garp timer leave 20-600 Modes: Global / Interface Config Default: 60
set garp timer leaveall This command sets how frequently Leave All PDUs are generated. A Leave All PDU indicates that all registrations will be unregistered. Participants would need to rejoin in order to maintain registration. The value applies per port and per GARP participation. The time is set in hundredths of a second, ranging from 200 to 6000. A value of 1000, for example, equals 10 seconds.
You can use this command on all ports (Global Config mode), a single port or a range of ports (Interface Config mode), and it has an effect only when GVRP is enabled. The leave all time must be greater than the leave time.
set garp timer leaveall 200-6000 Modes: Global / Interface Config Default: 1000
show garp This command displays GARP information.
show garp Modes: User / Privileged EXEC Parameters:
GVRP Commands
This section describes the commands you use to configure and view GARP VLAN Registration Protocol (GVRP) information. GVRP-enabled switches exchange VLAN configuration information, which allows GVRP to provide dynamic VLAN creation on trunk ports and automatic VLAN pruning. If GVRP is disabled, the system does not forward GVRP messages.
set gvrp adminmode This command enables GVRP on the system.
set gvrp adminmode Mode: Privileged EXEC Default: Disabled
set gvrp interfacemode This command enables GVRP on a single port (Interface Config mode), a range of ports (Interface Range mode), or all ports (Global Config mode).
set gvrp interfacemode Modes: Global / Interface Config Default: Disabled
show gvrp configuration This command displays Generic Attributes Registration Protocol (GARP) information for one or all interfaces.
show gvrp configuration {slot/port | all} Modes: User / Privileged EXEC Parameters:
GMRP Commands
This section describes the commands you use to configure and view GARP Multicast Registration Protocol (GMRP) information. Like IGMP Snooping, GMRP helps control the flooding of multicast packets. GMRP-enabled switches dynamically register and deregister group membership information with the MAC networking devices attached to the same segment.
GMRP also allows group membership information to propagate across all networking devices in the bridged LAN that support Extended Filtering Services. If GMRP is disabled, the system does not forward GMRP messages.
set gmrp adminmode This command enables GARP Multicast Registration Protocol (GMRP) on the system.
set gmrp adminmode Mode: Privileged EXEC Default: Disabled
set gmrp interfacemode This command enables GARP Multicast Registration Protocol on a single interface (Interface Config mode), a range of interfaces, or all interfaces (Global Config mode). If an interface which has GARP enabled is enabled for routing or is enlisted as a member of a port-channel (LAG), GARP functionality is disabled on that interface. GARP functionality is subsequently re-enabled if routing is disabled and port-channel (LAG) membership is removed from an interface that has GARP enabled.
set gmrp interfacemode Modes: Global / Interface Config Default: Disabled
show gmrp configuration This command displays Generic Attributes Registration Protocol (GARP) information for one or all interfaces.
show gmrp configuration {slot/port | all} Modes: User / Privileged EXEC Parameters:
show mac-address-table gmrp This command displays the GMRP entries in the Multicast Forwarding Database (MFDB) table.
show mac-address-table gmrp Mode: Privileged EXEC Parameters:
Port-Based Network Access Control Commands
This section describes the commands you use to configure port-based network access control (IEEE 802.1X). Port-based network access control allows you to permit access to network services only to devices that are authorized and authenticated.
aaa authentication dot1x default Use this command to configure the authentication method for port-based access to the switch. The additional methods of authentication are used only if the previous method returns an error, not if there is an authentication failure.
The possible methods are as follows:
- ias Uses the internal authentication server users database for authentication. This method can be used in conjunction with any one of the existing methods like local, radius, etc.
- local Uses the local username database for authentication.
- none Uses no authentication.
- radius Uses the list of all RADIUS servers for authentication.
aaa authentication dot1x default {[ias]|[method1 [method2 [method3]]]} Mode: Global Config
clear dot1x statistics This command resets the 802.1X statistics for the specified port or for all ports.
clear dot1x statistics {slot/port | all} Mode: Privileged EXEC
clear dot1x authentication-history This command clears the authentication history table captured during successful and unsuccessful authentication on all interfaces or the specified interface.
clear dot1x authentication-history [slot/port] Mode: Privileged EXEC
clear radius statistics This command is used to clear all RADIUS statistics.
clear radius statistics Mode: Privileged EXEC
dot1x eapolflood Use this command to enable EAPOL flood support on the switch.
dot1x eapolflood Mode: Global Config Default: Disabled
dot1x guest-vlan This command configures a VLAN as the guest VLAN on an interface or a range of interfaces. The command specifies an active VLAN as an IEEE 802.1X guest VLAN. The range is 1 to the maximum VLAN ID supported by the platform.
dot1x guest-vlan vlan-id Mode: Interface Config
dot1x initialize This command begins the initialization sequence on the specified port. This command is only valid if the control mode for the specified port is auto or MAC-based. If the control mode is not auto or MAC-based, an error will be returned.
dot1x initialize slot/port Mode: Global Interface Config
dot1x max-req This command sets the maximum number of times the authenticator state machine on an interface or range of interfaces will transmit an EAPOL EAP Request/Identity frame before timing out the supplicant. The count value must be in the range 1–10.
dot1x max-req count Mode: Interface Config Default: 2
dot1x max-users Use this command to set the maximum number of clients supported on an interface or range of interfaces when MAC-based 802.1X authentication is enabled on the port. The maximum users supported per port is dependent on the product. The count value is in the range 1–48.
dot1x max-users count Mode: Interface Config Default: 16
dot1x port-control This command sets the authentication mode to use on the specified interface or range of interfaces. Use the force-unauthorized parameter to specify that the authenticator PAE unconditionally sets the controlled port to unauthorized. Use the force-authorized parameter to specify that the authenticator PAE unconditionally sets the controlled port to authorized. Use the auto parameter to specify that the authenticator PAE sets the controlled port mode to reflect the outcome of the authentication exchanges between the supplicant, authenticator and the authentication server. If the mac-based option is specified, then MAC-based 802.1X authentication is enabled on the port.
dot1x port-control {force-unauthorized | force-authorized | auto | mac-based} Mode: Interface Config Default: auto
dot1x port-control all This command sets the authentication mode to use on all ports. Select force-unauthorized to specify that the authenticator PAE unconditionally sets the controlled port to unauthorized. Select force-authorized to specify that the authenticator PAE unconditionally sets the controlled port to authorized. Select auto to specify that the authenticator PAE sets the controlled port mode to reflect the outcome of the authentication exchanges between the supplicant, authenticator and the authentication server. If the mac-based option is specified, then MAC-based 802.1X authentication is enabled on the port.
dot1x port-control all {force-unauthorized | force-authorized | auto | mac-based} Mode: Global Config Default: auto
dot1x mac-auth-bypass If the 802.1X mode on the interface is mac-based, you can optionally use this command to enable MAC Authentication Bypass (MAB) on an interface. MAB is a supplemental authentication mechanism that allows 802.1X unaware clients – such as printers, fax machines, and some IP phones – to authenticate to the network using the client MAC address as an identifier.
dot1x mac-auth-bypass Mode: Interface Config Default: Disabled
dot1x re-authenticate This command begins the re-authentication sequence on the specified port. This command is only valid if the control mode for the specified port is auto or mac-based. If the control mode is not auto or mac-based, an error will be returned.
dot1x re-authenticate slot/port Mode: Privileged EXEC
dot1x re-authentication This command enables re-authentication of the supplicant for the specified interface or range of interfaces.
dot1x re-authentication Mode: Interface Config Default: Disabled
dot1x system-auth-control Use this command to enable the 802.1X authentication support on the switch. While disabled, the 802.1X configuration is retained and can be changed, but is not activated.
dot1x system-auth-control Mode: Global Config Default: Disabled
dot1x system-auth-control monitor Use this command to enable the 802.1X monitor mode on the switch. The purpose of Monitor mode is to help troubleshoot port-based authentication configuration issues without disrupting network access for hosts connected to the switch. In Monitor mode, a host is granted network access to an 802.1X-enabled port even if it fails the authentication process. The results of the process are logged for diagnostic purposes.
dot1x system-auth-control monitor Mode: Global Config Default: Disabled
dot1x timeout This command sets the value, in seconds, of the timer used by the authenticator state machine on an interface or range of interfaces. Depending on the parameter used and the value (in seconds) passed, various timeout configurable parameters are set.
dot1x timeout {{guest-vlan-period seconds} | {reauth-period seconds} | {quiet-period seconds} | {tx-period seconds} | {supp-timeout seconds} | {server-timeout seconds}} Mode: Interface Config Default: guest-vlan-period: 90 seconds / reauth-period: 3600 seconds / quiet-period: 60 seconds / tx-period: 30 seconds / supp-timeout: 30 seconds / server-timeout: 30 seconds Parameters:
dot1x unauthenticated-vlan Use this command to configure the unauthenticated VLAN associated with the specified interface or range of interfaces. The unauthenticated VLAN ID can be a valid VLAN ID from 0 to the maximum supported VLAN ID (4093 for EdgeSwitch). The unauthenticated VLAN must be statically configured in the VLAN database to be operational. By default, the unauthenticated VLAN is 0; i.e., invalid and not operational.
dot1x unauthenticated-vlan vlan-id Mode: Interface Config Default: 0
dot1x user This command adds the specified user to the list of users with access to the specified port or all ports. The user parameter must be a configured user.
dot1x user user {slot/port | all} Mode: Global Config
show authentication methods Use this command to display information about the authentication methods.
show authentication methods Mode: Privileged EXEC Parameters:
show dot1x This command is used to show a summary of the global 802.1X configuration, summary information of the 802.1X configuration for a specified port or all ports, the detailed 802.1X configuration for a specified port and the 802.1X statistics for a specified port, depending on the tokens used.
show dot1x [{summary {slot/port | all} | detail slot/port | statistics slot/port}] Mode: Privileged EXEC Parameters:
show dot1x authentication-history This command displays 802.1X authentication events and information recorded during successful and unsuccessful 802.1X authentication for all interfaces or the specified interface. Use the optional keywords to display only failed authentication events, in summary or in detail.
show dot1x authentication-history {slot/port | all} [failed-auth-only] [detail] Mode: Privileged EXEC Parameters:
show dot1x clients This command displays 802.1X client information. This command also displays information about the number of clients that are authenticated using Monitor mode and using 802.1X.
show dot1x clients {slot/port | all} Mode: Privileged EXEC Parameters:
show dot1x users This command displays 802.1X port security user information for locally configured users.
show dot1x users slot/port Mode: Privileged EXEC
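An added example (not part of the EdgeSwitch guide): a Python audit that checks the 802.1X settings described in this section against a constructed configuration. The `interface slot/port` ... `exit` block layout, the sample text and the finding codes are assumptions of this example.

```python
import re

# Constructed sample; the "interface <slot/port> ... exit" layout is an
# assumption about how the saved configuration is written out.
SAMPLE_CONFIG = """\
aaa authentication dot1x default radius none
dot1x system-auth-control
dot1x system-auth-control monitor
interface 0/1
dot1x port-control force-authorized
exit
interface 0/2
dot1x port-control mac-based
dot1x mac-auth-bypass
exit
interface 0/3
dot1x re-authentication
exit
interface 0/4
dot1x port-control force-unauthorized
exit
"""


def parse_config(text):
    """Split a config into global lines and per-interface line lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.fullmatch(r"interface (\d+/\d+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line == "exit":
            current = None
        elif current is not None:
            current.append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit_dot1x(text):
    """Return a list of (scope, code, explanation) findings."""
    global_lines, interfaces = parse_config(text)
    findings = []

    def add(scope, code, why):
        findings.append((scope, code, why))

    # Default is Disabled: per-port 802.1X settings are kept but not activated.
    if "dot1x system-auth-control" not in global_lines:
        add("global", "DOT1X_DISABLED", "dot1x system-auth-control is not set")
    # Monitor mode grants access even when authentication fails.
    if "dot1x system-auth-control monitor" in global_lines:
        add("global", "MONITOR_MODE", "failed hosts are still granted access")
    # Later methods run only when the previous one returns an error, so a
    # trailing 'none' means no authentication once that happens.
    for line in global_lines:
        m = re.fullmatch(r"aaa authentication dot1x default (.+)", line)
        if m and "none" in m.group(1).split():
            add("global", "METHOD_NONE", "method list can end in no authentication")

    for port, lines in sorted(interfaces.items()):
        mode = "auto"  # documented default for dot1x port-control
        for line in lines:
            m = re.fullmatch(r"dot1x port-control (\S+)", line)
            if m:
                mode = m.group(1)
        if mode == "force-authorized":
            add(port, "FORCE_AUTHORIZED", "port is unconditionally authorized")
        if "dot1x mac-auth-bypass" in lines:
            if mode == "mac-based":
                add(port, "MAB_ENABLED", "clients are identified by MAC address only")
            else:
                add(port, "MAB_WITHOUT_MAC_BASED", "MAB applies to mac-based mode")
        # Re-authentication is Disabled by default on authenticating ports.
        if mode in ("auto", "mac-based") and "dot1x re-authentication" not in lines:
            add(port, "NO_REAUTH", "supplicant is not periodically re-authenticated")
    return findings


def finding_codes(text):
    """Findings reduced to a set of (scope, code) pairs."""
    return {(scope, code) for scope, code, _ in audit_dot1x(text)}


if __name__ == "__main__":
    for scope, code, why in audit_dot1x(SAMPLE_CONFIG):
        print(f"{scope:7} {code:22} {why}")
```

Only interfaces that appear in the configuration text are checked; ports left entirely at their defaults are not listed by this example.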
802.1X Supplicant Commands
EdgeSwitch supports 802.1X (“dot1x”) supplicant functionality on point-to-point ports. The administrator can configure the user name and password used in authentication and capabilities of the supplicant port.
dot1x pae This command sets the port’s 802.1X role. The port can serve as either a supplicant or an authenticator.
dot1x pae {supplicant | authenticator} Mode: Interface Config
dot1x supplicant port-control This command sets the port’s authorization state (Authorized or Unauthorized) either manually or by setting the port to auto-authorize upon startup. By default all the ports are authenticators. If the port’s attribute needs to be moved from authenticator to supplicant or from supplicant to authenticator, use this command.
dot1x supplicant port-control {auto | force-authorized | force_unauthorized} Mode: Interface Config Parameters:
dot1x supplicant max-start This command configures the number of attempts that the supplicant makes to find the authenticator before the supplicant assumes that there is no authenticator.
dot1x supplicant max-start 1-10 Mode: Interface Config Default: 3
dot1x supplicant timeout start-period This command configures the start-period timer interval to wait for the EAP identity request from the authenticator.
dot1x supplicant timeout start-period 1-65535 Mode: Interface Config Default: 30
dot1x supplicant timeout held-period This command configures the held-period timer interval to wait before the next authentication attempt after a failed authentication.
dot1x supplicant timeout held-period 1-65535 Mode: Interface Config Default: 60
dot1x supplicant timeout auth-period This command configures the authentication period timer interval to wait for the next EAP request challenge from the authenticator.
dot1x supplicant timeout auth-period 1-65535 Mode: Interface Config Default: 30
dot1x supplicant user Use this command to map the given user to the port.
dot1x supplicant user Mode: Interface Config
show dot1x statistics This command displays the 802.1X port statistics in detail.
show dot1x statistics slot/port Modes: User / Privileged EXEC Parameters:
Storm-Control Command
This section describes commands you use to configure storm-control and view storm-control configuration information. A traffic storm is a condition that occurs when incoming packets flood the LAN, which creates performance degradation in the network. The Storm-Control feature protects against this condition.
The EdgeSwitch provides broadcast, multicast, and unicast storm recovery for individual interfaces. Unicast Storm-Control protects against traffic whose MAC addresses are not known by the system. For broadcast, multicast, and unicast storm-control, if the rate of traffic ingressing on an interface increases beyond the configured threshold for that type, the traffic is dropped.
To configure storm-control, you will enable the feature for all interfaces or for individual interfaces, and you will set the threshold (storm-control level) beyond which the broadcast, multicast, or unicast traffic will be dropped. The Storm-Control feature allows you to limit the rate of specific types of packets through the switch on a per-port, per-type basis.
Configuring a storm-control level also enables that form of storm-control. Disabling a storm-control level (using the no form of the command) sets the storm-control level back to the default value and disables that form of storm-control. Using the no form of the storm-control command (not stating a “level”) disables that form of storm-control but maintains the configured “level” (to be active the next time that form of storm-control is enabled).
The actual rate of ingress traffic required to activate storm-control is based on the size of incoming packets and the hard-coded average packet size of 512 bytes, which is used to calculate a packet-per-second (pps) rate, because the forwarding plane requires a pps value rather than an absolute rate in kbps. For example, if the configured limit is 10%, this is converted to ~25000 pps, and this pps limit is set in the forwarding plane (hardware). You get the approximate desired output when 512-byte packets are used.
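An added example (not from the EdgeSwitch guide) that works through the level-to-pps conversion described above and shows how much of the link the resulting pps limit admits when frames are not 512 bytes long. The 1 Gbps link speed, the integer rounding and the function names are assumptions of this example; preamble and inter-frame gap are ignored.

```python
AVG_PACKET_BYTES = 512  # hard-coded average packet size stated in the guide


def level_to_pps(level_percent, link_bps):
    """Convert a storm-control level (percent of link speed) to a pps limit."""
    if not 0 <= level_percent <= 100:
        raise ValueError("level must be in the range 0-100")
    # Allowed bits per second divided by the bits in one 512-byte packet.
    return (link_bps * level_percent) // (100 * AVG_PACKET_BYTES * 8)


def admitted_percent(pps_limit, frame_bytes, link_bps):
    """Percent of link speed that pps_limit lets through for one frame size.

    Capped at 100: a limit above line rate for that frame size never triggers.
    """
    return min(100.0, 100.0 * pps_limit * frame_bytes * 8 / link_bps)


def threshold_table(level_percent, link_bps, frame_sizes=(64, 512, 1518)):
    """Rows of (frame size, pps limit, percent of link actually admitted)."""
    pps = level_to_pps(level_percent, link_bps)
    return [
        (size, pps, round(admitted_percent(pps, size, link_bps), 2))
        for size in frame_sizes
    ]


if __name__ == "__main__":
    GIGABIT = 10**9  # assumed link speed
    print("level 10% on 1 Gbps")
    for size, pps, pct in threshold_table(10, GIGABIT):
        print(f"  {size:5d}-byte frames: limit {pps} pps = {pct}% of link")
```

With small frames the configured percentage is much stricter than it looks, and with large frames it is much looser, which matters when choosing a level for ports that carry mostly small broadcast frames such as ARP.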
storm-control broadcast Use this command to enable broadcast storm recovery mode for all interfaces (Global Config mode) or one or more interfaces (Interface Config mode). If the mode is enabled, broadcast storm recovery is active and, if the rate of L2 broadcast traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped. Therefore, the rate of broadcast traffic will be limited to the configured threshold.
storm-control broadcast Modes: Interface / Global Config Default: Disabled
storm-control broadcast level Use this command to configure the broadcast storm recovery threshold for all interfaces (Global Config mode) or one or more interfaces (Interface Config mode) as a percentage of link speed and enable broadcast storm recovery. If the mode is enabled, broadcast storm recovery is active, and if the rate of L2 broadcast traffic ingressing on an interface increases beyond the configured threshold, the traffic is dropped. Therefore, the rate of broadcast traffic is limited to the configured threshold.
storm-control broadcast level 0-100 Modes: Interface / Global Config Default: 5
storm-control broadcast rate Use this command to configure the broadcast storm recovery threshold for all interfaces (Global Config mode) or one or more interfaces (Interface Config mode) in packets per second. If the mode is enabled, broadcast storm recovery is active, and if the rate of L2 broadcast traffic ingressing on an interface increases beyond the configured threshold, the traffic is dropped. Therefore, the rate of broadcast traffic is limited to the configured threshold.
storm-control broadcast rate 0-33554431 Modes: Interface / Global Config Default: 0
storm-control multicast This command enables multicast storm recovery mode for all interfaces (Global Config mode) or one or more interfaces (Interface Config mode). If the mode is enabled, multicast storm recovery is active, and if the rate of L2 multicast traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped. Therefore, the rate of multicast traffic will be limited to the configured threshold.
storm-control multicast Modes: Interface / Global Config Default: Disabled
storm-control multicast level This command configures the multicast storm recovery threshold for all interfaces (Global Config mode) or one or more interfaces (Interface Config mode) as a percentage of link speed and enables multicast storm recovery mode. If the mode is enabled, multicast storm recovery is active, and if the rate of L2 multicast traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped. Therefore, the rate of multicast traffic will be limited to the configured threshold.
storm-control multicast level 0-100 Modes: Interface / Global Config Default: 5
storm-control multicast rate Use this command to configure the multicast storm recovery threshold for all interfaces (Global Config mode) or one or more interfaces (Interface Config mode) in packets per second. If the mode is enabled, multicast storm recovery is active, and if the rate of L2 multicast traffic ingressing on an interface increases beyond the configured threshold, the traffic is dropped. Therefore, the rate of multicast traffic is limited to the configured threshold.
storm-control multicast rate 0-33554431 Modes: Interface / Global Config Default: 0
storm-control unicast This command enables unicast storm recovery mode for all interfaces (Global Config mode) or one or more interfaces (Interface Config mode). If the mode is enabled, unicast storm recovery is active, and if the rate of unknown L2 unicast (destination lookup failure) traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped. Therefore, the rate of unknown unicast traffic will be limited to the configured threshold.
storm-control unicast Modes: Interface / Global Config Default: Disabled
storm-control unicast level This command configures the unicast storm recovery threshold for all interfaces (Global Config mode) or one or more interfaces (Interface Config mode) as a percentage of link speed, and enables unicast storm recovery. If the mode is enabled, unicast storm recovery is active, and if the rate of unknown L2 unicast (destination lookup failure) traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped. Therefore, the rate of unknown unicast traffic will be limited to the configured threshold. This command also enables unicast storm recovery mode for an interface.
storm-control unicast level 0-100 Modes: Interface / Global Config Default: 5
storm-control unicast rate Use this command to configure the unicast storm recovery threshold for all interfaces (Global Config mode) or one or more interfaces (Interface Config mode) in packets per second. If the mode is enabled, unicast storm recovery is active, and if the rate of unknown L2 unicast (destination lookup failure) traffic ingressing on an interface increases beyond the configured threshold, the traffic is dropped. Therefore, the rate of unicast traffic is limited to the configured threshold.
storm-control unicast rate 0-33554431 Modes: Interface / Global Config Default: 0
show storm-control This command displays the configured storm control settings.
show storm-control [all | slot/port] Modes: Privileged EXEC Parameters:
Port-Channel/LAG (802.3ad) Commands
This section describes the commands you use to configure port-channels, which are defined in the 802.3ad specification and are also known as link aggregation groups (LAGs). Link aggregation allows you to combine multiple full-duplex Ethernet links into a single logical link. Network devices treat the aggregation as if it were a single link, which increases fault tolerance and provides load sharing. The LAG feature initially load shares traffic based upon the source and destination MAC address. Assign the port-channel (LAG) VLAN membership after you create a port-channel. If you do not assign VLAN membership, the port-channel might become a member of the management VLAN, which can result in learning and switching issues.
A port-channel (LAG) interface can be either static or dynamic, but not both. All members of a port channel must participate in the same protocols. A static port-channel interface does not require a partner system to be able to aggregate its member ports. If you configure the maximum number of dynamic port-channels (LAGs) that your platform supports, additional port-channels that you configure are automatically static.
port-channel This command configures a new port-channel (LAG) and generates a logical slot/port number for the port-channel. The name field is a character string which can contain alphanumeric characters and “-” (dash character).
port-channel name Mode: Global Config
addport This command adds a physical port to a port-channel (LAG).
addport {slot/port | lag lag-intf_num} Mode: Interface Config
deleteport (Interface Config) This command deletes a port or a range of ports from a port-channel (LAG).
deleteport {slot/port | lag lag-intf_num} Mode: Interface Config
deleteport (Global Config) This command deletes all configured ports from the port-channel (LAG). The interface is a logical slot/port number of a configured port-channel.
deleteport slot/port all Mode: Global Config
lacp admin key Use this command to configure the administrative value of the key for the port-channel. The value range of key is 0–65535.
lacp admin key key Mode: LAG Interface Config Default: 0x8000 / 32768
lacp collector max-delay Use this command to configure the port-channel collector max delay. This command can be used to configure a single interface or a range of interfaces. The valid range of delay is 0–65535.
lacp collector max delay delay Mode: LAG Interface Config Default: 0x8000 / 32768
lacp actor admin key Use this command to configure the administrative value of the LACP actor admin key on an interface or range of interfaces. The valid range for key is 0–65535.
lacp actor admin key key Mode: LAG Interface Config Default: Internal Interface Number of the Physical Port
lacp actor admin state individual Use this command to set LACP actor admin state to individual.
lacp actor admin state individual Mode: Interface Config
lacp actor admin state longtimeout Use this command to set LACP actor admin state to longtimeout.
lacp actor admin state longtimeout Mode: Interface Config
lacp actor admin state passive Use this command to set the LACP actor admin state to passive.
lacp actor admin state passive Mode: Interface Config
lacp actor admin state Use this command to configure the administrative value of actor state as transmitted by the Actor in LACPDUs. This command can be used to configure a single interface or a range of interfaces.
lacp actor admin state {individual | longtimeout | passive} Mode: Interface Config
lacp actor port priority Use this command to configure the priority value assigned to the Aggregation Port for an interface or range of interfaces. The valid range for priority is 0 to 65535.
lacp actor port priority 0-65535 Mode: Interface Config Default: 0x80 / 128
lacp partner admin key Use this command to configure the administrative value of the Key for the protocol partner. This command can be used to configure a single interface or a range of interfaces. The valid range for key is 0 to 65535.
lacp partner admin key key Mode: Interface Config Default: 0x0 / 0
lacp partner admin state individual Use this command to set LACP partner admin state to individual.
lacp partner admin state individual Mode: Interface Config
lacp partner admin state longtimeout Use this command to set LACP partner admin state to long timeout.
lacp partner admin state longtimeout Mode: Interface Config
lacp partner admin state passive Use this command to set the LACP partner admin state to passive.
lacp partner admin state passive Mode: Interface Config
lacp partner port id Use this command to configure the LACP partner port ID. This command can be used to configure a single interface or a range of interfaces. The valid range for port-id is 0 to 65535.
lacp partner port-id port-id Mode: Interface Config Default: 0x80 / 128
lacp partner port priority Use this command to configure the LACP partner port priority. This command can be used to configure a single interface or a range of interfaces. The valid range for priority is 0 to 65535.
lacp partner port priority priority Mode: Interface Config
lacp partner system-id Use this command to configure the 6-octet MAC Address value representing the administrative value of the Aggregation Port’s protocol Partner’s System ID. This command can be used to configure a single interface or a range of interfaces. The valid range of system-id is 00:00:00:00:00:00 to FF:FF:FF:FF:FF:FF.
lacp partner system-id system-id Mode: Interface Config Default: 00:00:00:00:00:00
lacp partner system priority Use this command to configure the administrative value of the priority associated with the Partner’s System ID. This command can be used to configure a single interface or a range of interfaces. The valid range for priority is 0 to 65535.
lacp partner system priority 0-65535 Mode: Interface Config Default: 0x0 / 0
interface lag Use this command to enter Interface configuration mode for the specified LAG.
interface lag lag-interface-number Mode: Global Config
port-channel static This command enables the static mode on a port-channel (LAG) interface or range of interfaces. By default the static mode for a new port-channel is enabled, which means the port-channel is static. If the maximum number of allowable dynamic port-channels are already present in the system, the static mode for a new port-channel is enabled, which means the port-channel is static. You can only use this command on port-channel interfaces.
port-channel static Mode: Interface Config Default: Disabled (on v1.7.4+ firmware)
port lacpmode This command enables Link Aggregation Control Protocol (LACP) on a port or range of ports.
port lacpmode Mode: Interface Config
port lacpmode enable all This command enables Link Aggregation Control Protocol (LACP) on all ports.
port lacpmode enable all Mode: Global Config
port lacptimeout (Interface Config) This command sets the timeout on a physical interface or range of interfaces of a particular device type (actor or partner) to either long or short timeout.
port lacptimeout {actor | partner} {long | short} Mode: Interface Config Default: long
port lacptimeout (Global Config) This command sets the timeout for all interfaces of a particular device type (actor or partner) to either long or short timeout.
port lacptimeout {actor | partner} {long | short} Mode: Global Config Default: long
port-channel adminmode all This command enables all configured port-channels with the same administrative mode setting.
port-channel adminmode all Mode: Global Config
port-channel linktrap This command enables link trap notifications for the port-channel (LAG). The interface is a logical slot/port for a configured port-channel. The option all sets every configured port-channel to the same administrative mode setting.
port-channel linktrap {logical slot/port | all} Mode: Global Config
port-channel load-balance This command selects the load-balancing option used on a port-channel (LAG). Traffic is balanced on a port-channel (LAG) by selecting one of the links in the channel over which to transmit specific packets. The link is selected by creating a binary pattern from selected fields in a packet, and associating that pattern with a particular link.
port-channel load-balance {1 | 2 | 3 | 4 | 5 | 6} {slot/port | all} Modes: Global / LAG Interface Config Parameters:
port-channel local-preference This command enables the local-preference mode on a port-channel (LAG) interface or range of interfaces. By default, the local-preference mode for a port-channel is disabled.
port-channel local-preference Mode: LAG Interface Config Default: Disabled
port-channel min-links This command configures the minimum number of links for the port-channel.
port-channel min-links 1-8 Mode: LAG Interface Config
port-channel name This command defines a name for the port-channel (LAG). The interface is a logical slot/port for a configured port-channel, and name is an alphanumeric string up to 15 characters.
port-channel name {logical slot/port} name Mode: Global Config
port-channel system priority Use this command to configure port-channel system priority. The valid range of priority is 0-65535.
port-channel system priority priority Mode: Global Config Default: 0x8000 / 32768
show lacp actor Use this command to display LACP actor attributes.
show lacp actor {slot/port | all} Mode: Privileged EXEC Parameters:
show lacp partner Use this command to display LACP partner attributes.
show lacp partner {slot/port | all} Mode: Privileged EXEC Parameters:
show port-channel brief This command displays the static capability of all port-channel (LAG) interfaces on the device.
show port-channel brief Mode: Privileged EXEC Parameters:
show port-channel This command displays an overview of all port-channels (LAGs) on the switch.
show port-channel {slot/port | lag lag-intf-num} Mode: Privileged EXEC Parameters:
show port-channel system priority Use this command to display the port-channel system priority.
show port-channel system priority Mode: Privileged EXEC
show port-channel counters Use this command to display port-channel counters for the specified port.
show port-channel slot/port counters Mode: Privileged EXEC Parameters:
clear port-channel counters Use this command to clear and reset specified port-channel and member flap counters for the specified interface.
clear port-channel {lag lag-intf-num | slot/port} counters Mode: Privileged EXEC
clear port-channel all counters Use this command to clear and reset all port-channel and member flap counters for the specified interface.
clear port-channel all counters Mode: Privileged EXEC
Port Mirroring Commands
Port mirroring, which is also known as port monitoring, selects network traffic that you can analyze with a network analyzer, such as a SwitchProbe device or other Remote Monitoring (RMON) probe.
monitor session This command configures a probe port and a monitored port for monitor session (port monitoring). Use the source interface parameter to specify the interface to monitor. Use rx to monitor only ingress packets, or use tx to monitor only egress packets. If you do not specify an {rx|tx} option, the destination port monitors both ingress and egress packets. A VLAN can be configured as the source to a session (all member ports of that VLAN are monitored). An IP/MAC ACL can be attached to a session. Use destination interface to specify the interface to receive the monitored traffic. Use the mode parameter to enable the administrative mode of the session. If enabled, the probe port monitors all the traffic received and transmitted on the physical monitored port. Use the filter parameter to filter a specified access group either by IP address or MAC address.
Remote port mirroring is configured by adding the RSPAN VLAN ID. At the source switch, the destination is configured as the RSPAN VLAN and at the destination switch, the source is configured as the RSPAN VLAN. The reflector-port is configured at the source switch. The port forwards the mirrored traffic towards the destination switch.
monitor session session-id { source {interface slot/port | vlan vlan-id | remote vlan vlan-id} [rx|tx] | destination {interface slot/port | remote vlan vlan-id reflector-port slot/port} | mode | filter {ip access-group {acl-id|acl-name} | mac access-group acl-name} } Mode: Global Config
show monitor session This command displays the Port monitoring information for a particular mirroring session. The session-id parameter is an integer value used to identify the session.
show monitor session session-id Mode: Privileged EXEC Parameters:
show vlan remote-span This command displays the configured RSPAN VLAN.
show vlan remote-span Mode: Privileged EXEC
Static MAC Filtering Commands
The commands in this section describe how to configure static MAC filtering. Static MAC filtering allows you to configure destination ports for a static multicast MAC filter irrespective of the platform.
macfilter This command adds a static MAC filter entry for the MAC address macaddr on the VLAN vlanid. The value of the macaddr parameter is a 6-byte hexadecimal number in the format of b1:b2:b3:b4:b5:b6. The restricted MAC Addresses are: 00:00:00:00:00:00, 01:80:C2:00:00:00 to 01:80:C2:00:00:0F, 01:80:C2:00:00:20 to 01:80:C2:00:00:21, and FF:FF:FF:FF:FF:FF. The vlanid parameter must identify a valid VLAN.
The number of static MAC filters supported on the system is different for MAC filters where source ports are configured and MAC filters where destination ports are configured:
- For unicast MAC address filters and multicast MAC address filters with source port lists, the maximum number of static MAC filters supported is 20.
- For multicast MAC address filters with destination ports configured, the maximum number of static filters supported is 256.
- You can configure the following combinations:
  - Unicast MAC and source port (max = 20)
  - Multicast MAC and source port (max = 20)
  - Multicast MAC and destination port (only) (max = 256)
  - Multicast MAC and source ports and destination ports (max = 20)
macfilter macaddr vlanid Mode: Global Config
macfilter adddest Use this command to add the interface or range of interfaces to the destination filter set for the MAC filter with the given macaddr and VLAN of vlanid. The macaddr parameter must be specified as a 6-byte hexadecimal number in the format of b1:b2:b3:b4:b5:b6. The vlanid parameter must identify a valid VLAN. Configuring a destination port list is only valid for multicast MAC addresses.
macfilter adddest macaddr vlanid Mode: Interface Config
macfilter adddest all This command adds all interfaces to the destination filter set for the MAC filter with the given macaddr and VLAN of vlanid. The macaddr parameter must be specified as a 6-byte hexadecimal number in the format of b1:b2:b3:b4:b5:b6. The vlanid parameter must identify a valid VLAN. Configuring a destination port list is only valid for multicast MAC addresses.
macfilter adddest all macaddr vlanid Mode: Global Config
macfilter addsrc Use this command to add the interface or range of interfaces to the source filter set for the MAC filter with the given macaddr and VLAN of vlanid. The macaddr parameter must be specified as a 6-byte hexadecimal number in the format of b1:b2:b3:b4:b5:b6. The vlanid parameter must identify a valid VLAN.
macfilter addsrc macaddr vlanid Mode: Interface Config
macfilter addsrc all This command adds all interfaces to the source filter set for the MAC filter with the given macaddr and VLAN of vlanid. The macaddr parameter must be specified as a 6-byte hexadecimal number in the format of b1:b2:b3:b4:b5:b6. The vlanid parameter must identify a valid VLAN.
macfilter addsrc all macaddr vlanid Mode: Global Config
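The macfilter rules above (restricted address ranges, destination port lists only for multicast addresses, and the 20/256 entry limits) can be checked before a change is pushed to a switch. The following Python check is an added example, not Ubiquiti code; the `MacFilter` record, the result codes, and the reading of the 20-entry limit as one shared pool are assumptions.

```python
import re
from dataclasses import dataclass, field

# Restricted ranges quoted from the macfilter description (inclusive bounds).
RESTRICTED = [
    (0x000000000000, 0x000000000000),
    (0x0180C2000000, 0x0180C200000F),
    (0x0180C2000020, 0x0180C2000021),
    (0xFFFFFFFFFFFF, 0xFFFFFFFFFFFF),
]
MAX_SHARED_POOL = 20   # unicast filters and multicast filters with source ports
MAX_DEST_ONLY = 256    # multicast filters with destination ports only
_MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")


def parse_mac(text):
    """Parse b1:b2:b3:b4:b5:b6 into an integer; raise ValueError otherwise."""
    if not _MAC_RE.fullmatch(text):
        raise ValueError("not in b1:b2:b3:b4:b5:b6 format")
    return int(text.replace(":", ""), 16)


def is_multicast(mac):
    """I/G bit: the least significant bit of the first byte on the wire."""
    return bool((mac >> 40) & 0x01)


@dataclass
class MacFilter:  # hypothetical record for one planned static filter
    mac: str
    vlan: int
    src_ports: list = field(default_factory=list)
    dest_ports: list = field(default_factory=list)


def check_filters(filters, valid_vlans):
    """Return (mac, vlan, code) tuples for every rule violation found."""
    problems, seen = [], set()
    pool20 = dest_only = 0
    for f in filters:
        try:
            mac = parse_mac(f.mac)
        except ValueError:
            problems.append((f.mac, f.vlan, "bad-format"))
            continue
        if any(lo <= mac <= hi for lo, hi in RESTRICTED):
            problems.append((f.mac, f.vlan, "restricted-address"))
            continue
        if f.vlan not in valid_vlans:
            problems.append((f.mac, f.vlan, "unknown-vlan"))
        if (mac, f.vlan) in seen:
            problems.append((f.mac, f.vlan, "duplicate-entry"))
        seen.add((mac, f.vlan))
        if f.dest_ports and not is_multicast(mac):
            problems.append((f.mac, f.vlan, "dest-ports-on-unicast"))
        # Assumption: entries with no port list count against the smaller pool.
        if is_multicast(mac) and f.dest_ports and not f.src_ports:
            dest_only += 1
        else:
            pool20 += 1
    if pool20 > MAX_SHARED_POOL:
        problems.append((None, None, "over-20-limit"))
    if dest_only > MAX_DEST_ONLY:
        problems.append((None, None, "over-256-limit"))
    return problems


# Constructed sample plan, not taken from a real device.
SAMPLE_FILTERS = [
    MacFilter("01:00:5E:01:02:03", 10, dest_ports=["0/1"]),
    MacFilter("01:80:C2:00:00:0E", 10),
    MacFilter("01:80:C2:00:00:10", 10, dest_ports=["0/2"]),
    MacFilter("00:11:22:33:44:55", 10, dest_ports=["0/3"]),
    MacFilter("00:11:22:33:44:56", 99, src_ports=["0/4"]),
    MacFilter("0011.2233.4455", 10),
]

if __name__ == "__main__":
    for mac, vlan, code in check_filters(SAMPLE_FILTERS, {10, 20}):
        print(mac, vlan, code)
```

Note that 01:80:C2:00:00:10 passes: it falls between the two restricted 01:80:C2 ranges listed above.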
show mac-address-table static This command displays the Static MAC Filtering information for all Static MAC Filters. If you specify all, all the Static MAC Filters in the system are displayed. If you supply a value for macaddr, you must also enter a value for vlanid, and the system displays Static MAC Filter information only for that MAC address and VLAN.
show mac-address-table static {macaddr vlanid | all} Mode: Privileged EXEC Parameters:
show mac-address-table staticfiltering This command displays the Static Filtering entries in the Multicast Forwarding Database (MFDB) table.
show mac-address-table staticfiltering Mode: Privileged EXEC Parameters:
DHCP Client Commands
The EdgeSwitch can include vendor and configuration information in DHCP client requests relayed to a DHCP server. This information is included in DHCP Option 60, Vendor Class Identifier. The information is a string of 128 octets.
dhcp client vendor-id-option This command enables the inclusion of DHCP Option-60, Vendor Class Identifier, in the requests transmitted to the DHCP server by the DHCP client operating in the EdgeSwitch.
dhcp client vendor-id-option string Mode: Global Config
dhcp client vendor-id-option-string This parameter sets the DHCP Vendor Option-60 string to be included in the requests transmitted to the DHCP server by the DHCP client operating in the EdgeSwitch.
dhcp client vendor-id-option-string string Mode: Global Config
show dhcp client vendor-id-option This command displays the configured administration mode of the vendor-id-option and the vendor-id string to be included in Option-43 in DHCP requests.
show dhcp client vendor-id-option Mode: Privileged EXEC
DHCP Snooping Configuration Commands
This section describes commands you use to configure DHCP Snooping.
ip dhcp snooping Use this command to enable DHCP Snooping globally.
ip dhcp snooping Mode: Global Config Default: Disabled
ip dhcp snooping vlan Use this command to enable DHCP Snooping on a list of comma-separated VLAN ranges.
ip dhcp snooping vlan vlan-list Mode: Global Config Default: Disabled
ip dhcp snooping verify mac-address Use this command to enable verification of the source MAC address with the client hardware address in the received DHCP message.
ip dhcp snooping verify mac-address Mode: Global Config Default: Enabled
ip dhcp snooping database Use this command to configure the persistent location of the DHCP Snooping database. This can be local or a remote file on a given IP machine.
ip dhcp snooping database {local|tftp://hostIP/filename} Mode: Global Config Default: local
ip dhcp snooping database write-delay Use this command to configure the interval in seconds at which the DHCP Snooping database will be persisted. The interval value ranges from 15 to 86400 seconds.
ip dhcp snooping database write-delay interval Mode: Global Config Default: 300
ip dhcp snooping binding Use this command to configure static DHCP Snooping binding.
ip dhcp snooping binding mac-address vlan vlan-id ip address interface interface-id Mode: Global Config
ip dhcp filtering trust Use this command to enable trusted mode on the interface.
ip dhcp filtering trust interface-id Mode: Global Config
ip dhcp snooping limit Use this command to control the rate at which the DHCP Snooping messages come on an interface or range of interfaces. By default, rate limiting is disabled. When enabled, the rate can range from 0 to 300 packets per second. The burst level range is 1 to 15 seconds.
ip dhcp snooping limit {rate pps [burst interval seconds]} Mode: Interface Config Default: Disabled
ip dhcp snooping log-invalid Use this command to control the logging of DHCP messages filtered by the DHCP Snooping application. This command can be used to configure a single interface or a range of interfaces.
ip dhcp snooping log-invalid Mode: Interface Config Default: Disabled
ip dhcp snooping trust Use this command to configure an interface or range of interfaces as trusted.
ip dhcp snooping trust Mode: Interface Config Default: Disabled
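The DHCP Snooping settings above interact: snooping must be on globally and per VLAN, only uplink ports should be trusted, and the rate, burst and write-delay values have fixed ranges. The following Python audit is an added example, not Ubiquiti code; the sample configuration is constructed, and the `interface slot/port` / `exit` stanza layout, the finding codes, and the `uplinks` and `access_vlans` inputs are assumptions.

```python
import re

# Constructed sample, not captured from a device. The "interface slot/port" ...
# "exit" stanza layout is an assumption; the commands follow the syntax above.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20-22
ip dhcp snooping database tftp://192.0.2.10/snoop.db
ip dhcp snooping database write-delay 10
interface 0/1
ip dhcp snooping trust
exit
interface 0/5
ip dhcp snooping trust
exit
interface 0/6
ip dhcp snooping limit rate 500 burst interval 5
ip dhcp snooping log-invalid
exit
interface 0/7
exit
"""


def parse_vlan_list(text):
    """Expand a comma-separated list of VLAN ranges such as '10,20-22'."""
    vlans = set()
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def audit(config, uplinks, access_vlans):
    """Return a list of (scope, finding) tuples; an empty list means no findings.

    uplinks: ports allowed to be trusted (they face the legitimate DHCP server).
    access_vlans: VLANs that carry client traffic and should be snooped.
    """
    findings, ports, vlans = [], {}, set()
    enabled, current = False, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"interface (\d+/\d+)", line):
            current = ports.setdefault(
                m.group(1), {"trust": False, "rate": None, "burst": None, "log": False})
        elif line == "exit":
            current = None
        elif current is None:
            if line == "ip dhcp snooping":
                enabled = True
            elif m := re.fullmatch(r"ip dhcp snooping vlan (\S+)", line):
                vlans |= parse_vlan_list(m.group(1))
            elif m := re.fullmatch(r"ip dhcp snooping database write-delay (\d+)", line):
                if not 15 <= int(m.group(1)) <= 86400:
                    findings.append(("global", "write-delay-out-of-range"))
            elif re.fullmatch(r"ip dhcp snooping database tftp://\S+", line):
                # TFTP offers no authentication or integrity protection.
                findings.append(("global", "binding-db-on-tftp"))
        elif line == "ip dhcp snooping trust":
            current["trust"] = True
        elif line == "ip dhcp snooping log-invalid":
            current["log"] = True
        elif m := re.fullmatch(
                r"ip dhcp snooping limit rate (\d+)(?: burst interval (\d+))?", line):
            current["rate"] = int(m.group(1))
            current["burst"] = int(m.group(2)) if m.group(2) else None

    if not enabled:
        findings.append(("global", "snooping-disabled"))
    for vlan in sorted(access_vlans - vlans):
        findings.append((f"vlan {vlan}", "snooping-not-enabled"))
    for port, cfg in sorted(ports.items()):
        if cfg["trust"]:
            if port not in uplinks:
                findings.append((port, "trusted-but-not-uplink"))
            continue
        if cfg["rate"] is None:
            findings.append((port, "no-rate-limit"))
        elif not 0 <= cfg["rate"] <= 300:
            findings.append((port, "rate-out-of-range"))
        if cfg["burst"] is not None and not 1 <= cfg["burst"] <= 15:
            findings.append((port, "burst-out-of-range"))
        if not cfg["log"]:
            findings.append((port, "log-invalid-off"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG, {"0/1"}, {10, 20, 30}):
        print(f"{scope}: {finding}")
```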
show ip dhcp snooping Use this command to display the DHCP Snooping global configurations and per port configurations.
show ip dhcp snooping Modes: User / Privileged EXEC Parameters:
show ip dhcp snooping binding Use this command to display the DHCP Snooping binding entries.
show ip dhcp snooping binding [{static|dynamic}] [interface slot/port] [vlanid] Modes: User / Privileged EXEC Parameters:
show ip dhcp snooping database Use this command to display the DHCP Snooping configuration related to the database persistency.
show ip dhcp snooping database Modes: User / Privileged EXEC Parameters:
show ip dhcp snooping interfaces Use this command to show the DHCP Snooping status of the interfaces.
show ip dhcp snooping interfaces Mode: Privileged EXEC
show ip dhcp snooping statistics Use this command to list statistics for DHCP Snooping security violations on untrusted ports.
show ip dhcp snooping statistics Modes: User / Privileged EXEC Parameters:
clear ip dhcp snooping binding Use this command to clear all DHCP Snooping bindings on all interfaces or on a specific interface.
clear ip dhcp snooping binding [interface slot/port] Modes: User / Privileged EXEC
clear ip dhcp snooping statistics Use this command to clear all DHCP Snooping statistics.
clear ip dhcp snooping statistics Modes: User / Privileged EXEC
IGMP/MLD Snooping Commands
This section describes the commands you use to configure IGMP and MLD Snooping. The EdgeSwitch software supports IGMP Versions 1, 2, and 3. The IGMP Snooping feature can help conserve bandwidth because it allows the switch to forward IP multicast traffic only to connected hosts that request multicast traffic. IGMPv3 adds source filtering capabilities to IGMP versions 1 and 2.
Many of the IGMP/MLD Snooping commands are available both in the Interface and VLAN modes. Operationally the system chooses or prefers the VLAN configured values over the Interface configured values for most configurations when the interface participates in the VLAN.
set igmp This command enables IGMP Snooping on the system (Global Config Mode), an interface, or a range of interfaces. This command also enables IGMP Snooping on a particular VLAN (VLAN Config Mode) and can enable IGMP Snooping on all interfaces participating in a VLAN.
If IGMP Snooping is enabled on an interface, enabling routing on the interface or giving the interface port-channel (LAG) membership disables the interface’s IGMP Snooping functionality. IGMP Snooping functionality is restored if routing is disabled or if port-channel (LAG) membership is removed from the interface.
The IGMP application supports the following activities:
- Validation of the IP header checksum (as well as the IGMP header checksum) and discarding of the frame upon checksum error.
- Maintenance of the forwarding table entries based on the MAC address versus the IP address.
- Flooding of unregistered multicast data packets to all ports in the VLAN.
The optional vlan_id parameter is supported only in VLAN Database Config mode.
set igmp [vlan_id] Modes: Global / Interface / VLAN Database Config
set igmp interfacemode This command enables IGMP Snooping on all interfaces. If IGMP Snooping is enabled on an interface, enabling routing on the interface or giving it membership in a port-channel (LAG) disables the interface’s IGMP Snooping functionality. IGMP Snooping functionality is restored if routing is disabled or if port-channel (LAG) membership is removed from the interface.
set igmp interfacemode Mode: Global Config Default: Disabled
set igmp fast-leave This command enables or disables IGMP Snooping fast-leave admin mode on a selected interface, a range of interfaces, or a VLAN. Enabling fast-leave allows the switch to immediately remove the Layer-2 LAN interface from its forwarding table entry upon receiving an IGMP leave message for that multicast group without first sending out MAC-based general queries to the interface.
You should enable fast-leave admin mode only on VLANs where only one host is connected to each Layer-2 LAN port. This prevents the inadvertent dropping of the other hosts that were connected to the same Layer-2 LAN port but were still interested in receiving multicast traffic directed to that group. Also, fast-leave processing is supported only with IGMP version 2 hosts. The optional vlan_id parameter is supported only in VLAN Config mode.
set igmp fast-leave [vlan_id] Modes: Interface / VLAN Database Config Default: Disabled
set igmp groupmembership-interval This command sets the IGMP Group Membership Interval time on a VLAN, one interface, a range of interfaces, or all interfaces. The Group Membership Interval time is the amount of time in seconds that a switch waits for a report from a particular group on a particular interface before deleting the interface from the entry. This value must be greater than the IGMPv3 Maximum Response time value. The range is 2 to 65535 seconds. The optional vlan_id parameter is supported only in VLAN Config mode.
set igmp groupmembership-interval [vlan_id] 2-65535 Modes: Global / Interface / VLAN Database Config Default: 260
set igmp maxresponse This command sets the IGMP Maximum Response time for the system, on a particular interface or VLAN, or on a range of interfaces. The Maximum Response time is the amount of time in seconds that a switch will wait after sending a query on an interface because it did not receive a report for a particular group in that interface. This value must be less than the IGMP Query Interval time value. The range is 1 to 25 seconds. The optional vlan_id parameter is supported only in VLAN Config mode.
set igmp maxresponse [vlan_id] 1-25 Modes: Global / Interface / VLAN Database Config
set igmp mcrtrexpiretime This command sets the Multicast Router Present Expiration time. The time is set for the system, on a particular interface or VLAN, or on a range of interfaces. This is the amount of time in seconds that a switch waits for a query to be received on an interface before the interface is removed from the list of interfaces with multicast routers attached. The range is 0 to 3600 seconds. A value of 0 indicates an infinite timeout; i.e., no expiration. The optional vlan_id parameter is supported only in VLAN Config mode.
set igmp mcrtrexpiretime [vlan_id] 0-3600 Modes: Global / Interface / VLAN Database Config Default: 0
set igmp mrouter This command configures the VLAN ID (vlan_id) that has the multicast router mode enabled.
set igmp mrouter vlan_id Mode: Interface Config
set igmp mrouter interface This command configures the interface or range of interfaces as a multicast router interface. When configured as a multicast router interface, the interface is treated as a multicast router interface in all VLANs.
set igmp mrouter interface Mode: Interface Config
set igmp report-suppression Use this command to suppress the IGMP reports on a given VLAN ID. In order to optimize the number of reports traversing the network with no added benefits, a Report Suppression mechanism is implemented. When more than one client responds to an MGMD query for the same Multicast Group address within the max-response-time, only the first response is forwarded to the querier and others are suppressed at the switch.
set igmp report-suppression vlan_id Mode: VLAN Database Config Default: Disabled
show igmpsnooping This command displays IGMP Snooping information for a given port or VLAN. Configured information is displayed whether or not IGMP Snooping is enabled.
show igmpsnooping [slot/port | vlan_id] Mode: Privileged EXEC Parameters:
show igmpsnooping mrouter interface This command displays information about statically configured ports.
show igmpsnooping mrouter interface slot/port Mode: Privileged EXEC Parameters:
show igmpsnooping mrouter vlan This command displays information about statically configured ports.
show igmpsnooping mrouter vlan slot/port Mode: Privileged EXEC
show igmpsnooping ssm This command displays information about Source Specific Multicasting (SSM) by entry, group, or statistics. SSM delivers multicast packets to receivers that originated from a source address specified by the receiver. SSM is only available with IGMPv3 and MLDv2.
show igmpsnooping ssm {entries | groups | stats} Mode: Privileged EXEC
show mac-address-table igmpsnooping This command displays the IGMP Snooping entries in the MFDB table.
show mac-address-table igmpsnooping Mode: Privileged EXEC Parameters:
set mld This command enables MLD Snooping on the system (Global Config Mode), an interface, or a range of interfaces. This command also enables MLD Snooping on a particular VLAN (VLAN Config Mode) and can enable MLD Snooping on all interfaces participating in a VLAN.
set mld [vlan_id] Modes: Global / Interface / VLAN Database Config
set mld interfacemode This command enables MLD Snooping on all interfaces.
set mld interfacemode Mode: Global Config Default: Disabled
set mld fast-leave This command enables or disables MLD Snooping fast-leave admin mode on a selected interface, a range of interfaces, or a VLAN. Enabling fast-leave allows the switch to immediately remove the Layer-2 LAN interface from its forwarding table entry upon receiving an MLD leave message for that multicast group without first sending out MAC-based general queries to the interface.
You should enable fast-leave admin mode only on VLANs where only one host is connected to each Layer-2 LAN port. This prevents the inadvertent dropping of the other hosts that were connected to the same Layer-2 LAN port but were still interested in receiving multicast traffic directed to that group. Also, fast-leave processing is supported only with MLD version 2 hosts. The optional vlan_id parameter is supported only in VLAN Config mode.
set mld fast-leave [vlan_id] Modes: Interface / VLAN Database Config Default: Disabled
set mld groupmembership-interval This command sets the MLD Group Membership Interval time on a VLAN, one interface, a range of interfaces, or all interfaces. The Group Membership Interval time is the amount of time in seconds that a switch waits for a report from a particular group on a particular interface before deleting the interface from the entry. This value must be greater than the MLDv3 Maximum Response time value. The range is 2 to 65535 seconds. The optional vlan_id parameter is supported only in VLAN Config mode.
set mld groupmembership-interval [vlan_id] 2-65535 Modes: Global / Interface / VLAN Database Config Default: 260
set mld maxresponse This command sets the MLD Maximum Response time for the system, on a particular interface or VLAN, or on a range of interfaces. The Maximum Response time is the amount of time in seconds that a switch will wait after sending a query on an interface because it did not receive a report for a particular group in that interface. This value must be less than the MLD Query Interval time value. The range is 1 to 65 seconds. The optional vlan_id parameter is supported only in VLAN Config mode.
set mld maxresponse [vlan_id] 1-65 Modes: Global / Interface / VLAN Database Config Default: 10
set mld mcrtrexpiretime This command sets the Multicast Router Present Expiration time. The time is set for the system, on a particular interface or VLAN, or on a range of interfaces. This is the amount of time in seconds that a switch waits for a query to be received on an interface before the interface is removed from the list of interfaces with multicast routers attached. The range is 0 to 3600 seconds. A value of 0 indicates an infinite timeout; i.e., no expiration. The optional vlan_id parameter is supported only in VLAN Config mode.
set mld mcrtrexpiretime [vlan_id] 0-3600 Modes: Global / Interface / VLAN Database Config Default: 0
set mld mrouter This command configures the VLAN ID (vlan_id) that has the multicast router mode enabled.
set mld mrouter vlan_id Mode: Interface Config
set mld mrouter interface This command configures the interface or range of interfaces as a multicast router interface. When configured as a multicast router interface, the interface is treated as a multicast router interface in all VLANs.
set mld mrouter interface Mode: Interface Config
show mldsnooping This command displays MLD Snooping information for a given port or VLAN. Configured information is displayed whether or not MLD Snooping is enabled.
show mldsnooping [slot/port | vlan_id] Mode: Privileged EXEC Parameters:
show mldsnooping mrouter interface This command displays information about statically configured ports.
show mldsnooping mrouter interface slot/port Mode: Privileged EXEC Parameters:
show mldsnooping mrouter vlan This command displays information about statically configured ports.
show mldsnooping mrouter vlan slot/port Mode: Privileged EXEC
show mac-address-table mldsnooping This command displays the MLD Snooping entries in the MFDB table.
show mac-address-table mldsnooping Mode: Privileged EXEC Parameters:
IGMP/MLD Snooping Querier Commands
IGMP and MLD Snooping require that one central switch or router periodically query all end-devices on the network to announce their multicast memberships. This central device is the IGMP/MLD Querier. The query responses, known as reports, keep the switch updated with the current multicast group membership on a port-by-port basis. If the switch does not receive updated membership information in a timely fashion, it will stop forwarding multicasts to the port where the end device is located.
This section describes commands used to configure and display information on IGMP and MLD Snooping Queriers on the network and, separately, on VLANs.
Many of the IGMP/MLD Snooping commands are available both in the Interface and VLAN modes. Operationally the system chooses or prefers the VLAN configured values over the Interface configured values for most configurations when the interface participates in the VLAN.
set igmp querier Use this command to enable IGMP Snooping Querier on the system, using Global Config mode, or on a VLAN. Using this command, you can specify the IP Address that the Snooping Querier switch should use as the source address while generating periodic queries. The Querier IP Address assigned for a VLAN takes precedence over global configuration. The IGMP Snooping Querier application supports sending periodic general queries on the VLAN to solicit membership reports.
set igmp querier [vlan-id] [address ipv4_address] Modes: Global / VLAN Database Config Default: Disabled |
set igmp querier query-interval Use this command to set the IGMP Querier Query Interval time. It is the amount of time in seconds that the switch waits before sending another general query.
set igmp querier query-interval 1-1800 Mode: Global Config Default: 60 |
set igmp querier timer expiry Use this command to set the IGMP Querier timer expiration period. It is the time period that the switch remains in Non-Querier mode once it has discovered that there is a Multicast Querier in the network.
set igmp querier timer expiry 60-300 Mode: Global Config Default: 125 |
set igmp querier version Use this command to set the IGMP version of the query that the snooping switch is going to send periodically.
set igmp querier version 1-2 Mode: Global Config Default: 1 |
set igmp querier election participate Use this command to enable the Snooping Querier to participate in the Querier Election process when it discovers the presence of another Querier in the VLAN. When this mode is enabled, if the Snooping Querier finds that the other Querier’s source address is better (less) than the Snooping Querier’s address, it stops sending periodic queries. If the Snooping Querier wins the election, then it will continue sending periodic queries.
set igmp querier election participate Mode: VLAN Database Config Default: Disabled |
show igmpsnooping querier Use this command to display IGMP Snooping Querier information. Configured information is displayed whether or not IGMP Snooping Querier is enabled.
show igmpsnooping querier [{detail | vlan vlanid}] Mode: Privileged EXEC
set mld querier Use this command to enable MLD Snooping Querier on the system, using Global Config mode, or on a VLAN. Using this command, you can specify the IPv6 Address that the Snooping Querier switch should use as the source address while generating periodic queries. The Querier IPv6 Address assigned for a VLAN takes precedence over global configuration. The MLD Snooping Querier application supports sending periodic general queries on the VLAN to solicit membership reports.
set mld querier [vlan-id] [address ipv6_address] Modes: Global / VLAN Database Config Default: Disabled |
set mld querier query-interval Use this command to set the MLD Querier Query Interval time. It is the amount of time in seconds that the switch waits before sending another general query.
set mld querier query-interval 1-1800 Mode: Global Config Default: 60 |
set mld querier timer expiry Use this command to set the MLD Querier timer expiration period. It is the time period that the switch remains in Non-Querier mode once it has discovered that there is a Multicast Querier in the network.
set mld querier timer expiry 60-300 Mode: Global Config Default: 60 |
set mld querier election participate Use this command to enable the Snooping Querier to participate in the Querier Election process when it discovers the presence of another Querier in the VLAN. When this mode is enabled, if the Snooping Querier finds that the other Querier’s source address is better (less) than the Snooping Querier’s address, it stops sending periodic queries. If the Snooping Querier wins the election, then it will continue sending periodic queries.
set mld querier election participate Mode: VLAN Database Config Default: Disabled |
show mldsnooping querier Use this command to display MLD Snooping Querier information. Configured information is displayed whether or not MLD Snooping Querier is enabled.
show mldsnooping querier [{detail | vlan vlanid}] Mode: Privileged EXEC
Port Security Commands
This section describes the commands you use to configure Port Security on the switch. Port security, which is also known as port MAC locking, allows you to secure the network by locking allowable MAC addresses on a given port. Packets with a matching source MAC address are forwarded normally, and all other packets are discarded.
port-security This command enables port locking on an interface, a range of interfaces, or at the system level.
port-security Modes: Global / Interface Config Default: Disabled |
port-security max-dynamic This command sets the maximum number of dynamically locked MAC addresses allowed on a specific port. The valid range is 0–600.
port-security max-dynamic maxvalue Mode: Interface Config Default: 600 |
port-security max-static This command sets the maximum number of statically locked MAC addresses allowed on a port. The valid range is 0–20.
port-security max-static maxvalue Mode: Interface Config |
port-security mac-address This command adds a MAC address to the list of statically locked MAC addresses for an interface or range of interfaces. The vid parameter is the VLAN ID.
port-security mac-address mac-address vid Mode: Interface Config |
port-security mac-address move This command converts dynamically locked MAC addresses to statically locked addresses for an interface or range of interfaces.
port-security mac-address move Mode: Interface Config |
port-security mac-address sticky This command enables sticky mode Port MAC Locking on a port. If accompanied by a MAC address and a VLAN ID (for Interface Config mode only), it adds a sticky MAC address to the list of statically locked MAC addresses. These sticky addresses are converted back to dynamically locked addresses if sticky mode is disabled on the port. The vid parameter is the VLAN ID. The Global command applies the sticky mode to all valid interfaces (physical and LAG). Dynamically learned sticky addresses will appear in show running-config output as port-security mac-address sticky mac-address vid entries. This distinguishes them from static entries.
port-security mac-address sticky [mac-address vid] Modes: Global / Interface Config |
show port-security This command displays the port-security settings for the port(s). If you do not use a parameter, the command displays the Port Security Administrative mode. Use the optional parameters to display the settings on a specific interface or on all interfaces.
show port-security [{slot/port | all}] Mode: Privileged EXEC Parameters:
show port-security dynamic This command displays the dynamically locked MAC addresses for the port.
show port-security dynamic slot/port Mode: Privileged EXEC |
show port-security static This command displays the statically locked MAC addresses for the port.
show port-security static slot/port Mode: Privileged EXEC |
show port-security violation This command displays the source MAC address of the last packet discarded on a locked port.
show port-security violation slot/port Mode: Privileged EXEC |
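The port-security mac-address sticky entry above says that sticky addresses show up in show running-config output in a form that distinguishes them from static entries. The following added example (not Ubiquiti code) parses that form so sticky entries and unlocked ports can be reviewed; the `interface <slot/port>` ... `exit` layout, the MAC notation and all sample values are assumptions.

```python
import re

# Constructed excerpt. The "interface <slot/port>" ... "exit" layout is an
# assumption about show running-config output; MACs and VLAN IDs are made up.
SAMPLE_CONFIG = """\
port-security
interface 0/1
port-security
port-security max-dynamic 0
port-security max-static 2
port-security mac-address 00:11:22:33:44:55 10
exit
interface 0/2
port-security
port-security mac-address sticky
port-security mac-address sticky 02:AA:BB:CC:DD:01 20
port-security mac-address sticky 02:AA:BB:CC:DD:02 20
exit
interface 0/3
lldp transmit-mgmt
exit
"""

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
ENTRY = re.compile(rf"port-security mac-address (sticky )?({MAC}) (\d+)")
LIMIT = re.compile(r"port-security max-(dynamic|static) (\d+)")


def parse_port_security(text):
    """Return (global_enabled, {port: settings}) from running-config text."""
    global_enabled, ports, cur = False, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("interface "):
            cur = ports.setdefault(line.split(None, 1)[1], {
                "enabled": False, "sticky_mode": False,
                "max": {}, "static": [], "sticky": []})
        elif line == "exit":
            cur = None
        elif line == "port-security":
            # Outside an interface block this is the system-level setting.
            if cur is None:
                global_enabled = True
            else:
                cur["enabled"] = True
        elif cur is not None:
            if line == "port-security mac-address sticky":
                cur["sticky_mode"] = True
            elif m := ENTRY.fullmatch(line):
                kind = "sticky" if m.group(1) else "static"
                cur[kind].append((m.group(2).lower(), int(m.group(3))))
            elif m := LIMIT.fullmatch(line):
                cur["max"][m.group(1)] = int(m.group(2))
    return global_enabled, ports


def review(text):
    """List the points an operator should look at, one string per finding."""
    global_enabled, ports = parse_port_security(text)
    out = [] if global_enabled else ["global: port-security not enabled"]
    for port, p in ports.items():
        if not p["enabled"]:
            out.append(f"{port}: port-security not enabled")
            continue
        for mac, vid in p["sticky"]:
            out.append(f"{port}: sticky entry {mac} vlan {vid}, confirm the device")
    return out


if __name__ == "__main__":
    print("\n".join(review(SAMPLE_CONFIG)))
```

Run it against a saved configuration before using port-security mac-address move, so that only addresses you recognize end up statically locked.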
LLDP (802.1AB) Commands
This section describes the commands you use to configure Link Layer Discovery Protocol (LLDP), which is defined in the IEEE 802.1AB specification. LLDP allows stations on an 802 LAN to advertise major capabilities and physical descriptions. The advertisements allow a network management system (NMS) to access and display this information.
lldp transmit Use this command to enable the LLDP advertise capability on an interface or a range of interfaces.
lldp transmit Mode: Interface Config Default: Enabled (on v1.8.0+ firmware) |
lldp receive Use this command to enable the LLDP receive capability on an interface or a range of interfaces.
lldp receive Mode: Interface Config Default: Enabled (on v1.8.0+ firmware) |
lldp timers Use this command to set the timing parameters for local data transmission on ports enabled for LLDP.
lldp timers [interval interval-seconds] [hold hold-value] [reinit reinit-seconds] Mode: Global Config Default: interval: 30 seconds / hold: 4 / reinit: 2 seconds Parameters:
lldp transmit-tlv Use this command to specify which optional type length values (TLVs) in the 802.1AB basic management set are transmitted in the LLDPDUs from an interface or range of interfaces.
lldp transmit-tlv [sys-desc] [sys-name] [sys-cap] [port-desc] [port-vlan] [power-mdi] Mode: Interface Config Default: port-vlan TLV is included Parameters:
lldp transmit-mgmt Use this command to include transmission of the local system management address information in the LLDPDUs.
lldp transmit-mgmt Mode: Interface Config Default: Disabled |
lldp notification Use this command to enable remote data change notifications on an interface or a range of interfaces.
lldp notification Mode: Interface Config Default: Disabled |
lldp notification-interval Use this command to configure how frequently the system sends remote data change notifications. The interval parameter is the number of seconds to wait between sending notifications. The valid interval range is 5-3600 seconds.
lldp notification-interval interval Mode: Global Config Default: 5 |
clear lldp statistics Use this command to reset all LLDP statistics, including MED-related information.
clear lldp statistics Mode: Privileged EXEC |
clear lldp remote-data Use this command to delete all information from the LLDP remote data table, including MED-related information.
clear lldp remote-data Mode: Privileged EXEC |
show lldp Use this command to display a summary of the current LLDP configuration.
show lldp Mode: Privileged EXEC Parameters:
show lldp interface Use this command to display a summary of the current LLDP configuration for a specific interface or for all interfaces.
show lldp interface {slot/port | all} Mode: Privileged EXEC Parameters:
show lldp statistics Use this command to display the current LLDP traffic and remote table statistics for a specific interface or for all interfaces.
show lldp statistics {slot/port | all} Mode: Privileged EXEC Parameters:
show lldp remote-device Use this command to display summary information about remote devices that transmit current LLDP data to the system. You can show information about LLDP remote data received on all ports or on a specific port.
show lldp remote-device {slot/port | all} Mode: Privileged EXEC Parameters:
show lldp remote-device detail Use this command to display detailed information about remote devices that transmit current LLDP data to an interface on the system.
show lldp remote-device detail slot/port Mode: Privileged EXEC Parameters:
show lldp local-device Use this command to display summary information about the advertised LLDP local data. This command can display summary information or detail for each interface.
show lldp local-device {slot/port | all} Mode: Privileged EXEC |
show lldp local-device detail Use this command to display detailed information about the LLDP data a specific interface transmits.
show lldp local-device detail slot/port Mode: Privileged EXEC Parameters:
LLDP-MED Commands
Link Layer Discovery Protocol - Media Endpoint Discovery (LLDP-MED) (ANSI-TIA-1057) provides an extension to the LLDP standard. Specifically, LLDP-MED provides extensions for network configuration and policy, device location, Power over Ethernet (PoE) management and inventory management.
lldp med confignotification Use this command to configure an interface or a range of interfaces to send the topology change notification.
lldp med confignotification Mode: Interface Config Default: Disabled |
lldp med transmit-tlv Use this command to specify which optional Type Length Values (TLVs) in the LLDP MED set will be transmitted in the Link Layer Discovery Protocol Data Units (LLDPDUs) from this interface or a range of interfaces.
lldp med transmit-tlv [capabilities] [inventory] [network-policy] [ubnt-ex-pse] Mode: Interface Config Default: capabilities, network-policy and inventory TLVs are enabled Parameters:
lldp med confignotification all Use this command to configure all the ports to send the topology change notification.
lldp med confignotification all Mode: Global Config Default: Disabled |
lldp med faststartrepeatcount Use this command to set the value of the fast start repeat count. The count is the number of LLDP PDUs that will be transmitted when the product is enabled. The range is 1 to 10.
lldp med faststartrepeatcount [count] Mode: Global Config Default: 3 |
lldp med transmit-tlv all Use this command to specify which optional Type Length Values (TLVs) in the LLDP MED set will be transmitted in the Link Layer Discovery Protocol Data Units (LLDPDUs).
lldp med transmit-tlv all [capabilities] [inventory] [network-policy] [ubnt-ex-pse] Mode: Global Config Default: capabilities, network-policy and inventory TLVs are enabled Parameters:
show lldp med Use this command to display a summary of the current LLDP MED configuration.
show lldp med Mode: Privileged EXEC |
show lldp med interface Use this command to display a summary of the current LLDP MED configuration for a specific interface.
show lldp med interface {slot/port | all} Mode: Privileged EXEC |
show lldp med local-device detail Use this command to display detailed information about the LLDP MED data that a specific interface transmits.
show lldp med local-device detail slot/port Mode: Privileged EXEC |
show lldp med remote-device Use this command to display the summary information about remote devices that transmit current LLDP MED data to the system. You can show information about LLDP MED remote data received on all valid LLDP interfaces or on a specific physical interface.
show lldp med remote-device {slot/port | all} Mode: Privileged EXEC Parameters:
show lldp med remote-device detail Use this command to display detailed information about remote devices that transmit current LLDP MED data to an interface on the system.
show lldp med remote-device detail slot/port Mode: Privileged EXEC |
Denial of Service Commands
This section describes the commands you use to configure Denial of Service (DoS) Control. The EdgeSwitch software provides support for classifying and blocking specific types of Denial of Service attacks.
You can configure your system to monitor and block these types of attacks:
- SIP = DIP: Source IP address = Destination IP address.
- First Fragment: TCP Header size smaller than the configured value.
- TCP Fragment: IP Fragment Offset = 1.
- TCP Flag: TCP Flag SYN set and Source Port < 1024 or TCP Control Flags = 0 and TCP Sequence Number = 0 or TCP Flags FIN, URG, and PSH set and TCP Sequence Number = 0 or TCP Flags SYN and FIN set.
- L4 Port: Source TCP/UDP Port = Destination TCP/UDP Port.
- ICMP: Limiting the size of ICMP Ping packets.
- SMAC = DMAC: Source MAC address = Destination MAC address.
- TCP Port: Source TCP Port = Destination TCP Port.
- UDP Port: Source UDP Port = Destination UDP Port.
- TCP Flag & Sequence: TCP Flag SYN set and Source Port < 1024 or TCP Control Flags = 0 and TCP Sequence Number = 0 or TCP Flags FIN, URG, and PSH set and TCP Sequence Number = 0 or TCP Flags SYN and FIN set.
- TCP Offset: TCP Header Offset = 1.
- TCP SYN: TCP Flag SYN set.
- TCP SYN & FIN: TCP Flags SYN and FIN set.
- TCP FIN & URG & PSH: TCP Flags FIN and URG and PSH set and TCP Sequence Number = 0.
- ICMP V6: Limiting the size of ICMPv6 Ping packets.
- ICMP Fragment: Checks for fragmented ICMP packets.
dos-control all This command enables Denial of Service protection checks globally.
dos-control all Mode: Global Config Default: Disabled |
dos-control sipdip This command enables Source IP address = Destination IP address (SIP = DIP) Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress with SIP = DIP, the packets will be dropped if the mode is enabled.
dos-control sipdip Mode: Global Config Default: Disabled |
dos-control firstfrag This command enables Minimum TCP Header Size Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having a TCP Header Size smaller than the configured value, the packets will be dropped if the mode is enabled. The default is disabled. If you enable dos-control firstfrag, but do not provide a Minimum TCP Header Size, the system sets that value to 20.
dos-control firstfrag [0-255] Mode: Global Config Default: Disabled, 20 if enabled. |
dos-control tcpfrag This command enables TCP Fragment Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having IP Fragment Offset equal to one (1), the packets will be dropped if the mode is enabled.
dos-control tcpfrag Mode: Global Config Default: Disabled |
dos-control tcpflag This command enables TCP Flag Denial of Service protections. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having TCP Flag SYN set and a source port less than 1024 or having TCP Control Flags set to 0 and TCP Sequence Number set to 0 or having TCP Flags FIN, URG, and PSH set and TCP Sequence Number set to 0 or having TCP Flags SYN and FIN both set, the packets will be dropped if the mode is enabled.
dos-control tcpflag Mode: Global Config Default: Disabled |
dos-control l4port This command enables L4 Port Denial of Service protections. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having Source TCP/UDP Port Number equal to Destination TCP/UDP Port Number, the packets will be dropped if the mode is enabled. Some applications mirror source and destination L4 ports – RIP for example uses 520 for both. If you enable dos-control l4port, applications such as RIP may experience packet loss which would render the application inoperable.
dos-control l4port Mode: Global Config Default: Disabled |
dos-control smacdmac This command enables Source MAC address = Destination MAC address (SMAC = DMAC) Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress with SMAC = DMAC, the packets will be dropped if the mode is enabled.
dos-control smacdmac Mode: Global Config Default: Disabled |
dos-control tcpport This command enables TCP L4 source = destination port number (Source TCP Port = Destination TCP Port) Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress with Source TCP Port = Destination TCP Port, the packets will be dropped if the mode is enabled.
dos-control tcpport Mode: Global Config Default: Disabled |
dos-control udpport This command enables UDP L4 source = destination port number (Source UDP Port = Destination UDP Port) DoS protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress with Source UDP Port = Destination UDP Port, the packets will be dropped if the mode is enabled.
dos-control udpport Mode: Global Config Default: Disabled |
dos-control tcpflagseq This command enables TCP Flag and Sequence Denial of Service protections. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having TCP Flag SYN set and a source port less than 1024 or having TCP Control Flags set to 0 and TCP Sequence Number set to 0 or having TCP Flags FIN, URG, and PSH set and TCP Sequence Number set to 0 or having TCP Flags SYN and FIN both set, the packets will be dropped if the mode is enabled.
dos-control tcpflagseq Mode: Global Config Default: Disabled |
dos-control tcpoffset This command enables TCP Offset Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having TCP Header Offset equal to one (1), the packets will be dropped if the mode is enabled.
dos-control tcpoffset Mode: Global Config Default: Disabled |
dos-control tcpsyn This command enables TCP SYN and L4 source = 0-1023 Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having TCP flag SYN set and an L4 source port from 0 to 1023, the packets will be dropped if the mode is enabled.
dos-control tcpsyn Mode: Global Config Default: Disabled |
dos-control tcpsynfin This command enables TCP SYN and FIN Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having TCP flags SYN and FIN set, the packets will be dropped if the mode is enabled.
dos-control tcpsynfin Mode: Global Config Default: Disabled |
dos-control tcpfinurgpsh This command enables TCP FIN and URG and PSH and SEQ = 0 checking Denial of Service protections. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having TCP FIN, URG, and PSH all set and TCP Sequence Number set to 0, the packets will be dropped if the mode is enabled.
dos-control tcpfinurgpsh Mode: Global Config Default: Disabled |
dos-control icmpv4 This command enables Maximum ICMPv4 Packet Size Denial of Service protections. If the mode is enabled, Denial of Service prevention is active for this type of attack. If ICMPv4 Echo Request (PING) packets ingress having a size greater than the configured value, the packets will be dropped if the mode is enabled.
dos-control icmpv4 0-16376 Mode: Global Config Default: Disabled, 512 if enabled |
dos-control icmpv6 This command enables Maximum ICMPv6 Packet Size Denial of Service protections. If the mode is enabled, Denial of Service prevention is active for this type of attack. If ICMPv6 Echo Request (PING) packets ingress having a size greater than the configured value, the packets will be dropped if the mode is enabled.
dos-control icmpv6 0-16376 Mode: Global Config Default: Disabled, 512 if enabled |
dos-control icmpfrag This command enables ICMP Fragment Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If fragmented ICMP packets ingress, the packets will be dropped if the mode is enabled.
dos-control icmpfrag Mode: Global Config |
show dos-control This command displays Denial of Service configuration information.
show dos-control Mode: Privileged EXEC Parameters:
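The conditions documented in this section, applied to raw frames so that captured traffic can be checked before a dos-control option is enabled. This is an added example, not EdgeSwitch code: `matched_checks` reads each condition literally for untagged IPv4 frames and does not model tcpoffset or icmpv6. The frame builders, the sample frames and the reading of ICMP "size" as message length are assumptions.

```python
import struct

FIN, SYN, PSH, ACK, URG = 0x01, 0x02, 0x08, 0x10, 0x20


def matched_checks(frame, min_tcp_hdr=20, max_icmp=512):
    """Sorted dos-control keywords whose documented condition, read literally,
    matches an untagged Ethernet II frame carrying IPv4."""
    hits = set()
    if len(frame) < 14:
        return []
    if frame[0:6] == frame[6:12]:                       # SMAC = DMAC
        hits.add("smacdmac")
    if frame[12:14] != b"\x08\x00" or len(frame) < 34:  # not IPv4, or truncated
        return sorted(hits)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20:
        return sorted(hits)
    total_len, _ident, frag = struct.unpack("!HHH", ip[2:8])
    frag_off, more_frags, proto = frag & 0x1FFF, bool(frag & 0x2000), ip[9]
    if ip[12:16] == ip[16:20]:                          # SIP = DIP
        hits.add("sipdip")
    l4 = ip[ihl:total_len]
    if proto == 1:                                      # ICMPv4
        if frag_off or more_frags:
            hits.add("icmpfrag")
        # Assumption: "size" means the ICMP message length (header + data).
        if frag_off == 0 and l4[:1] == b"\x08" and len(l4) > max_icmp:
            hits.add("icmpv4")
    elif proto == 6:                                    # TCP
        if frag_off == 1:
            hits.add("tcpfrag")
        if frag_off == 0 and len(l4) >= 14:
            sport, dport, seq = struct.unpack("!HHI", l4[:8])
            flags = l4[13] & 0x3F                       # URG ACK PSH RST SYN FIN
            if (l4[12] >> 4) * 4 < min_tcp_hdr:
                hits.add("firstfrag")
            syn_low = bool(flags & SYN) and sport < 1024
            null0 = flags == 0 and seq == 0
            fup0 = (flags & (FIN | URG | PSH)) == (FIN | URG | PSH) and seq == 0
            synfin = (flags & (SYN | FIN)) == (SYN | FIN)
            if syn_low:
                hits.add("tcpsyn")
            if synfin:
                hits.add("tcpsynfin")
            if fup0:
                hits.add("tcpfinurgpsh")
            if syn_low or null0 or fup0 or synfin:      # page words both alike
                hits.update(("tcpflag", "tcpflagseq"))
            if sport == dport:
                hits.update(("tcpport", "l4port"))
    elif proto == 17 and frag_off == 0 and len(l4) >= 4:  # UDP
        sport, dport = struct.unpack("!HH", l4[:4])
        if sport == dport:
            hits.update(("udpport", "l4port"))
    return sorted(hits)


# Constructed sample frames: checksums left at 0, documentation-range addresses.
def ipv4_frame(proto, l4, src="192.0.2.10", dst="192.0.2.20", frag=0):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, frag, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + ip + l4


def tcp(sport, dport, seq, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)


def udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


SAMPLES = {
    "rip_update": ipv4_frame(17, udp(520, 520, b"\x02\x02\x00\x00")),
    "client_syn": ipv4_frame(6, tcp(51000, 443, 1000, SYN)),
    "https_synack": ipv4_frame(6, tcp(443, 51000, 2000, SYN | ACK)),
    "syn_fin": ipv4_frame(6, tcp(40000, 80, 5, SYN | FIN)),
    "same_src_dst": ipv4_frame(17, udp(1234, 53), src="192.0.2.10", dst="192.0.2.10"),
    "ping_1000": ipv4_frame(1, struct.pack("!BBHHH", 8, 0, 0, 1, 1) + bytes(1000)),
}


def audit(samples=SAMPLES):
    """Map each sample name to the dos-control keywords it would trip."""
    return {name: matched_checks(frame) for name, frame in samples.items()}


if __name__ == "__main__":
    for name, hits in audit().items():
        print(f"{name:14} {', '.join(hits) or '-'}")
```

In the constructed samples the RIP update trips l4port and udpport, as the dos-control l4port entry warns. A SYN-ACK sent from port 443 also satisfies the tcpsyn wording as written, so confirm on the switch how return traffic from servers on ports below 1024 is treated before enabling that check.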
MAC Database Commands
This section describes the commands you use to configure and view information about the MAC databases.
bridge aging-time This command configures the forwarding database address aging timeout in seconds. The seconds parameter must be within the range of 10 to 1,000,000 seconds.
bridge aging-time 10-1000000 Mode: Global Config Default: 300 |
show forwardingdb agetime This command displays the timeout for address aging.
show forwardingdb agetime Mode: Privileged EXEC Parameters:
show mac-address-table multicast This command displays the Multicast Forwarding Database (MFDB) information. If you enter the command with no parameter, the entire table is displayed. You can display the table entry for one MAC address by specifying the MAC address as an optional parameter.
show mac-address-table multicast [macaddr] Mode: Privileged EXEC Parameters:
show mac-address-table stats This command displays the Multicast Forwarding Database (MFDB) statistics.
show mac-address-table stats Mode: Privileged EXEC Parameters:
Power over Ethernet (PoE) Commands
This section lists the available PoE commands on the EdgeSwitch.
poe opmode This command sets the PoE operational mode on specific port(s).
poe opmode {auto | passive24V | shutdown} Mode: Interface Config Default: auto Parameters:
poe powerkeeper This command enables or disables the PoE powerkeeper feature, which keeps the PoE output power on during a software initiated reboot (reload).
poe powerkeeper Mode: Global Config Default: Enabled
poe reset This command turns the PoE off and on using a specified timer between 1 and 60 seconds.
poe reset 1-60 Mode: Interface Config
poe watchdog This command configures the PoE watchdog feature, which verifies the reachability of a certain host and power cycles the port when reachability is lost.
poe watchdog [ address ipaddr|hostname | failure-count 1-3600 | interval 1-3600 | off-delay 1-60 | start-delay 1-65535 ] Mode: Interface Config Parameters:
show poe counters This command displays the related counters of PoE status on the port(s).
show poe counters {all | intf-range} Mode: Privileged EXEC Parameters:
clear poe counters This command clears the related counter of PoE status on specific port(s).
clear poe counters {all | intf-range} Mode: Privileged EXEC |
show poe port This command displays the PoE configuration of specific ports.
show poe port {all | intf-range} Mode: Privileged EXEC Parameters:
show poe status This command displays the PoE status on specific ports.
show poe status {all | intf-range} Mode: Privileged EXEC Parameters:
DHCP L2 Relay Commands
This section describes the commands you use for the DHCP L2 Relay feature.
dhcp l2relay (Global Config) Use this command to enable DHCP L2 Relay feature globally.
dhcp l2relay Mode: Global Config Default: Disabled |
dhcp l2relay (Interface Config) Use this command to enable DHCP L2 Relay feature on the port.
dhcp l2relay Mode: Interface Config Default: Disabled |
dhcp l2relay trust Use this command to enable this interface to be trusted for L2 Relay (Option 82).
dhcp l2relay trust Mode: Interface Config |
dhcp l2relay circuit-id Use this command to enable the circuit-id suboption of DHCP Option 82 on the specified VLAN.
dhcp l2relay circuit-id vlan vlan-id Mode: Global Config |
dhcp l2relay remote-id Use this command to enable the remote-id suboption of DHCP Option-82 on the specified VLAN.
dhcp l2relay remote-id string vlan vlan-id Mode: Global Config |
dhcp l2relay vlan Use this command to enable the DHCP L2 Relay feature on the specified VLAN(s).
dhcp l2relay vlan vlan-range Mode: Global Config |
show dhcp l2relay Display DHCP L2 Relay configuration for a certain VLAN or interface.
show dhcp l2relay [all | agent-option vlan vlan-range | circuit-id vlan vlan-range | remote-id vlan vlan-range | interface {all | slot/port} | vlan vlan-range | stats {interface {all | slot/port}} ] Mode: Privileged EXEC |
Dynamic ARP Inspection (DAI) and IP Source Guard Commands
This section describes the commands you use for the Dynamic ARP Inspection (DAI) and IP Source Guard features.
ip arp inspection vlan Use this command to enable DAI on a VLAN or range of VLANs and optionally enable logging of invalid ARP packets.
ip arp inspection vlan vlan-list [logging] Mode: Global Config Default: Disabled |
ip arp inspection validate Enable additional DAI validation based on source, destination MAC addresses and/or IP addresses.
ip arp inspection validate [src-mac | dst-mac | ip] Mode: Global Config |
ip arp inspection filter Apply an ARP Access-List to a VLAN or range of VLANs. The static keyword specifies if the ARP ACL filter is static on a VLAN.
ip arp inspection filter arp-acl vlan vlan-list [static] Mode: Global Config |
arp access-list Use this command to create an ARP Access-List.
arp access-list name Mode: Global Config |
permit (ARP Access-List Config) Use this command to add a rule for a valid IP address and MAC address combination.
permit ip host ipaddr mac host macaddr Mode: ARP Access-List Config |
ip arp inspection trust Use this command to configure a port as trusted for DAI.
ip arp inspection trust Mode: Interface Config Default: Untrusted |
ip arp inspection limit rate Use this command to configure the DAI rate limit and burst interval values for an interface.
ip arp inspection limit rate rate Mode: Interface Config |
show ip arp inspection vlan Use this command to display the Dynamic ARP Inspection (DAI) configuration for a VLAN or range of VLANs.
show ip arp inspection vlan vlan-range Mode: Privileged EXEC |
show ip arp inspection interfaces Use this command to display DAI configuration on an interface.
show ip arp inspection interfaces slot/port Mode: Privileged EXEC |
show ip arp inspection statistics Use this command to display the statistics of the ARP packets that are processed by DAI.
show ip arp inspection statistics [vlan vlan-range] Mode: Privileged EXEC |
show ip arp inspection Use this command to show the global DAI configuration.
show ip arp inspection Mode: Privileged EXEC |
ip verify binding Use this command to add a static IP Source Guard binding entry.
ip verify binding macaddr vlan vlan ipaddr interface slot/port Mode: Global Config |
ip verify source Use this command to enable IP Source Guard verification on an interface. The port-security keyword also enables MAC source verification.
ip verify source [port-security] Mode: Interface Config |
show ip verify Use this command to display the IP Source Guard entries.
show ip verify [ interface slot/port | source {interface slot/port} ] Mode: Privileged EXEC |
IPv6 ND RA Guard Commands
This section describes the commands you use for the IPv6 ND RA Guard feature.
ipv6 nd raguard attach-policy Use this command to configure the IPv6 RA GUARD host mode on an interface. Apply on ports that connect to hosts that should not be allowed to send Router Advertisements (RAs).
ipv6 nd raguard attach-policy Mode: Interface Config |
show ipv6 nd raguard policy Use this command to display the interfaces where the IPv6 ND RA Guard feature is enabled.
show ipv6 nd raguard policy Mode: Privileged EXEC |
Routing Commands
This chapter describes the routing commands available in the EdgeSwitch CLI.
Address Resolution Protocol Commands
This section describes the commands you use to configure Address Resolution Protocol (ARP) and to view ARP information on the switch. ARP associates IP addresses with MAC addresses and stores the information as ARP entries in the ARP cache.
arp This command creates an ARP entry. The value for ipaddress is the IP address of a device on a subnet attached to an existing routing interface. The parameter macaddr is a unicast MAC address for that device.
arp ipaddress macaddr Mode: Global Config |
arp cachesize This command configures the ARP cache size.
arp cachesize value Mode: Global Config |
arp dynamicrenew This command enables the ARP component to automatically renew dynamic ARP entries when they age out. When an ARP entry reaches its maximum age, the system must decide whether to retain or delete the entry. If the entry has recently been used to forward data packets, the system will renew the entry by sending an ARP request to the neighbor. If the neighbor responds, the age of the ARP cache entry is reset to 0 without removing the entry from the hardware. Traffic to the host continues to be forwarded in hardware without interruption. If the entry is not being used to forward data packets, then the entry is deleted from the ARP cache, unless the dynamic renew option is enabled.
If the dynamic renew option is enabled, the system sends an ARP request to renew the entry. When an entry is not renewed, it is removed from the hardware and subsequent data packets to the host trigger an ARP request. Traffic to the host may be lost until the router receives an ARP reply from the host. Gateway entries, entries for a neighbor router, are always renewed. The dynamic renew option applies only to host entries. The disadvantage of enabling dynamic renew is that once an ARP cache entry is created, that cache entry continues to take space in the ARP cache as long as the neighbor continues to respond to ARP requests, even if no traffic is being forwarded to the neighbor. In a network where the number of potential neighbors is greater than the ARP cache capacity, enabling dynamic renew could prevent some neighbors from communicating because the ARP cache is full.
arp dynamicrenew Mode: Global Config Default: Disabled |
arp purge This command causes the specified IP address to be removed from the ARP cache. Only entries of type dynamic or gateway are affected by this command.
arp purge ipaddr Mode: Privileged EXEC |
arp resptime This command configures the ARP request response timeout.
arp resptime 1-10 Mode: Global Config Default: 1 |
arp retries This command configures the maximum number of retries for an ARP request.
arp retries 0-10 Mode: Global Config Default: 4 |
arp timeout This command configures the ARP entry ageout time in seconds.
arp timeout 15-21600 Mode: Global Config Default: 1200 |
clear arp-cache This command causes all ARP entries of type dynamic to be removed from the ARP cache. If the gateway keyword is specified, the dynamic entries of type gateway are purged as well.
clear arp-cache [gateway] Mode: Privileged EXEC |
clear arp-switch Use this command to clear the contents of the switch’s Address Resolution Protocol (ARP) table that contains entries learned through the Management port.
clear arp-switch Mode: Privileged EXEC |
show arp This command displays the Address Resolution Protocol (ARP) cache. The displayed results are not the total ARP entries. To view the total ARP entries, the operator should view the show arp results in conjunction with the show arp switch results.
show arp Mode: Privileged EXEC Parameters:
show arp brief This command displays the brief Address Resolution Protocol (ARP) table information.
show arp brief Mode: Privileged EXEC Parameters:
show arp switch This command displays the contents of the switch’s Address Resolution Protocol (ARP) table.
show arp switch Mode: Privileged EXEC Parameters:
IP Routing Commands
This section describes the commands you use to enable and configure IP routing on the switch.
routing This command enables IP routing for an interface or range of interfaces.
routing Mode: Interface Config Default: Disabled |
ip routing This command enables the IP Router Admin Mode for the master switch.
ip routing Mode: Global Config Default: Disabled |
ip address This command configures an IP address on an interface or range of interfaces. You can also use this command to configure one or more secondary IP addresses on the interface by specifying the secondary option.
ip address ipaddr {subnetmask | /masklen} [secondary] Mode: Interface Config |
ip address dhcp This command enables the DHCPv4 client on an in-band interface so that it can acquire network information, such as the IP address, subnet mask, and default gateway, from a network DHCP server. When DHCP is enabled on the interface, the system automatically deletes all manually configured IPv4 addresses on the interface.
ip address dhcp [client-id] Mode: Global Config |
ip default-gateway This command manually configures a default gateway for the switch. Only one default gateway can be configured. The system installs a default IPv4 route with the gateway address as the next hop address. The route preference is 253. A default gateway configured with this command is more preferred than a default gateway learned from a DHCP server.
ip default-gateway ipaddr Mode: Global Config |
release dhcp Use this command to force the DHCPv4 client to release the leased address from the specified interface or VLAN.
release dhcp slot/port | vlan vlanid Mode: Privileged EXEC |
renew dhcp Use this command to force the DHCPv4 client to immediately renew an IPv4 address lease on the specified interface, VLAN, or the network/management interface.
renew dhcp [ slot/port | vlan vlanid | network-port ] Mode: Privileged EXEC |
ip route This command configures a static route. The ipaddr parameter is a valid IP address, and subnetmask is a valid subnet mask. The nexthopip parameter is a valid IP address of the next hop router. Specifying Null0 for the nexthopip parameter adds a discard route.
The optional preference parameter is an integer value (from 1 to 255) that allows you to specify the preference/distance value of an individual static route. The default preference is 1.
ip route ipaddr subnetmask [nexthopip | Null0] [preference] Mode: Global Config |
ip route default This command configures a static route. The nexthopip parameter is a valid IP address of the next hop router. The optional preference parameter is an integer value (from 1 to 255) that allows you to specify the preference/distance value of an individual static route. The default preference is 1.
ip route default nexthopip [preference] Mode: Global Config |
ip route distance This command sets the default distance (preference) for newly added static routes. Changing the default distance does not update the distance of existing static routes.
ip route distance 1-255 Mode: Global Config Default: 1 |
ip netdirbcast This command enables the forwarding of network-directed broadcasts on an interface or range of interfaces. When enabled, network directed broadcasts are forwarded. When disabled, they are dropped.
ip netdirbcast Mode: Interface Config Default: Disabled |
ip mtu This command sets the IP Maximum Transmission Unit (MTU) in bytes on a routed interface. The IP MTU size refers to the maximum size of the IP packet (IP header + IP payload). It does not include any extra bytes that may be required for Layer-2 headers. To receive and process packets, the Ethernet MTU must take into account the size of the Ethernet header.
ip mtu 68-9198 Mode: Interface Config Default: 1500 |
show dhcp lease This command displays a list of IPv4 addresses currently leased from a DHCP server on a specific in-band interface or all in-band interfaces.
show dhcp lease [interface slot/port] Mode: Privileged EXEC Parameters:
show ip brief This command displays all the summary information of the IP, including the ICMP rate limit configuration and the global ICMP Redirect configuration.
show ip brief Modes: User / Privileged EXEC Parameters:
show ip interface This command displays all pertinent information about the IP interface or routed VLAN.
show ip interface {slot/port | vlan 1-4093} Modes: User / Privileged EXEC Parameters:
show ip interface brief This command displays summary information about IP configuration settings for all ports in the router, and indicates how each IP address was assigned.
show ip interface brief Modes: User / Privileged EXEC Parameters:
show ip route This command displays the routing table. When you use the longer-prefixes keyword, the ip-address and mask pair becomes the prefix, and the command displays the routes to the addresses that match that prefix. Use the protocol parameter to specify the protocol that installed the routes. The value for protocol can be connected or static. Use the all parameter to display all routes including best and nonbest routes.
show ip route [{ip-address [protocol] | {ip-address mask [longer-prefixes] [protocol] | protocol} [all] | all}] Modes: User / Privileged EXEC Parameters:
show ip route summary This command displays a summary of the state of the routing table. When the optional all keyword is given, some statistics, such as the number of routes from each source, include counts for alternate routes.
show ip route summary [all] Modes: User / Privileged EXEC Parameters:
clear ip route counters This command resets the IPv4 routing table counters to zero. The command resets only event counters. Counters that report the current state of the routing table, such as the number of routes of each type, are not reset.
clear ip route counters Mode: Privileged EXEC |
show ip route preferences This command displays detailed information about the route preferences for each type of route.
show ip route preferences Modes: User / Privileged EXEC |
show ip stats This command displays IP statistical information.
show ip stats Modes: User / Privileged EXEC |
show routing heap summary This command displays a summary of the memory allocation from the routing heap. The routing heap is a chunk of memory set aside when the system boots for use by the routing applications.
show routing heap summary Mode: Privileged EXEC Parameters:
Router Discovery Protocol Commands
This section describes the commands you use to view and configure Router Discovery Protocol (IRDP) settings on the switch. The Router Discovery Protocol enables a host to discover the IP address of routers on the subnet.
ip irdp This command enables router discovery on an interface or range of interfaces.
ip irdp Mode: Interface Config Default: Disabled |
ip irdp address This command configures the address that the interface uses to send the router discovery advertisements. The valid values for ipaddr are 224.0.0.1, which is the all-hosts IP multicast address, and 255.255.255.255, which is the limited broadcast address.
ip irdp address ipaddr Mode: Interface Config Default: 224.0.0.1 |
ip irdp holdtime This command configures the value, in seconds, of the holdtime field of the router advertisement sent from this interface. The holdtime range is 4 to 9000 seconds.
ip irdp holdtime 4-9000 Mode: Interface Config Default: 3 * maxinterval |
ip irdp maxadvertinterval This command configures the maximum time, in seconds, allowed between sending router advertisements from the interface. The range is 4 to 1800 seconds.
ip irdp maxadvertinterval 4-1800 Mode: Interface Config Default: 600 |
ip irdp minadvertinterval This command configures the minimum time, in seconds, allowed between sending router advertisements from the interface. The range is 3–1800 seconds.
ip irdp minadvertinterval 3-1800 Mode: Interface Config Default: 0.75 * maxadvertinterval |
ip irdp multicast This command configures the destination IP address for router advertisements as 224.0.0.1, which is the default address. The no form of the command configures the IP address as 255.255.255.255 to send router advertisements to the limited broadcast address.
ip irdp multicast ip-address Mode: Interface Config |
ip irdp preference This command configures the preferability of the address as a default router address, relative to other router addresses on the same subnet.
ip irdp preference -2147483648 to 2147483647 Mode: Interface Config Default: 0 |
show ip irdp This command displays the router discovery information for all interfaces, a specified interface, or specified VLAN.
show ip irdp {slot/port | vlan 1-4093 | all} Modes: User / Privileged EXEC |
Virtual LAN Routing Commands
This section describes the commands you use to view and configure VLAN routing and to view VLAN routing status information.
vlan routing (VLAN Database) This command enables routing on a VLAN. The vlanid value has a range of 1-4093. The interface-ID value has a range of 1-128. The ID is configured automatically if not specified.
vlan routing vlanid [interface-ID] Mode: VLAN Database Config |
interface vlan Use this command to enter interface configuration mode for the specified VLAN. The valid vlan-id range is from 1 to 4093.
interface vlan vlan-id Mode: Global Config |
show ip vlan This command displays the VLAN routing information for all VLANs with routing enabled.
show ip vlan Modes: User / Privileged EXEC Parameters:
IP Helper Commands
This section describes the commands to configure and monitor the IP Helper agent. IP Helper relays DHCP and other broadcast UDP packets from a local client to one or more servers that are not on the same network as the client.
The IP Helper feature provides a mechanism that allows a router to forward certain configured UDP broadcast packets to a particular IP address. This allows various applications to reach servers on nonlocal subnets, even if the application was designed to assume a server is always on a local subnet and uses broadcast packets (with either the limited broadcast address 255.255.255.255, or a network directed broadcast address) to reach the server.
The network administrator can configure relay entries both globally and on routing interfaces. Each relay entry maps an ingress interface and destination UDP port number to a single IPv4 address (the helper address). The network administrator may configure multiple relay entries for the same interface and UDP port, in which case the relay agent relays matching packets to each server address. Interface configuration takes priority over global configuration. That is, if a packet’s destination UDP port matches any entry on the ingress interface, the packet is handled according to the interface configuration. If the packet does not match any entry on the ingress interface, the packet is handled according to the global IP helper configuration.
The network administrator can configure discard relay entries, which direct the system to discard matching packets. Discard entries are used to discard packets received on a specific interface when those packets would otherwise be relayed according to a global relay entry. Discard relay entries may be configured on interfaces, but are not configured globally.
In addition to configuring the server addresses, the network administrator also configures which UDP ports are forwarded. Certain UDP port numbers can be specified by name in the UI as a convenience, but the network administrator can configure a relay entry with any UDP port number. The network administrator may configure relay entries that do not specify a destination UDP port.
The system limits the number of relay entries to four times the maximum number of routing interfaces. The network administrator can allocate the relay entries as needed. There is no limit to the number of relay entries on an individual interface, and no limit to the number of servers for a given {interface, UDP port} pair.
The relay agent relays DHCP packets in both directions. It relays broadcast packets from the client to one or more DHCP servers, and relays to the client packets that the DHCP server unicasts back to the relay agent. For other protocols, the relay agent only relays broadcast packets from the client to the server. Packets from the server back to the client are assumed to be unicast directly to the client. Because there is no relay in the return direction for protocols other than DHCP, the relay agent retains the source IP address from the original client packet. The relay agent uses a local IP address as the source IP address of relayed DHCP client packets.
When a switch receives a broadcast UDP packet on a routing interface, the relay agent checks if the interface is configured to relay the destination UDP port. If so, the relay agent unicasts the packet to the configured server IP addresses. Otherwise, the relay agent checks if there is a global configuration for the destination UDP port. If so, the relay agent unicasts the packet to the configured server IP addresses. Otherwise the packet is not relayed. Note that if the packet matches a discard relay entry on the ingress interface, then the packet is not forwarded, regardless of the global configuration.
The relay agent only relays packets that meet the following conditions:
- The destination MAC address must be the all-ones broadcast address (FF:FF:FF:FF:FF:FF).
- The destination IP address must be the broadcast address (255.255.255.255) or a directed broadcast address for the receive interface.
- The IP time-to-live (TTL) must be greater than 1.
- The protocol field in the IP header must be UDP (17).
- The destination UDP port must match a configured relay entry.
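The relay decision described above can be modelled in a few lines. This is an added example, not EdgeSwitch code: the class names, interface names and addresses are constructed, and entries that omit a destination UDP port are not modelled. It is useful for checking which servers a given broadcast would reach before committing helper entries.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import Optional

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
LIMITED_BROADCAST = IPv4Address("255.255.255.255")
UDP = 17
DHCP_SERVER_PORT = 67  # UDP port a DHCP server listens on


@dataclass(frozen=True)
class RelayEntry:
    udp_port: int
    server: Optional[IPv4Address] = None   # helper address; None on a discard entry
    interface: Optional[str] = None        # None means a global entry
    discard: bool = False                  # discard entries exist on interfaces only


@dataclass(frozen=True)
class Packet:
    ingress: str                           # routing interface the packet arrived on
    dst_port: int
    src_ip: IPv4Address
    dst_ip: IPv4Address = LIMITED_BROADCAST
    dst_mac: str = BROADCAST_MAC
    ttl: int = 64
    protocol: int = UDP


@dataclass(frozen=True)
class Decision:
    relayed: bool
    reason: str
    copies: tuple = ()                     # (source IP, server IP) per unicast copy


def relay(pkt, entries, interfaces, helper_enabled=True):
    """Apply the relay conditions, then interface-before-global precedence."""
    if not helper_enabled:
        return Decision(False, "ip helper disabled")
    local = interfaces.get(pkt.ingress)
    if local is None:
        return Decision(False, "not a routing interface")
    if pkt.dst_mac.lower() != BROADCAST_MAC:
        return Decision(False, "destination MAC is not broadcast")
    if pkt.dst_ip not in (LIMITED_BROADCAST, local.network.broadcast_address):
        return Decision(False, "destination IP is not a broadcast for this interface")
    if pkt.ttl <= 1:
        return Decision(False, "TTL not greater than 1")
    if pkt.protocol != UDP:
        return Decision(False, "not UDP")

    on_iface = [e for e in entries
                if e.interface == pkt.ingress and e.udp_port == pkt.dst_port]
    if on_iface:
        # Any match on the ingress interface means the global table is ignored.
        if any(e.discard for e in on_iface):
            return Decision(False, "discard entry on ingress interface")
        chosen, scope = on_iface, "interface"
    else:
        chosen = [e for e in entries
                  if e.interface is None and e.udp_port == pkt.dst_port]
        scope = "global"
        if not chosen:
            return Decision(False, "no relay entry for destination UDP port")

    # DHCP is relayed from a local address; other protocols keep the client source.
    src = local.ip if pkt.dst_port == DHCP_SERVER_PORT else pkt.src_ip
    return Decision(True, f"{scope} configuration",
                    tuple((src, e.server) for e in chosen))


# Constructed sample configuration (interface names and addresses are made up).
INTERFACES = {"0/1": IPv4Interface("10.1.1.1/24"),
              "0/2": IPv4Interface("10.1.2.1/24")}
ENTRIES = [
    RelayEntry(67, IPv4Address("192.0.2.10")),                    # global, dhcp
    RelayEntry(69, IPv4Address("192.0.2.20")),                    # global, tftp
    RelayEntry(67, IPv4Address("192.0.2.11"), interface="0/1"),
    RelayEntry(67, IPv4Address("192.0.2.12"), interface="0/1"),
    RelayEntry(69, interface="0/2", discard=True),
]

if __name__ == "__main__":
    samples = [
        Packet("0/1", 67, IPv4Address("0.0.0.0")),       # DHCP request on 0/1
        Packet("0/1", 69, IPv4Address("10.1.1.50")),     # TFTP broadcast on 0/1
        Packet("0/2", 69, IPv4Address("10.1.2.50")),     # TFTP broadcast on 0/2
        Packet("0/1", 67, IPv4Address("0.0.0.0"), ttl=1),
    ]
    for p in samples:
        print(p.ingress, p.dst_port, relay(p, ENTRIES, INTERFACES))
```

Note that the DHCP request on 0/1 never reaches the global server 192.0.2.10, because the two interface entries for the same port take priority over the global entry.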
ip helper-address (Global Config) Use this command to configure the relay of certain UDP broadcast packets received on any interface. This command can be invoked multiple times, either to specify multiple server addresses for a given UDP port number or to specify multiple UDP port numbers handled by a specific server.
ip helper-address server-address [dest-udp-port | dhcp | domain | isakmp | mobile-ip | nameserver | netbios-dgm | netbios-ns | ntp | pim-auto-rp | rip | tacacs | tftp | time] Mode: Global Config Parameters:
ip helper-address (Interface Config) Use this command to configure the relay of certain UDP broadcast packets received on a specific interface, routed VLAN interface or range of interfaces. This command can be invoked multiple times on a routing interface, either to specify multiple server addresses for a given port number or to specify multiple port numbers handled by a specific server.
ip helper-address server-address [dest-udp-port | dhcp | domain | isakmp | mobile-ip | nameserver | netbios-dgm | netbios-ns | ntp | pim-auto-rp | rip | tacacs | tftp | time] Mode: Interface Config Parameters:
ip helper enable Use this command to enable relay of UDP packets. This command can be used to temporarily disable IP helper without deleting all IP helper addresses. This command replaces the bootpdhcprelay enable command, but affects not only relay of DHCP packets, but also relay of any other protocols for which an IP helper address has been configured.
ip helper enable Mode: Global Config Default: Disabled |
show ip helper-address Use this command to display the IP helper address configuration. The argument slot/port corresponds to a physical routing interface or VLAN routing interface. The keyword vlan is used to specify the VLAN ID of the routing VLAN directly instead of a slot/port format.
show ip helper-address [{slot/port | vlan 1-4093}] Mode: Privileged EXEC Parameters:
show ip helper statistics Use this command to display the number of DHCP and other UDP packets processed and relayed by the UDP relay agent.
show ip helper statistics Mode: Privileged EXEC Parameters:
clear ip helper statistics Use this command to reset to zero the statistics displayed in the show ip helper statistics command.
clear ip helper statistics Mode: Privileged EXEC |
ICMP Throttling Commands
This section describes the commands you use to configure options for the transmission of various types of ICMP messages.
ip unreachables Use this command to enable the generation of ICMP Destination Unreachable messages.
ip unreachables Mode: Interface Config Default: Enabled |
ip redirects Use this command to enable the generation of ICMP Redirect messages on a specific interface or all interfaces (Global Config).
ip redirects Modes: Global / Interface Config Default: Enabled |
ip icmp echo-reply Use this command to enable the generation of ICMP Echo Reply messages.
ip icmp echo-reply Mode: Global Config |
ip icmp error-interval Use this command to limit the rate at which IPv4 ICMP error messages are sent. The rate limit is configured as a token bucket, with two configurable parameters. The burst-interval specifies how often the token bucket is initialized with burst-size tokens and supports a range from 0 to 2147483647 milliseconds (msec). The burst-size is the number of ICMP error messages that can be sent during one burst-interval. The range is from 1 to 200 messages. To disable ICMP rate limiting, set burst-interval to zero (0).
ip icmp error-interval burst-interval [burst-size] Mode: Global Config Default: burst-interval: 1000 msec / burst-size: 100 messages |
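The token bucket behind ip icmp error-interval can be simulated to see how many ICMP error messages a burst of offending traffic actually produces. This is an added example, not EdgeSwitch code: the class and function names are hypothetical, event times are constructed, and aligning the first interval to t = 0 is an assumption.

```python
class IcmpErrorLimiter:
    """Bucket that is re-initialised to burst_size every burst_interval_ms."""

    def __init__(self, burst_interval_ms=1000, burst_size=100):
        # Ranges and defaults are the ones documented for ip icmp error-interval.
        if not 0 <= burst_interval_ms <= 2147483647:
            raise ValueError("burst-interval must be 0-2147483647 msec")
        if not 1 <= burst_size <= 200:
            raise ValueError("burst-size must be 1-200 messages")
        self.interval = burst_interval_ms
        self.size = burst_size
        self.window_start = 0          # assumption: first interval starts at t = 0
        self.tokens = burst_size

    def allow(self, now_ms):
        """Return True if an ICMP error may be sent at time now_ms."""
        if self.interval == 0:         # burst-interval 0 disables rate limiting
            return True
        elapsed = now_ms - self.window_start
        if elapsed >= self.interval:
            # Skip whole intervals that passed and start with a full bucket.
            self.window_start += (elapsed // self.interval) * self.interval
            self.tokens = self.size
        if self.tokens:
            self.tokens -= 1
            return True
        return False


def simulate(event_times_ms, limiter):
    """Feed non-decreasing event times (msec); return (sent, suppressed)."""
    events = list(event_times_ms)
    sent = sum(1 for t in events if limiter.allow(t))
    return sent, len(events) - sent


if __name__ == "__main__":
    # Constructed load: one error-triggering packet per millisecond.
    print("defaults, 2.5 s of load:", simulate(range(0, 2500), IcmpErrorLimiter()))
    print("burst across a boundary:", simulate(range(900, 1100), IcmpErrorLimiter()))
    print("limiting disabled:      ", simulate(range(0, 2500), IcmpErrorLimiter(0)))
```

The second case shows a property of interval-based re-initialisation: a burst that straddles an interval boundary can draw on two full buckets, so up to twice burst-size messages can leave within a window much shorter than burst-interval.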
Quality of Service Commands
This chapter describes the Quality of Service (QoS) commands available in the EdgeSwitch CLI.
Class of Service Commands
This section describes the commands you use to configure and view Class of Service (CoS) settings for the switch. The commands in this section allow you to control the priority and transmission rate of traffic.
classofservice dot1p-mapping This command maps an 802.1p priority to an internal traffic class. The userpriority value can range from 0-7. The trafficclass value can range from 0-6.
classofservice dot1p-mapping userpriority trafficclass Modes: Global / Interface Config |
classofservice ip-dscp-mapping This command maps an IP DSCP value to an internal traffic class. The ipdscp value is specified as either an integer from 0 to 63, or symbolically using one of the keywords such as af11 or ef. The trafficclass values can range from 0-6.
classofservice ip-dscp-mapping ipdscp trafficclass Mode: Global Config |
classofservice ip-precedence-mapping This command maps an IP Precedence value to an internal traffic class for a specific interface.
classofservice ip-precedence-mapping [0-7] Mode: Global Config |
classofservice trust This command sets the class of service trust mode of an interface or range of interfaces. You can set the mode to trust the Dot1p (802.1p) or IP DSCP packet markings. You can also set the interface mode to untrusted.
classofservice trust {dot1p | ip-dscp | untrusted} Modes: Global / Interface Config Default: dot1p |
cos-queue max-bandwidth This command specifies the maximum transmission bandwidth guarantee for each interface queue on an interface, a range of interfaces, or all interfaces. A value from 0-100 (percentage of link rate) must be specified for each supported queue, with 0 indicating no maximum bandwidth. The sum of all values entered must not exceed 100.
cos-queue max-bandwidth bw-0 bw-1...bw-n Modes: Global / Interface Config |
cos-queue min-bandwidth This command specifies the minimum transmission bandwidth guarantee for each interface queue on an interface, a range of interfaces, or all interfaces. A value from 0-100 (percentage of link rate) must be specified for each supported queue, with 0 indicating no guaranteed minimum bandwidth. The sum of all values entered must not exceed 100.
cos-queue min-bandwidth bw-0 bw-1...bw-n Modes: Global / Interface Config |
cos-queue random-detect This command activates weighted random early discard (WRED) for each specified queue on the interface. Specific WRED parameters are configured using the random-detect queue-parms and the random-detect exponential-weighting-constant commands.
cos-queue random-detect queue-id-1 [queue-id-2...queue-id-n] Modes: Global / Interface Config |
cos-queue strict This command activates the strict priority scheduler mode for each specified queue on an interface, a range of interfaces, or all interfaces.
cos-queue strict queue-id-1 [queue-id-2...queue-id-n] Modes: Global / Interface Config |
random-detect This command is used to enable WRED on the specific interface or on all interfaces (Global Config).
random-detect Modes: Global / Interface Config |
random-detect exponential-weighting-constant This command is used to configure the WRED decay exponent for a CoS queue interface.
random-detect exponential-weighting-constant 0-15 Mode: Interface Config |
random-detect queue-parms This command is used to configure WRED parameters for each drop precedence level supported by a queue. It is used only when per-COS queue configuration is enabled (using the cos-queue random-detect command).
random-detect queue-parms queue-id-1 [queue-id-2...queue-id-n] min-thresh thresh-prec-1...thresh-prec-n max-thresh thresh-prec-1...thresh-prec-n drop-probability prob-prec-1...prob-prec-n Modes: Global / Interface Config Parameters:
traffic-shape This command specifies the maximum transmission bandwidth limit for the interface as a whole. The bandwidth values are from 0-100 in increments of 1. You can also specify this value for a range of interfaces or all interfaces. Also known as rate shaping, traffic shaping has the effect of smoothing temporary traffic bursts over time so that the transmitted traffic rate is bounded.
traffic-shape bw Modes: Global / Interface Config |
show classofservice dot1p-mapping This command displays the current Dot1p (802.1p) priority mapping to internal traffic classes for a specific interface or the global settings.
show classofservice dot1p-mapping [slot/port] Mode: Privileged EXEC Parameters:
show classofservice ip-dscp-mapping This command displays the current IP DSCP mapping to internal traffic classes for the global configuration settings.
show classofservice ip-dscp-mapping Mode: Privileged EXEC Parameters:
show classofservice ip-precedence-mapping This command displays the current IP Precedence mapping to internal traffic classes for a specific interface or the global settings.
show classofservice ip-precedence-mapping [slot/port] Mode: Privileged EXEC Parameters:
show classofservice trust This command displays the current trust mode setting for a specific interface or the global settings.
show classofservice trust [slot/port] Mode: Privileged EXEC Parameters:
show interfaces cos-queue This command displays the class-of-service queue configuration for the specified interface or the global settings.
show interfaces cos-queue [slot/port] Mode: Privileged EXEC Parameters:
show interfaces random-detect This command displays the global WRED settings for each CoS queue. If you specify the slot/port, the command displays the WRED settings for each CoS queue on the specified interface.
show interfaces random-detect [slot/port] Mode: Privileged EXEC Parameters:
show interfaces tail-drop-threshold This command displays the tail drop threshold information. If you specify the slot/port, the command displays the tail drop threshold information for the specified interface.
show interfaces tail-drop-threshold [slot/port] Mode: Privileged EXEC |
Differentiated Services Commands
This section describes the commands you use to configure QoS Differentiated Services (DiffServ). You configure DiffServ in several stages by specifying three DiffServ components:
- Class
  - Creating and deleting classes
  - Defining match criteria for a class
- Policy
  - Creating and deleting policies
  - Associating classes with a policy
  - Defining policy statements for a policy/class combination
- Service
  - Adding and removing a policy to/from an inbound interface
The DiffServ class defines the packet filtering criteria. The attributes of a DiffServ policy define the way the switch processes packets. You can define policy attributes on a per-class instance basis. The switch applies these attributes when a match occurs. Packet processing begins when the switch tests the match criteria for a packet. The switch applies a policy to a packet when it finds a class match within that policy.
The following rules apply when you create a DiffServ class:
- Each class can contain a maximum of one referenced (nested) class
- Class definitions do not support hierarchical service policies
A given class definition can contain a maximum of one reference to another class. You can combine the reference with other match criteria. The referenced class is truly a reference and not a copy since additions to a referenced class affect all classes that reference it. Changes to any class definition currently referenced by any other class must result in valid class definitions for all derived classes, otherwise the switch rejects the change. You can remove a class reference from a class definition. The only way to remove an individual match criterion from an existing class definition is to delete the class and re-create it.
diffserv This command sets the DiffServ operational mode to active. While disabled, the DiffServ configuration is retained and can be changed, but it is not activated. When enabled, DiffServ services are activated.
diffserv Mode: Global Config Default: Disabled |
DiffServ Class Commands
Use the DiffServ class commands to define traffic classification. To classify traffic, you specify Behavior Aggregate (BA), based on DSCP and Multi-Field (MF) classes of traffic (name, match criteria). This set of commands consists of class creation/deletion and matching, with the class match commands specifying Layer 3, Layer 2, and general match criteria.
The class match criteria are also known as class rules, with a class definition consisting of one or more rules to identify the traffic that belongs to the class. Once you create a class match criterion for a class, you cannot change or delete the criterion. To change or delete a class match criterion, you must delete and re-create the entire class.
class-map This command defines a DiffServ class of type match-all. When used without any match condition, this command enters the class-map mode. The class-map-name is a case-sensitive alphanumeric string from 1 to 31 characters uniquely identifying an existing DiffServ class. Note that the class-map-name default is reserved and must not be used. The class type of match-all indicates all of the individual match conditions must be true for a packet to be considered a member of the class. This command may be used without specifying a class type to enter the Class-Map Config mode for an existing DiffServ class.
class-map match-all class-map-name [ipv4 | ipv6] Mode: Global Config |
class-map rename This command changes the name of a DiffServ class. The class-map-name is the name of an existing DiffServ class. The new-class-map-name parameter is a case-sensitive alphanumeric string from 1 to 31 characters uniquely identifying the class.
class-map rename class-map-name new-class-map-name Mode: Global Config |
match ethertype This command adds to the specified class definition a match condition based on the value of the ethertype. The ethertype value is specified as one of the following keywords: appletalk, arp, ibmsna, ipv4, ipv6, ipx, mplsmcast, mplsucast, netbios, novell, pppoe, rarp; or as a custom EtherType value in the range of 0x0600-0xFFFF. Use the not option to negate the match condition.
match [not] ethertype {keyword | custom 0x0600-0xFFFF} Mode: Class-Map Config |
match any This command adds to the specified class definition a match condition whereby all packets are considered to belong to the class. Use the not option to negate the match condition.
match [not] any Mode: Class-Map Config |
match class-map This command adds to the specified class definition the set of match conditions defined for another class. The refclassname is the name of an existing DiffServ class whose match conditions are being referenced by the specified class definition.
- The parameters refclassname and class-map-name cannot be the same.
match class-map refclassname Mode: Class-Map Config |
match cos This command adds to the specified class definition a match condition for the Class of Service value (the only tag in a single tagged packet or the first or outer 802.1Q tag of a double VLAN tagged packet). The value may be from 0 to 7. Use the not option to negate the match condition.
match [not] cos 0-7 Mode: Class-Map Config |
match secondary-cos This command adds to the specified class definition a match condition for the secondary Class of Service value (the inner 802.1Q tag of a double VLAN tagged packet). The value may be from 0 to 7. Use the not option to negate the match condition.
match [not] secondary-cos 0-7 Mode: Class-Map Config |
match destination-address mac This command adds to the specified class definition a match condition based on the destination MAC address of a packet. The macaddr parameter is any Layer-2 MAC address formatted as six 2-digit hexadecimal numbers separated by colons (e.g., 00:11:22:dd:ee:ff). The macmask parameter is a Layer-2 MAC address bit mask, which need not be contiguous, and is formatted as six 2-digit hexadecimal numbers separated by colons (e.g., ff:07:23:ff:fe:dc). Use the not option to negate the match condition.
match [not] destination-address mac macaddr macmask Mode: Class-Map Config |
match dstip This command adds to the specified class definition a match condition based on the destination IP address of a packet. The ipaddr parameter specifies an IP address. The ipmask parameter specifies an IP address bit mask and must consist of a contiguous set of leading 1 bits. Use the not option to negate the match condition.
match [not] dstip ipaddr ipmask Mode: Class-Map Config |
match dstl4port This command adds to the specified class definition a match condition based on the destination Layer-4 port of a packet using a single keyword or numeric notation. To specify the match condition as a single keyword, the value for portkey is one of the supported port name keywords. The currently supported portkey values are: domain, echo, ftp, ftpdata, http, smtp, snmp, telnet, tftp, www. Each of these translates into its equivalent port number. To specify the match condition using a numeric notation, one Layer-4 port number is required. The port number is an integer from 0 to 65535. Use the not option to negate the match condition.
match [not] dstl4port {portkey | 0-65535} Mode: Class-Map Config |
match ip dscp This command adds to the specified class definition a match condition based on the value of the IP DiffServ Code Point (DSCP) field in a packet, which is defined as the high-order six bits of the Service Type octet in the IP header (the low-order two bits are not checked). The dscpval value is specified as either an integer from 0 to 63, or symbolically through a keyword such as af23 or ef. Use the not option to negate the match condition.
match [not] ip dscp dscpval Mode: Class-Map Config |
match ip precedence This command adds to the specified class definition a match condition based on the value of the IP Precedence field in a packet, which is defined as the high-order three bits of the Service Type octet in the IP header (the low-order five bits are not checked). The precedence value is an integer from 0 to 7. Use the not option to negate the match condition.
match [not] ip precedence 0-7 Mode: Class-Map Config |
match ip tos This command adds to the specified class definition a match condition based on the value of the IP TOS field in a packet, which is defined as all eight bits of the Service Type octet in the IP header. The value of tosbits is a 2-digit hexadecimal number from 00-ff. The value of tosmask is a two-digit hexadecimal number from 00-ff. The tosmask denotes the bit positions in tosbits that are used for comparison against the IP TOS field in a packet. For example, to check for an IP TOS value having bits 7 and 5 set and bit 1 clear, where bit 7 is most significant, use a tosbits value of a0 (hex) and a tosmask of a2 (hex). Use the not option to negate the match condition.
match [not] ip tos tosbits tosmask Mode: Class-Map Config |
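The masked comparison behind match ip tos, and how the DSCP and precedence matches map onto the same Service Type octet, shown as an added Python example (not EdgeSwitch code). The function names are hypothetical, and the keyword values use the standard code points (ef = 46, afXY = 8X + 2Y).

```python
"""Masked Service Type (TOS) octet matching for match ip tos,
match ip dscp and match ip precedence. Added illustration only."""


def tos_rule(set_bits, clear_bits):
    """Build (tosbits, tosmask) from bit positions that must be 1 or 0.

    Bit 7 is the most significant bit, as in the reference text.
    """
    set_bits, clear_bits = set(set_bits), set(clear_bits)
    if set_bits & clear_bits:
        raise ValueError("a bit cannot be required both set and clear")
    if any(b not in range(8) for b in set_bits | clear_bits):
        raise ValueError("bit positions are 0-7")
    tosbits = sum(1 << b for b in set_bits)
    # The mask covers every bit the rule cares about, set or clear.
    tosmask = tosbits | sum(1 << b for b in clear_bits)
    return f"{tosbits:02x}", f"{tosmask:02x}"


def tos_matches(tos, tosbits, tosmask):
    """True when the packet octet equals tosbits in every masked position."""
    bits, mask = int(tosbits, 16), int(tosmask, 16)
    return (tos & mask) == (bits & mask)


def dscp_value(dscpval):
    """Resolve an integer 0-63 or a keyword (ef, afXY) to the code point."""
    text = str(dscpval).lower()
    if text == "ef":
        value = 46
    elif (len(text) == 4 and text.startswith("af")
          and text[2] in "1234" and text[3] in "123"):
        value = 8 * int(text[2]) + 2 * int(text[3])
    else:
        value = int(text)  # ValueError for keywords not handled here
    if not 0 <= value <= 63:
        raise ValueError("DSCP is 0-63")
    return value


def dscp_as_tos(dscpval):
    """match ip dscp checks only the high-order six bits: mask fc."""
    octet = dscp_value(dscpval) << 2
    return f"{octet:02x}", "fc"


def precedence_as_tos(precedence):
    """match ip precedence checks only the high-order three bits: mask e0."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence is 0-7")
    octet = precedence << 5
    return f"{octet:02x}", "e0"


if __name__ == "__main__":
    # The reference example: bits 7 and 5 set, bit 1 clear.
    print(tos_rule({7, 5}, {1}))          # tosbits, tosmask
    print(dscp_as_tos("ef"), dscp_as_tos("af23"), precedence_as_tos(5))
    # An EF packet with a low-order bit set still matches the DSCP form,
    # but not a full-octet (mask ff) comparison.
    print(tos_matches(0xB9, *dscp_as_tos("ef")), tos_matches(0xB9, "b8", "ff"))
```

Expressing all three match types as a (tosbits, tosmask) pair makes it easy to see when two classes overlap on the same packets.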
match protocol This command adds to the specified class definition a match condition based on the value of the IP Protocol field in a packet using a single keyword notation or a numeric value notation. To specify the match condition using a single keyword notation, the value for protocol-name is one of the supported protocol name keywords. The currently supported values are: icmp, igmp, ip, tcp, udp. A value of ip matches all protocol number values. To specify the match condition using a numeric value notation, the protocol number is a standard value assigned by IANA and is interpreted as an integer from 0 to 255. Use the not option to negate the match condition.
match [not] protocol {protocol-name | 0-255} Mode: Class-Map Config |
match signature This command maps the available signatures from the rules file to the AppIQ class. When the appiq class is created, this menu displays an index number and its signature pattern. A single signature can be mapped using a number or multiple signatures can be selected and mapped to a class. Using this command without an index value maps all the available signatures to the same class.
match signature [StartIndex-EndIndex] Mode: Class-Map Config |
match source-address mac This command adds to the specified class definition a match condition based on the source MAC address of a packet. The address parameter is any Layer-2 MAC address formatted as six 2-digit hexadecimal numbers separated by colons (e.g., 00:11:22:dd:ee:ff). The macmask parameter is a Layer-2 MAC address bit mask, which need not be contiguous, and is formatted as six 2-digit hexadecimal numbers separated by colons (e.g., ff:07:23:ff:fe:dc). Use the not option to negate the match condition.
match [not] source-address mac address macmask Mode: Class-Map Config |
match srcip This command adds to the specified class definition a match condition based on the source IP address of a packet. The ipaddr parameter specifies an IP address. The ipmask parameter specifies an IP address bit mask and must consist of a contiguous set of leading 1 bits. Use the not option to negate the match condition.
match [not] srcip ipaddr ipmask Mode: Class-Map Config |
match srcl4port This command adds to the specified class definition a match condition based on the source Layer-4 port of a packet using a single keyword or numeric notation. To specify the match condition as a single keyword notation, the value for portkey is one of the supported port name keywords: domain, echo, ftp, ftpdata, http, smtp, snmp, telnet, tftp, www. Each of these translates into its equivalent port number, which is used as both the start and end of a port range. To specify the match condition as a numeric value, one Layer-4 port number is required. The port number is an integer from 0 to 65535. Use the not option to negate the match condition.
match [not] srcl4port {portkey | 0-65535} Mode: Class-Map Config |
match src port This command adds a match condition for a range of Layer-4 source ports. If an interface receives traffic that is within the configured range of Layer-4 source ports, then only the appiq class is in effect. The portvalue parameter specifies a single source port.
match src port {portstart-portend | portvalue} Mode: Class-Map Config |
match vlan This command adds to the specified class definition a match condition based on the value of the Layer-2 VLAN Identifier field (the only tag in a single tagged packet or the first or outer tag of a double VLAN tagged packet). The VLAN ID is an integer from 0-4093. Use the not option to negate the match condition.
match [not] vlan 0-4093 Mode: Class-Map Config |
match secondary-vlan This command adds to the specified class definition a match condition based on the value of the Layer-2 secondary VLAN Identifier field (the inner 802.1Q tag of a double VLAN-tagged packet). The secondary VLAN ID is an integer from 0-4093. Use the not option to negate the match condition.
match [not] secondary-vlan 0-4093 Mode: Class-Map Config |
DiffServ Policy Commands
Use the DiffServ policy commands to specify traffic conditioning actions, such as policing and marking, to apply to traffic classes. Use the policy commands to associate a traffic class that you define by using the class command set with one or more QoS policy attributes. Assign the class/policy association to an interface to form a service. Specify the policy name when you create the policy.
Each traffic class defines a particular treatment for packets that match the class definition. You can associate multiple traffic classes with a single policy. When a packet satisfies the conditions of more than one class, preference is based on the order in which you add the classes to the policy. The first class you add has the highest precedence.
This set of commands consists of policy creation/deletion, class addition/removal, and individual policy attributes. The only way to remove an individual policy attribute from a class instance within a policy is to remove the class instance and re-add it to the policy. The values associated with an existing policy attribute can be changed without removing the class instance.
assign-queue This command modifies the queue id to which the associated traffic stream is assigned. The queueid is an integer from 0 to n-1, where n is the number of egress queues supported by the device.
assign-queue queueid Mode: Policy-Class-Map Config Incompatibilities: Drop |
drop This command specifies that all packets for the associated traffic stream are to be dropped at ingress.
drop Mode: Policy-Class-Map Config Incompatibilities: Assign Queue, Mark (all forms), Mirror, Police, Redirect |
mirror This command specifies that all incoming packets for the associated traffic stream are copied to a specific egress interface (physical port or LAG).
mirror slot/port Mode: Policy-Class-Map Config Incompatibilities: Drop, Redirect |
redirect This command specifies that all incoming packets for the associated traffic stream are redirected to a specific egress interface (physical port or port-channel).
redirect slot/port Mode: Policy-Class-Map Config Incompatibilities: Drop, Mirror |
conform-color Use this command to enable color-aware traffic policing and define the conform-color class map. Used only in conjunction with the police command where the fields for the conform level are specified. The parameter class-map-name is the name of an existing DiffServ class map.
conform-color class-map-name Mode: Policy-Class-Map Config |
class This command creates an instance of a class definition within the specified policy for the purpose of defining treatment of the traffic class through subsequent policy attribute statements. The classname is the name of an existing DiffServ class. This command causes the specified policy to create a reference to the class definition.
class classname Mode: Policy Map Config |
mark cos This command marks all packets for the associated traffic stream with the specified class of service (CoS) value in the priority field of the 802.1p header (the only tag in a single tagged packet or the first or outer 802.1Q tag of a double VLAN tagged packet). If the packet does not already contain this header, one is inserted. The CoS value is an integer from 0 to 7.
mark-cos 0-7 Mode: Policy-Class-Map Config Incompatibilities: Drop, Mark IP DSCP, IP Precedence, Police |
mark secondary-cos This command marks the outer VLAN tags in the packets for the associated traffic stream as secondary CoS.
mark secondary-cos 0-7 Mode: Policy-Class-Map Config Incompatibilities: Drop, Mark IP DSCP, IP Precedence, Police |
mark cos-as-sec-cos This command marks outer VLAN tag priority bits of all packets as the inner VLAN tag priority, marking CoS as Secondary CoS. This essentially means that the inner VLAN tag CoS is copied to the outer VLAN tag CoS.
mark cos-as-sec-cos Mode: Policy-Class-Map Config Incompatibilities: Drop, Mark IP DSCP, IP Precedence, Police |
mark ip-dscp This command marks all packets for the associated traffic stream with the specified IP DSCP value. The dscpval value is specified as either an integer from 0 to 63, or symbolically through a keyword such as af11 or ef.
mark ip-dscp dscpval Mode: Policy-Class-Map Config Incompatibilities: Drop, Mark CoS, Mark IP Precedence, Police |
mark ip-precedence This command marks all packets for the associated traffic stream with the specified IP Precedence value. The IP Precedence value is an integer from 0 to 7.
mark ip-precedence 0-7 Mode: Policy-Class-Map Config Incompatibilities: Drop, Mark CoS, Mark IP DSCP, Police |
police-simple This command is used to establish the traffic policing style for the specified class. The simple form of the police command uses a single data rate and burst size, resulting in two outcomes: conform and violate. The conforming data rate is specified in kilobits-per-second (Kbps) and is an integer from 1 to 4294967295. The conforming burst size is specified in kilobytes (KB) and is an integer from 1 to 128.
police-simple {1-4294967295 1-128 conform-action {drop | set-cos-as-sec-cos | set-cos-transmit 0-7 | set-sec-cos-transmit 0-7 | set-prec-transmit 0-7 | set-dscp-transmit 0-63 | transmit} [violate-action {drop | set-cos-as-sec-cos | set-cos-transmit 0-7 | set-sec-cos-transmit 0-7 | set-prec-transmit 0-7 | set-dscp-transmit 0-63 | transmit}]} Mode: Policy-Class-Map Config Incompatibilities: Drop, Mark (all forms) |
police-single-rate This command is the single-rate form of the police command and is used to establish the traffic policing style for the specified class.
police-single-rate {1-4294967295 1-128 1-128 conform-action {drop | set-cos-as-sec-cos | set-cos-transmit 0-7 | set-sec-cos-transmit 0-7 | set-prec-transmit 0-7 | set-dscp-transmit 0-63 | transmit} exceed-action {drop | set-cos-as-sec-cos | set-cos-transmit 0-7 | set-sec-cos-transmit 0-7 | set-prec-transmit 0-7 | set-dscp-transmit 0-63 | transmit} [violate-action {drop | set-cos-as-sec-cos-transmit | set-cos-transmit 0-7 | set-sec-cos-transmit 0-7 | set-prec-transmit 0-7 | set-dscp-transmit 0-63 | transmit}]} Mode: Policy-Class-Map Config |
police-two-rate This command is the two-rate form of the police command and is used to establish the traffic policing style for the specified class. In this two-rate form of the police command, the conform action defaults to transmit, the exceed action defaults to drop, and the violate action defaults to drop. These actions can be set with this command once the style has been configured.
police-two-rate {1-4294967295 1-4294967295 1-128 1-128 conform-action {drop | set-cos-as-sec-cos | set-cos-transmit 0-7 | set-sec-cos-transmit 0-7 | set-prec-transmit 0-7 | set-dscp-transmit 0-63 | transmit} exceed-action {drop | set-cos-as-sec-cos | set-cos-transmit 0-7 | set-sec-cos-transmit 0-7 | set-prec-transmit 0-7 | set-dscp-transmit 0-63 | transmit} [violate-action {drop | set-cos-as-sec-cos | set-cos-transmit 0-7 | set-sec-cos-transmit 0-7 | set-prec-transmit 0-7 | set-dscp-transmit 0-63 | transmit}]} Mode: Policy-Class-Map Config |
policy-map This command establishes a new DiffServ policy. The policyname parameter is a case-sensitive alphanumeric string from 1 to 31 characters uniquely identifying the policy.
policy-map policyname in Mode: Global Config |
policy-map rename This command changes the name of a DiffServ policy. The policyname is the name of an existing DiffServ policy. The newpolicyname parameter is a case-sensitive alphanumeric string from 1 to 31 characters uniquely identifying the policy.
policy-map rename policyname newpolicyname Mode: Global Config |
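An added Python lint, not part of the EdgeSwitch firmware or documentation, that checks each class instance in a policy against the Incompatibilities lists above and returns the class order that decides precedence. The configuration text is constructed; reading "Police" as any of the three police styles, "Mark CoS" as mark cos only, and exit as the command that closes each mode are assumptions.

```python
"""Lint DiffServ policy attributes against the Incompatibilities lists in the
Policy-Class-Map command reference. Added example, not EdgeSwitch code."""
from itertools import combinations

MARKS = {"mark cos", "mark secondary-cos", "mark cos-as-sec-cos",
         "mark ip-dscp", "mark ip-precedence"}
# Assumption: "Police" in a list means any of the three police styles.
POLICE = {"police-simple", "police-single-rate", "police-two-rate"}
KNOWN = MARKS | POLICE | {"assign-queue", "drop", "mirror", "redirect"}

# Assumption: "Mark CoS" in a list is read as the mark cos command only.
COS_FAMILY = {"drop", "mark ip-dscp", "mark ip-precedence"} | POLICE
INCOMPATIBLE = {
    "assign-queue": {"drop"},
    "drop": {"assign-queue", "mirror", "redirect"} | MARKS | POLICE,
    "mirror": {"drop", "redirect"},
    "redirect": {"drop", "mirror"},
    "mark cos": COS_FAMILY,
    "mark secondary-cos": COS_FAMILY,
    "mark cos-as-sec-cos": COS_FAMILY,
    "mark ip-dscp": {"drop", "mark cos", "mark ip-precedence"} | POLICE,
    "mark ip-precedence": {"drop", "mark cos", "mark ip-dscp"} | POLICE,
    "police-simple": {"drop"} | MARKS,
}

# Constructed configuration text for the demonstration.
SAMPLE = """\
policy-map EDGE-IN in
class VOICE
assign-queue 3
mark ip-dscp ef
exit
class GUEST
police-simple 10000 64 conform-action transmit violate-action drop
mark ip-precedence 0
exit
class QUARANTINE
drop
mirror 0/5
exit
exit
"""


def attribute_key(line):
    """Name the policy attribute a line configures, or None."""
    tok = line.split()
    if not tok:
        return None
    if tok[0] == "mark-cos":          # spelling used in the syntax line
        return "mark cos"
    key = "mark " + tok[1] if tok[0] == "mark" and len(tok) > 1 else tok[0]
    return key if key in KNOWN else None


def parse_policies(config):
    """Return {policy: [(class, [attributes])]} in configuration order."""
    policies, classes, attrs = {}, None, None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "policy-map" and len(tok) > 1 and tok[1] != "rename":
            classes, attrs = policies.setdefault(tok[1], []), None
        elif tok[0] == "exit":        # assumption: exit closes one mode
            if attrs is not None:
                attrs = None
            else:
                classes = None
        elif tok[0] == "class" and len(tok) > 1 and classes is not None:
            attrs = []
            classes.append((tok[1], attrs))
        elif attrs is not None:
            key = attribute_key(raw)  # only the command word counts, so
            if key:                   # "violate-action drop" is not "drop"
                attrs.append(key)
    return policies


def conflicts(attrs):
    """Pairs that either command's list names as incompatible."""
    return [(a, b) for a, b in combinations(sorted(set(attrs)), 2)
            if b in INCOMPATIBLE.get(a, ()) or a in INCOMPATIBLE.get(b, ())]


def lint(config):
    """Return (policy, class, attribute, attribute) for every conflict."""
    return [(policy, name, a, b)
            for policy, classes in parse_policies(config).items()
            for name, attrs in classes
            for a, b in conflicts(attrs)]


def class_order(config):
    """Classes per policy, first (highest precedence) to last."""
    return {p: [name for name, _ in classes]
            for p, classes in parse_policies(config).items()}


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print("incompatible:", finding)
    print("precedence:", class_order(SAMPLE))
```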
DiffServ Service Commands
Use the DiffServ service commands to assign a DiffServ traffic conditioning policy, which you specified by using the policy commands, to an interface in the incoming direction.
service-policy This command attaches a policy to a specific interface or all interfaces in the inbound direction.
service-policy in policymapname Modes: Global / Interface Config |
DiffServ Show Commands
Use the DiffServ show commands to display configuration and status information for classes, policies, and services. You can display DiffServ information in summary or detailed formats. The status information is only shown when the DiffServ administrative mode is enabled.
show class-map This command displays all configuration information for the specified class.
show class-map [class-name] Modes: User / Privileged EXEC Parameters:
show diffserv This command displays the DiffServ General Status Group information, which includes the current administrative mode setting as well as the current and maximum number of rows in each of the main DiffServ private MIB tables.
show diffserv Mode: Privileged EXEC Parameters:
show policy-map This command displays all configuration information for the specified policy.
show policy-map [policyname] Mode: Privileged EXEC Parameters:
show diffserv service This command displays policy service information for the specified interface and direction.
show diffserv service slot/port in Mode: Privileged EXEC Parameters:
show diffserv service brief This command displays all interfaces in the system to which a DiffServ policy has been attached.
show diffserv service brief [in] Mode: Privileged EXEC Parameters:
show policy-map interface This command displays policy-oriented statistics information for the specified interface and direction.
show policy-map interface slot/port [in] Mode: Privileged EXEC Parameters:
show service-policy This command displays a summary of policy-oriented statistics information for all interfaces in the specified direction.
show service-policy in Mode: Privileged EXEC Parameters:
MAC Access Control List Commands
This section describes the commands you use to configure MAC Access Control List (ACL) settings. MAC ACLs ensure that only authorized users have access to specific resources and block any unwarranted attempts to reach network resources.
mac access-list extended This command creates a MAC Access Control List (ACL) identified by name, consisting of classification fields defined for the Layer-2 header of an Ethernet frame. The name parameter is a case-sensitive alphanumeric string of 1-31 characters uniquely identifying the MAC access list. The rate-limit attribute configures the committed rate and the committed burst size. If a MAC ACL by this name already exists, this command enters Mac-Access-List config mode to allow updating the existing MAC ACL.
mac access-list extended name Mode: Global Config |
mac access-list extended rename This command changes the name of a MAC Access Control List (ACL). The name parameter is the name of an existing MAC ACL. The newname parameter is a case-sensitive alphanumeric string of 1-31 characters uniquely identifying the MAC access list.
mac access-list extended rename name newname Mode: Global Config |
deny | permit (MAC Access-List Config) This command creates a new rule for the current MAC access list. Each rule is appended to the list of configured rules for the list. A rule may either deny or permit traffic according to the specified classification fields.
{deny|permit} {srcmac | any} {dstmac | any} [ethertypekey | 0x0600-0xFFFF] [vlan {eq 0-4095}] [cos 0-7] [[log] [time-range time-range-name] [assign-queue queue-id]] [{mirror | redirect} slot/port] [rate-limit rate burst-size] Mode: Mac-Access-List Config Parameters:
Ethertype Parameters:
mac access-group This command either attaches a specific MAC Access Control List (ACL) identified by name to an interface or all interfaces (Global Config), or associates it with a VLAN ID. The vlan keyword is only valid for the global configuration command.
mac access-group name in [vlan vlan-id in] [sequence 1-4294967295] Modes: Global / Interface Config Parameters:
show mac access-lists This command displays a MAC access list and all of the rules that are defined for the MAC ACL.
show mac access-lists [name] Mode: Privileged EXEC Parameters:
IP Access Control List Commands
This section describes the commands you use to configure IP Access Control List (ACL) settings. IP ACLs ensure that only authorized users have access to specific resources and block any unwarranted attempts to reach network resources.
access-list This command creates an IP Access Control List (ACL) that is identified by the access list number, which is 1-99 for standard ACLs or 100-199 for extended ACLs.
access-list 1-99 {deny | permit} {every | srcip srcmask} [log] [time-range time-range-name] [assign-queue queue-id] [{mirror | redirect} slot/port]
access-list 100-199 {deny | permit} {every | {{eigrp | gre | icmp | igmp | ip | ipinip | ospf | pim | tcp | udp | 0-255} {srcip srcmask|any|host srcip} [range {portkey|startport} {portkey|endport} {eq|neq|lt|gt} {portkey|0-65535}] {dstip dstmask|any|host dstip} [range {portkey|startport} {portkey|endport} {eq|neq|lt|gt} {portkey|0-65535}] [flag [+fin|-fin] [+syn|-syn] [+rst|-rst] [+psh|-psh] [+ack|-ack] [+urg|-urg] [established]] [icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message] [igmp-type igmp-type] [fragments] [precedence precedence | tos tos [tosmask] | dscp dscp]}} [time-range time-range-name] [log] [assign-queue queue-id] [{mirror | redirect} slot/port] [rate-limit rate burst-size] Mode: Global Config Parameters:
ip access-list This command creates an extended IP Access Control List (ACL) identified by name, consisting of classification fields defined for the IP header of an IPv4 frame. The name parameter is a case-sensitive alphanumeric string from 1 to 31 characters uniquely identifying the IP access list.
ip access-list name Mode: Global Config |
ip access-list rename This command changes the name of an IP Access Control List (ACL). The name parameter specifies the name of an existing IP ACL. The newname parameter is a case-sensitive alphanumeric string from 1 to 31 characters uniquely identifying the IP access list.
ip access-list rename name newname Mode: Global Config |
deny | permit (IPv4 Access-List Config) This command creates a new rule for the current IP access list. Each rule is appended to the list of configured rules for the list. A rule may either deny or permit traffic according to the specified classification fields.
{deny | permit} {every | {{eigrp | gre | icmp | igmp | ip | ipinip | ospf | pim | tcp | udp | 0-255} {srcip srcmask|any|host srcip} [range {portkey|startport} {portkey|endport} {eq|neq|lt|gt} {portkey|0-65535}] {dstip dstmask|any|host dstip} [range {portkey|startport} {portkey|endport} {eq|neq|lt|gt} {portkey|0-65535}] [flag [+fin|-fin] [+syn|-syn] [+rst|-rst] [+psh|-psh] [+ack|-ack] [+urg|-urg] [established]] [icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message] [igmp-type igmp-type] [fragments] [precedence precedence | tos tos [tosmask] | dscp dscp]}} [time-range time-range-name] [log] [assign-queue queue-id] [{mirror | redirect} slot/port] [rate-limit rate burst-size] Mode: IPv4-Access-List Config Parameters:
ip access-group This command either attaches a specific IP Access Control List (ACL) identified by accesslistnumber or name to an interface, all interfaces (Global Config), or associates it with a VLAN ID.
ip access-group {accesslistnumber|name} in | [vlan vlan-id in] [sequence 1-4294967295] Modes: Global / Interface Config Parameters:
acl-trapflags This command enables the ACL trap mode.
acl-trapflags Mode: Global Config Default: Disabled |
show ip access-lists Use this command to view summary information about all IP ACLs configured on the switch.
show ip access-lists [accesslistnumber | name] Mode: Privileged EXEC Parameters:
show access-lists This command displays IP ACLs, IPv6 ACLs, and MAC access control lists information for a designated interface and direction.
show access-lists interface slot/port in Mode: Privileged EXEC Parameters:
show access-lists vlan This command displays Access List information for a particular VLAN ID. The vlan-id parameter is the VLAN ID of the VLAN with the information to view.
show access-lists vlan vlan-id in Mode: Privileged EXEC Parameters:
IPv6 Access Control List Commands
This section describes the commands you use to configure IPv6 Access Control List (ACL) settings. IPv6 ACLs ensure that only authorized users have access to specific resources and block any unwarranted attempts to reach network resources.
ipv6 access-list This command creates an IPv6 Access Control List (ACL) identified by name, consisting of classification fields defined for the IP header of an IPv6 frame.
ipv6 access-list name Mode: Global Config |
ipv6 access-list rename This command changes the name of an IPv6 ACL. The name parameter is the name of an existing IPv6 ACL. The newname parameter is a case-sensitive alphanumeric string from 1 to 31 characters uniquely identifying the IPv6 access list.
ipv6 access-list rename name newname Mode: Global Config |
deny | permit (IPv6 Access-List Config) This command creates a new rule for the current IPv6 access list. Each rule is appended to the list of configured rules for the list. A rule may either deny or permit traffic according to the specified classification fields.
{deny | permit} {every | {{icmpv6 | ipv6 | tcp | udp | 0-255} {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [{range {portkey|startport} {portkey|endport} | {eq | neq | lt | gt} {portkey|0-65535}] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [{range {portkey|startport} {portkey|endport} | {eq | neq | lt | gt} {portkey|0-65535}] [flag [+fin|-fin] [+syn|-syn] [+rst|-rst] [+psh|-psh] [+ack|-ack] [+urg|-urg] [established]] [flow-label value] [icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message] [routing] [fragments] [dscp dscp]}} [log] [assign-queue queue-id] [{mirror | redirect} slot/port] [rate-limit rate burst-size] Mode: IPv6-Access-List Config Parameters:
ipv6 traffic-filter This command either attaches a specific IPv6 ACL identified by name to an interface or range of interfaces, or associates it with a VLAN ID in a given direction. This command specified in Interface Config mode only affects a single interface, whereas the Global Config mode setting is applied to all interfaces. The vlan keyword is only valid in the Global Config mode.
ipv6 traffic-filter name in | [vlan vlan-id in] [sequence 1-4294967295] Modes: Global / Interface Config |
show ipv6 access-lists This command displays an IPv6 access list and all of the rules that are defined for the IPv6 ACL.
show ipv6 access-lists [name] Mode: Privileged EXEC Parameters:
Time Range Commands for Time-Based ACLs
Time-based ACLs allow one or more rules within an ACL to be based on time. Each ACL rule within an ACL except for the implicit deny all rule can be configured to be active and operational only during a specific time period. The time range commands allow you to define specific times of the day and week in order to implement time-based ACLs. The time range is identified by a name and can then be referenced by an ACL rule defined within an ACL.
time-range Use this command to create a time range identified by name, consisting of one absolute time entry and/or one or more periodic time entries.
time-range name Mode: Global Config |
absolute Use this command to add an absolute time entry to a time range. Only one absolute time entry is allowed per time-range. The time parameter is based on the currently configured time zone.
absolute [start time date] [end time date] Mode: Time-Range Config |
periodic Use this command to add a periodic time entry to a time range. The time parameter is based on the currently configured time zone. The first occurrence of the days-of-the-week argument is the starting day(s) from which the configuration that referenced the time range starts going into effect. The second occurrence is the ending day or days from which the configuration that referenced the time range is no longer in effect.
periodic days-of-the-week time to time Mode: Time-Range Config |
show time-range Use this command to display a time range and all the absolute/periodic time entries that are defined for the time range.
show time-range [name] Mode: Privileged EXEC Parameters:
Auto-Voice over IP Commands
This section describes the commands you use to configure Auto-Voice over IP (VoIP). The Auto-VoIP feature explicitly matches VoIP streams in Ethernet switches and provides them with a better class-of-service than ordinary traffic. When you enable the Auto-VoIP feature on an interface, the interface scans incoming traffic for the Session Initiation Protocol (SIP), H.323 and Skinny Client Control Protocol (SCCP) call-control protocols. When a call-control protocol is detected, the switch assigns the traffic in that session to the highest CoS queue, which is generally used for time-sensitive traffic.
auto-voip Use this command to configure auto VoIP mode. The supported modes are protocol-based and oui-based. Protocol-based auto VoIP prioritizes the voice data based on the Layer-4 port used for the voice session. OUI-based auto VoIP prioritizes the phone traffic based on the known OUI of the phone.
When both modes are enabled, if the connected phone OUI is one of the configured OUIs, the voice data is prioritized using OUI-based auto VoIP; otherwise, protocol-based auto VoIP is used to prioritize the voice data. Active sessions are cleared if protocol-based auto VoIP is disabled on the port.
auto-voip [protocol-based | oui-based] Modes: Global / Interface Config Default: oui-based |
||||||||||
auto-voip oui Use this command to configure an OUI for Auto VoIP. Traffic from the configured OUI gets the highest priority over other traffic. The oui-prefix is a unique OUI that identifies the device manufacturer or vendor. The OUI is specified as three octet values (each octet represented as two hexadecimal digits) separated by colons. The string is a description of the OUI that identifies the manufacturer or vendor associated with the OUI.
auto-voip oui oui-prefix oui-desc string
Mode: Global Config
auto-voip oui-based priority Use this command to configure the global OUI-based auto VoIP (802.1p) priority.
auto-voip oui-based priority priority-value
Mode: Global Config
Default: 7
auto-voip protocol-based Use this command to configure the global protocol-based auto VoIP remarking priority or traffic-class. If remark priority is configured, the voice data of the session is remarked with the priority configured through this command. The remark-priority is the 802.1p priority used for protocol-based VoIP traffic. The tc value is the traffic class used for protocol-based VoIP traffic.
auto-voip protocol-based {remark remark-priority | traffic-class tc}
Mode: Global Config
Default: 7
auto-voip vlan Use this command to configure the global Auto VoIP VLAN ID. The VLAN behavior depends on the configured auto VoIP mode. The auto-VoIP VLAN is the VLAN used to segregate VoIP traffic from other non-voice traffic. All VoIP traffic that matches a value in the known OUI list gets assigned to this VoIP VLAN.
auto-voip vlan vlan-id
Mode: Global Config
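The OUI format and the mode-selection rule described above, modeled in Python as an added example (not EdgeSwitch code and not part of the original guide). The function names, the sample configuration lines and the OUI values are constructed for illustration, and MAC addresses are assumed to be colon-separated.

```python
import re

# Matches the 'auto-voip oui oui-prefix oui-desc string' syntax from this guide.
OUI_LINE = re.compile(r"^auto-voip oui (\S+) oui-desc (.+)$")
# Three octets, two hexadecimal digits each, separated by colons.
OUI_FORMAT = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){2}$")
MAC_FORMAT = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")

def parse_oui_table(config_lines):
    """Return ({OUI: description}, [rejected lines]) from 'auto-voip oui' lines."""
    table, rejected = {}, []
    for line in config_lines:
        m = OUI_LINE.match(line.strip())
        if not m:
            continue  # some other command; not an OUI entry
        prefix, desc = m.groups()
        if OUI_FORMAT.match(prefix):
            table[prefix.upper()] = desc
        else:
            rejected.append(line.strip())  # prefix is not xx:xx:xx
    return table, rejected

def select_mode(src_mac, table, oui_enabled, protocol_enabled, call_control_seen):
    """Apply the precedence rule: a configured OUI wins, else protocol-based."""
    if not MAC_FORMAT.match(src_mac):
        raise ValueError("expected a colon-separated MAC address")
    oui = src_mac.upper()[:8]  # first three octets of the source MAC
    if oui_enabled and oui in table:
        return "oui-based"
    if protocol_enabled and call_control_seen:
        return "protocol-based"  # SIP, H.323 or SCCP was detected
    return None  # Auto-VoIP does not prioritize this traffic

# Constructed sample configuration (OUIs and descriptions are made up).
SAMPLE = [
    "auto-voip oui 00:11:22 oui-desc ExamplePhones",
    "auto-voip oui aa:bb:cc oui-desc LabHandsets",
    "auto-voip oui 0011.22 oui-desc BadFormat",
    "auto-voip vlan 100",
]
TABLE, REJECTED = parse_oui_table(SAMPLE)

if __name__ == "__main__":
    print(TABLE, REJECTED)
    print(select_mode("00:11:22:33:44:55", TABLE, True, True, True))
```

Running the same parse over a saved configuration lists every vendor prefix that receives the OUI-based priority and the VoIP VLAN, which is a quick way to review the OUI table for stale or malformed entries.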
show auto-voip Use this command to display the auto VoIP settings on the interface or interfaces of the switch.
show auto-voip {protocol-based|oui-based} interface {slot/port|all}
Mode: Privileged EXEC
Parameters:
show auto-voip oui-table Use this command to display the VoIP OUI table information.
show auto-voip oui-table
Mode: Privileged EXEC
Parameters: