config cli

Avaya WLAN 8100 Configuration - WC 8180(CLI)

1.0.0.0NN47251-500, 01.01

August 20, 2010

© 2010 Avaya Inc.

All Rights Reserved.

Notice

While reasonable efforts have been made to ensure that theinformation in this document is complete and accurate at the time ofprinting, Avaya assumes no liability for any errors. Avaya reserves theright to make changes and corrections to the information in thisdocument without the obligation to notify any person or organization ofsuch changes.

Documentation disclaimer

Avaya shall not be responsible for any modifications, additions, ordeletions to the original published version of this documentation unlesssuch modifications, additions, or deletions were performed by Avaya.End User agree to indemnify and hold harmless Avaya, Avaya's agents,servants and employees against all claims, lawsuits, demands andjudgments arising out of, or in connection with, subsequentmodifications, additions or deletions to this documentation, to theextent made by End User.

Link disclaimer

Avaya is not responsible for the contents or reliability of any linked Websites referenced within this site or documentation(s) provided by Avaya.Avaya is not responsible for the accuracy of any information, statementor content provided on these sites and does not necessarily endorsethe products, services, or information described or offered within them.Avaya does not guarantee that these links will work all the time and hasno control over the availability of the linked pages.

Warranty

Avaya provides a limited warranty on this product. Refer to your salesagreement to establish the terms of the limited warranty. In addition,Avaya’s standard warranty language, as well as information regardingsupport for this product, while under warranty, is available to Avayacustomers and other parties through the Avaya Support Web site: http://www.avaya.com/support. Please note that if you acquired theproduct from an authorized Avaya reseller outside of the United Statesand Canada, the warranty is provided to you by said Avaya reseller andnot by Avaya.

Licenses

THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYAWEBSITE, HTTP://SUPPORT.AVAYA.COM/LICENSEINFO/ AREAPPLICABLE TO ANYONE WHO DOWNLOADS, USES AND/ORINSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC.,ANY AVAYA AFFILIATE, OR AN AUTHORIZED AVAYA RESELLER(AS APPLICABLE) UNDER A COMMERCIAL AGREEMENT WITHAVAYA OR AN AUTHORIZED AVAYA RESELLER. UNLESSOTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOESNOT EXTEND THIS LICENSE IF THE SOFTWARE WAS OBTAINEDFROM ANYONE OTHER THAN AVAYA, AN AVAYA AFFILIATE OR ANAVAYA AUTHORIZED RESELLER, AND AVAYA RESERVES THERIGHT TO TAKE LEGAL ACTION AGAINST YOU AND ANYONEELSE USING OR SELLING THE SOFTWARE WITHOUT A LICENSE.BY INSTALLING, DOWNLOADING OR USING THE SOFTWARE, ORAUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OFYOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING,DOWNLOADING OR USING THE SOFTWARE (HEREINAFTERREFERRED TO INTERCHANGEABLY AS “YOU” AND “END USER”),AGREE TO THESE TERMS AND CONDITIONS AND CREATE ABINDING CONTRACT BETWEEN YOU AND AVAYA INC. OR THEAPPLICABLE AVAYA AFFILIATE (“AVAYA”).

Copyright

Except where expressly stated otherwise, no use should be made ofmaterials on this site, the Documentation(s) and Product(s) providedby Avaya. All content on this site, the documentation(s) and theproduct(s) provided by Avaya including the selection, arrangement anddesign of the content is owned either by Avaya or its licensors and is

protected by copyright and other intellectual property laws including thesui generis rights relating to the protection of databases. You may notmodify, copy, reproduce, republish, upload, post, transmit or distributein any way any content, in whole or in part, including any code andsoftware. Unauthorized reproduction, transmission, dissemination,storage, and or use without the express written consent of Avaya canbe a criminal, as well as a civil, offense under the applicable law.

Third-party components

Certain software programs or portions thereof included in the Productmay contain software distributed under third party agreements (“ThirdParty Components”), which may contain terms that expand or limitrights to use certain portions of the Product (“Third Party Terms”).Information regarding distributed Linux OS source code (for thoseProducts that have distributed the Linux OS source code), andidentifying the copyright holders of the Third Party Components and theThird Party Terms that apply to them is available on the Avaya SupportWeb site: http://www.avaya.com/support/Copyright/.

Trademarks

The trademarks, logos and service marks (“Marks”) displayed in thissite, the documentation(s) and product(s) provided by Avaya are theregistered or unregistered Marks of Avaya, its affiliates, or other thirdparties. Users are not permitted to use such Marks without prior writtenconsent from Avaya or such third party which may own the Mark.Nothing contained in this site, the documentation(s) and product(s)should be construed as granting, by implication, estoppel, or otherwise,any license or right in and to the Marks without the express writtenpermission of Avaya or the applicable third party.

Avaya is a registered trademark of Avaya Inc.

All other trademarks are the property of their respective owners.

Downloading documents

For the most current versions of documentation, see the Avaya SupportWeb site: http://www.avaya.com/support

Contact Avaya Support

Avaya provides a telephone number for you to use to report problemsor to ask questions about your product. The support telephone numberis 1-800-242-2121 in the United States. For additional supporttelephone numbers, see the Avaya Web site: http://www.avaya.com/support

2 Avaya WLAN 8100 Configuration - WC 8180 (CLI) August 20, 2010

http://www.avaya.com/support

http://www.avaya.com/support/LicenseInfo

http://www.avaya.com/support/Copyright/




Contents

Chapter 1: Command Line Interface workflows.....................................................................7Basic controller configuration............................................................................................................................7Enabling traps and logs.....................................................................................................................................8Displaying system logs......................................................................................................................................9Troubleshooting client-related issues................................................................................................................9Troubleshooting AP-related issues.................................................................................................................10Troubleshooting Layer 2 and 3 issues............................................................................................................10

Chapter 2: Command Line Interface Configuration.............................................................13Configuring WLAN options..............................................................................................................................13

Managing wireless communications.......................................................................................................13Configuring wireless communications....................................................................................................16

Configuring system options.............................................................................................................................26General switch administration................................................................................................................26Using Simple Network Time Protocol.....................................................................................................38Real time clock configuration..................................................................................................................41Custom Autonegotiation Advertisements...............................................................................................43Connecting to another switch.................................................................................................................44Domain Name Server (DNS) Configuration............................................................................................45Changing switch software.......................................................................................................................48Configuration files in CLI........................................................................................................................49Terminal setup........................................................................................................................................52Setting the default management interface..............................................................................................53Setting Telnet access..............................................................................................................................53Setting boot parameters.........................................................................................................................55Defaulting to BootP-when-needed..........................................................................................................56shutdown command...............................................................................................................................57reload command.....................................................................................................................................58CLI Help..................................................................................................................................................59Clearing the default TFTP server with CLI.............................................................................................59Configuring a default TFTP server with CLI...........................................................................................59Configuring default clock source............................................................................................................59Configuring daylight savings time with CLI.............................................................................................60Configuring Dual Agent..........................................................................................................................61Configuring local time zone with CLI......................................................................................................62Customizing CLI banner with CLI...........................................................................................................63Displaying the default TFTP server with CLI..........................................................................................64Displaying complete GBIC information...................................................................................................65Displaying hardware information............................................................................................................65Enabling Autosave..................................................................................................................................65Setting the server for Web-based management with CLI.......................................................................66Setting the read-only and read-write passwords....................................................................................66Enabling and disabling passwords.........................................................................................................67Configuring RADIUS authentication.......................................................................................................68

Configuring system security............................................................................................................................70Configuring MAC address-based security using CLI..............................................................................70Configuring RADIUS authentication using CLI.......................................................................................78SNMP configuration using CLI...............................................................................................................80

Avaya WLAN 8100 Configuration - WC 8180 (CLI) August 20, 2010 3

Configuring TACACS+ using CLI..........................................................................................................100Configuring IP Manager using CLI.......................................................................................................103Configuring password security using CLI.............................................................................................105Displaying CLI Audit log using CLI.......................................................................................................106Configuring Secure Socket Layer services using CLI..........................................................................107Configuring Secure Shell protocol using CLI........................................................................................108

Configuring VLANs and Link Aggregation.....................................................................................................114Configuring VLANs using CLI...............................................................................................................114Configuring STP using CLI...................................................................................................................125Configuring MLT using CLI...................................................................................................................135Configuring LACP and VLACP using CLI.............................................................................................137

Configuring IP routing...................................................................................................................................146IP routing configuration using CLI........................................................................................................146Static route configuration using CLI......................................................................................................152DHCP relay configuration using CLI.....................................................................................................155Directed broadcasts configuration using CLI........................................................................................161Static ARP and Proxy ARP configuration using CLI.............................................................................162IGMP snooping configuration using CLI...............................................................................................165

Configuring Access Lists...............................................................................................................................180Assigning ports to an access list..........................................................................................................180Removing an access list assignment...................................................................................................181Creating an IP access list.....................................................................................................................181Removing an IP access list..................................................................................................................182Creating a Layer 2 access list..............................................................................................................183Removing a Layer 2 access list............................................................................................................184

Configuring Elements, Classifiers, and Classifier Blocks..............................................................................184Configuring IP classifier element entries..............................................................................................185Viewing IP classifier entries..................................................................................................................186Removing IP classifier entries..............................................................................................................186Adding Layer 2 elements......................................................................................................................186Viewing Layer 2 elements....................................................................................................................188Removing Layer 2 elements.................................................................................................................188Linking IP and L2 classifier elements...................................................................................................188Removing classifier entries...................................................................................................................189Combining individual classifiers............................................................................................................189Removing classifier block entries.........................................................................................................190

Configuring wired Quality of Service.............................................................................................................190Displaying QoS Parameters.................................................................................................................191Displaying QoS capability policy configuration.....................................................................................195QoS Agent configuration......................................................................................................................196Configuring Default Buffering Capabilities............................................................................................198Configuring the CoS-to-Queue Assignments.......................................................................................199Configuring QoS Interface Groups.......................................................................................................200Configuring DSCP and 802.1p and Queue Associations.....................................................................201Configuring QoS system-element.........................................................................................................203Configuring QoS Actions......................................................................................................................205Configuring QoS Interface Action Extensions......................................................................................207Configuring QoS Meters.......................................................................................................................208Configuring QoS Interface Shaper.......................................................................................................210Configuring QoS Policies......................................................................................................................211QoS Generic Filter set configuration....................................................................................................213


Configuring User Based Policies..........................................................................................................215Maintaining the QoS Agent...................................................................................................................218Configuring DoS Attack Prevention Package.......................................................................................221

Configuring Serviceability..............................................................................................................................222Configuring RMON with the CLI...........................................................................................................223Configuring IPFIX using CLI.................................................................................................................228

Configuring diagnostics and graphing...........................................................................................................232System diagnostics and statistics using CLI.........................................................................................232Network monitoring configuration using CLI.........................................................................................234


Chapter 1: Command Line Interfaceworkflows

The following section provides workflows for commonly used Command Line Interface procedures. Thissection contains the following topics:

• Basic controller configuration on page 7

• Enabling traps and logs on page 8

• Displaying system logs on page 9

• Troubleshooting client-related issues on page 9

• Troubleshooting AP-related issues on page 10

• Troubleshooting Layer 2 and 3 issues on page 10

Basic controller configurationPerform the following procedure to place a basic configuration on a WC 8180 device:

1. Log into the controller. If this is the first time accessing the device, connect a consolecable and start a terminal session using the guidelines provided in thedocumentation.

2. Press CTRL + Y on the keyboard to enter the CLI.

3. Enter Privileged mode using the enable command.

4. Enter General Configuration mode using the configure terminal command.

5. Specify the system IP address, subnet mask, and default gateway using the ipaddress command. This command has the following syntax:ip address <ip_address> netmask <subnet_mask> default-gateway <default_gateway>

6. Enable SNMP services using the command snmp-server enable.

7. Disable SNMP user lists using the command no ipmgr snmp.

8. Enable IP routing capabilities using the ip routing command.

9. Enter Wireless Configuration mode using the wireless command.


10. Specify the wireless IP address using the command interface-ip<ip_address> command.

11. Enable wireless capabilities using the enable command.

12. Enable MDC capability using the controller mdc-capable.

13. Enter the domain password at the prompt.

Enabling traps and logsPerform the following procedure to enable SNMP trap and logging functionality.

1. Log into the controller.

2. Press CTRL + Y on the keyboard to enter the console menu.

3. Select Command Line Interface from the menu.

4. Type the enable command to enter Privileged mode.

5. Type the configure terminal command to enter Configuration mode.

6. Set the logging level using the command logging level {critical |informational | serious | none}.

7. Enable logging using the command logging enable.

8. Set the remote logging level using the command logging remote level{critical | informational | serious | none}.

9. Set the IP address of the remote log server using the command logging remoteaddress <ip_address>.

10. Enable remote logging using the command logging remote enable.

11. Enable individual SNMP traps using the command snmp-servernotification-control <snmp_trap>. For a list of available SNMP traps usethe command show snmp-server notification-control. Repeat this stepfor all traps that must be enabled.

12. Set the IP address of the SNMP server using the command snmp-server host<ip_address>.

Command Line Interface workflows


Displaying system logsPerform the following procedure to display system logs.





5. Use the command show logging system to display logs concerning Layer 2and Layer 3 operations.

6. Use the command show logging wireless-controller volatile todisplay logs concerning controller operation.

Troubleshooting client-related issuesPerform the following procedure to troubleshoot client-related issues.





5. Use the command show wireless ap status to view the overall status of allregistered access points.

6. Use the command show wireless ap status <ap_mac_address> detailto view detailed information about individual access points.

7. Use the command show wireless ap-profile network to view informationabout the correlation between network and AP profiles.

8. Use the command show wireless network-profile <profile_number>detail to view detailed information about a network profile.

9. Use the command show wireless switch vlan-map to view informationabout the correlation between wired and wireless VLANs.

Displaying system logs


10. Use the command show wireless security {mac-db | radius | user-db | wids-wips} to display information about wireless security settings.

11. Use the command show wireless client status to display information aboutthe current status of wireless clients.

Troubleshooting AP-related issuesPerform the following procedure to troubleshoot AP-related issues.





5. Use the command show wireless to view the overall status of the wirelesssystem.

6. Use the command show wireless domain ap database to view informationabout the access points configured for the wireless domain.

7. Use the command show wireless domain ap discovered to view anyaccess points that have been discovered. Access points listed here need to beadded to main access point database to be used by the domain.

8. Use the command show wireless ap status to display all of the access pointsthat are part of the wireless domain and under which controller it falls.

9. Use the command show wireless ap status detail command to displaydetailed information about each AP that is part of the wireless domain.

10. Use the command show wireless controller status to determine thecurrent status of the wireless controller. This command should indicate the controlleris either the Active or Backup MDC.

Troubleshooting Layer 2 and 3 issuesPerform the following procedure to troubleshoot Layer 2 and 3 issues.





3. Select IP Configuration/Setup from the console menu to check the controller IPconfiguration.

4. Press CTRL + R to return to the console menu.

5. Select SNMP Configuration from the console menu to check the controller SNMPconfiguration.


7. Select Switch Configuration from the console menu.

8. Use the options in this menu to track the various aspects of switch configuration.


10. Select Spanning Tree Configuration from the console menu.

11. Use the options in this menu to track the various aspects of the spanning treeconfiguration.




15. Use the command show ip to view the IP address configuration.

16. Use the command ping <ip_address> to ping another device on the network.

17. Use the command show wireless to view the overall status of the wirelesssystem.

Troubleshooting Layer 2 and 3 issues


Chapter 2: Command Line InterfaceConfiguration

The following sections provide information and procedures for the configuration of the WLAN Controller8180 (WC 8180).

Configuring WLAN optionsThis section describes the procedures for the management and configuration of WLANController 8180 (WC 8180) wireless options.

Navigation

• Managing wireless communications on page 13• Configuring wireless communications on page 16

Managing wireless communicationsThe procedures in this section are used for the management of the various aspects of wirelesscommunications.

Navigation

• Managing AP operations on page 13

• Managing automatic radio frequency operations on page 14

• Managing portals on page 14

• Managing clients on page 15

• Managing wireless controller actions on page 15

• Managing wireless domains on page 16

•

Managing AP operations

Use the following procedure to manage access point operations


1. Enter Privileged mode of the CLI.

2. Use the command wireless ap channel <ap_mac_address><radio_interface> <channel_number> to manage access point channeloptions.

3. Use the command wireless ap image-update <ap_mac_address> toupdate the access point's software image.

4. Use the command wireless ap power <ap_mac_address><radio_interface> <power_percentage> to adjust the access point radiotransmit power.

5. Use the command wireless ap reset to reset a managed access point.

6. Use the command wireless radio-profile clone<source_profile_id> <target_profile_id> to clone an existing radioprofile to the targeted radio profile.

7. Use the command wireless ap tech-dump <ap_mac_address><tftp_ip_address> filename <file_name> to save the current APconfiguration information to the specified TFTP server.

Managing automatic radio frequency operations

This following procedure is used to manage automatic radio frequency functionality.


2. Use the command wireless auto-rf channel-plan {a-n | b/g-n}start to run the channel adjustment algorithm.

3. Use the command wireless auto-rf channel-plan {a-n | b/g-n}apply to apply the proposed channel adjustment plan.

4. Use the command wireless auto-rf power-plan start to run the powerplanning algorithm.

5. Use the command wireless auto-rf power-plan apply to apply theproposed power plan.

Managing portals

The following procedure is used to manage captive portals.

Command Line Interface Configuration



2. Use the command wireless captive-portal certificate-generate togenerate HTTPS certificates.

3. Use the command wireless captive-portal client-deauthenticate<client_mac_address> to revoke authentication from a client.

Managing clients

This procedure is used to manage clients.


2. Use the command wireless client disassociate<client_mac_address> to remove a client from an access point.

Managing wireless controller actions

The following procedure is used to manage wireless controller actions.


2. Use the command wireless controller ap image-update start toupdate the software image of all controlled access points. This action can bestopped at any time with the wireless controller ap image-update stopcommand.

3. Use the command wireless controller ap reset to reset all controlledaccess points.

4. Use the command wireless controller config-sync to synchronizeconfigurations with other controllers in the domain.

5. Use the command wireless controller join-domain domain-name<domain_name> mdc-address <ip_address> to join a domain.

6. Use the command wireless controller leave-domain to remove acontroller from its current domain.

7. Use the command wireless peer-controller ap image-update<ip_address> start to update the images of all controlled access points on a

Configuring WLAN options


peer controller. This action can be stopped at any time using the commandwireless peer-controller ap image-update <ip_address> stop.

Managing wireless domains

This procedure is used to manage wireless domains.


2. Use the command wireless domain ap image-update start to update thesoftware image of all access points in a domain. This action can be stopped at anytime using the command wireless domain ap image-update stop.

3. Use the command wireless domain ap rebalance start to rebalance theaccess point distribution among all of the domain controllers. This action can bestopped at any time using the command wireless domain ap rebalancestop.

4. Use the command wireless domain ap redistribute start to rebalancethe access point distribution to their preferred domain controllers. This action canbe stopped at any time using the command wireless domain apredistribute stop.

5. Use the command wireless domain ap reset to reset all domain accesspoints.

6. Use the command wireless domain discovered-ap <ap_mac_address>{approve | discard} to take action on a discovered access point.

7. Use the command wireless domain purge-controller<controller_ip_address> to purge a controller from a domain.

8. Use the command wireless domain purge-stale-controllers to purgeall stale controllers from the domain.

Configuring wireless communicationsThe procedures in this section are used for the configuraton of the various aspects of wirelesscommunications.

Navigation

• Configuring general controller options on page 17• Configuring wireless profiles on page 18



• Configuring automatic radio frequency options on page 22• Configuring portals on page 22• Configuring domain options on page 23• Configuring wireless security on page 24

Configuring general controller options

The following procedure is used to configure general wireless controller options.

1. Enter Wireless Configuration mode of the CLI.

2. Use the command controller mdc-capable to mark a controller as availableto be a Mobility Domain Controller.

3. Use the command interface-ip <ip_address> to set the wireless systeminterface IP address.

4. Use the command tcp-udp-base-port <49152 - 64983> to set the wirelesssystem base port.

5. Use the command diffserv classifierblock <block_name> to configurea classifier block for the controller.This command has the options listed in the following table.

Command Option Descriptiondiffservclassifierblock<block_name>

match all Match all packets.

match cos Match CoS.

match ds-field Match IP DSCP.

match dst-ip Match destination IPaddress.

match dst-mac Match destination MACaddress.

match dstport Match destination Layer 4port.

match ethertype Match Ethernet Type.

match precedence Match IP precedence.

match protocol Match IP protocol.

match src-ip Match source IP address.

match src-mac Match source MACaddress.



Command Option Descriptionmatch srcport Match source Layer 4

port

match tos Match ToS.

end End Classifier Block.

exit Exit Classifier Block.

6. Use the command diffserv policy <policy_name> to configure a policy forthe controller.This command has the options listed in the following table.

Command Option Descriptiondiffserv policy<policy_name>

allow Allow packets.

drop Drop packets.

remark-cos Remark CoS.

remark-dscp Remark DSCP.

remark-precedence

Remark precedence.

7. Use the command switch vlan-map <mobility_vlan_name> l3-mobility server to set the mobility role to server.

8. Use the command switch vlan-map <mobility_vlan_name> l3-mobility none to set the mobility role to none.

9. Use the command switch vlan-map <mobility_vlan_name> lvid <1 -4094> to set the local VLAN ID.

10. Use the command switch vlan-map <mobility_vlan_name> track<port_list> to track a set of ports.

11. Use the command switch vlan-map <mobility_vlan_name> weight <1- 7> to set the VLAN server preference.

12. Use the command enable to enable wireless operations on the device.

Configuring wireless profiles

The following procedure is used to configure wireless profiles.




2. Use the command ap-profile <1 - 32> to create an access point profile.

3. Use the command network-profile <1 - 64> to create a network profile.This command has the options listed in the following table.

Command Option Descriptionnetwork profile<1 — 64>

arp-suppression Enable wireless ARPsuppression.

captive-portal Configure captive portalmapping.

client-qos Configure client QoSsettings.

cos2wmm WMM values for CoSsettings.

default Set default networkprofile settings.

dot1x Configure 802.1xparameters.

end End configuration.

exit Exit configuration.

hide-ssid Enable SSID hiding innetwork beacons.

mac-validation Enable clientauthentication throughclient MAC addresses.

mobility-vlan Configure the defaultmobility VLAN.

probe-response Enable response tobroadcast probe request.

profile-name Configure the networkprofile name.

radius Configure RADIUSrelated parameters.

security-mode Configure the securitymode.

ssid Configure the networkSSID.



Command Option Descriptionuser-group Configure the local user

group.

user-validation Configure user validationmethod if captive portal isenabled.

wep Configure WEP-relatedparameters.

wmm2cos CoS mapping for WMM.

wpa2 Configure WPA2settings.

4. Use the command radio-profile <1 - 64> to create a radio profile.This command has the options listed in the following table.

Command Options Descriptionradio-profile <1— 64>

apsd Enable auto powersavedelivery mode.

beacon-interval Set the beacon interval.

channel Configure radio channelsettings.

data-rates Configure basic/supported data rates.

default Set default profileparameters.

dot11–mode Configure the physicalmode of the radio.

dot11n Set the 802.11nconfiguration.

dot11n-protection-mode

Configure the 802.11nprotection mode.

dtim-period Configure the DeliveryTraffic Indication Map.

end End configuration.

exit Exit configuration.

fragmentation-threshold

Configure packetfragmentation threshold.



Command Options Descriptionincorrect-frame-no-ack

Enable No-Ack forincorrectly receivedframes on radio.

load-balance Configure load balancingparameters.

max-clients Configure the maximumnumber of simultaneousclients.

multicast-tx-rate

Configure the multicasttransfer rate.

no Disable the radio profile.

power Configure the radiopower settings.

profile-name Set the radio profilename.

qos Configure radio QoSqueues.

rate-limit Configure the broadcastand multicast rates.

rf-scan Configure the RF scanmode parameters.

rrm Enable Radio ResourceMeasurement.

rts-threshold Configure the thresholdbelow which MPDU RTS/CTS is not performed.

station-isolation

Enable station isolation.

tspec Configure TSPECsettings.

wmm-mode Enable WMM mode.

5. Use the command captive-portal profile <1 - 10> to create a captiveportal profile.



Configuring automatic radio frequency options

This procedure is used to configure automatic radio frequency options


2. Use the command auto-rf channel-plan {a-n | bg-n} history-depth <0 - 10> to set the number of saved historical channel plans.

3. Use the command auto-rf channel-plan {a-n | bg-n} interval <6 -24> to set the channel adjustment interval in hours.

4. Use the command auto-rf channel-plan {a-n | bg-n} mode{interval | manual | time} to set the channel adjustment mode.

5. Use the command auto-rf channel-plan {a-n | bg-n} time <hh:mm>to set the time of day to perform channel adjustment.

6. Use the command auto-rf power-plan interval <15 - 1440> to set thepower adjustment interval in minutes.

7. Use the command auto-rf power-plan {interval | manual} to set thepower adjustment mode.

Configuring portals

The following procedure is used to configure portal options.


2. Use the command captive-portal auth-timeout <60 - 600> to set theauthentication timeout value in seconds.

3. Use the command captive-portal http-port <0 - 65535> to configurethe portal HTTP port.

4. Use the command captive-portal https-portal <0 - 65535> toconfigure the portal HTTPS port.

5. Use the command captive-portal stats-report-interval <15 -3600> to configure the statistics reporting interval in seconds.

6. Use the command captive portal profile <profile_number> block toblock profile traffic.



7. Use the command captive portal profile <profile_number> idle-timeout to set the session idle timeout value.

8. Use the command captive portal profile <profile_number> localeto set the portal locale settings.

9. Use the command captive portal profile <profile_number> max-bandwidth to configure the maximum transmit and receive bandwidth limits.

10. Use the command captive portal profile <profile_number> max-octets to configure the maximum session octets.

11. Use the command captive portal profile <profile_number>profile-name to set the profile name.

12. Use the command captive portal profile <profile_number>protocol-mode to the protocol mode.

13. Use the command captive portal profile <profile_number>session-timeout to set the session timeout value.

14. Use the command captive portal profile <profile_number> user-logout to enable user logout.

15. Use the command captive-portal enable to enable the captive portal.

16.

Configuring domain options

The following procedure is used to configure domain options.


2. Use the command domain ap-client-qos to enable access point QoSoperations for clients.

3. Use the command domain auto-promote-discovered-ap to enable autopromotion of discovered access points.

4. Use the command domain client-roam-agetime <1 - 120> to configurethe client roaming timeout value in seconds.

5. Use the command domain country-code <country_code> to configure acode for domain operation.

6. Use the command domain tspec-violation-report-interval <0 -900> to configure the reporting interval in seconds.



7. Use the command domain ap image-update download-group-size <1 -100> to configure the percentage of access points forming a group.

8. Use the command domain ap lb-metric {least-load | local-CBF |local-CBFS | roundrobin} to set the domain load balancing metric.

9. Use the command domain ap reset-group-size <1 - 100> to configurethe percentage of access points in the domain that will be reset.

10. Use the command domain ap <ap_mac> alternate-controller toconfigure an alternate wireless controller.

11. Use the command domain ap <ap_mac> label to configure the AP label.

12. Use the command domain ap <ap_mac> location to configure the APlocation.

13. Use the command domain ap <ap_mac> model to configure the AP model.

14. Use the command domain ap <ap_mac> preferred-controller toconfigure the preferred AP controller.

15. Use the command domain ap <ap_mac> profile-id to assign the appropriateAP profile ID.

16. Use the command domain ap <ap_mac> radio to configure the AP radio.

17. Use the command domain ap <ap_mac> serial to configure the AP serialnumber.

18. Use the command domain mobility-vlan <vlan_name> to create a newmobility VLAN.

19. Use the command domain e911 address <ip_address> enable to enablethe E911 server.

Configuring wireless security

The following procedure is used to configure wireless security options.


2. Use the command security to enter Security Configuration mode.

3. Use the command mac-db blacklist <mac_address> to add a device to theMAC address black list.

4. Use the command mac-db whitelist <mac_address> to add a device to theMAC address white list.



5. Use the command user-db group <group_name> to create a new userdatabase group.

6. Use the following commands to create a new user database entry:

• user-db user-name <member_name> start-date <yyyy-mm-dd>• user-db user-name <member_name> end-date <yyyy-mm-dd>• user-db user-name <member_name> idle-timeout <0 - 900>• user-db user-name <member_name> max-bandwidth-down<down_bps>

• user-db user-name <member_name> max-bandwidth-up <up_bps>• user-db user-name <member_name> max-input-octets <octets>• user-db user-name <member_name> max-output-octets<octets>

• user-db user-name <member_name> max-total-octets <octets>• user-db user-name <member_name> password <password>• user-db user-name <member_name> session-timeout<timeout_value>

7. Use the command user-db membership <member_name> <group_name> toadd a member to an existing group.

8. Use the following commands to configure Wireless Intrusion Detection (WIDS)timeout settings:

• wids ageout adhoc-clients <0 - 10080>• wids ageout ap-failure <0 - 10080>• wids ageout detected-clients <0 - 10080>• wids ageout rf-scan <0 - 10080>

9. Use the following commands to configure WIDS known access point settings:

• wids known-ap <mac_address> channel <0 - 216>• wids known-ap <mac_address> security {any | open | wep |wpa}

• wids known-ap <mac_address> ssid <ssid_string>• wids known-ap <mac_address> type {known-foreign | local-enterprise | other}

• wids known-ap <mac_address> wds-mode {any | bridge |normal}

• wids known-ap <mac_address> wired-mode {allowed | not-allowed}



10. Use the following commands to configure WIDS rogue access point settings:

• wids rogue-ap ack {all | rogue_mac_address}• wids rogue-ap trap-interval <60 - 3600>• wids rogue-ap wired-detection-interval <1 - 3600>

11. Use the command wips mitigation ap-threat to enable access threatmitigation.

12. Use the command wips mitigation client-threat to enable client threatmitigation.

13. Use the command radius server-retries to configure RADIUS server retries.

14. Use the command radius server-timeout to configure the RADIUS servertimeout.

15. Use the command radius profile to configure global RADIUS profiles.

16. Use the command radius server to configure global RADIUS servers.

Configuring system optionsThis section describes the system configuration procedures for the WLAN Controller 8180 (WC8180).

General switch administrationThis section outlines the Command Line Interface commands used in general switchadministration. It contains information about the following topics:

• Multiple switch configurations on page 27• Assigning and clearing IP addresses on page 27• Displaying interfaces on page 30• Setting port speed on page 31• Testing cables with the Time Domain Reflectometer on page 33• Enabling Autotopology on page 34• Enabling rate-limiting on page 37• Using Simple Network Time Protocol on page 38• Real time clock configuration on page 41• Custom Autonegotiation Advertisements on page 43



• Connecting to another switch on page 44• Domain Name Server (DNS) Configuration on page 45

Multiple switch configurations

The following CLI commands are used to configure and use multiple switch configuration:

show nvram block command This command shows the configurations currently stored on theswitch. The syntax for this command is: show nvram blockThis command is executed in the Global Configuration command mode.

copy config nvram block command This command copies the current configuration to one ofthe flash memory spots. The syntax for this command is: copy config nvram block<1-2> name <block_name>The following table outlines the parameters for this command.

Table 1: copy config nvram block parameters

Parameter Descriptionblock <1-2> The flash memory location to store the configuration.

name <block_name> The name to attach to this block. Names can be up to40 characters in length with no spaces.

This command is executed in the Global Configuration command mode.

copy nvram config block command This command copies the configuration stored in flashmemory at the specified location and makes it the active configuration. The syntax for thiscommand is: copy nvram config block <1-2>Substitute <1-2> with the configuration file to load.

This command causes the switch to reset so that the new configuration can be loaded.


Assigning and clearing IP addresses

You can assign, clear, and view IP addresses and gateway addresses with CLI. The commandsdiscussed in this section are used to perform these tasks.

Note:Users should not change the Wireless System IP address of the controller after the controllerjoins a domain. Do the following if a change is required after the controller joins a domain:

1. Remove the controller from the mobility domain.2. Disable wireless operations.

Configuring system options


3. Change the IP address.4. Join the controller to the domain.

ip address commandThe ip address command sets the IP address and subnet mask for the switch.

The syntax for the ip address command is: ip address <A.B.C.D> [netmask<A.B.C.D>] [default-gateway <A.B.C.D.DX>]The ip address command is executed in the Global Configuration command mode.

The following table describes the parameters for the ip address command.

Table 2: ip address parameters

Parameters DescriptionA.B.C.D Denotes the IP address in dotted-decimal notation; netmask

is optional.

netmask Signifies the IP subnet mask.

Default Gateway A.B.C.D Displays the IP address of the default gateway. Enter the IPaddress of the default IP gateway.

Note: When the IP address or subnet mask is changed, connectivity to Telnet and the Webcan be lost.

ip address source commandIf you want to automatically obtain an IP address, subnet mask and default gateway, you canuse the ip address command with the source parameter. When you use DHCP, the switch canalso obtain up to three DNS server IP addresses.

The syntax for the ip address source command is: ip address source {bootp-always | bootp-last-address | bootp-when-needed | configured-address| dhcp-always | dhcp-last-address | dhcp-when-needed}Execute the ip address source command in the Global Configuration command mode.

The following table describes the variables for the ip address source command:

Table 3: ip address source command parameters

Parameter Descriptionbootp-always Always use the bootp server.

bootp-last-address Use the last bootp server.

bootp-when-needed Use bootp server when needed.

dhcp-always Always use the DHCP server.

dhcp-last-address Use the last DHCP server.

dhcp-when-needed Use DHCP client when needed.



no ip address commandThe no ip address command clears the IP address and subnet mask for a switch. Thiscommand sets the IP address and subnet mask for a switch to all zeros (0).

The syntax for the no ip address command is: no ip address switchThe no ip address command is executed in the Global Configuration command mode.

Note: When the IP address or subnet mask is changed, connectivity to Telnet and the WebInterface can be lost. Any new Telnet connection can be disabled and is required to connectto the serial console port to configure a new IP address.

ip default-gateway commandThe ip default-gateway command sets the default IP gateway address for a switch to use.

The syntax for the ip default-gateway command is: ip default-gateway <A.B.C.D>The ip default-gateway command is executed in the Global Configuration commandmode.

The following table describes the parameters for the ip default-gateway command.

Table 4: ip default-gateway command parameters

Parameters DescriptionA.B.C.D Enter the dotted-decimal IP address of the default IP gateway.

Note: When the IP gateway is changed, connectivity to Telnet and the Web Interface can belost.

show ip commandThe show ip command displays the IP configurations, BootP/DHCP mode, switch address,subnet mask, and gateway address. This command displays these parameters for what isconfigured, what is in use, and the last BootP/DHCP.

The syntax for the show ip command is: show ip [bootp] [dhcp] [default-gateway] [address]The show ip command is executed in the User EXEC command mode.

If you do not enter any parameters, this command displays all IP-related configurationinformation.

The following table describes the parameters for the show ip command.

Parameters Descriptionbootp Displays BootP/DHCP-related IP information. The

possibilities for status returned are:

• BootP Always

• Disabled

• BootP or Last Address



Parameters Description

• BootP When Needed

• DHCP Always

• DHCP or Last Address

• DHCP When Needed

dhcp client lease Displays DHCP client lease information. Thecommand displays information about configured leasetime and lease time granted by the DHCP server.

default-gateway Displays the IP address of the default gateway.

address Displays the current IP address.

address source Displays the BootP or DHCP clientinformation.Assigning and clearing IP addresses forspecific units

• DHCP always

• DHCP when needed

• DHCP or last address

• Disabled

• BootP always

• BootP when needed

• BootP or last address

Displaying interfaces

The status of all interfaces on the switch can be viewed, including Multi-Link Trunkmembership, link status, autonegotiation and speed using the following command.

show interfaces commandThe show interfaces command displays the current configuration and status of allinterfaces.

The syntax for the show interfaces command is: show interfaces [names][<portlist>]The show interfaces command is executed in the User EXEC command mode.

Table 5: show interfaces command parameters

Parameters Descriptionnames <portlist> Displays the interface names; enter specific ports if you

want to see only those.



Setting port speed

To set port speed and duplexing with CLI, refer to the following:

• speed command on page 31• default speed command on page 31• duplex command on page 32• default duplex command on page 32

speed commandThe speed command sets the speed of the port.

The syntax for the speed command is: speed [port <portlist>] {10 | 100 | 1000| auto}The speed command is executed in the Interface Configuration command mode.

The following table describes the parameters for the speed command.

Table 6: speed command parameters

Parameters Descriptionport <portlist> Specifies the port numbers for which to

configure the speed. Enter the port numbersyou want to configure.Note: If you omit this parameter, the systemuses the port number you specified in theinterface command.

10|100|1000|auto Sets speed to:

• 10—10Mb/s

• 100— 100 Mb/s

• 1000— 1000 Mb/s or 1GB/s

• auto— autonegotiation

Note: Enabling and disabling autonegotiation for speed also enables and disables it for duplexoperation.When you set the port speed for autonegotiation, ensure that the other side of thelink is also set for autonegotiation.

default speed commandThe default speed command sets the speed of the port to the factory default speed.

The syntax for the default speed command is: default speed [port <portlist>]The default speed command is executed in the Interface Configuration command mode.

The following table describes the parameters for this command.



Parameters Descriptionport <portlist> Specifies the port numbers to set the speed to factory

default. Enter the port numbers you want to set.Note: If you omit this parameter, the system uses theport number you specified in the interface command.

duplex commandThe duplex command specifies the duplex operation for a port.

The syntax for the duplex command is: duplex [port <portlist>] {full | half| auto}The duplex command is executed in the Interface Configuration command mode.


Parameters Descriptionport <portlist> Specifies the port numbers for which to reset the

duplex mode to factory default values. Enter the portnumber you want to configure. The default value isautonegotiation.Note: If you omit this parameter, the system uses theports you specified in the interface command.

full | half | auto Sets duplex to:

• full— full-duplex mode

• half —half-duplex mode

• auto—autonegotiation

Note: Enabling/disabling autonegotiation for speed also enables/disables it for duplexoperation.When you set the duplex mode for autonegotiation, ensure that the other side of thelink is also set for autonegotiation.

default duplex commandThe default duplex command sets the duplex operation for a port to the factory defaultduplex value.

The syntax for the default duplex command is: default duplex [port<portlist>]The default duplex command is executed in the Interface Configuration command mode.


Parameters Descriptionport <portlist> Specifies the port numbers to reset the duplex mode to

factory default values. Enter the port numbers you wantto configure. The default value is autonegotiation.



Parameters DescriptionNote: If you omit this parameter, the system uses theports you specified in the interface command.

Testing cables with the Time Domain Reflectometer

The WC 8180 is equipped with a Time Domain Reflectometer (TDR). The TDR provides adiagnostic capability to test connected cables for defects (such as short pin and pin open). Youcan obtain TDR test results from CLI or Device Manager.

The cable diagnostic tests only apply to Ethernet copper ports; fiber ports cannot be tested.

You can initiate a test on multiple ports at the same time.

When you test a cable with the TDR, if the cable has a 10/100 MB/s link, the link is brokenduring the test and restored only when the test is complete. If the cable has a 10/100 MB/slink, the test results may be incomplete as the test does not test all of the pins in the connector.Use of the TDR does not affect 1 GB/s links.

See the Troubleshooting Guide (NN47251-700) for more information on troubleshooting cablesand for connector pin tables.

Note: The accuracy margin of cable length diagnosis is between three to five meters. Avayasuggests the shortest cable for length information be five meters long.

With the following CLI commands, you can initiate a TDR cable diagnostic test and obtain testreports.

• tdr test command on page 33• show tdr command on page 33

tdr test commandThe tdr test command initiates a TDR test on a port or ports.

The syntax for this command is: tdr test <portlist>where <portlist> specifies the ports to be tested.

The tdr test command is in the privExec command mode.

show tdr commandThe show tdr command displays the results of a TDR test.

The syntax for this command is: show tdr <portlist>where <portlist> specifies the ports for which to display the test results.

The show tdr command is in the privExec command mode.



Enabling Autotopology

The Optivity Autotopology protocol can be configured with CLI.

To enable autotopology with CLI, refer to the following:

• autotopology command on page 34• no autotopology command on page 34• default autotopology command on page 34• show autotopology settings command on page 34• show autotopology nmm-table command on page 34

autotopology commandThe autotopology command enables the Autotopology protocol.

The syntax for the autotopology command is: autotopologyThe autotopology command is executed in the Global Configuration command mode.

no autotopology commandThe no autotopology command disables the Autotopology protocol.

The syntax for the no autotopology command is: no autotopologyThe no autotopology command is executed in the Global Configuration command mode.

default autotopology commandThe default autotopology command enables the Autotopology protocol.

The syntax for the default autotopology command is: default autotopologyThe default autotopology command is executed in the Global Configuration commandmode.

show autotopology settings commandThe show autotopology settings command displays the global autotopology settings.

The syntax for the show autotopology settings command is: show autotopologysettingsThe show autotopology settings command is executed in the Privileged EXECcommand mode.

show autotopology nmm-table commandThe show autotopology nmm-table command displays the Autotopology networkmanagement module (NMM) table.

The syntax for the show autotopology nmm-table command is: show autotopology nmm-table



The show autotopology nmm-table command is executed in the Privileged EXECcommand mode.

Enabling flow control

Gigabit Ethernet, when used with the WC 8180, can control traffic on this port using theflowcontrol command.

To enable flow control with CLI, refer to the following:

• flow control command on page 35• no flowcontrol command on page 35• default flowcontrol command on page 36

flow control commandThe flowcontrol command is used only on Gigabit Ethernet ports and controls the trafficrates during congestion.

The syntax for the flowcontrol command is: flowcontrol [port <portlist>]{asymmetric | symmetric | auto | disable}The flowcontrol command is executed in the Interface Configuration mode.


Table 7: flowcontrol command parameters

Parameters Descriptionport <portlist> Specifies the port numbers to configure for flow control.

Note: If you omit this parameter, the system uses theports you specified in the interface command but onlythose ports which have speed set to 1000/full.

asymmetric | symmetric | auto |disable

Sets the mode for flow control:

• asymmetric- PAUSE frames can only flow in onedirection.

• symmetric- PAUSE frames con flow in eitherdirection.

• auto- sets the port to automatically determine the flowcontrol mode (default)

• disable- disables flow control

no flowcontrol commandThe no flowcontrol command is used only on Gigabit Ethernet ports and disables flowcontrol.

The syntax for the no flowcontrol command is: no flowcontrol [port<portlist>]



The no flowcontrol command is executed in the Interface Configuration mode.


Table 8: no flowcontrol command parameters

Parameters Descriptionport <portlist> Specifies the port numbers for which to

disable flow control.Note: If you omit this parameter, the systemuses the ports you specified in theinterface command, but only those portsthat have speed set to 1000/full.

default flowcontrol commandThe default flowcontrol command is used only on Gigabit Ethernet ports and sets theflow control to auto, which automatically detects the flow control.

The syntax for the default flowcontrol command is: default flowcontrol [port<portlist>]The default flowcontrol command is executed in the Interface Configuration mode.


Parameters Descriptionport <portlist> Specifies the port numbers to default to auto flow control.

Note: If you omit this parameter, the system uses the portnumber you specified in the interface command.

default rate-limit commandThe default rate-limit command restores the rate-limiting value for the specified portto the default setting.

The syntax for the default rate-limit command is: default rate-limit [port<portlist>]The default rate-limit command is executed in the Interface Configuration commandmode.


Table 9: default rate-limit command parameters

Parameters Descriptionport <portlist> Specifies the port numbers on which to reset rate-limiting to

factory default. Enter the port numbers on which to set rate-limiting to default.Note: If you omit this parameter, the system uses the port numberyou specified in the interface command.



Enabling rate-limiting

The percentage or packets per seconds of multicast traffic, or broadcast traffic, or both can belimited with CLI. For details, refer to the following:

• show rate-limit command on page 37• rate-limit command on page 37• no rate-limit command on page 38• default rate-limit command on page 36

show rate-limit commandThe show rate-limit command displays the rate-limiting settings and statistics.

The syntax for the show rate-limit command is: show rate-limitThe show rate-limit command is executed in the Privileged EXEC command mode.

rate-limit commandThe rate-limit command configures rate-limiting on the port.

The syntax for the rate-limit command is: rate-limit {multicast | broadcast| both} {percent <0-10>}The rate-limit command is executed in the Interface Configuration command mode.


Table 10: rate-limit command parameters

Parameters Descriptionmulticast | broadcast | both Applies rate-limiting to the type of traffic.

• multicast--applies rate-limiting to multicastpackets

• broadcast--applies rate-limiting tobroadcast packets

• both--applies rate-limiting to both multicastand broadcast packets

percent <0-10> Specifies the mode for setting the rates of theincoming traffic.

percent <0-10>--enter and integer from 1to 10 to set the rate-limiting percentage.

For 10 Gb/s links, the default value forlimiting both broadcast and multicast is 10percent.Rate limiting using packet per seconds canonly be configured using CLI.



no rate-limit commandThe no rate-limit command disables rate-limiting on the port.

The syntax for the no rate-limit command is: no rate-limit [port <portlist>]The no rate-limit command is executed in the Interface Configuration command mode.


Table 11: no rate-limit command parameters

Parameters Descriptionport <portlist> Specifies the port numbers to disable for rate-limiting. Enter the

port numbers you want to disable.Note: If you omit this parameter, the system uses the port numberyou specified in the interface command.

Using Simple Network Time ProtocolThe Simple Network Time Protocol (SNTP) feature synchronizes the Universal CoordinatedTime (UCT) to an accuracy within 1 second. This feature adheres to the IEEE RFC 2030 (MIB isthe s5agent). With this feature, the system can obtain the time from any RFC 2030-compliant NTP/SNTP server.

Note: If you have trouble using this feature, try various NTP servers. Some NTP servers canbe overloaded or currently inoperable.The system retries connecting with the NTP server amaximum of three times, with 5 minutes between each retry.

Using SNTP provides a real-time timestamp for the software, shown as Greenwich Mean Time(GMT).

If SNTP is enabled, the system synchronizes with the configured NTP server at boot-up andat user-configurable periods thereafter (the default synchronization interval is 24 hours). Thefirst synchronization is not performed until network connectivity is established.

SNTP supports primary and secondary NTP servers. The system tries the secondary NTPserver only if the primary NTP server is unresponsive.

To configure SNTP, refer to the following commands:

• show SNTP command on page 39• show sys-info command on page 39• SNTP enable command on page 39• no SNTP enable command on page 39• SNTP server primary address command on page 39• SNTP server secondary address command on page 40• no SNTP server command on page 40



• SNTP sync-now command on page 41• SNTP sync-interval command on page 41

show SNTP command

The show SNTP command displays the SNTP information, as well as the configured NTPservers.

The syntax for the show SNTP command is: show sntpThe show SNTP command is executed in the Privileged EXEC command mode.

show sys-info command

The show sys-info command displays the current system characteristics.

The syntax for the show sys-info command is: show sys-infoThe show sys-info command is executed in the Privileged EXEC command mode.

Note: You must have SNTP enabled and configured to display GMT time.

SNTP enable command

The SNTP enable command enables SNTP.

The syntax for the SNTP enable command is: sntp enableThe SNTP enable command is executed in the Global Configuration command mode.

Note: The default setting for SNTP is disabled.

no SNTP enable command

The no SNTP enable command disables SNTP.

The syntax for the no SNTP enable command is: no sntp enableThe no SNTP enable command is executed in the Global Configuration command mode.

SNTP server primary address command

The SNTP server primary address command specifies the IP addresses of the primaryNTP server.



The syntax for the SNTP server primary address command is: sntp serverprimary address <A.B.C.D>The SNTP server primary address command can be executed in the GlobalConfiguration command mode.


Table 12: sntp server primary address command parameters

Parameters Description<A.B.C.D> Enter the IP address of the primary NTP server in dotted-

decimal notation.

SNTP server secondary address command

The SNTP server secondary address command specifies the IP addresses of thesecondary NTP server.

The syntax for the SNTP server secondary address command is: sntp serversecondary address <A.B.C.D>The SNTP server secondary address command is executed in the Global Configurationcommand mode.


Table 13: sntp server secondary address command parameters

Parameters Description<A.B.C.D> Enter the IP address of the secondary NTP server in

dotted-decimal notation.

no SNTP server command

The no SNTP server command clears the NTP server IP addresses. The command clearsthe primary and secondary server addresses.

The syntax for the no SNTP server command is: no sntp server {primary |secondary}The no SNTP server command is executed in the Global Configuration command mode.




Table 14: no sntp server command parameters

Parameters Descriptionprimary Clear primary SNTP server address.

secondary Clear secondary SNTP server address.

SNTP sync-now command

The SNTP sync-now command forces a manual synchronization with the NTP server.

The syntax for the SNTP sync-now command is: sntp sync-nowThe SNTP sync-now command is executed in the Global Configuration command mode.

Note: SNTP must be enabled before this command can take effect.

SNTP sync-interval command

The SNTP sync-interval command specifies recurring synchronization with the secondaryNTP server in hours relative to initial synchronization.

The syntax for the SNTP sync-interval command is: sntp sync-interval <0-168>The SNTP sync-interval command is executed in the Global Configuration commandmode.


Table 15: sntp sync-interval command parameters

Parameters Descriptions<0-168> Enter the number of hours for periodic synchronization with

the NTP server.Note: 0 is boot-time only, and 168 is once a week.

Real time clock configurationIn addition to SNTP time configuration, a real-time clock (RTC) is available to provide the switchwith time information. This RTC provides the switch information in the instance that SNTP timeis not available.

Use the following commands to view and configure the RTC:

• clock set command on page 42• Clock sync rtc-with-SNTP enable command on page 42



• no clock sync-rtc-with-SNTP enable command on page 42• Default clock sync-rtc-with-SNTP enable command on page 42• Clock source command on page 43• default clock source command on page 43

clock set command

This command is used to set the RTC. The syntax of the clock set command is: clockset {<LINE> | <hh:mm:ss>}The following table outlines the parameters for this command.

Table 16: clock set command parameters

Parameters Description<LINE> A string in the format of mmddyyyyhhmmss that

defines the current local time.

<hh:mm:ss> Numeric entry of the current local time in the mannerspecified.

This command is executed in the Privileged EXEC command mode.

Clock sync rtc-with-SNTP enable command

This command enables the synching of the RTC with the SNTP clock when the SNTP clocksynchronizes.

The syntax for this command is: clock sync-rtc-with-sntp enableThis command is executed in the Global Configuration command mode.

no clock sync-rtc-with-SNTP enable command

This command disables the synching of the RTC with the SNTP clock when the SNTP clocksynchronizes.

The syntax for this command is: no clock sync-rtc-with-sntp enableThis command is executed in the Global Configuration command mode.

Default clock sync-rtc-with-SNTP enable command

This command sets the synchronizing of the RTC with the SNTP clock to factory defaults.

The syntax for this command is: default clock sync-rtc-with-sntp enable




Clock source command

This command sets the default clock source for the switch.

The syntax for this command is: clock source {sntp | rtc | sysUpTime}Substitute {sntp | rtc | sysUpTime} with the clock source selection.


default clock source command

This command sets the clock source to factory defaults. The syntax of this command is:default clock sourceThis command is executed in the Global Configuration command mode.

Custom Autonegotiation AdvertisementsCustom Autonegotiation Advertisement (CANA) customizes the capabilities that areadvertised. It also controls the capabilities that are advertised by the WC 8180 as part of theauto-negotiation process.

The following sections describe configuring CANA with CLI:

• Configuring CANA on page 43• Viewing current autonegotiation advertisements on page 43• Setting default auto-negotiation-advertisements on page 44• no auto-negotiation-advertisements command on page 44

Configuring CANA

Use the auto-negotiation-advertisements command to configure CANA.

To configure port 5 to advertise the operational mode of 10 Mb/s and full duplex enter thefollowing command line: auto-negotiation-advertisements port 5 10-full

Viewing current autonegotiation advertisements

To view the autonegotiation advertisements for the device, enter the following command: showauto-negotiation-advertisements [port <portlist>]



Setting default auto-negotiation-advertisements

The default auto-negotiation-advertisements command makes a port advertiseall its auto-negotiation-capabilities.

The syntax for the default auto-negotiation-advertisements command is:default auto-negotiation-advertisements [port <portlist>]To set default advertisements for port 5 of the device, enter the following command line:default auto-negotiation-advertisements port 5The default auto-negotiation-advertisements command can be executed in theInterface Configuration mode.

no auto-negotiation-advertisements command

The no auto-negotiation-advertisements command makes a port silent.

The syntax for the no auto-negotiation-advertisements command is: no auto-negotiation-advertisements [port <portlist>]The no auto-negotiation-advertisements command can be executed in the InterfaceConfiguration mode.

Connecting to another switchUsing the Command Line Interface (CLI), it is possible to communicate with another switchwhile maintaining the current switch connection. This is accomplished with the familiar pingand telnet commands.

ping command

Use the ping command to determine if communication with another switch can be established.The syntax for this command is: ping<dns_host_name> [datasize <64-4096>[{count <1-999>} | continuous] [{timeout | -t} <1-120>] [interval<1-60] [debug]Substitute <dns_host_name> with the DNS host name of the unit to test.

Run this command in User EXEC command mode or any of the other command modes.




Table 17: ping command parameters

Parameters Description<dns_host_name> The DNS host name of the unit to test.

datasize <64–4096> Specify the size of the ICMP packet to be sent. Thedata size range is from 64 to 4096 bytes.

count <1–9999> | continuous Set the number of ICMP packets to be sent. Thecontinuous mode sets the ping running until theuser interrupts it by entering Ctrl+C.

timeout | -t | <1–120> Set the timeout using either the timeout with the -tparameter followed by the number of seconds theswitch must wait before timing out.

interval <1–60> Specify the number of seconds betweentransmitted packets.

debug Provide additional output information such as theICMP sequence number and the trip time.

telnet command

Use the telnet command to establish communications with another switch during the currentCLI session. Communication can be established to only one external switch at a time usingthe telnet command.

The syntax for this command is: telnet <dns_host_name>Substitute <dns_host_name> with the DNS hostname of the unit with which to communicate.

This command is executed in the User EXEC command mode.

Domain Name Server (DNS) ConfigurationDomain name servers are used when the switch needs to resolve a domain name to an IPaddress. The following commands allow for the configuration of the switch domain nameservers:

• show ip dns command on page 46• ip domain-name command on page 46• no ip domain-name command on page 46• default ip domain-name command on page 46• ip name-server command on page 47• no ip name-server command on page 47



show ip dns command

The show ip dns command is used to display DNS-related information. This informationincludes the default switch domain name and any configured DNS servers.

The syntax for this command is: show ip dnsThis command is executed in the User EXEC command mode.

ip domain-name command

The ip domain-name command is used to set the default DNS domain name for the switch.This default domain name is appended to all DNS queries or commands that do not alreadycontain a DNS domain name.

The syntax for this command is: ip domain-name <domain_name>Substitute <domain_name> with the default domain name to be used. A domain name isdetermined to be valid if it contains alphanumeric characters and contains at least one period(.).


no ip domain-name command

The no ip domain-name command is used to clear a previously configured default DNSdomain name for the switch.

The syntax for this command is: no ip domain-nameThis command is executed in the Global Configuration command mode.

default ip domain-name command

The default ip domain-name command is used to set the system default switch domainname. Because this default is an empty string, this command has the same effect as the noip domain-name command.

The syntax for this command is: default ip domain-nameThis command is executed in the Global Configuration command mode.



ip name-server command

The ip name-server command is used to set the domain name servers the switch uses toresolve a domain name to an IP address. A switch can have up to three domain name serversspecified for this purpose.

The syntax of this command is:

ip name-server <ip_address_1> ip name-server <ip_address_2> ip name-server <ip_address_3>Note: To enter all three server addresses you must enter the command three times, each with adifferent server address.

The following table outlines the parameters for this command.

Table 18: ip name-server command parameters

Parameters Description<ip_address_1> The IP address of the domain name server used by the switch.

<ip_address_2> Optional. The IP address of a domain name server to add tothe list of servers used by the switch.

<ip_address_3> Optional. The IP address of a domain name server to add tothe list of servers used by the switch.


no ip name-server command

The no ip name-server command is used to remove domain name servers from the listof servers used by the switch to resolve domain names to an IP address.

The syntax for this command is:

no ip name-server <ip_address_1> no ip name-server [<ip_address_2>]no ip name-server [<ip_address_2>]Note: To remove all three server addresses you must enter the command three times, eachwith a different server address.


Parameters Description<ip_address_1> The IP address of the domain name server to remove.

<ip_address_2> Optional. The IP address of a domain name server toremove from the list of servers used by the switch.



Parameters Description<ip_address_3> Optional. The IP address of a domain name server to

remove from the list of servers used by the switch.


Changing switch softwareThe software download process occurs automatically without user intervention. This processdeletes the contents of the flash memory and replaces it with the desired software image. Donot interrupt the download process. Depending on network conditions, this process make takeup to 10 minutes.

When the download process is complete, the switch automatically resets unless the no-resetparameter was used. The software image initiates a self-test and returns a message when theprocess is complete. An example of this message is illustrated in the following table.

Table 19: Software download message output

Download Image [/] Saving Image [-] Finishing UpgradingImage

During the download process the switch is not operational.

The progress of the download process can be tracked by observing the front panel LEDs.

To change the software version running on the switch with CLI, follow this procedure:

1. Access CLI through the Telnet protocol or a Console connection.

2. From the command prompt, use the download command with the followingparameters to change the software version: download [address <a.b.c.d>]{primary | secondary} {image <image name> | image-if-newer<image name> | diag <image name>} [no-reset] [usb]The following table explains the parameters for the download command.

Table 20: download command parameters

Parameter Descriptionaddress <a.b.c.d> This parameter is the IP address of the

TFTP server to be used. The address<ip> parameter is optional and ifomitted the switch defaults to theTFTP server specified by the tftp-server command unless software



Parameter Descriptiondownload is to take place using a USBMass Storage Device.

primary | secondary This parameter determines if theimage is the primary or secondaryimage.

image <image name> This parameter is the name of thesoftware image to be downloadedfrom the TFTP server.

image-if-newer <image name> This parameter is the name of thesoftware image to be downloadedfrom the TFTP server if newer than thecurrently running image.

diag <image name> This parameter is the name of thediagnostic image to be downloadedfrom the TFTP server.

no-reset This parameter forces the switch tonot reset after the software downloadis complete.

usb In the WC 8180, this parameterspecifies that the software downloadis performed using a USB MassStorage Device and the front panelUSB port.

3. Press Enter.

Configuration files in CLICLI provides many options for working with configuration files. Through CLI, configuration filescan be displayed, stored, and retrieved.

For details, refer to the following:

• Displaying the current configuration on page 50• Storing the current configuration on page 50• copy tftp config command on page 51• copy usb config command on page 51• Saving the current configuration on page 51• save config command



Importing action commands

The import and export of action commands in ASCII configuration files is not supported in thisrelease. This includes commands such as radius secret and mdc-join. Actioncommands that are part of a device configuration before an export operation will be excludedduring the export operation. Subsequent imports of the configuration file will not contain theexcluded commands. Excluded commands must be manually executed after the importprocess.

This is very important to keep in mind especially in regards to configuring a new device orupdating a device that has been returned to factory defaults. Note the action commands thatwere part of the pre-export configuration so they can be manually executed after theconfiguration file is imported.

Displaying the current configuration

The show running-config command displays the current configuration of switch.

The syntax for the show running-config command is:

show running-configThis command only can be executed in the Privileged EXEC mode and takes no parameters.

Storing the current configuration

The copy running-config command copies the contents of the current configuration fileto another location for storage. For all switches in the 8100 Series, the configuration file canbe saved to a TFTP server. The WC 8180 also provide the ability to save the configurationfile to a USB Mass Storage Device through the front panel USB drive.

The syntax for the copy running-config command is:

copy running-config {tftp | (usb) [u2] } address <A.B.C.D> filename<name>The following table outlines the parameters for this command.

Table 21: copy running-config parameters

Parameters Description{tftp | usb} This parameter specifies the general location in which

the configuration file is saved.

address <A.B.C.D> If a TFTP server is to be used, this parameter signifiesthe IP address of the server to be used.



Parameters Descriptionfilename <name> The name of the file that is created when the

configuration is saved to the TFTP server or USB MassStorage Device.

The copy running-config command only can be executed in the Privileged EXEC mode.

copy tftp config command

Use this command to restore a configuration file stored on a TFTP server.


copy tftp config address <A.B.C.D> filename <name>The following table outlines the parameters for this command.

Table 22: copy tftp config command parameters

Parameter Descriptionaddress <A.B.C.D> The IP address of the TFTP server to be used.

filename <name> The name of the file to be retrieved.

copy usb config command

Use this command to restore a configuration file stored on a USB Mass Storage Device. Thesyntax is:

copy usb config filename <name>The only parameter for this command is the name of the file to be retrieved from the USBdevice.

Saving the current configuration

The configuration currently in use on a switch is regularly saved to the flash memoryautomatically. However, you can manually initiate this process using the copy confignvram command. This command takes no parameters and you must run it in Privileged EXECmode. If you have disabled the AutosaveToNvramEnabled function by removing the defaultcheck in the AutosaveToNvRamEnabled field, the configuration is not automatically saved tothe flash memory.



Automatically downloading a configuration file with CLI

This feature is enabled through CLI by using the configure network command. This commandenables a script to be loaded and executed immediately as well as configure parameters toautomatically download a configuration file when the switch is booted.

The syntax for the configure network command is: configure network load-on-boot{disable | use-bootp | use-config} address <A.B.C.D> filename <name>The following table outlines the parameters for this command.

Table 23: configure network command parameters

Parameter Descriptionload-on-boot {disable | use-bootp | useconfig}

Specifies the settings for automaticallyloading a configuration file when the systemboots:

• disable - disables the automatic loading ofconfig file

• use-bootp - specifies loading the ASCIIconfiguration file at boot and using BootPto obtain values for the TFTP address andfilename

• use-config - specifies loading the ASCIIconfiguration file at boot and using thelocally configured values for the TFTPaddress and filename

Note: If you omit this parameter, the systemimmediately downloads and runs the ASCIIconfig file.

address <A.B.C.D> The IP address of the desired TFTP server.

filename <name> The name of the configuration file to use inthis process

This command must be run in the Privileged EXEC mode.

The current switch settings relevant to this process can be viewed using the show config-network command. This command takes no parameters and must be executed in PrivilegedEXEC mode.

Terminal setupSwitch terminal settings can be customized to suit the preferences of a switch administrator.This operation must be performed in CLI.



The terminal command configures terminal settings. These settings are transmit and receivespeeds, terminal length, and terminal width.

The syntax of the terminal command is: terminal speed {2400 | 4800 | 9600 |19200 | 38400} length <0-132> width <1-132>The terminal command is executed in the User EXEC command mode.


Table 24: terminal command parameters

Parameters Descriptionspeed {2400|4800|19200|38400} Sets the transmit and receive baud rates for

the terminal. The speed can be set at one ofthe five options shown; the default is 9600.

length Sets the length of the terminal display inlines; the default is 23.Note: If the terminal length is set to a valueof 0, the pagination is disabled and thedisplay continues to scroll without stopping.

width Sets the width of the terminal display incharacters; the default is 79.

The show terminal command can be used at any time to display the current terminalsettings. This command takes no parameters and is executed in the EXEC command mode.

Setting the default management interfaceYou can set the default management interface with CLI to suit the preferences of the switchadministrator. This selection is stored in NVRAM. When the system is started, the bannerdisplays and prompts the user to enter Ctrl+Y. After these characters are entered, the systemdisplays either a menu or the command line interface prompt, depending on previouslyconfigured defaults. When using the console port, you must log out for the new mode to display.When using Telnet, all subsequent Telnet sessions display the selection.

To change the default management interface, use the cmd-interface command. The syntax ofthis command is: cmd-interface {cli | menu}The cmd-interface command must be executed in the Privileged EXEC command mode.

Setting Telnet accessCLI can be accessed through a Telnet session. To access CLI remotely, the management portmust have an assigned IP address and remote access must be enabled.



Note: Multiple users can access CLI system simultaneously, through the serial port, Telnet,and modems. The maximum number of simultaneous users is four. All users can configuresimultaneously.

For details on viewing and changing the Telnet-allowed IP addresses and settings, refer to thefollowing:

• telnet-access command on page 54• no telnet-access command• default telnet-access command on page 55

telnet-access command

The telnet-access command configures the Telnet connection that is used to manage theswitch. The telnet-access command is executed through the console serial connection.

The syntax for the telnet-access command is:

telnet-access [enable | disable] [login-timeout <1-10>][retry<1-100>] [inactive-timeout <0-60>] [logging {none | access |failures | all}] [source-ip <1-50> <A.B.C.D> <WORD> [mask <A.B.C.D>]Execute the telnet-access command in the Global Configuration command mode.

The following table describes the parameters for the telnet-access command.

Table 25: telnet-access command parameters

Parameters Descriptionenable | disable Enables or disables Telnet connection.

login-timeout <1-10> Specify in minutes the time to wait for Telnetand Console login before the connectioncloses. Enter an integer between 1 and 10.

retry <1-100> Specify the number of times the user canenter an incorrect password before closingthe connection. Enter an integer between 1and 100.

inactive-timeout <0-60> Specify in minutes the duration for aninactive session to be terminated.

logging {none | access | failures | all} Specify the events whose details you want tostore in the event log:

• none-do not save access events in the log

• access-save only successful accessevents in the log




• failure-save failed access events in the log

• all-save all access events in the log

[source-ip <1-50> <A.B.C.D> [mask<A.B.C.D>] [source-ip <WORD>

Specify the source IP address from whichconnections are allowed. Enter the IPaddress in dotted-decimal notation. Maskspecifies the subnet mask from whichconnections are allowed; enter IP mask indotted-decimal notation.

default telnet-access command

The default telnet-access command sets the Telnet settings to the default values.

The syntax for the default telnet-access command is:

default telnet-accessThe default telnet-access command is executed in the Global Configuration commandmode.

Setting boot parametersThe command outlined in this section is used for booting the switch as well as setting bootparameters.

boot command

The boot command performs a soft-boot of the switch.

The syntax for the boot command is:

boot [default] [partial default]The boot command is executed in the Privileged EXEC command mode.

The following table describes the parameters for the boot command.

Table 26: boot command parameters

Parameters Descriptiondefault Reboot the switch and use the factory default

configurations



Parameters Descriptionpartial-default Reboot the switch and use partial factory default

configurations

Note: When you reset to factory defaults, the switch retains the last reset count and reason forlast reset; these two parameters do not default to factory defaults.

Defaulting to BootP-when-neededThe BootP default value is BootP-when-needed. This enables the switch to be booted and thesystem to automatically seek a BootP server for the IP address.

If an IP address is assigned to the device and the BootP process times out, the BootP moderemains in the default mode of BootP-when-needed.

However, if the device does not have an assigned IP address and the BootP process timesout, the BootP mode automatically changes to BootP disabled. But this change to BootPdisabled is not stored, and the BootP reverts to the default value of BootP-when-needed afterrebooting the device.

When the system is upgraded, the switch retains the previous BootP value. When the switchis defaulted after an upgrade, the system moves to the default value of BootP-when-needed.

Refer to the following commands to configure BootP parameters:

• ip bootp server command on page 56• no ip bootp server command on page 57• default ip bootp server command on page 57

ip bootp server command

The ip bootp server command configures BootP on the current instance of the switch orserver. This command is used to change the value of BootP from the default value, which isBootP-when-needed.

The syntax for the ip bootp server command is:

ip bootp server {always | disable | last | needed}The ip bootp server command is executed in the Global Configuration command mode.


Table 27: ip bootp server command parameters

Parameters Descriptionalways | disable | last | needed Specifies when to use BootP:




• always-Always use BootP

• disable-never use BootP

• last-use BootP or the last known address

• needed-use BootP only when needed

Note: The default value is to use BootP whenneeded.

no ip bootp server command

The no ip bootp server command disables the BootP server.

The syntax for the no ip bootp server command is:

no ip bootp serverThe no ip bootp server command is executed in the Global Configuration command mode.

default ip bootp server command

The default ip bootp server command uses BootP when needed.

The syntax for the default ip bootp server command is:

default ip bootp serverThe default ip bootp server command is executed in the Global Configurationcommand mode.

shutdown commandThe shutdown command proves a mechanism for safely shutting down a switch withoutinterfering with device processes or corrupting the software image. After this command isissued, the configuration is saved, auto-save functionality is temporarily disabled, andconfiguration changes are not allowed until the switch restarts. If the shutdown is cancelled,auto-save functionality returns to the state in which it was previously functioning.

The shutdown command has the following syntax: shutdown [force] [minutes-to-wait <1-60>] [cancel]The following table describes the parameters of the shutdown command.



Table 28: shutdown command parameter

Parameters Descriptionforce This parameter forces the shutdown without

confirmation.

minutes-to-wait <1-60> This parameter represents the number of minutes towait before the shutdown occurs. If no value isspecified, the default value of 10 minutes is used.

cancel This parameter cancels a scheduled shutdown anytime during the time period specified by theminutes-to-wait parameter.

reload commandThe reload command operates in a similar fashion to the shutdown command. However, thereload command is intended more to be used by system administrators using the commandfunctionality to configure remote devices and reset them when the configuration is complete.

The reload command differs from the shutdown command in that the configuration is notexplicitly saved after the command is issued. This means that any configuration changes mustbe explicitly saved before the switch reloads.

The reload command does temporarily disable auto-save functionality until the reload occurs.Cancelling the reload returns auto-save functionality to any previous setting.

The reload command has the following syntax: reload [force] [minutes-to-wait<1-60>] [cancel]The following table describes the parameters of the reload command.

Table 29: reload command parameters

Parameter Descriptionforce This parameter forces the reload without confirmation.

minutes-to-wait <1-60> This parameter represents the number of minutes towait before the reload occurs. If no value is specified,the default value of 10 minutes is used.

cancel This parameter cancels a scheduled reload any timeduring the time period specified by the minutes-to-waitparameter.



CLI HelpTo obtain help on the navigation and use of Command Line Interface (CLI), use the followingcommand: help {commands | modes}Use help commands to obtain information about the commands available in CLI organized bycommand mode. A short explanation of each command is also included.

Use help modes to obtain information about command modes available and CLI commandsused to access them.

These commands are available in any command mode.

Clearing the default TFTP server with CLIThe default TFTP server can be cleared from the switch and reset to 0.0.0.0 with the followingtwo commands:

• no tftp-server• default tftp-server

Configuring a default TFTP server with CLIThe switch processes that make use of a TFTP server often give the switch administrator theoption of specifying the IP address of a TFTP server to be used. Instead of entering this addressevery time it is needed, a default IP address can be stored on the switch.

A default TFTP server for the switch is specified with the tftp-server command. The syntax ofthis command is: tftp-server <A.B.C.D>To complete the command, replace <A.B.C.D> with the IP address of the default TFTP server.This command must be executed in the Privileged EXEC command mode.

Configuring default clock sourceThis command sets the default clock source for the switch.

The syntax for this command is: clock source {rtp | sntp | sysUpTime}Substitute {rtp | sntp | sysUpTime}with the clock source selection.

Run this command in Global Configuration command mode.



Configuring daylight savings time with CLIUse the following procedure to configure the daylight savings time adjustment with CLI:

1. In CLI, set the Global Configuration command mode.configure

2. Enable sntp server.

3. Set the date to change to daylight savings time.clock summer-time zone date day month year hh:mm day monthyear hh:mm [offset]

Job aid

The following table defines the variables for the clock summer-time command:

Table 30: clock summer-time command parameters

Parameters Descriptiondate Indicates that daylight savings time should

start and end on the specified days everyyear.

day Date to start daylight savings time.

month Month to start daylight savings time.

year Year to start daylight savings time.

hh:mm Hour and minute to start daylight savingstime.

day Date to end daylight savings time.

month Month to end daylight savings time.

year Year to end daylight savings time.

hh:mm Hour and minute to end daylight savingstime.

offset Number of minutes to add during the summertime.

zone The time zone acronym to be displayed whendaylight savings time is in effect. If it is



Parameters Descriptionunspecified, it defaults to the time zoneacronym set when the time zone was set.

Configuring Dual AgentUse the following commands to configure the Dual Agent feature with CLI:

• Enhanced download command on page 61• toggle next boot image command on page 62• boot secondary command on page 62• Show agent images on page 62

Enhanced download command

You can update either active image or non-active image. Once the image download is done,the unit resets and restarts with the new image regardless of the value of the Next Boot imageindicator. In case of image download without reset, the new image in the flash will be the NextBoot image.

Use the download command to specify the download target image. The syntax for thiscommand is:

download [address <a.b.c.d>] {primary | secondary} {image <imagename> | image-if-newer <image name> | diag <image name>} [no-reset][usb]The following table defines the parameters for the download command.

Table 31: download command parameters

Parameters Variablea.b.c.d IP address in dot notation.

primary | secondary Choose which image to download.

image <image name> Download the specified image.

image-if-newer <image name> Only download the image if the version is newerthan the installed version.

diag <image name> Download the specified diagnostic image.

no-reset Do not reset the switch.

usb Download the image from the USB drive.

Note: Dual Agent supports the WLAN switches NBUs through AAUR.



toggle next boot image command

You can use CLI commands to change the next boot image of the device.

Use the toggle-next-boot-image command to toggle the next boot image.


toggle-next-boot-imageYou must restart the switch after this command to use the next boot image as the new primaryimage.

boot secondary command

You can use CLI commands to change the next boot image of the device.

Use the boot secondary command to use the secondary boot image. The syntax for thiscommand is:

boot secondaryThe switch will restart automatically with the new image.

Show agent images

You can use CLI commands to list the following information about the agent images stored inflash memory:

• Primary image version• Secondary image name• Active image version

Use the show boot image command to show the agent image information for agent imagesstored in the flash memory. They syntax for this command is:

show boot image

Configuring local time zone with CLISNTP uses Coordinated Universal Time (UTC) for all time synchronizations so it is not affectedby different time zones. To have the switch report the time in your local time zone, you needto use the clock commands to set the local time zone.

You must enable SNTP before you set the time zone. If SNTP is not enabled, this commandhas no effect. If you enable SNTP and do not specify a time zone, UTC is shown by default.

Use the following procedure to configure your switch for your local time zone with CLI:



1. In CLI, set the Global Configuration command mode.configure

2. Enable sntp server.

3. Set clock time zone using the clock command.clock time-zone zone hours [minutes]

Job aid

The following table defines the variables for the clock time-zone command:

Table 32: clock time-zone command

Variables Descriptionzone Time zone acronym to be displayed when showing

system time (up to 4 characters).

hours Difference from UTC in hours. This can be any valuebetween -12 and +12.

minutes Optional: This is the number of minutes difference fromUTC. Minutes can be any value between 0 and 59.

Customizing CLI banner with CLI

show banner command

The show banner command displays the banner.

The syntax for the show banner command is:

show banner [static | custom]The show banner command is executed in the Privileged EXEC command mode.


Table 33: show banner command parameters

Parameters Descriptionstatic | custom Displays which banner is currently set to display:




• static

• custom

banner command

The banner command specifies the banner displayed at startup; either static or custom.

The syntax for the banner command is:

banner {static | custom} <line number> "<LINE>"The following table outlines the parameters for this command.

Table 34: banner command parameters

Parameters Descriptionstatic | custom Sets the display banner as:

• static

• custom

line number Enter the banner line number you are setting.The range is 1 to 19.

LINE Specifies the characters in the line number.

This command is executed in the Privileged EXEC command mode.

no banner command

The no banner command clears all lines of a previously stored custom banner. Thiscommand sets the banner type to the default setting (STATIC).

Displaying the default TFTP server with CLI

no bannerThe no banner command is executed in the Privileged EXEC command mode.

Displaying the default TFTP server with CLIThe default TFTP server configured for the switch can be displayed in CLI at any time by usingthe show tftp-server command. This command has no parameters and is executed in thePrivileged EXEC mode.



Displaying complete GBIC informationComplete information can obtained for a GBIC port using the following command: showinterfaces gbic-info <port-list>Substitute <port-list> with the GBIC ports for which to display information. If no GBIC isdetected, this command does not show any information.

This command is available in all command modes.

Displaying hardware informationTo display a complete listing of information about the status of switch hardware in CLI, use thefollowing command: show system [verbose]The inclusion of the [verbose] option displays additional information about fan status, powerstatus, and switch serial number.

Switch hardware information is displayed in a variety of locations in Web-based managementand Device Manager. No special options are needed in these interfaces to display theadditional information.

Enabling AutosaveWith autosave enabled the system checks every minute to see if there is any new configurationdata. If there is, it will automatically be saved to NVRAM. While autosave is enabled, the AURfeature should perform normally.

Use the following command to enable the autosave feature.

autosave enable command

The autosave enable command is used to enable the autosave feature.


autosave enableThe autosave enable command is executed in Global Configuration command mode.



Setting the server for Web-based management with CLISetting the server for Web-based management with CLI You can use CLI to enable or disable aweb server for use with Web-based management. For details, refer to the following:

• web-server command on page 66• no web-server command on page 66

web-server command

The web-server command enables or disables the web server used for Web-basedmanagement.

The syntax for the web-server command is:

web-server {enable | disable}The web-server command is executed in the Global Configuration command mode.


Table 35: web-server command parameters

Parameter Descriptionenable | disable Enables or disables the web server.

no web-server command

The no web-server command disables the web server used for Web-based management.

The syntax for the no web-server command is:

no web-serverThe no web-server command is executed in the Global Configuration command mode.

Setting the read-only and read-write passwordsThe first step to requiring password authentication when the user logs in to the switch is to editthe password settings. To set the read-only and read-write passwords, perform the followingprocedure.




2. From the command prompt, use the cli password command to change the desiredpassword.cli password {read-only | read-write} <password>The following table describes the parameters for this command.

Table 36: cli password command parameters

Parameter Description{read-only | read-write} This parameter specifies if the

password change is for read-onlyaccess or read-write access.

<password> If password security is disabled, thelength can be 1-15 chars. If passwordsecurity is enabled, the range for lengthis 10-15 chars.

3. Press Enter.

Enabling and disabling passwordsAfter the read-only and read-write passwords are set, they can be individually enabled ordisabled for the various switch access methods. When enabled, password security promptsyou for a password and the value is hidden. To enable or disable passwords, perform thefollowing procedure:


2. From the command prompt, use the cli password command to enable or disablethe desired password.cli password {telnet | serial} {none | local | radius |tacacs}The following table describes the parameters for this command.

Table 37: cli password parameters

Parameter Description{telnet | serial} This parameter specifies if the

password is enabled or disabled fortelnet or the console. Telnet and webaccess are tied together so that



Parameter Descriptionenabling or disabling passwords forone enables or disables it for the other.

{none | local | radius | tacacs} This parameter specifies if thepassword is to be disabled (none), or ifthe password to be used is the locallystored password created in theprevious procedure, or if RADIUSauthentication or TACACS +AAAservices is used.

3. Press Enter.

Configuring RADIUS authenticationThe Remote Authentication Dial-In User Service (RADIUS) protocol is a means to authenticateusers through the use of a dedicated network resource. This network resource contains a listingof eligible user names and passwords and their associated access rights. When RADIUS isused to authenticate access to a switch, the user supplies a user name and, when prompted, apassword. The password value is hidden when entered. This information is checked againstthe preexisting list. If the user credentials are valid they can access the switch.

If RADIUS Authentication was selected when enabling passwords through CLI, the RADIUSserver settings must be specified to complete the process. Ensure that Global Configurationmode is entered in CLI before beginning this task.

To enable RADIUS authentication through CLI, follow these steps:


2. From the command prompt, use the radius-server command to configure theserver settings.radius-server host <address> [secondary-host <address>] port<num> key <string> [password fallback]The following table describes the parameters for this command.

Table 38: radius-server parameters

Parameter Descriptionhost <address> This parameter is the IPv6 or IPv4

address of the RADIUS server that isused for authentication.

[secondary-host <address>] The secondary-host <address>address> parameter is optional. If a



Parameter Descriptionbackup RADIUS server is to bespecified, include this parameter withthe IPv6 or IPv4 address of the backupserver.

port <num> This parameter is the UDP port numberthe RADIUS server uses to listen forrequests.

key This parameter prompts you to supplya secret text string or password that isshared between the switch and theRADIUS server. Enter the secret string,which is a string up to 16 characters inlength. The password is hidden whenentered.

[password fallback] This parameter is optional and enablesthe password fallback feature on theRADIUS server. This option is disabledby default.

3. Press Enter.

Related RADIUS Commands

During the process of configuring RADIUS authentication, there are three other CLI commandsthat can be useful to the process. These commands are:

1. show radius-serverThe command takes no parameters and displays the current RADIUS serverconfiguration.

2. no radius-serverThis command takes no parameters and clears any previously configured RADIUSserver settings.

3. radius-server password fallbackThis command takes no parameters and enables the password fallback RADIUSoption if it was not done when the RADIUS server was configured initially.



Configuring system securityThis chapter describes the methods and procedures necessary to configure system security.

Depending on the scope and usage of the commands listed in this chapter, you can needdifferent command modes to execute them.

Navigation

• Configuring MAC address-based security using CLI on page 70• Configuring RADIUS authentication using CLI on page 78• SNMP configuration using CLI on page 80• Configuring RADIUS accounting using CLI• Configuring TACACS+ using CLI on page 100• Configuring IP Manager using CLI on page 103• Configuring password security using CLI on page 105• Displaying CLI Audit log using CLI on page 106• Configuring Secure Socket Layer services using CLI on page 107• Configuring Secure Shell protocol using CLI on page 108• IP Source Guard configuration using CLI

Configuring MAC address-based security using CLIThe following CLI commands allow for the configuration of the BaySecureapplication usingMedia Access Control (MAC) addresses.

The CLI commands in this section are used to configure and manage MAC address security.

CLI commands for MAC address security

The CLI commands in this section are used to configure and manage MAC address security.

• show mac-security command on page 71• show mac-security mac-da-filter command on page 71• mac-security command on page 72• mac-security mac-address-table address command on page 73• show mac-security mac-address-table command on page 73• mac-security security-list command on page 74



• no mac-security security-list command on page 74• mac-security command for specific ports on page 74• show mac-security command on page 75• mac-security mac-da-filter command on page 75• CLI commands for MAC address auto-learning on page 75• mac-security auto-learning aging-time command on page 76• no mac-security auto-learning aging-time command on page 76• default mac-security auto-learning aging-time command on page 76• mac-security auto-learning port command on page 76• no mac-security auto-learning command on page 77• default mac-security auto-learning command on page 77

show mac-security command

The show mac-security command displays configuration information for the BaySecureapplication.

The syntax for the show mac-security command is:

show mac-security {config|mac-address-table [address <macaddr>] |port|security-lists}The following table outlines the parameters for this command.

Table 39: show mac-security command parameters

Parameter Descriptionconfig Displays general BaySecure configuration.

mac-address-table [address <madaddr>] Displays contents of BaySecure table ofallowed MAC addresses:

address—specifies a single MAC addressto display; enter the MAC address

port Displays the BaySecure status of all ports.

security-lists Displays port membership of all security lists.

The show mac-security command is executed in the Privileged EXEC command mode.

show mac-security mac-da-filter command

The show mac-security mac-da-filter command displays configuration informationfor filtering MAC destination addresses (DA). Packets can be filtered from up to 10 MAC DAs.

Configuring system security


The syntax for the show mac-security mac-da-filter command is

show mac-security mac-da-filterThe show mac-security mac-da-filter command is executed in the Privileged EXECcommand mode.

The show mac-security mac-da-filter command has no parameters or variables.

mac-security command

The mac-security command modifies the BaySecure configuration.

The syntax for the mac-security command is

mac-security [disable|enable] [filtering {enable|disable}][intrustion-detect {enable|disable|forever}] [intrusion-timer<1-65535>] [learning-ports <portlist>] [learning {enable|disable}][snmp-lock {enable|disable}] [snmp-trap {enable|disable}]The following table outlines the parameters for this command.

Table 40: mac-security parameters

Parameter Descriptiondisable|enable Disables or enables MAC address-based

security.

filtering {enable|disable} Enables or disables DA filtering on intrusiondetected.

intrusion-detect {enable|disable|forever} Specifies partitioning of a port when anintrusion is detected:

• enable—port is partitioned for a period oftime

• disabled—port is not partitioned ondetection

• forever—port is partitioned until manuallychanged

intrustion-timer <1-65535> Specifies, in seconds, length of time a port ispartitioned when an intrusion is detected;enter the number of seconds desired.

learning-ports <portlist> Specifies MAC address learning. Learnedaddresses are added to the table of allowedMAC addresses. Enter the ports to learn; asingle port, a range of ports, several ranges,all ports, or no ports can be entered.

learning {enable|disable} Specifies MAC address learning:



Parameter Description

• enable—enables learning by ports

• disable—disables learning by ports

snmp-lock {enable|disable} Enables or disables a lock on SNMP write-access to the BaySecure MIBs.

snmp-trap {enable|disable} Enables or disables trap generation uponintrusion detection.

The mac-security command is executed in the Global Configuration mode.

mac-security mac-address-table address command

The mac-security mac-address-table address command assigns either a specificport or a security list to the MAC address. This removes the previous assignment to thespecified MAC address and creates an entry in the BaySecure table of allowed MACaddresses.

The syntax for the mac-security mac-address-table address command is

mac-security mac-address-table address <H.H.H.> {port <portlist>|security-list <1-32>}The following table outlines the parameters for this command.

Table 41: no mac-security mac-address-table parameters

Parameter Description<H.H.H> Enter the MAC address in the form of H.H.H.

port <portlist> Enter the port number.

security-list <1-32> Enter the security list number.

The no mac-security mac-address-table command executes in the GlobalConfiguration mode.

show mac-security mac-address-table command

The show mac-security mac-address-table command displays the current global MAC Addresssecurity table. The syntax for this command is

show mac-security mac-address-table.This command executes in the Privileged EXEC command mode.



mac-security security-list command

The mac-security security-list command assigns a list of ports to a security list.

The syntax for the mac-security security-list command is:

mac-security security-list <1-32> <portlist>The following table outlines the parameters for this command.

Table 42: mac-security security-list parameters

Parameter Description<1-32> Enter the number of the security list you want to use.

<portlist> Enter the port number.

The mac-security security-list command executes in the Global Configuration mode.

no mac-security security-list command

The no mac-security security-list command clears the port membership of asecurity list.

The syntax for the no mac-security security-list command is:

no mac-security security-list <1-32>Substitute the <1-32> with the number of the security list to be cleared.

The no mac-security security-list command executes in the Global Configurationmode.

mac-security command for specific ports

The mac-security command for specific ports configures the BaySecure status of specificports.

The syntax for the mac-security command for specific ports is

mac-security [port <portlist>] {disable|enable|learning}The following table outlines the parameters for this command.

Table 43: mac-security parameters

Parameter Descriptionport <portlist> Enter the port numbers.



Parameter Descriptiondisable|enable|learning Directs the specific port

• disable—disables BaySecure on the specifiedport and removes the port from the list of portsfor which MAC address learning is beingperformed

• enable—enables BaySecure on the specifiedport and removes the port from the list of portsfor which MAC address learning is beingperformed

• learning—disables BaySecure on the specifiedport and adds these port to the list of ports forwhich MAC address learning is being performed

The mac-security command for specific ports executes in the Interface Configuration mode.

show mac-security command

The show mac-security command displays the current MAC Address security table for theports entered. The syntax for this command is

show mac-security port <portlist>Substitute <portlist> with the ports to be displayed.

This command executes in the Privileged EXEC command mode.

mac-security mac-da-filter command

The mac-security mac-da-filter command allows packets to be filtered from up to tenspecified MAC DAs. This command also allows you to delete such a filter and then receivepackets from the specified MAC DA.

The syntax for the mac-security mac-da-filter command is

mac-security mac-da-filter {add|delete} <H.H.H>Substitute the {add|delete} <H.H.H> with either the command to add or delete a MACaddress and the MAC address in the form of H.H.H.

The mac-security mac-da-filter command executes in the Global Configuration mode.

CLI commands for MAC address auto-learning

The CLI commands in this section are used to configure and manage MAC auto-learning.



mac-security auto-learning aging-time command

The mac-security auto-learning aging-time command sets the aging time for theauto-learned addresses in the MAC Security Table.

The syntax for the command is

mac-security auto-learning aging-time <0-65535>Substitute <0-65535> with the aging time in minutes. An aging time of 0 means that thelearned addresses never age out. The default is 60 minutes.

The mac-security auto-learning aging-time command executes in the GlobalConfiguration mode.

no mac-security auto-learning aging-time command

The no mac-security auto-learning aging-time command sets the aging time forthe auto-learned addresses in the MAC Security Table to 0. In this way, it disables the removalof auto-learned MAC addresses.


no mac-security auto-learning aging-timeThe no mac-security aging-time command executes in the Global Configuration mode.

default mac-security auto-learning aging-time command

The default mac-security auto-learning aging-time command sets the agingtime for the auto-learned addresses in the MAC Security Table to the default of 60 minutes.


default mac-security auto-learning aging-timeThe default mac-security auto-learning aging-time command executes in theGlobal Configuration mode.

mac-security auto-learning port command

The mac-security auto-learning port command configures MAC security auto-learning on the ports.


mac-security auto-learning port <portlist> disabledisable|{enable[max-addrs <1-25>}




Table 44: mac-security auto-learning parameters

Parameter Description<portlist> The ports to configure for auto-learning.

disable|enable Disables or enables auto-learning on the specified ports.The default is disabled.

max-addrs <1-25> Sets the maximum number of addresses the port learns.The default is 2.

The mac-security auto-learning command executes in the Interface Configurationmode.

no mac-security auto-learning command

This command disables MAC security auto-learning for the specified ports on the switch. Thesyntax for this command is

no mac-security auto-learning port <portlist>The no mac-security auto-learning command executes in the Interface Configurationmode.

default mac-security auto-learning command

The default mac-security auto-learning command sets the default MAC securityauto-learning on the switch.


default mac-security auto-learning port <portlist> [enable] [max-addrs]The following table outlines the parameters for this command.

Table 45: default mac-security auto-learning parameters

Parameters Description<portlist> The ports to configure for auto-learning.

enable Sets to default the auto-learning status forthe port. The default is disabled.

max-addrs Sets to default the maximum number ofaddresses the port learns. The default is 2.



The default mac-security auto-learning command executes in the InterfaceConfiguration mode.

Configuring RADIUS authentication using CLIConfigure RADIUS to perform authentication services for system users by doing the following:

• Configure the RADIUS server itself. For specific configuration procedures, see the vendordocumentation. In particular, ensure that you set the appropriate Service-Type attributein the user accounts:

- for read-write access, Service-Type = Administrative- for read-only access, Service-Type = NAS-Prompt

• Configure RADIUS server settings on the switch (see “Configuring RADIUS serversettings” (page 100)).

• (Optional) Enable the RADIUS password fallback feature (see “Enabling RADIUSpassword fallback” (page 101)).

Use the following commands to configure RADIUS authentication:

• Configuring RADIUS server settings on page 78• Enabling RADIUS password fallback on page 79• Viewing RADIUS information on page 80

Configuring RADIUS server settings

Add a RADIUS server using the following command in Global or Interface Configuration mode:

radius-serverThe following table describes the parameters for this command.

Table 46: radius-server command parameters

Parameter Descriptionhost <IPaddr> Specifies the IP address of the primary

server you want to add or configure.

key <key> Specifies the secret authentication andencryption key used for all communicationsbetween the NAS and the RADIUS server.The key, also referred to as the sharedsecret, must be the same as the one definedon the server. You are prompted to enter andconfirm the key.



Parameter Description[port <port>] Specifies the UDP port for RADIUS.

<port> is an integer in the range 0–65535. The default port number is 1812.

[secondary-host <IPaddr>] Specifies the IP address of the secondaryserver. The secondary server is used only ifthe primary server does not respond.

[timeout <timeout>] Specifies the number of seconds before theservice request times out. RADIUS allowsthree retries for each server (primary andsecondary).<timeout>is an integer in the range 1–60. The defaulttimeout interval is 2 seconds.

Delete a RADIUS server and restore default RADIUS settings by using one of the followingcommands in Global or Interface Configuration mode:

no radius-serverdefault radius-server

Enabling RADIUS password fallback

Enable the RADIUS password fallback feature by using the following command in Global orInterface Configuration mode:

radius-server password fallbackWhen RADIUS password fallback is enabled, users can log on to the switch using the localpassword if the RADIUS server is unavailable or unreachable.The default is disabled.

After you enable RADIUS password fallback, you cannot disable it without erasing all otherRADIUS server settings.

Important:You can use the Console Interface to disable the RADIUS password fallback without erasingother RADIUS server settings. From the main menu, choose Console/Comm PortConfiguration, then toggle the RADIUS Password Fallback field to No.

Disable the RADIUS password fallback feature by using one of the following commands inGlobal or Interface Configuration mode:

no radius-serverdefault radius-serverThe command erases settings for the RADIUS primary and secondary servers and secret key,and restores default RADIUS settings.



Viewing RADIUS information

Display RADIUS configuration status by using the following command from any mode:

show radius-server

SNMP configuration using CLIThis section describes how you can configure SNMP using CLI, to monitor devices runningsoftware that supports the retrieval of SNMP information.

Use the following commands to configure SNMP:

• Configuring SNMP v1, v2c, v3 Parameters using CLI on page 81• SNMPv3 table entries stored in NVRAM on page 82• show snmp-server command on page 82• snmp-server authentication-trap command on page 83• no snmp-server authentication-trap command on page 83• default snmp-server authentication-trap command on page 83• snmp-server community for read or write command on page 84• snmp-server community command on page 84• no snmp-server community command on page 85• default snmp-server community command on page 86• no snmp-server contact command on page 86• default snmp-server contact command on page 86• snmp-server command on page 87• no snmp-server command on page 87• snmp-server host command on page 87• show snmp-server host command on page 89• no snmp-server host command on page 89• default snmp-server host command on page 90• snmp-server location command on page 90• no snmp-server location command on page 91• default snmp-server location command on page 91• snmp-server name command on page 91• no snmp-server name command on page 92• default snmp-server name command on page 92



• snmp-server user command on page 92• no snmp-server user command on page 94• snmp-server view command on page 94• no snmp-server view command on page 95• snmp-server bootstrap command on page 95• show snmp-server notification-control on page 96• snmp-server notification-control command on page 97• no snmp-server notification-control on page 97• default snmp-server notification-control on page 98• spanning-tree rstp traps command on page 98• no spanning-tree rstp traps command on page 99• default spanning-tree rstp traps command on page 99• show spanning-tree rstp traps config conmmand on page 99

Configuring SNMP v1, v2c, v3 Parameters using CLI

Earlier releases of SNMP used a proprietary method for configuring SNMP communities andtrap destinations for specifying SNMPv1 configuration that included:

• A single read-only community string that can only be configured using the console menus.• A single read-write community string that can only be configured using the console

menus.• Up to four trap destinations and associated community strings that can be configured

either in the console menus, or using SNMP Set requests on the s5AgTrpRcvrTableWith the WLAN 8100 Series support for SNMPv3, you can configure SNMP using the newstandards-based method of configuring SNMP communities, users, groups, views, and trapdestinations.

Important:You must configure views and users using CLI before SNMPv3 can be used.

Important:You must have the secure version of the software image installed on your switch before youcan configure SNMPv3.

The WLAN 8100 Series also supports the previous proprietary SNMP configuration methodsfor backward compatibility.

All the configuration data configured in the proprietary method is mapped into the SNMPv3tables as read-only table entries. In the new standards-based SNMPv3 method of configuringSNMP, all processes are configured and controlled through the SNMPv3 MIBs. The CommandLine Interface commands change or display the single read-only community, read-write



community, or four trap destinations of the proprietary method of configuring SNMP. Otherwise,the commands change or display SNMPv3 MIB data.

The WLAN 8100 Series software supports MD5 and SHA authentication, as well as AES andDES encryption.

The SNMP agent supports exchanges using SNMPv1, SNMPv2c and SNMPv3. Support forSNMPv2c introduces a standards-based GetBulk retrieval capability using SNMPv1communities. SNMPv3 support introduces industrial-grade user authentication and messagesecurity. This includes MD5 and SHA-based user authentication and message integrityverification, as well as AES- and DES-based privacy encryption.

Export restrictions on SHA and DES necessitate support for domestic and non-domesticexecutable images or defaulting to no encryption for all customers.

The traps can be configured in SNMPv1, v2, or v3 format. If you do not identify the version (v1,v2, or v3), the system formats the traps in the v1 format. A community string can be entered ifthe system requires one.

SNMPv3 table entries stored in NVRAM

The following list shows the number of nonvolatile entries (entries stored in NVRAM) allowedin the SNMPv3 tables. The system does not allow you to create more entries markednonvolatile when you reach these limits:

• snmpCommunityTable: 20• vacmViewTreeFamilyTable: 60• vacmSecurityToGroupTable: 40• vacmAccessTable: 40• usmUserTable: 20• snmpNotifyTable: 20• snmpTargetAddrTabel: 20• snmpTargetParamsTable: 20

show snmp-server command

The show snmp-server command displays SNMP configuration.

The syntax for the show snmp-server command is

show snmp-server {host|user|view}The show snmp-server command executes in the Privileged EXEC command mode.




Table 47: show snmp-server command parameters

Parameter Descriptionhost Displays the trap receivers configured in the SNMPv3

MIBs.

user Displays the SNMPv3 users, including views accessibleto each user.

view Displays SNMPv3 views.

snmp-server authentication-trap command

The snmp-server authentication-trap command enables or disables the generationof SNMP authentication failure traps.

The syntax for the snmp-server authentication-trap command is

snmp-server authentication-trap {enable|disable}The snmp-server authentication-trap command executes in the Global Configurationmode.


Table 48: snmp-server authentication-trap command parameters

Parameter Descriptionenable|disable Enables or disables the generation of authentication failure

traps.

no snmp-server authentication-trap command

The no snmp-server authentication-trap command disables generation of SNMPauthentication failure traps.

The syntax for the no snmp-server authentication-trap command is

no snmp-server authentication-trapThe no snmp-server authentication-trap command executes in the GlobalConfiguration mode.

default snmp-server authentication-trap command

The default snmp-server authentication-trap command restores SNMPauthentication trap configuration to the default settings.



The syntax for the default snmp-server authentication-trap command is

default snmp-server authentication-trapThe default snmp-server authentication-trap command executes in the GlobalConfiguration mode.

snmp-server community for read or write command

This command configures a single read-only or a single read-write community. A communityconfigured using this command does not have access to any of the SNMPv3 MIBs. Thecommunity strings created by this command are controlled by the SNMP Configuration screenin the console interface. These community strings have a fixed MIB view.

The snmp-server community command for read/write modifies the community strings forSNMPv1 and SNMPv2c access.

The syntax for the snmp-server community for read/write command is

snmp-server community [ro|rw]The snmp-server community for read/write command executes in the Global Configurationmode.


Table 49: snmp-server community for read/write command

Parameter Descriptionro|rw (read-only I read-write) Specifies read-only or read-write access. Stations

with ro access can only retrieve MIB objects, andstations with rw access can retrieve and modify MIBobjects. If ro nor rw are not specified, ro is assumed(default).

snmp-server community command

The snmp-server community command allows you to create community strings withvarying levels of read, write, and notification access based on SNMPv3 views. Thesecommunity strings are separate from those created using the snmp-server community for read/write command.

This command affects community strings stored in the SNMPv3 snmpCommunity Table, whichallows several community strings to be created. These community strings can have any MIBview.

The syntax for the snmp-server community command is

snmp-server community {read-view <view-name>|write-view <view-name>|notify-view <view-name>}



The snmp-server community command executes in the Global Configuration mode.


Table 50: snmp-server community command parameters


read-view <view-name> Changes the read view used by the new communitystring for different types of SNMP operations.view-name—specifies the name of the view which isa set of MIB objects/instances that can be accessed;enter an alphanumeric string.

write-view <view-name> Changes the write view used by the new communitystring for different types of SNMP operations.view-name—specifies the name of the view which isa set of MIB objects/instances that can be accessed;enter an alphanumeric string.

notify-view <view-name> Changes the notify view settings used by the newcommunity string for different types of SNMPoperations.view-name—specifies the name of the view which isa set of MIB objects/instances that can be accessed;enter an alphanumeric string.

no snmp-server community command

The no snmp-server community command clears the snmp-server communityconfiguration.

The syntax for the no snmp-server community command is

no snmp-server community {ro|rw|<community-string>}The no snmp-server community command is executed in the Global Configuration mode.

If you do not specify a read-only or read-write community parameter, all community strings areremoved, including all the communities controlled by the snmp-server communitycommand and the snmp-server community for read-write command.

If you specify read-only or read-write, then just the read-only or read-write community isremoved. If you specify the name of a community string, then the community string with thatname is removed.


Table 51: no snmp-server community command parameters

Parameters Descriptionro |rw|<community-string> Changes the settings for SNMP:




• ro|rw—sets the specified old-style communitystring value to NONE, thereby disabling it.

• community-string—deletes the specifiedcommunity string from the SNMPv3 MIBs (thatis, from the new-style configuration).

default snmp-server community command

The default snmp-server community command restores the community stringconfiguration to the default settings.

The syntax for the default snmp-server community command is

default snmp-server community [ro|rw]The default snmp-server community command executes in the Global Configurationmode.

If the read-only or read-write parameter is omitted from the command, then all communitiesare restored to their default settings. The read-only community is set to Public, the read-write community is set to Private, and all other communities are deleted.


Table 52: default snmp-server community command parameters

Parameters Descriptionro|rw Restores the read-only community to Public, or the read-

write community to Private.

no snmp-server contact command

The no snmp-server contact command clears the sysContact value.

The syntax for the no snmp-server contact command is

no snmp-server contactThe no snmp-server contact command executes in the Global Configuration mode.

default snmp-server contact command

The default snmp-server contact command restores sysContact to the default value.

The syntax for the default snmp-server contact command is



default snmp-server contactThe default snmp-server contact command executes in the Global Configurationmode.

snmp-server command

The snmp-server command enables or disables the SNMP server.

The syntax for the snmp-server command is:

snmp-server {enable|disable}The following table describes the parameters for this command.

Table 53: snmp-server command parameters

Parameter Descriptionenable|disable Enables or disables the SNMP server.

no snmp-server command

The no snmp-server command disables SNMP access.

The syntax for the no snmp-server command is

no snmp-serverThe no snmp-server command executes in the Global Configuration mode.

The no snmp-server command has no parameters or variables.

Important:If you disable SNMP access to the switch, you cannot use Device Manager for the switch.

snmp-server host command

The snmp-server host command adds a trap receiver to the trap-receiver table.

In the proprietary method, the table has a maximum of four entries, and these entries cangenerate only SNMPv1 traps. This command controls the contents of the s5AgTrpRcvrTable,which is the set of trap destinations controlled by the SNMP Configuration screen in the consoleinterface.

The proprietary method syntax for the snmp-server host for command is

snmp-server host <host-ip> <community-string>



Using the new standards-based SNMP method, you can create several entries in SNMPv3MIBs. Each can generate v1, v2c, or v3 traps.

Important:Before using the desired community string or user in this command, ensure that it isconfigured with a notify-view.

The new standards-based method syntax for the snmp-server host command is

snmp-server host <host-ip> [port <trap-port>] {v1 <community-string>|v2c <community-string>|v3 {auth|no-auth|auth-priv}<username>The snmp-server host command executes in the Global Configuration mode.


Table 54: snmp-server host command parameters

Parameter Descriptionhost-ip Enter a dotted-decimal IP address of a host

to be the trap destination.

community-string If you are using the proprietary method forSNMP, enter a community string that worksas a password and permits access to theSNMP protocol.

port <trap-port> Enter a value for the SNMP trap port between1 and 65535.

v1<community-string> To configure the new standards-basedtables, using v1 creates trap receivers in theSNMPv3 MIBs. Multiple trap receivers withvarying access levels can be created.

v2c<community-string> To configure the new standards-basedtables, using v2c creates trap receivers in theSNMPv3 MIBs. Multiple trap receivers withvarying access levels can be created.

v3{auth|no-auth|auth-priv} To configure the new standards-basedtables, using v3 creates trap receivers in theSNMPv3 MIBs. Multiple trap receivers withvarying access levels can be created. Enterthe following variables:

• auth—auth specifies SNMPv3 traps aresent using authentication and no privacy.

• no-auth—no-auth specifies SNMPv3 trapsare sent using with no authentication andno privacy.

• auth-priv—specifies traps are sent usingauthentication and privacy; this parameter




is available only if the image has full SHA/DES support.

username To configure the new standards-basedtables; specifies the SNMPv3 username fortrap destination; enter an alphanumericstring.

show snmp-server host command

The show snmp-server host command displays the current SNMP host informationincluding the configured trap port.

The syntax for the show snmp-server host command is

show snmp-server hostThe show snmp-server host executes in the Privileged EXEC mode.

no snmp-server host command

The no snmp-server host command deletes trap receivers from the table.

The proprietary method syntax for the no snmp-server host command is

no snmp-server host [<host-ip> [community-string>]]Using the standards-based method of configuring SNMP, a trap receiver matching the IPaddress and SNMP version is deleted.

The standards-based method syntax for the no snmp-server host command is

no snmp-server host <host-ip> [port<trap-port>] {v1|v2c|v3|<community-string>}The no snmp-server host command executes in the Global Configuration mode.

If you do not specify any parameters, this command deletes all trap destinations from thes5AgTrpRcvrTable and from SNMPv3 tables.


Table 55: no snmp-server host command parameters

Parameter Description<host-ip> [<community-string>] In the proprietary method, enter the following

variables:




• host-ip—the IP address of a trapdestination host.

• community-string—the community stringthat works as a password and permitsaccess to the SNMP protocol.

If both parameters are omitted, all hosts arecleared, proprietary and standards-based. Ifa host IP is included, the community-string isrequired or an error is reported.

<host-ip> Using the standards-based method, enterthe IP address of a trap destination host.

port <trap-port> Using the standards-based method, enterthe SNMP trap port.

v1|v2c|v3|<community-string> Using the standards-based method,specifies trap receivers in the SNMPv3 MIBs.<community-string>—the community stringthat works as a password and permitsaccess to the SNMP protocol.

default snmp-server host command

The default snmp-server host command restores the-old style SNMP server and thestandards based tables are reset (cleared).

The syntax for the default snmp-server host command is:

default snmp-server hostThe default snmp-server host command is executed in the Global Configuration mode.

The default snmp-server host command has no parameters or variables.

snmp-server location command

The snmp-server location command configures the SNMP sysLocation value.

The syntax for the snmp-server location command is:

snmp-server location <text>The snmp-server location command is executed in the Global Configuration mode.




Table 56: snmp-server location command parameters

Parameter Descriptiontext Specify the SNMP sysLocation value; enter an

alphanumeric string of up to 255 characters.

no snmp-server location command

The no snmp-server location command clears the SNMP sysLocation value.

The syntax for the no snmp-server location command is:

no snmp-server locationThe no snmp-server location command is executed in the Global Configuration mode.

default snmp-server location command

The default snmp-server location command restores sysLocation to the defaultvalue.

The syntax for the default snmp-server location command is:

default snmp-server locationThe default snmp-server location command is executed in the Global Configurationmode.

snmp-server name command

The snmp-server name command configures the SNMP sysName value.

The syntax for the snmp-server name command is:

snmp-server name <text>The snmp-server name command is executed in the Global Configuration mode.


Table 57: snmp-server name command parameters

Parameter Descriptiontext Specify the SNMP sysName value; enter an

alphanumeric string of up to 255 characters.



no snmp-server name command

The no snmp-server name command clears the SNMP sysName value.

The syntax for the no snmp-server name command is:

no snmp-server nameThe no snmp-server name command is executed in the Global Configuration mode.

default snmp-server name command

The default snmp-server name command restores sysName to the default value.

The syntax for the default snmp-server name command is:

default snmp-server nameThe default snmp-server name command is executed in the Global Configuration mode.

snmp-server user command

The snmp-server user command creates an SNMPv3 user.

For each user, you can create three sets of read/write/notify views:

• for unauthenticated access• for authenticated access• for authenticated and encrypted access

The syntax for the snmp-server user command for unauthenticated access is:

snmp-server user <username> [read-view<view-name>] [write-view<view-name>] [notify-view<view-name]The syntax for the snmp-server user command for authenticated access is:

snmp-server user <username> [read-view<view-name>] [write-view<view-name>] [notify-view<view-name]] md5|sha <password> [read-view<view-name>] [write-view<view-name>] [notify-view<view-name]The syntax for the snmp-server user command for authenticated and encrypted access is:

snmp-server user <username> [read-view<view-name>] [write-view<view-name>] [notify-view<view-name]] md5|sha <password> [read-view<view-name>] [write-view<view-name>] [notify-view<view-name]] {3des|aes|des} <password> [read-view<view-name>] [write-view<view-name>][notify-view<view-name]The snmp-server user command is executed in the Global Configuration mode.



The sha and 3des/aes/des parameters are only available if the switch image has SSH support.

For authenticated access, you must specify the md5 or sha parameter. For authenticated andencrypted access, you must also specify the 3des, aes, or des parameter.

For each level of access, you can specify read, write, and notify views. If you do not specifyview parameters for authenticated access, the user will have access to the views specified forunauthenticated access. If you do not specify view parameters for encrypted access, the userwill have access to the views specified for authenticated access or, if no authenticated viewswere specified, the user will have access to the views specified for unauthenticated access.


Table 58: snmp-server user command parameters

Parameters Descriptionusername Specifies the user name. Enter an alphanumeric string

of up to 255 characters.

md5 <password> Specifies the use of an md5 password. <password>specifies the new user md5 password; enter analphanumeric string. If this parameter is omitted, the useris created with only unauthenticated access rights.

read-view <view-name> Specifies the read view to which the new user hasaccess:

view-name—specifies the viewname; enter analphanumeric string of up to 255 characters.

write-view <view-name> Specifies the write view to which the new user hasaccess:

view-name—specifies the viewname; enter analphanumeric string that can contain at least some ofthe nonalphanumeric characters.

notify-view <view-name> Specifies the notify view to which the new user hasaccess:

view-name—specifies the viewname; enter analphanumeric string that can contain at least some ofthe nonalphanumeric characters.

SHA Specifies SHA authentication.

3DES Specifies 3DES privacy encryption.

AES Specifies AES privacy encryption.

DES Specifies DES privacy encryption.

engine-id Specifies the new remote user to receive notifications.

notify-view—specifies the viewname to notify.



Important:If a view parameter is omitted from the command, that view type cannot be accessed.

no snmp-server user command

The no snmp-server user command deletes the specified user.

The syntax for the no snmp-server user command is:

no snmp-server user [engine-id<engine ID>] <username>The no snmp-server user command is executed in the Global Configuration mode.

Important:If you do not specify any parameters, this command deletes all snmpv3 users from theSNMPv3 tables.


Table 59: no snmp-server user command parameters

Parameters Description[engine-id <engine ID>] Specifies the SNMP engine ID of the remote SNMP

entity.

username Specifies the user to be removed.

snmp-server view command

The snmp-server view command creates an SNMPv3 view. The view is a set of MIB objectinstances which can be accessed.

The syntax for the snmp-server view command is:

snmp-server view <view-name> <OID> [<OID> {<OID> [<OID> [<OID> [<OID>[<OID> [<OID> [<OID> [<OID>]]]]]]]]]The snmp-server view command is executed in the Global Configuration mode.


Table 60: snmp-server view command parameters

Parameters Descriptionviewname Specifies the name of the new view; enter an

alphanumeric string.



Parameters DescriptionOID Specifies Object identifier. OID can be entered as a

dotted form OID. Each OID must be preceded by a+ or - sign (if this is omitted, a + sign is implied). The+ is not optional.For the dotted form, a sub-identifier can be anasterisk, indicating a wildcard. Here are someexamples of valid OID parameters:

• sysName

• +sysName

• -sysName

• +sysName.0

• +ifIndex.1

• -ifEntry..1 (this matches all objects in the ifTablewith an instance of 1; that is, the entry for interface#1)

• 1.3.6.1.2.1.1.1.0 (the dotted form of sysDescr)

The + or - indicates whether the specified OID isincluded in or excluded from, the set of MIB objectsaccessible using this view.There are 10 possible OID values.

no snmp-server view command

The no snmp-server view command deletes the specified view.

The syntax for the no snmp-server view is:

no snmp-server view <viewname>The no snmp-server view is executed in the Global Configuration mode.


Table 61: no snmp-server view command parameters

Parameter Descriptionviewname Specifies the name of the view to be removed. This is

not an optional parameter.

snmp-server bootstrap command

The snmp-server bootstrap command allows you to specify how you wish to secureSNMP communications, as described in the SNMPv3 standards. It creates an initial set of



configuration data for SNMPv3. This configuration data follows the conventions described inthe SNMPv3 standard (in RFC 3414 and 3415). This commands creates a set of initial users,groups and views.

Important:This command deletes all existing SNMP configurations, hence must be used with care.

The syntax for the snmp-server bootstrap command is:

snmp-server bootstrap <minimum-secure>|<semi-secure>|<very-secure>The snmp-server bootstrap command is executed in the Global Configuration mode.


Table 62: snmp-server bootstrap command parameters

Parameters Description<minimum-secure> Specifies a minimum security configuration that allows read

access and notify access to all processes (view restricted) withnoAuth-noPriv and read, write, and notify access to allprocesses (internet view) using Auth-noPriv and Auth-Priv.

Important:In this configuration, view restricted matches view internet.

<semi-secure> Specifies a minimum security configuration that allows readaccess and notify access to all processes (view restricted) withnoAuth-noPriv and read, write, and notify access to allprocesses (internet view) using Auth-noPriv and Auth-Priv.

Important:In this configuration, restricted contains a smaller subset ofviews than internet view. The subsets are defined accordingto RFC 3515 Appendix A.

<very-secure> Specifies a maximum security configuration that allows noaccess to the users.

show snmp-server notification-control

The show snmp-server notification-control command shows the current state ofthe applicable notifications.

The syntax for the show snmp-server notification-control command is

show snmp-server notification-controlThe show snmp-server notification-control command executes in PrivilegedEXEC mode.



snmp-server notification-control command

The snmp-server notification-control command enables the notification identifiedby the command parameter. The notification options are:

• DHCP Snooping: bsDhcpSnoopingBindingTableFull, bsDhcpSnoopingTrap• Dynamic ARP Inspection: bsaiArpPacketDroppedOnUntrustedPort• IP Source Guard: bsSourceGuardReachedMaxIpEntries,

bsSourceGuardCannotEnablePortThe syntax for the snmp-server notification-control command is

snmp-server notification-control <WORD/1-128>The snmp-server notification-control command executes in Global Configurationmode.


Table 63: snmp-server notification-control command parameters

Parameter Description<WORD/1-128> Can either be the English description or the OID of a

supported notification type.

no snmp-server notification-control

The no snmp-server notification-control command disables the notificationidentified by the command parameter. The notification options are:

• DHCP Snooping: bsDhcpSnoopingBindingTableFull, bsDhcpSnoopingTrap• Dynamic ARP Inspection: bsaiArpPacketDroppedOnUntrustedPort• IP Source Guard: bsSourceGuardReachedMaxIpEntries,

bsSourceGuardCannotEnablePortThe syntax for the no snmp-server notification-control command is

no snmp-server notification-control <WORD/1-128>The no snmp-server notification-control command executes in GlobalConfiguration mode.




Table 64: no snmp-server notification-control command parameters

Parameter Description<WORD/1-128> Can either be the English description or the OID of a

supported notification type.

default snmp-server notification-control

The default snmp-server notification-control command returns the notificationidentified by the command parameter to its default state.

The syntax for the default snmp-server notification-control command is

default snmp-server notification-control <WORD/1-128>The default snmp-server notification-control command executes in GlobalConfiguration mode.


Table 65: default snmp-server notification-control command parameters

Parameter Description<WORD/1-128> Can either be the English description or the OID of a supported

notification type.

spanning-tree rstp traps command

The RSTP traps feature provides notifications for the following events:

• RSTP instance up/down• RSTP core memory allocation error• RSTP core buffer allocation error• New root bridge• Port protocol migration

The default settings of RSTP traps are enabled. The events are notified as SNMP traps andas system log messages.

The following messages for the RSTP traps will be logged into the system log:

• Trap: RSTP General Event (Up/Down)• Trap: RSTP Error Event (Mem Fail / Buff Fail)• Trap: RSTP New Root tt:tt:tt:tt:tt:tt:tt:tt



• Trap: RSTP Topology Change• Trap: RSTP Protocol Migration Type: Send (RSTP/STP) for Port: t

If the traps are not received on the traps receiver host (should be configured) but the traps arelogged into the system log, the network connectivity should be checked.

The spanning-tree rstp traps command enables RSTP traps.

The syntax for the spanning-tree rstp traps command is

spanning-tree rstp trapsThe spanning-tree rstp traps command executes in the Global Configuration mode.

no spanning-tree rstp traps command

The no spanning-tree rstp traps command disables RSTP traps.

The syntax for the no spanning-tree rstp traps is

no spanning-tree rstp trapsThe no spanning-tree rstp traps command executes in the Global Configurationmode.

default spanning-tree rstp traps command

The default spanning-tree rstp traps command returns RSTP traps to their defaultstate.

The syntax for the default spanning-tree rstp traps is

default spanning-tree rstp trapsThe default spanning-tree rstp traps command executes in the GlobalConfiguration mode.

show spanning-tree rstp traps config conmmand

The show spanning-tree rstp traps config command shows the current state of theRSTP trap.

The syntax for the show spanning-tree rstp traps config command is

show spanning-tree rstp traps configThe show spanning-tree rstp traps config command executes in the PrivilegedEXEC mode.



Configuring TACACS+ using CLITo configure TACACS+ to perform AAA services for system users, do the following:

1. Configure the TACACS+ server itself. For more information, see the vendordocumentation for your server for specific configuration procedures.

2. Configure TACACS+ server settings on the switch3. Enable TACACS+ services over serial or Telnet connections4. Enable TACACS+ authorization and specify privilege levels5. Enable TACACS+ accounting

Important:You can enable TACACS+ authorization without enabling TACACS+ accounting, and youcan enable TACACS+ accounting without enabling TACACS+ authorization.

Use the following commands to configure TACACS+:

• Configuring TACACS+ server settings on page 100• Enabling remote TACACS+ services on page 101• Enabling TACACS+ authorization on page 101• Setting authorization privilege levels on page 102• Enabling TACACS+ accounting• Viewing TACACS+ information on page 102

Configuring TACACS+ server settings

To add a TACACS+ server, use the following command in Global or Interface Configurationmode:

tacacs serverThe following table describes the parameters for this command.

Table 66: tacas server command parameters

Parameter Descriptionhost <IPaddr> Specifies the IP address of the primary

server you want to add or configure.

key <key> Specifies the secret authentication andencryption key used for all communicationsbetween the NAS and the TACACS+ server.The key, also referred to as the sharedsecret, must be the same as the one defined



Parameter Descriptionon the server. You are prompted to confirmthe key when you enter it.

Important:The key parameter is a requiredparameter when you create a new serverentry. The parameter is optional when youare modifying an existing entry.

[secondary host <IPaddr>] Specifies the IP address of the secondaryserver. The secondary server is used only ifthe primary server does not respond.

[port <port>] Specifies the TCP port for TACACS+ whereport is an integer in the range of 0-65535.The default port number is 49.

To delete a TACACS+ server, use one of the following commands in Global or InterfaceConfiguration mode:

no tacacsdefault tacacsThe commands erase settings for the TACACS+ primary and secondary servers and secretkey, and restore default port settings.

Enabling remote TACACS+ services

To enable TACACS+ to provide services to remote users over serial or Telnet connections, usethe following commands in Global or Interface Configuration mode.

For serial connections:

cli password serial tacacsFor Telnet connections:

cli password telnet tacacsYou must configure a TACACS+ server on the switch before you can enable remote TACACS+ services. For more information about configuring the primary TACACS+ server and sharedsecret, see “Configuring TACACS+ server settings” (page 159).

Enabling TACACS+ authorization

To enable TACACS+ authorization globally on the switch, use the following command in Globalor Interface Configuration mode:

tacacs authorization enable



To disable TACACS+ authorization globally on the switch, use the following command in Globalor Interface Configuration mode:

tacacs authorization disableThe default is disabled.

Setting authorization privilege levels

The preconfigured privilege levels control which commands can be executed. If a user hasbeen assigned a privilege level for which authorization has been enabled, TACACS+authorizes the authenticated user to execute a specific command only if the command isallowed for that privilege level.

To specify the privilege levels to which authorization applies, use the following command inGlobal or Interface Configuration mode:

tacacs authorization level all|<level>|noneThe following table describes the parameters for this command.

Table 67: tacas authorization command parameters

Parameter Descriptionall Authorization is enabled for all privilege levels.

<level> An integer in the range 0–15 that specifies theprivilege levels for which authorization is enabled.You can enter a single level, a range of levels, orseveral levels. For any levels you do not specify,authorization does not apply, and users assignedto these levels can execute all commands.

none Authorization is not enabled for any privilege level.All users can execute any command available onthe switch.

Viewing TACACS+ information

To display TACACS+ configuration status, enter the following command from any mode:

show tacacs



Configuring IP Manager using CLITo configure the IP Manager to control management access to the switch, do the following:

• Enable IP Manager.• Configure the IP Manager list.

Use the following commands to configure IP Manager:

• Enabling IP Manager on page 103• Configuring the IP Manager list on page 103• Removing IP Manager list entries on page 104• Viewing IP Manager settings on page 104

Enabling IP Manager

To enable IP Manager to control Telnet, SNMP, SSH, or HTTP access, use the followingcommand in Global Configuration mode:

ipmgr {telnet|snmp|web|ssh}The following table describes the parameters for this command.

Table 68: Enabling IP manager command parameters

Parameter Descriptiontelnet Enables the IP Manager list check for Telnet access.

snmp Enables the IP Manager list check for SNMP, includingDevice Manager.

web Enables the IP Manager list check for Web-basedmanagement system.

ssh Enables the IP Manager list check for SSH access.

To disable IP Manager for a management system, use the no keyword at the start of thecommand.

Configuring the IP Manager list

To specify the source IP addresses or address ranges that have access the switch when IPManager is enabled, use the following command in Global Configuration mode:

For Ipv4 entries with list ID between 1-50:

ipmgr source-ip <list ID> <Ipv4addr> [mask<mask>]




Table 69: ipmgr source-ip command parameters

Parameter Description<list ID> An integer in the range 1-50 for Ipv4 entries and

51-100 for Ipv6 entries that uniquely identifies theentry in the IP Manager list.

<Ipv4addr> Specifies the source IP address from whichaccess is allowed. Enter the IP address either asan integer or in dotted-decimal notation.

[mask <mask>] Specifies the subnet mask from which access isallowed. Enter the IP mask in dotted-decimalnotation.

Removing IP Manager list entries

To deny access to the switch for specified source IP addresses or address ranges, use thefollowing command in Global Configuration mode:

no ipmgr source-ip [<list ID>]<list ID> is an integer in the range 1-50 for Ipv4 addresses that uniquely identifies the entry inthe IP Manager list.

The command sets both the IP address and mask for the specified entry to 255.255.255.255for Ipv4 entries. If you do not specify a <list ID> value, the command resets the whole list tofactory defaults.

Viewing IP Manager settings

To view IP Manager settings, use the following command in any mode:

show ipmgrThe command displays

• whether Telnet, SNMP, SSH, and Web access are enabled• whether the IP Manager list is being used to control access to Telnet, SNMP, SSH, and

Web-based management system• the current IP Manager list configuration



Configuring password security using CLIThe CLI commands detailed in this section are used to manage password security features.These commands can be used in the Global Configuration and Interface Configurationcommand modes.

• Enabling password security on page 105• Disabling password security on page 105• Creating user names and passwords on page 105• Configuring password retry attempts on page 106• Configuring password history on page 106• Defaulting password history on page 106• Displaying password history settings on page 106

Enabling password security

The password security command enables the Password Security feature on the WLAN8100 Series.

The syntax of the password security command is

password security

Disabling password security

The no password security command disables the Password Security feature on theWLAN 8100 Series.

The syntax for the no password security command is

no password security

Creating user names and passwords

Use the username command to create custom user names and assign switch read-only andread-write passwords to them. These custom user names apply to local authentication only.

The syntax of this command is as follows:

username <username> {ro | rw}After entering this command the user is prompted to enter the password for the new user.

Custom users cannot have custom access rights and limitations. Use of the associated read-only password confers the same rights and limitations as the default read-only user. Use of



the associated read-write password confers the same rights and limitation as the default read-write user.

Configuring password retry attempts

To configure the number of times a user can retry a password, use the following command inGlobal or Interface Configuration mode:

telnet-access retry <number>Where number is an integer in the range 1 to 100 that specifies the allowed number of failedlog on attempts. The default is 3.

Configuring password history

Use the password password-history command to configure the number of passwordsstored in the password history table. This command has the following syntax:

password password-history <3-10>The parameter <3-10> represents the number of passwords to store in the history table. Usethe appropriate value when configuring the feature.

Defaulting password history

Use the default password password-history command to return the number ofpasswords stored in the password history table to the default value of 3.

Displaying password history settings

The show password password-history command is used to display the number ofpasswords currently stored in the password history table.

Displaying CLI Audit log using CLIThe CLI audit provides a means for tracking CLI commands. The show audit log commanddisplays the command history audit log stored in NVRAM. The syntax for the show auditlog command is:

show audit log [asccfg | serial | telnet]The show audit log command is in the Privileged EXEC mode.

The following table describes the parameters and variables for the show audit logcommand.



Table 70: show audit log command parameters

Parameter Descriptionasccfg Displays the audit log for ASCII configuration.

serial Displays the audit log for serial connections.

telnet Displays the audit log for Telnet and SSHconnections.

Configuring Secure Socket Layer services using CLIThe following table lists CLI commands available for working with Secure Socket Layer (SSL).

Table 71: SSL commands

Command Description[no] ssl Enables or disables SSL. The Web server operates

in a secure mode when SSL is enabled and innonsecure mode when the SSL server is disabled.

[no] ssl certificate Creates or deletes a certificate. The new certificate isused only on the next system reset or SSL serverreset. The new certificate is stored in the NVRAM withthe file name SSLCERT.DAT. The new certificate filereplaces the existing file. On deletion, the certificatein NVRAM is also deleted. The current SSL serveroperation is not affected by the create or deleteoperation.

ssl reset Resets the SSL server. If SSL is enabled, the SSLserver is restarted and initialized with the certificatethat is stored in the NVRAM. Any existing SSLconnections are closed. If SSL is not enabled, theexisting nonsecure connection is also closed and thenonsecure operation resumes.

show ssl Shows the SSL server configuration and SSL serverstate.

show ssl certificate Displays the certificate which is stored in the NVRAMand is used by the SSL server.

The following table describes the output for the show ssl command.



Table 72: Server state information

Field DescriptionWEB Server SSL secured Shows whether the Web server is using an

SSL connection.

SSL server state Displays one of the following states:

• Un-initialized: The server is not running.

• Certificate Initialization: The server isgenerating a certificate during itsinitialization phase.

• Active: The server is initialized andrunning.

SSL Certificate: Generation in progress Shows whether SSL is in the process ofgenerating a certificate. The SSL servergenerates a certificate during server startupinitialization, or CLI user can regenerate anew certificate.

SSL Certificate: Saved in NVRAM Shows whether an SSL certificate exists inthe NVRAM. The SSL certificate is notpresent if the system is being initialized forthe first time or CLI user has deleted thecertificate.

Configuring Secure Shell protocol using CLISecure Shell protocol is used to improve Telnet and provide a secure access to CLI interface.There are two versions of the SSH Protocol. The WLAN 8100 Series SSH supports SSH2.

The following CLI commands are used in the configuration and management of SSH.

• show ssh command on page 109• ssh dsa-host-key command on page 109• no ssh dsa-host-key command on page 110• ssh download-auth-key command on page 110• no ssh dsa-auth-key command on page 110• ssh command on page 111• no ssh command on page 111• ssh secure command on page 111• ssh dsa-auth command on page 112• no ssh dsa-auth on page 112



• default ssh dsa-auth command on page 112• ssh pass-auth command on page 112• no ssh pass-auth command on page 112• default ssh pass-auth command on page 113• ssh port command on page 113• default ssh port command on page 113• ssh timeout command on page 113• default ssh timeout command on page 114

show ssh command

This command displays information about all active SSH sessions and on other general SSHsettings.

The syntax for the show ssh command is:

show ssh {global|session|download-auth-key}The following table describes the parameters for this command.

Table 73: show ssh command parameters

Parameter Descriptiondownload-auth-key Display authorization key and TFTP server IP address

global Display general SSH settings

session Display SSH session information

The show ssh global command is executed in the Privileged EXEC command mode.

ssh dsa-host-key command

The ssh dsa-host-key command triggers the DSA key regeneration.

The syntax for the ssh dsa-host-key command is:

ssh dsa-host-keyThe command is executed in the Global Configuration mode.

The ssh dsa-host-key command has no parameters or variables.



no ssh dsa-host-key command

The no ssh dsa-host-key command deletes the DSA keys in the switch. A new DSA keycan be generated by executing dsa-host-key or SSH enable commands.

The syntax for the no ssh dsa-host-key command is:

no ssh dsa-host-keyThe no ssh dsa-host-key command is executed in the Global Configuration mode.

The no ssh dsa-host-key command has no parameters or variables.

ssh download-auth-key command

The ssh download-auth-key command downloads the DSA authentication key into theswitch from the specified TFTP server or from the USB stick, if available.

The syntax for the ssh download-auth-key command is:

ssh download-auth-key [address] [<key-name>] [usb]The following table describes the parameters for this command.

Table 74: ssh download-auth-key command parameters

Parameter Descriptionaddress Specify the TFTP server IP address.

key-name Specify the TFTP/USB file name.

usb Specify whether download SSH auth key from theUSB stick.Available only if the device has USB port.

The ssh download-auth-key command is executed in the Global Configuration mode.

no ssh dsa-auth-key command

The no ssh dsa-auth-key command deletes the DSA authentication key stored in theswitch.

The syntax for the no ssh dsa-auth-key command is:

no ssh dsa-auth-keyThe no ssh dsa-auth-key command is executed in the Global Configuration mode.



ssh command

The ssh command enables SSH in a non secure mode. If the host keys do not exist, they aregenerated.

The syntax for the ssh command is:

sshThe ssh command is executed in the Global Configuration mode.

This command has no parameters.

no ssh command

The no ssh command disables SSH.

The syntax for the no ssh command is:

no ssh {dsa-auth|dsa-auth-key|dsa-host-key|pass-auth}The following table describes the parameters for this command.

Table 75: no ssh command parameters

Parameter Descriptiondsa-auth Disable SSH DSA authentication.

dsa-auth-key Delete SSH DSA auth key.

dsa-host-key Delete SSH DSA host key.

pass-auth Disable SSH password authentication.

The no ssh command is executed in the Global Configuration mode.

ssh secure command

The ssh secure command disables web, SNMP, and Telnet management interfacespermanently.

The no ssh command does NOT turn them back on; they must be re-enabled manually. Awarning message is issued to the user to enable one of the other interfaces before turning offSSH secure mode.

The syntax for the ssh secure command is:

ssh secureThe ssh secure command is executed in the Global Configuration mode.



ssh dsa-auth command

The ssh dsa-auth command enables the user log on using DSA key authentication.

The syntax for the command is:

ssh dsa-authThe ssh dsa-auth command is executed in the Global Configuration mode.

no ssh dsa-auth

The no ssh dsa-auth command disables user log on using DSA key authentication.

The syntax for the no ssh dsa-auth command is:

no ssh dsa-authThe no ssh dsa-auth command is executed in the Global Configuration mode.

default ssh dsa-auth command

The default ssh dsa-auth command enables the user log on using the DSA keyauthentication.

The syntax for the default ssh dsa-auth command is:

default ssh dsa-authThe default ssh dsa-auth command is executed in the Global Configuration mode.

ssh pass-auth command

The ssh pass-auth command enables user log on using the password authenticationmethod.

The syntax for the ssh pass-auth command is:

ssh pass-authThe ssh pass-auth command is executed in the Global Configuration mode.

no ssh pass-auth command

The no ssh pass-auth command disables user log on using password authentication.

The syntax for the no ssh pass-auth command is:



no ssh pass-authThe no ssh pass-auth command is executed in the Global Configuration mode.

default ssh pass-auth command

The default ssh pass-auth command enables user log on using passwordauthentication.

The syntax for the default ssh pass-auth command is:

default ssh pass-authThe default ssh pass-auth command is executed in the Global Configuration mode.

ssh port command

The ssh port command sets the TCP port for the SSH daemon.

The syntax for the ssh port command is:

ssh port <1-65535>Substitute the <1-65535> with the number of the TCP port to be used.

The ssh port command is executed in the Global Configuration mode.

default ssh port command

The default ssh port command sets the default TCP port for the SSH daemon.

The syntax for the default ssh port command is:

default ssh portThe default ssh port command is executed in the Global Configuration mode.

ssh timeout command

The ssh timeout command sets the authentication timeout, in seconds.

The syntax of the ssh timeout command is:

ssh timeout <1-120>Substitute <1-120> with the desired number of seconds.

The ssh timeout command is executed in the Global Configuration mode.



default ssh timeout command

The default ssh timeout command sets the default authentication timeout to 60 seconds.

The syntax for the default ssh timeout command is:

default ssh timeoutThe default ssh timeout command is executed in the Global Configuration mode.

Configuring VLANs and Link AggregationThis chapter describes the methods and procedures necessary to configure VLANs, SpanningTree and Link Aggregation on the WC 8180.

Navigation

• Configuring VLANs using CLI on page 114• Configuring STP using CLI on page 125• Configuring MLT using CLI on page 135• Configuring LACP and VLACP using CLI on page 137

Configuring VLANs using CLIThe Command Line Interface commands detailed in this section allow for the creation andmanagement of VLANs. Depending on the type of VLAN being created or managed, thecommand mode needed to execute these commands can differ.

Navigation

This section contains information about the following topics:

• Displaying VLAN information on page 115• Displaying VLAN interface information on page 116• Displaying VLAN port membership on page 116• Setting the management VLAN on page 116• Resetting the management VLAN to default on page 117• Creating a VLAN on page 117• Deleting a VLAN on page 118• Modifying VLAN MAC address flooding on page 118• Configuring VLAN name on page 119



• Enabling automatic PVID on page 119• Configuring VLAN port settings on page 119• Configuring VLAN members on page 120• Configuring VLAN Configuration Control on page 120• Managing the MAC address forwarding database table on page 122• IP Directed Broadcasting on page 124

Displaying VLAN information

Use the following procedure to display the number, name, type, protocol, user PID, state of aVLAN and whether it is a management VLAN.

To display VLAN information, use the following command from Privileged EXEC mode.show vlan [configcontrol] [dhcp-relay <1-4094>] [igmp{<1-4094>| unknown-mcast-allow-flood | unknown-mcast-no-flood}] [interface { info | vids}] [ip <vid>] [mgmt] [multicast<membership>] [type {port | protocol-ipEther2| protocol-ipx802.3 | protocol-ipx802.2 | protocol-ipxSnap | protocol-ipxEther2 | protocol-decEther2 | protocol-snaEther2 | protocol-Netbios | protocol-xnsEther2 | protocol-vi nesEther2 |protocol-ipv6Ether2 | protocol-Userdef |protocol-RarpEther2][vid <1-4094>]

Variable definitions

The following table describes the variables for this command.

Variable Valuevid <1-4094> Enter the number of the VLAN to display.

type Enter the type of VLAN to display:

• port - port-based

• protocol - protocol-based (see following list)

protocol-ipEther2 Specifies an ipEther2 protocol-based VLAN.

protocol-ipx802.3 Specifies an ipx802.3 protocol-based VLAN.


protocol-ipxSnap Specifies an ipxSnap protocol-based VLAN.

Configuring VLANs and Link Aggregation


Variable Valueprotocol-ipxEther2 Specifies an ipxEther2 protocol-based VLAN.

protocol-decEther2 Specifies a decEther2 protocol-based VLAN.

protocol-snaEther2 Specifies an snaEther2 protocol-based VLAN.

protocol-Netbios Specifies a NetBIOS protocol-based VLAN.

protocol-xnsEther2 Specifies an xnsEther2 protocol-based VLAN.

protocol-vinesEther2 Specifies a vinesEther2 protocol-based VLAN.

protocol-ipv6Ether2 Specifies an ipv6Ether2 protocol-based VLAN.

protocol-Userdef Specifies a user-defined protocol-based VLAN.

protocol-RarpEther2 Specifies a RarpEther2 protocol-based VLAN.

Displaying VLAN interface information

Use the following procedure to display VLAN settings associated with a port, including tagginginformation, PVID number, priority, and filtering information for tagged, untagged, andunregistered frames.

To display VLAN interface information, use the following command from PrivilegedEXEC mode.show vlan interface info [<portlist>]

Displaying VLAN port membership

Use the following procedure to display port memberships in VLANs.

To display VLAN port memberships, use the following command from Privileged EXECmode.show vlan interface vids [<portlist>]

Setting the management VLAN

Use the following procedure to set a VLAN as the management VLAN.



To set the management VLAN, use the following command from Global Configurationmode.vlan mgmt <1-4094>

Resetting the management VLAN to default

Use the following procedure to reset the management VLAN to VLAN1.

To reset the management VLAN to default, use the following command from GlobalConfiguration mode.default vlan mgmt

Creating a VLAN

Use the following procedure to create a VLAN. A VLAN is created by setting the state of apreviously nonexistent VLAN.

To create a VLAN, use the following command from Global Configuration mode.vlan create <1-4094> [name<line>] type {port | protocol-ipEther2 | protocol-ipx802.3 | protocolipx802.2 | protocol-ipxSnap | protocol-ipxEther2 | protocol-decEther2 | protocol-snaEther2 | protocol-N etbios | protocol-xnsEther2 | protocol-vinesEther2 | protocol-ipv6Ether2 | protocol-Userdef<4096-65534>| protocol-RarpEther2}

Variable definitions

Variable Value<1-4094> Enter the number of the VLAN to create.

name <line> Enter the name of the VLAN to create.

type Enter the type of VLAN to create:



Variable Value

• port - port-based

• protocol - protocol-based (see following list)

protocol-ipEther2 Specifies an ipEther2 protocol-based VLAN.



protocol-ipxSnap Specifies an ipxSnap protocol-based VLAN.

protocol-ipxEther2 Specifies an ipxEther2 protocol-based VLAN.

protocol-decEther2 Specifies a decEther2 protocol-based VLAN.

protocol-snaEther2 Specifies an snaEther2 protocol-based VLAN.

protocol-Netbios Specifies a NetBIOS protocol-based VLAN.

protocol-xnsEther2 Specifies an xnsEther2 protocol-based VLAN.

protocol-vinesEther2 Specifies a vinesEther2 protocol-based VLAN.

protocol-Userdef <4096-65534> Specifies a user-defined protocol-based VLAN.

protocol-ipv6Ether2 Specifies an ipv6Ether2 protocol-based VLAN.

Deleting a VLAN

Use the following procedure to delete a VLAN.

To delete a VLAN, use the following command from Global Configuration mode.vlan delete <2-4094>

Modifying VLAN MAC address flooding

Use the following procedure to remove MAC addresses from the list of addresses for whichflooding is allowed. This procedure can also be used as an alternate method of deleting aVLAN.

To modify VLAN MAC address flooding, or to delete a VLAN, use the followingcommand from Global Configuration mode.no vlan [<2-4094>] [igmp unknown-mcast-allow-flood <H.H.H>]



Configuring VLAN name

Use the following procedure to configure or modify the name of an existing VLAN.

To configure the VLAN name, use the following command from Global Configurationmode.vlan name <1-4094> <line>

Enabling automatic PVID

Use the following procedure to enable the automatic PVID feature.

To enable automatic PVID, use the following command from Global Configurationmode.[no] auto-pvidUse the no form of this command to disable

Configuring VLAN port settings

Use the following procedure to configure VLAN-related settings for a port.

To configure VLAN port settings, use the following command from Global Configurationmode.vlan ports [<portlist>] [tagging {enable | disable | tagAll |untagAll | tagPvidOnly | untagPvidOnly}] [pvid <1-4094>][filter-untagged-frame {enable | disable}] [filter-unregistered-frames {enable | disable}] [priority <0-7>] [name<line>]

Variable Definitions

Variable Value<portlist> Enter the port numbers to be configured for a VLAN.



Variable Valuetagging {enable|disable|tagAll|untagAll| tagPvidOnly|untagPvidOnly}

Enables or disables the port as a tagged VLANmember for egressing packet.

pvid <1-4094> Sets the PVID of the port to the specified VLAN.

filter-untagged-frame {enable|disable}

Enables or disables the port to filter received untaggedpackets.

filter-unregistered-frames {enable |disable}

Enables or disables the port to filter receivedunregistered packets. Enabling this feature on a portmeans that any frames with a VID to which the portdoes not belong to are discarded.

priority <0-7> Sets the port as a priority for the switch to consideras it forwards received packets.

name <line> Enter the name you want for this port.Note: This option can only be used if a single port isspecified in the <portlist>

Configuring VLAN members

Use the following procedure to add or delete a port from a VLAN.

To configure VLAN members, use the following command from Global Configurationmode.vlan members [add | remove] <1-4094> <portlist>


Variable Valueadd | remove Adds a port to or removes a port from a VLAN.

Note: If this parameter is omitted, set the exact portmembership for the VLAN; the prior port membership of theVLAN is discarded and replaced by the new list of ports.

<1-4094> Specifies the target VLAN.

portlist Enter the list of ports to be added, removed, or assigned to theVLAN.

Configuring VLAN Configuration Control

VLAN Configuration Control (VCC) allows a switch administrator to control how VLANs aremodified. VLAN Configuration Control is a superset of the existing AutoPVID functionality and



incorporates this functionality for backwards compatibility. VLAN Configuration Control isglobally applied to all VLANs on the switch.

VLAN Configuration Control offers four options for controlling VLAN modification:

• Strict• Automatic• AutoPVID• Flexible

Note: The factory default setting is Strict.

VLAN Configuration Control is only applied to ports with the tagging modes of Untag All andTag PVID Only.

To configure VCC using the CLI, refer to the following commands:

• Displaying VLAN Configuration Control settings on page 121• Modifying VLAN Configuration Control settings on page 121

Displaying VLAN Configuration Control settingsUse the following procedure to display the current VLAN Configuration Control setting.

To display VLAN Configuration Control settings, use the following command fromGlobal Configuration mode.show vlan configcontrol

Modifying VLAN Configuration Control settingsUse the following procedure to modify the current VLAN Configuration Control setting. Thiscommand applies the selected option to all VLANs on the switch.

To modify VLAN Configuration Control settings, use the following command fromGlobal Configuration morevlan configcontrol <vcc_option>


Variable Value<vcc_option> This parameter denotes the VCC option to use on the

switch. The valid values are:

• automatic -- Changes the VCC option to Automatic.

• autopvid -- Changes the VCC option to AutoPVID.



Variable Value

• flexible -- Changes the VCC option to Flexible.

• strict -- Changes the VCC option to Strict. This is thedefault VCC value.

Managing the MAC address forwarding database table

This section shows you how to view the contents of the MAC address forwarding databasetable, as well as setting the age-out time for the addresses.

The MAC flush feature is a direct way to flush MAC addresses from the MAC address table.The MAC flush commands allow flushing of:

• a single MAC address (see “Removing a single address from the MAC addresstable” (page 157))

• all addresses from the MAC address table (see “Clearing the MAC address table” (page156)

• a port or list of ports (see “Clearing the MAC address table on a FastEthernetinterface” (page 156))

• a trunk (see “Clearing the MAC address table on a trunk” (page 156))• a VLAN (see “Clearing the MAC address table on a VLAN” (page 156))

MAC flush deletes dynamically learned addresses. MAC flush commands may not be executedinstantly when the command is issued. Since flushing the MAC address table is not consideredan urgent task, MAC flush commands are assigned the lowest priority and placed in a queue.

The MAC flush commands are supported in CLI, SNMP, DM, and Web-based Management.

Use the following commands to manage the MAC address forwarding database table:

• Displaying MAC address forwarding table on page 122• Configuring MAC address retention on page 123• Setting MAC address retention time to default on page 123• Clearing the MAC address table on page 124• Clearing the MAC address table on a VLAN on page 124• Clearing the MAC address table on a FastEthernet interface on page 124• Clearing the MAC address table on a trunk on page 124

Displaying MAC address forwarding tableUse the following procedure to display the current contents of the MAC address forwardingdatabase table. You can filter the MAC Address table by port number. The MAC address tablecan store up to 16000 addresses.



To displaying the MAC address forwarding table, use the following command fromPrivileged EXEC modeshow mac-address-table [vid<1-4094>] [aging-time][address<H.H.H>] [port<portlist>]


Variable Valuevid <1-4094> Enter the number of the VLAN for which you want to

display the forwarding database. Default is to displaythe management VLAN’s database.

aging-time Displays the time in seconds after which an unusedentry is removed from the forwarding database.

address <H.H.H> Displays a specific MAC address if it exists in thedatabase. Enter the MAC address you want displayed.

Configuring MAC address retentionUse the following procedure to set the time during which the switch retains unseen MACaddresses.

To configure unseen MAC address retention, use the following command from GlobalConfiguration mode.mac-address-table aging-time <10-1 000 000>


Variable Valuevid <10-1 000 000> Enter the aging time in seconds that you want for

MAC addresses before they expire.

Setting MAC address retention time to defaultUse the following procedure to set the retention time for unseen MAC addresses to 300seconds.

To set the MAC address retention time to default, use the following command fromGlobal Configuration mode.default mac-address-table aging-time



Clearing the MAC address tableUse the following procedure to clear the MAC address table.

To flush the MAC address table, use the following command from Privileged EXECmode.clear mac-address-table

Clearing the MAC address table on a VLANUse the following procedure to flush the MAC addresses for the specified VLAN.

To flush the MAC address table for a specific VLAN, use the following command fromPrivileged EXEC mode.clear mac-address-table interface vlan <vlan#>

Clearing the MAC address table on a FastEthernet interfaceUse the following procedure to flush the MAC addresses for the specified ports. This commanddoes not flush the addresses learned on the trunk.

To clear the MAC address table on a FastEthernet interface, use the followingcommand from Privileged EXEC mode.clear mac-address-table interface FastEthernet <port-list|ALL>

Clearing the MAC address table on a trunkUse the following procedure to flush the MAC addresses for the specified trunk. This commandflushes only addresses that are learned on the trunk.

To flush a single MAC address, use the following command from Privileged EXECmode.clear mac-address-table address <H.H.H>

IP Directed Broadcasting

IP directed broadcasting takes the incoming unicast Ethernet frame, determines that thedestination address is the directed broadcast for one of its interfaces, and then forwards thedatagram onto the appropriate network using a link-layer broadcast.



IP directed broadcasting in a VLAN forwards direct broadcast packets in two ways:

• Through a connected VLAN subnet to another connected VLAN subnet.• Through a remote VLAN subnet to the connected VLAN subnet.

By default, this feature is disabled.

The following CLI commands are used to work with IP directed broadcasting:

Enabling IP directed broadcast on page 125Enabling IP directed broadcast

Use the following procedure to enable IP directed broadcast.

To enable IP directed broadcast, use the following command from Global Configurationmode.[no] ip directed-broadcast enableUse the no form of this command to disable.

Configuring STP using CLIUse the following procedures to configure STP for the WLAN 8100 Series using the CLI.

• Setting the STP mode using the CLI on page 125• Configuring STP BPDU Filtering using the CLI on page 125• Creating and Managing STGs using the CLI on page 126• Managing RSTP using the CLI on page 132

Setting the STP mode using the CLI

Use the following procedure to set the STP operational mode.

To set the STP mode, use the following command from Global Configuration mode.spanning-tree op-mode {stpg | rstp }

Configuring STP BPDU Filtering using the CLI

Use the following procedure to configure STP BPDU Filtering on a port. This command isavailable in all STP modes (STPG, RSTP, and MSTP).



1. To enable STP BPDU filtering, use the following command from InterfaceConfiguration mode.[no] spanning-tree bpdu-filtering [port<portlist>] [enable][timeout <10-65535> | 0>]Use the no form of this command to disable.

2. To set the STP BPDU Filtering properties on a port to their default values, use thefollowing command from the Interface Configuration command mode:default spanning-tree bpdu-filtering [port<portlist>][enable] [timeout]

3. To show the current status of the BPDU Filtering parameters, use the followingcommand from the Privileged EXEC mode:show spanning-tree bpdu-filtering [<interface-type>][port<portlist>]


Variable Valueport <portlist> Specifies the ports affected by the command.

enable Enables STP BPDU Filtering on the specified ports.The default value is disabled.

timeout <10-65535| 0> When BPDU filtering is enabled, this indicates thetime (in seconds) during which the port remainsdisabled after it receives a BPDU. The port timer isdisabled if this value is set to 0. The default value is120 seconds.

Creating and Managing STGs using the CLI

To create and manage Spanning Tree Groups, you can refer to the Command Line Interfacecommands listed in this section. Depending on the type of Spanning Tree Group that you wantto create or manage, the command mode needed to execute these commands can differ.

In the following commands, the omission of any parameters that specify a Spanning TreeGroup results in the command operating against the default Spanning Tree Group (SpanningTree Group 1).

To configure STGs using the CLI, refer to the following:

• Configuring path cost calculation mode on page 127• Configuring STG port membership mode on page 127• Displaying STP configuration information on page 127



• Creating a Spanning Tree Group on page 128• Deleting a Spanning Tree Group on page 128• Enabling a Spanning Tree Group on page 128• Disabling a Spanning Tree Group on page 128• Configuring STP values on page 129• Restoring default Spanning Tree values on page 130• Adding a VLAN to a STG on page 130• Removing a VLAN from a STG on page 131• Configuring STP and MSTG participation on page 131• Resetting Spanning Tree values for ports to default on page 132

Configuring path cost calculation modeUse the following procedure to set the path cost calculation mode for all Spanning Tree Groupson the switch.

To configure path cost calculation mode, use the following command from PrivilegedEXEC mode.spanning-tree cost-calc-mode {dot1d | dot1t}

Configuring STG port membership modeUse the following procedure to set the STG port membership mode for all Spanning TreeGroups on the switch.

To configure STG port membership mode, use the following command from PrivilegedEXEC mode.spanning-tree port-mode {auto | normal}

Displaying STP configuration informationUse the following procedure to display spanning tree configuration information that is specific toeither the Spanning Tree Group or to the port.

To display STP configuration information, use the following command from PrivilegedEXEC mode.show spanning-tree [stp <1-8>] {config | port| port-mode |vlans}




Variable Valuestp <1-8> Displays specified Spanning Tree Group

configuration; enter the number of the groupto be displayed.

config | port | port-mode | vlans Displays spanning tree configuration for:

• config--the specified (or default) SpanningTree Group

• port--the ports within the Spanning TreeGroup

• port-mode--the port mode

• vlans--the VLANs that are members of thespecified Spanning Tree Group

Creating a Spanning Tree GroupUse the following procedure to create a Spanning Tree Group.

To create a Spanning Tree Group, use the following command from GlobalConfiguration mode.spanning-tree stp <1-8> create

Deleting a Spanning Tree GroupUse the following procedure to delete a Spanning Tree Group.

To delete a Spanning Tree Group, use the following command from GlobalConfiguration mode.spanning-tree stp <1-8> delete

Enabling a Spanning Tree GroupUse the following procedure to enable a Spanning Tree Group.

To enable a Spanning Tree Group, use the following command from GlobalConfiguration mode.spanning-tree stg <1-8> enable

Disabling a Spanning Tree GroupUse the following procedure to disable a Spanning Tree Group.



To disable a Spanning tree Group, use the following command from GlobalConfiguration mode.spanning-tree stp <1-8> disable

Configuring STP valuesUse the following procedure to set STP values by STG.

To configure STP values, use the following command from Global Configuration mode.spanning-tree [stp <1-8>] [forward-time <4-30>] [hello-time<1-10>] [max-age <6-40> [priority {0*0000 | 0*1000| 0*2000 |0*3000 | ... | 0*E000 | 0*F000}] [tagged-bpdu {enable |disable}] [tagged-bpdu-vid >1-4094>] [multicast-address<H.H.H>] [add-vlan] [remove-vlan]


Variable Valuestp <1-8> Specifies the Spanning Tree Group; enter

the STG ID.

forward-time <4-30> Enter the forward time of the STG inseconds; the range is 4 -- 30, and the defaultvalue is 15.

hello-time <1-10> Enter the hello time of the STG in seconds;the range is 1 --10, and the default value is 2.

max-age <6-40> Enter the max-age of the STG in seconds;the range is 6 -- 40, and the default value is20.

priority {0x000 | 0x1000 | 0x2000 | 0x3000| .... | 0xE000 | 0xF000}

Sets the spanning tree priority (in Hex); if802.1T compliant, this value must be amultiple of 0x1000.

tagged-bpdu {enable | disable} Sets the BPDU as tagged or untagged. Thedefault value for Spanning Tree Group 1(default group) is untagged; the default forthe other groups is tagged.

tagged-bpdu-vid <1-4094> Sets the VLAN ID (VID) for the tagged BPDU.The default value is 4001 -- 4008 for STG 1-- 8, respectively.

multicast-address <H.H.H> Sets the spanning tree multicast address.

add-vlan Adds a VLAN to the Spanning Tree Group.



Variable Valueremove-vlan Removes a VLAN from the Spanning Tree

Group.

Restoring default Spanning Tree valuesUse the following procedure to restore default spanning tree values for the Spanning TreeGroup.

To restore Spanning Tree values to default, use the following command from GlobalConfiguration mode.default spanning-tree [stp <1-8> [forward-time] [hello-time][max-age] [priority] [tagged-bpdu] [multicast address]


Variable Valuestp <1-8> Disables the Spanning Tree Group; enter the

STG ID.

forward-time Sets the forward time to the default value of15 seconds.

hello-time Sets the hello time to the default value of 2seconds.

max-age Sets the maximum age time to the defaultvalue of 20 seconds.

priority Sets spanning tree priority (in Hex); if 802.1Tcompliant, this value must be a multiple of0x1000.

tagged-bpdu Sets the tagging to the default value. Thedefault value for Spanning Tree Group 1(default group) is untagged; the default forthe other groups is tagged.

multicast address Sets the spanning tree multicast MACaddress to the default.

Adding a VLAN to a STGUse the following procedure to add a VLAN to a specified Spanning Tree Group.

To add a VLAN to a STG, use the following command from Global Configuration mode.spanning-tree [stp <1-8>] add-vlan <1-4094>



Removing a VLAN from a STGUse the following procedure to remove a VLAN from a specified Spanning Tree Group.

To remove a VLAN from a STG, use the following command from Global Configurationmode.spanning-tree [stp <1-8>] remove-vlan <1-4094>

Configuring STP and MSTG participationUse the following procedure to set the Spanning Tree Protocol (STP) and multiple SpanningTree Group (STG) participation for the ports within the specified Spanning Tree Group.

To configure STP and MSTG participation, use the following command from InterfaceConfiguration mode.[no] spanning-tree [port <portlist>] [stp <1-8>] [learning{disable | normal | fast}] [cost <1-65535>] [priority]Use the no form of this command to disable.


Variable Valueport <portlist> Enables the spanning tree for the specified

port or ports; enter port or ports you wantenabled for the spanning tree.Note: If you omit this parameter, the systemuses the port number you specified when youissued the interface command to enter theInterface Configuration mode.

stp <1-8> Specifies the spanning tree group; enter theSTG ID.

learning {disable|normal|fast} Specifies the STP learning mode:

• disable -- disables FastLearn mode

• normal -- changes to normal learning mode

• fast -- enables FastLearn mode

cost <1-65535> Enter the path cost of the spanning tree;range is 1 -- 65535.

priority Sets the spanning tree priority for a port as ahexadecimal value. If the Spanning TreeGroup is 802.1T compliant, this value mustbe a multiple of 0x10.



Resetting Spanning Tree values for ports to defaultUse the following procedure to set the spanning tree values for the ports within the specifiedSpanning Tree Group to the factory default settings.

To reset Spanning Tree values to default, use the following command from InterfaceConfiguration mode.default spanning-tree [port <portlist>] [stp <1-8>] [learning][cost] [priority]


Variable Valueport <portlist> Enables spanning tree for the specified port or ports;

enter port or ports to be set to factory spanning treedefault values.Note: If this parameter is omitted, the system usesthe port number specified when the interfacecommand was used to enter Interface Configurationmode.

stp <1-8> Specifies the Spanning Tree Group to set to factorydefault values; enter the STG ID. This commandplaces the port into the default STG. The defaultvalue for STG is 1.

learning Sets the spanning tree learning mode to the factorydefault value.The default value for learning is Normal mode.

cost Sets the path cost to the factory default value.The default value for path cost depends on the typeof port.

priority Sets the priority to the factory default value.The default value for the priority is 0x8000.

Managing RSTP using the CLIUse the following command to configure RSTP:

• Configuring RSTP parameters on page 132• Configuring RSTP on a port on page 134• Displaying RSTP configuration on page 134• Displaying RSTP port configuration on page 133

Configuring RSTP parametersUse the following procedure to set the RSTP parameters which include forward delay, hellotime, maximum age time, default path cost version, bridge priority, transmit holdcount, andversion for the bridge.



To configure RSTP parameters, use the following command from Global Configurationmode.spanning-tree rstp [ forward-time <4-30>] [hello-time <1-10>][max-age <6-40>] [pathcost-type {bits16 | bits32}] [priority{0000|1000|2000| ...| F000}] [tx-holdcount <1-10>] [version{stp-compatible | rstp}]


Variable Valueforward-time <4-30> Sets the RSTP forward delay for the bridge

in seconds; the default is 15.

hello-time <1-10> Sets the RSTP hello time delay for the bridgein seconds; the default is 2.

max-age <6-40> Sets the RSTP maximum age time for thebridge in seconds; the default is 20.

pathcost-type {bits16 | bits32} Sets the RSTP default path cost version; thedefault is bits32.

priority {0000 | 1000 | ... | F000} Sets the RSTP bridge priority (in hex); thedefault is 8000.

tx-hold count Sets the RSTP Transmit Hold Count; thedefault is 3.

version {stp-compatible | rstp} Sets the RSTP version; the default is rstp.

Displaying RSTP port configurationUse the following procedure to display the Rapid Spanning Tree Protocol (RSTP) related port-level configuration details.

To display RSTP port configuration, use the following command from Privileged EXECmode.show spanning-tree rstp port {config | status | statistics |role} [<portlist>]


Variable Valueconfig Displays RSTP port-level configuration.

status Displays RSTP port-level role information.



Variable Valuestatistics Displays RSTP port-level statistics.

role Displays RSTP port-level status.

Configuring RSTP on a portUse the following procedure to set the RSTP parameters, which include path cost, edge-portindicator, learning mode, point-to-point indicator, priority, and protocol migration indicator onthe single or multiple port.

To configure RSTP on a port, use the following command from Interface Configurationmode.spanning-tree rstp [port <portlist>] [cost <1-200000000> [edge-port {false | true}] [learning {disable | enable}] [p2p {auto |force-false | force-true}] [priority {00 | 10 | ... | F0}][protocol-migration {false | true}]


Variable Valueport <portlist> Filter on list of ports.

cost <1-200000000> Sets the RSTP path cost on the single ormultiple ports; the default is 200000.

edge-port {false | true} Indicates whether the single or multiple portsare assumed to be edge ports. Thisparameter sets the Admin value of edge portstatus; the default is false.

learning {disable | enable} Enables or disables RSTP on the single ormultiple ports; the default is enable.

p2p {auto | force-false | force-true} Indicates whether the single or multiple portsare to be treated as point-to-point links. Thiscommand sets the Admin value of P2PStatus; the default is force-true.

priority {00 | 10 |... | F0} Sets the RSTP port priority on the single ormultiple ports; the default is 80.

protocol-migration {false | true} Forces the single or multiple port to transmitRSTP BPDUs when set to true, whileoperating in RSTP mode; the default is false.

Displaying RSTP configurationUse the following procedure to display the Rapid Spanning Tree Protocol (RSTP) relatedbridge-level configuration details.



To display RSTP configuration details, use the following command from PrivilegedEXEC mode.show spanning-tree rstp {config | status | statistics}


Variable Valueconfig Displays RSTP bridge-level configuration.

status Displays RSTP bridge-level role information.

statistics Displays RSTP bridge-level statistics.

Configuring MLT using CLIThe Command Line Interface commands detailed in this section allow for the creation andmanagement of Multi-Link trunks. Depending on the type of Multi-Link trunk being created ormanaged, the command mode needed to execute these commands can differ.

Refer to the following sections to configure MLT:

• Displaying MLT configuration and utilization on page 135• Configuring a Multi-Link trunk on page 135• Disabling a MLT on page 136• Displaying MLT properties on page 136• Configuring STP participation for MLTs on page 137

Displaying MLT configuration and utilization

Use the following procedure to display Multi-Link Trunking (MLT) configuration and utilization.

To display MLT configuration and utilization, use the following command fromPrivileged EXEC mode.show mlt [utilization <1-32>]

Configuring a Multi-Link trunk

Use the following procedure to configure a Multi-Link trunk (MLT).



To configure a Multi-Link trunk, use the following command from Global Configurationmode.mlt <id> [name<trunkname>] [enable | disable] [member<portlist>] [learning {disable | fast | normal}] [bpdu {all-ports | single-port}] loadbalance {basic | advance}


Variable Valueid Enter the trunk ID; the range is 1 to 32.

name <trunkname> Specifies a text name for the trunk; enter upto 16 alphanumeric characters.

enable | disable Enables or disables the trunk.

member <portlist> Enter the ports that are members of the trunk.

learning <disable | fast | normal> Sets STP learning mode.

bpdu {all-ports | single-port} Sets trunk to send and receive BPDUs oneither all ports or a single port.

loadbalance {basic | advance} Sets the MLT load-balancing mode:

• basic: MAC-based load-balancing

• advance: IP-based load-balancing

Disabling a MLT

Use the following procedure to disable a Multi-Link trunk (MLT), clearing all the port members.

To disable a MLT, use the following command from Global Configuration mode.no mlt [<id>]

Displaying MLT properties

Use the following procedure to display the properties of Multi-Link trunks (MLT) participatingin Spanning Tree Groups (STG).



To display MLT properties, use the following command from Global Configurationmode.show mlt spanning-tree <1-32>

Configuring STP participation for MLTs

Use the following procedure to set Spanning Tree Protocol (STP) participation for Multi-Linktrunks (MLT).

To configure STP participation for MLTs, use the following command from GlobalConfiguration mode.mlt spanning-tree <1-32> [stp <1-8>, ALL>] [learning {disable |normal | fast}]


Variable Value<1-32> Specifies the ID of the MLT to associate with

the STG.

stp <1-8> Specifies the spanning tree group.

learning {disable | normal | fast} Specifies the STP learning mode:

• disable -- disables learning

• normal -- sets the learning mode to normal

• fast -- sets the learning mode to fast

Configuring LACP and VLACP using CLIThis section contains information on the following topics:

• Configuring Link Aggregation using CLI on page 137• Configuring VLACP using CLI on page 142

Configuring Link Aggregation using CLI

This section describes the commands necessary to configure and manage Link Aggregationusing the Command Line Interface (CLI).



To configure Link Aggregation using the CLI, refer to the fo

• Displaying LACP system settings on page 138• Displaying LACP per port configuration on page 138• Displaying LACP port mode on page 138• Displaying LACP port statistics on page 139• Clearing LACP port statistics on page 139• Displaying LACP port debug information on page 139• Displaying LACP aggregators on page 139• Configuring LACP system priority on page 140• Enabling LACP port aggregation mode on page 140• Configuring the LACP administrative key on page 140• Configuring LACP operating mode on page 140• Configuring per port LACP priority on page 141• Configuring LACP periodic transmission timeout interval on page 142• Configuring LACP port mode on page 142

Displaying LACP port modeUse the following procedure to display the current port mode (default or advanced).

To display the port mode, use the following command from Privileged EXEC mode.show lacp port-mode

Displaying LACP system settingsUse the following procedure to display system-wide LACP settings.

To display system settings, use the following command from Privileged EXEC mode.show lacp system

Displaying LACP per port configurationUse the following procedure to display information on the per-port LACP configuration. Selectports either by port number or by aggregator value.

To display per port configuration, use the following command from Privileged EXECmode.show lacp port [<portList> | aggr <1-65535>]




Variable Value<portList> Enter the specific ports for which to display LACP

information.

aggr <1-65535> Enter the aggregator value to display ports that aremembers of it.

Displaying LACP port statisticsUse the following procedure to displayLACP port statistics. Select ports either by port numberor by aggregator value.

To display port statistics, use the following command from Privileged EXEC mode.show lacp stats [<portList> | aggr <1-65535>]


Variable Value<portList> Enter the specific ports for which to display LACP

information.

aggr <1-65535> Enter the aggregator value to display ports that aremembers of it.

Clearing LACP port statisticsUse the following procedure to clear existing LACP port statistics.

To clear statistics, use the following command from Interface Configuration mode.lacp clear-stats <portList>

Displaying LACP port debug informationUse the following procedure to display port debug information.

To display port debug information, use the following command from Privileged EXECmode.show lacp debug member [<portList>]

Displaying LACP aggregatorsUse the following procedure to display LACP aggregators or LACP trunks.



To display aggregators, use the following command from Privileged EXEC mode.show lacp aggr <1-65535>

Configuring LACP system priorityUse the following procedure to configure the LACP system priority. It is used to set the system-wide LACP priority. The factory default priority value is 32768.

To configure system priority, use the following command from Global Configurationmode.lacp system-priority <0-65535>

Enabling LACP port aggregation modeUse the following procedure to enable the port aggregation mode.

To enable the port aggregation mode, use the following command from InterfaceConfiguration mode.[no] lacp aggregation [port <portList>] enableUse the no form of the command to disable.

Configuring the LACP administrative keyUse the following procedure to configure the administrative LACP key for a set of ports.

To set the administrative key, use the following command from Interface Configurationmode.lacp key [port <portList>] <1-4095>


Variable Valueport <portList> The ports to configure the LACP key for.

<1-4095> The LACP key to use.

Configuring LACP operating modeUse the following procedure to configure the LACP mode of operations for a set of ports.



To configure the operating mode, use the following command from InterfaceConfiguration mode.lacp mode [port <portList>] {active | passive | off}


Variable Valueport <portList> The ports for which the LACP mode is to be

set.

{active | passive | off} The type of LACP mode to set for the port.The LACP modes are:

• active -- The port will participate as anactive Link Aggregation port. Ports inactive mode send LACPDUs periodically tothe other end to negotiate for linkaggregation.

• passive -- The port will participate as apassive Link Aggregation port. Ports inpassive mode send LACPDUs only whenthe configuration is changed or when itslink partner communicates first.

• off -- The port does not participate in LinkAggregation.

LACP requires at least one end of each linkto be in active mode.

Configuring per port LACP priorityUse the following procedure to configure the per-port LACP priority for a set of ports.

To configure priority, use the following command from Interface Configuration mode.lacp priority [port <portList> <0-65535>


Variable Valueport <portList> The ports for which to configure LACP priority.

<0-65535> The priority value to assign.



Configuring LACP periodic transmission timeout intervalUse the following procedure to configure the LACP periodic transmission timeout interval fora set of ports.

To configure the interval, use the following command from Interface Configurationmode.lacp timeout-time [port <portList>] {long | short}


Variable Valueport <portList> The ports for which to configure the timeout

interval.

{long | short} Specify the long or short timeout interval.

Configuring LACP port modeUse the following procedure to configure the LACP port mode on the switch.

To configure the port mode, use the following command from Interface Configurationmode.lacp port-mode {default | advance}


Variable Valuedefault Default LACP port mode.

advance Advanced LACP port mode.

Configuring VLACP using CLI

To configure VLACP using the CLI, refer to the following commands:

• Enabling VLACP globally on page 143• Configuring VLACP multicast MAC address on page 145• Configuring VLACP port parameters on page 143• Displaying VLACP status on page 145• Displaying VLACP port configuration on page 145



Enabling VLACP globallyUse the following procedure to globally enable VLACP for the device.

To enable VLACP, use the following command from Global Configuration mode.[no] vlacp enableUse the no form of this command to disable.

Configuring VLACP port parametersUse the following procedure to configure VLACP parameters on a port.

To configure parameters, use the following command from Interface Configurationmode.[no] vlacp port <port> [enable | disable] [timeout <long/short>][fast-periodic-time <integer>] [slow-periodic-time<integer>] [timeout-scale <integer>] [funcmac-addr <mac>][ethertype <hex>]Use the no form of this command to remove parameters.


Variable Value<port> Specifies the port number.

enable|disable Enables or disables VLACP.

timeout <long/short> Specifies whether the timeout control valuefor the port is a long or short timeout.

• long sets the port timeout value to:(timeout-scale value) × (slow-periodic-time value).

• short sets the port’s timeout value to:(timeout-scale value) × (fast-periodic-timevalue).

For example, if the timeout is set to shortwhile the timeout-scale value is 3 and thefast-periodic-time value is 400 ms, the timerexpires after 1200 ms.Default is long.

fast-periodic-time <integer> Specifies the number of millisecondsbetween periodic VLACPDU transmissionsusing short timeouts.



Variable ValueThe range is 400-20000 milliseconds.Default is 500.

slow-periodic-time <integer> Specifies the number of millisecondsbetween periodic VLACPDU transmissionsusing long timeouts.The range is 10000-30000 milliseconds.Default is 30000.

timeout-scale <integer> Sets a timeout scale for the port, wheretimeout = (periodic time) × (timeout scale).The range is 1-10. Default is 3.Note: With VLACP, a short interval existsbetween a port transmitting a VLACPDU andthe partner port receiving the sameVLACPDU. However, if the timeout-scale isset to less than 3, the port timeout value doesnot take into account the normal travel timeof the VLACPDU. The port expects to receivea VLACPDU at the same moment the partnerport sends it. Therefore, the delayedVLACPDU results in the link being blocked,and then enabled again when the packetarrives. To prevent this scenario fromhappening, set the timeout-scale to a valuelarger than 3. VLACP partners must also wait3 synchronized VLACPDUs to have the linkenabled. If VLACP partner miss 3consecutive packets from the other partner,sets the link as VLACP down.

funcmac-addr <mac> Specifies the address of the far-end switchconfigured to be the partner of this switch. Ifnone is configured, any VLACP-enabledswitch communicating with the local switchthrough VLACP PDUs is considered to bethe partner switch.Note: VLACP has only one multicast MACaddress, configured using the vlacpmacaddress command, which is the Layer 2destination address used for theVLACPDUs.The port-specific funcmac-addr parameterdoes not specify a multicast MAC address,but instead specifies the MAC address of theswitch to which this port is sendingVLACPDUs.You are not always required to configurefuncmac-addr. If not configured, the firstVLACP-enabled switch that receives the



Variable ValuePDUs from a unit assumes that it is theintended recipient and processes the PDUsaccordingly.If you want an intermediate switch to dropVLACP packets, configure the funcmac-addr parameter to the desired destinationMAC address. With funcmac-addrconfigured, the intermediate switches do notmisinterpret the VLACP packets.

ethertype <hex> Sets the VLACP protocol identification forthis port. Defines the ethertype value of theVLACP frame. The range is 8101-81FF.Default is 8103.

Configuring VLACP multicast MAC addressUse the following procedure to set the multicast MAC address used by the device forVLACPDUs.

To configure the multicast MAC address, use the following command from GlobalConfiguration mode.[no] vlacp macaddress <macaddress>Use the no form of this command to delete the address.

Displaying VLACP statusUse the following procedure to display the status of VLACP on the switch.

To display VLACP status, use the following command from Privileged EXEC mode.show vlacp

Displaying VLACP port configurationUse the following procedure to display the VLACP configuration details for a port or list of ports.

To display port configuration, use the following command from Privileged EXEC mode.show vlacp interface <slot/port>where <slot/port> specifies a port or list of ports.

Among other properties, the show vlacp interface command displays a columncalled HAVE PARTNER, with possible values of yes or no.



If HAVE PARTNER is yes when ADMIN ENABLED and OPER ENABLED are true,then that port has received VLACPDUs from a port and those PDUs were recognizedas valid according to the interface settings.If HAVE PARTNER is no, when ADMIN ENABLED is true and OPER ENABLED isFALSE, then the partner for that port is down (that port received at least one correctVLACPDU, but did not receive additional VLACPDUs within the configured timeoutperiod). In this case VLACP blocks the port. This scenario is also seen if only one unithas VLACP enabled and the other has not enabled VLACP.The show vlacp interface command is in the privExec command mode.

Note: If VLACP is enabled on an interface, the interface will not forward traffic unlessit has a valid VLACP partner. If one partner has VLACP enabled and the other is notenabled, the unit with VLACP enabled will not forward traffic, however the unit withVLACP disabled will continue to forward traffic.

Configuring IP routing

IP routing configuration using CLIThis chapter describes the procedures you can use to configure routable VLANs using the CLI.

The WC 8180 can function as a Layer 3 (L3) switch. This means that a regular Layer 2 VLANbecomes a routable Layer 3 VLAN if an IP address and MAC address are attached to theVLAN. When routing is enabled in Layer 3 mode, every Layer 3 VLAN is capable of routing aswell as carrying the management traffic. You can use any Layer 3 VLAN instead of theManagement VLAN to manage the switch.

Refer to the following sections to configure IP routing using CLI:

• IP routing configuration procedures on page 147• Configuring global IP routing status on page 147• Displaying global IP routing status on page 148• Configuring an IP address for a VLAN on page 148• Configuring IP routing status on a VLAN on page 149• Configuring a secondary IP address for a VLAN on page 149• Displaying the IP address configuration and routing status for a VLAN on page 150• Displaying IP routes on page 151



• Performing a traceroute on page 151• Bad xref to DLM-18512499

IP routing configuration procedures

To configure inter-VLAN routing on the switch, perform the following steps:

1. Enable IP routing globally.

2. Assign an IP address to a specific VLAN or brouter port.Routing is automatically enabled on the VLAN or brouter port when you assign anIP address to it.

IP routing configuration navigation

• Configuring global IP routing status• Displaying global IP routing status• Configuring an IP address for a VLAN• Configuring IP routing status for a VLAN• Displaying the IP address configuration and routing status for a VLAN• Displaying IP routes• Performing a traceroute• Entering Router Configuration mode

Configuring global IP routing status

Use this procedure to enable and disable global routing at the switch level. By default, routing isdisabled.

To configure the status of IP routing on the switch, enter the following from the GlobalConfiguration mode:[no] ip routing




Variable Valueno Disables IP routing on the switch

Displaying global IP routing status

Use this command to display the status of IP blocking on the switch.

To display the status of IP blocking on the switch, enter the following from the UserEXEC mode:show ip routing

Configuring an IP address for a VLAN

To enable routing an a VLAN, you must first configure an IP address on the VLAN.

To configure an IP address on a VLAN, enter the following from the VLAN InterfaceConfiguration mode:[no] ip address <ipaddr> <mask> [<MAC-offset>]


Variable Value[no] Removes the configured IP address and

disables routing on the VLAN.

<ipaddr> Specifies the IP address to attach to theVLAN.

<mask> Specifies the subnet mask to attach to theVLAN

[<MAC-offset>] Specifies the value used to calculate theVLAN MAC address, which is offset from theswitch MAC address. The valid range is1-256. Specify the value 1 for theManagement VLAN only. If no MAC offset isspecified, the switch applies oneautomatically.



Configuring IP routing status on a VLAN

Use this procedure to enable and disable routing for a particular VLAN.

To configure the status of IP routing on a VLAN, enter the following from the VLANInterface Configuration mode:[default] [no] ip routing


Variable Valuedefault Disables IP routing on the VLAN.

no Disables IP routing on the VLAN.

Configuring a secondary IP address for a VLAN

Use this procedure to configure a secondary IP interface to a VLAN (also known asmultinetting). You can have a maximum of eight secondary IP addresses for every primaryaddress, and you must configure the primary address before configuring any secondaryaddresses.

Primary and secondary interfaces must reside on different subnets.

To remove a primary IP address from a VLAN, you must first remove all secondary addressesfrom the VLAN.

Prerequisites

Configure a primary IP address on the VLAN.

To configure the secondary IP interface on the VLAN, enter the following from the VLANInterface Configuration mode.[no] ip address <ip address> <mask> [<mac offset>] secondary


Variable Valueno Removes the configured IP address. To remove a

primary IP address from a VLAN, you must first removeall secondary addresses from the VLAN.

<ipaddr> Specifies the IP address to attach to the VLAN.



Variable Value<mask> Specifies the subnet mask to attach to the VLAN

[<MAC-offset>] Specifies the value used to calculate the VLAN MACaddress, which is offset from the switch MAC address.The valid range is 1-256. Specify the value 1 for theManagement VLAN only. If no MAC offset is specified,the switch applies one automatically.

Job aid: Example of adding a secondary IP interface to a VLANPrimary and secondary interfaces must reside on different subnets. In the following example,4.1.0.10 is the primary IP and 4.1.1.10 is the secondary IP.

(config)# interface vlan 4(config)# ip address 4.1.0.10 255.255.255.0 6(config-if)# ip address 4.1.1.10 255.255.255.0 7 secondary

Displaying the IP address configuration and routing status for a VLAN

Use this procedure to display the IP address configuration and the status of routing on a VLAN.

To display the IP address configuration on a VLAN, enter the following from the VLANPrivileged Exec mode:show vlan ip [vid <vid>]


Variable Value[vid <vid>] Specifies the VLAN ID of the VLAN to be displayed.

Range is 1-4094.

Job aidThe following table shows the field descriptions for the show vlan ip command.

Field DescriptionVid Specifies the VLAN ID.

ifindex Specifies an index entry for the interface.

Address Specifies the IP address associated with the VLAN.

Mask Specifies the mask.

MacAddress Specifies the MAC address associated with theVLAN.



Field DescriptionOffset Specifies the value used to calculate the VLAN MAC

address, which is offset from the switch MAC address.

Routing Specifies the status of routing on the VLAN: enabledor disabled.

Displaying IP routes

Use this procedure to display all active routes in the routing table.

Route entries appear in ascending order of the destination IP addresses.

To display all active routes in the routing table, enter the following from the User EXECcommand mode:show ip route [<dest-ip>] [-s <subnet><mask>] [summary]


Variable Value[<dest-ip>] Specifies the destination IP address of the route to

display.

[-s <subnet><mask>] Specifies the destination subnet of the routes todisplay.

[summary] Displays a summary of IP route information.

Performing a traceroute

Use this procedure to display the route taken by IP packets to a specified host.

1. To perform a traceroute, enter the following from the Global Configuration mode:traceroute <Hostname|A.B.C.D.> <-m> <-p> <-q> <-v> <-w><1-1464>

2. Type CTRL+C to interrupt the command.




Variable ValueHostname Specifies the name of the remote host.

A.B.C.D Specifies the IP address of the remote host.

-m Specifies the maximum time to live (ttl). The valuefor this parameter is in the rage from 1-255. Thedefault value is 10. Example: traceroute 10.3.2.134-m 10

-p Specifies the base UDP port number. The value forthis parameter is in the range from 0-65535.Example: traceroute 1.2.3.4 -p 87

-q Specifies the number of probes per time to live. Thevalue for this parameter is in the range from 1-255.The default value is 3. Example: traceroute10.3.2.134 -q 3

-v Specifies verbose mode. Example: traceroute10.3.2.134 -v

-w Specifies the wait time per probe. The value for thisparameter is in the range from 1-255. The defaultvalue is 5 seconds. Example: traceroute 10.3.2.134-w 15

<1-1464> Specifies the UDP probe packet size. TIP: probepacket size is 40 plus specified data length in bytes.Example: traceroute 10.3.2.134 -w 60

Static route configuration using CLIThis chapter describes the procedures you can use to configure static routes using the CLI.

Static route configuration navigation

• Configuring a static route on page 152• Displaying static routes on page 153• Configuring a management route on page 154• Displaying the management routes on page 155

Configuring a static route

Use this procedure to configure a static route. Create static routes to manually configure a pathto destination IP address prefixes.



Prerequisites

• Enable IP routing globally• Enable IP routing and configure an IP address on the VLANs to be routed.

To configure a static route, enter the following from the Global Configuration commandmode:[no] ip route <dest-ip> <mask> <next-hop> [<cost>] [disable][enable] [weight<cost>]


Variable Value[no] Removes the specified static route.

<dest-ip> Specifies the destination IP address for the route beingadded. 0.0.0.0 is considered the default route.

<mask> Specifies the destination subnet mask for the route beingadded.

<next-hop> Specifies the next hop IP address for the route being added.

[<cost>] Specifies the weight, or cost, of the route being added. Rangeis 1-65535.

[disable] Disables the specified static route.

[enable] Enables the specified static route.

[weight<cost>] Changes the weight, or cost, of an existing static route. Rangeis 1-65535.

Displaying static routes

Use this procedure to display all static routes, whether these routes are active or inactive.

To display a static route, enter the following from the User EXEC command mode:show ip route static [<dest-ip>] [-s<subnet><mask>]


Variable Value<dest-ip> Specifies the destination IP address of the

static routes to display.



Variable Value[-s<subnet><mask>] Specifies the destination subnet of the routes

to display.

Job aidThe following table shows the field descriptions for the show ip route static command.

Field DescriptionDST Identifies the route destination.

MASK Identifies the route mask.

NEXT Identifies the next hop in the route.

COST Identifies the route cost.

VLAN Identifies the VLAN ID on the route.

PORT Specifies the ports.

PROT Specifies the routing protocols. For static routes, optionsare LOC (local route) or STAT (static route).

TYPE Indicates the type of route as described by the TypeLegend on the CLI screen.

PRF Specifies the route preference.

Configuring a management route

Use this procedure to create a management route to the far end network, with a next-hop IPaddress from the management VLAN’s subnet. A maximum of 4 management routes can beconfigured on the switch.

Prerequisites

• Enable IP routing globally• Enable IP routing and configure an IP address on the management VLAN interface.

To configure a static management route, enter the following from the GlobalConfiguration command mode:[no] ip mgmt route <dest-ip><mask><next-hop>


Variable Value[no] Removes the specified management route.



Variable Value<dest-ip> Specifies the destination IP address for the route being

added.

<mask> Specifies the destination subnet mask for the route beingadded.

<next-hope> Specifies the next hop IP address for the route beingadded.

Displaying the management routes

Use this procedure to display the static routes configured for the management VLAN.

To display the static routes configured for the management VLAN, enter the followingfrom the User EXEC mode:show ip mgmt route

Job aid

The following table shows the shows the field descriptions for the show ip mgmt routecommand.

Field DescriptionDestination IP Identifies the route destination.

Subnet Mask Identifies the route mask.

Gateway IP Identifies the next hop in the route.

DHCP relay configuration using CLIThis chapter describes the procedures you can use to configure DHCP relay using the CLI.

Important:DHCP relay uses a hardware resource that is shared by switch Quality of Serviceapplications. When DHCP relay is enabled globally, the Quality of Service filter manager willnot be able to use precedence 11 for configurations.



Prerequisites

• Enable IP routing globally.• Enable IP routing and configure an IP address on the VLAN to be set as the DHCP relay

agent.• Ensure that a route to the destination DHCP server is available on the switch.

DHCP relay configuration procedures

To configure DHCP relay, perform the following steps:

1. Ensure that DHCP relay is enabled globally. (DHCP relay is enabled by default.)

2. Configure the DHCP relay forwarding path, specifying the VLAN IP as the DHCPrelay agent and the remote DHCP server as the destination.

3. Enable DHCP for the specific VLAN.

DHCP relay configuration navigation

• Configuring global DHCP relay status on page 156• Displaying the global DHCP relay status on page 157• Specifying a local DHCP relay agent and remote DHCP server on page 157• Displaying the DHCP relay configuration on page 158• Configuring DHCP relay status and parameters on a VLAN on page 158• Displaying the DHCP relay configuration for a VLAN on page 159• Displaying DHCP relay counters on page 160• Clearing DHCP relay counters for a VLAN on page 160

Configuring global DHCP relay status

Use this procedure to configure the global DHCP relay status. DHCP relay is enabled bydefault.

To configure the global DHCP relay status, enter the following from the GlobalConfiguration mode:[no] ip dhcp-relay




Variable Value[no] Disables DHCP relay.

Displaying the global DHCP relay status

Use this procedure to display the current DHCP relay status for the switch.

To display the global DHCP relay status, enter the following from the User EXECcommand mode:show ip dhcp-relay

Specifying a local DHCP relay agent and remote DHCP server

Use this procedure to specify a VLAN as a DHCP relay agent on the forwarding path to aremote DHCP server. The DHCP relay agent can forward DHCP client requests from the localnetwork to the DHCP server in the remote network.

The DHCP relay feature is enabled by default, and the default mode is BootP-DHCP.

Prerequisites

Enable IP routing and configure an IP address on the VLAN to configure as a DHCP relayagent.

To configure a VLAN as a DHCP relay agent, enter the following from the GlobalConfiguration mode:[no] ip dhcp-relay fwd-path <relay-agent-ip> <DHCP-server>[enable] [disable] [mode {bootp | bootp-dhcp | dhcp}]


Variable Value[no] Removes the specified DHCP forwarding path.

<relay-agent-ip> Specifies the IP address of the VLAN that servesas the local DHCP relay agent.

<DHCP-server> Specifies the address of the remote DHCPserver to which DHCP packets are to be relayed.



Variable Value[enable] Enables the specified DHCP relay forwarding

path.

[disable] Disables the specified DHCP relay forwardingpath.

[mode {bootp | bootp-dhcp | dhcp}] Specifies the mode for DHCP relay.

• BootP only

• BootP and DHCP

• DHCP only

If you do not specify a mode, the default DHCPand BootP is used.

Displaying the DHCP relay configuration

Use this procedure to display the current DHCP relay agent configuration.

To display the DHCP relay configuration, enter the following from the User EXECcommand mode:show ip dhcp-relay fwd-path

Job aid

The following table shows the field descriptions for the show ip dhcp-relay fwd-pathcommand.

Field DescriptionINTERFACE Specifies the interface IP address of the DHCP relay

agent.

SERVER Specifies the IP address of the DHCP server.

ENABLE Specifies whether DHCP is enabled.

MODE Specifies the DHCP mode.

Configuring DHCP relay status and parameters on a VLAN

Use this procedure to configure the DHCP relay parameters on a VLAN. To enable DHCP relayon the VLAN, enter the command with no optional parameters.



To configure DHCP relay on a VLAN, enter the following from the VLAN InterfaceConfiguration mode:[no] ip dhcp-relay [broadcast] [min-sec <min-sec>] [mode {bootp| dhcp | bootp_dhcp}]


Variable Value

[no] Disables DHCP relay on the specified VLAN.

[broadcast] Enables the broadcast of DHCP reply packets tothe DHCP clients on this VLAN interface.

min-sec <min-sec> The switch immediately forwards a BootP/DHCP packet if the ’secs’ field in the BootP/DHCP packet header is greater than theconfigured min-sec value; otherwise, the packetis dropped. Range is 0-65535. The default is 0.

mode {bootp | dhcp | bootp_dhcp} Specifies the type of DHCP packets this VLANsupports:

• bootp - Supports BootP only

• dhcp - Supports DHCP only

• bootp_dhcp - Supports both BootP and DHCP

Displaying the DHCP relay configuration for a VLAN

Use this procedure to display the current DHCP relay parameters configured for a VLAN.

To display the DHCP relay VLAN parameters, enter the following from the PrivilegedEXEC command mode:show vlan dhcp-relay [<vid>]


Variable Value[<vid>] Specifies the VLAN ID of the VLAN to be displayed. Range is

1-4094.

Job aidThe following table shows the field descriptions for the show ip dhcp-relay command.



Field DescriptionIfIndex Indicates the VLAN interface index.

MIN_SEC Indicates the minimum time, in seconds, to waitbetween receiving a DHCP packet and forwarding theDHCP packet to the destination device. A value ofzero indicates forwarding is done immediately withoutdelay.

ENABLED Indicates whether DHCP relay is enabled on theVLAN.

MODE Indicates the type of DHCP packets this interfacesupports. Options include none, BootP, DHCP, andboth.

ALWAYS_BROADCAST Indicates whether DHCP reply packets are broadcastto the DHCP client on this VLAN interface.

Displaying DHCP relay counters

Use this procedure to display the current DHCP relay counters. This includes the number ofrequests and the number of replies.

To display the DHCP relay counters, enter the following from the User EXEC commandmode:show ip dhcp-relay counters

Job aid

The following table shows the field descriptions for the show ip dhcp-relay counterscommand.

Field DescriptionINTERFACE Indicates the interface IP address of the DHCP relay

agent.

REQUESTS Indicates the number of DHCP requests.

REPLIES Indicates the number of DHCP replies.

Clearing DHCP relay counters for a VLAN

Use this procedure to clear the DHCP relay counters for a VLAN.



To clear the DHCP relay counters, enter the following from the VLAN InterfaceConfiguration command mode:ip dhcp-relay clear-counters

Directed broadcasts configuration using CLIThis chapter describes procedures you can use to configure and display the status of directedbroadcasts using CLI.

Navigation

• Configuring directed broadcasts on page 161• Displaying the directed broadcast configuration on page 161

Configuring directed broadcasts

Use this procedure to enable directed broadcasts on the switch. By default, directed broadcastsare disabled.

Prerequisites

• Enable IP routing globally.• Enable IP routing and configure an IP address on the VLAN to be configured as a

broadcast interface.• Ensure that a route (local or static) to the destination address is available on the switch.

To enable directed broadcasts, enter the following from the Global Configuration mode:ip directed-broadcast enable

Displaying the directed broadcast configuration

Use this procedure to display the status of directed broadcasts on the switch. By default,directed broadcasts are disabled.

To display directed broadcast status, enter the following from the User EXEC mode:show ip directed-broadcast



Static ARP and Proxy ARP configuration using CLIThis chapter describes the procedures you can use to configure Static ARP, Proxy ARP, anddisplay ARP entries using the CLI.

Static ARP and Proxy ARP configuration navigation

• Static ARP configuration on page 162• Displaying the ARP table on page 162• Proxy ARP configuration on page 164

Static ARP configuration

This section describes how to configure Static ARP using the CLI.

Configuring a static ARP entryUse this procedure to create and enable a static ARP entry.

Prerequisites

• Enable IP routing globally.• Enable IP routing and configure an IP address on the target VLAN.

To configure a static ARP entry, enter the following from the Global Configuration mode:[no] ip arp <A.B.C.D> <aa:bb:cc:dd:ee:ff> <port> [vid <1-4094>]


Variable Value[no] Removes the specified ARP entry.

<A.B.C.D> Specifies the IP address of the device being setas a static ARP entry.

<aa:bb:cc:dd:ee:ff> Specifies the MAC address of the device being setas a static ARP entry.

< port> Specifies the port number to which the static ARPentry is being added.

vid <1-4094> Specifies the VLAN ID to which the static ARPentry is being added.

Displaying the ARP tableUse the following procedures to display the ARP table, configure a global timeout for ARPentries, and clear the ARP cache.



Navigation

• Displaying ARP entries on page 163• Configuring a global timeout for ARP entries on page 163• Clearing the ARP cache on page 164

Displaying ARP entriesUse this procedure to display ARP entries.

To display ARP entries, enter the following from the User Exec mode:show arp-tableORshow ip arp [static | dynamic] [<ip-addr> | {-s <subnet><mask>{] [summary]The show ip arp command is invalid if the switch is not in Layer 3 mode.


Variable Value<ip-addr> Specifies the IP address of the ARP entry to be displayed.

-s <subnet> <mask> Displays ARP entries for the specified subnet only.

static Displays all configured static entries, including thosewithout a valid route.

Job aidThe following table shows the field descriptions for the show ip arp command.

Field DescriptionIP Address Specifies the IP address of the ARP entry.

Age (min) Displays the ARP age time.

MAC Address Specifies the MAC address of the ARP entry.

VLAN-Unit/Port/Trunk Specifies the VLAN/port of the ARP entry.

Flags Specifies the type of ARP entry. S=Static,D=Dynamic, L=Local, B=Broadcast.

Configuring a global timeout for ARP entriesUse this procedure to configure an aging time for the ARP entries.



To configure a global timeout for ARP entries, enter the following from the GlobalConfiguration mode:ip arp timeout <timeout>


Variable Value<timeout> Specifies the amount of time in minutes before an ARP entry

ages out. Range is 5-360. The default value is 360 minutes.

Clearing the ARP cacheUse this procedure to clear the cache of ARP entries.

To clear the ARP cache, enter the following from the Global Configuration mode:clear arp-cache

Proxy ARP configuration

This section describes how to configure Proxy ARP using the CLI.

Navigation

• Configuring proxy ARP status on page 164• Displaying proxy ARP status on a VLAN on page 165

Configuring proxy ARP statusUse this procedure to enable proxy ARP functionality on a VLAN. By default, proxy ARP isdisabled.

Prerequisites

• Enable IP routing globally.• Enable IP routing and configure an IP address on the VLAN to be configured as a Proxy

ARP interface.

To configure proxy ARP status, enter the following from the VLAN InterfaceConfiguration mode:[default] [no] ip arp-proxy enable




Variable Valuedefault Disables proxy ARP functionality on the VLAN.

no Disables proxy ARP functionality on the VLAN.

Displaying proxy ARP status on a VLANUse this procedure to display the status of proxy ARP on a VLAN.

To display proxy ARP status for a VLAN, enter the following from the User EXEC mode:show ip arp-proxy interface [vlan<vid>]


Variable Value<vid> Specifies the ID of the VLAN to display. Range is 1-4094.

Job aidThe following table shows the field descriptions for the show ip arp-proxy interfacescommand.

Field DescriptionVlan Identifies a VLAN.

Proxy ARP status Specifies the status of Proxy ARP on the VLAN.

IGMP snooping configuration using CLIThis chapter describes the procedures you can use to configure IGMP snooping on a VLANusing CLI.

IGMP snooping configuration procedures

To configure IGMP snooping, the only required configuration is to enable snooping onthe VLAN.All related configurations, listed below, are optional and can be configured to suit therequirements of your network.



IGMP snooping configuration navigation

• Configuring IGMP snooping on a VLAN on page 166• Configuring IGMP send query on a VLAN on page 167• Configuring IGMP proxy on a VLAN on page 167• Configuring the IGMP version on a VLAN on page 168• Configuring static mrouter ports on a VLAN on page 168• Displaying IGMP snoop, proxy, and mrouter configuration on page 169• Configuring IGMP parameters on a VLAN on page 170• Configuring the router alert option on a VLAN on page 171• Displaying IGMP interface information on page 172• Displaying IGMP group membership information on page 173• Configuring unknown multicast packet filter on page 175• Displaying the status of unknown multicast packet filtering on page 175• Specifying a multicast MAC address to be allowed to flood all VLANs on page 176• Displaying the multicast MAC addresses for which flooding is allowed on page 176• Displaying IGMP cache information on page 177• Flushing the router table on page 178• Configuring IGMP selective channel block on page 178

Configuring IGMP snooping on a VLAN

Enable IGMP snooping on a VLAN to forward the multicast data to only those ports that aremembers of the group.

IGMP snooping is disabled by default.

To enable IGMP snooping, enter the following from the VLAN Interface Configurationcommand mode:[default] [no] ip igmp snoopingOREnter the following from the Global Configuration command mode:[default] vlan igmp <vid> [snooping {enable | disable}]




Variable Valuedefault Disables IGMP snooping on the selected VLAN.

no Disables IGMP snooping on the selected VLAN.

enable Enables IGMP snooping on the selected VLAN.

disable Disables IGMP snooping on the selected VLAN.

Configuring IGMP send query on a VLAN

Use this procedure to enable IGMP send query on a snoop-enabled VLAN. When IGMPsnooping send query is enabled, the IGMP snooping querier sends out periodic IGMP queriesthat trigger IGMP report messages from the switch or host that wants to receive IP multicasttraffic. IGMP snooping listens to these IGMP reports to establish appropriate forwarding.

IGMP send query is disabled by default.

Prerequisites

You must enable snoop on the VLAN.

To enable IGMP send query, enter the following command from the VLAN InterfaceConfiguration mode:ip igmp send-query

Configuring IGMP proxy on a VLAN

Use this procedure to enable IGMP proxy on a snoop-enabled VLAN. With IGMP proxyenabled, the switch consolidates incoming report messages into one proxy report for thatgroup.

IGMP proxy is disabled by default.

Prerequisites

You must enable snoop on the VLAN.

To enable IGMP proxy, enter the following from the VLAN Interface Configurationmode:[default] [no] ip igmp proxyOREnter the following from the Global Configuration command mode:



[default] [no] vlan igmp <vid> [proxy {enable | disable}]


Variable Valuedefault Disables IGMP proxy on the selected VLAN.

no Disables IGMP proxy on the selected VLAN.

<vid> Specifies the VLAN ID.

enable Enables IGMP proxy on the selected VLAN.

disable Disables IGMP proxy on the selected VLAN.

Configuring the IGMP version on a VLAN

Use this procedure to configure the IGMP version running on the VLAN. You can specify theversion as IGMPv1, IGMPv2, or IGMPv3 (IGMPv3 is supported for IGMP snooping only; it isnot supported with PIM-SM). The default is IGMPv2.

To configure the IGMP version, enter the following from the VLAN InterfaceConfiguration mode:[default] ip igmp version <1-3>


Variable Valuedefault Restores the default IGMP protocol version (IGMPv2).

<1-3> Specifies the IGMP version.

Configuring static mrouter ports on a VLAN

IGMP snoop considers the port on which the IGMP query is received as the active IGMPmulticast router (mrouter) port. By default, the switch forwards incoming IGMP MembershipReports only to the active mrouter port.

To forward the IGMP reports to additional ports, you can configure the additional ports as staticmrouter ports.



To configure static mrouter ports on a VLAN (IGMPv1, IGMPv2, and IGMPv3 accordingto the supported version on the VLAN), enter the following from the VLAN InterfaceConfiguration mode:[default] [no] ip igmp mrouter <portlist>ORTo configure IGMPv1 or IGMPv2 static mrouter ports, enter the following from theGlobal Configuration command mode:[no] vlan igmp <vid> {v1-members | v2-members} [add | remove]<portlist>


Variable Valuedefault Removes all static mrouter ports.

no Removes the specified static mrouter port.

<portlist> Specifies the list of ports to add or remove as staticmrouter ports.

{v1-members | v2-members} Specifies whether the static mrouter ports areIGMPv1 or IGMPv2.

[add | remove] Specifies whether to add or remove the staticmrouter ports.

Displaying IGMP snoop, proxy, and mrouter configuration

Use this procedure to display the IGMP snoop, proxy, and mrouter configuration per VLAN.

To display IGMP snoop information, enter:show ip igmp snooping


Variable ValueVlan Indicates the Vlan ID.

Snoop Enable Indicates whether snoop is enabled (true) or disabled(false).



Variable ValueProxy Snoop Enable Indicates whether IGMP proxy is enabled (true) or disabled

(false).

Static Mrouter Ports Indicates the static mrouter ports in this VLAN that provideconnectivity to an IP multicast router.

Active Mrouter Ports Displays all dynamic (querier port) and static mrouter portsthat are active on the interface.

Mrouter Expiration Time Specifies the time remaining before the multicast router isaged out on this interface. If the switch does not receivequeries before this time expires, it flushes out all groupmemberships known to the VLAN. The Query MaxResponse Interval (obtained from the queries received) isused as the timer resolution.

Configuring IGMP parameters on a VLAN

Use this procedure to configure the IGMP parameters on a VLAN.

Important:The query interval, robustness, and version values must be the same as those configuredon the interface (VLAN) of the multicast router (IGMP querier).

To configure IGMP parameters, enter the following from the VLAN InterfaceConfiguration mode:[default] ip igmp [last-member-query-interval<last-mbr-query-in>] [query-interval<query-int>] [query-max-response<query-max-resp>] [robust-value<robust-val>] [version<1-3>]ORenter the following from the Global Configuration command mode:[default] vlan igmp <vid> [query-interval<query-int<] [robust-value<robust-val>]


Variable Valuedefault Sets the selected parameter to the default value. If no

parameters are specified, snoop is disabled and all IGMPparameters are set to their defaults.

<last-mbr-query-int> Sets the maximum response time (in 1/10 seconds) thatis inserted into group-specific queries sent in response to



Variable Valueleave group messages. This parameter is also the timebetween group-specific query messages. This value isnot configurable for IGMPv1.Decreasing the value reduces the time to detect the lossof the last member of a group.The range is from 0–255, and the default is 10 (1 second).Avaya recommends configuring this parameter to valueshigher than 3. If a fast leave process is not required,Avaya recommends values above 10. (The value 3 isequal to 0.3 of a second, and 10 is equal to 1.0 second.)

<query-int> Sets the frequency (in seconds) at which host querypackets are transmitted on the VLAN.The range is 1–65535. The default value is 125 seconds.

<query-max-resp> Specifies the maximum response time (in 1/10 seconds)advertised in IGMPv2 general queries on this interface.The range is 0–255. The default value is 100 (10seconds).

<robust-val> Specifies tuning for the expected packet loss of anetwork. This value is equal to the number of expectedquery packet losses for each serial query interval, plus 1.If you expect a network to lose query packets, you mustincrease the robustness value.Ensure that the robustness value is the same as theconfigured value on the multicast router (IGMP querier).The range is from 2 to 255, and the default is 2. Thedefault value of 2 means that one query for each queryinterval can be dropped without the querier aging out.

Configuring the router alert option on a VLAN

Use this command to enable the router alert feature. This feature instructs the router to dropcontrol packets that do not have the router-alert flag in the IP header.

Important:To maximize your network performance, Avaya recommends that you set the router alertoption according to the version of IGMP currently in use: IGMPv1—Disable IGMPv2—Enable IGMPv3—Enable

To configure the router alert option on a VLAN, enter the following from the VLANInterface Configuration mode:[default] [no] ip igmp router-alert




Variable Valuedefault Disables the router alert option.

no Disables the router alert option.

Displaying IGMP interface information

Use this procedure to display IGMP interface parameters.

To display the IGMP interface information, enter:show ip igmp interface [vlan <vid>]OREnter:show vlan igmp <vid>

Job aid

The following table shows the field descriptions for the show ip igmp interfacecommand command.

Field DescriptionVLAN Indicates the VLAN on which IGMP is configured.

Query Intvl Specifies the frequency (in seconds) at which host querypackets are transmitted on the interface.

Vers Specifies the version of IGMP configured on this interface.

Oper Vers Specifies the version of IGMP running on this interface.

Querier Specifies the IP address of the IGMP querier on the IPsubnet to which this interface is attached.

Query MaxRsp T Indicates the maximum query response time (in tenths ofa second) advertised in IGMPv2 queries on this interface.

Wrong Query Indicates the number of queries received whose IGMPversion does not match the Interface version. You mustconfigure all routers on a LAN to run the same version ofIGMP. Thus, if queries are received with the wrong version,a configuration error occurs.



Field DescriptionJoins Indicates the number of times a group membership was

added on this interface.

Robust Specifies the robust value configured for expected packetloss on the interface.

LastMbr Query Indicates the maximum response time (in tenths of asecond) inserted into group-specific queries sent inresponse to leave group messages, and is also the amountof time between group-specific query messages. Use thisvalue to modify the leave latency of the network. A reducedvalue results in reduced time to detect the loss of the lastmember of a group. This does not apply if the interface isconfigured for IGMPv1.

Send Query Indicates whether the ip igmp send-query feature isenabled or disabled. Values are YES of NO. Default isdisabled.

The following table shows the field descriptions for the show vlan igmp command.

Field DescriptionSnooping Indicates whether snooping is enabled or disabled.

Proxy Indicates whether proxy snoop is enabled ordisabled.

Robust Value Indicates the robust value configured for expectedpacket loss on the interface.

Query Time Indicates the frequency (in seconds) at which hostquery packets are transmitted on the interface.

IGMPv1 Static Router Ports Indicates the IGMPv1 static mrouter ports.

IGMPv2 Static Router Ports Indicates the IGMPv2 static mrouter ports.

Send Query Indicates whether the ip igmp send-query feature isenabled or disabled. Values are YES of NO. Defaultis disabled.

Displaying IGMP group membership information

Display the IGMP group information to show the learned multicast groups and the attachedports.

To display IGMP group information, enter:



show ip igmp group [count] [group <A.B.C.D>] [member-subnet<A.B.C.D>/<0-32>]OREnter:show vlan multicast membership <vid>


Variable Valuecount Displays the number of IGMP group entries.

group <A.B.C.D> Displays group information for the specifiedgroup.

member-subnet <A.B.C.D>/<0-32 Displays group information for the specifiedmember subnet.

Job aidThe following table shows the field descriptions for the show ip igmp group command.

Field DescriptionGroup Address Indicates the multicast group address.

VLAN Indicates the VLAN interface on which the group exists.

Member Address Indicates the IP address of the IGMP receiver (host orIGMP reporter). The IP address is 0.0.0.0 if the type isstatic.

Expiration Indicates the time left before the group report expires. Thisvariable is updated upon receiving a group report.

Type Specifies the type of membership: static or dynamic.

In Port Identifies the member port for the group. This is the port onwhich group traffic is forwarded and in those case wherethe type is dynamic, it is the port on which the IGMP joinwas received.

The following table shows the field descriptions for the show vlan multicastmembership command.

Field DescriptionMulticast Group Address Indicates the multicast group address.

In Port Indicates the physical interface or a logical interface(VLAN) that received group reports from varioussources.



Configuring unknown multicast packet filter

The default switch behavior is to flood all packets with unknown multicast addresses. Use thisprocedure to prevent the flooding of packets with unknown multicast addresses and enablethe forwarding of these packets to static mrouter ports only.

To configure unknown multicast packet flooding, enter the following from the GlobalConfiguration mode:[no] [default] vlan igmp <vid> unknown-mcast-no-flood {enable |disable}


Variable Valueno Enables the flooding of multicast packets on the VLAN.

default Enables the flooding of multicast packets on the VLAN.

enable Prevents the flooding of multicast packets on the VLAN.

disable Enables the flooding of multicast packets on the VLAN.

Displaying the status of unknown multicast packet filtering

Use this procedure to display the status of unknown multicast filtering: enabled (no flooding)or disabled (flooding allowed).

To display the unknown multicast flooding configuration, enter:show vlan igmp unknown-mcast-no-flood

Job aid

The following table shows the field descriptions for the show vlan igmp unknown-mcast-no-flood command.

Field DescriptionUnknown Multicast No-Flood Specifies the status of unknown multicast

filtering: enabled or disabled.



Specifying a multicast MAC address to be allowed to flood all VLANs

Use this procedure to allow particular unknown multicast packets to be flooded on all switchVLANs.

To add MAC addresses starting with 01.00.5E to the allow-flood table, you must specify thecorresponding multicast IP address. For instance, you cannot add MAC address 01.00.5E.01.02.03 to the allow-flood table, but instead you must specify IP address 224.1.2.3.

For all other types of MAC address, you can enter the MAC address directly to allow flooding.

To allow particular unknown multicast packets to be flooded, enter the following fromthe Global Configuration mode:vlan igmp unknown-mcast-allow-flood {<H.H.H> |<mcast_ip_address>}


Variable Value<H.H.H> Specifies the multicast MAC address to be flooded.

Accepted formats are:

• H.H.H

• xx:xx:xx:xx:xx:xx

• xx.xx.xx.xx.xx.xx

• xx-xx-xx-xx-xx-xx

<mcast_ip_address> Specifies the multicast IP address to be flooded.

Displaying the multicast MAC addresses for which flooding is allowed

Use this procedure to display the multicast MAC addresses for which flooding is allowed onall switch VLANs.

To display the multicast MAC addresses for which flooding is allowed, enter:show vlan igmp unknown-mcast-allow-flood



Job aid

The following table shows the field descriptions for the show vlan igmp unknown-mcast-allow-flood command.

Field DescriptionAllowed Multicast Addresses Indicates multicast addresses that can flood.

Displaying IGMP cache information

Display the IGMP cache information to show the learned multicast groups in the cache andthe IGMPv1 version timers.

Note: Using the show ip igmp cache command may not display the expected results in someconfigurations. If the expected results are not displayed, use the show ip igmp group commandto view the information.

To display the IGMP cache information, enter:show ip igmp cache

Job aid

The following table shows the field descriptions for the show ip igmp cache command.

Field DescriptionGroup Address Indicates the multicast group address.

Vlan ID Indicates the VLAN interface on which the groupexists.

Last Reporter Indicates the last IGMP host to join the group.

Expiration Indicates the group expiration time (in seconds).

V1 Host Timer Indicates the time remaining until the local routerassumes that no IGMP version 1 members exist onthe IP subnet attached to the interface. Uponhearing an IGMPv1 membership report, this valueis reset to the group membership timer.When the time remaining is nonzero, the localinterface ignores IGMPv2 leave messages that itreceives for this group.



Field DescriptionType Indicates whether the entry is learned dynamically

or is added statically.

Flushing the router table

Use this procedure to flush the router table.

To flush the router table, enter the following from the Global Configuration mode:ip igmp flush vlan <vid> {grp-member|mrouter}


Variable Value{grp-member|mrouter} Flushes the table specified by type.

Configuring IGMP selective channel block

In certain deployment scenarios it might be required not to allow multicast streaming fromspecific group addresses to users connected to certain ports. With the IGMP selective channelblock feature this type of control can be implemented. When configured it will control the IGMPmembership of ports by blocking IGMP reports received from users on that port destined forthe specific group address/addresses. The filter can be configured to block a single multicastaddress or range of addresses.

This feature will work regardless of whether the switch is in Layer 2 IGMP snooping mode orthe full IGMP mode (PIM-SM enabled). It will also be applicable for IGMPv1 and v2.

Configuring IGMP selective channel block navigation

• Creating an IGMP profile on page 179• Deleting an IGMP profile on page 179• Applying the IGMP filter profile on interface on page 179• Removing a profile from an interface on page 179• Displaying an IGMP profile on page 180



Creating an IGMP profile

Use this procedure to create an IGMP profile.

1. From Global Configuration mode, enter the ip igmp profile <profilenumber (1-65535)> command.

2. Enter the deny command.

3. Enter the range <ip multicast address><ip multicast address>command.

Deleting an IGMP profile

Use this procedure to delete an IGMP profile.

To delete an IGMP profile enter the following command from Global Configurationmode:no ip igmp profile <profile number (1-65535)>

Applying the IGMP filter profile on interface

Use this procedure to apply the IGMP filter profile on an interface.

1. From Global Configuration mode enter the interface <interface-id>command.

2. Enter the ip igmp filter <profile number> command.

Removing a profile from an interface

Use this procedure to remove a profile from an interface.



1. From Global Configuration mode enter the interface <interface-id>command.

2. Enter the no ip igmp filter <profile number> command.

Displaying an IGMP profile

Use this procedure to display an IGMP profile.

To display an IGMP profile enter the following command from Global Configurationmode:show ip igmp profile <cr> or <profile number>

Configuring Access ListsThe CLI commands detailed in this section allow for the configuration and management ofaccess lists.

Navigation

• Assigning ports to an access list on page 180• Removing an access list assignment on page 181• Creating an IP access list on page 181• Removing an IP access list on page 182• Creating a Layer 2 access list on page 183• Removing a Layer 2 access list on page 184

Assigning ports to an access listAssign ports to an access list by performing this the procedure.

Assign ports to an access list by using the following command in Global Configurationmode.



qos acl-assign port <port_list> acl-type {ip | l2} name <name>


Variable Valueport <port_list> Specifies the list of ports assigned to the specified access list.

acl-type {ip | l2} Specifies the type of access list used; IP or Layer 2.

name <name> Specifies the name of the access list to be used. Access listsmust be configured before ports can be assigned to them.

Removing an access list assignmentRemove an access list assignment by performing this procedure.

Remove an access list assignment by using the following command from GlobalConfiguration mode.no qos acl-assign <aclassignid>

Creating an IP access listCreate an IP access list by performing this procedure.

Create an access list by using the following procedure from Global Configuration mode.qos ip-acl name <name> [addr-type <addrtype>] [src-ip<source_ip>] [dst-ip <destination_ip>] [ds-field <dscp>][{protocol <protocol_type> | next_header <header>}] [src-port-min <port> src-port-max <port>] [dst-port-min <port> dst-port-max <port>] [flow-id <flowid>] [drop-action {drop | pass}][update-dscp <0 - 63>] [update-1p <0 - 7>] [set-drop-prec {highdrop | low drop}] [block <block_name>]

Configuring Access Lists



Variable Valuename <name> Specifies the name assigned to this access list.

addr-type <addrtype> Specifies the IP address type to use for the access list.

src-ip <source_ip> Specifies the source IP address to use for this access list.

dst-ip <destination_ip> Specifies the destination IP address to use for this access list.

ds-field <dscp> Specifies the DSCP value to use for this access list.

{protocol <protocol_type>| next_header <header>}

Specifies the protocol type or IP header to use with this accesslist.

src-port-min <port> src-port-max <port>

Specifies the minimum and maximum source ports to use withthis access list. Both values must be specified.

dst-port-min <port> dst-port-max <port>

Specifies the minimum and maximum destination ports to usewith the access list. Both values must be specified.

flow-id <flowid> Specifies the flow ID to use with this access list.

drop-action {drop | pass} Specifies the drop action to use for this access list.

update-dscp <0 - 63> Specifies the DSCP value to update for this access list.

update-1p <0 - 7> Specifies the 802.1p value to update for this access list.

set-drop-prec {high drop |low drop}

Specifies the drop precedence to configure for this access list.

block <block_name> Specifies the block name to associate with the access list.

Removing an IP access listRemove an IP access list by performing this procedure.

Remove an access list by using the following command from Global Configurationmode.no qos ip-acl <aclid>



Creating a Layer 2 access listCreate a Layer 2 access list by performing this procedure.

Create an access list by using the following command from Global Configuration mode.qos l2-acl name <name> [src-mac <source_mac_address>] [src-mac-mask <source_mac_address_mask>] [dst-mac<destination_mac_address>] [dst-mac-mask<destination_mac_address_mask>] [vlan-min <vid_min> vlan-max<vid_max>] [vlan-tag <vtag>] [ethertype <etype>] [priority<ieee1p_seq>] [drop-action {drop | pass}] [update-dscp <0 -63>] [update-1p <0 - 7>] [set-drop-prec {high-drop | low-drop}] [block <block_name>]Note: Possible values for vlan-max are based on the binary value of vlan-min, and areobtained by replacing consecutive trailing zeros in this binary value with ones, startingat the right-most position. For example, if vlan-min = 200, then there are 4 possiblevalues for vlan-max: 11001000 (200) 11001001 (201) 11001011 (203) 11001111 (207)The value of vlan-max is vlan-min + 2n - 1, where n is the number of consecutive trailingzeros replaced.


Variable Valuename <name> Specifies the name assigned to this access list.

src-mac<source_mac_address>

Specifies the source MAC address to use for this access list.

src-mac-mask<source_mac_address_mask>

Specifies the source MAC address mask to use for this accesslist.

[dst-mac<destination_mac_address>]

Specifies the destination MAC address to use for this access list.

dst-mac-mask<destination_mac_address_mask>

Specifies the destination MAC address mask to use for thisaccess list.

vlan-min <vid_min> vlan-max <vid_max>

Specifies the minimum and maximum VLANs to use with thisaccess list. Both values must be specified.

Configuring Access Lists


Variable Valuevlan-tag <vtag> Specifies the VLAN tag to use with this access list.

ethertype <etype> Specifies the Ethernet protocol type to use with the access list.

priority <ieee1p_seq> Specifies the priority value to use with this access list.

drop-action {drop | pass} Specifies the drop action to use for this access list.

update-dscp <0 - 63> Specifies the DSCP value to update for this access list.

update-1p <0 - 7> Specifies the 802.1p value to update for this access list.

set-drop-prec {high-drop |low-drop}

Specifies the drop precedence to configure for this access list.

block <block_name> Specifies the block name to associate with the access list.

Removing a Layer 2 access listRemove a Layer 2 access list by performing this procedure.

Remove an access list by using the following command from Global Configurationmode.no qos l2-acl <aclid>

Configuring Elements, Classifiers, and Classifier BlocksUse the CLI commands in this section to configure elements, classifiers, and classifier blocks.

Navigation

• Configuring IP classifier element entries on page 185• Viewing IP classifier entries on page 186• Removing IP classifier entries on page 186• Adding Layer 2 elements on page 186• Viewing Layer 2 elements on page 188• Removing Layer 2 elements on page 188• Linking IP and L2 classifier elements on page 188• Removing classifier entries on page 189



• Combining individual classifiers on page 189• Removing classifier block entries on page 190

Configuring IP classifier element entriesUse the following procedure to add and configure classifier entries.

Add and configure classifier entries by using the following command from GlobalConfiguration mode.qos ip-element <cid> [addr-type <addrtype>] [ds-field <dscp>][dst-ip <dst-ip-info>] [dst-port-min <port>] [flow-id <flowid>][ip-flag <ip-flags>] [ipv4-options <no-opt | with-opt>] [next-header <nextheader>] [session-id] [src-ip <src-ip-info>] [src-port-min <port>] [tcp-control <tcp-flags>]


Variable Value<cid> Specifies the element ID, value ranges from 1–55000.

addr-type <addrtype> Specifies the address type. Use the value ipv4 toindicate an IPv4 address or the value ipv6 to indicatean IPv6 address. The default value is ipv4.

ds-field <0-63> Specifies a 6-bit DSCP value; value ranges from 0–63. Default is ignore.

dst-ip <dst-ip-info> Specifies the source IP address and mask in the formof a.b.c.d/x for IPv4, or x:x:x:x:x:x:x:x/z for IPv6.Default is 0.0.0.0.

dst-port-min <port> Specifies the L4 destination port minimum value.

flow-id <flowid> Specifies the IPv6 flow identifier.

ip-flag <ip-flags> Specifies the flags present in an IPv4 header.

ipv4-options <no-opt | with-opt> Specifies whether the Option field is present in thepacket header. Valid values are

• no-opt—indicates that only IPv4 packets withoutoptions will match this classifier element.

• with-opt—indicates that only IPv4 packets withoptions will match this classifier element.

Configuring Elements, Classifiers, and Classifier Blocks


Variable Valuenext-header Specifies the IPv6 next header classifier criteria; range

is 0–255.

src-ip <src-ip-info> Specifies the source IP address and mask in the formof a.b.c.d/x for IPv4, or x:x:x:x:x:x:x:x/z for IPv6.Default is 0.0.0.0.

session-id Specifies the session ID.

src-port-min <port> Specifies the L4 source port minimum value.

tcp-control <tcp-flags> Specifies the control flags present in an TCP header.

Viewing IP classifier entriesView IP classifier entries by performing this procedure.

View IP classifier element entries by using the following commands from the PrivilegedEXEC Configuration mode.show qos ip-element [<1-65535>] [all] [system] [user]

Removing IP classifier entriesUse the following procedure to remove IP classifier entries.

Note: An IP element that is referenced in a classifier cannot be deleted.

Remove IP classifier entries by using the following command from GlobalConfiguration mode.no qos ip-element <1-55000>

Adding Layer 2 elementsUse the following procedure to add Layer 2 elements.

Note: A Layer 2 element referenced in a classifier cannot be deleted.



Add Layer 2 elements by using the following command from the Global Configurationmode.qos l2-element <1-55000> [dst-mac <dst-mac>] [dst-mac-mask<dst-mac-mask>] [ethertype <etype>] [ivlan-min <vid-min>] [pkt-type <etherII | llc | snap>] [priority <ieee1p-seq>] [session-id <session-id>] [src-mac <src-mac>] [src-mac-mask <src-mac-mask>] [vlan-min <vid-min>] [vlan-tag <vtag>]


Variable Value<1-55000> Specifies the element ID; range is 1–55000.

dst-mac <dst-mac> Specifies the destination MAC element criteria.Valid format is H.H.H.

dst-mac-mask <dst-mac-mask> Specifies the destination MAC mask elementcriteria. Valid format is H.H.H.

ethertype <etype> Specifies the Ethernet type. Valid format is0xXXXX, for example, 0x0801. Default is ignore.

ivlan-min <vid-min> Specifies the inner VLAN ID minimum valueelement criteria. Range is 1–4094.

pkt-type <etherII | llc | snap> Specifies the packet frame format.

• etherII—indicates that only Ethernet II formatframes match this classifier component.

• snap—indicates that only EEE 802 SNAPformat frames match this classifier component.

• llc—indicates that only IEEE 802 LLC formatframes match this classifier component.

priority <ieee1p-seq> Specifies the 802.1p priority values; range from0–7 or all. Default is ignore.

session-id <session-id> Specifies the session ID.

src-mac <src-mac> Specifies the source MAC element criteria. Enterin the format H.H.H.

src-mac-mask <src-mac-mask> Specifies the source MAC mask element criteria.Valid format is H.H.H.

vlan-min <vid-min> Specifies the VLAN ID minimum value elementcriteria. Range is 1–4094.



Variable Valuevlan-tag <format> Specifies the packet format element criteria:

• untagged

• tagged

The default is Ignore.

Viewing Layer 2 elementsView Layer 2 elements by performing this procedure.

View Layer 2 element entries by using the following commands from the PrivilegedEXEC Configuration mode.show qos l2-element [<1-65535>] [all] [system] [user]

Removing Layer 2 elementsUse the following procedure to delete Layer 2 element entries.

Delete element entries by using the following command from Global Configurationmode.no qos l2-element <1-55000>

Linking IP and L2 classifier elementsUse the following procedure to link IP and L2 classifier elements.

Note: A classifier that is referenced in a classifier block or installed policy cannot be deleted.

Link elements by using the following command from Global Configuration mode.qos classifier <1-55000> set-id <1-55000> [name <WORD>]element-type {ip | l2 | system} element-id <1-55000>




Variable Valueclassifier <1-55000> Specifies the classifier ID; range is 1–55000.

set-id <1-55000> Specifies the classifier set ID; range is 1–55000.

name <WORD> Specifies the set label; maximum is 16 alphanumericcharacters.

element-type {ip| l2 |system} Specifies the element type; either ip or l2, or systemclassifier.

element-id <1-55000> Specifies the element ID; range is 1–55000.

Removing classifier entriesUse the following procedure to delete classifier entries.

Note: Each classifier can have only a single IP classifier element plus a single L2 classifierelement or system classifier element. However, a classifier can be created using only one IPclassifier element or only one L2 classifier element or only one system classifier element.

Delete classifier entries by using the following command from Global Configurationmode.no qos classifier <1-55000>

Combining individual classifiersUse the following procedure to combine individual classifiers.

Note: A classifier block that is referenced in an installed policy cannot be deleted.

Combine individual classifiers by using the following command from GlobalConfiguration mode.qos classifier-block <1-55000> block-number <1-55000> [name<WORD>]{set-id <1-55000> | set-name <WORD>} [{in-profile-action <1-55000> | in-profile-action-name <WORD>} | {meter<1-55000> | meter-name <WORD>}]




Variable Valueclassifier-block<1-55000> Specifies an the classifier block ID; range is 1–55000.

block-number <1-55000> Specifies the classifier block number; range is 1–55000.

name <WORD> Specifies the label for the classifier block; maximum is 16alphanumeric characters.

set-id <1-55000> Specifies the classifier set to be linked to the classifier block;range is 1–55000.

set-name <WORD> Specifies the classifier set name to be linked to the classifierblock; maximum is 16 alphanumeric characters.

in-profile-action<1-55000>

Specifies the in profile action to be linked to the filter block;range is 1–55000.

in-profile-action-name<WORD>

Specifies the in profile action name to be linked to the classifierblock; maximum is 16 alphanumeric characters.

meter <1-55000> Specifies the meter to be linked to the classifier block; rangeis 1–55000.

meter-name <WORD> Specifies the meter name to be linked to the classifier block;maximum is 16 alphanumeric characters.

Removing classifier block entriesUse the following procedure to delete classifier block entries.

Delete classifier block entries by using the following command from GlobalConfiguration mode.no qos classifier-block <1-55000>

Configuring wired Quality of ServiceThis chapter discusses how to configure DiffServ and Quality of Service (QoS) parameters forpolicy-enabled networks.

Note: When the ignore value is used in QoS, the system matches all values for that parameter.



Navigation

• Displaying QoS Parameters on page 191• Displaying QoS capability policy configuration on page 195• Configuring Access Lists on page 180• Configuring QoS Security• QoS Agent configuration on page 196• Configuring Default Buffering Capabilities on page 198• Configuring the CoS-to-Queue Assignments on page 199• Configuring QoS Interface Groups on page 200• Configuring DSCP and 802.1p and Queue Associations on page 201• Configuring Elements, Classifiers, and Classifier Blocks on page 184• Configuring QoS system-element on page 203• Configuring QoS Actions on page 205• Configuring QoS Interface Action Extensions on page 207• Configuring QoS Meters on page 208• Configuring QoS Interface Shaper on page 210• Configuring QoS Policies on page 211• QoS Generic Filter set configuration on page 213• Configuring User Based Policies on page 215• Maintaining the QoS Agent on page 218• Configuring DoS Attack Prevention Package on page 221

Displaying QoS ParametersDisplay QoS parameters by performing this procedure.

Display QoS parameters by using the following command from Privileged EXEC mode.show qos { acl-assign <1 - 65535> | action [user | system | all| <1-65535>] | agent [details]| arp {spoofing [port] } | bpdu{blocker [port] } | capability [meter|shaper] | classifier[user | system | all | <1-65535>] | classifier-block [user |system | all |<1-65535> ] | dhcp {snooping [port] | spoofing[port] } | diag [unit] | dos {nachia [port] | sqlslam [port] |tcp-dnsport [port] | egressmap [ds| status]| if-action-extension [user | system | all | <1-65535>] | if-assign [port]| if-group | if-shaper [port] | ingressmap | ip-acl <1 - 65535>| ip-element [user | system | all | <1-65535>] | l2-acl <1 -

Configuring wired Quality of Service


65535> | l2-element [user | system | all | <1-65535>] | meter[user | system | all | <1-65535>] | nsna | policy [user | system| all | <1-65535>] | queue-set | queue-set-assignment |statistics <1-65535> | system-element [user | system | all |<1-65535>] | ubp | user-policy}


Variable Valueacl-assign <1 - 65535> Displays the specified access list assignment entry.

<1-65535>—Displays a particular entry.

action [<1-65535> | all |system | user]

Displays the base action entries. The applicable values are:

• <1-65535>—displays a particular entry.

• all—displays user-created, default, and system entries.

• system—displays only system entries.

• user—displays only user-created and default entries.

Default is all.

agent <details> Displays the global QoS parameters.details—displays the policy class support table.

arp spoofing Displays QoS ARP spoofing prevention settings. Thisparameter not available on 8100 Series.

bpdu blocker Displays QoS BPDU settings.blocker—displays QoS BPDU blocker settings.This parameter not available on 8100 Series.

capability [meter | shaper] Displays the current QoS meter and shaper capabilities ofeach interface. The applicable values are:

• meter—displays QoS port meter capabilities.

• shaper—displays QoS port shaper capabilities.

classifier [<1-65535> | all |system user]

Displays the classifier set entries. The applicable values are:


• all—displays all user-created, default, and system entries.



Default is all.



Variable Valueclassifier-block [<1-65535>| all | system | user]

Displays the classifier block entries. The applicable values are:





Default is all.

dhcp [snooping | spoofing] Displays QoS DHCP settings. The applicable values are:

• snooping—displays QoS DHCP snooping settings.

• spoofing—displays QoS DHCP spoofing preventionsettings.

This parameter not available on 8100 Series.

diag [unit] Displays the diagnostics entries.unit <1-8>—displays diagnostic entries for particular unit

dos [nachia | sqlslam | tcp-dnsport | tcp-ftpport | tcp-synfinscan | xmas]

Displays QoS DoS settings. The applicable values are:

• nachia—displays QoS DoS Nachia settings.

• sqlslam—displays QoS DoS SQLSlam settings.

• tcp-dnsport—displays QoS DoS TCP DnsPort settings.

• tcp-ftpport—displays QoS DoS TCP FtpPort settings.

• tcp-synfinscan—displays QoS DoS TCP SynFinScansettings.

• xmas—displays QoS DoS Xmas settings.

This parameter not available on 8100 Series.

egressmap Displays the association between the DSCP and the 802.1ppriority and drop precedence.

if-action-extension[<1-65535> | all | system |user]

Displays the interface action extension entries. The applicablevalues are:





Default is all.

if-assign [port] Displays the list of interface assignments.port—List of ports. Displays the configuration for particularports

if-group Displays the interface groups.



Variable Valueif-shaper [port] Displays the interface shaping parameters.

port—List of ports. Displays the configuration for particularports

ingressmap Displays the 802.1p priority to DSCP mapping.

ip-acl <1 - 65535> Displays the specified IP access list assignment entry.

<1-65535>—displays a particular entry.

ip-element [<1-65535> | all| system | user]

Displays the IP classifier element entries. The applicablevalues are:





Default is all.

l2-acl <1 - 65535> Displays the specified Layer 2 access list assignment entry.


l2-element [<1-65535> | all| system | user]

Displays the Layer 2 classifier element entries. The applicablevalues are:





Default is all.

meter [<1-65535> | all |system | user]

Displays the meter entries. The applicable values are:





Default is all.

nsna [classifier | interface |name]

Displays QoS NSNA entries. The applicable values are:

• classifier—displays QoS NSNA classifier entries.

• interface—displays QoS NSNA interface entries.

• name—specifies the label to display a particular NSNAtemplate entry.



Variable Valuepolicy [<1-65535> | all |system | user]

Displays the policy entries. The applicable values are:





Default is all.

queue-set Displays the queue set configuration.

queue-set-assignment Displays the association between the 802.1p priority to that ofa specific queue.

statistics <1-65535> Displays the policy and filter statistics values.


system-element[<1-65535> | all | system |user]

Displays the system classifier element entries. The applicablevalues are:





ubp [classifier | interface |name]

Displays QoS UBP entries. The applicable values are:

• classifier—displays QoS UBP classifier entries.

• interface—displays QoS UBP interface entries.

• name—specifies the label to display a particular UBPtemplate entry.

user-policy Displays QoS User Policy entries.

Displaying QoS capability policy configurationDisplay QoS meter and shaper capabilities for system ports by performing this procedure.

Display QoS capability policy configuration by using the following command fromPrivileged EXEC mode:show qos capability {meter [port] | shaper [port]}




Variable Valuemeter [port] Displays granularity for committed rate, maximum committed

rate and maximum bucket that can be used on ports for meters.port—specifies list of ports. Displays the information forparticular ports

shaper [port] Displays granularity for committed rate, maximum committedrate and maximum bucket that can be used on ports for shapers.port—specifies list of ports. Displays the information forparticular ports

QoS Agent configurationThe CLI commands detailed in this section allow for the configuration and management of theQoS Agent.

Navigation

• Globally enabling and disabling QoS Agent support on page 196• Configuring a default queue set on page 197• Modifying default queue configuration on page 198

Globally enabling and disabling QoS Agent support

Perform this procedure to globally enable or disable QoS Agent support. The commands usedin this procedure are available in Global Configuration mode.

QoS Agent support is enabled by default. QoS Agent support cannot be disabled if QoSfunctionality is currently used by NSNA or UBP.

1. Globally enable QoS Agent support using the following command:qos agent oper-mode [enable]ORdefault qos agent [oper-mode]

2. Globally disable QoS Agent support using the following commands:qos agent oper-mode [disable]OR



no qos agent oper-mode [enable]


Variable Valueenable Enables QoS Agent functionality for the system.

disable Disables QoS Agent functionality for the system.

Configuring a default queue set

Use the following procedure to specify the default queue set.

Note: The default qos agent command has the same result as the qos agent reset-defaultcommand.

Configure the queue set by using the following command from Global Configurationmode.default qos agent [buffer | dos-attack-prevention | nt-mode |nvram-delay | queue-set | statistics-tracking | ubp]


Variable Valuebuffer Restores default QoS resource buffer allocation.

dos-attack-prevention Restores default QoS DoS Attack Prevention. This parameteris only available on the 5600 Series switch.

nt-mode Restores default QoS NT application traffic processing mode.

nvram-delay Restores default maximum time in seconds to writeconfiguration data to a nonvolatile storage.

queue-set Restores default QoS queue set.

statistics-tracking Restores default QoS statistics tracking support.

ubp Restores default QoS UBP support level.

Job aid: Viewing the QoS agentThe following is an example for viewing the qos agent5530-24TFD(config)#show qos agent QoS Operational Mode: Enabled QoSNVRam Commit Delay: 10 seconds QoS Queue Set: 2 QoS Buffering: LargeQoS UBP Support Level: Low Security Local Data QoS Default StatisticsTracking: Aggregate QoS DOS Attack Prevention: Disabled Minimum TCP



Header Length: 20 Maximum IPv4 ICMP Length: 512 Maximum IPv6 ICMPLength: 512 QoS NT mode: Disabled

Modifying default queue configuration

Use the following procedure to modify the default queue configuration.

Note: The queue-set value sets the number of queues in a queue set for each port type. Thedefault value is 2.

Modify the configuration by using the following command from Global Configurationmode.qos agent queue-set <1-8>

Configuring Default Buffering CapabilitiesUse the following CLI commands to display and modify the buffer allocation mode.

Navigation

• Configuring default QoS resource buffer on page 198• Modifying QoS resource buffer allocation on page 198

Configuring default QoS resource buffer

Use the following procedure to allocate the default QoS resource buffer.

Restore the default the resource buffer by using the following command from GlobalConfiguration mode.default qos agent buffer

Modifying QoS resource buffer allocation

Use the following procedure to modify QoS resource buffer allocation.

Modify resource buffer allocation by using the following command from GlobalConfiguration mode.



qos agent buffer <regular | large | maximum>


Variable Valuebuffer Modifies the QoS resource buffer allocation. The

allowed buffer allocation modes for all QoS interfacesare as follows:

• regular

• large

• maximum

Note: The buffer mode determines the level of resourcesharing across interfaces sharing the same porthardware.

Configuring the CoS-to-Queue AssignmentsUse the following CLI commands to display and modify CoS-to-queue assignments.

Configuring 802.1p priority values

Use the following procedure to associate the 802.1p priority values with a specific queue withina specific queue set. This association determines the egress scheduling treatment that trafficwith a specific 802.1p priority value receives.

Configure priority values by using the following command from Global Configurationmode.qos queue-set-assignment queue-set <1-56> 1p <0-7> queue <1-8>


Variable Valuequeue-set <1-56> Specifies the queue-set, value ranges from 1–56.

1p <0-7> Specifies the 802.1p priority value for which the queueassociation is being modified; value ranges from 0–7.

queue <1-8> Specifies the queue within the identified queue set to assign the802.1p priority traffic at egress, value ranges from 1–8.



Configuring QoS Interface GroupsUse the CLI commands in this section to add or delete ports to or from an interface group, oradd or delete the interface groups themselves.

Navigation

• Configuring ports for an interface group on page 200• Removing ports from an interface group on page 200• Creating an interface group on page 201• Removing an interface group on page 201

Configuring ports for an interface group

Use the following procedure to add ports to a defined interface group.

Note: The system automatically removes the port from an existing interface group to assignit to a new interface group.

Add ports by using the following command from Interface Configuration mode.qos if-assign [port <portlist>] name [<WORD>]


Variable Valueport <portlist> Specifies the ports to add to interface group.

name <WORD> Specifies name of interface group.

Removing ports from an interface group

Use the following procedure to delete ports from a defined interface group.

Note: Ports not associated with an interface are considered QoS-disabled and may not haveQoS operations applied until assigned to an interface group.

Delete ports by using the following command from Interface Configuration mode.no qos if-assign [port <portlist>]



Creating an interface group

Use the following procedure to create interface groups.

Create interface groups by using the following command from Global Configurationmode.qos if-group name <WORD> class <trusted | untrusted |unrestricted>


Variable Valuename <WORD> Specifies the name of the interface group; maximum is 32 US-

ASCII. Name must begin with a letter a..z or A..Z.

class <trusted | untrusted| unrestricted>

Defines a new interface group and specifies the class of trafficreceived on interfaces associated with this interface group:

• trusted

• untrusted

• unrestricted

Removing an interface group

Use the following procedure to delete interface groups.

Note 1: An interface group referenced by an installed policy cannot be deleted.

Note 2: An interface group associated with ports cannot be deleted.

Delete interface groups by using the following command from Global Configurationmode.no qos if-group name <WORD>

Configuring DSCP and 802.1p and Queue AssociationsThis section contains procedures used to configure DSCP, 802.1p priority and queue setassociations.



Navigation

• Configuring DSCP to 802.1p priority on page 202• Restoring egress mapping entries to default on page 202• Configuring 802.1p priority to DSCP on page 203• Restoring ingress mapping entries to default on page 203

Configuring DSCP to 802.1p priority

Use the following procedure to configure DSCP-to-802.1p priority and drop precedenceassociations that are used for assigning these values at packet egress, based on the DSCPin the received packet.

Configure priority by using the following command from Global Configuration mode.qos egressmap [name <WORD>] ds <0-63> 1p <0-7> dp <low-drop |high-drop>


Variable Valuename <WORD> Specifies the label for the egress mapping.

ds <0-63> Specifies the DSCP value used as a lookup key for 802.1ppriority and drop precedence at egress when appropriate; rangeis between 0 and 63.

1p <0-7> Specifies the 802.1p priority value associated with the DSCP;range is between 0 and 7.

dp <low-drop | high-drop> Specifies the drop precedence values associated with theDSCP:

• low-drop

• high-drop

Restoring egress mapping entries to default

Use the following procedure to reset the egress mapping entries to factory default values.

Reset the entries by using the following command from Global Configuration mode.default qos egressmap



Configuring 802.1p priority to DSCP

Use the following procedure to configure 802.1p priority-to-DSCP associations that are usedfor assigning default values at packet ingress based on the 802.1p value in the ingressingpacket.

Configure priority by using the following command from Global Configuration mode.qos ingressmap [name <WORD>] 1p <0-7> ds <0-63>


Variable Valuename <WORD> Specifies the label for the ingress mapping.

1p <0-7> Specifies the 802.1p priority used as lookup key for DSCPassignment at ingress; range is between 0 and 7.

ds <0-63> Specifies the DSCP value associated with the target 802.1ppriority; range is between 0 and 63.

Restoring ingress mapping entries to default

Use the following procedure to reset the ingress mapping entries to factory default values.

Reset the entries by using the following command from Global Configuration mode.default qos ingressmap

Configuring QoS system-elementNavigation

• Configuring system classifier element parameters on page 204• Viewing system classifier elements parameters on page 205• Removing system classifier element entries on page 205



Configuring system classifier element parameters

Use the following procedure to configure system classifier element parameters that may beused in QoS policies.

Configure system classifier element parameters by using the following command fromGlobal Configuration mode.qos system-element <1-55000> [known-mcast | unknown-mcast |unknown-ucast] [pattern-format {tagged | untagged}] [pattern-ip-version {ipv4 | ipv6 | non-ip}] [pattern-data <WORD>pattern-mask <WORD>] [session-id]


Variable Value<1-55000> Specifies the system classifier element entry id; range

is 1–55000.

known-mcast Specifies the filter on known multicast destinationaddress.

unknown-mcast Specifies the filter on unknown multicast destinationaddress.

unknown-ucast Specifies the Filter on unknown unicast destinationaddress.

pattern-format { tagged | untagged } Specifies the format of data/mask pattern. Specifiesthe available values are:

• tagged— Data/mask pattern describes a taggedpacket

• untagged—Data/mask pattern describes anuntagged packet

pattern-data <WORD> Specifies the byte pattern data to filter on.Note: The format of the WORD string is in the form ofXX:XX:XX:....:XX.

pattern-mask <WORD> Specifies the byte pattern mask to filter on.Note: The format of the WORD string is in the form ofXX:XX:XX:....:XX.

pattern-ip-version Specifies the IP version of the pattern data or mask.



Variable Value

• ipv4—Filter IPv4 Header

• ipv6—Filter IPv6 Header

• non-ip—Filter non-ip packets

session-id Specifies the session ID.

Viewing system classifier elements parameters

View system classifier elements parameters by performing this procedure.

View system classifier elements parameters by using the following commands fromthe Privileged EXEC Configuration mode.show qos system-element [<1-65535>] [all] [system] [user]

Removing system classifier element entries

Use the following procedure to remove system classifier element entries.

Remove system classifier element entries by using the following command from GlobalConfiguration mode.no qos system-element <1-55000>

Configuring QoS ActionsThe configuration of QoS actions directs the WC 8180 to take specific action on each packet.This section covers the following CLI commands.

Navigation

• Creating and updating QoS actions on page 205• Removing QoS actions on page 207

Creating and updating QoS actions

Use the following procedure to create and update QoS actions.



Note: Certain options can be restricted based on the policy associated with the specific action.An action that is referenced in a meter or an installed policy cannot be deleted.

Create or update QoS actions by using the following command from GlobalConfiguration mode.qos action <10-55000> [name <WORD>] [drop-action <enable |disable | deferred-pass>] [update-dscp <0-63>] [update-1p{<0-7> | use-tos-prec | use-egress}] [set-drop-prec <low-drop |high-drop>] [action-ext <1-55000> | action-ext-name <WORD>]


Variable Value<10-55000> Specifies the QoS action; range is 10–55000.

name <WORD> Assigns a name to a QoS action with the designated actionID. Enter the name for the action; maximum is 16alphanumeric characters

drop-action<enable | disable| deferred-pass>

Specifies whether packets are dropped or not:

• enable—drop the traffic flow

• disable—do not drop the traffic flow

• deferred-pass—traffic flow decision deferred to otherinstalled policies

Default is deferred pass.Note: If you omit this parameter, the default value applies.

update-dscp <0-63> Specifies whether DSCP value are updated or leftunchanged; unchanged equals ignore. Enter the 6-bit DSCPvalue; range is 0 to 63.Default is ignore.

update-1p<0-7> Specifies whether 802.1p priority value are updated or leftunchanged; unchanged equals ignore:

• ieee1p—enter the value you want; range is 0 to 7

• use-egress—uses the egress map to assign value

• use-tos-prec—uses the type of service precedence toassign value.

Default is ignore.Note: Requires specification of update-dscp value.

set-drop-prec <low-drop |high-drop>

Specifies the drop precedence value:

• low-drop

• high-drop



Variable ValueDefault is low-drop.

action-ext <1-55000> Specifies the action extension; range is 1–55000.

action-ext-name <WORD> Specifies a label for the action extension; maximum is 16alphanumeric characters.

Removing QoS actions

Use the following procedure to delete QoS action entries.

Note: An action cannot be deleted if referenced by a policy, classifier block, or meter.

Delete QoS action entries by using the following command from Global Configurationmode.no qos action <10-55000>

Configuring QoS Interface Action ExtensionsQoS interface action extensions direct the WC 8180 to take specific action on each packet.This section covers the following CLI commands.

Navigation

• Creating interface action extension entries on page 207• Removing interface action extension entries on page 208

Creating interface action extension entries

Use the following procedure to create interface action extension entries.

Note: An interface extension that is referenced in an action entry cannot be deleted.

Create interface action extension entries by using the following command from GlobalConfiguration mode.qos if-action-extension <1-55000> [name <WORD>] {egress-ucast<port> | egress-non-ucast <port>}




Variable Value<1-55000> Specifies the QoS action. The range is 1–55000

name <WORD> Assigns a name to a QoS action with the designatedaction ID. Enter the name for the action; maximum is16 alphanumeric characters

egress-ucast <port> | egress-non-ucast <port>

Specifies redirection of unicast/non-unicast tospecified port.

Removing interface action extension entries

Use the following procedure to remove interface action extension entries.

Remove interface action extension entries by using the following command fromGlobal Configuration mode.no qos if-action-extension <1-55000>

Configuring QoS MetersUse the following CLI commands to set the meters, if you want to meter or police the traffic,configure the committed rate, burst rate, and burst duration.

Navigation

• Creating QoS meter entries on page 208• Removing QoS meter entries on page 209

Creating QoS meter entries

Use the following procedure to create QoS meter entries.

Create QoS meter entries by using the following command from Global Configurationmode.qos meter <1-55000> [name <WORD>] committed-rate <64-10230000>{burst-size <burst-size> max-burst-rate <64-4294967295> [max-burst-duration <1-4294967295>]} {in-profile-action <1-55000> |



in-profile-action-name <WORD>} {out-profile-action <1,9-55000>| out-profile-action-name <WORD>}


Variable Value<1-55000> Specifies the QoS meter; range is 1–55000.

name <WORD> Specifies name for meter; maximum is 16alphanumeric characters.

committed-rate <64-10230000> Specifies rate that traffic must not exceed for extendedperiods to be considered in-profile. Enter the rate inKb/s for in-profile traffic in increments of 1000 Kbits/sec; range is 64 to 10230000 Kbits/sec.

burst-size <4,8,16,...,16384> Committed burst size in Kilobytes. The value range is:4, 8, 16, 32, 64, 128, 256, 512, 1024, 2048, 4096,8192, 16384.

max-burst-rate <64-4294967295> Specifies the largest burst of traffic that can bereceived a given time for the traffic to be consideredin-profile. Used in calculating the committed burst size.Enter the burst size in Kb/s for in-profile traffic; rangeis 64 to 4294967295 Kbits/sec.

max-burst-duration<1-4294967295>

Specifies the amount of time that the largest burst oftraffic that can be received for the traffic to beconsidered in-profile. Used in calculating thecommitted burst size. Enter the burst duration in msfor in-profile traffic; range is 1–4294967295 ms.

in-profile-action <1-55000> Specifies the in-profile action ID; range is 1–55000.

in-profile-action-name <WORD> Specifies the in-profile action name.

out-profile-action <1,9-55000> Specifies the out-of-profile action ID; range is 1,9 to55000.

out-profile-action-name <word> Specifies the out of profile action name.

Removing QoS meter entries

Use the following procedure to delete QoS meter entries.

Note: A meter that is referenced in an installed policy or classifier block cannot be deleted.

Remove QoS meter entries by using the following command from Global Configurationmode.



no qos meter <1-55000>

Configuring QoS Interface ShaperNavigation

• Configuring interface shaping on page 210• Disabling interface shaping on page 211

Configuring interface shaping

Use the following procedure to configure interface shaping.

Configure interface shaping by using the following command from InterfaceConfiguration mode.qos if-shaper [port <portlist>] [name <WORD>] shape-rate<64-10230000> {burst-size <burst-size> max-burst-rate<64-4294967295> [max-burst-duration <1-4294967295>]}


Variable Valueburst-size <4,8,16, ..., 16384> Specifies the committed burst size in Kilobytes. The

value range is: 4, 8, 16, 32, 64, 128, 256, 512, 1024,2048, 4096, 8192, 16384.

port <portlist> Specifies the ports to configure shaping parameters.

name <WORD> Specifies name for if-shaper; maximum is 16alphanumeric characters.

shape-rate <64-10230000> Specifies the shaping rate in kilobits/sec; range is64-10230000 kilobits/sec.

max-burst-rate <64-4294967295> Specifies the largest burst of traffic that can bereceived a given time for the traffic to be consideredin-profile. Used in calculating the committed burst size.Enter the burst size in Kb/s for in-profile traffic; rangeis 64 to 4294967295 Kbits/sec.

max-burst-duration<1-4294967295>

Specifies the amount of time that the largest burst oftraffic that can be received for the traffic to beconsidered in-profile. Used in calculating the



Variable Valuecommitted burst size. Enter the burst duration in msfor in-profile traffic; range is 1–4294967295 ms.

Disabling interface shaping

Use the following procedure to disable interface shaping.

Disable interface shaping by using the following command from Interface Configurationmode.no qos if-shaper [port <portlist>]

Configuring QoS PoliciesUse the following CLI commands to configure QoS policies.

Navigation

• Configuring QoS policies on page 211• Removing QoS policies on page 213

Configuring QoS policies

Use the following procedure to create and configure QoS policies.

Note: All components associated with a policy, including the interface group, element,classifier, classifier block, action, and meter, must be defined before referencing thosecomponents in a policy.

Create a QoS policy by using the following command from Global Configuration mode.qos policy <1-55000> {enable|disable [name <WORD>] {port<port_list> | if-group <WORD>} clfr-type {classifier | block}{clfr-id <1-55000> | clfr-name <WORD>} {{in-profile-action<1-55000> | in-profile-action-name <WORD>} | meter <1-55000> |meter-name <WORD>}} [non-match-action <1-55000> | non-match-action-name <WORD>] precedence <1-15> [track-statistics<individual | aggregate>]}




Variable Value<1-55000> Specifies the QoS policy; range is 1–55000.

enable|disable Enables or disables the QoS policy.

name <WORD> Specifies the name for the policy; maximum is 16alphanumeric characters.

port <portlist> Specifies the ports to which to directly apply this policy.

if-group <WORD> Specifies the interface group name to which this policyapplies; maximum number of characters is 32 US-ASCII. The group name must begin with a letter withinthe range a..z or A..Z.

clfr-type <classifier | block> Specifies the classifier type; classifier or block.

clfr-id <1-55000> Specifies the classifier ID; range is 1–55000.

clfr-name <WORD> Specifies the classifier name or classifier block name;maximum is 16 alphanumeric characters.

in-profile-action <1-55000> Specifies the action ID for in-profile traffic; range is 1–55000.

in-profile-action-name <WORD> Specifies the action name for in-profile traffic;maximum is 16 alphanumeric characters.

meter <1-55000> Specifies meter ID associated with this policy; rangeis 1–55000.

meter-name <WORD> Specifies the meter name associated with this policy;maximum of 16 alphanumeric characters.

non-match-action <1-55000> Specifies the action ID for non-match traffic; range is1–55000. This parameter is not applicable to 5600Series switches.

non-match-action-name <WORD> Specifies the action name for non-match traffic;maximum is 16 alphanumeric characters.

precedence <1-15> Specifies the precedence of this policy in relation toother policies associated with the same interfacegroup. Enter precedence number; range is 1–15.Note: Policies with a lower precedence value areevaluated after policies with a higher precedencenumber. Evaluation goes from highest value to lowest.

track-statistics <individual |aggregate>

Specifies statistics tracking on this policy, either:

• individual—statistics on individual classifiers

• aggregate—aggregate statistics



Removing QoS policies

Use the following procedure to disable QoS policy entries. Policies can be enabled using theqos policy <policynum> enable command.

Remove QoS policy entries by using the following command from Global Configurationmode.no qos policy <1-55000>

QoS Generic Filter set configurationThis section contains procedures used to configure and manipulate a generic filter set.

Navigation

• Configuring a traffic profile classifier entry• Configuring a traffic profile set on page 213• Deleting a classifier, classifier block, or an entire filter set on page 217• Viewing filter descriptions on page 217

Configuring a traffic profile set

Configure a traffic profile set by performing the following procedure.

Use the following command to configure a traffic profile classifier entry.qos traffic-profile set port <port> name <name> [commited-rate<64-10230000>] [drop-nm-action <drop | pass>] [enable]This command is used in the Global Configuration mode.


Variable Valueport <port> Specifies the ports to apply the traffic profile

to.

name <name> Specifies the name of the traffic profile.

commited-rate <64-10230000> Specifies the committed rate in Kilobits persecond.



Variable Valuedrop-nm-action <drop | pass> Specifies the action to take when the packet

is nonmatching. This action is applied to alltraffic that was not previously matched by thespecified filtering data. Options are drop(packet is dropped) and pass (packet is notdropped).

enable Enables the traffic profile.

Deleting a classifier, classifier block, or an entire filter set

Delete a filter classifier or set by performing this procedure.

1. Delete a Traffic Profile classifier by using the following command from the GlobalConfiguration mode.no qos traffic-profile classifier name <classifier-name>

2. Delete a Traffic Profile set by using the following command from the GlobalConfiguration mode.no qos traffic-profile set {name <name> | port <port>}

Viewing filter descriptions

View filter descriptions by performing this procedure.

1. View classifier entries by using the following commands from the Privileged EXECConfiguration mode.show qos traffic-profile classifierORshow qos traffic-profile classifier name <classifier name>

2. View the parameters for a specific set by using the following command from thePrivileged EXEC Configuration mode.show qos traffic-profile set <set name> port <port>

3. View ports and the filter sets assigned to those ports by using the followingcommand from the Privileged EXEC Configuration mode.show qos traffic-profile interface



Configuring User Based PoliciesUse the following procedure to configure User Based Policies.

Configure User Based Policies by using the following command from the Globalconfiguration mode.qos ubpNote: To modify an entry in a filter set, you must delete the entry and add a new entrywith the desired modifications.


Variable Valueclassifier name [addr-type {ipv4|ipv6}] [block] [drop-action] [ds-field] [dst-ip] [dst-mac] [dst-port-min] [ethertype] [eval-order] [flow-id] [next-header] [priority] [protocol][set-drop-prec] [src-ip] [src-mac][src-port-min] [update-1p] [update-dscp] [vlan-min] [ vlan-tag]

Creates the User Based Policy classifier entry.Optional parameters:

• addr-type {ipv4|ipv6} specifies the type of IP addressused by this classifier entry. The type is limited toIPv4 and IPv6 addresses.

• block specifies the label to identify access listelements that are of the same block.

• drop-action specifies whether or not to drop non-conforming traffic.

• ds-field specifies the value for the DiffServCodepoint (DSCP) in a packet.

• dst-ip specifies the IP address to match against thedestination IP address of a packet.

• dst-mac specifies the MAC address against whichthe MAC destination address of incoming packets iscompared.

• dst-port-min specifies the minimum value for thelayer 4 destination port number in a packet. dst-port-max must be terminated prior to configuringthis parameter.

• ethertype specifies a value indicating the version ofEthernet protocol being used.

• eval-order specifies the evaluation order for allelements with the same name.



Variable Value

• flow-id specifies the flow identifier for IPv6 packets.

• next-header specifies the IPv6 next-header value.Values are in the range 0-255.

• priority specifies a value for the 802.1p user priority.

• protocol specifies the IPv4 protocol value.

• set-drop-prec specifies drop precendence

• src-ip specifies the IP address to match against thesource IP address of a packet.

• src-mac specifies the MAC source address ofincoming packets.

• src-port-min specifies the minimum value for theLayer 4 source port number in a packet. src-port-max must be terminated prior to configuringthis parameter.

• update-1p specifies an 802.1p value used to updateuser priority.

• update-dscp specifies a value used to update theDSCP field in an IPv4 packet.

• vlan-min specifies the minimum value for the VLANID in a packet. vlan-max must be terminated priorto configuring this parameter.

• vlan-tag specifies the type of VLAN tagging in apacket.

set name [commited-rate] [drop-nm-action] [drop-out-action] [max-burst-rate] [max-burst-duration][update-dscp-out-action] [set-priority]

Creates the User Based Policy set.Optional parameters:

• commited-rate specifies the commited rate in Kbps.

• drop-nm-action specifies the action to take when thepacket is non-matching. This action is applied to alltraffic that was not previously matched by thespecified filtering data. Options are enable (packetis dropped) and disable (packet is not dropped).

• drop-out-action specifies the action to take when apacket is out-of-profile. This action is only applied ifmetering is being enforced, and if the traffic isdeemed out of profile based on the level of traffic andthe metering criteria. Options are enable (packetis dropped) and disable (packet is not dropped).

• max-burst-rate specifies the maximum number ofbytes allowed in a single transmission burst.



Variable Value

• max-burst-duration specifies the maximum burstduration in milliseconds.

• update-dscp-out-action specifies an updated DSCPvalue for an IPv4 packet for out of profile traffic..

• set-priority specifies the priority level of this filter set.

Deleting a classifier, classifier block, or an entire filter set

Use the following procedure to delete a classifier, classifier block, or filter set.

Note: You cannot reset QoS defaults if the EAP/NEAP UBP support references a QoS UBPfilter set.

1. Delete an entire filter set by using the following command from the Globalconfiguration mode.no qos ubp name <filter name>Note: You cannot delete a filter set while it is in use.

2. Delete a classifier by using the following command from the Global configurationmode.no qos ubp name <filter name> eval-order <value>

Viewing filter descriptions

Use the following procedure to view User-based Policy filter parameters, view parameters for aspecific filter set, view ports and associated filter sets, and view classifier entries.

1. View User Based Policy filter parameters by using the following command from thePrivileged EXEC configuration mode.show qos ubp

2. View the parameters for a specific filter set by using the following command fromthe Privileged EXEC configuration mode.show qos ubp name <filter name>

3. View ports and the filter sets assigned to those ports by using the followingcommand from the Privileged EXEC configuration mode.



show qos ubp interface4. View classifier entries by using the following command from the Privileged EXEC

configuration mode.show qos ubp classifier

Maintaining the QoS AgentUse the following CLI commands to maintain the QoS agent.

Navigation

• Resetting QoS to factory default state on page 218• Configuring QOS NT mode on page 218• Configuring QoS UBP support on page 219• Configuring QoS statistics tracking type on page 219• Configuring NVRAM delay on page 220• Resetting NVRAM delay to default on page 220• Resetting the QoS agent on page 221

Resetting QoS to factory default state

Use the following procedure to delete all user-defined entries, remove all installed policies, andreset the system to its QoS factory default values.

Note 1: You cannot reset QoS defaults if the NSNA application references a QoS NSNA filterset.

Note 2: You cannot reset QoS defaults if the EAP/NEAP UBP support references a QoS UBPfilter set.

Reset QoS to factory defaults by using the following command from GlobalConfiguration mode.qos agent reset-default

Configuring QOS NT mode

This procedure describes how to configure the QoS Agent NT mode.



Configure QoS NT mode by using the following command from Global Configurationmode.qos agent nt-mode [pure|mixed|disabled]


Variable Valuedisabled NT application traffic processing is disabled on all ports.

mixed NT application traffic processing enabled on all port with egress DSCPmapping.

pure NT application traffic processing enabled on all ports without egress DSCPmapping.

Configuring QoS UBP support

Use the following procedure to configure the UBP support level.

Configure the UBP support level by using the following command from GlobalConfiguration mode.qos agent ubp [disable|epm|high-security-local|low-security-local]


Variable Valuedisable QoS agent rejects information forwarded by other applications.

epm QoS Agent notifications generated for EPM based on userinformation forwarded by other applications.

high-security-local User may be rejected if resources needed to install the UBP filter setare not available.

low-security-local User may be accepted even if the UBP filter set could not be applied.

Configuring QoS statistics tracking type

This procedure describes the steps necessary to configure the type of statistics tracking usedwith QoS.



Configure the QoS statistics tracking type by using the following command from GlobalConfiguration mode.qos agent statistics-tracking [aggregate|disable|individual]


Variable Valueaggregate Allocates a single statistics counter to track data for all classifiers

contained in the QoS policy being created.

disable Disable statistics tracking.

individual Allocates individual statistics counters to track data for each classifiercontained in the QoS policy being created.

Configuring NVRAM delay

Use the following procedure to specify the maximum amount of time, in seconds, before non-volatile QoS configuration is written to non-volatile storage. Delaying NVRAM access can beused to minimize file input and output. This can aid QoS agent efficiency if a large amount ofQoS data is being configured.

Configure NVRAM delay by using the following command from Global Configurationmode.qos agent nvram-delay <0-604800>Default is 10 seconds.

Resetting NVRAM delay to default

Use the following procedure to reset the NVRAM delay time to factory default.

Reset NVRAM delay to default by using the following command from GlobalConfiguration mode.default qos agent nvram-delay



Resetting the QoS agent

Use the following procedure to delete all user-defined entries, remove all installed policies, andreset the system to its QoS factory default values.

Reset the QoS agent by using the following command from Global Configuration mode.default qos agent

Configuring DoS Attack Prevention PackageThis section contains procedures used to configure the DoS Attack Prevention Package(DAPP). This feature is only applicable to the 8100 Series switch.

Navigation

• Enabling DAPP on page 221• Configuring DAPP status tracking on page 221• Configuring DAPP minimum TCP header size on page 222• Configuring DAPP maximum IPv4 ICMP length on page 222• Configuring DAPP maximum IPv6 ICMP length on page 222

Enabling DAPP

This procedure describes the steps necessary to enable DAPP.

Enable DAPP by using the following command from Global Configuration mode:[no] qos agent dos-attack-prevention enableUse the no form of this command to disable.

Configuring DAPP status tracking

This procedure describes how to configure DAPP status tracking.

Note: If adequate resources are not available to enable this feature the command will fail.



Enable DAPP status tracking by using the following command from GlobalConfiguration mode:qos agent dos-attack-prevention status-tracking [enable | max-ipv4-icmp | max-ipv6-icmp | min-tcp-header]

Configuring DAPP maximum IPv6 ICMP lengthThis procedure describes how to set the maximum IPv6 ICMP length used by DAPP.

Set the maximum IPv6 ICMP length by using the following command from GlobalConfiguration mode:qos agent dos-attack-prevention max-ipv6-icmp <0-16383>

Configuring DAPP minimum TCP header size

This procedure describes how to set the minimum TCP header size used by DAPP.

Set the minimum TCP header size by using the following command from GlobalConfiguration mode:qos agent dos-attack-prevention min-tcp-header <0-255>

Configuring DAPP maximum IPv4 ICMP length

This procedure describes how to set the maximum IPv4 ICMP length used by DAPP.

Set the maximum IPv4 ICMP length by using the following command from GlobalConfiguration mode:qos agent dos-attack-prevention max-ipv4-icmp <0-1023>

Configuring ServiceabilityThis chapter describes the methods and procedures necessary to configure RMON and IPFIX.



Navigation

• Configuring RMON with the CLI on page 223• Configuring IPFIX using CLI on page 228

Configuring RMON with the CLIThis section describes the CLI commands used to configure and manage RMON.

Navigation

• Viewing RMON alarms on page 223• Viewing RMON events on page 223• Viewing RMON history on page 224• Viewing RMON statistics on page 224• Setting RMON alarms on page 224• Deleting RMON alarm table entries on page 225• Configuring RMON event log and traps on page 226• Deleting RMON event table entries on page 226• Configuring RMON history on page 226• Deleting RMON history table entries. on page 227• Configuring RMON statistics on page 227• Disabling RMON statistics on page 228

Viewing RMON alarms

Use the following procedure to view RMON alarms.

1. Enter Privileged Executive mode.

2. Use the show rmon alarm command to display information about RMON alarms.

Viewing RMON events

Use the following procedure to display information regarding RMON events.

Configuring Serviceability



2. Enter the show rmon event command.

Viewing RMON history

Use this procedure to display information regarding the configuration of RMON history.


2. Enter the show rmon history [<port>] command.


Variable Definition<port> The specified port number for which RMON

history settings is displayed.

Viewing RMON statistics

Use the following procedure to display information regarding the configuration of RMONstatistics.


2. Enter the show rmon stats command.

Setting RMON alarms

Use the following procedure to set

1. Enter Global Configuration mode.

2. Enter the rmon alarm <1-65535> <WORD> <1-2147483647> {absolute |delta} rising-threshold <-2147483648-2147483647> [<1-65535>]



falling-threshold <-2147483648-2147483647> [<1-65535>][owner <LINE>] command.


Parameter Description<1-65535> Unique index for the alarm entry.

<WORD> The MIB object to be monitored. This object identifier can be anEnglish name.

<1-2147483647> The sampling interval, in seconds.

absolute Use absolute values (value of the MIB object is compareddirectly with thresholds).

delta Use delta values (change in the value of the MIB object betweensamples is compared with thresholds).

rising-threshold<-2147483648-2147483647 > [<1-65535>]

The first integer value is the rising threshold value. The optionalsecond integer specifies the event entry to be triggered after therising threshold is crossed. If omitted, or if an invalid event entryis referenced, no event is triggered.

falling-threshold<-2147483648-2147483647 > [<1-65535>]

The first integer value is the falling threshold value. The optionalsecond integer specifies the event entry to be triggered after thefalling threshold is crossed. If omitted, or if an invalid event entryis referenced, no event is triggered.

[owner <LINE>] Specify an owner string to identify the alarm entry.

Deleting RMON alarm table entries

Use the following procedure to delete RMON alarm table entries.


2. Enter the no rmon alarm [<1-65535>] command.


Variable Definition[<1-65535>] The number assigned to the alarm. If no

number is selected, all RMON alarm tableentries are deleted.



Configuring RMON event log and traps

Use the following procedure to configure RMON event log and trap settings.


2. Enter the rmon event <1-65535> [log] [trap] [description <LINE>][owner <LINE>] command.


Parameter Description<1-65535> Unique index for the event entry.

[log] Record events in the log table.

[trap] Generate SNMP trap messages for events.

[description <LINE>] Specify a textual description for the event.

[owner <LINE>] Specify an owner string to identify the event entry.

Deleting RMON event table entries

Use the following procedure to clear entries in the table.


2. Enter the no rmon event [<1-65535>] command to delete the entries.


Variable Definition[<1-65535>] Unique identifier of the event. If not given, all

table entries are deleted.

Configuring RMON history

Use the following procedure to configure RMON history settings.




2. Enter the rmon history <1-65535> <LINE> <1-65535> <1-3600>[owner <LINE>] command to configure the RMON history..


Parameter Description<1-65535> Unique index for the history entry.

<LINE> Specify the port number to be monitored.

<1-65535> The number of history buckets (records) to keep.

<1-3600> The sampling rate (how often a history sample is collected).

[owner <LINE>] Specify an owner string to identify the history entry.

Deleting RMON history table entries.

Use this procedure to delete RMON history table entries.


2. Enter the no rmon history [<1-65535>] command to delete the entries.


Variable Definition[<1-65535>] Unique identifier of the event. If not given, all

table entries are deleted.

Configuring RMON statistics

Use this procedure to configure RMON statistics settings.


2. Enter the rmon stats <1-65535> <LINE> [owner <LINE>] command toconfigure RMON statistics.




Parameter Description<1-65535> Unique index for the stats entry.

[owner <LINE>] Specify an owner string to identify the stats entry.

Disabling RMON statistics

Use this procedure to disable RMON statistics. If the variable is omitted, all entries in the tableare cleared.


2. Enter the no rmon stats [<1-65535>] command to disable RMON statistics.


Variable Definition<1-65535> Unique index for the statistics entry. If

omitted, all statistics are disabled.

Configuring IPFIX using CLIThis section describes the commands used in the configuration and management of IP FlowInformation Export (IPFIX) using the CLI.

Navigation

• Configuring IPFIX collectors on page 228• Enabling IPFIX globally on page 229• Configuring unit specific IPFIX on page 229• Enabling IPFIX on the interface on page 230• Enabling IPFIX export through ports on page 230• Deleting the IPFIX information for a port on page 231• Viewing the IPFIX table on page 231

Configuring IPFIX collectors

The ip ipfix collector command is used to configure IPFIX collectors. IPFIX collectorsare used to collect and analyze data exported from an IPFIX compliant switch. In Software



Release 5.0, the only external collector supported is NetQOS. At this time, up to two collectorscan be supported.

IPFIX data is exported from the switch in Netflow version 9 format. Data is exported using UDPport 9995.

IPFIX data is not load balanced when two collectors are in use. Identical information is sent toboth collectors.

Use the following procedure to configure the IPFIX collectors.


2. Use the ip ipfix collector <unit_number> <collector_ip_address>command to configure the IPFIX collector.


Parameter Description<unit_number> The unit number of the collector. Currently up to two collectors

are supported so the values 1 or 2 are valid.

<collector_ip_address> The IP address of the collector.

Enabling IPFIX globally

Use the following procedure to globally enable IPFIX on the switch.


2. Use the ip ipfix enable command to enable IPFIX on the switch.

Configuring unit specific IPFIX

Use the following command to configure unit specific IPFIX parameters.


2. Use the ip ipfix slot <unit_number> [aging-interval<aging_interval>] [export-interval <export_interval>][exporter-enable] [template-refresh-interval



<template_refresh_interval>] [template-refresh-packets<template_refresh_packets>] command to enable IPFIX on the switch.


Parameter Description<unit_number> The unit number of the collector. Currently up to two collectors

are supported so the values 1 or 2 are valid.

<aging_interval> The IPFIX aging interval. This value is in seconds from 0 to2147400.

<export_interval> The IPFIX export interval. This interval is the value at whichIPFIX data is exported in seconds from 10 to 3600.

<template_refresh_interval>

The IPFIX template refresh interval. This value is in secondsfrom 300 to 3600.

<template_refresh_packets>

The IPFIX template refresh packet setting. This value is thenumber of packets from 10000 - 100000.

Enabling IPFIX on the interface

Use the following procedure to enable IPFIX on the interface.

1. Enter Interface Configuration mode.

2. Use the ip ipfix enable command to enable IPFIX on the interface.

Enabling IPFIX export through ports

Use the following procedure to enable the ports exporting data through IPFIX.

1. Enter Interface Configuration mode.

2. Use the ip ipfix port <port_list> command to enable IPFIX on theinterface.


Variable Definitionport-list Single or comma-separated list of ports.



Deleting the IPFIX information for a port

Use the following procedure to delete the collected IPFIX information for a port.


2. Use the ip ipfix flush port <port_list> [export-and-flush]command to delete the collected IPFIX information for the port or ports.


Variable Definitionport-list Single or comma-separated list of ports.

export-and-flush Export data to a collector before it is deleted.

Viewing the IPFIX table

Use the following procedure to display IPFIX data collected from the switch.


2. Use the show ip ipfix table <unit_number> sort-by <sort_by>sort-order <sort_order> display <num_entries> command view theIPFIX data.


Variable Definition<unit_number> The unit number of the collector. Currently up to two collectors are

supported so the values 1 or 2 are valid.

<sort_by> The value on which the data is sorted. Valid options are:

• byte-count

• dest-addr

• first-pkt-time

• last-pkt-time

• pkt-count

• port



Variable Definition

• protocol

• source-addr

• TCP-UDP-dest-port

• TCP-UDP-src-port

• TOS

<sort_order> The order in which the data is sorted. Valid options are ascending anddescending.

<num_entries> The number of data rows to display. Valid options are:

• all

• top-10

• top-25

• top-50

• top-100

• top-200

Configuring diagnostics and graphingThis chapter describes the methods and procedures necessary to configure diagnostics andgraphing.

Navigation

• System diagnostics and statistics using CLI on page 232• Network monitoring configuration using CLI on page 234

System diagnostics and statistics using CLIThis chapter describes the procedures you can use to perform system diagnostics and gatherstatistics using CLI.

Navigation

• Viewing port-statistics on page 233• Displaying port operational status on page 233• Validating port operational status on page 233• Showing port information on page 234



Viewing port-statistics

Use this procedure to view the statistics for the port on both received and transmitted traffic.


2. Enter the show port-statistics [port <portlist>] command.


Variable Definitionport <portlist> The ports to display statistics for. When no port list is

specified, all ports are shown.

Displaying port operational status

Use this procedure to display the port operational status.

Important:If you use a terminal with a width of greater than 80 characters, the output is displayed in atabular format.


2. Enter the show interfaces [port list] verbose command. If you issuethe command with no parameters the port status is shown for all ports.

3. Observe the CLI output.

Validating port operational status

VLACP: Configure VLACP on port 1 from a 8100 series unit and on port 2 on 5000 series unit.Have a link between these 2 ports. When the show interfaces command is typed, VLACPstatus is up for port on the unit where the command is typed. Pull out the link from the otherswitch, VLACP status goes Down.

STP: After switch boots, type show interfaces command. STP Status is Listening (wait afew seconds and try again). STP Status becomes Learning.

Configuring diagnostics and graphing


After a while (15 seconds is the forward delay default value, only if you did not configure anothertime interval for STP forward delay), if you type show interfaces again, STP Status shouldbe forwarding.

Showing port information

Perform this procedure to display port configuration information.


2. Enter the show interfaces <portlist> config command.

3. Observe the CLI output.

Network monitoring configuration using CLIThis section describes using CLI to view and configure network monitoring.

Navigation

• Viewing CPU utilization on page 234• Viewing memory utilization on page 235• Configuring the system log on page 235• Configuring remote logging on page 237• Configuring port mirroring on page 239• Displaying Many-to-Many port-mirroring on page 241• Configuring Many-to-Many port-mirroring on page 242• Disabling Many-to-Many port-mirroring on page 243

Viewing CPU utilization

Use this procedure to view the CPU utilization


2. Enter the show cpu-utilization command.

3. Observe the displayed information.



Viewing memory utilization

Use this procedure to view the memory utilization


2. Enter the show memory-utilization command.


Configuring the system log

This section outlines the CLI commands used in the configuration and management of thesystem log.

Navigation

• Displaying the system log on page 235• Configuring the system log on page 236• Disabling the system log on page 236• Setting the system log to default on page 236• Clearing the system log on page 236

Displaying the system logUse this procedure to displays the configuration, and the current contents, of the system eventlog.

Enter the show show logging [config] [critical] [serious][informational] [sort-reverse] command Privileged Executive mode.


Variable Valueconfig Display configuration of event logging.

critical Display critical log messages.

serious Display serious log messages.

informational Display informational log messages.

sort-reverse Display informational log messages in reversechronological order (beginning with most recent).



Configuring the system logUse this procedure to configure the system settings for the system event log.

Enter the logging [enable | disable] [level critical | serious |informational | none] [nv-level critical | serious | none]command Privileged Executive mode.


Variable Valueenable | disable Enables or disables the event log (default is Enabled).

level critical | serious | informational| none

Specifies the level of logging stored in DRAM.

nv-level critical | serious | none Specifies the level of logging stored in NVRAM.

Disabling the system logUse this procedure to disable the system event log.

Enter the no logging command in global configuration mode.

Setting the system log to defaultUse this procedure to default the system event log configuration.

Enter the default logging command in global configuration mode.

Clearing the system logUse this procedure to clear all log messages in DRAM.

Enter the clear logging system [non-volatile] [nv] [volatile]command in global configuration mode.


Variable Valuenon-volatile Clears log messages from NVRAM.

nv Clears log messages from NVRAM and DRAM.



Variable Valuevolatile Clears log messages from DRAM.

Configuring remote logging

Use the CLI to configure remote logging. This section discusses the commands that enableremote logging.

Navigation

• Displaying logging on page 237• Enabling remote logging on page 237• Disabling remote logging on page 237• Setting the remote logging address on page 238• Clearing the remote server IP address on page 238• Setting the log severity on page 238• Resetting the severity level on page 239• Setting the default remote logging level on page 239

Displaying loggingUse this procedure to display the configuration and the current contents of the system eventlog.


2. Enter the show logging command to display the log.

Enabling remote loggingUse this procedure to enable remote logging. By default, remote logging is disabled.


2. Enter the logging remote enable command to enable the use of a remotesyslog server.

Disabling remote loggingUse this procedure to disable remote logging.




2. Enter the no logging remote enable command to disable the use of a remotesyslog server.

Setting the remote logging addressUse this procedure to set the address of the remote server for the syslog.


2. Enter the logging remote address <A.B.C.D> command to disable the useof a remote syslog server.


Parameters and variables Description<A.B.C.D> Specifies the IP address of the remote server in

dotted-decimal notation. The default address is0.0.0.0.

Clearing the remote server IP addressUse this procedure to clear the IP address of the remote server.


2. Enter the no logging remote address command to clear the IP address ofthe remote syslog server.

Setting the log severityUse this command to set the severity level of the logs sent to the remote server.


2. Enter the logging remote level {critical | informational |serious | none} command to set the severity level of the logs that will be sent tothe server.




Parameters and variables Description{critical | serious | informational |none}

Specifies the severity level of the log messages to besent to the remote server:

• critical

• informational

• serious

• none

Resetting the severity levelUse this command to remove severity level setting


2. Enter the no logging remote level command to remove the severity level ofthe logs that will be sent to the server. The level is set to none.

Setting the default remote logging levelUse this procedure to set the remote logging level to default.


2. Enter the default logging remote level command to sets the severity levelof the logs sent to the remote server. The default level is none.

Configuring port mirroring

Port mirroring can be configured with the CLI commands detailed in this section.

Navigation

• Displaying the port-mirroring configuration on page 239• Configure port-mirroring on page 240• Disabling port-mirroring on page 241

Displaying the port-mirroring configurationUse this procedure to display the existing port-mirroring configuration.




2. Enter the show port-mirroring command to display the port-mirroringconfiguration.

Configure port-mirroringUse this procedure to set the port-mirroring configuration


2. Enter the port-mirroring mode {disable | Xrx monitor-port<portlist> mirror-ports <portlist> | Xtx monitor-port<portlist> mirror-ports <portlist> | ManytoOneRx monitor-port <portlist> mirror-ports <portlist> | ManytoOneTxmonitor-port <portlist> mirror-port-X <portlist> |ManytoOneRxTx monitor-port <portlist> mirror-port-X<portlist> | XrxOrXtx monitor-port <portlist> mirror-port-X<portlist> | XrxOrYtx monitor-port <portlist> mirror-port-X<portlist> mirror-port-Y <portlist> | XrxYtxmonitor-port<portlist> mirror-port-X <portlist> mirror-port-Y <portlist>| XrxYtxOrYrxXtx monitor-port <portlist> mirror-port-X<portlist> mirror-port-Y <portlist> | Asrc monitor-port<portlist> mirror-MAC-A <macaddr> | Adst monitor-port<portlist> mirror-MAC-A <macaddr> | AsrcOrAdst monitor-port<portlist> mirror-MAC-A <macaddr> | AsrcBdst monitor-port<portlist> mirror-MAC-A <macaddr> mirror-MAC-B <macaddr> |AsrcBdstOrBsrcAdst monitor-port <portlist> mirror-MAC-A<macaddr> mirror-MAC-B <macaddr>} command to display the port-mirroring configuration.


Parameter Descriptiondisable Disables port-mirroring.

monitor-port Specifies the monitor port.

mirror-port-X Specifies the mirroring port X.

mirror-port-Y Specifies the mirroring port Y.

mirror-MAC-A Specifies the mirroring MAC address A.

mirror-MAC-B Specifies the mirroring MAC address B.

portlist Enter the port numbers.



Parameter DescriptionManytoOneRx Many to one port mirroring on ingress packets.

ManytoOneTx Many to one port mirroring on egress packets.

ManytoOneRxTx Many to one port mirroring on ingress and egresstraffic.

Xrx Mirror packets received on port X.

Xtx Mirror packets transmitted on port X.

XrxOrXtx Mirror packets received or transmitted on port X.

XrxYtx Mirror packets received on port X and transmitted onport Y. This mode is not recommended for mirroringbroadcast and multicast traffic.

XrxYtxOrXtxYrx Mirror packets received on port X and transmitted onport Y or packets received on port Y and transmittedon port X.

XrxOrYtx Mirror packets received on port X or transmitted onport Y.

macaddr Enter the MAC address in format H.H.H.

Asrc Mirror packets with source MAC address A.

Adst Mirror packets with destination MAC address A.

AsrcOrAdst Mirror packets with source or destination MACaddress A.

AsrcBdst Mirror packets with source MAC address A anddestination MAC address B.

AsrcBdstOrBsrcAdst Mirror packets with source MAC address A anddestination MAC address B or packets with sourceMAC address B and destination MAC address A.

Disabling port-mirroringUse this procedure to disable port-mirroring

1. Enter Global Configuration mode

2. Enter the no port-mirroring command to disable port-mirroring.

Displaying Many-to-Many port-mirroringUse this procedure to display Many-to-Many port-mirroring settings



1. Enter Privileged Executive mode

2. Enter the show port-mirroring command.


Configuring Many-to-Many port-mirroringUse this procedure to configure Many-to-Many port-mirroring


2. Enter the port-mirroring <1-4> mode {disable | Adst | Asrc |AsrcBdst | AsrcBdstOrBsrcAdst | AsrcOrAdst | ManyToOneRx |ManyToOneRxTx | ManyToOneTx | Xrx | XrxOrXtx | XrxOrYtx |XrxYtx | XrxYtxOrYrxXtx | Xtx} command.

3. Enter the command from step 2 for up to four instances.


Variable Valuedisable Disable mirroring.

Adst Mirror packets with destination MAC addressA

Asrc Mirror packets with source MAC address A.

AsrcBdst Mirror packets with source MAC address Aand destination MAC address B.

AsrcBdstOrBsrcAdst Mirror packets with source MAC address Aand destination MAC address B or packetswith source MAC address B and destinationMAC address A.

AsrcOrAdst Mirror packets with source or destinationMAC address A.

ManyToOneRx Mirror many to one port mirroring on ingresspackets.

ManyToOneRxTx Mirror many to one port mirroring on ingressand egress packets.

ManyToOneTx Mirror many to one port mirroring on egresspackets.

Xrx Mirror packets received on port X.



Variable ValueXrxOrXtx Mirror packets received on port X and

transmitted on port Y.

XrxYtx Mirror packets received on port X andtransmitted on port Y.

XrxYtxOrYrxXtx Mirror packets received on port X andtransmitted on port Y or packets received onport Y and transmitted on port X.

Xtx Mirror packets received on port X ortransmitted on port Y

Disabling Many-to-Many port-mirroringUse this procedure to disable Many-to-Many port-mirroring


2. Enter the port-mirroring [<1-4>] mode disable or no port-mirroring [<1-4>] command to disable a specific instance.

3. Enter the no port-mirroring command to disable all instances.


Variable Definition<1-4> The port-mirroring instance.



config cli

Documents

press ctrl

access point

multiple trap

global configuration

varying access

privexec command

configuring

interface