Sun Netra CP3140 Switch Software Reference Manual

This chapter provides a detailed explanation of the Switching commands. It includes the following configuration types:

• System Information and Statistics Commands
• System Management Commands
• SNMP Community Commands
• Management VLAN Command
• System Configuration Commands
• Virtual LAN (VLAN) Commands
• System Utility Commands
• User Account Commands
• Port Based Network Access Control (IEEE 802.1X) Commands
• Remote Authentication Dial In User Service (RADIUS) Commands
• Secure Shell (SSH) Commands
• Hypertext Transfer Protocol (HTTP) Commands
• DHCP Server Commands
• Double VLAN Commands
• Provisioning (IEEE 802.1p) Commands
• GARP Commands
• GARP VLAN Registration Protocol (GVRP) Commands
• GARP Multicast Registration Protocol (GMRP) Commands
• Internet Group Management Protocol (IGMP) Commands
• Spanning Tree (STP) Commands
• Layer 2 Failover Commands
• Link Aggregation (LAG)/Port-Channel (802.3AD) Commands

---

System Information and Statistics Commands

This section provides a detailed explanation of the FASTPATH software platform commands. The commands are divided into four functional groups:

• Show commands display switch settings, statistics, and other information.
• Configuration commands configure features and options of the switch. For every configuration command, there is a show command that displays the configuration setting.
• Copy commands transfer or save configuration and informational files to and from the switch.
• Clear commands clear some or all of the settings to factory defaults.

show arp switch

This command displays connectivity between the switch and other devices. The Address Resolution Protocol (ARP) cache identifies the MAC addresses of the IP stations communicating with the switch.

• Format - show arp switch
• Mode - Privileged EXEC



TABLE 5-1 Entry Definitions for show arp switch

Entry	Definition
MAC Address	A unicast MAC address for which the switch has forwarding and/or filtering information. The format is six two-digit hexadecimal numbers that are separated by colons--for example, 01:23:45:67:89:AB
IP Address	The IP address assigned to each interface.
slot/port	Valid slot and port number separated by forward slashes.

show eventlog

This command displays the event log, which contains error messages from the system. The event log is not cleared on a system reset.

• Format - show eventlog
• Mode - Privileged EXEC



TABLE 5-2 Entry Definitions for show eventlog

Entry	Definition
File	The file in which the event originated.
Line	The line number of the event
Task Id	The task ID of the event
Code	The event code
Time	The time this event occurred

show hardware

This command displays inventory information for the switch.

• Format - show hardware
• Mode - Privileged EXEC



TABLE 5-3 Entry Definitions for show hardware

Entry	Definition
Switch Description	Text used to identify the product name of this switch
Machine Type	The machine model as defined by the Vital Product Data
Machine Model	The machine model as defined by the Vital Product Data
Serial Number	The unique box serial number for this switch
FRU Number	The field-replaceable unit number
Part Number	Manufacturing part number
Maintenance Level	Indicates hardware changes that are significant to software
Manufacturer	Manufacturer descriptor field
Burned in MAC Address	Universally assigned network address
Software Version	The release.version.revision number of the code currently running on the switch
Operating System	The operating system currently running on the switch
Network Processing Element	The type of the processor microcode
Additional Packages	This displays the additional packages that are incorporated into this system, such as FASTPATH BGP-4, or FASTPATH Multicast

show interface

This command displays a summary of statistics for a specific port or a count of all CPU traffic based upon the argument.

• Format - show interface {<slot/port> | switchport}
• Mode - Privileged EXEC

The display parameters, when the argument is <slot/port>, are as follows.

The display parameters, when the argument is switchport, are as follows.

show interface ethernet

This command displays detailed statistics for a specific port or for all CPU traffic based upon the argument.

• Format - show interface ethernet {<slot/port> | switchport}
• Mode - Privileged EXEC

The display parameters, when the argument is '<slot/port>', are as follows.

The display parameters, when the argument is ‘switchport’, are as follows.

show logging

This command displays the trap log maintained by the switch. The trap log contains a maximum of 256 entries that wrap.

• Format - show logging
• Mode - Privileged EXEC



TABLE 5-8 Entry Definitions for show logging

Entry	Definition
Number of Traps since last reset	The number of traps that have occurred since the last reset of this device.
Number of Traps since log last displayed	The number of traps that have occurred since the traps were last displayed. Getting the traps by any method (terminal interface display, Web display, upload file from switch etc.) will result in this counter being cleared to 0.
Log	The sequence number of this trap.
System Up Time	The relative time since the last reboot of the switch at which this trap occurred.
Trap	The relevant information of this trap.

show mac-addr-table

This command displays the forwarding database entries. If the command is entered with no parameter, the entire table is displayed. This is the same as entering the optional all parameter. Alternatively, the administrator can enter a MAC Address to display the table entry for the requested MAC address and all entries following the requested MAC address.

• Format - show mac-addr-table [<macaddr> | all]
• Mode - Privileged EXEC



TABLE 5-9 Entry Definitions for show mac-addr-table

Entry	Definition
Mac Address	A unicast MAC address for which the switch has forwarding and or filtering information. The format is 6 or 8 two-digit hexadecimal numbers that are separated by colons, for example 01:23:45:67:89:AB. In an IVL system the MAC address will be displayed as 8 bytes.
Slot/Port	The port which this address was learned.
if Index	This object indicates the ifIndex of the interface table entry associated with this port.
Status	The status of this entry. The meanings of the values are: Static - The value of the corresponding instance was added by the system or a user when a static MAC filter was defined. It cannot be relearned. Learned - The value of the corresponding instance was learned by observing the source MAC addresses of incoming traffic, and is currently in use. Management - The value of the corresponding instance (system MAC address) is also the value of an existing instance of dot1dStaticAddress. It is identified with interface 0/1 and is currently used when enabling VLANs for routing. Self - The value of the corresponding instance is the address of one of the switch’s physical interfaces (the system’s own MAC address). GMRP Learned - The value of the corresponding was learned via GMRP and applies to Multicast. Other - The value of the corresponding instance does not fall into one of the other categories.

show msglog

This command displays the message log maintained by the switch. The message log contains system trace information.

The trap log contains a maximum of 256 entries that wrap.

• Format - show msglog
• Mode - Privileged EXEC



TABLE 5-10 Entry Definitions for show msglog

Entry	Definition
Message	The message that has been logged.

show running-config

This command is used to display the current setting of different protocol packages supported on the switch. This command displays only those parameters with values of that from default value. The output is displayed in the script format, which can be used to configure another switch with same configuration.

• Format - show running-config
• Mode - Privileged EXEC

show sysinfo

This command displays switch information.

• Format - show sysinfo
• Mode - Privileged EXEC



TABLE 5-11 Entry Definitions for show sysinfo

Entry	Definition
Switch Description	Text used to identify this switch.
System Name	Name used to identify the switch.
System Location	Text used to identify the location of the switch. May be up to 31 alphanumeric characters. The factory default is blank.
System Contact	Text used to identify a contact person for this switch. May be up to 31 alphanumeric characters. The factory default is blank.
System ObjectID	The base object ID for the switch’s enterprise MIB.
System Up Time	The time in days, hours, and minutes since the last switch reboot.
MIBs Supported	A list of MIBs supported by this agent.

snmp-server

This command sets the name and the physical location of the switch, and the organization responsible for the network.The range for name, location and contact is from 1 to 31 alphanumeric characters.

• Default - none
• Format - snmp-server {sysname <name> | location <loc> | contact <con>}
• Mode - Global Config

---

System Management Commands

These commands manage the switch and show current management settings. The commands are divided into two functional groups:

• Show commands display switch settings, statistics, and other information.
• Configuration commands configure features and options of the switch. For every configuration command, there is a show command that displays the configuration setting.

bridge aging-time

This command configures the forwarding database address aging timeout in seconds. In an IVL system, the [fdbid | all] parameter is required.

• Default - 300
• Format - bridge aging-time <10-1,000,000> [fdbid | all]
• Mode - Global Config



TABLE 5-12 Entry Definitions for bridge aging-time

Entry	Definition
Seconds	The <seconds> parameter must be within the range of 10 to 1,000,000 seconds.
Forwarding Database ID	Fdbid (Forwarding database ID) indicates which forwarding database's aging timeout is being configured. The All option is used to configure all forwarding database's agetime.

no bridge aging-time

This command sets the forwarding database address aging timeout to 300 seconds. In an IVL system, the [fdbid | all] parameter is required.

• Format - no bridge aging-time [fdbid | all]
• Mode - Global Config



TABLE 5-13 Entry Definitions for no bridge aging-time

Entry	Definition
Forwarding Database ID	Fdbid (Forwarding database ID) indicates which forwarding database's aging timeout is being configured. All is used to configure all forwarding database's agetime.

mtu

This command sets the maximum transmission unit (MTU) size (in bytes) for physical and port-channel (LAG) interfaces. For the standard implementation, the range of <mtusize> is a valid integer between 1522-9216.

• Default - 1522
• Format - mtu <1522-9216>
• Mode - Interface Config

no mtu

This command sets the default maximum transmission unit (MTU) size (in bytes) for the interface.

• Format - no mtu
• Mode - Interface Config

network javamode

This command specifies whether or not the switch should allow access to the Java applet in the header frame of the Web interface. When access is enabled, the Java applet can be viewed from the Web interface. When access is disabled, the user cannot view the Java applet.

• Default - enabled
• Format - network javamode
• Mode - Privileged EXEC

no network javamode

This command disallows access to the Java applet in the header frame of the Web interface. When access is disabled, the user cannot view the Java applet.

• Format - no network javamode
• Mode - Privileged EXEC

network mac-address

This command sets locally administered MAC addresses. The following rules apply:

• Bit 6 of byte 0 (called the U/L bit) indicates whether the address is universally administered (b'0') or locally administered (b'1').
• Bit 7 of byte 0 (called the I/G bit) indicates whether the destination address is an individual address (b'0') or a group address (b'1').

The second character, of the twelve character macaddr, must be 2, 6, A or E.

A locally administered address must have bit 6 On (b'1') and bit 7 Off (b'0').

• Format - network mac-address <macaddr>
• Mode - Privileged EXEC

network mac-type

This command specifies whether the burned in MAC address or the locally-administered MAC address is used.

• Default - burnedin
• Format - network mac-type {local | burnedin}
• Mode - Privileged EXEC

no network mac-type

This command resets the value of MAC address to its default.

• Format - no network mac-type
• Mode - Privileged EXEC

network parms

This command sets the IP Address, subnet mask and gateway of the router. The IP Address and the gateway must be on the same subnet.

• Format - network parms <ipaddr> <netmask> [<gateway>]
• Mode - Privileged EXEC

network protocol

This command specifies the network configuration protocol to be used. If you modify this value change is effective immediately. The parameter bootp indicates that the switch periodically sends requests to a Bootstrap Protocol (BootP) server or a dhcp server until a response is received. none indicates that the switch should be manually configured with IP information.

• Default - none
• Format - network protocol {none | bootp | dhcp}
• Mode - Privileged EXEC

remotecon maxsessions

This command specifies the maximum number of remote connection sessions that can be established. A value of 0 indicates that no remote connection can be established. The range is 0 to 5.

• Default - 5
• Format - remotecon maxsessions <0-5>
• Mode - Privileged EXEC

no remotecon maxsessions

This command sets the maximum number of remote connection sessions that can be established to the default value.

• Format - no remotecon maxsessions
• Mode - Privileged EXEC

remotecon timeout

This command sets the remote connection session timeout value, in minutes. A session is active as long as the session has been idle for the value set. A value of 0 indicates that a session remains active indefinitely. The time is a decimal value from 0 to 160.

• Default - 5
• Format - remotecon timeout <0-160>
• Mode - Privileged EXEC

no remotecon timeout

This command sets the remote connection session timeout value, in minutes, to the default.

• Format - no remotecon timeout
• Mode - Privileged EXEC

serial baudrate

This command specifies the communication rate of the terminal interface. The supported rates are 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200.

• Default - 9600
• Format - serial baudrate {1200 | 2400 | 4800 | 9600 | 19200 | 38400 | 57600 | 115200}
• Mode - Line Config

no serial baudrate

This command sets the communication rate of the terminal interface.

• Format - no serial baudrate
• Mode - Line Config

serial timeout

This command specifies the maximum connect time (in minutes) without console activity. A value of 0 indicates that a console can be connected indefinitely. The time range is 0 to 160.

• Default - 5
• Format - serial timeout <0-160>
• Mode - Line Config

no serial timeout

This command sets the maximum connect time (in minutes) without console activity.

• Format - no serial timeout
• Mode - Line Config

set prompt

This command changes the name of the prompt. The length of name may be up to 64 alphanumeric characters.

• Format - set prompt <prompt string>
• Mode - Privileged EXEC

serviceport ip

This command sets the IP address, the netmask and the gateway of the router.

• Format - serviceport ip <ipaddr> <netmask> [gateway]
• Mode - Privileged EXEC

serviceport protocol

This command specifies the servicePort configuration protocol. If you modify this value, the change takes effect immediately.

• Format - serviceport protocol {none | bootp | dhcp}
• Mode - Privileged EXEC

show forwardingdb agetime

This command displays the timeout for address aging. In an IVL system, the [fdbid | all] parameter is required.

• Default - all
• Format - show forwardingdb agetime [fdbid | all]
• Mode - Privileged EXEC



TABLE 5-14 Entry Definitions for show forwardingdb agetime

Entry	Definition
Forwarding DB ID	Fdbid (Forwarding database ID) indicates the forwarding database whose aging timeout is to be shown. The all option is used to display the aging timeouts associated with all forwarding databases. This field displays the forwarding database ID in an IVL system.
Agetime	In an IVL system, this parameter displays the address aging timeout for the associated forwarding database.

show network

This command displays configuration settings associated with the switch's network interface. The network interface is the logical interface used for in-band connectivity with the switch via any of the switch's front panel ports. The configuration parameters associated with the switch's network interface do not affect the configuration of the front panel ports through which traffic is switched or routed.

• Format - show network
• Mode - Privileged EXEC and User EXEC



TABLE 5-15 Entry Definitions for show network

Entry	Definition
IP Address	The IP address of the interface. The factory default value is 0.0.0.0
Subnet Mask	The IP subnet mask for this interface. The factory default value is 0.0.0.0
Default Gateway	The default gateway for this IP interface. The factory default value is 0.0.0.0
Burned In MAC Address	The burned in MAC address used for in-band connectivity.
Locally Administered MAC Address	If desired, a locally administered MAC address can be configured for in-band connectivity. To take effect, 'MAC Address Type' must be set to 'Locally Administered'. Enter the address as twelve hexadecimal digits (6 bytes) with a colon between each byte. Bit 1 of byte 0 must be set to a 1 and bit 0 to a 0; that is, byte 0 should have the following mask 'xxxx xx10'. The MAC address used by this bridge when it must be referred to in a unique fashion. It is recommended that this be the numerically smallest MAC address of all ports that belong to this bridge. However it is only required to be unique. When concatenated with dot1dStpPriority a unique BridgeIdentifier is formed which is used in the Spanning Tree Protocol.
MAC Address Type	Specifies which MAC address should be used for in-band connectivity. The choices are the burned in or the Locally Administered address. The factory default is to use the burned in MAC address.
Network Configuration Protocol Current	Indicates which network protocol is being used. The options are: bootp dhcp none.
Java Mode	Specifies if the switch should allow access to the Java applet in the header frame. Enabled means the applet can be viewed. The factory default is disabled.
Management VLAN ID	Specifies the management VLAN ID.

show remotecon

This command displays telnet settings.

• Format - show remotecon
• Mode - Privileged EXEC and User EXEC



TABLE 5-16 Entry Definitions for show remotecon

Entry	Definition
Remote Connection Login Timeout (minutes)	This object indicates the number of minutes a remote connection session is allowed to remain inactive before being logged off. A zero means there will be no timeout. May be specified as a number from 0 to 160. The factory default is 5.
Maximum Number of Remote Connection Sessions	This object indicates the number of simultaneous remote connection sessions allowed. The factory default is 5.
Allow New Telnet Sessions	Indicates that new telnet sessions will not be allowed when set to no. The factory default value is yes.

show serial

This command displays serial communication settings for the switch.

• Format - show serial
• Mode - Privileged EXEC and User EXEC



TABLE 5-17 Entry Definitions for show serial

Entry	Definition
Serial Port Login Timeout (minutes)	Specifies the time, in minutes, of inactivity on a Serial port connection, after which the Switch will close the connection. Any numeric value between 0 and 160 is allowed, the factory default is 5. A value of 0 disables the timeout.
Baud Rate	The default baud rate at which the serial port will try to connect. The available values are 1200, 2400, 4800, 9600, 19200, 38400,57600, and 115200 baud. The factory Default is 9600 baud.
Character Size	The number of bits in a character. The number of bits is always 8.
Flow Control	Whether Hardware Flow-Control is enabled or disabled. Hardware Flow Control is always disabled.
Stop Bits	The number of Stop bits per character. The number of Stop bits is always 1.
Parity Type	The Parity Method used on the Serial Port. The Parity Method is always None.

show serviceport

This command displays service port configuration information.

• Format - show serviceport
• Mode - Privileged EXEC



TABLE 5-18 Entry Definitions for show serviceport

Entry	Definition
IP Address	The IP address of the interface. The factory default value is 0.0.0.0
Subnet Mask	The IP subnet mask for this interface. The factory default value is 0.0.0.0
Default Gateway	The default gateway for this IP interface. The factory default value is 0.0.0.0
ServPort Configuration Protocol Current	Indicates what network protocol was used on the last, or current power-up cycle, if any.
Burned in MAC Address	The burned in MAC address used for in-band connectivity.

---

SNMP Community Commands

show snmpcommunity

This command displays SNMP community information. Six communities are supported. You can add, change, or delete communities. The switch does not have to be reset for changes to take effect.

The SNMP agent of the switch complies with SNMP Version 1 (for more about the SNMP specification, see the SNMP RFCs). The SNMP agent sends traps through TCP/IP to an external SNMP manager based on the SNMP configuration (the trap receiver and other SNMP community parameters).

• Format - show snmpcommunity
• Mode - Privileged EXEC



TABLE 5-19 Entry Definitions for show snmpcommunity

Entry	Definition
SNMP Community Name	The community string to which this entry grants access. A valid entry is a case-sensitive alphanumeric string of up to 16 characters. Each row of this table must contain a unique community name.
Client IP Address	An IP address (or portion thereof) from which this device will accept SNMP packets with the associated community. The requesting entity's IP address is ANDed with the Subnet Mask before being compared to the IP Address. Note that if the Subnet Mask is set to 0.0.0.0, an IP Address of 0.0.0.0 matches all IP addresses. The default value is 0.0.0.0
Client IP Mask	A mask to be ANDed with the requesting entity's IP address before comparison with IP Address. If the result matches with IP Address then the address is an authenticated IP address. For example, if the IP Address = 9.47.128.0 and the corresponding Subnet Mask = 255.255.255.0 a range of incoming IP addresses would match; that is, the incoming IP Address could equal 9.47.128.0 - 9.47.128.255. The default value is 0.0.0.0
Access Mode	The access level for this community string.
Status	The status of this community access entry.

show snmptrap

This command displays SNMP trap receivers. Trap messages are sent across a network to an SNMP Network Manager. These messages alert the manager to events occurring within the switch or on the network. Six trap receivers are simultaneously supported.

• Format - show snmptrap
• Mode - Privileged EXEC



TABLE 5-20 Entry Definitions for show snmptrap

Entry	Definition
SNMP Trap Name	The community string of the SNMP trap packet sent to the trap manager. This may be up to 16 alphanumeric characters. This string is case sensitive.
IP Address	The IP address to receive SNMP traps from this device. Enter four numbers between 0 and 255 separated by periods.
Status	A pull down menu that indicates the receiver's status (enabled or disabled) and allows the administrator/user to perform actions on this user entry: Enable - send traps to the receiver. Disable - do not send traps to the receiver. Delete - remove the table entry.

show trapflags

This command displays trap conditions. Configure which traps the switch should generate by enabling or disabling the trap condition. If a trap condition is enabled and the condition is detected, the switch's SNMP agent sends the trap to all enabled trap receivers. The switch does not have to be reset to implement the changes. Cold and warm start traps are always generated and cannot be disabled.

• Format - show trapflags
• Mode - Privileged EXEC



TABLE 5-21 Entry Definitions for show trapflags

Entry	Definition
Authentication Flag	May be enabled or disabled. The factory default is enabled. Indicates whether authentication failure traps will be sent.
Link Up/Down Flag	May be enabled or disabled. The factory default is enabled. Indicates whether link status traps will be sent.
Multiple Users Flag	May be enabled or disabled. The factory default is enabled. Indicates whether a trap will be sent when the same user ID is logged into the switch more than once at the same time (either via telnet or serial port).
Spanning Tree Flag	May be enabled or disabled. The factory default is enabled. Indicates whether spanning tree traps will be sent.
Broadcast Storm Flag	May be enabled or disabled. The factory default is enabled. Indicates whether broadcast storm traps will be sent.
DVMRP Traps	May be enabled or disabled. The factory default is disabled. Indicates whether DVMRP traps will be sent.
OSPF Traps	May be enabled or disabled. The factory default is disabled. Indicates whether OSPF traps will be sent.
PIM Traps	May be enabled or disabled. The factory default is disabled. Indicates whether PIM traps will be sent.

snmp-server community

This command adds (and names) a new SNMP community. A community name is a name associated with the switch and with a set of SNMP managers that manage it with a specified privileged level. The length of name can be up to 16 case-sensitive characters.

• Default - Two default community names: Public and Private. You can replace these default community names with unique identifiers for each community. The default values for the remaining four community names are blank.
• Format - snmp-server community <name>
• Mode - Global Config

no snmp-server community

This command removes this community name from the table. The name is the community name to be deleted.

• Format - no snmp-server community <name>
• Mode - Global Config

snmp-server community ipaddr

This command sets a client IP address for an SNMP community. The address is the associated community SNMP packet sending address and is used along with the client IP mask value to denote a range of IP addresses from which SNMP clients may use that community to access the device. A value of 0.0.0.0 allows access from any IP address. Otherwise, this value is ANDed with the mask to determine the range of allowed client IP addresses. The name is the applicable community name.

• Default - 0.0.0.0
• Format - snmp-server community ipaddr <ipaddr> <name>
• Mode - Global Config

no snmp-server community ipaddr

This command sets a client IP address for an SNMP community to 0.0.0.0. The name is the applicable community name.

• Format - no snmp-server community ipaddr <name>
• Mode - Global Config

snmp-server community ipmask

This command sets a client IP mask for an SNMP community. The address is the associated community SNMP packet sending address and is used along with the client IP address value to denote a range of IP addresses from which SNMP clients may use that community to access the device. A value of 255.255.255.255 will allow access from only one station, and will use that machine's IP address for the client IP Address. A value of 0.0.0.0 will allow access from any IP address. The name is the applicable community name.

• Default - 0.0.0.0
• Format - snmp-server community ipmask <ipmask> <name>
• Mode - Global Config

no snmp-server community ipmask

This command sets a client IP mask for an SNMP community to 0.0.0.0. The name is the applicable community name. The community name may be up to 16 alphanumeric characters.

• Format - no snmp-server community ipmask <name>
• Mode - Global Config

snmp-server community mode

This command activates an SNMP community. If a community is enabled, an SNMP manager associated with this community manages the switch according to its access right. If the community is disabled, no SNMP requests using this community are accepted. In this case the SNMP manager associated with this community cannot manage the switch until the Status is changed back to Enable.

• Default - The default private and public communities are enabled by default. The four undefined communities are disabled by default.
• Format - snmp-server community mode <name>
• Mode - Global Config

no snmp-server community mode

This command deactivates an SNMP community. If the community is disabled, no SNMP requests using this community are accepted. In this case the SNMP manager associated with this community cannot manage the switch until the Status is changed back to Enable.

• Format - no snmp-server community mode <name>
• Mode - Global Config

snmp-server community ro

This command restricts access to switch information. The access mode is read-only (also called public).

• Format - snmp-server community ro <name>
• Mode - Global Config

snmp-server community rw

This command restricts access to switch information. The access mode is read/write (also called private).

• Format - snmp-server community rw <name>
• Mode - Global Config

snmp-server enable traps

This command enables the Authentication Flag.

• Default - enabled
• Format - snmp-server enable traps
• Mode - Global Config

no snmp-server enable traps

This command disables the Authentication Flag.

• Format - no snmp-server enable traps
• Mode - Global Config

snmp-server enable traps bcaststorm

This command enables the broadcast storm trap. When enabled, broadcast storm traps are sent only if the broadcast storm recovery mode setting associated with the port is enabled .

• Default - enabled
• Format - snmp-server enable traps bcaststorm
• Mode - Global Config

no snmp-server enable traps bcaststorm

This command disables the broadcast storm trap. When enabled, broadcast storm traps are sent only if the broadcast storm recovery mode setting associated with the port is enabled .

• Format - no snmp-server enable traps bcaststorm
• Mode - Global Config

snmp-server enable traps linkmode

This command enables Link Up/Down traps for the entire switch. When enabled, link traps are sent only if the Link Trap flag setting associated with the port is enabled (see snmp trap link-status).

• Default - enabled
• Format - snmp-server enable traps linkmode
• Mode - Global Config

no snmp-server enable traps linkmode

This command disables Link Up/Down traps for the entire switch.

• Format - no snmp-server enable traps linkmode
• Mode - Global Config

snmp-server enable traps multiusers

This command enables Multiple User traps. When the traps are enabled, a Multiple User Trap is sent when a user logs in to the terminal interface (EIA 232 or telnet) and there is an existing terminal interface session.

• Default - enabled
• Format - snmp-server enable traps multiusers
• Mode - Global Config

no snmp-server enable traps multiusers

This command disables Multiple User traps.

• Format - no snmp-server enable traps multiusers
• Mode - Global Config

snmp-server enable traps stpmode

This command enables the sending of new root traps and topology change notification traps.

• Default - enabled
• Format - snmp-server enable traps stpmode
• Mode - Global Config

no snmp-server enable traps stpmode

This command disables the sending of new root traps and topology change notification traps.

• Format - no snmp-server enable traps stpmode
• Mode - Global Config

snmptrap

This command adds an SNMP trap name. The maximum length of name is 16 case-sensitive alphanumeric characters.

• Default - The default name for the six undefined community names is Delete.
• Format - snmptrap <name> <ipaddr>
• Mode - Global Config

no snmptrap

This command deletes trap receivers for a community.

• Format - no snmptrap <name> <ipaddr>
• Mode - Global Config

snmptrap ipaddr

This command assigns an IP address to a specified community name. The maximum length of name is 16 case-sensitive alphanumeric characters.

• Format - snmptrap ipaddr <name> <ipaddrold> <ipaddrnew>
• Mode - Global Config

snmptrap mode

This command activates or deactivates an SNMP trap. Enabled trap receivers are active (able to receive traps). Disabled trap receivers are inactive (not able to receive traps).

• Format - snmptrap mode <name> <ipaddr>
• Mode - Global Config

no snmptrap mode

This command deactivates an SNMP trap. Disabled trap receivers are inactive (not able to receive traps).

• Format - no snmptrap mode <name> <ipaddr>
• Mode - Global Config

telnet

This command regulates new telnet sessions. If sessions are enabled, new telnet sessions can be established until there are no more sessions available. If sessions are disabled, no new telnet sessions are established. An established session remains active until the session is ended or an abnormal network error ends it.

• Default - enabled
• Format - telnet
• Mode - Privileged EXEC

no telnet

This command disables telnet sessions. If sessions are disabled, no new telnet sessions are established.

• Format - no telnet
• Mode - Privileged EXEC

snmp trap link-status

This command enables link status traps by interface.

• Format - snmp trap link-status
• Mode - Interface Config

no snmp trap link-status

This command disables link status traps by interface.

• Format - no snmp trap link-status
• Mode - Interface Config

snmp trap link-status all

This command enables link status traps for all interfaces.

• Format - snmp trap link-status all
• Mode - Global Config

no snmp trap link-status all

This command disables link status traps for all interfaces.

• Format - no snmp trap link-status all
• Mode - Global Config

---

Management VLAN Command

This command is used to set the Management VLAN.

network mgmt_vlan

This command configures the Management VLAN ID.

• Default - 1
• Format - network mgmt_vlan <1-4021>
• Mode - Privileged EXEC

---

System Configuration Commands

This chapter provides a detailed explanation of the System configuration commands. The commands are divided into two functional groups:

• Show commands display switch settings, statistics, and other information.
• Configuration commands configure features and options of the switch. For every configuration command, there is a show command that displays the configuration setting.

addport

This command adds one port to the port-channel (LAG). The first interface is a logical unit, slot and port slot and port number of a configured port-channel.

• Format - addport <logical slot/port>
• Mode - Interface Config

cablestatus

This command tests the status of the cable attached to an interface.

• Format - cablestatus <slot/port>
• Mode - Privileged EXEC

auto-negotiate

This command enables automatic negotiation on a port. The default value is enable.

• Format - auto-negotiate
• Mode - Interface Config

no auto-negotiate

This command disables automatic negotiation on a port.

• Format - no auto-negotiate
• Mode - Interface Config

auto-negotiate all

This command enables automatic negotiation on all ports. The default value is enable.

• Format - auto-negotiate all
• Mode - Global Config

no auto-negotiate all

This command disables automatic negotiation on all ports.

• Format - no auto-negotiate all
• Mode - Global Config

deleteport (Interface Config)

This command deletes the port from the port-channel (LAG). The interface is a logical unit, slot and port slot and port number of a configured port-channel.

• Format - deleteport <logical slot/port>
• Mode - Interface Config

deleteport (Global Config)

This command deletes all configured ports from the port-channel (LAG). The interface is a logical unit, slot and port slot and port number of a configured port-channel.

• Format - deleteport {<logical slot/port> | all}
• Mode - Global Config

monitor session

This command configures a probe port and a monitored port for monitor session (port monitoring). The first slot/port is the source monitored port and the second slot/port is the destination probe port. If this command is executed while port monitoring is enabled, it will have the effect of changing the probe and monitored port values.

• Format - monitor session source <slot/port> <destination> <slot/port>
• Mode - Global Config

no monitor session

This command removes the monitor session (port monitoring) designation from both the source probe port and the destination monitored port and removes the probe port from all VLANs. The port must be manually re-added to any desired VLANs.

• Format - no monitor session
• Mode - Global Config

monitor session mode

This command configures the monitor session (port monitoring) mode to enable. The probe and monitored ports must be configured before monitor session (port monitoring) can be enabled. If enabled, the probe port will monitor all traffic received and transmitted on the physical monitored port. It is not necessary to disable port monitoring before modifying the probe and monitored ports.

• Default - disabled
• Format - monitor session mode
• Mode - Global Config

no monitor session mode

This command sets the monitor session (port monitoring) mode to disable.

• Format - no monitor session mode
• Mode - Global Config

shutdown

This command disables a port.

• Default - enabled
• Format - shutdown
• Mode - Interface Config

no shutdown

This command enables a port.

• Format - no shutdown
• Mode - Interface Config

shutdown all

This command disables all ports.

• Default - enabled
• Format - shutdown all
• Mode - Global Config

no shutdown all

This command enables all ports.

• Format - no shutdown all
• Mode - Global Config

speed

This command sets the speed and duplex setting for the interface.

• Format - speed {<100 | 10> <half-duplex | full-duplex>}
• Mode - Interface Config

Acceptable values for the speed command are as follows.

speed all

This command sets the speed and duplex setting for all interfaces.

• Format - speed all {<100 | 10> <half-duplex | full-duplex>}
• Mode - Global Config

Acceptable values for the speed all command are as follows.

storm-control broadcast

This command enables broadcast storm recovery mode. If the mode is enabled, broadcast storm recovery with high and low thresholds is implemented.

The threshold implementation follows a percentage pattern. If the broadcast traffic on any Ethernet port exceeds the high threshold percentage (as shown in TABLE 5-24) of the link speed, the switch discards the broadcasts traffic until the broadcast traffic returns to the low threshold percentage or less. The full implementation is depicted in the following table.

• Format - storm-control broadcast
• Mode - Global Config

no storm-control broadcast

This command disables broadcast storm recovery mode.

The threshold implementation follows a percentage pattern. If the broadcast traffic on any Ethernet port exceeds the high threshold percentage (as shown in TABLE 5-25) of the link speed, the switch discards the broadcasts traffic until the broadcast traffic returns to the low threshold percentage or less. The full implementation is depicted in the following table.

• Format - no storm-control broadcast
• Mode - Global Config

storm-control flowcontrol

This command enables 802.3x flow control for the switch.

• Default - disabled
• Format - storm-control flowcontrol
• Mode - Global Config

no storm-control flowcontrol

This command disables 802.3x flow control for the switch.

• Format - no storm-control flowcontrol
• Mode - Global Config

show mac-address-table multicast

This command displays the Multicast Forwarding Database (MFDB) information. If the command is entered with no parameter, the entire table is displayed. This is the same as entering the optional all parameter. The user can display the table entry for one MAC Address by specifying the MAC address as an optional parameter.

• Format - show mac-address-table multicast <macaddr | all>
• Mode - Privileged EXEC



TABLE 5-26 Entry Definitions for show mac-address-table multicast

Entry	Definition
Mac Address	A multicast MAC address for which the switch has forwarding and or filtering information. The format is two-digit hexadecimal numbers that are separated by colons, for example 01:23:45:67:89:AB. In an IVL system the MAC address will be displayed as a MAC address and VLAN ID combination of 8 bytes.
Type	This displays the type of the entry. Static entries are those that are configured by the end user. Dynamic entries are added to the table as a result of a learning process or protocol.
Component	The component that is responsible for this entry in the Multicast Forwarding Database. Possible values are IGMP Snooping, GMRP, and Static Filtering.
Description	The text description of this multicast table entry.
Interfaces	The list of interfaces that are designated for forwarding (Fwd:) and filtering (Flt:).
Forwarding Interfaces	The resultant forwarding list is derived from combining all the component’s forwarding interfaces and removing the interfaces that are listed as the static filtering interfaces.

show mac-address-table static

This command displays the Static MAC Filtering information for all Static MAC Filters. If <all> is selected, all the Static MAC Filters in the system are displayed. If a macaddr is entered, a vlan must also be entered and the Static MAC Filter information will be displayed only for that MAC address and VLAN.

• Format - show mac-address-table static {<macaddr> <vlanid> | all}
• Mode - Privileged EXEC



TABLE 5-27 Entry Definitions for show mac-address-table static

Entry	Definition
MAC Address	The MAC Address of the static MAC filter entry.
VLAN ID	The VLAN ID of the static MAC filter entry.
Source Port(s)	Indicates the source port filter set's slot and port(s).
Destination Port(s)	Indicates the destination port filter set's slot and port(s).

show mac-address-table staticfiltering

This command displays the Static Filtering entries in the Multicast Forwarding Database (MFDB) table.

• Format - show mac-address-table staticfiltering
• Mode - Privileged EXEC



TABLE 5-28 Entry Definitions for show mac-address-table staticfiltering

Entry	Definition
Mac Address	A unicast MAC address for which the switch has forwarding and or filtering information. The format is 6 or 8 two-digit hexadecimal numbers that are separated by colons, for example 01:23:45:67:89:AB. In an IVL system the MAC address will be displayed as 8 bytes.
Type	This displays the type of the entry. Static entries are those that are configured by the end user. Dynamic entries are added to the table as a result of a learning process or protocol.
Description	The text description of this multicast table entry.
Interfaces	The list of interfaces that are designated for forwarding (Fwd:) and filtering (Flt:).

show mac-address-table stats

This command displays the Multicast Forwarding Database (MFDB) statistics.

• Format - show mac-address-table stats
• Mode - Privileged EXEC



TABLE 5-29 Entry Definitions for show mac-address-table stats

Entry	Definition
Total Entries	This displays the total number of entries that can possibly be in the Multicast Forwarding Database table.
Most MFDB Entries Ever Used	This displays the largest number of entries that have been present in the Multicast Forwarding Database table. This value is also known as the MFDB high-water mark.
Current Entries	This displays the current number of entries in the Multicast Forwarding Database table.

show monitor

This command displays the Port monitoring information for the system.

• Format - show monitor
• Mode - Privileged EXEC



TABLE 5-30 Entry Definitions for show monitor

Entry	Definition
Port Monitor Mode	Indicates whether the Port Monitoring feature is enabled or disabled. The possible values are enable and disable.
Probe Port slot/port	The slot/port configured as the probe port. If this value has not been configured, 'Not Configured' will be displayed.
Monitored Port slot/port	The slot/port configured as the monitored port. If this value has not been configured, 'Not Configured' will be displayed.

show port

This command displays port information.

• Format - show port {<slot/port> | all}
• Mode - Privileged EXEC



TABLE 5-31 Entry Definitions for show port

Entry	Definition
Slot/Port	Valid slot and port number separated by forward slashes.
Type	If not blank, this field indicates that this port is a special type of port. The possible values are: Mon - This port is a monitoring port. Look at the Port Monitoring screens to find out more information. Lag - This port is a member of a port-channel (LAG). Probe - This port is a probe port.
Admin Mode	Selects the Port control administration state. The port must be enabled in order for it to be allowed into the network. May be enabled or disabled. The factory default is enabled.
Physical Mode	Selects the desired port speed and duplex mode. If auto-negotiation support is selected, then the duplex mode and speed will be set from the auto-negotiation process. Note that the port's maximum capability (full duplex -100M) will be advertised. Otherwise, this object will determine the port's duplex mode and transmission rate. The factory default is Auto.
Physical Status	Indicates the port speed and duplex mode.
Link Status	Indicates whether the Link is up or down.
Link Trap	This object determines whether or not to send a trap when link status changes. The factory default is enabled.
LACP Mode	Displays whether LACP is enabled or disabled on this port.

show port protocol

This command displays the Protocol-Based VLAN information for either the entire system, or for the indicated Group.

• Format - show port protocol <groupid | all>
• Mode - Privileged EXEC



TABLE 5-32 Entry Definitions for show port protocol

Entry	Definition
Group Name	This field displays the group name of an entry in the Protocol-based VLAN table.
Group ID	This field displays the group identifier of the protocol group.
Protocol(s)	This field indicates the type of protocol(s) for this group.
VLAN	This field indicates the VLAN associated with this Protocol Group.
Interface(s)	This field lists the slot/port interface(s) that are associated with this Protocol Group.

show storm-control

This command displays switch configuration information.

• Format - show storm-control
• Mode - Privileged EXEC



TABLE 5-33 Entry Definitions for show storm-control

Entry	Definition
Broadcast Storm Recovery Mode	May be enabled or disabled. The factory default is disabled.
802.3x Flow Control Mode	May be enabled or disabled. The factory default is disabled.

---

Virtual LAN (VLAN) Commands

vlan

This command creates a new VLAN and assigns it an ID. The ID is a valid VLAN identification number (ID 1 is reserved for the default VLAN). VLAN range is
2-4021.

• Format - vlan <2-4021>
• Mode - VLAN database

no vlan

This command deletes an existing VLAN. The ID is a valid VLAN identification number (ID 1 is reserved for the default VLAN). VLAN range is 2-4021.

• Format - no vlan <2-4021>
• Mode - VLAN database

vlan acceptframe

This command sets the frame acceptance mode per interface. For VLAN Only mode, untagged frames or priority frames received on this interface are discarded. For Admit All mode, untagged frames or priority frames received on this interface are accepted and assigned the value of the interface VLAN ID for this port. With either option, VLAN tagged frames are forwarded in accordance with the IEEE 802.1Q VLAN Specification.

• Default - admit all
• Format - vlan acceptframe <vlanonly | all>
• Mode - Interface Config

no vlan acceptframe

This command sets the frame acceptance mode per interface to Admit All. For Admit All mode, untagged frames or priority frames received on this interface are accepted and assigned the value of the interface VLAN ID for this port. With either option, VLAN tagged frames are forwarded in accordance with the IEEE 802.1Q VLAN Specification.

• Format - vlan acceptframe <vlanonly | all>
• Mode - Interface Config

vlan ingressfilter

This command enables ingress filtering. If ingress filtering is disabled, frames received with VLAN IDs that do not match the VLAN membership of the receiving interface are admitted and forwarded to ports that are members of that VLAN.

• Default - disabled
• Format - vlan ingressfilter
• Mode - Interface Config

no vlan ingressfilter

This command disables ingress filtering. If ingress filtering is disabled, frames received with VLAN IDs that do not match the VLAN membership of the receiving interface are admitted and forwarded to ports that are members of that VLAN.

• Format - no vlan ingressfilter
• Mode - Interface Config

vlan makestatic

This command changes a dynamically created VLAN (one that is created by GVRP registration) to a static VLAN (one that is permanently configured and defined). The ID is a valid VLAN identification number. VLAN range is 2-4021.

• Format - vlan makestatic <2-4021>
• Mode - VLAN database

vlan name

This command changes the name of a VLAN. The name is an alphanumeric string of up to 32 characters, and the ID is a valid VLAN identification number. ID range is 1-4021.

• Default - The name for VLAN ID 1 is always Default. The name for other VLANs is defaulted to a blank string.
• Format - vlan name <2-4021> <name>
• Mode - VLAN database

no vlan name

This command sets the name of a VLAN to a blank string. The VLAN ID is a vailid VLAN identification number. ID range is 1-4021.

• Format - no vlan name <2-4021>
• Mode - VLAN database

vlan participation

This command configures the degree of participation for a specific interface in a VLAN. The ID is a valid VLAN identification number, and the interface is a valid interface number.

• Format - vlan participation <exclude | include | auto> <1-4021>
• Mode - Interface Config

Participation options are as follows.

vlan participation all

This command configures the degree of participation for all interfaces in a VLAN. The ID is a valid VLAN identification number.

• Format - vlan participation all <exclude | include | auto> <1-4021>
• Mode - Global Config

Participation options are as follows.

vlan port acceptframe all

This command sets the frame acceptance mode for all interfaces. For VLAN Only mode, untagged frames or priority frames received on this interface are discarded. For Admit All mode, untagged frames or priority frames received on this interface are accepted and assigned the value of the interface VLAN ID for this port. With either option, VLAN tagged frames are forwarded in accordance with the IEEE 802.1Q VLAN Specification.

• Default - admit all
• Format - vlan port acceptframe all <vlanonly | all>
• Mode - Global Config

no vlan port acceptframe all

This command sets the frame acceptance mode for all interfaces to Admit All. For Admit All mode, untagged frames or priority frames received on this interface are accepted and assigned the value of the interface VLAN ID for this port. With either option, VLAN tagged frames are forwarded in accordance with the IEEE 802.1Q VLAN Specification.

• Format - no vlan port acceptframe all <vlanonly | all>
• Mode - Global Config

vlan port ingressfilter all

This command enables ingress filtering for all ports. If ingress filtering is disabled, frames received with VLAN IDs that do not match the VLAN membership of the receiving interface are admitted and forwarded to ports that are members of that VLAN.

• Default - disabled
• Format - vlan port ingressfilter all
• Mode - Global Config

no vlan port ingressfilter all

This command disables ingress filtering for all ports. If ingress filtering is disabled, frames received with VLAN IDs that do not match the VLAN membership of the receiving interface are admitted and forwarded to ports that are members of that VLAN.

• Format - no vlan port ingressfilter all
• Mode - Global Config

vlan port pvid all

This command changes the VLAN ID for all interfaces.

• Default - 1
• Format - vlan port pvid all <1-4021>
• Mode - Global Config

no vlan port pvid all

This command sets the VLAN ID for all interfaces to 1.

• Format - no vlan port pvid all <1-4021>
• Mode - Global Config

vlan port tagging all

This command configures the tagging behavior for all interfaces in a VLAN to enabled. If tagging is enabled, traffic is transmitted as tagged frames. If tagging is disabled, traffic is transmitted as untagged frames. The ID is a valid VLAN identification number.

• Format - vlan port tagging all <1-4021>
• Mode - Global Config

no vlan port tagging all

This command configures the tagging behavior for all interfaces in a VLAN to disabled. If tagging is disabled, traffic is transmitted as untagged frames. The ID is a valid VLAN identification number.

• Format - no vlan port tagging all <1-4021>
• Mode - Global Config

vlan protocol group

This command adds protocol-based VLAN group to the system. The <groupName> is a character string of 1 to 16 characters. When it is created, the protocol group will be assigned a unique number that will be used to identify the group in subsequent commands.

• Format - vlan protocol group <groupname>
• Mode - Global Config

vlan protocol group add protocol

This command adds the <protocol> to the protocol-based VLAN identified by <groupid>. A group may have more than one protocol associated with it. Each interface and protocol combination can only be associated with one group. If adding a protocol to a group causes any conflicts with interfaces currently associated with the group, this command will fail and the protocol will not be added to the group. The possible values for protocol are ip, arp, and ipx.

• Default - none
• Format - vlan protocol group add protocol <groupid> <protocol>
• Mode - Global Config

no vlan protocol group add protocol

This command removes the <protocol> from this protocol-based VLAN group that is identified by this <groupid>. The possible values for protocol are ip, arp, and ipx.

• Format - no vlan protocol group add protocol <groupid> <protocol>
• Mode - Global Config

vlan protocol group remove

This command removes the protocol-based VLAN group that is identified by this <groupid>.

• Format - vlan protocol group remove <groupid>
• Mode - Global Config

protocol group

This command attaches a <vlanid> to the protocol-based VLAN identified by <groupid>. A group may only be associated with one VLAN at a time, however the VLAN association can be changed.

The referenced VLAN should be created prior to the creation of the protocol-based VLAN except when GVRP is expected to create the VLAN.

• Default - none
• Format - protocol group <groupid> <vlanid>
• Mode - VLAN database

no protocol group

This command removes the <vlanid> from this protocol-based VLAN group that is identified by this <groupid>.

• Format - no protocol group <groupid> <vlanid>
• Mode - VLAN database

protocol vlan group

This command adds the physical <slot/port> interface to the protocol-based VLAN identified by <groupid>. A group may have more than one interface associated with it. Each interface and protocol combination can only be associated with one group. If adding an interface to a group causes any conflicts with protocols currently associated with the group, this command will fail and the interface(s) will not be added to the group.

The referenced VLAN should be created prior to the creation of the protocol-based VLAN except when GVRP is expected to create the VLAN.

• Default - none
• Format - protocol vlan group <groupid>
• Mode - Interface Config

no protocol vlan group

This command removes the <interface> from this protocol-based VLAN group that is identified by this <groupid>. If <all> is selected, all ports will be removed from this protocol group.

• Format - no protocol vlan group <groupid>
• Mode - Interface Config

protocol vlan group all

This command adds all physical interfaces to the protocol-based VLAN identified by <groupid>. A group may have more than one interface associated with it. Each interface and protocol combination can only be associated with one group. If adding an interface to a group causes any conflicts with protocols currently associated with the group, this command will fail and the interface(s) will not be added to the group.

The referenced VLAN should be created prior to the creation of the protocol-based VLAN except when GVRP is expected to create the VLAN.

• Default - none
• Format - protocol vlan group all <groupid>
• Mode - Global Config

no protocol vlan group all

This command removes all interfaces from this protocol-based VLAN group that is identified by this <groupid>.

• Format - no protocol vlan group all <groupid>
• Mode - Global Config

vlan pvid

This command changes the VLAN ID per interface.

• Default - 1
• Format - vlan pvid <1-4021>
• Mode - Interface Config

no vlan pvid

This command sets the VLAN ID per interface to 1.

• Format - no vlan pvid <1-4021>
• Mode - Interface Config

vlan tagging

This command configures the tagging behavior for a specific interface in a VLAN to enabled. If tagging is enabled, traffic is transmitted as tagged frames. If tagging is disabled, traffic is transmitted as untagged frames. The ID is a valid VLAN identification number.

• Format - vlan tagging <1-4021>
• Mode - Interface Config

no vlan tagging

This command configures the tagging behavior for a specific interface in a VLAN to disabled. If tagging is disabled, traffic is transmitted as untagged frames. The ID is a valid VLAN identification number.

• Format - no vlan tagging <1-4021>
• Mode - Interface Config

show vlan

This command displays detailed information, including interface information, for a specific VLAN. The ID is a valid VLAN identification number.

• Format - show vlan <vlanid>
• Mode - Privileged EXEC and User EXEC



TABLE 5-36 Entry Definitions for show vlan

Entry	Definition
VLAN ID	There is a VLAN Identifier (VID) associated with each VLAN. The range of the VLAN ID is 1 to 4021.
VLAN Name	A string associated with this VLAN as a convenience. It can be up to 32 alphanumeric characters long, including blanks. The default is blank. VLAN ID 1 always has a name of `Default`. This field is optional.
VLAN Type	Type of VLAN, which can be Default, (VLAN ID = 1), a static (one that is configured and permanently defined), or Dynamic (one that is created by GVRP registration).
Slot/Port	Valid slot and port number separated by forward slashes. It is possible to set the parameters for all ports by using the selectors on the top line.
Current	Determines the degree of participation of this port in this VLAN. The permissible values are: Include - This port is always a member of this VLAN. This is equivalent to registration fixed in the IEEE 802.1Q standard. Exclude - This port is never a member of this VLAN. This is equivalent to registration forbidden in the IEEE 802.1Q standard. Autodetect - Specifies to allow the port to be dynamically registered in this VLAN via GVRP. The port will not participate in this VLAN unless a join request is received on this port. This is equivalent to registration normal in the IEEE 802.1Q standard.
Configured	Determines the configured degree of participation of this port in this VLAN. The permissible values are: Include - This port is always a member of this VLAN. This is equivalent to registration fixed in the IEEE 802.1Q standard. Exclude - This port is never a member of this VLAN. This is equivalent to registration forbidden in the IEEE 802.1Q standard. Autodetect - Specifies to allow the port to be dynamically registered in this VLAN via GVRP. The port will not participate in this VLAN unless a join request is received on this port. This is equivalent to registration normal in the IEEE 802.1Q standard.
Tagging	Select the tagging behavior for this port in this VLAN. Tagged - Specifies to transmit traffic for this VLAN as tagged frames. Untagged - Specifies to transmit traffic for this VLAN as untagged frames.

show vlan brief

This command displays a list of all configured VLANs.

• Format - show vlan brief
• Mode - Privileged EXEC and User EXEC



TABLE 5-37 Entry Definitions for show vlan brief

Entry	Definition
VLAN ID	There is a VLAN Identifier (vlanid )associated with each VLAN. The range of the VLAN ID is 1 to 4021.
VLAN Name	A string associated with this VLAN as a convenience. It can be up to 32 alphanumeric characters long, including blanks. The default is blank. VLAN ID 1 always has a name of `Default`. This field is optional.
VLAN Type	Type of VLAN, which can be Default, (VLAN ID = 1), a static (one that is configured and permanently defined), or a Dynamic (one that is created by GVRP registration).

show vlan port

This command displays VLAN port information.

• Format - show vlan port {<slot/port> | all}
• Mode - Privileged EXEC and User EXEC



TABLE 5-38 Entry Definitions for show vlan port

Entry	Definition
Slot/Port	Valid slot and port number separated by forward slashes. It is possible to set the parameters for all ports by using the selectors on the top line.
Port VLAN ID	The VLAN ID that this port will assign to untagged frames or priority tagged frames received on this port. The value must be for an existing VLAN. The factory default is 1.
Acceptable Frame Types	Specifies the types of frames that may be received on this port. The options are 'VLAN only' and 'Admit All'. When set to 'VLAN only', untagged frames or priority tagged frames received on this port are discarded. When set to 'Admit All', untagged frames or priority tagged frames received on this port are accepted and assigned the value of the Port VLAN ID for this port. With either option, VLAN tagged frames are forwarded in accordance to the 802.1Q VLAN specification.
Ingress Filtering	May be enabled or disabled. When enabled, the frame is discarded if this port is not a member of the VLAN with which this frame is associated. In a tagged frame, the VLAN is identified by the VLAN ID in the tag. In an untagged frame, the VLAN is the Port VLAN ID specified for the port that received this frame. When disabled, all frames are forwarded in accordance with the 802.1Q VLAN bridge specification. The factory default is disabled.
GVRP	May be enabled or disabled.
Default Priority	The 802.1p priority assigned to tagged packets arriving on the port.

---

System Utility Commands

This section describes system utilities. The commands are divided into two functional groups:

• Show commands display switch settings, statistics, and other information.
• Configuration commands configure features and options of the switch. For every configuration command, there is a show command that displays the configuration setting.

clear config

This command resets the configuration to the factory defaults without powering off the switch. The switch is automatically reset when this command is processed. You are prompted to confirm that the reset should proceed.

• Format - clear config
• Mode - Privileged EXEC

clear counters

This command clears the stats for a specified <slot/port>or for all the ports or for the entire switch based upon the argument.

• Format - clear counters {<slot/port> | all}
• Mode - Privileged EXEC

clear igmpsnooping

This command clears the tables managed by the IGMP Snooping function and will attempt to delete these entries from the Multicast Forwarding Database.

• Format - clear igmpsnooping
• Mode - Privileged EXEC

clear pass

This command resets all user passwords to the factory defaults without powering off the switch. You are prompted to confirm that the password reset should proceed.

• Format - clear pass
• Mode - Privileged EXEC

enable passwd

This command changes the Privileged EXEC password. First type the command then hit the enter or the return key.

• Format - enable passwd
• Mode - Privileged EXEC

clear port-channel

This command clears all port-channels (LAGs).

• Format - clear port-channel
• Mode - Privileged EXEC

clear traplog

This command clears the trap log.

• Format - clear traplog
• Mode - Privileged EXEC

clear vlan

This command resets VLAN configuration parameters to the factory defaults.

• Format - clear vlan
• Mode - Privileged EXEC

logout

This command closes the current telnet connection or resets the current serial connection.

• Format - logout
• Mode - Privileged EXEC

ping

This command checks if another computer is on the network and listens for connections. To use this command, configure the switch for network (in-band) connection. The source and target devices must have the ping utility enabled and running on top of TCP/IP. The switch can be pinged from any IP workstation with which the switch is connected through the default VLAN (VLAN 1), as long as there is a physical path between the switch and the workstation. The terminal interface sends, three pings to the target station.

• Format - ping <ipaddr>
• Mode - Privileged EXEC and User EXEC

reload

This command resets the switch without powering it off. Reset means that all network connections are terminated and the boot code executes. The switch uses the stored configuration to initialize the switch. You are prompted to confirm that the reset should proceed. A successful reset is indicated by the LEDs on the switch.

• Format - reload
• Mode - Privileged EXEC

copy

This command uploads and downloads to/from the switch. Local URLs can be specified using tftp or xmodem. The following can be specified as the source file for uploading from the switch: startup configuration (nvram:startup-config), error log (nvram:errorlog), message log (nvram:msglog) and trap log (nvram:traplog). A URL is specified for the destination.

The command can also be used to download the startup configuration or code image by specifying the source as a URL and destination as nvram:startup-config or .system:image respectively.

The command can be used to the save the running configuration to nvram by specifying the source as system:running-config and the destination as nvram:startup-config. The command can also be used to download SSH key files as nvram:sshkey-rsa, nvram:sshkey-rsa2, and nvram:sshkey-dsa and http secure-server certificates as nvram:sslpem-root, nvram:sslpem-server, nvram:sslpem-dhweak, and nvram:sslpem-dhstrong.

• Default - none
• Format:
• copy nvram:startup-config <url>
• copy nvram:errorlog <url>
• copy nvram:msglog <url>
• copy nvram:traplog <url>
• copy <url> nvram:startup-config
• copy <url> system:image
• copy system:running-config nvram:startup-config
• copy <url> nvram:sslpem-root
• copy <url> nvram:sslpem-server
• copy <url> nvram:sslpem-dhweak
• copy <url> nvram:sslpem-dhstrong
• copy <url> nvram:sshkey-rsa1
• copy <url> nvram:sshkey-rsa2
• copy <url> nvram:sshkey-dsa

• Mode - Privileged EXEC

---

User Account Commands

These commands manage user accounts. The commands are divided into two functional groups:

• Show commands display switch settings, statistics, and other information.
• Configuration commands configure features and options of the switch. For every configuration command, there is a show command that displays the configuration setting.

disconnect

This command closes a telnet session.

• Format - disconnect {<sessionID> | all}
• Mode - Privileged EXEC

show loginsession

This command displays current telnet and serial port connections to the switch.

• Format - show loginsession
• Mode - Privileged EXEC



TABLE 5-39 Entry Definitions for show loginsession

Entry	Definition
ID	Login Session ID
User Name	The name the user will use to login using the serial port or Telnet. A new user may be added to the switch by entering a name in a blank entry. The user name may be up to 8 characters, and is not case sensitive. Two users are included as the factory default, ‘admin’ and ‘guest’.
Connection From	IP address of the telnet client machine or EIA-232 for the serial port connection.
Idle Time	Time this session has been idle.
Session Time	Total time this session has been connected.

show users

This command displays the configured user names and their settings. This command is only available for users with Read/Write privileges. The SNMPv3 fields will only be displayed if SNMP is available on the system.

• Format - show users
• Mode - Privileged EXEC



TABLE 5-40 Entry Definitions for show users

Entry	Description
User Name	The name the user will use to login using the serial port, Telnet or Web. A new user may be added to the switch by entering a name in a blank entry. The user name may be up to eight characters, and is not case sensitive. Two users are included as the factory default, ‘admin’ and ‘guest’
Access Mode	Shows whether the operator is able to change parameters on the switch (Read/Write) or is only able to view them (Read Only). As a factory default, the ‘admin’ user has Read/Write access and the ‘guest’ has Read Only access. There can only be one Read/ Write user and up to five Read Only users.
SNMPv3 Access Mode	This field displays the SNMPv3 Access Mode. If the value is set to Read-Write, the SNMPv3 user will be able to set and retrieve parameters on the system. If the value is set to ReadOnly, the SNMPv3 user will only be able to retrieve parameter information. The SNMPv3 access mode may be different than the CLI and Web access mode.
SNMPv3 Authentication	This field displays the authentication protocol to be used for the specified login user.
SNMPv3 Encryption	This field displays the encryption protocol to be used for the specified login user.

users name

This command adds a new user (account) if space permits. The account <username> can be up to eight characters in length. The name may be comprised of alphanumeric characters as well as the dash (‘-’) and underscore (‘_’). The <username> is not case-sensitive.

Six user names can be defined.

• Format - users name <username>
• Mode - Global Config

no users name

This command removes an operator.

• Format - no users name <username>
• Mode - Global Config

users passwd

This command is used to change a password. The password should not be more than eight alphanumeric characters in length. If a user is authorized for authentication or encryption is enabled, the password must be at least eight alphanumeric characters in length. The username and password are not case-sensitive. When a password is changed, a prompt will ask for the former password. If none, press enter.

• Default - no password
• Format - users passwd <username>
• Mode - Global Config

no users passwd

This command sets the password of an existing operator to blank. When a password is changed, a prompt will ask for the operator's former password. If none, press enter.

• Format - no users passwd <username>
• Mode - Global Config

users snmpv3 accessmode

This command specifies the snmpv3 access privileges for the specified login user. The valid accessmode values are readonly or readwrite. The <username> is the login user name for which the specified access mode applies. The default is readwrite for ‘admin’ user; readonly for all other users

• Default:
• admin - readwrite
• other - readonly

• Format - users snmpv3 accessmode <username> <readonly | readwrite>
• Mode - Global Config

no users snmpv3 accessmode

This command sets the snmpv3 access privileges for the specified login user as readwrite for the ‘admin’ user; readonly for all other users. The <username> is the login user name for which the specified access mode will apply.

• Format - no users snmpv3 accessmode <username>
• Mode - Global Config

users snmpv3 authentication

This command specifies the authentication protocol to be used for the specified login user. The valid authentication protocols are none, md5 or sha. If md5 or sha are specified, the user login password is also used as the snmpv3 authentication password and therefore must be at least eight characters in length. The <username> is the login user name associated with the authentication protocol.

• Default - no authentication
• Format - users snmpv3 authentication <username> <none | md5 | sha>
• Mode - Global Config

no users snmpv3 authentication

This command sets the authentication protocol to be used for the specified login user to none. The <username> is the login user name for which the specified authentication protocol will be used.

• Format - users snmpv3 authentication <username>
• Mode - Global Config

users snmpv3 encryption

This command specifies the encryption protocol to be used for the specified login user. The valid encryption protocols are des or none.

If des is specified, the required key may be specified on the command line. The encryption key must be 8 to 64 characters long. If the des protocol is specified but a key is not provided, the user will be prompted for the key. When using the des protocol, the user login password is also used as the snmpv3 encryption password and therefore must be at least eight characters in length.

If none is specified, a key must not be provided. The <username> is the login user name associated with the specified encryption.

• Default - no encryption
• Format - users snmpv3 encryption <username> <none | des[key]>
• Mode - Global Config

no users snmpv3 encryption

This command sets the encryption protocol to none. The <username> is the login user name for which the specified encryption protocol will be used.

• Format - no users snmpv3 encryption <username>
• Mode - Global Config

---

Port Based Network Access Control (IEEE 802.1X) Commands

This section provides a detailed explanation of the 802.1x commands. The commands are divided into the following groups:

• Configuration commands are used to configure features and options of the switch. For every configuration command there is a show command that will display the configuration setting.
• Show commands are used to display switch settings, statistics and other information.

authentication login

This command creates an authentication login list. The <listname> is up to 15 alphanumeric characters and is not case sensitive. Up to 10 authentication login lists can be configured on the switch. When a list is created, the authentication method “local” is set as the first method.

When the optional parameters “Option1”, “Option2” and/or “Option3” are used, an ordered list of methods are set in the authentication login list. If the authentication login list does not exist, a new authentication login list is first created and then the authentication methods are set in the authentication login list. The maximum number of authentication login methods is three. The possible method values are local, radius and reject.

The value of local indicates that the user’s locally stored ID and password are used for authentication. The value of radius indicates that the user’s ID and password will be authenticated using the RADIUS server. The value of reject indicates the user is never authenticated.

To authenticate a user, the authentication methods in the user’s login will be attempted in order until an authentication attempt succeeds or fails.

• Format - authentication login <listname> [method1 [method2 [method3]]]
• Mode - Global Config

no authentication login

This command deletes the specified authentication login list. The attempt to delete will fail if any of the following conditions are true:

• The login list name is invalid or does not match an existing authentication login list
• The specified authentication login list is assigned to any user or to the non configured user for any component
• The login list is the default login list included with the default configuration and was not created using ‘authentication login’. The default login list cannot be deleted.

Following are the format and mode for the no authentication login command:

• Format - no authentication login <listname>
• Mode - Global Config

clear dot1x statistics

This command resets the 802.1x statistics for the specified port or for all ports.

• Format - clear dot1x statistics { <slot/port> | all }
• Mode - Privileged EXEC

clear radius statistics

This command is used to clear all RADIUS statistics.

• Format - clear radius statistics
• Mode - Privileged EXEC

dot1x defaultlogin

This command assigns the authentication login list to use for non-configured users for 802.1x port security. This setting is over-ridden by the authentication login list assigned to a specific user if the user is configured locally. If this value is not configured, users will be authenticated using local authentication only.

• Format - dot1x defaultlogin <listname>
• Mode - Global Config

dot1x initialize

This command begins the initialization sequence on the specified port. This command is only valid if the control mode for the specified port is 'auto'. If the control mode is not 'auto' an error will be returned.

• Format - dot1x initialize <slot/port>
• Mode - Privileged EXEC

dot1x login

This command assigns the specified authentication login list to the specified user for 802.1x port security. The <user> parameter must be a configured user and the <listname> parameter must be a configured authentication login list.

• Format - dot1x login <user> <listname>
• Mode - Global Config

dot1x max-req

This command sets the maximum number of times the authenticator state machine on this port will transmit an EAPOL EAP Request/Identity frame before timing out the supplicant. The <count> value must be in the range 1-10.

• Default - 2
• Format - dot1x max-req <count>
• Mode - Interface Config

no dot1x max-req

This command sets the maximum number of times the authenticator state machine on this port will transmit an EAPOL EAP Request/Identity frame before timing out the supplicant.

• Format - no dot1x max-req
• Mode - Interface Config

dot1x port-control

This command sets the authentication mode to be used on the specified port. The control mode may be one of the following:

• force-unauthorized: The authenticator PAE unconditionally sets the controlled port to unauthorized.
• force-authorized: The authenticator PAE unconditionally sets the controlled port to authorized.
• auto: The authenticator PAE sets the controlled port mode to reflect the outcome of the authentication exchanges between the supplicant, authenticator and the authentication server.

Following are the format and mode for the dot1x port-control command.

• Default - auto
• Format - dot1x port-control {force-unauthorized | force-authorized | auto}
• Mode - Interface Config

no dot1x port-control

This command sets the authentication mode to be used on the specified port to 'auto'.

• Format - no dot1x port-control
• Mode - Interface Config

dot1x port-control All

This command sets the authentication mode to be used on all ports. The control mode may be one of the following.

• force-unauthorized: The authenticator PAE unconditionally sets the controlled port to unauthorized.
• force-authorized: The authenticator PAE unconditionally sets the controlled port to authorized.
• auto: The authenticator PAE sets the controlled port mode to reflect the outcome of the authentication exchanges between the supplicant, authenticator and the authentication server.

Following are the format and mode for the dot1x port-control All command.

• Default - auto
• Format - dot1x port-control all {force-unauthorized | force-authorized | auto}
• Mode - Global Config

no dot1x port-control All

This command sets the authentication mode to be used on all ports to 'auto'.

• Format - no dot1x port-control all
• Mode - Global Config

dot1x re-authenticate

This command begins the re-authentication sequence on the specified port. This command is only valid if the control mode for the specified port is 'auto'. If the control mode is not 'auto' an error will be returned.

• Format - dot1x re-authenticate <slot/port>
• Mode - Privileged EXEC

dot1x re-authentication

This command enables re-authentication of the supplicant for the specified port.

• Default - disabled
• Format - dot1x re-authentication
• Mode - Interface Config

no dot1x re-authentication

This command disables re-authentication of the supplicant for the specified port.

• Format - no dot1x re-authentication
• Mode - Interface Config

dot1x system-auth-control

This command is used to enable the dot1x authentication support on the switch. By default, the authentication support is disabled. While disabled, the dot1x configuration is retained and can be changed, but is not activated.

• Default - disabled
• Format - dot1x system-auth-control
• Mode - Global Config

no dot1x system-auth-control

This command is used to disable the dot1x authentication support on the switch.

• Format - no dot1x system-auth-control
• Mode - Global Config

dot1x timeout

This command sets the value, in seconds, of the timer used by the authenticator state machine on this port. Depending on the token used and the value (in seconds) passed, various timeout configurable parameters are set. The following tokens are supported.

• reauth-period: Sets the value, in seconds, of the timer used by the authenticator state machine on this port to determine when re-authentication of the supplicant takes place. The reauth-period must be a value in the range 1 - 65535.
• quiet-period: Sets the value, in seconds, of the timer used by the authenticator state machine on this port to define periods of time in which it will not attempt to acquire a supplicant. The quiet-period must be a value in the range 0 - 65535.
• tx-period: Sets the value, in seconds, of the timer used by the authenticator state machine on this port to determine when to send an EAPOL EAP Request/Identity frame to the supplicant. The quiet-period must be a value in the range 1 - 65535.
• supp-timeout: Sets the value, in seconds, of the timer used by the authenticator state machine on this port to timeout the supplicant. The supp-timeout must be a value in the range 1 - 65535.
• server-timeout: Sets the value, in seconds, of the timer used by the authenticator state machine on this port to timeout the authentication server. The supp-timeout must be a value in the range 1 - 65535.

Following are the format and mode for the dot1x timeout command.

• Defaults:
• reauth-period: 3600 seconds
• quiet-period: 60 seconds
• tx-period: 30 seconds
• supp-timeout: 30 seconds
• server-timeout: 30 seconds

• Format - dot1x timeout {{reauth-period <seconds>} | {quiet-period <seconds>} | {tx-period <seconds>} | {supp-timeout <seconds>} | {server-timeout <seconds>}}
• Mode - Interface Config

no dot1x timeout

This command sets the value, in seconds, of the timer used by the authenticator state machine on this port to the default values. Depending on the token used, the corresponding default values are set.

• Format - no dot1x timeout {reauth-period | quiet-period | tx-period | supp-timeout | server-timeout}
• Mode - Interface Config

dot1x user

This command adds the specified user to the list of users with access to the specified port or all ports. The <user> parameter must be a configured user.

• Format - dot1x user <user> {<slot/port> | all}
• Mode - Global Config

no dot1x user

This command removes the user from the list of users with access to the specified port or all ports.

• Format - no dot1x user <user> {<slot/port> | all}
• Mode - Global Config

show radius accounting

This command is used to display the configured RADIUS accounting mode, accounting server and the statistics for the configured accounting server.

• Format - show radius accounting [statistics <ipaddr>]
• Mode - Privileged EXEC

If the optional token statistics <ipaddr> is not included, then only the accounting mode and the RADIUS accounting server details are displayed.

If the optional token statistics <ipaddr> is included, the statistics for the configured RADIUS accounting server are displayed. The IP address parameter must match that of a previously configured RADIUS accounting server. The following information regarding the statistics of the RADIUS accounting server is displayed.

show authentication

This command displays the ordered authentication methods for all authentication login lists.

• Format - show authentication
• Mode - Privileged EXEC



TABLE 5-43 Entry Definitions for show authentication

Entry	Definition
Authentication Login List	This displays the authentication login listname.
Method 1	This displays the first method in the specified authentication login list, if any.
Method 2	This displays the second method in the specified authentication login list, if any.
Method 3	This displays the third method in the specified authentication login list, if any.

show authentication users

This command displays information about the users assigned to the specified authentication login list. If the login is assigned to non-configured users, the user “default” will appear in the user column.

• Format - show authentication users <listname>
• Mode - Privileged EXEC



TABLE 5-44 Entry Definitions for show authentication users

Entry	Definition
User	This field displays the user assigned to the specified authentication login list.
Component	This field displays the component (User or 802.1x) for which the authentication login list is assigned.

show dot1x

This command is used to show a summary of the global dot1x configuration, summary information of the dot1x configuration for a specified port or all ports, the detailed dot1x configuration for a specified port and the dot1x statistics for a specified port depending on the tokens used.

• Format - show dot1x [{summary {<slot/port> | all} | {detail <slot/port>} | {statistics <slot/port>}]
• Mode - Privileged EXEC

If none of the optional parameters are used, the global dot1x configuration summary is displayed.

If the optional parameter summary {<slot/port> | all} is used, the dot1x configuration for the specified port or all ports are displayed.

If the optional parameter detail <slot/port> is used, the detailed dot1x configuration for the specified port are displayed.

If the optional parameter statistics <slot/port> is used, the dot1x statistics for the specified port are displayed.

show dot1x users

This command displays 802.1x port security user information for locally configured users.

• Format - show dot1x users <slot/port>
• Mode - Privileged EXEC



TABLE 5-49 Entry Definitions for show dot1x users

Entry	Definition
User	Users configured locally to have access to the specified port.

show users authentication

This command displays all user and all authentication login information. It also displays the authentication login list assigned to the default user.

• Format - show users authentication
• Mode - Privileged EXEC



TABLE 5-50 Entry Definitions for show users authentication

Entry	Definition
User	This field lists every user that has an authentication login list assigned.
System Login	This field displays the authentication login list assigned to the user for system login.
802.1x Port Security	This field displays the authentication login list assigned to the user for 802.1x port security.

users defaultlogin

This command assigns the authentication login list to use for non-configured users when attempting to log in to the system. This setting is overridden by the authentication login list assigned to a specific user if the user is configured locally. If this value is not configured, users will be authenticated using local authentication only.

• Format - users defaultlogin <listname>
• Mode - Global Config

users login

This command assigns the specified authentication login list to the specified user for system login. The <user> must be a configured <user> and the <listname> must be a configured login list.

If the user is assigned a login list that requires remote authentication, all access to the interface from all CLI, web, and telnet sessions will be blocked until the authentication is complete.

Note that the login list associated with the ‘admin’ user can not be changed to prevent accidental lockout from the switch.

• Format - users login <user> <listname>
• Mode - Global Config

---

Remote Authentication Dial In User Service (RADIUS) Commands

This section provides a detailed explanation of the RADIUS commands. The commands are divided into the following groups:

• Configuration commands are used to configure features and options of the switch. For every configuration command there is a show command that will display the configuration setting.
• Show commands are used to display switch settings, statistics and other information.

radius accounting mode

This command is used to enable the RADIUS accounting function.

• Default - disabled
• Format - radius accounting mode
• Mode - Global Config

no radius accounting mode

This command is used to set the RADIUS accounting function to the default value; that is, the RADIUS accounting function is disabled.

• Format - no radius accounting mode
• Mode - Global Config

radius server host

This command is used to configure the RADIUS authentication and accounting server.

If the 'auth' token is used, the command configures the IP address to use to connect to a RADIUS authentication server. Up to 3 servers can be configured per RADIUS client. If the maximum number of configured servers is reached, the command will fail until one of the servers is removed by executing the no form of the command. If the optional <port> parameter is used, the command will configure the UDP port number to use to connect to the configured RADIUS server. In order to configure the UDP port number, the IP address must match that of a previously configured RADIUS authentication server. The port number must lie between 1-65535, with 1812 being the default value.

If the 'acct' token is used, the command configures the IP address to use for the RADIUS accounting server. Only a single accounting server can be configured. If an accounting server is currently configured, it must be removed from the configuration using the no form of the command before this command succeeds. If the optional <port> parameter is used, the command will configure the UDP port to use to connect to the RADIUS accounting server. The IP address specified must match that of a previously configured accounting server. If a port is already configured for the accounting server then the new port will replace the previously configured value. The port must be a value in the range 1 - 65535, with 1813 being the default value.

• Format - radius server host {auth | acct} <ipaddr> [<port>]
• Mode - Global Config

no radius server host

This command is used to remove the configured RADIUS authentication server or the RADIUS accounting server. If the 'auth' token is used, the previously configured RADIUS authentication server is removed from the configuration. Similarly, if the 'acct' token is used, the previously configured RADIUS accounting server is removed from the configuration. The <ipaddr> parameter must match the IP address of the previously configured RADIUS authentication / accounting server.

• Format - no radius server host {auth | acct} <ipaddress>
• Mode - Global Config

radius server key

This command is used to configure the shared secret between the RADIUS client and the RADIUS accounting / authentication server. Depending on whether the 'auth' or 'acct' token is used, the shared secret will be configured for the RADIUS authentication or RADIUS accounting server. The IP address provided must match a previously configured server. When this command is executed, the secret will be prompted. The secret must be an alphanumeric value not exceeding 20 characters.

• Format - radius server key {auth | acct} <ipaddr>
• Mode - Global Config

radius server msgauth

This command enables the message authenticator attribute for a specified server.

• Default - radius server msgauth <ipaddr>
• Mode - Global Config

radius server primary

This command is used to configure the primary RADIUS authentication server for this RADIUS client. The primary server is the one that is used by default for handling RADIUS requests. The remaining configured servers are only used if the primary server cannot be reached. A maximum of three servers can be configured on each client. Only one of these servers can be configured as the primary. If a primary server is already configured prior to this command being executed, the server specified by the IP address specified used in this command will become the new primary server. The IP address must match that of a previously configured RADIUS authentication server.

• Format - radius server primary <ipaddr>
• Mode - Global Config

radius server retransmit

This command sets the maximum number of times a request packet is re-transmitted when no response is received from the RADIUS server. The retries value is an integer in the range of 1 to 15.

• Default - 10
• Format - radius server retransmit <retries>
• Mode - Global Config

no radius server retransmit

This command sets the maximum number of times a request packet is re-transmitted, when no response is received from the RADIUS server, to the default value, 10.

• Format - no radius server retransmit
• Mode - Global Config

radius server timeout

This command sets the timeout value (in seconds) after which a request must be retransmitted to the RADIUS server if no response is received. The timeout value is an integer in the range of 1 to 30.

• Default - 6
• Format - radius server timeout <seconds>
• Mode - Global Config

no radius server timeout

This command sets the timeout value (in seconds) after which a request must be retransmitted to the RADIUS server if no response is received, to the default value, 6.

• Format - no radius server timeout
• Mode - Global Config

show radius

This command is used to display the various RADIUS configuration items for the switch as well as the configured RADIUS servers. If the optional token servers is not included, the following RADIUS configuration items will be displayed.

• Format - show radius [servers]
• Mode - Privileged EXEC



TABLE 5-51 Entry Definitions for show radius With Token servers Not Included

Entry	Definition
Primary Server IP Address	Indicates the configured server currently in use for authentication
Number of configured servers	The configured IP address of the authentication server
Max number of retransmits	The configured value of the maximum number of times a request packet is retransmitted
Timeout Duration	The configured timeout value, in seconds, for request re-transmissions
Accounting Mode	Yes or No

If the optional token 'servers' is included, the following information regarding the configured RADIUS servers is displayed.

show radius statistics

This command is used to display the statistics for RADIUS or configured server . To show the configured RADIUS server statistic, the IP Address specified must match that of a previously configured RADIUS server. On execution, the following fields are displayed.

• Format - show radius statistics [ipaddr]
• Mode - Privileged EXEC

If the IP address is not specified only the Invalid Server Address field is displayed. Otherwise other listed fields are displayed.

---

Secure Shell (SSH) Commands

This section provides a detailed explanation of the SSH commands. The commands are divided into the following groups:

• Configuration commands are used to configure features and options of the switch. For every configuration command there is a show command that will display the configuration setting.
• Show commands are used to display switch settings, statistics and other information.

ip ssh

This command is used to enable SSH.

• Default - disabled
• Format - ip ssh
• Mode - Privileged EXEC

no ip ssh

This command is used to disable SSH.

• Format - no ip ssh
• Mode - Privileged EXEC

ip ssh protocol

This command is used to set or remove protocol levels (or versions) for SSH. Either SSH1 (1), SSH2 (2), or both SSH 1 and SSH 2 (1 and 2) can be set.

• Default - 1 and 2
• Format - ip ssh protocol [1] [2]
• Mode - Privileged EXEC

show ip ssh

This command displays the SSH settings.

• Format - show ip ssh
• Mode - Privileged EXEC



TABLE 5-54 Entry Definitions for show ip ssh

Entry	Definition
Administrative Mode	This field indicates whether the administrative mode of SSH is enabled or disabled.
Protocol Level	The protocol level may have the values of version 1, version 2 or both versions 1 and version 2.
Connections	This field specifies the current SSH connections.

---

Hypertext Transfer Protocol (HTTP) Commands

This section provides a detailed explanation of the HTTP commands. The commands are divided into the following groups:

• Configuration commands are used to configure features and options of the switch. For every configuration command there is a show command that will display the configuration setting.
• Show commands are used to display switch settings, statistics and other information.

ip http secure-port

This command is used to set the sslt port where port can be 1-65535 and the default is port 443.

• Default - 443
• Format - ip http secure-port <portid>
• Mode - Privileged EXEC

no ip http secure-port

This command is used to reset the sslt port to the default value.

• Format - no ip http secure-port
• Mode - Privileged EXEC

ip http secure-protocol

This command is used to set protocol levels (versions). The protocol level can be set to TLS1, SSL3 or to both TLS1 and SSL3.

• Default - SSL3 and TLS1
• Format - ip http secure-protocol [SSL3] [TLS1]
• Mode - Privileged EXEC

ip http secure-server

This command is used to enable the secure socket layer for secure HTTP.

• Default - disabled
• Format - ip http secure-server
• Mode - Privileged EXEC

no ip http secure-server

This command is used to disable the secure socket layer for secure HTTP.

• Format - ip http secure-server
• Mode - Privileged EXEC

ip http server

This command enables access to the switch through the Web interface. When access is enabled, the user can login to the switch from the Web interface. When access is disabled, the user cannot login to the switch's Web server.

Disabling the Web interface takes effect immediately. All interfaces are effected.

• Default - enabled
• Format - ip http server
• Mode - Privileged EXEC

no ip http server

This command disables access to the switch through the Web interface. When access is disabled, the user cannot login to the switch's Web server.

• Format - no ip http server
• Mode - Privileged EXEC

show ip http

This command displays the http settings for the switch.

• Format - show ip http
• Mode - Privileged EXEC



TABLE 5-55 Entry Definitions for show ip http

Entry	Definition
Secure-Server Administrative Mode	This field indicates whether the administrative mode of secure HTTP is enabled or disabled.
Secure Protocol Level	The protocol level may have the values of SSL3, TSL1, or both SSL3 and TSL1.
Secure Port	This field specifies the port configured for SSLT.
HTTP Mode	This field indicates whether the HTTP mode is enabled or disabled.

---

DHCP Server Commands

These commands configure the DHCP Server parameters and address pools. The commands are divided by functionality into these different groups:

• Configuration Commands are used to configure features and options of the switch. For every configuration command there is a show command that will display the configuration setting.
• Show commands are used to display switch settings, statistics and other information.
• Clear commands clear some or all of the settings to factory defaults.

client-identifier

This command specifies the unique identifier for a DHCP client. Unique-identifier is a valid notation in hexadecimal format. In some systems, such as Microsoft DHCP clients, the client identifier is required instead of hardware addresses. The unique-identifier is a concatenation of the media type and the MAC address. For example, the Microsoft client identifier for Ethernet address c819.2488.f177 is 01c8.1924.88f1.77 where 01 represents the Ethernet media type. Refer to the "Address Resolution Protocol Parameters" section of RFC 1700, Assigned Numbers for a list of media type codes.

• Default - None
• Format - client-identifier <uniqueidentifier>
• Mode - DHCP Pool Config

no client-identifier

This command deletes the client identifier.

• Format - no client-identifier
• Mode - DHCP Pool Config

client-name

This command specifies the name for a DHCP client. Name is a string consisting of standard ASCII characters.

• Default - None
• Format - client-name <name>
• Mode - DHCP Pool Config

no client-name

This command removes the client name.

• Format - no client-name
• Mode - DHCP Pool Config

default-router

This command specifies the default router list for a DHCP client. {address1, address2... address8} are valid IP addresses, each made up of four decimal bytes ranging from 0 to 255. IP address 0.0.0.0 is invalid.

• Default - None
• Format - default-router <address1> [<address2>....<address8>]
• Mode - DHCP Pool Config

no default-router

This command removes the default router list.

• Format - no default-router
• Mode - DHCP Pool Config

dns-server

This command specifies the IP servers available to a DHCP client. Address parameters are valid IP addresses; each made up of four decimal bytes ranging from 0 to 255. IP address 0.0.0.0 is invalid.

• Default - none
• Format - dns-server <address1> [<address2>....<address8>]
• Mode - DHCP Pool Config

no dns-server

This command removes the DNS Server list.

• Format - no dns-server
• Mode - DHCP Pool Config

hardware-address

This command specifies the hardware address of a DHCP client.

Hardware-address is the MAC address of the hardware platform of the client consisting of 6 bytes in dotted hexadecimal format.

Type indicates the protocol of the hardware platform. It is 1 for 10 MB Ethernet and 6 for IEEE 802.

• Default - ethernet
• Format - hardware-address <hardwareaddress> [type]
• Mode - DHCP Pool Config

no hardware-address

This command removes the hardware address of the DHCP client.

• Format - no hardware-address
• Mode - DHCP Pool Config

host

This command specifies the IP address and network mask for a manual binding to a DHCP client. Address and Mask are valid IP addresses; each made up of four decimal bytes ranging from 0 to 255. IP address 0.0.0.0 is invalid.

The prefix-length is an integer from 0 to 32.

• Default - none
• Format - host <address> [mask | prefix-length]
• Mode - DHCP Pool Config

no host

This command removes the IP address of the DHCP client.

• Format - no host
• Mode - DHCP Pool Config

ip dhcp excluded-address

This command specifies the IP addresses that a DHCP server should not assign to DHCP clients. Low-address and high-address are valid IP addresses; each made up of four decimal bytes ranging from 0 to 255. IP address 0.0.0.0 is invalid.

• Default - none
• Format - ip dhcp excluded-address <lowaddress> [highaddress]
• Mode - Global Config

no ip dhcp excluded-address

This command removes the excluded IP addresses for a DHCP client. Low-address and high-address are valid IP addresses; each made up of four decimal bytes ranging from 0 to 255. IP address 0.0.0.0 is invalid.

• Format - no ip dhcp excluded-address <lowaddress> [highaddress]
• Mode - Global Config

ip dhcp ping packets

This command is used to specify the number in a range from 2-10, of packets a DHCP server sends to a pool address as part of a ping operation. Setting the number of ping packets to 0 is the same as ‘no ip dhcp ping packets’ and will prevent the server from pinging pool addresses.

• Default - 2
• Format - ip dhcp ping packets <0,2-10>
• Mode - Global Config

no ip dhcp ping packets

This command prevents the server from pinging pool addresses and will set the number of packets to 0.

• Default - 0
• Format - no ip dhcp ping packets
• Mode - Global Config

ip dhcp pool

This command configures a DHCP address pool name on a DHCP server and enters DHCP pool configuration mode.

• Default - none
• Format - ip dhcp pool <name>
• Mode - Global Config Mode

no ip dhcp pool

This command removes the DHCP address pool. The name should be previously configured pool name.

• Format - no ip dhcp pool <name>
• Mode - Global Config Mode

lease

This command configures the duration of the lease for an IP address that is assigned from a DHCP server to a DHCP client. The overall lease time should be between 1-86400 minutes. If infinite is specified, lease is set for 60 days. Days is an integer from 0 to 59. Hours is an integer from 0 to 1439. Minutes is an integer from 0 to 86399.

• Default - 1 (day)
• Format - lease {[<days> [hours] [minutes]] | [infinite]}
• Mode - DHCP Pool Config

no lease

This command restores the default value of the lease time for DHCP Server.

• Format - no lease
• Mode - DHCP Pool Config

network

This command is used to configure the subnet number and mask for a DHCP address pool on the server. Network-number is a valid IP address, made up of four decimal bytes ranging from 0 to 255. IP address 0.0.0.0 is invalid. Mask is the IP subnet mask for the specified address pool. The prefix-length is an integer from 0 to 32.

• Default - none
• Format - network <networknumber> [mask | prefixlength]
• Mode - DHCP Pool Config

no network

This command removes the subnet number and mask.

• Format - no network
• Mode - DHCP Pool Config

service dhcp

This command enables the DHCP server and relay agent features on the router.

• Default - disabled
• Format - service dhcp
• Mode - Global Config

no service dhcp

This command disables the DHCP server and relay agent features.

• Format - no service dhcp
• Mode - Global Config

bootfile

The command specifies the name of the default boot image for a DHCP client. The <filename> specifies the boot image file.

• Default - none
• Format - bootfile <filename>
• Mode - DHCP Pool Config

no bootfile

This command deletes the boot image name.

• Format - no bootfile
• Mode - DHCP Pool Config

domain-name

This command specifies the domain name for a DHCP client. The <domain> specifies the domain name string of the client.

• Default - none
• Format - domain-name <domain>
• Mode - DHCP Pool Config

no domain-name

This command removes the domain name.

• Format - no domain-name
• Mode - DHCP Pool Config

ip dhcp bootp automatic

This command enables the allocation of the addresses to the bootp client. The addresses are from the automatic address pool.

• Default - disable
• Format - ip dhcp bootp automatic
• Mode - Global Config

no ip dhcp bootp automatic

This command disables the allocation of the addresses to the bootp client. The address are from the automatic address pool.

• Format - no ip dhcp bootp automatic
• Mode - Global Config

ip dhcp conflict logging

This command enables conflict logging on DHCP server.

• Default - enabled
• Format - ip dhcp conflict logging
• Mode - Global Config

no ip dhcp conflict logging

This command disables conflict logging on DHCP server.

• Format - no ip dhcp conflict logging
• Mode - Global Config