value being greater than or equal to “(Bridge Max Age / 2) + 1”.

Default	15
Format	spanning-tree forward-time <4-30>
Mode	Global Config

no spanning-tree forward-time

This command sets the Bridge Forward Delay parameter for the common and internal spanning tree to the default value, 15.

Format	no spanning-tree forward-time
Mode	Global Config

spanning-tree hello-time

This command sets the Admin Hello Time parameter to a new value for the common and internal spanning tree. The hellotime <value> is in whole seconds within a range of 1 to 10 with the value being less than or equal to "(Bridge Max Age / 2) - 1".

Default	2
Format	spanning-tree hello-time <1-10>
Mode	Interface Config

no spanning-tree hello-time

This command sets the admin Hello Time parameter for the common and internal spanning tree to the default value.

Format	no spanning-tree hello-time
Mode	Interface Config

spanning-tree max-age

This command sets the Bridge Max Age parameter to a new value for the common and internal spanning tree. The max-age value is in seconds within a range of 6 to 40, with the value being less than or equal to "2 times - (Bridge Forward Delay - 1)".

Default	20
Format	spanning-tree max-age <6-40>
Mode	Global Config

no spanning-tree max-age

This command sets the Bridge Max Age parameter for the common and internal spanning tree to the default value, 20.

Format	no spanning-tree max-age
Mode	Global Config

spanning-tree max-hops

This command sets the MSTP Max Hops parameter to a new value for the common and internal spanning tree. The max-hops value is a range from 1 to 127.

Default	20
Format	spanning-tree max-hops <1-127>
Mode	Global Config

no spanning-tree max-hops

This command sets the Bridge Max Hops parameter for the common and internal spanning tree to the default value.

Format	no spanning-tree max-hops
Mode	Global Config

spanning-tree mst

This command sets the Path Cost or Port Priority for this port within the multiple spanning tree instance or in the common and internal spanning tree. If you specify an <mstid> parameter that corresponds to an existing multiple spanning tree instance, the configurations are done for that multiple spanning tree instance. If you specify 0 (defined as the default CIST ID) as the <mstid>, the configurations are done for the common and internal spanning tree instance.

If you specify the cost option, the command sets the path cost for this port within a multiple spanning tree instance or the common and internal spanning tree instance, depending on the <mstid> parameter. You can set the path cost as a number in the range of 1 to 200000000 or auto. If you select auto the path cost value is set based on Link Speed.

If you specify the external-cost option, this command sets the external-path cost for MST instance ‘0’ i.e. CIST instance. You can set the external cost as a number in the range of 1 to 200000000 or auto. If you specify auto, the external path cost value is set based on Link Speed.

If you specify the port-priority option, this command sets the priority for this port within a specific multiple spanning tree instance or the common and internal spanning tree instance, depending on the <mstid> parameter. The port-priority value is a number in the range of 0 to 240 in increments of 16.

Default	cost--auto external-cost--auto port-priority--128
Format	spanning-tree mst <mstid> {{cost <1-200000000> | auto} | {external-cost <1-200000000> | auto} | port-priority <0-240>}
Mode	Interface Config

no spanning-tree mst

This command sets the Path Cost or Port Priority for this port within the multiple spanning tree instance, or in the common and internal spanning tree to the respective default values. If you specify an <mstid> parameter that corresponds to an existing multiple spanning tree instance, you are configuring that multiple spanning tree instance. If you specify 0 (defined as the default CIST ID) as the <mstid>, you are configuring the common and internal spanning tree instance.

If the you specify cost, this command sets the path cost for this port within a multiple spanning tree instance or the common and internal spanning tree instance, depending on the <mstid> parameter, to the default value, i.e. a path cost value based on the Link Speed.

If you specify external-cost, this command sets the external path cost for this port for mst ‘0’ instance, to the default value, i.e. a path cost value based on the Link Speed.

If you specify port-priority, this command sets the priority for this port within a specific multiple spanning tree instance or the common and internal spanning tree instance, depending on the <mstid> parameter, to the default value.

Format	no spanning-tree mst <mstid> <cost | external-cost | port-priority>
Mode	Interface Config

spanning-tree mst instance

This command adds a multiple spanning tree instance to the switch. The instance <mstid> is a number within a range of 1 to 4094, that corresponds to the new instance ID to be added. The maximum number of multiple instances supported by FASTPATH is 4.

Default	none
Format	spanning-tree mst instance <mstid>
Mode	Global Config

no spanning-tree mst instance

This command removes a multiple spanning tree instance from the switch and reallocates all VLANs allocated to the deleted instance to the common and internal spanning tree. The instance <mstid> is a number that corresponds to the desired existing multiple spanning tree instance to be removed.

Format	no spanning-tree mst instance <mstid>
Mode	Global Config

spanning-tree mst priority

This command sets the bridge priority for a specific multiple spanning tree instance. The parameter <mstid> is a number that corresponds to the desired existing multiple spanning tree instance. The priority value is a number within a range of 0 to 61440 in increments of 4096.

If you specify 0 (defined as the default CIST ID) as the <mstid>, this command sets the Bridge Priority parameter to a new value for the common and internal spanning tree. The bridge priority value is a number within a range of 0 to 61440. The twelve least significant bits are masked according to the 802.1s specification. This causes the priority to be rounded down to the next lower valid priority.

Default	32768
Format	spanning-tree mst priority <mstid> <0-61440>
Mode	Global Config

no spanning-tree mst priority

This command sets the bridge priority for a specific multiple spanning tree instance to the default value. The parameter <mstid> is a number that corresponds to the desired existing multiple spanning tree instance.

If 0 (defined as the default CIST ID) is passed as the <mstid>, this command sets the Bridge Priority parameter for the common and internal spanning tree to the default value.

Format	spanning-tree mst priority <mstid>
Mode	Global Config

spanning-tree mst vlan

This command adds an association between a multiple spanning tree instance and a VLAN so that the VLAN is no longer associated with the common and internal spanning tree. The parameter <mstid> is a number that corresponds to the desired existing multiple spanning tree instance. The <vlanid> corresponds to an existing VLAN ID.

Format	spanning-tree mst vlan <mstid> <vlanid>
Mode	Global Config

no spanning-tree mst vlan

This command removes an association between a multiple spanning tree instance and a VLAN so that the VLAN is again be associated with the common and internal spanning tree. The parameter <mstid> is a number that corresponds to the desired existing multiple spanning tree instance. The <vlanid> corresponds to an existing VLAN ID.

Format	no spanning-tree mst vlan <mstid> <vlanid>
Mode	Global Config

no spanning-tree port mode

This command sets the Administrative Switch Port State for this port to disabled.

Format	no spanning-tree port mode
Mode	Interface Config

spanning-tree port mode all

This command sets the Administrative Switch Port State for all ports to enabled.

Default	disabled
Format	spanning-tree port mode all
Mode	Global Config

no spanning-tree port mode all

This command sets the Administrative Switch Port State for all ports to disabled.

Format	no spanning-tree port mode all
Mode	Global Config

show spanning-tree

This command displays spanning tree settings for the common and internal spanning tree. The following details are displayed.

Format	show spanning-tree
Modes	Privileged EXEC User EXEC

TABLE 0-1 Entry Definitions for show spanning-tree Without brief Parameter

Entry	Definition
Bridge Priority	Specifies the bridge priority for the Common and Internal Spanning tree (CST). The value lies between 0 and 61440. It is displayed in multiples of 4096.
Bridge Identifier	The bridge identifier for the CST. It is made up using the bridge priority and the base MAC address of the bridge.
Time Since Topology Change	Time in seconds.
Topology Change Count	Number of times changed.
Topology Change	Boolean value of the Topology Change parameter for the switch indicating if a topology change is in progress on any port assigned to the common and internal spanning tree.
Designated Root	The bridge identifier of the root bridge. It is made up from the bridge priority and the base MAC address of the bridge.
Root Path Cost	Value of the Root Path Cost parameter for the common and internal spanning tree.
Root Port Identifier	Identifier of the port to access the Designated Root for the CST.
Root Port Max Age	Derived value.
Root Port Bridge Forward Delay	Derived value.
Hello Time	Configured value of the parameter for the CST.
Bridge Hold Time	Minimum time between transmission of Configuration Bridge Protocol Data Units (BPDUs)
Bridge Max Hops	Bridge max-hops count for the device.
CST Regional Root	Bridge Identifier of the CST Regional Root. It is made up using the bridge priority and the base MAC address of the bridge.
Regional Root Path Cost	Path Cost to the CST Regional Root.
Associated FIDs	List of forwarding database identifiers currently associated with this instance.
Associated VLANs	List of VLAN IDs currently associated with this instance.

show spanning-tree brief

When the “brief” optional parameter is included, this command displays spanning tree settings for the bridge.

Format	show spanning-tree brief
Modes	Privileged EXEC User EXEC

This command displays spanning tree settings for the bridge. The following information appears.

TABLE 0-2 Entry Definitions for show spanning-tree With brief Parameter

Bridge Priority	Configured Value
Bridge Identifier	The bridge identifier for the selected MST instance. It is made up using the bridge priority and the base MAC address of the bridge.
Bridge Max Age	Configured value.
Bridge Max Hops	Bridge max-hops count for the device.
Bridge Hello Time	Configured value.
Bridge Forward Delay	Configured value.
Bridge Hold Time	Minimum time between transmission of Configuration Bridge Protocol Data Units (BPDUs)

show spanning-tree interface

This command displays the settings and parameters for a specific switch port within the common and internal spanning tree. The <slot/port> is the desired switch port. The following details are displayed on execution of the command.

Format	show spanning-tree interface <slot/port>
Modes	Privileged EXEC User EXEC

TABLE 3-1 Entry Definitions for show spanning-tree interface

Entry	Definition
Hello Time	Admin hello time for this port.
Port Mode	Enabled or disabled.
Port Up Time Since Counters Last Cleared	Time since port was reset, displayed in days, hours, minutes, and seconds.
STP BPDUs Transmitted	Spanning Tree Protocol Bridge Protocol Data Units sent
STP BPDUs Received	Spanning Tree Protocol Bridge Protocol Data Units received.
RST BPDUs Transmitted	Rapid Spanning Tree Protocol Bridge Protocol Data Units sent
RST BPDUs Received	Rapid Spanning Tree Protocol Bridge Protocol Data Units received.
MSTP BPDUs Transmitted	Multiple Spanning Tree Protocol Bridge Protocol Data Units sent
MSTP BPDUs Received	Multiple Spanning Tree Protocol Bridge Protocol Data Units received.

show spanning-tree mst port detailed

This command displays the detailed settings and parameters for a specific switch port within a particular multiple spanning tree instance. The parameter <mstid> is a number that corresponds to the desired existing multiple spanning tree instance. The <slot/port> is the desired switch port.

Format	show spanning-tree mst port detailed <mstid> <slot/port>
Mode	Privileged EXEC User EXEC

TABLE 3-2 Entry Definitions for show spanning-tree mst port detailed

Entry	Definition
MST Instance ID	The ID of the existing MST instance.
Port Identifier	The port identifier for the specified port within the selected MST instance. It is made up from the port priority and the interface number of the port.
Port Priority	The priority for a particular port within the selected MST instance. The port priority is displayed in multiples of 16.
Port Forwarding State	Current spanning tree state of this port.
Port Role	Each enabled MST Bridge Port receives a Port Role for each spanning tree. The port role is one of the following values: Root Port, Designated Port, Alternate Port, Backup Port, Master Port or Disabled Port
Auto-Calculate Port Path Cost	This indicates whether auto calculation for port path cost is enabled.
Port Path Cost	Configured value of the Internal Port Path Cost parameter.
Auto-Calculate External Port Path Cost	This indicates whether auto calculation for external port path cost is enabled.
External Port Path Cost	Configured value of the external Port Path Cost parameter.
Designated Root	The Identifier of the designated root for this port.
Designated Port Cost	Path Cost offered to the LAN by the Designated Port
Designated Bridge	Bridge Identifier of the bridge with the Designated Port.
Designated Port Identifier	Port on the Designated Bridge that offers the lowest cost to the LAN.

If you specify 0 (defined as the default CIST ID) as the <mstid>, this command displays the settings and parameters for a specific switch port within the common and internal spanning tree. The <slot/port> is the desired switch port. In this case, the following are displayed.

TABLE 3-3 Entry Definitions for show spanning-tree mst port detailed if 0 is Passed as the <mtsid>

Entry	Definition
Port Identifier	The port identifier for this port within the CST.
Port Priority	The priority of the port within the CST.
Port Forwarding State	The forwarding state of the port within the CST.
Port Role	The role of the specified interface within the CST.
Port Path Cost	The configured path cost for the specified interface.
Designated Root	Identifier of the designated root for this port within the CST.
Designated Port Cost	Path Cost offered to the LAN by the Designated Port.
Designated Bridge	The bridge containing the designated port
Designated Port Identifier	Port on the Designated Bridge that offers the lowest cost to the LAN
Topology Change Acknowledgement	Value of flag in next Configuration Bridge Protocol Data Unit (BPDU) transmission indicating if a topology change is in progress for this port.
Hello Time	The hello time in use for this port.
Edge Port	The configured value indicating if this port is an edge port.
Edge Port Status	The derived value of the edge port status. True if operating as an edge port; false otherwise.
Point To Point MAC Status	Derived value indicating if this port is part of a point to point link.
CST Regional Root	The regional root identifier in use for this port.
CST Port Cost	The configured path cost for this port.

show spanning-tree mst port summary

This command displays the settings of one or all ports within the specified multiple spanning tree instance. The parameter <mstid> indicates a particular MST instance. The parameter {<slot/port> | all} indicates the desired switch port or all ports.

If you specify 0 (defined as the default CIST ID) as the <mstid>, the status summary displays for one or all ports within the common and internal spanning tree.

Format	show spanning-tree mst port summary <mstid> {<slot/port> | all}
Modes	Privileged EXEC User EXEC

TABLE 3-4 Entry Definitions for show spanning-tree mst port summary

Entry	Definition
MST Instance ID	The MST instance associated with this port.
Interface	Valid slot and port number separated by forward slashes.
Type	Currently not used.
STP State	The forwarding state of the port in the specified spanning tree instance
Port Role	The role of the specified port within the spanning tree.
Link Status	The operational status of the link. Possible values are “Up” or “Down”.
Link Trap	The link trap configuration for the specified interface.

show spanning-tree mst summary

This command displays summary information about all multiple spanning tree instances in the switch. On execution, the following details are displayed.

Format	show spanning-tree mst summary
Modes	Privileged EXEC User EXEC

TABLE 3-5 Entry Definitions for show spanning-tree mst summary

Entry	Definition
MST Instance ID List	List of multiple spanning trees IDs currently configured.

For each MSTID, the following will be displayed.

TABLE 3-6 Entry Definitions for show spanning-tree mst summary for Each MTSID

Display	Definition
Associated FIDs	List of forwarding database identifiers associated with this instance.
Associated VLANs	List of VLAN IDs associated with this instance.

show spanning-tree summary

This command displays spanning tree settings and parameters for the switch. The following details are displayed on execution of the command.

Format	show spanning-tree summary
Modes	Privileged EXEC User EXEC

TABLE 3-7 Entry Definitions for show spanning-tree summary

Entry	Definition
Spanning Tree Adminmode	Enabled or disabled.
Spanning Tree Version	Version of 802.1 currently supported (IEEE 802.1s, IEEE 802.1w, or IEEE 802.1d) based upon the Force Protocol Version parameter.
Configuration Name	Identifier used to identify the configuration currently being used.
Configuration Revision Level	Identifier used to identify the configuration currently being used.
Configuration Digest Key	Identifier used to identify the configuration currently being used.
MST Instances	List of all multiple spanning tree instances configured on the switch

show spanning-tree vlan

This command displays the association between a VLAN and a multiple spanning tree instance. The <vlanid> corresponds to an existing VLAN ID.

Format	show spanning-tree vlan <vlanid>
Modes	Privileged EXEC User EXEC

TABLE 3-8 Entry Definitions for show spanning-tree vlan

Entry	Definition
VLAN Identifier	VLANs associated with the selected MST instance.
Associated Instance	Identifier for the associated multiple spanning tree instance or "CST" if associated with the common and internal spanning tree

---

Virtual LAN (VLAN) Commands

This section describes the commands you use to configure VLAN settings.

vlan database

This command gives you access to the VLAN Config mode, which allows you to configure VLAN characteristics.

Format	vlan database
Mode	Privileged EXEC

network mgmt_vlan

This command configures the Management VLAN ID.

Default	1
Format	network mgmt_vlan <1-4069>
Mode	Privileged EXEC

no network mgmt_vlan

This command sets the Management VLAN ID to the default.

Format	no network mgmt_vlan
Mode	Privileged EXEC

vlan

This command creates a new VLAN and assigns it an ID. The ID is a valid VLAN identification number (ID 1 is reserved for the default VLAN). VLAN range is 2-3965.

Format	vlan <2-3965>
Mode	VLAN Config

no vlan

This command deletes an existing VLAN. The ID is a valid VLAN identification number (ID 1 is reserved for the default VLAN). VLAN range is 2-3965.

Format	no vlan <2-3965>
Mode	VLAN Config

vlan acceptframe

This command sets the frame acceptance mode per interface. For VLAN Only mode, untagged frames or priority frames received on this interface are discarded. For Admit All mode, untagged frames or priority frames received on this interface are accepted and assigned the value of the interface VLAN ID for this port. With either option, VLAN tagged frames are forwarded in accordance with the IEEE 802.1Q VLAN Specification.

Default	all
Format	vlan acceptframe {vlanonly | all}
Mode	Interface Config

no vlan acceptframe

This command sets the frame acceptance mode per interface to Admit All. For Admit All mode, untagged frames or priority frames received on this interface are accepted and assigned the value of the interface VLAN ID for this port. With either option, VLAN tagged frames are forwarded in accordance with the IEEE 802.1Q VLAN Specification.

Format	vlan acceptframe {vlanonly | all}
Mode	Interface Config

vlan ingressfilter

This command enables ingress filtering. If ingress filtering is disabled, frames received with VLAN IDs that do not match the VLAN membership of the receiving interface are admitted and forwarded to ports that are members of that VLAN.

Default	disabled
Format	vlan ingressfilter
Mode	Interface Config

no vlan ingressfilter

This command disables ingress filtering. If ingress filtering is disabled, frames received with VLAN IDs that do not match the VLAN membership of the receiving interface are admitted and forwarded to ports that are members of that VLAN.

Format	no vlan ingressfilter
Mode	Interface Config

vlan makestatic

This command changes a dynamically created VLAN (one that is created by GVRP registration) to a static VLAN (one that is permanently configured and defined). The ID is a valid VLAN identification number. VLAN range is 2-3965.

Format	vlan makestatic <2-3965>
Mode	VLAN Config

vlan name

This command changes the name of a VLAN. The name is an alphanumeric string of up to 32 characters, and the ID is a valid VLAN identification number. ID range is 1-4094.

Default	VLAN ID 1 - default other VLANS - blank string
Format	vlan name <2-3965> <name>
Mode	VLAN Config

no vlan name

This command sets the name of a VLAN to a blank string. The VLAN ID is a vailid VLAN identification number. ID range is 1-4094.

Format	no vlan name <2-3965>
Mode	VLAN Config

vlan participation

This command configures the degree of participation for a specific interface in a VLAN. The ID is a valid VLAN identification number, and the interface is a valid interface number.

Format	vlan participation {exclude | include | auto} <1-4094>
Mode	Interface Config

Participation options are as follows.

TABLE 3-9 Entry Definitions for vlan participation

Entry	Definition
include	The interface is always a member of this VLAN. This is equivalent to registration fixed.
exclude	The interface is never a member of this VLAN. This is equivalent to registration forbidden.
auto	The interface is dynamically registered in this VLAN by GVRP. The interface will not participate in this VLAN unless a join request is received on this interface. This is equivalent to registration normal.

vlan participation all

This command configures the degree of participation for all interfaces in a VLAN. The ID is a valid VLAN identification number.

Format	vlan participation all {exclude | include | auto} <1-4094>
Mode	Global Config

Participation options are as follows.

TABLE 3-10 Entry Definitions for vlan participation all

Entry	Definition
include	The interface is always a member of this VLAN. This is equivalent to registration fixed.
exclude	The interface is never a member of this VLAN. This is equivalent to registration forbidden.
auto	The interface is dynamically registered in this VLAN by GVRP. The interface will not participate in this VLAN unless a join request is received on this interface. This is equivalent to registration normal.

vlan port acceptframe all

This command sets the frame acceptance mode for all interfaces. For VLAN Only mode, untagged frames or priority frames received on this interface are discarded. For Admit All mode, untagged frames or priority frames received on this interface are accepted and assigned the value of the interface VLAN ID for this port. With either option, VLAN tagged frames are forwarded in accordance with the IEEE 802.1Q VLAN Specification.

Default	all
Format	vlan port acceptframe all {vlanonly | all}
Mode	Global Config

no vlan port acceptframe all

This command sets the frame acceptance mode for all interfaces to Admit All. For Admit All mode, untagged frames or priority frames received on this interface are accepted and assigned the value of the interface VLAN ID for this port. With either option, VLAN tagged frames are forwarded in accordance with the IEEE 802.1Q VLAN Specification.

Format	no vlan port acceptframe all
Mode	Global Config

vlan port ingressfilter all

This command enables ingress filtering for all ports. If ingress filtering is disabled, frames received with VLAN IDs that do not match the VLAN membership of the receiving interface are admitted and forwarded to ports that are members of that VLAN.

Default	disabled
Format	vlan port ingressfilter all
Mode	Global Config

no vlan port ingressfilter all

This command disables ingress filtering for all ports. If ingress filtering is disabled, frames received with VLAN IDs that do not match the VLAN membership of the receiving interface are admitted and forwarded to ports that are members of that VLAN.

Format	no vlan port ingressfilter all
Mode	Global Config

vlan port pvid all

This command changes the VLAN ID for all interface.

Default	1
Format	vlan port pvid all <1-4094>
Mode	Global Config

no vlan port pvid all

This command sets the VLAN ID for all interfaces to 1.

Format	no vlan port pvid all
Mode	Global Config

vlan port tagging all

This command configures the tagging behavior for all interfaces in a VLAN to enabled. If tagging is enabled, traffic is transmitted as tagged frames. If tagging is disabled, traffic is transmitted as untagged frames. The ID is a valid VLAN identification number.

Format	vlan port tagging all <1-4094>
Mode	Global Config

no vlan port tagging all

This command configures the tagging behavior for all interfaces in a VLAN to disabled. If tagging is disabled, traffic is transmitted as untagged frames. The ID is a valid VLAN identification number.

Format	no vlan port tagging all
Mode	Global Config

vlan protocol group

This command adds protocol-based VLAN group to the system. The <groupName> is a character string of 1 to 16 characters. When it is created, the protocol group will be assigned a unique number that will be used to identify the group in subsequent commands.

Format	vlan protocol group <groupname>
Mode	Global Config

vlan protocol group add protocol

This command adds the <protocol> to the protocol-based VLAN identified by <groupid>. A group may have more than one protocol associated with it. Each interface and protocol combination can only be associated with one group. If adding a protocol to a group causes any conflicts with interfaces currently associated with the group, this command will fail and the protocol will not be added to the group. The possible values for protocol are ip, arp, and ipx.

---

Note - FASTPATH supports IPv4 protocol-based VLANs.

---

Default	none
Format	vlan protocol group add protocol <groupid> <protocol>
Mode	Global Config

no vlan protocol group add protocol

This command removes the <protocol> from this protocol-based VLAN group that is identified by this <groupid>. The possible values for protocol are ip, arp, and ipx.

Format	no vlan protocol group add protocol <groupid> <protocol>
Mode	Global Config

vlan protocol group remove

This command removes the protocol-based VLAN group that is identified by this <groupid>.

Format	vlan protocol group remove <groupid>
Mode	Global Config

protocol group

This command attaches a <vlanid> to the protocol-based VLAN identified by <groupid>. A group may only be associated with one VLAN at a time, however the VLAN association can be changed.

The referenced VLAN should be created prior to the creation of the protocol-based VLAN except when GVRP is expected to create the VLAN.

Default	none
Format	protocol group <groupid> <vlanid>
Mode	VLAN Config

no protocol group

This command removes the <vlanid> from this protocol-based VLAN group that is identified by this <groupid>.

Format	no protocol group <groupid> <vlanid>
Mode	VLAN Config

protocol vlan group

This command adds the physical <slot/port> interface to the protocol-based VLAN identified by <groupid>. A group may have more than one interface associated with it. Each interface and protocol combination can only be associated with one group. If adding an interface to a group causes any conflicts with protocols currently associated with the group, this command will fail and the interface(s) will not be added to the group.

The referenced VLAN should be created prior to the creation of the protocol-based VLAN except when GVRP is expected to create the VLAN.

Default	none
Format	protocol vlan group <groupid>
Mode	Interface Config

no protocol vlan group

This command removes the <interface> from this protocol-based VLAN group that is identified by this <groupid>. If <all> is selected, all ports will be removed from this protocol group.

Format	no protocol vlan group <groupid>
Mode	Interface Config

protocol vlan group all

This command adds all physical interfaces to the protocol-based VLAN identified by <groupid>. A group may have more than one interface associated with it. Each interface and protocol combination can only be associated with one group. If adding an interface to a group causes any conflicts with protocols currently associated with the group, this command will fail and the interface(s) will not be added to the group.

The referenced VLAN should be created prior to the creation of the protocol-based VLAN except when GVRP is expected to create the VLAN.

Default	none
Format	protocol vlan group all <groupid>
Mode	Global Config

no protocol vlan group all

This command removes all interfaces from this protocol-based VLAN group that is identified by this <groupid>.

Format	no protocol vlan group all <groupid>
Mode	Global Config

vlan pvid

This command changes the VLAN ID per interface.

Default	1
Format	vlan pvid <1-4094>
Mode	Interface Config

no vlan pvid

This command sets the VLAN ID per interface to 1.

Format	no vlan pvid
Mode	Interface Config

vlan tagging

This command configures the tagging behavior for a specific interface in a VLAN to enabled. If tagging is enabled, traffic is transmitted as tagged frames. If tagging is disabled, traffic is transmitted as untagged frames. The ID is a valid VLAN identification number.

Format	vlan tagging <1-4094>
Mode	Interface Config

no vlan tagging

This command configures the tagging behavior for a specific interface in a VLAN to disabled. If tagging is disabled, traffic is transmitted as untagged frames. The ID is a valid VLAN identification number.

Format	no vlan tagging <1-4094>
Mode	Interface Config

vlan association subnet

This command associates a VLAN to a specific IP-subnet.

Format	vlan association subnet <ipaddr> <netmask> <vlanid>
Mode	VLAN Config

no vlan association subnet

This command removes association of a specific IP-subnet to a VLAN.

Format	no vlan association subnet <ipaddr> <netmask>
Mode	VLAN Config

vlan association mac

This command associates a MAC address to a VLAN.

Format	vlan association mac <macaddr> <vlanid>
Mode	VLAN database

no vlan association mac

This command removes the association of a MAC address to a VLAN.

Format	no vlan association mac <macaddr>
Mode	VLAN database

show vlan

This command displays detailed information, including interface information, for a specific VLAN. The ID is a valid VLAN identification number.

Format	show vlan <vlanid>
Modes	Privileged EXEC User EXEC

TABLE 3-11 Entry Definitions for show vlan

Entry	Definition
VLAN ID	There is a VLAN Identifier (VID) associated with each VLAN. The range of the VLAN ID is 1 to 4094.
VLAN Name	A string associated with this VLAN as a convenience. It can be up to 32 alphanumeric characters long, including blanks. The default is blank. VLAN ID 1 always has a name of “Default.” This field is optional.
VLAN Type	Type of VLAN, which can be Default (VLAN ID = 1) or static (one that is configured and permanently defined), or Dynamic (one that is created by GVRP registration).
Interface	Valid slot and port number separated by forward slashes. It is possible to set the parameters for all ports by using the selectors on the top line.
Current	Determines the degree of participation of this port in this VLAN. The permissible values are as follows: Include - This port is always a member of this VLAN. This is equivalent to registration fixed in the IEEE 802.1Q standard. Exclude - This port is never a member of this VLAN. This is equivalent to registration forbidden in the IEEE 802.1Q standard. Autodetect - Specifies to allow the port to be dynamically registered in this VLAN via GVRP. The port will not participate in this VLAN unless a join request is received on this port. This is equivalent to registration normal in the IEEE 802.1Q standard.
Configured	Determines the configured degree of participation of this port in this VLAN. The permissible values are as follows: Include - This port is always a member of this VLAN. This is equivalent to registration fixed in the IEEE 802.1Q standard. Exclude - This port is never a member of this VLAN. This is equivalent to registration forbidden in the IEEE 802.1Q standard. Autodetect - Specifies to allow the port to be dynamically registered in this VLAN via GVRP. The port will not participate in this VLAN unless a join request is received on this port. This is equivalent to registration normal in the IEEE 802.1Q standard.
Tagging	Select the tagging behavior for this port in this VLAN. Tagged - specifies to transmit traffic for this VLAN as tagged frames. Untagged - specifies to transmit traffic for this VLAN as untagged frames.

show vlan brief

This command displays a list of all configured VLANs.

Format	show vlan brief
Modes	Privileged EXEC User EXEC

TABLE 3-12 Entry Definitions for show vlan brief

Entry	Definition
VLAN ID	There is a VLAN Identifier (vlanid) associated with each VLAN. The range of the VLAN ID is 1 to 4094.
VLAN Name	A string associated with this VLAN as a convenience. It can be up to 32 alphanumeric characters long, including blanks. The default is blank. VLAN ID 1 always has a name of “Default.” This field is optional.
VLAN Type	Type of VLAN, which can be Default (VLAN ID = 1) or static (one that is configured and permanently defined), or a Dynamic (one that is created by GVRP registration).

show vlan port

This command displays VLAN port information.

Format	show vlan port {<slot/port> | all}
Modes	Privileged EXEC User EXEC

TABLE 3-13 Entry Definitions for show vlan port

Entry	Definition
Interface	Valid slot and port number separated by forward slashes. It is possible to set the parameters for all ports by using the selectors on the top line.
Port VLAN ID	The VLAN ID that this port will assign to untagged frames or priority tagged frames received on this port. The value must be for an existing VLAN. The factory default is 1.
Acceptable Frame Types	Specifies the types of frames that may be received on this port. The options are 'VLAN only' and 'Admit All'. When set to 'VLAN only', untagged frames or priority tagged frames received on this port are discarded. When set to 'Admit All', untagged frames or priority tagged frames received on this port are accepted and assigned the value of the Port VLAN ID for this port. With either option, VLAN tagged frames are forwarded in accordance to the 802.1Q VLAN specification.
Ingress Filtering	May be enabled or disabled. When enabled, the frame is discarded if this port is not a member of the VLAN with which this frame is associated. In a tagged frame, the VLAN is identified by the VLAN ID in the tag. In an untagged frame, the VLAN is the Port VLAN ID specified for the port that received this frame. When disabled, all frames are forwarded in accordance with the 802.1Q VLAN bridge specification. The factory default is disabled.
GVRP	May be enabled or disabled.
Default Priority	The 802.1p priority assigned to tagged packets arriving on the port.

show vlan association subnet

This command displays the VLAN associated with a specific configured IP-Address and net mask. If no IP Address and net mask are specified, the VLAN associations of all the configured IP-subnets are displayed.

Format	show vlan association subnet [<ipaddr> <netmask>]
Mode	Privileged EXEC

TABLE 3-14 Entry Definitions for show vlan association subnet

Entry	Definition
IP Address	The IP address assigned to each interface.
Net Mask	The subnet mask
VLAN ID	There is a VLAN Identifier (VID) associated with each VLAN.

show vlan association mac

This command displays the VLAN associated with a specific configured MAC address. If no MAC address is specified, the VLAN associations of all the configured MAC addresses are displayed.

Format	show vlan association mac [<macaddr>]
Mode	Privileged EXEC

TABLE 3-15 Entry Definitions for show vlan association mac

Entry	Definition
Mac Address	A MAC address for which the switch has forwarding and or filtering information. The format is 6 or 8 two-digit hexadecimal numbers that are separated by colons, for example 01:23:45:67:89:AB. In an IVL system the MAC address will be displayed as 8 bytes.
VLAN ID	There is a VLAN Identifier (VID) associated with each VLAN.

---

Double VLAN Commands

This section describes the commands you use to configure double VLAN (DVLAN). Double VLAN tagging is a way to pass VLAN traffic from one customer domain to another through a Metro Core in a simple and cost effective manner. The additional tag on the traffic helps differentiate between customers in the MAN while preserving the VLAN identification of the individual customers when they enter their own 802.1Q domain.

dvlan-tunnel etherType

This command configures the ether-type for the specified interface. The ether-type may have the values of 802.1Q, vMAN, or custom. If the ether-type has a value of custom, the optional value of the custom ether type must be set to a value from 0 to 65535.

Default	vman
Format	dvlan-tunnel ethertype {802.1Q | vman | custom} [0-65535]
Mode	Global Config

no dvlan-tunnel etherType

This command configures the ether-type for the specified interface to its default value.

Format	no dvlan-tunnel ethertype
Mode	Global Config

mode dot1q-tunnel

This command is used to enable Double VLAN Tunneling on the specified interface. By default, Double VLAN Tunneling is disabled.

Default	disabled
Format	mode dot1q-tunnel
Mode	Interface Config

no mode dot1q-tunnel

This command is used to disable Double VLAN Tunneling on the specified interface. By default, Double VLAN Tunneling is disabled.

Format	no mode dot1q-tunnel
Mode	Interface Config

mode dvlan-tunnel

Use this command to enable Double VLAN Tunneling on the specified interface. By default, Double VLAN Tunneling is disabled.

Default	disabled
Format	mode dvlan-tunnel
Mode	Interface Config

---

Note - When you use the mode dvlan-tunnel command on an interface, it becomes a service provider port. Ports that do not have double VLAN tunneling enabled are customer ports.

---

no mode dvlan-tunnel

This command is used to disable Double VLAN Tunneling on the specified interface. By default, Double VLAN Tunneling is disabled.

Format	no mode dvlan-tunnel
Mode	Interface Config

show dot1q-tunnel

Use this command without the optional parameters to display all interfaces enabled for Double VLAN Tunneling. Use the optional parameters to display detailed information about Double VLAN Tunneling for the specified interface or all interfaces.

Format	show dot1q-tunnel [interface {<slot/port> | all}]
Modes	Privileged EXEC User EXEC

TABLE 3-16 Entry Definitions for show dot1q-tunnel

Entry	Definition
Interface	Valid slot and port number separated by forward slashes.
Mode	This field specifies the administrative mode through which Double VLAN Tunneling can be enabled or disabled. The default value for this field is disabled.
EtherType	This field represents a 2-byte hex EtherType to be used as the first 16 bits of the DVLAN tunnel. There are three different EtherType tags. The first is 802.1Q, which represents the commonly used value of 0x8100. The second is vMAN, which represents the commonly used value of 0x88A8. If EtherType is not one of these two values, then it is a custom tunnel value, representing any value in the range of 0 to 65535.

show dvlan-tunnel

Use this command without the optional parameters to display all interfaces enabled for Double VLAN Tunneling. Use the optional parameters to display detailed information about Double VLAN Tunneling for the specified interface or all interfaces.

Format	show dvlan-tunnel [interface {<slot/port> | all}]
Modes	Privileged EXEC User EXEC

TABLE 3-17 Entry Definitions for show dvlan-tunnel

Entry	Definition
Interface	Valid slot and port number separated by forward slashes.
Mode	This field specifies the administrative mode through which Double VLAN Tunneling can be enabled or disabled. The default value for this field is disabled.
EtherType	This field represents a 2-byte hex EtherType to be used as the first 16 bits of the DVLAN tunnel. There are three different EtherType tags. The first is 802.1Q, which represents the commonly used value of 0x8100. The second is vMAN, which represents the commonly used value of 0x88A8. If EtherType is not one of these two values, then it is a custom tunnel value, representing any value in the range of 0 to 65535.

---

Provisioning (IEEE 802.1p) Commands

This section describes the commands you use to configure provisioning, which allows you to prioritize ports.

vlan port priority all

This command configures the port priority assigned for untagged packets for all ports presently plugged into the device. The range for the priority is 0-7. Any subsequent per port configuration will override this configuration setting.

Format	vlan port priority all <priority>
Mode	Global Config

vlan priority

This command configures the default 802.1p port priority assigned for untagged packets for a specific interface. The range for the priority is 0-7

Default	0
Format	vlan priority <priority>
Mode	Interface Config

---

Protected Ports Commands

This section describes commands you use to configure and view protected ports on a switch. Protected ports do not forward traffic to each other, even if they are on the same VLAN. However, protected ports can forward traffic to all unprotected ports in their group. Unprotected ports can forward traffic to both protected and unprotected ports. Ports are unprotected by default.

If an interface is configured as a protected port, and you add that interface to a Port Channel or Link Aggregation Group (LAG), the protected port status becomes operationally disabled on the interface, and the interface follows the configuration of the LAG port. However, the protected port configuration for the interface remains unchanged. Once the interface is no longer a member of a LAG, the current configuration for that interface automatically becomes effective.

switchport protected (Global Config)

Use this command to create a protected port group. The <groupid> parameter identifies the set of protected ports. Use the name <name> pair to assign a name to the protected port group. The name can be up to 32 alphanumeric characters long, including blanks. The default is blank.

---

Note - Port protection occurs within a single switch. Protected port configuration does not affect traffic between ports on two different switches. No traffic forwarding is possible between two protected ports.

---

Default	unprotected
Format	switchport protected <groupid> [name <name>]
Mode	Global Config

no switchport protected (Global Config)

Use this command to remove a protected port group. The groupid parameter identifies the set of protected ports. Use the name keyword to remove the name from the group.

Format	no switchport protected <groupid> [name]
Mode	Global Config

switchport protected (Interface Config)

Use this command to add an interface to a protected port group. The <groupid> parameter identifies the set of protected ports to which this interface is assigned. You can only configure an interface as protected in one group.

---

Note - Port protection occurs within a single switch. Protected port configuration does not affect traffic between ports on two different switches. No traffic forwarding is possible between two protected ports.

---

Default	unprotected
Format	switchport protected <groupid>
Mode	Interface Config

no switchport protected (Interface Config)

Use this command to configure a port as unprotected. The groupid parameter identifies the set of protected ports to which this interface is assigned.

Format	no switchport protected <groupid>
Mode	Interface Config

show switchport protected

This command displays the status of all the interfaces, including protected and unprotected interfaces.

Format	show switchport protected <groupid>
Modes	Privileged EXEC User EXEC

TABLE 3-18 Entry Definitions for show switchport protected

Entry	Definition
Group ID	The number that identifies the protected port group.
Name	An optional name of the protected port group. The name can be up to 32 alphanumeric characters long, including blanks. The default is blank.
List of Physical Ports	List of ports, which are configured as protected for the group identified with <groupid>. If no port is configured as protected for this group, this field is blank.

show interfaces switchport

This command displays the status of the interface (protected/unprotected) under the groupid.

Format	show interfaces switchport <slot/port> <groupid>
Mode	User EXEC Privileged EXEC

TABLE 3-19 Entry Definitions for

Entry	Definition
Name	A string associated with this group as a convenience. It can be up to 32 alphanumeric characters long, including blanks. The default is blank. This field is optional.
Protected	Indicates whether the interface is protected or not. It shows TRUE or FALSE. If the group is a multiple groups then it shows TRUE in Group <groupid>

---

GARP Commands

This section describes the commands you use to configure Generic Attribute Registration Protocol (GARP) and view GARP status. The commands in this section affect both GARP VLAN Registration Protocol (GVRP) and Garp Multicast Registration Protocol (GMRP). GARP is a protocol that allows client stations to register with the switch for membership in VLANS (by using GVMP) or multicast groups (by using GVMP).

set garp timer join

This command sets the GVRP join time for one port (Interface Config mode) or all (Global Config mode) and per GARP. Join time is the interval between the transmission of GARP Protocol Data Units (PDUs) registering (or re-registering) membership for a VLAN or multicast group. This command has an effect only when GVRP is enabled. The time is from 10 to 100 (centiseconds). The value 20 centiseconds is 0.2 seconds.

Default	20
Format	set garp timer join <10-100>
Modes	Interface Config Global Config

no set garp timer join

This command sets the GVRP join time (for one or all ports and per GARP) to the default and only has an effect when GVRP is enabled.

Format	no set garp timer join
Modes	Interface Config Global Config

set garp timer leave

This command sets the GVRP leave time for one port (Interface Config mode) or all ports (Global Config mode) and only has an effect when GVRP is enabled. Leave time is the time to wait after receiving an unregister request for a VLAN or a multicast group before deleting the VLAN entry. This can be considered a buffer time for another station to assert registration for the same attribute in order to maintain uninterrupted service. The leave time is 20 to 600 (centiseconds). The value 60 centiseconds is 0.6 seconds.

Default	60
Format	set garp timer leave <20-600>
Modes	Interface Config Global Config

no set garp timer leave

This command sets the GVRP leave time on all ports or a single port to the default and only has an effect when GVRP is enabled.

Format	no set garp timer leave
Modes	Interface Config Global Config

set garp timer leaveall

This command sets how frequently Leave All PDUs are generated. A Leave All PDU indicates that all registrations will be unregistered. Participants would need to rejoin in order to maintain registration. The value applies per port and per GARP participation. The time may range from 200 to 6000 (centiseconds). The value 1000 centiseconds is 10 seconds. You can use this command on all ports (Global Config mode) or a single port (Interface Config mode), and it only has an effect only when GVRP is enabled.

Default	1000
Format	set garp timer leaveall <200-6000>
Modes	Interface Config Global Config

no set garp timer leaveall

This command sets how frequently Leave All PDUs are generated the default and only has an effect when GVRP is enabled.

Format	no set garp timer leaveall
Modes	Interface Config Global Config

show garp

This command displays GARP information.

Format	show garp
Modes	Privileged EXEC User EXEC

TABLE 3-20 Entry Definitions for show garp

Entry	Definition
GMRP Admin Mode	This displays the administrative mode of GARP Multicast Registration Protocol (GMRP) for the system.
GVRP Admin Mode	This displays the administrative mode of GARP VLAN Registration Protocol (GVRP) for the system

---

GVRP Commands

This section describes the commands you use to configure and view GARP VLAN Registration Protocol (GVRP) information. GVRP-enabled switches exchange VLAN configuration information, which allows GVRP to provide dynamic VLAN creation on trunk ports and automatic VLAN pruning.

---

Note - If GVRP is disabled, the system does not forward GVRP messages.

---

set gvrp adminmode

This command enables GVRP on the system.

Default	disabled
Format	set gvrp adminmode
Mode	Privileged EXEC

no set gvrp adminmode

This command disables GVRP.

Format	no set gvrp adminmode
Mode	Privileged EXEC

set gvrp interfacemode

This command enables GVRP on a single port (Interface Config mode) or all ports (Global Config mode).

Default	disabled
Format	set gvrp interfacemode
Modes	Interface Config Global Config

no set gvrp interfacemode

This command disables GVRP on a single port (Interface Config mode) or all ports (Global Config mode). If GVRP is disabled, Join Time, Leave Time and Leave All Time have no effect.

Format	no set gvrp interfacemode
Modes	Interface Config Global Config

show gvrp configuration

This command displays Generic Attributes Registration Protocol (GARP) information for one or all interfaces.

Format	show gvrp configuration {<slot/port> | all}
Modes	Privileged EXEC User EXEC

TABLE 3-21 Entry Definitions for show gvrp configuration

Entry	Definition
Interface	Valid slot and port number separated by forward slashes.
Join Timer	Specifies the interval between the transmission of GARP PDUs registering (or re-registering) membership for an attribute. Current attributes are a VLAN or multicast group. There is an instance of this timer on a per-Port, per-GARP participant basis. Permissible values are 10 to 100 centiseconds (0.1 to 1.0 seconds). The factory default is 20 centiseconds (0.2 seconds). The finest granularity of specification is one centisecond (0.01 seconds).
Leave Timer	Specifies the period of time to wait after receiving an unregister request for an attribute before deleting the attribute. Current attributes are a VLAN or multicast group. This may be considered a buffer time for another station to assert registration for the same attribute in order to maintain uninterrupted service. There is an instance of this timer on a per-Port, per-GARP participant basis. Permissible values are 20 to 600 centiseconds (0.2 to 6.0 seconds). The factory default is 60 centiseconds (0.6 seconds).
LeaveAll Timer	This Leave All Time controls how frequently LeaveAll PDUs are generated. A LeaveAll PDU indicates that all registrations will shortly be deregistered. Participants will need to rejoin in order to maintain registration. There is an instance of this timer on a per-Port, per-GARP participant basis. The Leave All Period Timer is set to a random value in the range of LeaveAllTime to 1.5*LeaveAllTime. Permissible values are 200 to 6000 centiseconds (2 to 60 seconds). The factory default is 1000 centiseconds (10 seconds).
Port GMRP Mode	Indicates the GMRP administrative mode for the port, which is enabled or disabled (default). If this parameter is disabled, Join Time, Leave Time and Leave All Time have no effect.

---

GMRP Commands

This section describes the commands you use to configure and view GARP Multicast Registration Protocol (GMRP) information. Like IGMP snooping, GMRP helps control the flooding of multicast packets.GMRP-enabled switches dynamically register and de-register group membership information with the MAC networking devices attached to the same segment. GMRP also allows group membership information to propagate across all networking devices in the bridged LAN that support Extended Filtering Services.

---

Note - If GMRP is disabled, the system does not forward GMRP messages.

---

set gmrp adminmode

This command enables GARP Multicast Registration Protocol (GMRP) on the system.

Default	disabled
Format	set gmrp adminmode
Mode	Privileged EXEC

no set gmrp adminmode

This command disables GARP Multicast Registration Protocol (GMRP) on the system.

Format	no set gmrp adminmode
Mode	Privileged EXEC

set gmrp interfacemode

This command enables GARP Multicast Registration Protocol on a single interface (Interface Config mode) or all interfaces (Global Config mode). If an interface which has GARP enabled is enabled for routing or is enlisted as a member of a port-channel (LAG), GARP functionality is disabled on that interface. GARP functionality is subsequently re-enabled if routing is disabled and port-channel (LAG) membership is removed from an interface that has GARP enabled.

Default	disabled
Format	set gmrp interfacemode
Modes	Interface Config Global Config

no set gmrp interfacemode

This command disables GARP Multicast Registration Protocol on a single interface or all interfaces. If an interface which has GARP enabled is enabled for routing or is enlisted as a member of a port-channel (LAG), GARP functionality is disabled. GARP functionality is subsequently re-enabled if routing is disabled and port-channel (LAG) membership is removed from an interface that has GARP enabled.

Format	no set gmrp interfacemode
Modes	Interface Config Global Config

show gmrp configuration

This command displays Generic Attributes Registration Protocol (GARP) information for one or all interfaces.

Format	show gmrp configuration {<slot/port> | all}
Modes	Privileged EXEC User EXEC

TABLE 3-22 Entry Definitions show gmrp configuration

Entry	Definition
Interface	This displays the slot/port of the interface that this row in the table describes.
Join Timer	Specifies the interval between the transmission of GARP PDUs registering (or re-registering) membership for an attribute. Current attributes are a VLAN or multicast group. There is an instance of this timer on a per-port, per-GARP participant basis. Permissible values are 10 to 100 centiseconds (0.1 to 1.0 seconds). The factory default is 20 centiseconds (0.2 seconds). The finest granularity of specification is 1 centisecond (0.01 seconds).
Leave Timer	Specifies the period of time to wait after receiving an unregister request for an attribute before deleting the attribute. Current attributes are a VLAN or multicast group. This may be considered a buffer time for another station to assert registration for the same attribute in order to maintain uninterrupted service. There is an instance of this timer on a per-Port, per-GARP participant basis. Permissible values are 20 to 600 centiseconds (0.2 to 6.0 seconds). The factory default is 60 centiseconds (0.6 seconds).
LeaveAll Timer	This Leave All Time controls how frequently LeaveAll PDUs are generated. A LeaveAll PDU indicates that all registrations will shortly be deregistered. Participants will need to rejoin in order to maintain registration. There is an instance of this timer on a per-Port, per-GARP participant basis. The Leave All Period Timer is set to a random value in the range of LeaveAllTime to 1.5*LeaveAllTime. Permissible values are 200 to 6000 centiseconds (2 to 60 seconds). The factory default is 1000 centiseconds (10 seconds).
Port GMRP Mode	Indicates the GMRP administrative mode for the port. It may be enabled or disabled. If this parameter is disabled, Join Time, Leave Time and Leave All Time have no effect.

show mac-address-table gmrp

This command displays the GMRP entries in the Multicast Forwarding Database (MFDB) table.

Format	show mac-address-table gmrp
Mode	Privileged EXEC

TABLE 3-23 Entry Definitions for show mac-address-table gmrp

Entry	Definition
Mac Address	A unicast MAC address for which the switch has forwarding and or filtering information. The format is 6 or 8 two-digit hexadecimal numbers that are separated by colons, for example 01:23:45:67:89:AB. In an IVL system the MAC address is displayed as 8 bytes.
Type	Displays the type of the entry. Static entries are those that are configured by the end user. Dynamic entries are added to the table as a result of a learning process or protocol.
Description	The text description of this multicast table entry.
Interfaces	The list of interfaces that are designated for forwarding (Fwd:) and filtering (Flt:).

---

Port-Based Network Access Control Commands

This section describes the commands you use to configure port-based network access control (802.1x). Port-based network access control allows you to permit access to network services only to and devices that are authorized and authenticated.

authentication login

This command creates an authentication login list. The <listname> is any character string and is not case sensitive. Up to 10 authentication login lists can be configured on the switch. When a list is created, the authentication method “local” is set as the first method.

When the optional parameters “Option1”, “Option2” and/or “Option3” are used, an ordered list of methods are set in the authentication login list. If the authentication login list does not exist, a new authentication login list is first created and then the authentication methods are set in the authentication login list. The maximum number of authentication login methods is three. The possible method values are local, radius and reject.

The value of local indicates that the user’s locally stored ID and password are used for authentication. The value of radius indicates that the user’s ID and password will be authenticated using the RADIUS server. The value of reject indicates the user is never authenticated.

To authenticate a user, the first authentication method in the user’s login (authentication login list) is attempted. FASTPATH software does not utilize multiple entries in the user’s login. If the first entry returns a timeout, the user authentication attempt fails.

---

Note - The default login list included with the default configuration can not be changed.

---

Format	authentication login <listname> [<method1> [<method2> [<method3>]]]
Mode	Global Config

no authentication login

This command deletes the specified authentication login list. The attempt to delete fails if any of the following conditions are true:

• The login list name is invalid or does not match an existing authentication login list
• The specified authentication login list is assigned to any user or to the non configured user for any component
• The login list is the default login list included with the default configuration and was not created using ‘authentication login’. The default login list cannot be deleted.



Format	no authentication login <listname>
Mode	Global Config

clear dot1x statistics

This command resets the 802.1x statistics for the specified port or for all ports.

Format	clear dot1x statistics {<slot/port> | all}
Mode	Privileged EXEC

clear radius statistics

This command is used to clear all RADIUS statistics.

Format	clear radius statistics
Mode	Privileged EXEC

dot1x defaultlogin

This command assigns the authentication login list to use for non-configured users for 802.1x port security. This setting is over-ridden by the authentication login list assigned to a specific user if the user is configured locally. If this value is not configured, users will be authenticated using local authentication only.

Format	dot1x defaultlogin <listname>
Mode	Global Config

dot1x initialize

This command begins the initialization sequence on the specified port. This command is only valid if the control mode for the specified port is 'auto'. If the control mode is not 'auto' an error will be returned.

Format	dot1x initialize <slot/port>
Mode	Privileged EXEC

dot1x login

This command assigns the specified authentication login list to the specified user for 802.1x port security. The <user> parameter must be a configured user and the <listname> parameter must be a configured authentication login list.

Format	dot1x login <user> <listname>
Mode	Global Config

dot1x max-req

This command sets the maximum number of times the authenticator state machine on this port will transmit an EAPOL EAP Request/Identity frame before timing out the supplicant. The <count> value must be in the range 1 - 10.

Default	2
Format	dot1x max-req <count>
Mode	Interface Config

no dot1x max-req

This command sets the maximum number of times the authenticator state machine on this port will transmit an EAPOL EAP Request/Identity frame before timing out the supplicant.

Format	no dot1x max-req
Mode	Interface Config

dot1x port-control

This command sets the authentication mode to use on the specified port. Select force-unauthorized to specify that the authenticator PAE unconditionally sets the controlled port to unauthorized. Select force-authorized to specify that the authenticator PAE unconditionally sets the controlled port to authorized. Select auto to specify that the authenticator PAE sets the controlled port mode to reflect the outcome of the authentication exchanges between the supplicant, authenticator and the authentication server.

Default	auto
Format	dot1x port-control {force-unauthorized | force-authorized | auto}
Mode	Interface Config

no dot1x port-control

This command sets the authentication mode on the specified port to the default value.

Format	no dot1x port-control
Mode	Interface Config

dot1x port-control all

This command sets the authentication mode to use on all ports. Select force-unauthorized to specify that the authenticator PAE unconditionally sets the controlled port to unauthorized. Select force-authorized to specify that the authenticator PAE unconditionally sets the controlled port to authorized. Select auto to specify that the authenticator PAE sets the controlled port mode to reflect the outcome of the authentication exchanges between the supplicant, authenticator and the authentication server.

Default	auto
Format	dot1x port-control all {force-unauthorized | force-authorized | auto}
Mode	Global Config

no dot1x port-control all

This command sets the authentication mode on all ports to the default value.

Format	no dot1x port-control all
Mode	Global Config

dot1x re-authenticate

This command begins the re-authentication sequence on the specified port. This command is only valid if the control mode for the specified port is 'auto'. If the control mode is not 'auto' an error will be returned.

Format	dot1x re-authenticate <slot/port>
Mode	Privileged EXEC

dot1x re-authentication

This command enables re-authentication of the supplicant for the specified port.

Default	disabled
Format	dot1x re-authentication
Mode	Interface Config

no dot1x re-authentication

This command disables re-authentication of the supplicant for the specified port.

Format	no dot1x re-authentication
Mode	Interface Config

dot1x system-auth-control

Use this command to enable the dot1x authentication support on the switch. While disabled, the dot1x configuration is retained and can be changed, but is not activated.

Default	disabled
Format	dot1x system-auth-control
Mode	Global Config

no dot1x system-auth-control

This command is used to disable the dot1x authentication support on the switch.

Format	no dot1x system-auth-control
Mode	Global Config

dot1x timeout

This command sets the value, in seconds, of the timer used by the authenticator state machine on this port. Depending on the token used and the value (in seconds) passed, various timeout configurable parameters are set. The following tokens are supported.

reauth-period: Sets the value, in seconds, of the timer used by the authenticator state machine on this port to determine when re-authentication of the supplicant takes place. The reauth-period must be a value in the range 1 - 65535.

quiet-period: Sets the value, in seconds, of the timer used by the authenticator state machine on this port to define periods of time in which it will not attempt to acquire a supplicant. The quiet-period must be a value in the range 0 - 65535.

tx-period: Sets the value, in seconds, of the timer used by the authenticator state machine on this port to determine when to send an EAPOL EAP Request/Identity frame to the supplicant. The quiet-period must be a value in the range 1 - 65535.

supp-timeout: Sets the value, in seconds, of the timer used by the authenticator state machine on this port to timeout the supplicant. The supp-timeout must be a value in the range 1 - 65535.

server-timeout: Sets the value, in seconds, of the timer used by the authenticator state machine on this port to timeout the authentication server. The supp-timeout must be a value in the range 1 - 65535.

Default	reauth-period: 3600 seconds quiet-period: 60 seconds tx-period: 30 seconds supp-timeout: 30 seconds server-timeout: 30 seconds
Format	dot1x timeout {{reauth-period <seconds>} | {quiet-period <seconds>} | {tx-period <seconds>} | {supp-timeout <seconds>} | {server-timeout <seconds>}}
Mode	Interface Config

no dot1x timeout

This command sets the value, in seconds, of the timer used by the authenticator state machine on this port to the default values. Depending on the token used, the corresponding default values are set.

Format	no dot1x timeout {reauth-period | quiet-period | tx-period | supp-timeout | server-timeout}
Mode	Interface Config

dot1x user

This command adds the specified user to the list of users with access to the specified port or all ports. The <user> parameter must be a configured user.

Format	dot1x user <user> {<slot/port> | all}
Mode	Global Config

no dot1x user

This command removes the user from the list of users with access to the specified port or all ports.

Format	no dot1x user <user> {<slot/port> | all}
Mode	Global Config

users defaultlogin

This command assigns the authentication login list to use for non-configured users when attempting to log in to the system. This setting is overridden by the authentication login list assigned to a specific user if the user is configured locally. If this value is not configured, users will be authenticated using local authentication only.

Format	users defaultlogin <listname>
Mode	Global Config

users login

This command assigns the specified authentication login list to the specified user for system login. The <user> must be a configured <user> and the <listname> must be a configured login list.

If the user is assigned a login list that requires remote authentication, all access to the interface from all CLI, web, and telnet sessions will be blocked until the authentication is complete.

Note that the login list associated with the ‘admin’ user can not be changed to prevent accidental lockout from the switch.

Format	users login <user> <listname>
Mode	Global Config

show authentication

This command displays the ordered authentication methods for all authentication login lists.

Format	show authentication
Mode	Privileged EXEC

TABLE 3-24 Entry Definitions for show authentication

Entry	Definition
Authentication Login List	This displays the authentication login listname.
Method 1	This displays the first method in the specified authentication login list, if any.
Method 2	This displays the second method in the specified authentication login list, if any.
Method 3	This displays the third method in the specified authentication login list, if any.

show authentication users

This command displays information about the users assigned to the specified authentication login list. If the login is assigned to non-configured users, the user “default” will appear in the user column.

Format	show authentication users <listname>
Mode	Privileged EXEC
User	This field displays the user assigned to the specified authentication login list.
Component	This field displays the component (User or 802.1x) for which the authentication login list is assigned.

show dot1x

This command is used to show a summary of the global dot1x configuration, summary information of the dot1x configuration for a specified port or all ports, the detailed dot1x configuration for a specified port and the dot1x statistics for a specified port - depending on the tokens used.

Format	show dot1x [{summary {<slot/port> | all} | detail <slot/port> | statistics <slot/port>]
Mode	Privileged EXEC

If you do not use any of the optional parameters, the global dot1x configuration summary is displayed.

Administrative mode	Indicates whether authentication control on the switch is enabled or disabled.

If you use the optional parameter summary {<slot/port> | all}, the dot1x configuration for the specified port or all ports are displayed.

TABLE 0-3 Entry Definitions for show dot1x summary {<slot/port> | all}

Entry	Definition
Port	The interface whose configuration is displayed.
Control Mode	The configured control mode for this port. Possible values are force-unauthorized | force-authorized | auto.
Operating Control Mode	The control mode under which this port is operating. Possible values are authorized | unauthorized.
Reauthentication Enabled	Indicates whether re-authentication is enabled on this port.
Key Transmission Enabled	Indicates if the key is transmitted to the supplicant for the specified port.

If the optional parameter detail <slot/port> is used, the detailed dot1x configuration for the specified port are displayed.

TABLE 3-25 Entry Definitions for show dot1x detail {<slot/port> | all}

Entry	Definition
Port	The interface whose configuration is displayed.
Protocol Version	The protocol version associated with this port. The only possible value is 1, corresponding to the first version of the dot1x specification.
PAE Capabilities	The port access entity (PAE) functionality of this port. Possible values are Authenticator or Supplicant.
Authenticator PAE State	Current state of the authenticator PAE state machine. Possible values are Initialize, Disconnected, Connecting, Authenticating, Authenticated, Aborting, Held, ForceAuthorized, and ForceUnauthorized.
Backend Authentication State	Current state of the backend authentication state machine. Possible values are Request, Response, Success, Fail, Timeout, Idle, and Initialize.
Quiet Period	The timer used by the authenticator state machine on this port to define periods of time in which it will not attempt to acquire a supplicant. The value is expressed in seconds and will be in the range 0 and 65535.
Transmit Period	The timer used by the authenticator state machine on the specified port to determine when to send an EAPOL EAP Request/Identity frame to the supplicant. The value is expressed in seconds and will be in the range of 1 and 65535.
Supplicant Timeout	The timer used by the authenticator state machine on this port to timeout the supplicant. The value is expressed in seconds and will be in the range of 1 and 65535.
Server Timeout	The timer used by the authenticator on this port to timeout the authentication server. The value is expressed in seconds and will be in the range of 1 and 65535.
Maximum Requests	The maximum number of times the authenticator state machine on this port will retransmit an EAPOL EAP Request/Identity before timing out the supplicant. The value will be in the range of 1 and 10.
Reauthentication Period	The timer used by the authenticator state machine on this port to determine when reauthentication of the supplicant takes place. The value is expressed in seconds and will be in the range of 1 and 65535.
Reauthentication Enabled	Indicates if reauthentication is enabled on this port. Possible values are ‘True” or “False”.
Key Transmission Enabled	Indicates if the key is transmitted to the supplicant for the specified port. Possible values are True or False.
Control Direction	Indicates the control direction for the specified port or ports. Possible values are both or in.

If you use the optional parameter statistics <slot/port>, the following dot1x statistics for the specified port appear.

TABLE 3-26 Entry Definitions for show dot1x statistics {<slot/port> | all}

Entry	Definition
Port	The interface whose statistics are displayed.
EAPOL Frames Received	The number of valid EAPOL frames of any type that have been received by this authenticator.
EAPOL Frames Transmitted	The number of EAPOL frames of any type that have been transmitted by this authenticator.
EAPOL Start Frames Received	The number of EAPOL start frames that have been received by this authenticator.
EAPOL Logoff Frames Received	The number of EAPOL logoff frames that have been received by this authenticator.
Last EAPOL Frame Version	The protocol version number carried in the most recently received EAPOL frame.
Last EAPOL Frame Source	The source MAC address carried in the most recently received EAPOL frame.
EAP Response/Id Frames Received	The number of EAP response/identity frames that have been received by this authenticator.
EAP Response Frames Received	The number of valid EAP response frames (other than resp/id frames) that have been received by this authenticator.
EAP Request/Id Frames Transmitted	The number of EAP request/identity frames that have been transmitted by this authenticator.
EAP Request Frames Transmitted	The number of EAP request frames (other than request/identity frames) that have been transmitted by this authenticator.
Invalid EAPOL Frames Received	The number of EAPOL frames that have been received by this authenticator in which the frame type is not recognized.
EAP Length Error Frames Received	The number of EAPOL frames that have been received by this authenticator in which the frame type is not recognized.

show dot1x users

This command displays 802.1x port security user information for locally configured users.

Format	show dot1x users <slot/port>
Mode	Privileged EXEC
User	Users configured locally to have access to the specified port.

show users authentication

This command displays all user and all authentication login information. It also displays the authentication login list assigned to the default user.

Format	show users authentication
Mode	Privileged EXEC
User	Lists every user that has an authentication login list assigned.
System Login	Displays the authentication login list assigned to the user for system login.
802.1x Port Security	This field displays the authentication login list assigned to the user for 802.1x port security.

---

Storm-Control Commands

This section describes commands you use to configure storm control and view storm-control configuration information. The Storm Control feature allows you to limit the rate of specific types of packets through the switch on a per-port, per-type, basis. The Storm Control feature can help maintain network performance.

storm-control broadcast

Use this command to enable broadcast storm recovery mode for a specific interface. If the mode is enabled, broadcast storm recovery is active, and if the rate of L2 broadcast traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped. Therefore, the rate of broadcast traffic will be limited to the configured threshold.

Default	disabled
Format	storm-control broadcast
Mode	Interface Config

no storm-control broadcast

Use this command to disable broadcast storm recovery mode for a specific interface.

Format	no storm-control broadcast
Mode	Interface Config

storm-control broadcast level

Use this command to configure the broadcast storm recovery threshold for an interface. When you use this command, broadcast storm recovery mode is enabled on the interface and broadcast storm recovery is active. If the rate of L2 broadcast traffic ingressing on an interface increases beyond the configured threshold, the traffic is dropped. Therefore, the rate of broadcast traffic is limited to the configured threshold.

Default	5
Format	storm-control broadcast level <0-100>
Mode	Interface Config

no storm-control broadcast level

This command sets the broadcast storm recovery threshold to the default value for an interface and disables broadcast storm recovery.

Format	no storm-control broadcast level
Mode	Interface Config

storm-control broadcast all

This command enables broadcast storm recovery mode for all interfaces. If the mode is enabled, broadcast storm recovery is active, and if the rate of L2 broadcast traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped. Therefore, the rate of broadcast traffic will be limited to the configured threshold.

Default	disabled
Format	storm-control broadcast all
Mode	Global Config

no storm-control broadcast all

This command disables broadcast storm recovery mode for all interfaces.

Format	no storm-control broadcast all
Mode	Global Config

storm-control broadcast all level

This command configures the broadcast storm recovery threshold for all interfaces. If the mode is enabled, broadcast storm recovery is active, and if the rate of L2 broadcast traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped. Therefore, the rate of broadcast traffic will be limited to the configured threshold.This command also enables broadcast storm recovery mode for all interfaces.

Default	5
Format	storm-control broadcast all level <0-100>
Mode	Global Config

no storm-control broadcast all level

This command sets the broadcast storm recovery threshold to the default value for all interfaces and disables broadcast storm recovery.

Format	no storm-control broadcast all level
Mode	Global Config

storm-control multicast

This command enables multicast storm recovery mode for an interface. If the mode is enabled, multicast storm recovery is active, and if the rate of L2 multicast traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped. Therefore, the rate of multicast traffic will be limited to the configured threshold.

Default	disabled
Format	storm-control multicast
Mode	Interface Config

no storm-control multicast

This command disables multicast storm recovery mode for an interface.

Format	no storm-control multicast
Mode	Interface Config

storm-control multicast level

This command configures the multicast storm recovery threshold for an interface and enables multicast storm recovery mode. If the mode is enabled, multicast storm recovery is active, and if the rate of L2 multicast traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped. Therefore, the rate of multicast traffic will be limited to the configured threshold.

Default	5
Format	storm-control multicast level <0-100>
Mode	Interface Config

no storm-control multicast level

This command sets the multicast storm recovery threshold to the default value for an interface and disables multicast storm recovery.

Format	no storm-control multicast level
Mode	Interface Config

storm-control multicast all

This command enables multicast storm recovery mode for all interfaces. If the mode is enabled, multicast storm recovery is active, and if the rate of L2 multicast traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped. Therefore, the rate of multicast traffic will be limited to the configured threshold.

Default	disabled
Format	storm-control multicast all
Mode	Global Config

no storm-control multicast all

This command disables multicast storm recovery mode for all interfaces.

Format	no storm-control multicast all
Mode	Global Config

storm-control multicast all level

This command configures the multicast storm recovery threshold for all interfaces and enables multicast storm recovery mode. If the mode is enabled, multicast storm recovery is active, and if the rate of L2 multicast traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped. Therefore, the rate of multicast traffic will be limited to the configured threshold.

Default	5
Format	storm-control multicast all level <0-100>
Mode	Global Config

no storm-control multicast all level

This command sets the multicast storm recovery threshold to the default value for all interfaces and disables multicast storm recovery.

Format	no storm-control multicast all level
Mode	Global Config

storm-control unicast

This command enables unicast storm recovery mode for an interface. If the mode is enabled, unicast storm recovery is active, and if the rate of unknown L2 unicast (destination lookup failure) traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped. Therefore, the rate of unknown unicast traffic will be limited to the configured threshold.

Default	disabled
Format	storm-control unicast
Mode	Interface Config

no storm-control unicast

This command disables unicast storm recovery mode for an interface.

Format	no storm-control unicast
Mode	Interface Config

storm-control unicast level

This command configures the unicast storm recovery threshold for an interface and enables unicast storm recovery. If the mode is enabled, unicast storm recovery is active, and if the rate of unknown L2 unicast (destination lookup failure) traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped. Therefore, the rate of unknown unicast traffic will be limited to the configured threshold.This command also enables unicast storm recovery mode for an interface.

Default	5
Format	storm-control unicast level <0-100>
Mode	Interface Config

no storm-control unicast level

This command sets the unicast storm recovery threshold to the default value for an interface and disables unicast storm recovery.

Format	no storm-control unicast level
Mode	Interface Config

storm-control unicast all

This command enables unicast storm recovery mode for all interfaces. If the mode is enabled, unicast storm recovery is active, and if the rate of unknown L2 unicast (destination lookup failure) traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped. Therefore, the rate of unknown unicast traffic will be limited to the configured threshold.

Default	disabled
Format	storm-control unicast all
Mode	Global Config

no storm-control unicast all

This command disables unicast storm recovery mode for all interfaces.

Format	no storm-control unicast all
Mode	Global Config

storm-control unicast all level

This command configures the unicast storm recovery threshold and enables unicast storm recovery for all interfaces. If the mode is enabled, unicast storm recovery is active, and if the rate of unknown L2 unicast (destination lookup failure) traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped. Therefore, the rate of unknown unicast traffic will be limited to the configured threshold.

Default	5
Format	storm-control unicast all level <0-100>
Mode	Global Config

no storm-control unicast all level

This command returns the unicast storm recovery threshold to the default value and disables unicast storm recovery for all interfaces.

Format	no storm-control unicast all level
Mode	Global Config

storm-control flowcontrol

This command enables 802.3x flow control for the switch and only applies to full-duplex mode ports.

---

Note - 802.3x flow control works by pausing a port when the port becomes oversubscribed and dropping all traffic for small bursts of time during the congestion condition. This can lead to high-priority and/or network control traffic loss.

---

Default	disabled
Format	storm-control flowcontrol
Mode	Global Config

no storm-control flowcontrol

This command disables 802.3x flow control for the switch.

---

Note - This command only applies to full-duplex mode ports.

---

Format	no storm-control flowcontrol
Mode	Global Config

show storm-control

This command displays switch configuration information. If you do not use any of the optional parameters, this command displays global storm control configuration parameters. Use the all keyword to display the per-port configuration parameters for all interfaces, or specify the slot/port to display information about a specific interface.

Format	show storm-control [all | <slot/port>]
Mode	Privileged EXEC

TABLE 3-27 Entry Definitions for show storm-control

Entry	Definition
Bcast Mode	Shows whether the broadcast storm control mode is enabled or disabled.
Bcast Level	Shows the broadcast storm control level.
Mcast Mode	Shows whether the multicast storm control mode is enabled or disabled.
Mcast Level	Shows the multicast storm control level.
Ucast Mode	Shows whether the Unknown Unicast or DLF (Destination Lookup Failure) storm control mode is enabled or disabled.
Ucast Level	Shows the Unknown Unicast or DLF (Destination Lookup Failure) storm control level

---

Port-Channel/LAG (802.3ad) Commands

This section describes the commands you use to configure port-channels, which are also known as link aggregation groups (LAGs). Link aggregation allows you to combine multiple full-duplex Ethernet links into a single logical link. Network devices treat the aggregation as if it were a single link, which increases fault tolerance and provides load sharing. The LAG feature initially load shares traffic based upon the source and destination MAC address.Assign the port-channel (LAG) VLAN membership after you create a port-channel. If you do not assign VLAN membership, the port-channel might become a member of the management VLAN which can result in learning and switching issues.

A port-channel (LAG) interface can be either static or dynamic, but not both. All members of a port channel must participate in the same protocols.) A static port-channel interface does not require a partner system to be able to aggregate its member ports.

---

Note - If you configure the maximum number of dynamic port-channels (LAGs) that your platform supports, additional port-channels that you configure are automatically static.

---

port-channel

This command configures a new port-channel (LAG) and generates a logical slot/port number for the port-channel. The <name> field is a character string which allows the dash “-” character as well as alphanumeric characters. Use the show port channel command to display the slot/port number for the logical interface.

---

Note - Before you include a port in a port-channel, set the port physical mode. For more information, see speed.

---

Format	port-channel <name>
Mode	Global Config

no port-channel

This command deletes a port-channel (LAG).

Format	no port-channel {<logical slot/port> | all}
Mode	Global Config

addport

This command adds one port to the port-channel (LAG). The first interface is a Logical slot and port number. of a configured port-channel.

---

Note - Before adding a port to a port-channel, set the physical mode of the port. For more information, see speed.

---

Format	addport <logical slot/port>
Mode	Interface Config

deleteport (Interface Config)

This command deletes the port from the port-channel (LAG). The interface is a Logical slot and port number. of a configured port-channel.

Format	deleteport <logical slot/port>
Mode	Interface Config

deleteport (Global Config)

This command deletes all configured ports from the port-channel (LAG). The interface is a Logical slot and port number. of a configured port-channel. To clear the port channels, see clear port-channel

Format	deleteport {<logical slot/port> | all}
Mode	Global Config

port-channel static

This command enables the static mode on a port-channel (LAG) interface. By default the static mode for a new port-channel is disabled, which means the port-channel is dynamic. However if the maximum number of allowable dynamic port-channels are already present in the system, the static mode for a new port-channel enabled, which means the port-channel is static.You can only use this command on port-channel interfaces.

Default	disabled
Format	port-channel static
Mode	Interface Config

no port-channel static

This command sets the static mode on a particular port-channel (LAG) interface to the default value. This command will be executed only for interfaces of type port-channel (LAG).

Format	no port-channel static
Mode	Interface Config

port lacpmode

This command enables Link Aggregation Control Protocol (LACP) on a port.

Default	enabled
Format	port lacpmode
Mode	Interface Config

no port lacpmode

This command disables Link Aggregation Control Protocol (LACP) on a port.

Format	no port lacpmode
Mode	Interface Config

port lacpmode all

This command enables Link Aggregation Control Protocol (LACP) on all ports.

Format	port lacpmode all
Mode	Global Config

no port lacpmode all

This command disables Link Aggregation Control Protocol (LACP) on all ports.

Format	no port lacpmode all
Mode	Global Config

port-channel adminmode

This command enables a port-channel (LAG). The option all sets every configured port-channel with the same administrative mode setting.

Format	port-channel adminmode [all]
Mode	Global Config

no port-channel adminmode

This command disables a port-channel (LAG). The option all sets every configured port-channel with the same administrative mode setting.

Format	no port-channel adminmode [all]
Mode	Global Config

port-channel linktrap

This command enables link trap notifications for the port-channel (LAG). The interface is a logical slot/port for a configured port-channel. The option all sets every configured port-channel with the same administrative mode setting.

Default	enabled
Format	port-channel linktrap {<logical slot/port> | all}
Mode	Global Config

no port-channel linktrap

This command disables link trap notifications for the port-channel (LAG). The interface is a logical slot and port for a configured port-channel. The option all sets every configured port-channel with the same administrative mode setting.

Format	no port-channel linktrap {<logical slot/port> | all}
Mode	Global Config

port-channel name

This command defines a name for the port-channel (LAG). The interface is a logical slot/port for a configured port-channel, and <name> is an alphanumeric string up to 15 characters.

Format	port-channel name {<logical slot/port> | all | <name>}
Mode	Global Config

show port-channel brief

This command displays a summary of individual port-channel (LAG) interfaces.

Format	show port-channel brief
Modes	Privileged EXEC User EXEC

For each port-channel the following information is displayed.

TABLE 3-28 Entry Definitions for show port-channel brief

Entry	Definition
Logical Interface	Shows the slot/port of the logical interface.
Port-channel Name	Shows the name of port-channel (LAG) interface.
Link-State	Shows whether the link is up or down.
Type	Shows whether the port-channel is statically or dynamically maintained.
Mbr Ports	Shows the members of this port-channel
Active Ports	Shows ports that are actively participating in the port-channel

show port-channel

This command displays an overview of all port-channels (LAGs) on the switch.

Format	show port-channel {<logical slot/port> | all}
Modes	Privileged EXEC User EXEC

TABLE 3-29 Entry Definitions for show port-channel

Entry	Definition
Logical Interface	Valid slot and port number separated by forward slashes.
Port-Channel Name	The name of this port-channel (LAG). You may enter any string of up to 15 alphanumeric characters.
Link State	Indicates whether the Link is up or down.
Admin Mode	May be enabled or disabled. The factory default is enabled.
Link Trap Mode	This object determines whether or not to send a trap when link status changes. The factory default is enabled.
STP Mode	The Spanning Tree Protocol Administrative Mode associated with the port or port-channel (LAG). The possible values are:as follows Disable - Spanning tree is disabled for this port. Enable - Spanning tree is enabled for this port.
Mbr Ports	A listing of the ports that are members of this port-channel (LAG), in slot/port notation. There can be a maximum of eight ports assigned to a given port-channel (LAG).
Port Speed	Speed of the port-channel port.
Type	This field displays the status designating whether a particular port-channel (LAG) is statically or dynamically maintained. Static - The port-channel is statically maintained. Dynamic - The port-channel is dynamically maintained.
Active Ports	This field lists ports that are actively participating in the port-channel (LAG).

---

Port Mirroring

Port mirroring, which is also known as port monitoring, selects network traffic that you can analyze with a network analyzer, such as a SwitchProbe device or other Remote Monitoring (RMON) probe.

monitor session

This command configures a probe port and a monitored port for monitor session (port monitoring). Use the source interface <slot/port> parameter to specify the interface to monitor. Use rx to monitor only ingress packets, or use tx to monitor only egress packets. If you do not specify an {rx | tx} option, the destination port monitors both ingress and egress packets. Use the destination interface <slot/port> to specify the interface to receive the monitored traffic. Use the mode parameter to enabled the administrative mode of the session. If enabled, the probe port monitors all the traffic received and transmitted on the physical monitored port.

Format	monitor session <session-id> {source interface <slot/port> [{rx | tx}] | destination interface <slot/port> | mode}
Mode	Global Config

no monitor session

Use this command without optional parameters to remove the monitor session (port monitoring) designation from the source probe port, the destination monitored port and all VLANs. Once the port is removed from the VLAN, you must manually add the port to any desired VLANs. Use the source interface <slot/port> parameter or destination interface <slot/port> to remove the specified interface from the port monitoring session. Use the mode parameter to disable the administrative mode of the session.

---

Note - Since the current version of FASTPATH only supports one session, if you do not supply optional parameters, the behavior of this command is similar to the behavior of the no monitor command.

---

Format	no monitor session <session-id> [{source interface <slot/port> | destination interface <slot/port> | mode}]
Mode	Global Config

no monitor

This command removes all the source ports and a destination port for the and restores the default value for mirroring session mode for all the configured sessions.

---

Note - This is a stand-alone “no” command. This command does not have a “normal” form.

---

Default	enabled
Format	no monitor
Mode	Global Config

show monitor session

This command displays the Port monitoring information for a particular mirroring session.

---

Note - The <session-id> parameter is an integer value used to identify the session. In the current version of the software, the <session-id> parameter is always one (1).

---

Format	show monitor session <session-id>
Mode	Privileged EXEC

TABLE 3-30 Entry Definitions for show monitor session

Entry	Definition
Session ID	An integer value used to identify the session. Its value can be anything between 1 and the maximum number of mirroring sessions allowed on the platform.
Monitor Session Mode	Indicates whether the Port Mirroring feature is enabled or disabled for the session identified with <session-id>. The possible values are Enabled and Disabled.
Probe Port	Probe port (destination port) for the session identified with <session-id>. If probe port is not set then this field is blank.
Source Port	The port, which is configured as mirrored port (source port) for the session identified with <session-id>. If no source port is configured for the session then this field is blank.
Type	Direction in which source port configured for port mirroring.Types are tx for transmitted packets and rx for receiving packets.

---

Static MAC Filtering

The commands in this section describe how to configure static MAC filtering.

macfilter

This command adds a static MAC filter entry for the MAC address <macaddr> on the VLAN <vlanid>.

The value of the <macaddr> parameter is a 6-byte hexadecimal number in the format of b1:b2:b3:b4:b5:b6.

The restricted MAC Addresses are as follows:

• 00:00:00:00:00:00
• 01:80:C2:00:00:00 to 01:80:C2:00:00:0F
• 01:80:C2:00:00:20 to 01:80:C2:00:00:21
• FF:FF:FF:FF:FF:FF.

The <vlanid> parameter must identify a valid VLAN. You can create up to 100 static MAC filters.

Format	macfilter <macaddr> <vlanid>
Mode	Global Config

no macfilter

This command removes all filtering restrictions and the static MAC filter entry for the MAC address <macaddr> on the VLAN <vlanid>. The <macaddr> parameter must be specified as a 6-byte hexadecimal number in the format of b1:b2:b3:b4:b5:b6.

The <vlanid> parameter must identify a valid VLAN.

Format	no macfilter <macaddr> <vlanid>
Mode	Global Config

macfilter addsrc

This command adds the interface to the source filter set for the MAC filter with the MAC address of <macaddr> and VLAN of <vlanid>. The <macaddr> parameter must be specified as a 6-byte hexadecimal number in the format of b1:b2:b3:b4:b5:b6. The <vlanid> parameter must identify a valid VLAN.

Format	macfilter addsrc <macaddr> <vlanid>
Mode	Interface Config

no macfilter addsrc

This command removes a port from the source filter set for the MAC filter with the MAC address of <macaddr> and VLAN of <vlanid>. The <macaddr> parameter must be specified as a 6-byte hexadecimal number in the format of b1:b2:b3:b4:b5:b6. The <vlanid> parameter must identify a valid VLAN.

Format	no macfilter addsrc <macaddr> <vlanid>
Mode	Interface Config

macfilter addsrc all

This command adds all interfaces to the source filter set for the MAC filter with the MAC address of <macaddr> and <vlanid>. You must specify the <macaddr> parameter as a 6-byte hexadecimal number in the format of b1:b2:b3:b4:b5:b6. The <vlanid> parameter must identify a valid VLAN.

Format	macfilter addsrc all <macaddr> <vlanid>
Mode	Global Config

no macfilter addsrc all

This command removes all interfaces to the source filter set for the MAC filter with the MAC address of <macaddr> and VLAN of <vlanid>. You must specify the <macaddr> parameter as a 6-byte hexadecimal number in the format of b1:b2:b3:b4:b5:b6.

The <vlanid> parameter must identify a valid VLAN.

Format	no macfilter addsrc all <macaddr> <vlanid>
Mode	Global Config

show mac-address-table static

This command displays the Static MAC Filtering information for all Static MAC Filters. If you select <all>, all the Static MAC Filters in the system are displayed. If you supply a value for <macaddr>, you must also enter a value for <vlanid>, and the system displays Static MAC Filter information only for that MAC address and VLAN.

Format	show mac-address-table static {<macaddr> <vlanid> | all}
Mode	Privileged EXEC

TABLE 3-31 Entry Definitions for show mac-address-table static

Entry	Definition
MAC Address	Is the MAC Address of the static MAC filter entry.
VLAN ID	Is the VLAN ID of the static MAC filter entry.
Source Port(s)	Indicates the source port filter set's slot and port(s).

show mac-address-table staticfiltering

This command displays the Static Filtering entries in the Multicast Forwarding Database (MFDB) table.

Format	show mac-address-table staticfiltering
Mode	Privileged EXEC

TABLE 3-32 Entry Definitions for show mac-address-table staticfiltering

Entry	Definition
Mac Address	A unicast MAC address for which the switch has forwarding and or filtering information. The format is 6 or 8 two-digit hexadecimal numbers that are separated by colons, for example 01:23:45:67:89:AB. In an IVL system the MAC address will be displayed as 8 bytes.
Type	Displays the type of the entry. Static entries are those that are configured by the end user. Dynamic entries are added to the table as a result of a learning process or protocol.
Description	The text description of this multicast table entry.
Interfaces	The list of interfaces that are designated for forwarding (Fwd:) and filtering (Flt:).

---

IGMP Snooping Configuration Commands

This section describes the commands you use to configure IGMP snooping. FASTPATH supports IGMP Versions 1, 2, and 3. The IGMP snooping feature can help conserve bandwidth because it allows the switch to forward IP multicast traffic only to connected hosts that request multicast traffic. IGMPv3 adds source filtering capabilities to IGMP versions 1 and 2.

set igmp

This command enables IGMP Snooping on the system (Global Config Mode) or an interface (Interface Config Mode). This command also enables IGMP snooping on a particular VLAN and can enable IGMP snooping on all interfaces participating in a VLAN.

If an interface has IGMP Snooping enabled and you enable this interface for routing or enlist it as a member of a port-channel (LAG), IGMP Snooping functionality is disabled on that interface. IGMP Snooping functionality is re-enabled if you disable routing or remove port-channel (LAG) membership from an interface that has IGMP Snooping enabled.

The IGMP application supports the following activities:

• Validation of the IP header checksum (as well as the IGMP header checksum) and discarding of the frame upon checksum error.
• Maintenance of the forwarding table entries based on the MAC address versus the IP address.
• Flooding of unregistered multicast data packets to all ports in the VLAN.



Default	disabled
Format	set igmp <vlanid>
Modes	Global Config Interface Config VLAN Mode

no set igmp

This command disables IGMP Snooping on the system.

Format	no set igmp <vlanid>
Modes	Global Config Interface Config VLAN Mode

set igmp interfacemode

This command enables IGMP Snooping on all interfaces. If an interface has IGMP Snooping enabled and you enable this interface for routing or enlist it as a member of a port-channel (LAG), IGMP Snooping functionality is disabled on that interface. IGMP Snooping functionality is re-enabled if you disable routing or remove port-channel (LAG) membership from an interface that has IGMP Snooping enabled.

Default	disabled
Format	set igmp interfacemode
Mode	Global Config

no set igmp interfacemode

This command disables IGMP Snooping on all interfaces.

Format	no set igmp interfacemode
Mode	Global Config

set igmp fast-leave

This command enables or disables IGMP Snooping fast-leave admin mode on a selected interface or VLAN. Enabling fast-leave allows the switch to immediately remove the layer 2 LAN interface from its forwarding table entry upon receiving an IGMP leave message for that multicast group without first sending out MAC-based general queries to the interface.

Enable fast-leave admin mode only on VLANs where only one host is connected to each layer 2 LAN port. This prevents the inadvertent dropping of the other hosts that were connected to the same layer 2 LAN port but were still interested in receiving multicast traffic directed to that group. Also, fast-leave processing is supported only with IGMP version 2 hosts.

Default	disabled
Format	set igmp fast-leave <vlanid>
Modes	Interface Config VLAN Mode

no set igmp fast-leave

This command disables IGMP Snooping fast-leave admin mode on a selected interface.

Format	no set igmp fast-leave <vlanid>
Modes	Interface Config VLAN Mode

set igmp groupmembership-interval

This command sets the IGMP Group Membership Interval time on a VLAN, one interface or all interfaces. The Group Membership Interval time is the amount of time in seconds that a switch waits for a report from a particular group on a particular interface before deleting the interface from the entry. This value must be greater than the IGMPv3 Maximum Response time value. The range is 2 to 3600 seconds.

Default	260 seconds
Format	set igmp groupmembership-interval <vlanid> <2-3600>
Modes	Interface Config Global Config VLAN Mode

no set igmp groupmembership-interval

This command sets the IGMPv3 Group Membership Interval time to the default value.

Format	no set igmp groupmembership-interval
Modes	Interface Config Global Config VLAN Mode

set igmp maxresponse

This command sets the IGMP Maximum Response time for the system, on a particular interface or VLAN. The Maximum Response time is the amount of time in seconds that a switch will wait after sending a query on an interface because it did not receive a report for a particular group in that interface. This value must be less than the IGMP Query Interval time value. The range is 1 to 3599 seconds.

Default	10 seconds
Format	set igmp maxresponse <1-3599>
Modes	Global Config Interface Config VLAN Mode

no set igmp maxresponse

This command sets the max response time (on the interface or VLAN) to the default value.

Format	no set igmp maxresponse
Modes	Global Config Interface Config VLAN Mode

set igmp mcrtexpiretime

This command sets the Multicast Router Present Expiration time. The time is set for the system, on a particular interface or VLAN. This is the amount of time in seconds that a switch waits for a query to be received on an interface before the interface is removed from the list of interfaces with multicast routers attached. The range is 0 to 3600 seconds. A value of 0 indicates an infinite time-out, i.e. no expiration.

Default	0
Format	set igmp mcrtexpiretime <vlanid> <0-3600>
Modes	Global Config Interface Config

no set igmp mcrtexpiretime

This command sets the Multicast Router Present Expiration time to 0. The time is set for the system, on a particular interface or a VLAN.

Format	no set igmp mcrtexpiretime <vlanid>
Modes	Global Config
Interface Config

set igmp mrouter

This command configures the VLAN ID for the VLAN that has the multicast router mode enabled.

Format	set igmp mrouter <vlanid>
Mode	Interface Config

no set igmp mrouter

This command disables multicast router mode for a VLAN with a particular VLAN ID.

Format	no set igmp mrouter <vlanid>
Mode	Interface Config

set igmp mrouter interface

This command configures the interface as a multicast router interface. When configured as a multicast router interface, the interface is treated as a multicast router interface in all VLANs.

Default	disabled
Format	set igmp mrouter interface
Mode	Interface Config

no set igmp mrouter interface

This command disables the status of the interface as a statically configured multicast router interface.

Format	no set igmp mrouter interface
Mode	Interface Config

show igmpsnooping

This command displays IGMP Snooping information. Configured information is displayed whether or not IGMP Snooping is enabled.

Format	show igmpsnooping [<slot/port> | <vlanid>]
Mode	Privileged EXEC

When the optional arguments <slot/port> or <vlanid> are not used, the command displays the following information.

TABLE 3-33 Entry Definitions for show igmpsnooping

Entry	Definition
Admin Mode	This indicates whether or not IGMP Snooping is active on the switch.
Interfaces Enabled for IGMP Snooping	Interfaces on which IGMP Snooping is enabled.
Multicast Control Frame Count	This displays the number of multicast control frames that are processed by the CPU.
VLANS Enabled for IGMP Snooping	VLANS on which IGMP Snooping is enabled.

When you specify the <slot/port> values, the following information displays.

TABLE 3-34 Entry Definitions for show igmpsnooping <slot/port>

Entry	Definition
IGMP Snooping Admin Mode	ndicates whether IGMP Snooping is active on the interface.
Fast Leave Mode	Indicates whether IGMP Snooping Fast-leave is active on the VLAN.
Group Membership Interval	Shows the amount of time in seconds that a switch will wait for a report from a particular group on a particular interface, which is participating in the VLAN, before deleting the interface from the entry.This value may be configured
Max Response Time	Displays the amount of time the switch waits after it sends a query on an interface, participating in the VLAN, because it did not receive a report for a particular group on that interface. This value may be configured.
Multicast Router Present Expiration Time	Displays the amount of time to wait before removing an interface that is participating in the VLAN from the list of interfaces with multicast routers attached. The interface is removed if a query is not received. This value may be configured.

When you specify a value for <vlanid>, the following additional information appears.

VLAN Admin Mode	Indicates whether IGMP Snooping is active on the VLAN.

show igmpsnooping mrouter interface

This command displays information about statically configured ports.

Format	show igmpsnooping mrouter interface <slot/port>
Mode	Privileged EXEC

TABLE 3-35 Entry Definitions for show igmpsnooping mrouter interface

Entry	Definition
Interface	Shows the port on which multicast router information is being displayed.
Multicast Router Attached	Indicates whether multicast router is statically enabled on the interface.
VLAN ID	Displays the list of VLANs of which the interface is a member.

show igmpsnooping mrouter vlan

This command displays information about statically configured ports.

Format	show igmpsnooping mrouter vlan <slot/port>
Mode	Privileged EXEC

TABLE 3-36 Entry Definitions for show igmpsnooping mrouter vlan

Entry	Definition
Interface	Shows the port on which multicast router information is being displayed.
VLAN ID	Displays the list of VLANs of which the interface is a member.

show mac-address-table igmpsnooping

This command displays the IGMP Snooping entries in the MFDB table.

Format	show mac-address-table igmpsnooping
Mode	Privileged EXEC

TABLE 3-37 Entry Definitions for show mac-address-table igmpsnooping

Entry	Definition
MAC Address	A multicast MAC address for which the switch has forwarding or filtering information. The format is two-digit hexadecimal numbers that are separated by colons, for example 01:23:45:67:89:AB. In an IVL system the MAC address is displayed as a MAC address and VLAN ID combination of 8 bytes.
Type	Displays the type of the entry, which is either static (added by the user) or dynamic (added to the table as a result of a learning process or protocol).
Description	The text description of this multicast table entry.
Interfaces	The list of interfaces that are designated for forwarding (Fwd:) and filtering (Flt:).

---

Port Security Commands

This section describes the command you use to configure Port Security on the switch. Port security, which is also known as port MAC locking, allows you to secure the network by locking allowable MAC addresses on a given port. Packets with a matching source MAC address are forwarded normally, and all other packets are discarded.

---

Note - To enable the SNMP trap specific to port security, see snmp-server enable traps violation.

---

port-security

This command enables port locking at the system level (Global Config) or port level (Interface Config)

Default	disabled
Format	port-security
Modes	Global Config Interface Config

no port-security

This command disables port locking at the system level (Global Config) or port level (Interface Config).

Format	no port-security
Modes	Global Config Interface Config

port-security max-dynamic

This command sets the maximum of dynamically locked MAC addresses allowed on a specific port.

Default	600
Format	port-security max-dynamic <maxvalue>
Mode	Interface Config

no port-security max-dynamic

This command resets the maximum of dynamically locked MAC addresses allowed on a specific port to its default value.

Format	no port-security max-dynamic
Mode	Interface Config

port-security max-static

This command sets the maximum number of statically locked MAC addresses allowed on a specific port.

Default	20
Format	port-security max-static <maxvalue>
Mode	Interface Config

no port-security max-static

This command resets the maximum of statically locked MAC addresses allowed on a specific port to its default value.

Format	no port-security max-static
Mode	Interface Config

port-security mac-address

This command adds a MAC address to the list of statically locked MAC addresses. The <vid> is the VLAN ID.

Format	port-security mac-address <mac-address> <vid>
Mode	Interface Config

no port-security mac-address

This command removes a MAC address from the list of statically locked MAC addresses.

Format	no port-security mac-address <mac-address> <vid>
Mode	Interface Config

port-security mac-address move

This command converts dynamically locked MAC addresses to statically locked addresses.

Format	port-security mac-address move
Mode	Interface Config

show port-security

This command displays the port-security settings. If you do not use a parameter, the command displays the settings for the entire system. Use the optional parameters to display the settings on a specific interface or on all interfaces.

Format	show port-security [{<slot/port> | all}]
Mode	Privileged EXEC

For each interface, or for the interface you specify, the following information appears.

TABLE 0-4 Entry Definitions for show port-security

Entry	Definition
Admin Mode	Port Locking mode for the Interface. This field displays if you do not supply any parameters.
Dynamic Limit	Maximum dynamically allocated MAC Addresses.
Static Limit	Maximum statically allocated MAC Addresses.
Violation Trap Mode	Whether violation traps are enabled.

show port-security dynamic

This command displays the dynamically locked MAC addresses for the port.

Format	show port-security dynamic <slot/port>
Mode	Privileged EXEC
MAC Address	MAC Address of dynamically locked MAC.

show port-security static

This command displays the statically locked MAC addresses for port.

Format	show port-security static <slot/port>
Mode	Privileged EXEC
MAC Address	MAC Address of statically locked MAC.

show port-security violation

This command displays the source MAC address of the last packet discarded on a locked port.

Format	show port-security violation <slot/port>
Mode	Privileged EXEC
MAC Address	MAC Address of discarded packet on locked port.

---

LLDP (802.1AB) Commands

This section describes the command you use to configure Link Layer Discovery Protocol (LLDP), which is defined in the IEEE 802.1AB specification. LLDP allows stations on an 802 LAN to advertise major capabilities and physical descriptions. The advertisements allow a network management system (NMS) to access and display this information.

lldp transmit

Use this command to enable the LLDP advertise capability.

Default	disabled
Format	lldp transmit
Mode	Interface Config

no lldp transmit

Use this command to return the local data transmission capability to the default.

Format	no lldp transmit
Mode	Interface Config

lldp receive

Use this command to enable the LLDP receive capability.

Default	disabled
Format	lldp receive
Mode	Interface Configuration

no lldp receive

Use this command to return the reception of LLDPDUs to the default value.

Format	lldp receive
Mode	Interface Configuration

lldp timers

Use this command to set the timing parameters for local data transmission on ports enabled for LLDP. The <interval-seconds> determines the number of seconds to wait between transmitting local data LLDPDUs. The range is 1-32768 seconds. The <hold-value> is the multiplier on the transmit interval that sets the TTL in local data LLDPDUs. The multiplier range is 2-10. The <reinit-seconds> is the delay before re-initialization, and the range is 1-0 seconds.

Default	interval--30 seconds hold--4 reinit--2 seconds
Format	lldp timers [interval <interval-seconds>] [hold <hold-value>] [reinit <reinit-seconds>]
Mode	Global Config

no lldp timers

Use this command to return any or all timing parameters for local data transmission on ports enabled for LLDP to the default values.

Format	no lldp timers [interval] [hold] [reinit]
Mode	Global Config

lldp transmit-tlv

Use this command to specify which optional type length values (TLVs) in the 802.1AB basic management set are transmitted in the LLDPDUs. Use sys-name to transmit the system name TLV. To configure the system name, see snmp-server Use sys-desc to transmit the system description TLV. Use sys-cap to transmit the system capabilities TLV. Use port-desc to transmit the port description TLV. To configure the port description, see description

Default	no optional TLVs are included
Format	lldp transmit-tlv [sys-desc] [sys-name] [sys-cap] [port-desc]
Mode	Interface Config

no lldp transmit-tlv

Use this command to remove an optional TLV from the LLDPDUs. Use the command without parameters to remove all optional TLVs from the LLDPDU.

Format	no lldp transmit-tlv [sys-desc] [sys-name] [sys-cap] [port-desc]
Mode	Interface Config

lldp transmit-mgmt

Use this command to include transmission of the local system management address information in the LLDPDUs.

Format	lldp transmit-mgmt
Mode	Interface Config

no lldp transmit-mgmt

Use this command to include transmission of the local system management address information in the LLDPDUs. Use this command to cancel inclusion of the management information in LLDPDUs.

Format	no lldp transmit-mgmt
Mode	Interface Config

lldp notification

Use this command to enable remote data change notifications.

Default	disabled
Format	lldp notification
Mode	Interface Config

no lldp notification

Use this command to disable notifications.

Default	disabled
Format	no lldp notification
Mode	Interface Config

lldp notification-interval

Use this command to configure how frequently the system sends remote data change notifications. The <interval> parameter is the number of seconds to wait between sending notifications. The valid interval range is 5-3600 seconds.

Default	5
Format	lldp notification-interval <interval>
Mode	Global Config

no lldp notification-interval

Use this command to return the notification interval to the default value.

Format	no lldp notification-interval
Mode	Global Config

clear lldp statistics

Use this command to reset all LLDP statistics.

Format	clear lldp statistics
Mode	Global Config

clear lldp remote-data

Use this command to delete all information from the LLDP remote data table.

Format	clear lldp remote-data
Mode	Global Config

show lldp

Use this command to display a summary of the current LLDP configuration.

Format	show lldp
Mode	Privileged EXEC

TABLE 3-38 Entry Defintions for show lldp

Entry	Definition
Transmit Interval	Shows how frequently the system transmits local data LLDPDUs, in seconds.
Transmit Hold Multiplier	Shows the multiplier on the transmit interval that sets the TTL in local data LLDPDUs.
Re-initialization Delay	Shows the delay before re-initialization, in seconds.
Notification Interval	Shows how frequently the system sends remote data change notifications, in seconds.

show lldp interface

Use this command to display a summary of the current LLDP configuration for a specific interface or for all interfaces.

Format	show lldp interface {<slot/port> | all}
Mode	Privileged EXEC

TABLE 3-39 Entry Defintions for show lldp interface

Entry	Definition
Interface	Shows the interface in a slot/port format.
Link	Shows whether the link is up or down.
Transmit	Shows whether the interface transmits LLDPDUs.
Receive	Shows whether the interface receives LLDPDUs.
Notify	Shows whether the interface sends remote data change notifications.
TLVs	Shows whether the interface sends optional TLVs in the LLDPDUs. The TLV codes can be 0 (Port Description), 1 (System Name), 2 (System Description), or 3 (System Capability).
Mgmt	Shows whether the interface transmits system management address information in the LLDPDUs.

show lldp statistics

Use this command to display the current LLDP traffic and remote table statistics for a specific interface or for all interfaces.

Format	show lldp statistics {<slot/port> | all}
Mode	Privileged EXEC

TABLE 3-40 Entry Definitions for show lldp statistics

Entry	Definition
Last Update	Shows the amount of time since the last update to the remote table in days, hours, minutes, and seconds.
Total Inserts	Total number of inserts to the remote data table.
Total Deletes	Total number of deletes from the remote data table.
Total Drops	Total number of times the complete remote data received was not inserted due to insufficient resources.
Total Ageouts	Total number of times a complete remote data entry was deleted because the Time to Live interval expired. The table contains the following headings.
Interface	Shows the interface in slot/port format.
Transmit Total	Total number of LLDP packets transmitted on the port.
Receive Total	Total number of LLDP packets received on the port.
Errors	The number of invalid LLDP frames received on the port.
Ageouts	Total number of times a complete remote data entry was deleted for the port because the Time to Live interval expired.
TVL Discards	Shows the number of TLVs discarded
TVL Unknowns	Total number of LLDP TLVs received on the port where the type value is in the reserved range, and not recognized.

show lldp remote-device

Use this command to display summary information about remote devices that transmit current LLDP data to the system. You can show information about LLDP remote data received on all ports or on a specific port.

Format	show lldp remote-device {<slot/port> | all}
Mode	Privileged EXEC

TABLE 3-41 Entry Definitions for show lldp remote-device

Entry	Definition
Local Interface	Identifies the interface that received the LLDPDU from the remote device.
Chassis ID	Shows the ID of the remote device.
Port ID	Shows the port number that transmitted the LLDPDU.
System Name	Shows the system name of the remote device.

show lldp remote-device detail

Use this command to display detailed information about remote devices that transmit current LLDP data to an interface on the system.

Format	show lldp remote-device detail <slot/port>
Mode	Privileged EXEC

TABLE 3-42 Entry Definitions for show lldp remote-device detail

Entry	Definition
Local Interface	Identifies the interface that received the LLDPDU from the remote device.
Chassis ID Subtype	Shows the type of identification used in the Chassis ID field.
Chassis ID	Identifies the chassis of the remote device.
Port ID Subtype	Identifies the type of port on the remote device.
Port ID	Shows the port number that transmitted the LLDPDU.
System Name	Shows the system name of the remote device.
System Description	Describes the remote system by identifying the system name and versions of hardware, operating system, and networking software supported in the device.
Port Description	Describes the port in an alpha-numeric format. The port description is configurable.
System Capabilities Supported	Indicates the primary function(s) of the device.
System Capabilities Enabled	Shows which of the supported system capabilities are enabled.
Management Address	For each interface on the remote device with an LLDP agent, lists the type of address the remote LLDP agent uses and specifies the address used to obtain information related to the device.
Time To Live	Shows the amount of time (in seconds) the remote device's information received in the LLDPDU should be treated as valid information.

show lldp local-device

Use this command to display summary information about the advertised LLDP local data. This command can display summary information or detail for each interface.

Format	show lldp local-device {<slot/port> | all}
Mode	Privileged EXEC

TABLE 3-43 Entry Definitions for show lldp local-device

Entry	Definition
Interface	Identifies the interface in a slot/port format.
Port ID	Shows the port ID associated with this interface.
Port Description	Shows the port description associated with the interface.

show lldp local-device detail

Use this command to display detailed information about the LLDP data a specific interface transmits.

Format	show lldp local-device detail <slot/port>
Mode	Privileged EXEC

TABLE 3-44 Entry Definitions for show lldp local-device detail

Entry	Definition
Interface	Identifies the interface that sends the LLDPDU.
Chassis ID Subtype	Shows the type of identification used in the Chassis ID field.
Chassis ID	Identifies the chassis of the local device.
Port ID Subtype	Identifies the type of port on the local device.
Port ID	Shows the port number that transmitted the LLDPDU.
System Name	Shows the system name of the local device.
System Description	Describes the local system by identifying the system name and versions of hardware, operating system, and networking software supported in the device.
Port Description	Describes the port in an alpha-numeric format.
System Capabilities Supported	Indicates the primary function(s) of the device.
System Capabilities Enabled	Shows which of the supported system capabilities are enabled.
Management Address	Lists the type of address and the specific address the local LLDP agent uses to send and receive information.

---

Denial of Service Commands

This section describes the commands you use to configure DoS Control. FASTPATH software provides support for classifying and blocking specific types of Denial of Service attacks.

You can configure your system to monitor and block six types of attacks:

1. SIP=DIP: Source IP address = Destination IP address.

2. First Fragment:TCP Header size smaller then configured value.

3. TCP Fragment: IP Fragment Offset = 1.

4. TCP Flag: TCP Flag SYN set and Source Port < 1024 or TCP Control Flags = 0 and TCP Sequence Number = 0 or TCP Flags FIN, URG, and PSH set and TCP Sequence Number = 0 or TCP Flags SYN and FIN set.

5. L4 Port: Source TCP/UDP Port = Destination TCP/UDP Port.

6. ICMP: Limiting the size of ICMP Ping packets.

dos-control sipdip

This command enables Source IP Address = Destination IP Address (SIP=DIP) Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress with SIP=DIP, the packets will be dropped if the mode is enabled.

Default	disabled
Format	dos-control sipdip
Mode	Global Config

no dos-control sipdip

This command disables Source IP Address = Destination IP Address (SIP=DIP) Denial of Service prevention.

Format	no dos-control sipdip
Mode	Global Config

dos-control firstfrag

This command enables Minimum TCP Header Size Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having a TCP Header Size smaller then the configured value, the packets will be dropped if the mode is enabled.The default is disabled. If you enable dos-control firstfrag, but do not provide a Minimum TCP Header Size, the system sets that value to 20.

Default	disabled <20>
Format	dos-control firstfrag [<0-255>]
Mode	Global Config

no dos-control firstfrag

This command sets Minimum TCP Header Size Denial of Service protection to the default value of disabled.

Format	no dos-control firstfrag
Mode	Global Config

dos-control tcpfrag

This command enables TCP Fragment Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having IP Fragment Offset equal to one (1), the packets will be dropped if the mode is enabled.

Default	disabled
Format	dos-control tcpfrag
Mode	Global Config

no dos-control tcpfrag

This command disabled TCP Fragment Denial of Service protection.

Format	no storm-control broadcast all
Mode	Global Config

dos-control tcpflag

This command enables TCP Flag Denial of Service protections. If the mode is enabled, Denial of Service prevention is active for this type of attacks. If packets ingress having TCP Flag SYN set and a source port less than 1024 or having TCP Control Flags set to 0 and TCP Sequence Number set to 0 or having TCP Flags FIN, URG, and PSH set and TCP Sequence Number set to 0 or having TCP Flags SYN and FIN both set, the packets will be dropped if the mode is enabled.

Default	disabled
Format	dos-control tcpflag
Mode	Global Config

no dos-control tcpflag

This command sets disables TCP Flag Denial of Service protections.

Format	no dos-control tcpflag
Mode	Global Config

dos-control l4port

This command enables L4 Port Denial of Service protections. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having Source TCP/UDP Port Number equal to Destination TCP/UDP Port Number, the packets will be dropped if the mode is enabled.

---

Note - Some applications mirror source and destination L4 ports - RIP for example uses 520 for both. If you enable dos-control l4port, applications such as RIP may experience packet loss which would render the application inoperable.

---

Default	disabled
Format	dos-control l4port
Mode	Global Config

no dos-control l4port

This command disables L4 Port Denial of Service protections.

Format	no dos-control l4port
Mode	Global Config

dos-control icmp

This command enables Maximum ICMP Packet Size Denial of Service protections. If the mode is enabled, Denial of Service prevention is active for this type of attack. If ICMP Echo Request (PING) packets ingress having a size greater than the configured value, the packets will be dropped if the mode is enabled.

Default	disabled <512>
Format	dos-control icmp <0-1023>
Mode	Global Config

no dos-control icmp

This command disables Maximum ICMP Packet Size Denial of Service protections.

Format	no dos-control icmp
Mode	Global Config

show dos-control

This command displays Denial of Service configuration information.

Format	show dos-control
Mode	Privileged EXEC

TABLE 3-45 Entry Definitions for show dos-control

Entry	Definition
SIPDIP Mode	May be enabled or disabled. The factory default is disabled.
First Fragment Mode	May be enabled or disabled. The factory default is disabled.
Min TCP Hdr Size <0-255>	The factory default is 20.
TCP Fragment Mode	May be enabled or disabled. The factory default is disabled.
TCP Flag Mode	May be enabled or disabled. The factory default is disabled.
L4 Port Mode	May be enabled or disabled. The factory default is disabled.
ICMP Mode	May be enabled or disabled. The factory default is disabled.
Max ICMP Pkt Size <0-1023>	The factory default is 512.

---

MAC Database Commands

This section describes the commands you use to configure and view information about the MAC databases.

bridge aging-time

This command configures the forwarding database address aging timeout in seconds. The <seconds> parameter must be within the range of 10 to 1,000,000 seconds.

Default	300
Format	bridge aging-time <10-1,000,000>
Mode	Global Config

no bridge aging-time

This command sets the forwarding database address aging timeout to the default value.

Format	no bridge aging-time
Mode	Global Config

show forwardingdb agetime

This command displays the timeout for address aging. In an IVL system, the [fdbid | all] parameter is required.

Default	all
Format	show forwardingdb agetime [fdbid | all]
Mode	Privileged EXEC

TABLE 3-46 Entry Definitions for show forwardingdb agetime

Entry	Definition
Forwarding DB ID	Fdbid (Forwarding database ID) indicates the forwarding database whose aging timeout is to be shown. The all option is used to display the aging timeouts associated with all forwarding databases. This field displays the forwarding database ID in an IVL system.
Agetime	In an IVL system, this parameter displays the address aging timeout for the associated forwarding database.

show mac-address-table multicast

This command displays the Multicast Forwarding Database (MFDB) information. If you enter the command with no parameter, the entire table is displayed. You can display the table entry for one MAC Address by specifying the MAC address as an optional parameter.

Format	show mac-address-table multicast <macaddr>
Mode	Privileged EXEC

TABLE 3-47 Entry Definitions for show mac-address-table multicast

Entry	Definition
MAC Address	A multicast MAC address for which the switch has forwarding and or filtering information. The format is two-digit hexadecimal numbers separated by colons, for example 01:23:45:67:89:AB. In an IVL system the MAC address will be displayed as a MAC address and VLAN ID combination of 8 bytes.
Type	This displays the type of the entry. Static entries are those that are configured by the end user. Dynamic entries are added to the table as a result of a learning process or protocol.
Component	The component that is responsible for this entry in the Multicast Forwarding Database. Possible values are IGMP Snooping, GMRP, and Static Filtering.
Description	The text description of this multicast table entry.
Interfaces	The list of interfaces that are designated for forwarding (Fwd:) and filtering (Flt:).
Forwarding Interfaces	The resultant forwarding list is derived from combining all the component’s forwarding interfaces and removing the interfaces that are listed as the static filtering interfaces.

show mac-address-table stats

This command displays the Multicast Forwarding Database (MFDB) statistics.

Format	show mac-address-table stats
Mode	Privileged EXEC

TABLE 3-48 Entry Definitions for show mac-address-table stats

Entry	Definition
Total Entries	Displays the total number of entries that can possibly be in the Multicast Forwarding Database table.
Most MFDB Entries Ever Used	Displays the largest number of entries that have been present in the Multicast Forwarding Database table. This value is also known as the MFDB high-water mark.
Current Entries	Displays the current number of entries in the MFDB

---

Layer 2 Failover Commands

This section describes the Layer 2 failover commands. Layer 2 failover functionality disables configured server ports in case a monitored uplink port or port channel fails. This failover is designed to be used with NIC teaming or bonding to facilitate uplink redundancy without the need for Layer 2 connections between Fabric/Base switches.

Layer 2 failover incorparates the track object features of VRRP, using the object status to determine uplink status to the switch. For commands and configuration guidelines, see VRRP Tracking Commands.

failover track

This command configures the interface to track the configured monitor and to disable the interface if the monitor status is down. The number at the end of the command corresponds to the track object number listed under the global configuration.

Default	disabled
Format	Failover track [ <1-255> ]
Mode	Interface Config

show track failover

Show status of single or all interfaces configured with the failover track command.

Format	show track failover [ interface <0/#> ] [all]
Mode	Privileged EXEC

TABLE 3-49 Entry Definitions for show track failover

Entry	Definition
Interface	Displays interfaces configured with failover track command.
Track Num	Displays the tracking object number associated with the listed interface.
Track Status	Displays the status of the tracking object (up or down).
Interface Status	Displays the status of the interface configured with the failover track command. Up indicates the tracked object is up and the interface is connected and active. Disabled indicates the tracked object is down and the interface link state has been disabled.

---

Link Aggregation (LAG)/Port-Channel (802.3AD) Commands

This section provides a detailed explanation of the link aggregation (LAG) commands. The commands are divided into two functional groups:

• Show commands display switch settings, statistics, and other information.
• Configuration commands configure features and options of the switch. For every configuration command, there is a show command that displays the configuration setting.

port-channel staticcapability

This command enables the support of port-channels (static link aggregations - LAGs) on the device. By default, the static capability for all port-channels is disabled.

• Default - disabled
• Format - port-channel staticcapability
• Mode - Global Config

no port-channel staticcapability

This command disables the support of static port-channels (link aggregations - LAGs) on the device.

• Format - no port-channel staticcapability
• Mode - Global Config

port lacpmode

This command enables Link Aggregation Control Protocol (LACP) on a port.

• Default - disabled
• Format - port lacpmode
• Mode - Interface Config

no port lacpmode

This command disables Link Aggregation Control Protocol (LACP) on a port.

• Format - no port lacpmode
• Mode - Interface Config

port lacpmode all

This command enables Link Aggregation Control Protocol (LACP) on all ports.

• Format - port lacpmode all
• Mode - Global Config

no port lacpmode all

This command disables Link Aggregation Control Protocol (LACP) on all ports.

• Format - no port lacpmode all
• Mode - Global Config

port-channel

This command configures a new port-channel (LAG) and generates a logical slot/port number for the port-channel. The <name> field is a character string which allows the dash '-' character as well as alphanumeric characters. Display this number using the “show port-channel”.

---

Note - Before including a port in a port-channel, set the port physical mode (see speed).

---

• Format - port-channel <name>
• Mode - Global Config

no port-channel

This command deletes a port-channel (LAG).

• Format - no port-channel <name>
• Mode - Global Config

port-channel adminmode all

This command enables a port-channel (LAG). The interface is a logical slot/port for a configured port-channel. The option all sets every configured port-channel with the same administrative mode setting.

• Format - port-channel adminmode all
• Mode - Global Config

no port-channel adminmode

This command disables a port-channel (LAG). The interface is a logical slot/port for a configured port- channel. The option all sets every configured port-channel with the same administrative mode setting.

• Format - no port-channel adminmode all
• Mode - Global Config

port-channel linktrap

This command enables link trap notifications for the port-channel (LAG). The interface is a logical slot/ port for a configured port-channel. The option all sets every configured port-channel with the same administrative mode setting.

• Default - enabled
• Format - port-channel linktrap {<logical slot/port> | all}
• Mode - Global Config

no port-channel linktrap

This command disables link trap notifications for the port-channel (LAG). The interface is a logical unit, slot and port slot and port for a configured port-channel. The option all sets every configured port-channel with the same administrative mode setting.

• Format - no port-channel linktrap {<logical slot/port> | all]
• Mode - GlobalConfig

port-channel name

This command defines a name for the port-channel (LAG). The interface is a logical slot/port for a configured port-channel, and name is an alphanumeric string up to 15 characters. This command is used to modify the name that was associated with the port-channel when it was created.

• Format - port-channel name {<logical slot/port> | all | <name>}
• Mode - Global Config

show port-channel brief

This command displays the static capability of all port-channels (LAGs) on the device as well as a summary of individual port-channels.

• Format - show port-channel brief
• Mode - Privileged EXEC and User EXEC



TABLE 3-50 Entry Definitions for show port-channel brief

Entry	Definition
Static Capability	This field displays whether or not the device has static capability enabled.

For each port-channel, the following information is displayed.

TABLE 3-51 Informaiton Displayed For Each Channel of show port-channel brief

Entry	Definition
Name	This field displays the name of the port-channel.
Link State	This field indicates whether the link is up or down.
Mbr Ports	This field lists the ports that are members of this port-channel, in <slot/port> notation.
Active Ports	This field lists the ports that are actively participating in this port-channel.

show port-channel

This command displays an overview of all port-channels (LAGs) on the switch.

• Format - show port-channel {<logical slot/port> | all}
• Mode - Privileged EXEC



TABLE 3-52 Entry Definitions for show port-channel

Entry	Definition
Logical slot/port	Valid slot and port number separated by forward slashes.
Name	The name of this port-channel (LAG). You may enter any string of up to 15 alphanumeric characters.
Link State	Indicates whether the Link is up or down.
Admin Mode	May be enabled or disabled. The factory default is enabled.
Link Trap Mode	This object determines whether or not to send a trap when link status changes. The factory default is enabled.
STP Mode	The Spanning Tree Protocol Administrative Mode associated with the port or port-channel (LAG). The possible values are: Disable - Spanning tree is disabled for this port. Enable - Spanning tree is enabled for this port.
Mbr Ports	A listing of the ports that are members of this port-channel (LAG), in slot/port notation. There can be a maximum of eight ports assigned to a given port-channel (LAG).
Port Speed	Speed of the port-channel port.
Type	This field displays the status designating whether a particular port-channel (LAG) is statically or dynamically maintained. The possible values of this field are: Static, indicating that the port-channel is statically maintained Dynamic, indicating that the port-channel is dynamically maintained.
Active Ports	This field lists the ports that are actively participating in the port-channel (LAG).