Avaya WLAN 8100 WC 8180 CLI Reference

Avaya WLAN 8100 WC 8180 CLI Reference

1.1.0.0NN47251-107, 01.01

August 2011

© 2011 Avaya Inc.

All Rights Reserved.

Notice

While reasonable efforts have been made to ensure that theinformation in this document is complete and accurate at the time ofprinting, Avaya assumes no liability for any errors. Avaya reserves theright to make changes and corrections to the information in thisdocument without the obligation to notify any person or organization ofsuch changes.

Documentation disclaimer

“Documentation” means information published by Avaya in varyingmediums which may include product information, operating instructionsand performance specifications that Avaya generally makes availableto users of its products. Documentation does not include marketingmaterials. Avaya shall not be responsible for any modifications,additions, or deletions to the original published version ofdocumentation unless such modifications, additions, or deletions wereperformed by Avaya. End User agrees to indemnify and hold harmlessAvaya, Avaya's agents, servants and employees against all claims,lawsuits, demands and judgments arising out of, or in connection with,subsequent modifications, additions or deletions to this documentation,to the extent made by End User.

Link disclaimer

Avaya is not responsible for the contents or reliability of any linked Websites referenced within this site or documentation provided by Avaya.Avaya is not responsible for the accuracy of any information, statementor content provided on these sites and does not necessarily endorsethe products, services, or information described or offered within them.Avaya does not guarantee that these links will work all the time and hasno control over the availability of the linked pages.

Warranty

Avaya provides a limited warranty on its Hardware and Software(“Product(s)”). Refer to your sales agreement to establish the terms ofthe limited warranty. In addition, Avaya’s standard warranty language,as well as information regarding support for this Product while underwarranty is available to Avaya customers and other parties through theAvaya Support Web site: http://support.avaya.com. Please note that ifyou acquired the Product(s) from an authorized Avaya reseller outsideof the United States and Canada, the warranty is provided to you bysaid Avaya reseller and not by Avaya.

Licenses

THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYAWEBSITE, HTTP://SUPPORT.AVAYA.COM/LICENSEINFO/ AREAPPLICABLE TO ANYONE WHO DOWNLOADS, USES AND/ORINSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC.,ANY AVAYA AFFILIATE, OR AN AUTHORIZED AVAYA RESELLER(AS APPLICABLE) UNDER A COMMERCIAL AGREEMENT WITHAVAYA OR AN AUTHORIZED AVAYA RESELLER. UNLESSOTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOESNOT EXTEND THIS LICENSE IF THE SOFTWARE WAS OBTAINEDFROM ANYONE OTHER THAN AVAYA, AN AVAYA AFFILIATE OR ANAVAYA AUTHORIZED RESELLER; AVAYA RESERVES THE RIGHTTO TAKE LEGAL ACTION AGAINST YOU AND ANYONE ELSEUSING OR SELLING THE SOFTWARE WITHOUT A LICENSE. BYINSTALLING, DOWNLOADING OR USING THE SOFTWARE, ORAUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OFYOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING,DOWNLOADING OR USING THE SOFTWARE (HEREINAFTERREFERRED TO INTERCHANGEABLY AS “YOU” AND “END USER”),AGREE TO THESE TERMS AND CONDITIONS AND CREATE ABINDING CONTRACT BETWEEN YOU AND AVAYA INC. OR THEAPPLICABLE AVAYA AFFILIATE ( “AVAYA”).

Copyright

Except where expressly stated otherwise, no use should be made ofmaterials on this site, the Documentation, Software, or Hardwareprovided by Avaya. All content on this site, the documentation and theProduct provided by Avaya including the selection, arrangement anddesign of the content is owned either by Avaya or its licensors and isprotected by copyright and other intellectual property laws including thesui generis rights relating to the protection of databases. You may notmodify, copy, reproduce, republish, upload, post, transmit or distributein any way any content, in whole or in part, including any code andsoftware unless expressly authorized by Avaya. Unauthorizedreproduction, transmission, dissemination, storage, and or use withoutthe express written consent of Avaya can be a criminal, as well as acivil offense under the applicable law.

Third-party components

Certain software programs or portions thereof included in the Productmay contain software distributed under third party agreements (“ThirdParty Components”), which may contain terms that expand or limitrights to use certain portions of the Product (“Third Party Terms”).Information regarding distributed Linux OS source code (for thoseProducts that have distributed the Linux OS source code), andidentifying the copyright holders of the Third Party Components and theThird Party Terms that apply to them is available on the Avaya SupportWeb site: http://support.avaya.com/Copyright.

Trademarks

The trademarks, logos and service marks (“Marks”) displayed in thissite, the Documentation and Product(s) provided by Avaya are theregistered or unregistered Marks of Avaya, its affiliates, or other thirdparties. Users are not permitted to use such Marks without prior writtenconsent from Avaya or such third party which may own the Mark.Nothing contained in this site, the Documentation and Product(s)should be construed as granting, by implication, estoppel, or otherwise,any license or right in and to the Marks without the express writtenpermission of Avaya or the applicable third party.

Avaya is a registered trademark of Avaya Inc.

All non-Avaya trademarks are the property of their respective owners,and “Linux” is a registered trademark of Linus Torvalds.

Downloading Documentation

For the most current versions of Documentation, see the AvayaSupport Web site: http://support.avaya.com.

Contact Avaya Support

Avaya provides a telephone number for you to use to report problemsor to ask questions about your Product. The support telephone numberis 1-800-242-2121 in the United States. For additional supporttelephone numbers, see the Avaya Web site: http://support.avaya.com.

2 Avaya WLAN 8100 WC 8180 CLI Reference August 2011Comments? [email protected]

http://support.avaya.com

http://www.avaya.com/support/LicenseInfo

http://support.avaya.com/Copyright



mailto:[email protected]?subject=Avaya WLAN 8100 WC 8180 CLI Reference

Contents

Chapter 1: Command Line Interface workflows............................................................... 7Basic controller configuration.................................................................................................................... 7Enabling traps and logs............................................................................................................................ 8Displaying system logs.............................................................................................................................. 9Troubleshooting client-related issues........................................................................................................ 9Troubleshooting AP-related issues........................................................................................................... 11Troubleshooting Layer 2 and Layer 3 issues............................................................................................ 12

Chapter 2: Command Line Interface Configuration......................................................... 15Configuring WLAN options........................................................................................................................ 15

Managing wireless communications................................................................................................. 15Configuring wireless communications.............................................................................................. 22

Configuring system options....................................................................................................................... 35General switch administration.......................................................................................................... 35Configuring Energy Saver Options................................................................................................... 49Using Simple Network Time Protocol............................................................................................... 49Real time clock configuration........................................................................................................... 52Custom Autonegotiation Advertisements ......................................................................................... 54Connecting to another switch........................................................................................................... 55Domain Name Server (DNS) Configuration..................................................................................... 57Changing switch software................................................................................................................ 59Configuration files in CLI.................................................................................................................. 60Enabling Quickconfig........................................................................................................................ 63Terminal setup.................................................................................................................................. 64Setting the default management interface........................................................................................ 64Enabling Serial Console Port Access............................................................................................... 65Setting Telnet access....................................................................................................................... 65Setting boot parameters................................................................................................................... 67Defaulting to BootP-when-needed................................................................................................... 67shutdown command......................................................................................................................... 69reload command............................................................................................................................... 69Configuring Packet Storm Control Settings...................................................................................... 70CLI Help........................................................................................................................................... 71Clearing the default TFTP server with CLI....................................................................................... 71Configuring a default TFTP server with CLI..................................................................................... 71Configuring default clock source...................................................................................................... 71Configuring daylight savings time with CLI....................................................................................... 72Configuring Dual Agent.................................................................................................................... 73Configuring local time zone with CLI................................................................................................ 75Customizing CLI banner with CLI..................................................................................................... 75Displaying the default TFTP server with CLI.................................................................................... 77Displaying complete GBIC information............................................................................................. 77Displaying hardware information...................................................................................................... 77Configuring Auto-Unit Replacement................................................................................................. 78Configuring the UI button................................................................................................................. 78

Avaya WLAN 8100 WC 8180 CLI Reference August 2011 3

Configuring USB Host Port............................................................................................................... 78Enabling Autosave........................................................................................................................... 79Setting the server for Web-based management with CLI................................................................. 79Setting the read-only and read-write passwords.............................................................................. 80Enabling and disabling passwords................................................................................................... 81Configuring RADIUS authentication................................................................................................. 82Configuring RADIUS server load balancing..................................................................................... 83Configuring RADIUS AAA offloading................................................................................................ 84Configuring Radius Health Check.................................................................................................... 86

Configuring system security...................................................................................................................... 87Configuring MAC address-based security using CLI........................................................................ 88Configuring RADIUS authentication using CLI................................................................................. 95SNMP configuration using CLI......................................................................................................... 98Configuring TACACS+ using CLI..................................................................................................... 118Configuring IP Manager using CLI................................................................................................... 121Configuring password security using CLI......................................................................................... 123Configuring Avaya Secure Network Access Options........................................................................ 125Displaying CLI Audit log using CLI................................................................................................... 125Enabling Audit Log Save Settings.................................................................................................... 126Configuring Secure Socket Layer services using CLI...................................................................... 126Configuring Secure Shell protocol using CLI.................................................................................... 128

Configuring VLANs and Link Aggregation................................................................................................ 133Configuring VLANs using CLI........................................................................................................... 134Configuring STP using CLI............................................................................................................... 146Configuring MLT using CLI............................................................................................................... 157Configuring LACP and VLACP using CLI......................................................................................... 160

Configuring IP routing............................................................................................................................... 169IP routing configuration using CLI.................................................................................................... 169Static route configuration using CLI................................................................................................. 176DHCP relay configuration using CLI................................................................................................. 179Directed broadcasts configuration using CLI.................................................................................... 185Static ARP and Proxy ARP configuration using CLI ......................................................................... 186IGMP snooping configuration using CLI........................................................................................... 190

Configuring Access Lists........................................................................................................................... 206Assigning ports to an access list...................................................................................................... 206Removing an access list assignment............................................................................................... 207Creating an IP access list................................................................................................................. 207Removing an IP access list.............................................................................................................. 208Creating a Layer 2 access list.......................................................................................................... 209Removing a Layer 2 access list........................................................................................................ 210

Configuring Elements, Classifiers, and Classifier Blocks.......................................................................... 210Configuring IP classifier element entries.......................................................................................... 211Viewing IP classifier entries.............................................................................................................. 212Removing IP classifier entries.......................................................................................................... 212Adding Layer 2 elements.................................................................................................................. 213Viewing Layer 2 elements................................................................................................................ 214Removing Layer 2 elements............................................................................................................. 214

4 Avaya WLAN 8100 WC 8180 CLI Reference August 2011

Linking IP and L2 classifier elements............................................................................................... 215Removing classifier entries.............................................................................................................. 215Combining individual classifiers....................................................................................................... 216Removing classifier block entries..................................................................................................... 217

Configuring wired Quality of Service......................................................................................................... 217Displaying QoS Parameters............................................................................................................. 218Displaying QoS capability policy configuration................................................................................. 222QoS Agent configuration.................................................................................................................. 223Configuring Default Buffering Capabilities........................................................................................ 225Configuring the CoS-to-Queue Assignments................................................................................... 226Configuring QoS Interface Groups................................................................................................... 227Configuring DSCP and 802.1p and Queue Associations................................................................. 229Configuring QoS system-element.................................................................................................... 232Configuring QoS Actions.................................................................................................................. 234Configuring QoS Interface Action Extensions.................................................................................. 236Configuring QoS Meters................................................................................................................... 237Configuring QoS Interface Shaper................................................................................................... 239Configuring QoS Policies................................................................................................................. 240QoS Generic Filter set configuration................................................................................................ 242Configuring User Based Policies...................................................................................................... 244Maintaining the QoS Agent.............................................................................................................. 247Configuring DoS Attack Prevention Package................................................................................... 251

Configuring Serviceability.......................................................................................................................... 253Configuring RMON with the CLI....................................................................................................... 253Configuring IPFIX using CLI............................................................................................................. 259

Configuring diagnostics and graphing....................................................................................................... 263System diagnostics and statistics using CLI.................................................................................... 263Network monitoring configuration using CLI..................................................................................... 267


6 Avaya WLAN 8100 WC 8180 CLI Reference August 2011

Chapter 1: Command Line Interfaceworkflows

The following section provides workflows for commonly used Command Line Interface procedures. Thissection contains the following topics:

• Basic controller configuration on page 7

• Enabling traps and logs on page 8

• Displaying system logs on page 9

• Troubleshooting client-related issues on page 9

• Troubleshooting AP-related issues on page 11

• Troubleshooting Layer 2 and Layer 3 issues on page 12

Basic controller configurationAbout this taskPerform the following procedure to place a basic configuration on a WC 8180 device:

Procedure

1. Log into the controller. If this is the first time accessing the device, connect a consolecable and start a terminal session using the guidelines provided in thedocumentation.

2. Press CTRL + Y on the keyboard to enter the CLI.

3. Enter Privileged mode using the enable command.

4. Enter General Configuration mode using the configure terminal command.

5. Specify the system IP address, subnet mask, and default gateway using the ipaddress command. This command has the following syntax:ip address <ip_address> netmask <subnet_mask> default-gateway<default_gateway>

6. Enable SNMP services using the command snmp-server enable.

7. Disable SNMP user lists using the command no ipmgr snmp.

8. Enable IP routing capabilities using the ip routing command.


9. Enter Wireless Configuration mode using the wireless command.

10. Specify the wireless IP address using the command interface-ip<ip_address> command.

11. Enable wireless capabilities using the enable command.

12. Enable MDC capability using the controller mdc-capable.

13. Enter the domain password at the prompt.

Enabling traps and logsAbout this taskPerform the following procedure to enable SNMP trap and logging functionality.

Procedure

1. Log into the controller.

2. Press CTRL + Y on the keyboard to enter the console menu.

3. Select Command Line Interface from the menu.

4. Type the enable command to enter Privileged mode.

5. Type the configure terminal command to enter Configuration mode.

6. Set the logging level using the command logging level {critical |informational | serious | none}.

7. Enable logging using the command logging enable.

8. Set the remote logging level using the command logging remote level{critical | informational | serious | none}.

9. Set the IP address of the remote log server using the command logging remoteaddress <ip_address>.

10. Enable remote logging using the command logging remote enable.

11. Enable individual SNMP traps using the command snmp-servernotification-control <snmp_trap>. For a list of available SNMP traps usethe command show snmp-server notification-control. Repeat this stepfor all traps that must be enabled.

12. Set the IP address of the SNMP server using the command snmp-server host<ip_address>.

Command Line Interface workflows



Displaying system logsAbout this taskPerform the following procedure to display system logs.

Procedure





5. Use the command show logging system to display logs concerning Layer 2and Layer 3 operations.

6. Use the command show logging wireless-controller volatile todisplay logs concerning controller operation.

Troubleshooting client-related issuesAbout this taskPerform the following procedure to troubleshoot client-related issues.

Procedure





5. Use the command show wireless ap status to view the overall status of allregistered access points.

6. Use the command show wireless ap status <ap_mac_address> detailto view detailed information about individual access points.

7. Use the command show wireless ap-profile network to view informationabout the correlation between network and AP profiles.

Displaying system logs


8. Use the command show wireless network-profile <profile_number>detail to view detailed information about a network profile.

9. Use the command show wireless switch vlan-map to view informationabout the correlation between wired and wireless VLANs.

10. Use the command show wireless security {mac-db | radius | user-db | wids-wips} to display information about wireless security settings.

11. Use the command show wireless client status to display information aboutthe current status of wireless clients.

12. Use the command show wireless radio TSpec <radio number> to displayinformation about overall system usage, the number of associated stations, themeasured channel utilization percentage, and the total available admission capacityin units of mediumTime.




Troubleshooting AP-related issuesAbout this taskPerform the following procedure to troubleshoot AP-related issues.

Procedure





5. Use the command show wireless to view the overall status of the wirelesssystem.

6. Use the command show wireless domain ap database to view informationabout the access points configured for the wireless domain.

7. Use the command show wireless domain ap discovered to view anyaccess points that have been discovered. Access points listed here need to beadded to main access point database to be used by the domain.

8. Use the command show wireless ap status to display all of the access pointsthat are part of the wireless domain and under which controller it falls.

9. Use the command show wireless ap status detail command to displaydetailed information about each AP that is part of the wireless domain.

10. Use the command show wireless controller status to determine thecurrent status of the wireless controller. This command should indicate the controlleris either the Active or Backup MDC.

Troubleshooting AP-related issues


11. Use the command show wireless ap radio TSpec-statusto displayAvailable Admission Capacity on a per User Priority or per Access Category basisinformation in Beacon and Probe Response messages.

12. Use the command show wireless client tspec-status to display thecurrent TSPEC inactivity level.

Troubleshooting Layer 2 and Layer 3 issuesAbout this taskPerform the following procedure to troubleshoot Layer 2 and 3 issues.

Procedure



3. Select IP Configuration/Setup from the console menu to check the controller IPconfiguration.

4. Press CTRL + R to return to the console menu.

5. Select SNMP Configuration from the console menu to check the controller SNMPconfiguration.


7. Select Switch Configuration from the console menu.




8. Use the options in this menu to track the various aspects of switch configuration.


10. Select Spanning Tree Configuration from the console menu.

11. Use the options in this menu to track the various aspects of the spanning treeconfiguration.




15. Use the command show ip to view the IP address configuration.

16. Use the command ping <ip_address> to ping another device on the network.

17. Use the command show wireless to view the overall status of the wirelesssystem.

Troubleshooting Layer 2 and Layer 3 issues





Chapter 2: Command Line InterfaceConfiguration

The following sections provide information and procedures for the configuration of the WLAN Controller8180 (WC 8180).

Configuring WLAN optionsAbout this taskThis section describes the procedures for the management and configuration of WLANController 8180 (WC 8180) wireless options.

Navigation

• Managing wireless communications on page 15• Configuring wireless communications on page 22

Managing wireless communicationsThe procedures in this section are used for the management of the various aspects of wirelesscommunications.

Navigation

• Managing AP operations on page 16

• Managing automatic radio frequency operations on page 17

• Managing portals on page 17

• Managing clients on page 21

• Managing wireless controller actions on page 21

• Managing wireless domains on page 22


Managing AP operations

About this taskUse the following procedure to manage access point operations

Procedure

1. Enter Privileged mode of the CLI.

2. Use the command wireless ap channel <ap_mac_address><radio_interface> <channel_number> to manage access point channeloptions.

3. Use the command wireless ap image-update <ap_mac_address> toupdate the access point's software image.

4. Use the command wireless ap power <ap_mac_address><radio_interface> <power_percentage> to adjust the access point radiotransmit power.

5. Use the command wireless ap reset to reset a managed access point.

6. Use the command wireless radio-profile clone<source_profile_id> <target_profile_id> to clone an existing radioprofile to the targeted radio profile.

7. Use the command wireless ap tech-dump <ap_mac_address><tftp_ip_address> filename <file_name> to save the current APconfiguration information to the specified TFTP server.

8. Use the command wireless radio-profile tspec X detail to configurethe TSPEC inactivity timeout interval. Default is 30 seconds. 1 second up to 10minutes is recommended as a reasonable range.

Displaying AP related information

Use the following commands to display information about AP hardware, model details, antennatypes and extension cable length.

Procedure

1. Use the command show wireless domain ap hardware to display thehardware capability of all supported APs.

2. Use the command show wireless domain ap database ap-model{ap8120 | ap8120-E | ap8120-O} to display the AP database entries with aspecific AP model.

Command Line Interface Configuration



3. Use the command show wireless domain ap discovered ap-model{ap8120| ap8120-E | ap8120-O} to display the discovered AP entries with aspecific AP model.

4. Use the command show wireless ap model {ap8120 | ap8120-E |ap8120-O} to display the list of managed APs with a specific AP model.

5. Use the command show wireless domain ap database [ap-mac]detail to display configured values for antenna type and extension cable lengthfor each radio of AP entries.

Managing automatic radio frequency operations

About this taskThis following procedure is used to manage automatic radio frequency functionality.

Procedure


2. Use the command wireless auto-rf channel-plan {a-n | b/g-n}start to run the channel adjustment algorithm.

3. Use the command wireless auto-rf channel-plan {a-n | b/g-n}apply to apply the proposed channel adjustment plan.

4. Use the command wireless auto-rf power-plan start to run the powerplanning algorithm.

5. Use the command wireless auto-rf power-plan apply to apply theproposed power plan.

Managing portals

About this taskThe following procedure is used to manage captive portals.

Configuring WLAN options


Procedure


2. Use the command wireless captive-portal certificate-generate togenerate HTTPS certificates.

3. Use the command wireless captive-portal client-deauthenticate<client_mac_address> to revoke authentication from a client.

Configuring captive portal profiles

The captive-portal IP address is used only for the captive-portal user access. All captive-portaluser clients send HTTP/HTTPS GET requests to this IP address which are then mapped tothe web host name internally. The WC8180 system provides a way to protect the wirelesssystem IP address from guest user access. The captive-portal IP should exist physically in oneof the WC8120 domain controllers.

One captive-portal profile can have two captive-portal IP addresses and the client HTTP/HTTPS GET requests are load-balanced based on the client MAC address.

Procedure

1. In Global Configuration Command mode, use the command WC8180(config)#interface vlan <1–4054> to create an IP interface on the L3 interfacemenu.

2. Use the command WC8180(config-if)# ip address <A.B.C.D> to set the IPaddress.

3. Enter Wireless Configuration mode of the CLI.

4. Use the command, WC8180(config-wireless)# captive-portal profile<ID> to configure a captive profile id. Use a profile id, for example profile 2.

5. Use the configuration captive profile command, WC8180(config-cp-profile)# ip <ip-address> to configure a captive portal IP interface. Use the command, no ip< ip-address> to remove the captive portal ip address.

6. Use the command, WC8180(config-cp-profile)# show wireless captive-portal profile <ID> detail to show details of the captive portal profile.

Redirecting the URL for captive portals

The redirect command is used in captive-portal POST authentication to specify the URL toredirect the user requests after the captive-portal authentication. By default, the displays the




default captive-portal welcome page. You can apply the redirect command in the followingcases:

• If the redirect is enabled but no redirect-url is configured. In this case, the user requestsare redirected to the initial requested URL.

• If the redirect is enabled and redirect-url configured, the user requests are redirected tothe configured “redirect-url” page. It can be a corporate portal, guest portal and any kindof Web page that is reachable from the wireless clients.

• If the redirect is disabled, then after user authentication the default welcome pagedisplays.

Use the following commands to redirect the URL

1. Enter captive portal configuration in the CLI.

2. Use the command redirect to enable redirection

3. Use the command redirect-url <url> to redirect the URL.

4. Use the command no redirect to disable redirection.

5. Use the command default redirect-url to reset the redirect-url to the defaultvalue.

Configuring the Web-hostname in captive portals

Your can configure the Web-hostname to hide the captive-portal IP address from the captive-portal users to restrict user accesses to the WC 8180 system.

The default web-hostname is <random-string>.cp-login.com. You cannot change the“hostname” section in the DNS name.

1. Enter the captive portal configuration in the CLI.

2. Use the captive-portal profile <ID> command to go to the captive portalprofile.

3. Use the web-hostname <avaya-guest.com> command to change the web-hostname.

4. Use the default web-hostname command to reset the web-hostname to thedefault value.



Customizing Portals

Administrators can customize the “captive-portal.html” for logon, logon error, and refreshpages. After the Administrator provides the zip file for the customization, the user cancustomize html files and images and to replace existing templates to the users.

About this taskUse the following instructions to customize captive portals:

WC8180(config)#wirelessWC8180(config-wireless)#capWC8180(config-wireless)#captive-portal profile 1Entering captive-portal-profile (id = 1) ...WC8180(config-cp-profile)#localeWC8180(config-cp-locale)#?Captive Portal Locale Configuration Commandscode : Set locale code(browser preferred language)custom: Set customization Modecustom-file: Set customization package filedefault: Set captive portal parameters to default settingsend: End configuration modeerror-msg: Configure captive portal locale error messageexit: Exit out of locale configuration modefont-list: Set captive-portal HTML page fontimage: Configure captive portal locale image nameSet locale link text for user identification.login-msg: Configure captive portal locale login messagelogout-msg: Configure captive portal locale logout messagepopup-msg: Set text to remind user to allow popups from our web site-msg: Set text to notify user if their browser has javascript disabledsuccess-msg: Configure captive portal locale logout success messagewelcome-msg: Configure captive portal locale welcome messagewip-msg: Set message indicating authentication in progress




WC8180(config-cp-locale)#

Managing clients

About this taskThis procedure is used to manage clients.

Procedure


2. Use the command wireless client disassociate<client_mac_address> to remove a client from an access point.

Managing wireless controller actions

About this taskThe following procedure is used to manage wireless controller actions.

Procedure


2. Use the command wireless controller ap image-update start toupdate the software image of all controlled access points. This action can bestopped at any time with the wireless controller ap image-update stopcommand.

3. Use the command wireless controller ap reset to reset all controlledaccess points.

4. Use the command wireless controller config-sync to synchronizeconfigurations with other controllers in the domain.

5. Use the command wireless controller join-domain domain-name<domain_name> mdc-address <ip_address> to join a domain.

6. Use the command wireless controller leave-domain to remove acontroller from its current domain.

7. Use the command wireless peer-controller ap image-update<ip_address> start to update the images of all controlled access points on apeer controller. This action can be stopped at any time using the commandwireless peer-controller ap image-update <ip_address> stop.



Managing wireless domains

About this taskThis procedure is used to manage wireless domains.

Procedure


2. Use the command wireless domain ap image-update start to update thesoftware image of all access points in a domain. This action can be stopped at anytime using the command wireless domain ap image-update stop.

3. Use the command wireless domain ap rebalance start to rebalance theaccess point distribution among all of the domain controllers. This action can bestopped at any time using the command wireless domain ap rebalancestop.

4. Use the command wireless domain ap redistribute start to rebalancethe access point distribution to their preferred domain controllers. This action canbe stopped at any time using the command wireless domain apredistribute stop.

5. Use the command wireless domain ap reset to reset all domain accesspoints.

6. Use the command wireless domain discovered-ap <ap_mac_address>{approve | discard} to take action on a discovered access point.

7. Use the command wireless domain purge-controller<controller_ip_address> to purge a controller from a domain.

8. Use the command wireless domain purge-stale-controllers to purgeall stale controllers from the domain.

Configuring wireless communicationsAbout this taskThe procedures in this section are used for the configuraton of the various aspects of wirelesscommunications.

Navigation

• Configuring general controller options on page 23• Configuring wireless profiles on page 25




• Configuring automatic radio frequency options on page 28• Configuring captive portals on page 28• Configuring domain options on page 29• Configuring wireless security on page 31

Configuring general controller options

About this taskThe following procedure is used to configure general wireless controller options.

Procedure


2. Use the command controller mdc-capable to mark a controller as availableto be a Mobility Domain Controller.

3. Use the command interface-ip <ip_address> to set the wireless systeminterface IP address.

4. Use the command tcp-udp-base-port <49152 - 64983> to set the wirelesssystem base port.

5. Use the command diffserv classifierblock <block_name> to configurea classifier block for the controller.This command has the options listed in the following table.

Command Option Descriptiondiffservclassifierblock<block_name>

match all Match all packets.

match cos Match CoS.

match ds-field Match IP DSCP.

match dst-ip Match destination IPaddress.

match dst-mac Match destination MACaddress.

match dstport Match destination Layer 4port.

match ethertype Match Ethernet Type.

match precedence Match IP precedence.

match protocol Match IP protocol.

match src-ip Match source IPaddress.



Command Option Descriptionmatch src-mac Match source MAC

address.

match srcport Match source Layer 4port

match tos Match ToS.

end End Classifier Block.

exit Exit Classifier Block.

6. Use the command diffserv policy <policy_name> to configure a policy forthe controller.This command has the options listed in the following table.

Command Option Descriptiondiffserv policy<policy_name>

allow Allow packets.

drop Drop packets.

remark-cos Remark CoS.

remark-dscp Remark DSCP.

remark-precedence

Remark precedence.

7. Use the command switch vlan-map <mobility_vlan_name> l3-mobility server to set the mobility role to server.

8. Use the command switch vlan-map <mobility_vlan_name> l3-mobility none to set the mobility role to none.

9. Use the command switch vlan-map <mobility_vlan_name> lvid <1 -4094> to set the local VLAN ID.

10. Use the command switch vlan-map <mobility_vlan_name> track<port_list> to track a set of ports.

11. Use the command switch vlan-map <mobility_vlan_name> weight <1- 7> to set the VLAN server preference.

12. Use the command enable to enable wireless operations on the device.




Configuring wireless profiles

About this taskThe following procedure is used to configure wireless profiles.

Procedure


2. Use the command ap-profile <1 - 32> to create an access point profile.

3. Use the command network-profile <1 - 64> to create a network profile.This command has the options listed in the following table.

Command Option Descriptionnetwork profile<1 — 64>

arp-suppression Enable wireless ARPsuppression.

captive-portal Configure captive portalmapping.

client-qos Configure client QoSsettings.

cos2wmm WMM values for CoSsettings.

default Set default networkprofile settings.

dot1x Configure 802.1xparameters.

end End configuration.

exit Exit configuration.

hide-ssid Enable SSID hiding innetwork beacons.

mac-validation Enable clientauthentication throughclient MAC addresses.

mobility-vlan Configure the defaultmobility VLAN.

probe-response Enable response tobroadcast probe request.

profile-name Configure the networkprofile name.



Command Option Descriptionradius Configure RADIUS

related parameters.

security-mode Configure the securitymode.

ssid Configure the networkSSID.

user-group Configure the local usergroup.

user-validation Configure user validationmethod if captive portal isenabled.

wep Configure WEP-relatedparameters.

wmm2cos CoS mapping for WMM.

wpa2 Configure WPA2settings.

4. Use the command radio-profile <1 - 64> to create a radio profile.This command has the options listed in the following table.

Command Options Descriptionradio-profile <1— 64>

apsd Enable auto powersavedelivery mode.

beacon-interval Set the beacon interval.

channel Configure radio channelsettings.

data-rates Configure basic/supported data rates.

default Set default profileparameters.

dot11–mode Configure the physicalmode of the radio.

dot11n Set the 802.11nconfiguration.

dot11n-protection-mode

Configure the 802.11nprotection mode.

dtim-period Configure the DeliveryTraffic Indication Map.




Command Options Descriptionend End configuration.

exit Exit configuration.

fragmentation-threshold

Configure packetfragmentation threshold.

incorrect-frame-no-ack

Enable No-Ack forincorrectly receivedframes on radio.

load-balance Configure load balancingparameters.

max-clients Configure the maximumnumber of simultaneousclients.

multicast-tx-rate

Configure the multicasttransfer rate.

no Disable the radio profile.

power Configure the radiopower settings.

profile-name Set the radio profilename.

qos Configure radio QoSqueues.

rate-limit Configure the broadcastand multicast rates.

rf-scan Configure the RF scanmode parameters.

rrm Enable Radio ResourceMeasurement.

rts-threshold Configure the thresholdbelow which MPDU RTS/CTS is not performed.

station-isolation

Enable station isolation.

tspec Configure TSPECsettings.

wmm-mode Enable WMM mode.



5. Use the command captive-portal profile <1 - 10> to create a captiveportal profile.

Configuring automatic radio frequency options

About this taskThis procedure is used to configure automatic radio frequency options

Procedure


2. Use the command auto-rf channel-plan {a-n | bg-n} history-depth<0 - 10> to set the number of saved historical channel plans.

3. Use the command auto-rf channel-plan {a-n | bg-n} interval <6 -24> to set the channel adjustment interval in hours.

4. Use the command auto-rf channel-plan {a-n | bg-n} mode{interval | manual | time} to set the channel adjustment mode.

5. Use the command auto-rf channel-plan {a-n | bg-n} time <hh:mm>to set the time of day to perform channel adjustment.

6. Use the command auto-rf power-plan interval <15 - 1440> to set thepower adjustment interval in minutes.

7. Use the command auto-rf power-plan {interval | manual} to set thepower adjustment mode.

Configuring captive portals

About this taskThe following procedure is used to configure the default captive portal.

Procedure


2. Use the command captive-portal auth-timeout <60 - 600> to set theauthentication timeout value in seconds.

3. Use the command captive-portal http-port <0 - 65535> to configurethe captive portal HTTP port.




4. Use the command captive-portal https-portal <0 - 65535> toconfigure the captive portal HTTPS port.

5. Use the command captive-portal stats-report-interval <15 -3600> to configure the statistics reporting interval in seconds.

6. Use the command captive portal profile <profile_number> block toblock profile traffic.

7. Use the command captive portal profile <profile_number> idle-timeout to set the session idle timeout value.

8. Use the command captive portal profile <profile_number> localeto set the captive portal locale settings.

9. Use the command captive portal profile <profile_number> max-bandwidth to configure the maximum transmit and receive bandwidth limits.

10. Use the command captive portal profile <profile_number> max-octets to configure the maximum session octets.

11. Use the command captive portal profile <profile_number>profile-name to set the profile name.

12. Use the command captive portal profile <profile_number>protocol-mode to the protocol mode.

13. Use the command captive portal profile <profile_number>session-timeout to set the session timeout value.

14. Use the command captive portal profile <profile_number> user-logout to enable user logout.

15. Use the command captive-portal enable to enable the captive portal.

Configuring domain options

About this taskThe following procedure is used to configure domain options.

Procedure


2. Use the command domain ap-client-qos to enable access point QoSoperations for clients.

3. Use the command domain auto-promote-discovered-ap to enable autopromotion of discovered access points.



4. Use the command domain client-roam-agetime <1 - 120> to configurethe client roaming timeout value in seconds.

5. Use the command domain country-code <country_code> to configure acode for domain operation.

Note:When creating an AP profile, specify a country code or use the default ‘primary’country code of the domain. To change a country code after a profile has beencreated you must delete the AP profile and create a new profile. Multiple-countrydomain names support a maximum of 32 countries.

6. Use the command domain tspec-violation-report-interval <0 -900> to configure the reporting interval in seconds.

7. Use the command domain ap image-update download-group-size <1 -100> to configure the percentage of access points forming a group.

8. Use the command domain ap image-update external-download todownload an image from an external web server.

9. Use the command domain ap image-update model <ap8120> version<1.0.0.0> filename <path/filename> server-ip <ip_addr>server-port <portnum> to configure the model, version number of the APimage, filename including http server path, server-ip address, and server portnumber.

10. Use the command domain ap lb-metric {least-load | local-CBF |local-CBFS | roundrobin} to set the domain load balancing metric.

11. Use the command domain ap reset-group-size <1 - 100> to configurethe percentage of access points in the domain that will be reset.

12. Use the command domain ap <ap_mac> alternate-controller toconfigure an alternate wireless controller.

13. Use the command domain ap <ap_mac> label to configure the AP label.

14. Use the command domain ap <ap_mac> location to configure the APlocation.

15. Use the command domain ap model {ap8120 | ap8120-E | ap8120-O}to configure the AP model.

16. Use the command domain ap <ap_mac> preferred-controller toconfigure the preferred AP controller.

17. Use the command domain ap <ap_mac> profile-id to assign the appropriateAP profile ID.

18. Use the command domain ap <ap_mac> radio to configure the AP radio.

19. Use the command domain ap <ap_mac> serial to configure the AP serialnumber.




20. Use the command domain mobility-vlan <vlan_name> to create a newmobility VLAN.

21. Use the command domain e911 address <ip_address> enable to enablethe E911 server.

22. Use the command domain ap radio <radio-id> antenna {70-degree |180-degree} to specify a type of an external antenna attached to an AP radio.

23. Use the command domain ap default radio [<radio-id> [antenna]]to restore the antenna the default.

24. Use the command domain ap radio <radio-id> ext-cable {3-ft |10-ft} to specify the length of an extension cable used to attach an externalantenna.

25. Use the command domain ap default radio [<radio-id> [ext-cable]] to restore the default value (3-ft) of an extension cable.

Configuring wireless security

About this taskThe following procedure is used to configure wireless security options.

Procedure


2. Use the command security to enter Security Configuration mode.

3. Use the command mac-db blacklist <mac_address> to add a device to theMAC address black list.

4. Use the command mac-db whitelist <mac_address> to add a device to theMAC address white list.

5. Use the command user-db group <group_name> to create a new userdatabase group.

6. Use the following commands to create a new user database entry:user-db user-name <member_name> start-date <yyyy-mm-dd>user-db user-name <member_name> end-date <yyyy-mm-dd>user-db user-name <member_name> idle-timeout <0 - 900>user-db user-name <member_name> max-bandwidth-down<down_bps>user-db user-name <member_name> max-bandwidth-up <up_bps>user-db user-name <member_name> max-input-octets <octets>



user-db user-name <member_name> max-output-octets <octets>user-db user-name <member_name> max-total-octets <octets>user-db user-name <member_name> password <password>user-db user-name <member_name> session-timeout<timeout_value>

7. Use the command user-db membership <member_name> <group_name> toadd a member to an existing group.

8. Use the following commands to configure Wireless Intrusion Detection (WIDS)timeout settings:wids ageout adhoc-clients <0 - 10080>wids ageout ap-failure <0 - 10080>wids ageout detected-clients <0 - 10080>wids ageout rf-scan <0 - 10080>

9. Use the following commands to configure WIDS known access point settings:wids known-ap <mac_address> channel <0 - 216>wids known-ap <mac_address> security {any | open | wep | wpa}wids known-ap <mac_address> ssid <ssid_string>wids known-ap <mac_address> type {known-foreign | local-enterprise | other}wids known-ap <mac_address> wds-mode {any | bridge | normal}wids known-ap <mac_address> wired-mode {allowed | not-allowed}

10. Use the following commands to configure WIDS rogue access point settings:wids rogue-ap ack {all | rogue_mac_address}wids rogue-ap trap-interval <60 - 3600>wids rogue-ap wired-detection-interval <1 - 3600>

11. Use the command wips mitigation ap-threat to enable access threatmitigation.

12. Use the command wips mitigation client-threat to enable client threatmitigation.

13. Use the command radius server-retries to configure RADIUS serverretries.

14. Use the command radius server-timeout to configure the RADIUS servertimeout.




15. Use the command radius profile to configure global RADIUS profiles.

16. Use the command radius server to configure global RADIUS servers.

Configuring Wireless Multi-Media (WMM) in radio-profiles using Tspecsettings

Voice and Video access categories provide a higher priority access to the wireless mediumthan Best Effort or Background access categories. The TSPEC/ Call Admission Control (CAC)provides controlled access to the wireless medium for Voice and Video access categories.Clients must obtain permission from the AP before using the Voice and Video categories. TheAP provides permission, in the form of a Tspec, that defines the amount of air time (mediumtime) a client can use. WMM allows used data to be sent over the air using the four followingAccess Categories: Voice, Video, Best Effort and Background.

Procedure

1. Enter wireless config mode in the CL.I

2. Enable Wireless Multi-Media in radio-profiles.WC8180>enableWC8180# configure terminalWC8180(config)# wirelessWC8180(config-wireless)# radio-profile 1Entering radio-profile (id = 1) configuration mode...WC8180(config-radio-profile)# wmm-mode

3. Enable Tspec in radio-profiles and set the percentages of medium time limitsreserved for Voice, Video, Shared and Roam access categories as suggested inthe following example. Do not allocate 10% to allow for Best Effort andBackground.

Note:Ensure that the total of these four allocations do not exceed 100%. When thetotal is less than 100%, a portion of the total medium time can be made availablefor Best Effort and Background traffic. Allocating 100% to only the four categoriescan impede access to air time for Best Effort and Background traffic when thereis a high load of voice/video traffic.

WC8180>enableWC8180# configure terminalWC8180(config)# wirelessWC8180(config-wireless)# radio-profile 1



Entering radio-profile (id = 1) configuration mode...WC8180(config-radio-profile)# tspec acm-limit voice 25 video 15 shared 40 roam-reserve 10Adjustment to these settings can be made based on the specific needs of adeployment. For example, if the APs are deployed in a scenario where video is notan important service then the Voice category should be increased and the Videoand Shared categories decreased.

4. Enable Tspec and Access Control Mandatory (ACM) voice and video acm-modesto force permission from the APs when clients are sending data using the voice orvideo access categories.WC8180>enableWC8180# configure terminalWC8180(config)# wirelessWC8180(config-wireless)# radio-profile 1Entering radio-profile (id = 1) configuration mode...WC8180(config-radio-profile)# tspec acm-mode voiceWC8180(config-radio-profile)# tspec acm-mode videoWC8180(config-radio-profile)# tspec enable

Note:Proper operation of Access Category based Call Admission Control dependsupon standard compliant clients that support Traffic Streams.

Clients that support Wireless Multi-Media (WMM) access categories but do notsupport Tspec will not use the Voice or Video access categories if thecorresponding acm-mode is set. To support a large number of clients of this type,it is recommended that you disable the acm-mode for Video. This allows theseclients to access the video access category which provides higher priority thanBest Effort or Background, while still allowing fully Tspec compliant clientsexclusive access to the voice access category. If the acm-mode is enabled forVideo as well, then these clients are forced to use the Best Effort accesscategory.

Clients that neither support Tspec nor obey the ACM bits (NOTE: these stationsare not WMM compliant or Wi-Fi Alliance Certified), attempt to send AC_VO and/or AC_VI traffic even though the ACM bits for these access categories areenabled and they have no valid Traffic Stream. In this case the client will attemptto send voice and video traffic using the admission controlled access categorieswithout first having obtained permission from the AP. Of course the AP will neversend data to the clients using a non-existant Tspec, but the client may stillincorrectly use an access category it does not have permission to use for clientto AP transmissions. The AP maintains statistics on these Tspec violations andif they persist an SNMP trap is rasied.




Configuring system optionsAbout this taskThis section describes the system configuration procedures for the WLAN Controller 8180 (WC8180).

General switch administrationAbout this taskThis section outlines the Command Line Interface commands used in general switchadministration. It contains information about the following topics:

• Multiple switch configurations on page 35• Configuring Asset-ID on page 36• Assigning and clearing IP addresses on page 37• Enabling Audit Log Save Settings on page 126• Displaying interfaces on page 39• Configuring Interface Options on page 40• Enabling Jumbo Frames on page 40• Configuring the EDM Help File Path on page 40• Configuring the HTTP Port on page 41• Setting port speed on page 41• Testing cables with the Time Domain Reflectometer on page 43• Enabling Autotopology on page 44• Enabling rate-limiting on page 47• Using Simple Network Time Protocol on page 49• Real time clock configuration on page 52• Custom Autonegotiation Advertisements on page 54• Connecting to another switch on page 55• Domain Name Server (DNS) Configuration on page 57

Multiple switch configurations

About this taskThe following CLI commands are used to configure and use multiple switch configuration:

Configuring system options


show nvram block command This command shows the configurations currently stored on theswitch. The syntax for this command is: show nvram blockThis command is executed in the Global Configuration command mode.

copy config nvram block command This command copies the current configuration to one ofthe flash memory spots. The syntax for this command is: copy config nvram block<1-2> name <block_name>The following table outlines the parameters for this command.

Table 1: copy config nvram block parameters

Parameter Descriptionblock <1-2> The flash memory location to store the configuration.

name <block_name> The name to attach to this block. Names can be up to40 characters in length with no spaces.

This command is executed in the Global Configuration command mode.

copy nvram config block command This command copies the configuration stored in flashmemory at the specified location and makes it the active configuration. The syntax for thiscommand is: copy nvram config block <1-2>Substitute <1-2> with the configuration file to load.

This command causes the switch to reset so that the new configuration can be loaded.


Configuring Asset-ID

About this taskUse the following procedure to configure unit and stack asset-ID

Procedure


2. Enter Configuration mode by entering the config command.

3. Use the command asset-id to configure asset ID options.

4. Use the command asset-id <WORD> to assign an asset-ID to the current unit.

5. Use the command asset- id stack <WORD> to assign an asset-ID of a stack.

6. Use the command asset- id unit <WORD> to assign an asset-ID of a specificunit in a stack.




Assigning and clearing IP addresses

You can assign, clear, and view IP addresses and gateway addresses with CLI. The commandsdiscussed in this section are used to perform these tasks.

Note:Users should not change the Wireless System IP address of the controller after the controllerjoins a domain. Do the following if a change is required after the controller joins a domain:

1. Remove the controller from the mobility domain.2. Disable wireless operations.3. Change the IP address.4. Join the controller to the domain.

ip address commandThe ip address command sets the IP address and subnet mask for the switch.

The syntax for the ip address command is: ip address <A.B.C.D> [netmask<A.B.C.D>] [default-gateway <A.B.C.D.DX>]The ip address command is executed in the Global Configuration command mode.

The following table describes the parameters for the ip address command.

Table 2: ip address parameters

Parameters DescriptionA.B.C.D Denotes the IP address in dotted-decimal notation; netmask

is optional.

netmask Signifies the IP subnet mask.

Default Gateway A.B.C.D Displays the IP address of the default gateway. Enter the IPaddress of the default IP gateway.

Note: When the IP address or subnet mask is changed, connectivity to Telnet and the Webcan be lost.

ip address source commandIf you want to automatically obtain an IP address, subnet mask and default gateway, you canuse the ip address command with the source parameter. When you use DHCP, the switch canalso obtain up to three DNS server IP addresses.

The syntax for the ip address source command is: ip address source {bootp-always | bootp-last-address | bootp-when-needed | configured-address| dhcp-always | dhcp-last-address | dhcp-when-needed}Execute the ip address source command in the Global Configuration command mode.

The following table describes the variables for the ip address source command:



Table 3: ip address source command parameters

Parameter Descriptionbootp-always Always use the bootp server.

bootp-last-address Use the last bootp server.

bootp-when-needed Use bootp server when needed.

dhcp-always Always use the DHCP server.

dhcp-last-address Use the last DHCP server.

dhcp-when-needed Use DHCP client when needed.

no ip address commandThe no ip address command clears the IP address and subnet mask for a switch. Thiscommand sets the IP address and subnet mask for a switch to all zeros (0).

The syntax for the no ip address command is: no ip address switchThe no ip address command is executed in the Global Configuration command mode.

Note: When the IP address or subnet mask is changed, connectivity to Telnet and the WebInterface can be lost. Any new Telnet connection can be disabled and is required to connectto the serial console port to configure a new IP address.

ip default-gateway commandThe ip default-gateway command sets the default IP gateway address for a switch to use.

The syntax for the ip default-gateway command is: ip default-gateway <A.B.C.D>The ip default-gateway command is executed in the Global Configuration commandmode.

The following table describes the parameters for the ip default-gateway command.

Table 4: ip default-gateway command parameters

Parameters DescriptionA.B.C.D Enter the dotted-decimal IP address of the default IP gateway.

Note: When the IP gateway is changed, connectivity to Telnet and the Web Interface can belost.

show ip commandThe show ip command displays the IP configurations, BootP/DHCP mode, switch address,subnet mask, and gateway address. This command displays these parameters for what isconfigured, what is in use, and the last BootP/DHCP.

The syntax for the show ip command is: show ip [bootp] [dhcp] [default-gateway] [address]The show ip command is executed in the User EXEC command mode.




If you do not enter any parameters, this command displays all IP-related configurationinformation.

The following table describes the parameters for the show ip command.

Parameters Descriptionbootp Displays BootP/DHCP-related IP information. The

possibilities for status returned are:

• BootP Always

• Disabled

• BootP or Last Address

• BootP When Needed

• DHCP Always

• DHCP or Last Address

• DHCP When Needed

dhcp client lease Displays DHCP client lease information. Thecommand displays information about configured leasetime and lease time granted by the DHCP server.

default-gateway Displays the IP address of the default gateway.

address Displays the current IP address.

address source Displays the BootP or DHCP clientinformation.Assigning and clearing IP addresses forspecific units

• DHCP always

• DHCP when needed

• DHCP or last address

• Disabled

• BootP always

• BootP when needed

• BootP or last address

Displaying interfaces

The status of all interfaces on the switch can be viewed, including Multi-Link Trunkmembership, link status, autonegotiation and speed using the following command.

show interfaces commandThe show interfaces command displays the current configuration and status of allinterfaces.



The syntax for the show interfaces command is: show interfaces [names][<portlist>]The show interfaces command is executed in the User EXEC command mode.

Table 5: show interfaces command parameters

Parameters Descriptionnames <portlist> Displays the interface names; enter specific ports if you

want to see only those.

Configuring Interface Options

About this taskUse the following procedure to configure Fast Ethernet and Layer 3 IP VLAN options.

Procedure



3. Use the command interface FastEthernet <list of ports> to set thelist of ports to support Fast Ethernet.

4. Use the command interface vlan <1–4094> to assign the Layer 3 IP VLAN ID.

Enabling Jumbo Frames

About this taskUse the following procedure to enable Jumbo Frames

Procedure



3. Use the command jumbo-frames enable to enable Jumbo Frames.

Configuring the EDM Help File Path

About this taskUse the following procedure to change the location of EDM help files




Procedure



3. Use the command edm help-file-path <help-file-path> to set the EDMhelp file path.

Configuring the HTTP Port

About this taskUse the following procedure to configure the HTTP Port.

Procedure



3. Use the command http-port <1024–65535> to set the HTTP port.

Setting port speed

To set port speed and duplexing with CLI, refer to the following:

• speed command on page 41• default speed command on page 42• duplex command on page 42• default duplex command on page 43

speed commandThe speed command sets the speed of the port.

The syntax for the speed command is: speed [port <portlist>] {10 | 100 | 1000| auto}The speed command is executed in the Interface Configuration command mode.

The following table describes the parameters for the speed command.



Table 6: speed command parameters

Parameters Descriptionport <portlist> Specifies the port numbers for which to

configure the speed. Enter the port numbersyou want to configure.Note: If you omit this parameter, the systemuses the port number you specified in theinterface command.

10|100|1000|auto Sets speed to:

• 10—10Mb/s

• 100— 100 Mb/s

• 1000— 1000 Mb/s or 1GB/s

• auto— autonegotiation

Note: Enabling and disabling autonegotiation for speed also enables and disables it for duplexoperation.When you set the port speed for autonegotiation, ensure that the other side of thelink is also set for autonegotiation.

default speed commandThe default speed command sets the speed of the port to the factory default speed.

The syntax for the default speed command is: default speed [port <portlist>]The default speed command is executed in the Interface Configuration command mode.

The following table describes the parameters for this command.

Parameters Descriptionport <portlist> Specifies the port numbers to set the speed to factory

default. Enter the port numbers you want to set.Note: If you omit this parameter, the system uses theport number you specified in the interfacecommand.

duplex commandThe duplex command specifies the duplex operation for a port.

The syntax for the duplex command is: duplex [port <portlist>] {full | half| auto}The duplex command is executed in the Interface Configuration command mode.





Parameters Descriptionport <portlist> Specifies the port numbers for which to reset the

duplex mode to factory default values. Enter the portnumber you want to configure. The default value isautonegotiation.Note: If you omit this parameter, the system uses theports you specified in the interface command.

full | half | auto Sets duplex to:

• full— full-duplex mode

• half —half-duplex mode

• auto—autonegotiation

Note: Enabling/disabling autonegotiation for speed also enables/disables it for duplexoperation.When you set the duplex mode for autonegotiation, ensure that the other side of thelink is also set for autonegotiation.

default duplex commandThe default duplex command sets the duplex operation for a port to the factory defaultduplex value.

The syntax for the default duplex command is: default duplex [port<portlist>]The default duplex command is executed in the Interface Configuration commandmode.


Parameters Descriptionport <portlist> Specifies the port numbers to reset the duplex mode to

factory default values. Enter the port numbers you wantto configure. The default value is autonegotiation.Note: If you omit this parameter, the system uses theports you specified in the interface command.

Testing cables with the Time Domain Reflectometer

The WC 8180 is equipped with a Time Domain Reflectometer (TDR). The TDR provides adiagnostic capability to test connected cables for defects (such as short pin and pin open). Youcan obtain TDR test results from CLI or Device Manager.

The cable diagnostic tests only apply to Ethernet copper ports; fiber ports cannot be tested.

You can initiate a test on multiple ports at the same time.

When you test a cable with the TDR, if the cable has a 10/100 MB/s link, the link is brokenduring the test and restored only when the test is complete. If the cable has a 10/100 MB/s



link, the test results may be incomplete as the test does not test all of the pins in the connector.Use of the TDR does not affect 1 GB/s links.

See the Troubleshooting Guide (NN47251-700) for more information on troubleshooting cablesand for connector pin tables.

Note: The accuracy margin of cable length diagnosis is between three to five meters. Avayasuggests the shortest cable for length information be five meters long.

With the following CLI commands, you can initiate a TDR cable diagnostic test and obtain testreports.

• tdr test command on page 44• show tdr command on page 44

tdr test commandThe tdr test command initiates a TDR test on a port or ports.

The syntax for this command is: tdr test <portlist>where <portlist> specifies the ports to be tested.

The tdr test command is in the privExec command mode.

show tdr commandThe show tdr command displays the results of a TDR test.

The syntax for this command is: show tdr <portlist>where <portlist> specifies the ports for which to display the test results.

The show tdr command is in the privExec command mode.

Enabling Autotopology

About this taskThe Optivity Autotopology protocol can be configured with CLI.

To enable autotopology with CLI, refer to the following:

• autotopology command on page 44• no autotopology command on page 45• default autotopology command on page 45• show autotopology settings command on page 45• show autotopology nmm-table command on page 45

autotopology commandThe autotopology command enables the Autotopology protocol.

The syntax for the autotopology command is: autotopologyThe autotopology command is executed in the Global Configuration command mode.




no autotopology commandThe no autotopology command disables the Autotopology protocol.

The syntax for the no autotopology command is: no autotopologyThe no autotopology command is executed in the Global Configuration command mode.

default autotopology commandThe default autotopology command enables the Autotopology protocol.

The syntax for the default autotopology command is: default autotopologyThe default autotopology command is executed in the Global Configuration commandmode.

show autotopology settings commandThe show autotopology settings command displays the global autotopology settings.

The syntax for the show autotopology settings command is: show autotopologysettingsThe show autotopology settings command is executed in the Privileged EXECcommand mode.

show autotopology nmm-table commandThe show autotopology nmm-table command displays the Autotopology networkmanagement module (NMM) table.

The syntax for the show autotopology nmm-table command is: show autotopology nmm-tableThe show autotopology nmm-table command is executed in the Privileged EXECcommand mode.

Enabling flow control

About this taskGigabit Ethernet, when used with the WC 8180, can control traffic on this port using theflowcontrol command.

To enable flow control with CLI, refer to the following:

• flow control command on page 45• no flowcontrol command on page 46• default flowcontrol command on page 46

flow control commandThe flowcontrol command is used only on Gigabit Ethernet ports and controls the trafficrates during congestion.

The syntax for the flowcontrol command is: flowcontrol [port <portlist>]{asymmetric | symmetric | auto | disable}



The flowcontrol command is executed in the Interface Configuration mode.


Table 7: flowcontrol command parameters

Parameters Descriptionport <portlist> Specifies the port numbers to configure for flow

control.Note: If you omit this parameter, the system uses theports you specified in the interface command but onlythose ports which have speed set to 1000/full.

asymmetric | symmetric | auto |disable

Sets the mode for flow control:

• asymmetric- PAUSE frames can only flow in onedirection.

• symmetric- PAUSE frames con flow in eitherdirection.

• auto- sets the port to automatically determine the flowcontrol mode (default)

• disable- disables flow control

no flowcontrol commandThe no flowcontrol command is used only on Gigabit Ethernet ports and disables flowcontrol.

The syntax for the no flowcontrol command is: no flowcontrol [port<portlist>]The no flowcontrol command is executed in the Interface Configuration mode.


Table 8: no flowcontrol command parameters

Parameters Descriptionport <portlist> Specifies the port numbers for which to

disable flow control.Note: If you omit this parameter, the systemuses the ports you specified in theinterface command, but only those portsthat have speed set to 1000/full.

default flowcontrol commandThe default flowcontrol command is used only on Gigabit Ethernet ports and sets theflow control to auto, which automatically detects the flow control.

The syntax for the default flowcontrol command is: default flowcontrol [port<portlist>]




The default flowcontrol command is executed in the Interface Configuration mode.


Parameters Descriptionport <portlist> Specifies the port numbers to default to auto flow

control.Note: If you omit this parameter, the system uses the portnumber you specified in the interface command.

default rate-limit commandThe default rate-limit command restores the rate-limiting value for the specified portto the default setting.

The syntax for the default rate-limit command is: default rate-limit [port<portlist>]The default rate-limit command is executed in the Interface Configuration commandmode.


Table 9: default rate-limit command parameters

Parameters Descriptionport <portlist> Specifies the port numbers on which to reset rate-limiting to

factory default. Enter the port numbers on which to set rate-limiting to default.Note: If you omit this parameter, the system uses the port numberyou specified in the interface command.

Enabling rate-limiting

About this taskThe percentage or packets per seconds of multicast traffic, or broadcast traffic, or both can belimited with CLI. For details, refer to the following:

• show rate-limit command on page 47• rate-limit command on page 48• no rate-limit command on page 48• default rate-limit command on page 47

show rate-limit commandThe show rate-limit command displays the rate-limiting settings and statistics.

The syntax for the show rate-limit command is: show rate-limitThe show rate-limit command is executed in the Privileged EXEC command mode.



rate-limit commandThe rate-limit command configures rate-limiting on the port.

The syntax for the rate-limit command is: rate-limit {multicast | broadcast| both} {percent <0-10>}The rate-limit command is executed in the Interface Configuration command mode.


Table 10: rate-limit command parameters

Parameters Descriptionmulticast | broadcast | both Applies rate-limiting to the type of traffic.

• multicast--applies rate-limiting to multicastpackets

• broadcast--applies rate-limiting tobroadcast packets

• both--applies rate-limiting to both multicastand broadcast packets

percent <0-10> Specifies the mode for setting the rates of theincoming traffic.

percent <0-10>--enter and integer from 1to 10 to set the rate-limiting percentage.

For 10 Gb/s links, the default value forlimiting both broadcast and multicast is 10percent.Rate limiting using packet per seconds canonly be configured using CLI.

no rate-limit commandThe no rate-limit command disables rate-limiting on the port.

The syntax for the no rate-limit command is: no rate-limit [port <portlist>]The no rate-limit command is executed in the Interface Configuration command mode.


Table 11: no rate-limit command parameters

Parameters Descriptionport <portlist> Specifies the port numbers to disable for rate-limiting. Enter the

port numbers you want to disable.Note: If you omit this parameter, the system uses the port numberyou specified in the interface command.




Configuring Energy Saver OptionsAbout this taskUse the following procedure to configure Energy Saver options.

Procedure



3. Use the command energy-saver enable to enable energy saver mode.

4. Use the command energy-saver efficiency-mode to enable efficiencymode.

5. Use the command energy-saver poe-power-saving to enable Power OverEthernet power saving mode.

Using Simple Network Time ProtocolThe Simple Network Time Protocol (SNTP) feature synchronizes the Universal CoordinatedTime (UCT) to an accuracy within 1 second. This feature adheres to the IEEE RFC 2030 (MIBis the s5agent). With this feature, the system can obtain the time from any RFC 2030-compliantNTP/SNTP server.

Note: If you have trouble using this feature, try various NTP servers. Some NTP servers canbe overloaded or currently inoperable.The system retries connecting with the NTP server amaximum of three times, with 5 minutes between each retry.

Using SNTP provides a real-time timestamp for the software, shown as Greenwich Mean Time(GMT).

If SNTP is enabled, the system synchronizes with the configured NTP server at boot-up andat user-configurable periods thereafter (the default synchronization interval is 24 hours). Thefirst synchronization is not performed until network connectivity is established.

SNTP supports primary and secondary NTP servers. The system tries the secondary NTPserver only if the primary NTP server is unresponsive.

To configure SNTP, refer to the following commands:

• show SNTP command on page 50• show sys-info command on page 50• SNTP enable command on page 50• no SNTP enable command on page 50



• SNTP server primary address command on page 51• SNTP server secondary address command on page 51• no SNTP server command on page 51• SNTP sync-now command on page 52• SNTP sync-interval command on page 52

show SNTP command

The show SNTP command displays the SNTP information, as well as the configured NTPservers.

The syntax for the show SNTP command is: show sntpThe show SNTP command is executed in the Privileged EXEC command mode.

show sys-info command

The show sys-info command displays the current system characteristics.

The syntax for the show sys-info command is: show sys-infoThe show sys-info command is executed in the Privileged EXEC command mode.

Note: You must have SNTP enabled and configured to display GMT time.

SNTP enable command

The SNTP enable command enables SNTP.

The syntax for the SNTP enable command is: sntp enableThe SNTP enable command is executed in the Global Configuration command mode.

Note: The default setting for SNTP is disabled.

no SNTP enable command

The no SNTP enable command disables SNTP.

The syntax for the no SNTP enable command is: no sntp enableThe no SNTP enable command is executed in the Global Configuration command mode.




SNTP server primary address command

The SNTP server primary address command specifies the IP addresses of the primaryNTP server.

The syntax for the SNTP server primary address command is: sntp serverprimary address <A.B.C.D>The SNTP server primary address command can be executed in the GlobalConfiguration command mode.


Table 12: sntp server primary address command parameters

Parameters Description<A.B.C.D> Enter the IP address of the primary NTP server in dotted-

decimal notation.

SNTP server secondary address command

The SNTP server secondary address command specifies the IP addresses of thesecondary NTP server.

The syntax for the SNTP server secondary address command is: sntp serversecondary address <A.B.C.D>The SNTP server secondary address command is executed in the Global Configurationcommand mode.


Table 13: sntp server secondary address command parameters

Parameters Description<A.B.C.D> Enter the IP address of the secondary NTP server in

dotted-decimal notation.

no SNTP server command

The no SNTP server command clears the NTP server IP addresses. The command clearsthe primary and secondary server addresses.

The syntax for the no SNTP server command is: no sntp server {primary |secondary}The no SNTP server command is executed in the Global Configuration command mode.




Table 14: no sntp server command parameters

Parameters Descriptionprimary Clear primary SNTP server address.

secondary Clear secondary SNTP server address.

SNTP sync-now command

The SNTP sync-now command forces a manual synchronization with the NTP server.

The syntax for the SNTP sync-now command is: sntp sync-nowThe SNTP sync-now command is executed in the Global Configuration command mode.

Note: SNTP must be enabled before this command can take effect.

SNTP sync-interval command

The SNTP sync-interval command specifies recurring synchronization with the secondaryNTP server in hours relative to initial synchronization.

The syntax for the SNTP sync-interval command is: sntp sync-interval <0-168>The SNTP sync-interval command is executed in the Global Configuration commandmode.


Table 15: sntp sync-interval command parameters

Parameters Descriptions<0-168> Enter the number of hours for periodic synchronization with

the NTP server.Note: 0 is boot-time only, and 168 is once a week.

Real time clock configurationIn addition to SNTP time configuration, a real-time clock (RTC) is available to provide the switchwith time information. This RTC provides the switch information in the instance that SNTP timeis not available.




Use the following commands to view and configure the RTC:

• clock set command on page 53• Clock sync rtc-with-SNTP enable command on page 53• no clock sync-rtc-with-SNTP enable command on page 53• Default clock sync-rtc-with-SNTP enable command on page 54• Clock source command on page 54• default clock source command on page 54

clock set command

This command is used to set the RTC. The syntax of the clock set command is: clockset {<LINE> | <hh:mm:ss>}The following table outlines the parameters for this command.

Table 16: clock set command parameters

Parameters Description<LINE> A string in the format of mmddyyyyhhmmss that

defines the current local time.

<hh:mm:ss> Numeric entry of the current local time in the mannerspecified.

This command is executed in the Privileged EXEC command mode.

Clock sync rtc-with-SNTP enable command

This command enables the synching of the RTC with the SNTP clock when the SNTP clocksynchronizes.

The syntax for this command is: clock sync-rtc-with-sntp enableThis command is executed in the Global Configuration command mode.

no clock sync-rtc-with-SNTP enable command

This command disables the synching of the RTC with the SNTP clock when the SNTP clocksynchronizes.

The syntax for this command is: no clock sync-rtc-with-sntp enableThis command is executed in the Global Configuration command mode.



Default clock sync-rtc-with-SNTP enable command

This command sets the synchronizing of the RTC with the SNTP clock to factory defaults.

The syntax for this command is: default clock sync-rtc-with-sntp enableThis command is executed in the Global Configuration command mode.

Clock source command

This command sets the default clock source for the switch.

The syntax for this command is: clock source {sntp | rtc | sysUpTime}Substitute {sntp | rtc | sysUpTime} with the clock source selection.


default clock source command

This command sets the clock source to factory defaults. The syntax of this command is:default clock sourceThis command is executed in the Global Configuration command mode.

Custom Autonegotiation AdvertisementsCustom Autonegotiation Advertisement (CANA) customizes the capabilities that areadvertised. It also controls the capabilities that are advertised by the WC 8180 as part of theauto-negotiation process.

The following sections describe configuring CANA with CLI:

• Configuring CANA on page 54• Viewing current autonegotiation advertisements on page 55• Setting default auto-negotiation-advertisements on page 55• no auto-negotiation-advertisements command on page 55

Configuring CANA

About this taskUse the auto-negotiation-advertisements command to configure CANA.




To configure port 5 to advertise the operational mode of 10 Mb/s and full duplex enter thefollowing command line: auto-negotiation-advertisements port 5 10-full

Viewing current autonegotiation advertisements

About this taskTo view the autonegotiation advertisements for the device, enter the following command: showauto-negotiation-advertisements [port <portlist>]

Setting default auto-negotiation-advertisements

The default auto-negotiation-advertisements command makes a port advertiseall its auto-negotiation-capabilities.

The syntax for the default auto-negotiation-advertisements command is:default auto-negotiation-advertisements [port <portlist>]To set default advertisements for port 5 of the device, enter the following command line:default auto-negotiation-advertisements port 5The default auto-negotiation-advertisements command can be executed in theInterface Configuration mode.

no auto-negotiation-advertisements command

The no auto-negotiation-advertisements command makes a port silent.

The syntax for the no auto-negotiation-advertisements command is: no auto-negotiation-advertisements [port <portlist>]The no auto-negotiation-advertisements command can be executed in the InterfaceConfiguration mode.

Connecting to another switchUsing the Command Line Interface (CLI), it is possible to communicate with another switchwhile maintaining the current switch connection. This is accomplished with the familiar pingand telnet commands.

ping command

Use the ping command to determine if communication with another switch can be established.The syntax for this command is: ping<dns_host_name> [datasize <64-4096>



[{count <1-999>} | continuous] [{timeout | -t} <1-120>] [interval<1-60] [debug]Substitute <dns_host_name> with the DNS host name of the unit to test.

Run this command in User EXEC command mode or any of the other command modes.


Table 17: ping command parameters

Parameters Description<dns_host_name> The DNS host name of the unit to test.

datasize <64–4096> Specify the size of the ICMP packet to be sent. Thedata size range is from 64 to 4096 bytes.

count <1–9999> | continuous Set the number of ICMP packets to be sent. Thecontinuous mode sets the ping running until theuser interrupts it by entering Ctrl+C.

timeout | -t | <1–120> Set the timeout using either the timeout with the -tparameter followed by the number of seconds theswitch must wait before timing out.

interval <1–60> Specify the number of seconds betweentransmitted packets.

debug Provide additional output information such as theICMP sequence number and the trip time.

telnet command

Use the telnet command to establish communications with another switch during the currentCLI session. Communication can be established to only one external switch at a time usingthe telnet command.

The syntax for this command is: telnet <dns_host_name>Substitute <dns_host_name> with the DNS hostname of the unit with which tocommunicate.

This command is executed in the User EXEC command mode.




Domain Name Server (DNS) ConfigurationDomain name servers are used when the switch needs to resolve a domain name to an IPaddress. The following commands allow for the configuration of the switch domain nameservers:

• show ip dns command on page 57• ip domain-name command on page 57• no ip domain-name command on page 57• default ip domain-name command on page 58• ip name-server command on page 58• no ip name-server command on page 58

show ip dns command

The show ip dns command is used to display DNS-related information. This informationincludes the default switch domain name and any configured DNS servers.

The syntax for this command is: show ip dnsThis command is executed in the User EXEC command mode.

ip domain-name command

The ip domain-name command is used to set the default DNS domain name for the switch.This default domain name is appended to all DNS queries or commands that do not alreadycontain a DNS domain name.

The syntax for this command is: ip domain-name <domain_name>Substitute <domain_name> with the default domain name to be used. A domain name isdetermined to be valid if it contains alphanumeric characters and contains at least one period(.).


no ip domain-name command

The no ip domain-name command is used to clear a previously configured default DNSdomain name for the switch.

The syntax for this command is: no ip domain-nameThis command is executed in the Global Configuration command mode.



default ip domain-name command

The default ip domain-name command is used to set the system default switch domainname. Because this default is an empty string, this command has the same effect as the noip domain-name command.

The syntax for this command is: default ip domain-nameThis command is executed in the Global Configuration command mode.

ip name-server command

The ip name-server command is used to set the domain name servers the switch uses toresolve a domain name to an IP address. A switch can have up to three domain name serversspecified for this purpose.

The syntax of this command is:

ip name-server <ip_address_1> ip name-server <ip_address_2> ip name-server <ip_address_3>Note: To enter all three server addresses you must enter the command three times, each witha different server address.

The following table outlines the parameters for this command.

Table 18: ip name-server command parameters

Parameters Description<ip_address_1> The IP address of the domain name server used by the

switch.

<ip_address_2> Optional. The IP address of a domain name server to add tothe list of servers used by the switch.

<ip_address_3> Optional. The IP address of a domain name server to add tothe list of servers used by the switch.


no ip name-server command

The no ip name-server command is used to remove domain name servers from the listof servers used by the switch to resolve domain names to an IP address.

The syntax for this command is:

no ip name-server <ip_address_1> no ip name-server [<ip_address_2>]no ip name-server [<ip_address_2>]




Note: To remove all three server addresses you must enter the command three times, eachwith a different server address.


Parameters Description<ip_address_1> The IP address of the domain name server to remove.

<ip_address_2> Optional. The IP address of a domain name server toremove from the list of servers used by the switch.

<ip_address_3> Optional. The IP address of a domain name server toremove from the list of servers used by the switch.


Changing switch softwareAbout this taskThe software download begins when the user initiates the download and follows the downloadprocess accordingly. This process deletes the contents of the flash memory and replaces itwith the desired software image. Do not interrupt the download process. Depending on networkconditions, this process make take up to 10 minutes.

The current WLAN 8180 image build is as follows:

Image name Image Version Image Sizewc8180_1.1.0.130s.imgsoftware image

1.1.0.130 47 megabytes

When the download process is complete, the switch automatically resets unless the no-resetparameter was used. The software image initiates a self-test and returns a message when theprocess is complete.

An example of this message is illustrated in the following table.

Table 19: Software download message output

Download Image [/] Saving Image [-] Finishing UpgradingImage

Note:Before upgrading to the latest software image, Avaya recommends to take the backup ofthe binary & ASCII configuration on the controller and save it.

During the download process the switch is not operational.

The progress of the download process can be tracked by observing the front panel LEDs.



To change the software version running on the switch with CLI, follow this procedure:

Procedure

1. Access CLI through the Telnet protocol or a Console connection.

2. Enter enable and then hit enter to enter Privileged Access.

3. Enter download and then hit enter.

4. Enter the IP address address <a.b.c.d> of the TFTP address of where theimage us stored and then hit enter.

5. Enter the image file name image <image name> and hit enter.

6. The image downloads, saves the image, and reboots.The following table explains the parameters for the download command.

Table 20: download command parameters

Parameter Descriptionaddress <a.b.c.d> This parameter is the IP address of the

TFTP server to be used. The address<ip> parameter is optional and ifomitted the switch defaults to theTFTP server specified by the tftp-server command unless softwaredownload is to take place using a USBMass Storage Device.

image <image name> This parameter is the name of thesoftware image to be downloadedfrom the TFTP server.

Configuration files in CLICLI provides many options for working with configuration files. Through CLI, configuration filescan be displayed, stored, and retrieved.

For details, refer to the following:

• Displaying the current configuration on page 61• Storing the current configuration on page 61• copy tftp config command on page 62• copy usb config command on page 62• Saving the current configuration on page 62




Importing action commands

The import and export of action commands in ASCII configuration files is not supported in thisrelease. This includes commands such as radius secret and mdc-join. Actioncommands that are part of a device configuration before an export operation will be excludedduring the export operation. Subsequent imports of the configuration file will not contain theexcluded commands. Excluded commands must be manually executed after the importprocess.

This is very important to keep in mind especially in regards to configuring a new device orupdating a device that has been returned to factory defaults. Note the action commands thatwere part of the pre-export configuration so they can be manually executed after theconfiguration file is imported.

Displaying the current configuration

The show running-config command displays the current configuration of switch.

The syntax for the show running-config command is:

show running-configThis command only can be executed in the Privileged EXEC mode and takes noparameters.

Storing the current configuration

The copy running-config command copies the contents of the current configuration fileto another location for storage. For all switches in the 8100 Series, the configuration file canbe saved to a TFTP server. The WC 8180 also provide the ability to save the configuration fileto a USB Mass Storage Device through the front panel USB drive.

The syntax for the copy running-config command is:

copy running-config {tftp | (usb) [u2] } address <A.B.C.D> filename<name>The following table outlines the parameters for this command.

Table 21: copy running-config parameters

Parameters Description{tftp | usb} This parameter specifies the general location in which

the configuration file is saved.

address <A.B.C.D> If a TFTP server is to be used, this parameter signifiesthe IP address of the server to be used.



Parameters Descriptionfilename <name> The name of the file that is created when the

configuration is saved to the TFTP server or USB MassStorage Device.

The copy running-config command only can be executed in the Privileged EXECmode.

copy tftp config command

Use this command to restore a configuration file stored on a TFTP server.


copy tftp config address <A.B.C.D> filename <name>The following table outlines the parameters for this command.

Table 22: copy tftp config command parameters

Parameter Descriptionaddress <A.B.C.D> The IP address of the TFTP server to be used.

filename <name> The name of the file to be retrieved.

copy usb config command

Use this command to restore a configuration file stored on a USB Mass Storage Device. Thesyntax is:

copy usb config filename <name>The only parameter for this command is the name of the file to be retrieved from the USBdevice.

Saving the current configuration

The configuration currently in use on a switch is regularly saved to the flash memoryautomatically. However, you can manually initiate this process using the copy confignvram command. This command takes no parameters and you must run it in Privileged EXECmode. If you have disabled the AutosaveToNvramEnabled function by removing the defaultcheck in the AutosaveToNvRamEnabled field, the configuration is not automatically saved tothe flash memory.




Automatically downloading a configuration file with CLI

This feature is enabled through CLI by using the configure network command. This commandenables a script to be loaded and executed immediately as well as configure parameters toautomatically download a configuration file when the switch is booted.

The syntax for the configure network command is: configure network load-on-boot{disable | use-bootp | use-config} address <A.B.C.D> filename <name>The following table outlines the parameters for this command.

Table 23: configure network command parameters

Parameter Descriptionload-on-boot {disable | use-bootp | useconfig}

Specifies the settings for automaticallyloading a configuration file when the systemboots:

• disable - disables the automatic loading ofconfig file

• use-bootp - specifies loading the ASCIIconfiguration file at boot and using BootPto obtain values for the TFTP address andfilename

• use-config - specifies loading the ASCIIconfiguration file at boot and using thelocally configured values for the TFTPaddress and filename

Note: If you omit this parameter, the systemimmediately downloads and runs the ASCIIconfig file.

address <A.B.C.D> The IP address of the desired TFTP server.

filename <name> The name of the configuration file to use inthis process

This command must be run in the Privileged EXEC mode.

The current switch settings relevant to this process can be viewed using the show config-network command. This command takes no parameters and must be executed in PrivilegedEXEC mode.

Enabling QuickconfigAbout this taskUse the following procedure to enable Quickconfig



Procedure



3. Use the command quickconfig enable to enable Quickconfig.

Terminal setupSwitch terminal settings can be customized to suit the preferences of a switch administrator.This operation must be performed in CLI.

The terminal command configures terminal settings. These settings are transmit and receivespeeds, terminal length, and terminal width.

The syntax of the terminal command is: terminal speed {2400 | 4800 | 9600 |19200 | 38400} length <0-132> width <1-132>The terminal command is executed in the User EXEC command mode.


Table 24: terminal command parameters

Parameters Descriptionspeed {2400|4800|19200|38400} Sets the transmit and receive baud rates for

the terminal. The speed can be set at one ofthe five options shown; the default is 9600.

length Sets the length of the terminal display inlines; the default is 23.Note: If the terminal length is set to a valueof 0, the pagination is disabled and thedisplay continues to scroll without stopping.

width Sets the width of the terminal display incharacters; the default is 79.

The show terminal command can be used at any time to display the current terminalsettings. This command takes no parameters and is executed in the EXEC command mode.

Setting the default management interfaceYou can set the default management interface with CLI to suit the preferences of the switchadministrator. This selection is stored in NVRAM. When the system is started, the bannerdisplays and prompts the user to enter Ctrl+Y. After these characters are entered, the systemdisplays either a menu or the command line interface prompt, depending on previously




configured defaults. When using the console port, you must log out for the new mode to display.When using Telnet, all subsequent Telnet sessions display the selection.

To change the default management interface, use the cmd-interface command. The syntax ofthis command is: cmd-interface {cli | menu}The cmd-interface command must be executed in the Privileged EXEC command mode.

Enabling Serial Console Port AccessAbout this taskUse the following procedure to enable serial console port access.

Procedure



3. Use the command serial-console unit <1–8> to set the unit you want toenable serial console port access.

4. Use the command serial-console enable to enable serial console portaccess.

Setting Telnet accessCLI can be accessed through a Telnet session. To access CLI remotely, the management portmust have an assigned IP address and remote access must be enabled.

Note: Multiple users can access CLI system simultaneously, through the serial port, Telnet,and modems. The maximum number of simultaneous users is four. All users can configuresimultaneously.

For details on viewing and changing the Telnet-allowed IP addresses and settings, refer to thefollowing:

• telnet-access command on page 65• default telnet-access command on page 66

telnet-access command

The telnet-access command configures the Telnet connection that is used to manage theswitch. The telnet-access command is executed through the console serial connection.

The syntax for the telnet-access command is:



telnet-access [enable | disable] [login-timeout <1-10>][retry<1-100>] [inactive-timeout <0-60>] [logging {none | access |failures | all}] [source-ip <1-50> <A.B.C.D> <WORD> [mask <A.B.C.D>]Execute the telnet-access command in the Global Configuration command mode.

The following table describes the parameters for the telnet-access command.

Table 25: telnet-access command parameters

Parameters Descriptionenable | disable Enables or disables Telnet connection.

login-timeout <1-10> Specify in minutes the time to wait for Telnetand Console login before the connectioncloses. Enter an integer between 1 and 10.

retry <1-100> Specify the number of times the user canenter an incorrect password before closingthe connection. Enter an integer between 1and 100.

inactive-timeout <0-60> Specify in minutes the duration for aninactive session to be terminated.

logging {none | access | failures | all} Specify the events whose details you want tostore in the event log:

• none-do not save access events in the log

• access-save only successful accessevents in the log

• failure-save failed access events in the log

• all-save all access events in the log

[source-ip <1-50> <A.B.C.D> [mask<A.B.C.D>] [source-ip <WORD>

Specify the source IP address from whichconnections are allowed. Enter the IPaddress in dotted-decimal notation. Maskspecifies the subnet mask from whichconnections are allowed; enter IP mask indotted-decimal notation.

default telnet-access command

The default telnet-access command sets the Telnet settings to the default values.

The syntax for the default telnet-access command is:

default telnet-accessThe default telnet-access command is executed in the Global Configuration commandmode.




Setting boot parametersThe command outlined in this section is used for booting the switch as well as setting bootparameters.

boot command

The boot command performs a soft-boot of the switch.

The syntax for the boot command is:

boot [default] [partial default]The boot command is executed in the Privileged EXEC command mode.

The following table describes the parameters for the boot command.

Table 26: boot command parameters

Parameters Descriptiondefault Reboot the switch and use the factory default

configurations

partial-default Reboot the switch and use partial factory defaultconfigurations

Note: When you reset to factory defaults, the switch retains the last reset count and reason forlast reset; these two parameters do not default to factory defaults.

Defaulting to BootP-when-neededThe BootP default value is BootP-when-needed. This enables the switch to be booted and thesystem to automatically seek a BootP server for the IP address.

If an IP address is assigned to the device and the BootP process times out, the BootP moderemains in the default mode of BootP-when-needed.

However, if the device does not have an assigned IP address and the BootP process timesout, the BootP mode automatically changes to BootP disabled. But this change to BootPdisabled is not stored, and the BootP reverts to the default value of BootP-when-needed afterrebooting the device.

When the system is upgraded, the switch retains the previous BootP value. When the switchis defaulted after an upgrade, the system moves to the default value of BootP-when-needed.



Refer to the following commands to configure BootP parameters:

• ip bootp server command on page 68• no ip bootp server command on page 68• default ip bootp server command on page 68

ip bootp server command

The ip bootp server command configures BootP on the current instance of the switch orserver. This command is used to change the value of BootP from the default value, which isBootP-when-needed.

The syntax for the ip bootp server command is:

ip bootp server {always | disable | last | needed}The ip bootp server command is executed in the Global Configuration command mode.


Table 27: ip bootp server command parameters

Parameters Descriptionalways | disable | last | needed Specifies when to use BootP:

• always-Always use BootP

• disable-never use BootP

• last-use BootP or the last known address

• needed-use BootP only when needed

Note: The default value is to use BootP whenneeded.

no ip bootp server command

The no ip bootp server command disables the BootP server.

The syntax for the no ip bootp server command is:

no ip bootp serverThe no ip bootp server command is executed in the Global Configuration commandmode.

default ip bootp server command

The default ip bootp server command uses BootP when needed.




The syntax for the default ip bootp server command is:

default ip bootp serverThe default ip bootp server command is executed in the Global Configurationcommand mode.

shutdown commandAbout this taskThe shutdown command proves a mechanism for safely shutting down a switch withoutinterfering with device processes or corrupting the software image. After this command isissued, the configuration is saved, auto-save functionality is temporarily disabled, andconfiguration changes are not allowed until the switch restarts. If the shutdown is cancelled,auto-save functionality returns to the state in which it was previously functioning.

The shutdown command has the following syntax: shutdown [force] [minutes-to-wait <1-60>] [cancel]The following table describes the parameters of the shutdown command.

Table 28: shutdown command parameter

Parameters Descriptionforce This parameter forces the shutdown without

confirmation.

minutes-to-wait <1-60> This parameter represents the number of minutes towait before the shutdown occurs. If no value isspecified, the default value of 10 minutes is used.

cancel This parameter cancels a scheduled shutdown anytime during the time period specified by theminutes-to-wait parameter.

reload commandAbout this taskThe reload command operates in a similar fashion to the shutdown command. However, thereload command is intended more to be used by system administrators using the commandfunctionality to configure remote devices and reset them when the configuration is complete.

The reload command differs from the shutdown command in that the configuration is notexplicitly saved after the command is issued. This means that any configuration changes mustbe explicitly saved before the switch reloads.



The reload command does temporarily disable auto-save functionality until the reload occurs.Cancelling the reload returns auto-save functionality to any previous setting.

The reload command has the following syntax: reload [force] [minutes-to-wait<1-60>] [cancel]The following table describes the parameters of the reload command.

Table 29: reload command parameters

Parameter Descriptionforce This parameter forces the reload without confirmation.

minutes-to-wait <1-60> This parameter represents the number of minutes towait before the reload occurs. If no value is specified,the default value of 10 minutes is used.

cancel This parameter cancels a scheduled reload any timeduring the time period specified by the minutes-to-waitparameter.

Configuring Packet Storm Control SettingsAbout this taskUse the following procedure to configure Packet Storm Control settings.

Procedure



3. Use the command storm-control and one of the following sub-commands toPacket Storm Control settings:

a. Use the enable sub-command to enable the feature.

b. Use the high-watermark <11–100000000> sub-command to set the highwatermark in packets per second.

c. Use the low-watermark <10–100000000> sub-command to set the lowwatermark in packets per second.

d. Use the poll-interval <5–300> sub-command to set the poll interval inseconds.

e. Use the trap-send-interval <0–1000> sub-command to set the trap sendinterval in poll cycles.




CLI HelpAbout this taskTo obtain help on the navigation and use of Command Line Interface (CLI), use the followingcommand: help {commands | modes}Use help commands to obtain information about the commands available in CLI organized bycommand mode. A short explanation of each command is also included.

Use help modes to obtain information about command modes available and CLI commandsused to access them.

These commands are available in any command mode.

Clearing the default TFTP server with CLIAbout this taskThe default TFTP server can be cleared from the switch and reset to 0.0.0.0 with the followingtwo commands:

• no tftp-server• default tftp-server

Configuring a default TFTP server with CLIAbout this taskThe switch processes that make use of a TFTP server often give the switch administrator theoption of specifying the IP address of a TFTP server to be used. Instead of entering this addressevery time it is needed, a default IP address can be stored on the switch.

A default TFTP server for the switch is specified with the tftp-server command. The syntax ofthis command is: tftp-server <A.B.C.D>To complete the command, replace <A.B.C.D> with the IP address of the default TFTP server.This command must be executed in the Privileged EXEC command mode.

Configuring default clock sourceAbout this taskThis command sets the default clock source for the switch.

The syntax for this command is: clock source {rtp | sntp | sysUpTime}



Substitute {rtp | sntp | sysUpTime}with the clock source selection.

Run this command in Global Configuration command mode.

Configuring daylight savings time with CLIAbout this taskUse the following procedure to configure the daylight savings time adjustment with CLI:

Procedure

1. In CLI, set the Global Configuration command mode.configure

2. Enable sntp server.

3. Set the date to change to daylight savings time.clock summer-time zone date day month year hh:mm day monthyear hh:mm [offset]

Job aid

The following table defines the variables for the clock summer-time command:

Table 30: clock summer-time command parameters

Parameters Descriptiondate Indicates that daylight savings time should

start and end on the specified days everyyear.

day Date to start daylight savings time.

month Month to start daylight savings time.

year Year to start daylight savings time.

hh:mm Hour and minute to start daylight savingstime.

day Date to end daylight savings time.

month Month to end daylight savings time.

year Year to end daylight savings time.

hh:mm Hour and minute to end daylight savingstime.




Parameters Descriptionoffset Number of minutes to add during the summer

time.

zone The time zone acronym to be displayed whendaylight savings time is in effect. If it isunspecified, it defaults to the time zoneacronym set when the time zone was set.

Configuring Dual AgentAbout this taskUse the following commands to configure the Dual Agent feature with CLI:

• Enhanced download command on page 73• toggle next boot image command on page 74• boot secondary command on page 74• Show agent images on page 74

Enhanced download command

You can update either active image or non-active image. Once the image download is done,the unit resets and restarts with the new image regardless of the value of the Next Boot imageindicator. In case of image download without reset, the new image in the flash will be the NextBoot image.

Use the download command to specify the download target image. The syntax for thiscommand is:

download [address <a.b.c.d>] {primary | secondary} {image <imagename> | image-if-newer <image name> | diag <image name>} [no-reset][usb]The following table defines the parameters for the download command.

Table 31: download command parameters

Parameters Variablea.b.c.d IP address in dot notation.

primary | secondary Choose which image to download.

image <image name> Download the specified image.

image-if-newer <image name> Only download the image if the version is newerthan the installed version.



Parameters Variablediag <image name> Download the specified diagnostic image.

no-reset Do not reset the switch.

usb Download the image from the USB drive.

Note: Dual Agent supports the WLAN switches NBUs through AAUR.

toggle next boot image command

You can use CLI commands to change the next boot image of the device.

Use the toggle-next-boot-image command to toggle the next boot image.


toggle-next-boot-imageYou must restart the switch after this command to use the next boot image as the new primaryimage.

boot secondary command

You can use CLI commands to change the next boot image of the device.

Use the boot secondary command to use the secondary boot image. The syntax for thiscommand is:

boot secondaryThe switch will restart automatically with the new image.

Show agent images

You can use CLI commands to list the following information about the agent images stored inflash memory:

• Primary image version• Secondary image name• Active image version

Use the show boot image command to show the agent image information for agent imagesstored in the flash memory. They syntax for this command is:

show boot image




Configuring local time zone with CLIAbout this taskSNTP uses Coordinated Universal Time (UTC) for all time synchronizations so it is not affectedby different time zones. To have the switch report the time in your local time zone, you needto use the clock commands to set the local time zone.

You must enable SNTP before you set the time zone. If SNTP is not enabled, this commandhas no effect. If you enable SNTP and do not specify a time zone, UTC is shown by default.

Use the following procedure to configure your switch for your local time zone with CLI:

Procedure

1. In CLI, set the Global Configuration command mode.configure

2. Enable sntp server.

3. Set clock time zone using the clock command.clock time-zone zone hours [minutes]

Job aid

The following table defines the variables for the clock time-zone command:

Table 32: clock time-zone command

Variables Descriptionzone Time zone acronym to be displayed when showing

system time (up to 4 characters).

hours Difference from UTC in hours. This can be any valuebetween -12 and +12.

minutes Optional: This is the number of minutes difference fromUTC. Minutes can be any value between 0 and 59.

Customizing CLI banner with CLI



show banner command

The show banner command displays the banner.

The syntax for the show banner command is:

show banner [static | custom]The show banner command is executed in the Privileged EXEC command mode.


Table 33: show banner command parameters

Parameters Descriptionstatic | custom Displays which banner is currently set to display:

• static

• custom

banner command

The banner command specifies the banner displayed at startup; either static or custom.

The syntax for the banner command is:

banner {static | custom} <line number> "<LINE>"The following table outlines the parameters for this command.

Table 34: banner command parameters

Parameters Descriptionstatic | custom Sets the display banner as:

• static

• custom

line number Enter the banner line number you are setting.The range is 1 to 19.

LINE Specifies the characters in the line number.

This command is executed in the Privileged EXEC command mode.




no banner command

The no banner command clears all lines of a previously stored custom banner. Thiscommand sets the banner type to the default setting (STATIC).

Displaying the default TFTP server with CLI

no bannerThe no banner command is executed in the Privileged EXEC command mode.

Displaying the default TFTP server with CLIAbout this taskThe default TFTP server configured for the switch can be displayed in CLI at any time by usingthe show tftp-server command. This command has no parameters and is executed in thePrivileged EXEC mode.

Displaying complete GBIC informationAbout this taskComplete information can obtained for a GBIC port using the following command: showinterfaces gbic-info <port-list>Substitute <port-list> with the GBIC ports for which to display information. If no GBIC isdetected, this command does not show any information.

This command is available in all command modes.

Displaying hardware informationAbout this taskTo display a complete listing of information about the status of switch hardware in CLI, use thefollowing command: show system [verbose]The inclusion of the [verbose] option displays additional information about fan status, powerstatus, and switch serial number.

Switch hardware information is displayed in a variety of locations in Web-based managementand Device Manager. No special options are needed in these interfaces to display theadditional information.



Configuring Auto-Unit ReplacementAbout this taskUse the following procedure to configure auto-unit replacement.

Procedure



3. Use the command stack auto-unit-replacement enable to enable auto-unit replacement.

4. Use the command stack auto-unit-replacement config restore unit<1–8> restore the configuration of a unit from the saved configuration on the savedunit.

5. Use the command stack auto-unit-replacement-image enable to enableauto-unit replacement image settings.

Configuring the UI buttonAbout this taskUse the following procedure to configure UI button options.

Procedure



3. Use the command ui-button unit <1–8> to set the unit to enable.

4. Use the command ui-button enable to enable the ui-button feature.

Configuring USB Host PortAbout this taskUse the following procedure to configure the USB host port.




Procedure



3. Use the command usb-host-port unit <1–8> to set the unit to enable.

4. Use the command usb-host-port enable to enable the usb host port.

Enabling AutosaveAbout this taskWith autosave enabled the system checks every minute to see if there is any new configurationdata. If there is, it will automatically be saved to NVRAM. While autosave is enabled, the AURfeature should perform normally.

Use the following command to enable the autosave feature.

autosave enable command

The autosave enable command is used to enable the autosave feature.


autosave enableThe autosave enable command is executed in Global Configuration command mode.

Setting the server for Web-based management with CLISetting the server for Web-based management with CLI You can use CLI to enable or disablea web server for use with Web-based management. For details, refer to the following:

• web-server command on page 79• no web-server command on page 80

web-server command

The web-server command enables or disables the web server used for Web-basedmanagement.

The syntax for the web-server command is:

web-server {enable | disable}



The web-server command is executed in the Global Configuration command mode.


Table 35: web-server command parameters

Parameter Descriptionenable | disable Enables or disables the web server.

no web-server command

The no web-server command disables the web server used for Web-basedmanagement.

The syntax for the no web-server command is:

no web-serverThe no web-server command is executed in the Global Configuration command mode.

Setting the read-only and read-write passwordsAbout this taskThe first step to requiring password authentication when the user logs in to the switch is to editthe password settings. To set the read-only and read-write passwords, perform the followingprocedure.

Procedure


2. From the command prompt, use the cli password command to change the desiredpassword.cli password {read-only | read-write} <password>The following table describes the parameters for this command.

Table 36: cli password command parameters

Parameter Description{read-only | read-write} This parameter specifies if the

password change is for read-onlyaccess or read-write access.

<password> If password security is disabled, thelength can be 1-15 chars. If password




Parameter Descriptionsecurity is enabled, the range for lengthis 10-15 chars.

3. Press Enter.

Enabling and disabling passwordsAbout this taskAfter the read-only and read-write passwords are set, they can be individually enabled ordisabled for the various switch access methods. When enabled, password security promptsyou for a password and the value is hidden. To enable or disable passwords, perform thefollowing procedure:

Procedure


2. From the command prompt, use the cli password command to enable or disablethe desired password.cli password {telnet | serial} {none | local | radius |tacacs}The following table describes the parameters for this command.

Table 37: cli password parameters

Parameter Description{telnet | serial} This parameter specifies if the

password is enabled or disabled fortelnet or the console. Telnet and webaccess are tied together so thatenabling or disabling passwords forone enables or disables it for theother.

{none | local | radius | tacacs} This parameter specifies if thepassword is to be disabled (none), or ifthe password to be used is the locallystored password created in theprevious procedure, or if RADIUSauthentication or TACACS +AAAservices is used.

3. Press Enter.



Configuring RADIUS authenticationAbout this taskThe Remote Authentication Dial-In User Service (RADIUS) protocol is a means to authenticateusers through the use of a dedicated network resource. This network resource contains a listingof eligible user names and passwords and their associated access rights. When RADIUS isused to authenticate access to a switch, the user supplies a user name and, when prompted,a password. The password value is hidden when entered. This information is checked againstthe preexisting list. If the user credentials are valid they can access the switch.

If RADIUS Authentication was selected when enabling passwords through CLI, the RADIUSserver settings must be specified to complete the process. Ensure that Global Configurationmode is entered in CLI before beginning this task.

To enable RADIUS authentication through CLI, follow these steps:

Procedure


2. From the command prompt, use the radius-server command to configure theserver settings.radius-server host <address> [secondary-host <address>] port<num> key <string> [password fallback]The following table describes the parameters for this command.

Table 38: radius-server parameters

Parameter Descriptionhost <address> This parameter is the IPv6 or IPv4

address of the RADIUS server that isused for authentication.

[secondary-host <address>] The secondary-host <address>address> parameter is optional. If abackup RADIUS server is to bespecified, include this parameter withthe IPv6 or IPv4 address of the backupserver.

port <num> This parameter is the UDP port numberthe RADIUS server uses to listen forrequests.

key This parameter prompts you to supplya secret text string or password that isshared between the switch and theRADIUS server. Enter the secret string,which is a string up to 16 characters in




Parameter Descriptionlength. The password is hidden whenentered.

[password fallback] This parameter is optional and enablesthe password fallback feature on theRADIUS server. This option is disabledby default.

3. Press Enter.

Related RADIUS Commands

About this taskDuring the process of configuring RADIUS authentication, there are three other CLI commandsthat can be useful to the process. These commands are:

Procedure

1. show radius-serverThe command takes no parameters and displays the current RADIUS serverconfiguration.

2. no radius-serverThis command takes no parameters and clears any previously configured RADIUSserver settings.

3. radius-server password fallbackThis command takes no parameters and enables the password fallback RADIUSoption if it was not done when the RADIUS server was configured initially.

Configuring RADIUS server load balancingUse the following procedure to configure RADIUS server load balancing to ease the serverload during heavy authentications requests. RADIUS server load balancing applies only toradius profiles of type authentication not for RADIUS accounting profiles.

Ensure to synchronize the server load balancing profile among controllers in a mobilitydomain.

About this taskUse the procedure to create a RADIUS profile for server load balancing.



Procedure


2. Use the command security to enter Security Configuration mode.

3. Use the command radius profile <profile-name> server-load-balancing to configure RADIUS server load balancing.

4. Use the command default radius profile <profile-name> server-load-balancing to create the default load balancing profile.

5. Use the command no radius profile <profile-name> server-load-balancing to disable RADIUS server load balancing.

6. Use the command show wireless security radius profile profile-name to show the RADIUS balancing profile.

Configuring RADIUS AAA offloadingUse RADIUS AAA offloading to reduce heavy loads between the RADIUS server and wirelessusers during authentication. AAA offloading applies only to PEAPv0-MSCHAPv2 userauthentication and needs to be enabled on a network for it to take effect.

Use the following procedure to do one or more of the following:

• Configure AAA RADIUS offloading: configure RADIUS AA offloading.

• Create a self-signed X.509 certificate: generates the self-signed certificate withoptions.

• Import an X.509 certificate from a PKCS#12: imports a 3rd party certificate.

• Map an application to an X.509 certificate: change (map) the RADIUS server certificatewith newly imported certificate.

Procedure

1. Enter the Network-profile configuration mode of the CLI.Configure RADIUS AAA offloading

2. Use the command radius offload to create a profile.

3. Use the command default radius offload to create a default.

4. Use the command no radius offload to disable Radius offload.

5. Chose step 6 to create a self-signed certificate or step 10 to import a 3rd partycertificate.Create a self-signed X.509 certificate




6. Enter the Crypto configuration mode of the CLI.

7. Use the command certificate self-signed certificate-index [key-size 1024 | 2048| 4096] [common-name common-name] [country-code country-code] [state-name state-name] [locality name locality-name] [organization org-name][organization-unit org-unit] [email email] [valid days] to create a certificate.Use the following variables to help you create a specified certificate.

key-size 1024 | 2048 | 4096 Size of the key

common-name A name such as user name or server name( 0–64 characters)

country-code A country code (2 characters)

state-name Name of the state or province ( 0–128characters)

locality-name Name of locality, for example, city name ( 0–64 characters)

organization Name of the organization ( 0–64 characters)

organization-unit Name of the organization unit such assection or subdivision ( 0–64 characters)

email E-mail address ( 0–128 characters)

valid Certificate's valid period in days

8. Use the command default certificate certificate-index to create a defaultcertificate.

9. Use the command no certificate certificate-index to disable the certificate.Import an X.509 certificate from a PKCS#12After creating the RADIUS offloading you can import a 3rd party certificate

10. Enter the Wireless Crypto configuration of the CLI.

11. Use the command certificate import pkcs12 certificate-index <tftpip tftp-ipaddress> <filename file-name> [encrypted <encrypted-passphrase>] toimport a certificate.Use the following variables to help you import a certificate

Variable Description

tftpip TFTP server IP address ( 0.0.0.0 –255.255.255.255)

filename Certification file in pkcs#12 format ( 0–127characters)

passphrase AES encrypted passphrase



12. Use the command default certificate certificate-index to create a defaultcertificate.

13. Use the command no certificate certificate-index to delete a certificate.Map an application to an X.509 certificateUse the following command to change (map) the RADIUS server certificate withnewly imported certificate.

14. In the NNCLI, enter the wireless/crypto configuration.

15. Use the command certificate mapping certificate-index {captive-portal | radius}to map the certificate to the captive portal.Use the following variables to help you map to a certificate

Variable Description

captive-portal Name of captive portal

radius Name of RADIUS server

16. Use the command default certificate mapping {captive-portal | radius} to createthe default.

17. Use the command no certificate mapping {captive-portal | radius} to delete themapping.

Configuring Radius Health CheckUse this procedure to determine if a RADIUS server is available for authentication process. Ifthe server is not available, health check selects a new server and incoming user authenticationrequests are forwarded to the new server.

About this taskComplete the following steps to configure a health check user name, password, or encryptedpassword. Synchronize the following configurations among controllers in a mobility domain.

Procedure


2. Use the command security to enter Security Configuration mode.Create user name

3. Use the command radius server-healthcheck-user <user name> toconfigure the RADIUS health check user name.

4. Use the command default radius server-healthcheck-user to create adefault Health Check.




5. Use the command no radius server-healthcheck-user (same as defaultcommand) to disable the RADIUS health check user name.Create password

6. Use the command radius server-healthcheck-password <password> tocreate the health check password.

7. Use the command default radius server-healthcheck-password tocreate a default password.

8. Use the command no radius server-healthcheck-password (same asdefault command) to disable the RADIUS health check password.Create encrypted user password

9. Use the command radius server-healthcheck-password encrypted<encrpt-password> to create the health check encrypted password.

10. Use the command default radius server-healthcheck-password tocreate a default encrypted password.

11. Use the command no radius server-healthcheck-password same asdefault command) to disable the RADIUS health check encrypted password.Show command

12. Use the command show wireless security radius to show the health checkconfiguration.The System prompts for a password input and is echo’d with “*”. . When you executethe show command, the AES-encrypted user password displays.

Configuring system securityAbout this taskThis chapter describes the methods and procedures necessary to configure system security.

Depending on the scope and usage of the commands listed in this chapter, you can needdifferent command modes to execute them.

Navigation

• Configuring MAC address-based security using CLI on page 88• Configuring RADIUS authentication using CLI on page 95• SNMP configuration using CLI on page 98• Configuring TACACS+ using CLI on page 118• Configuring IP Manager using CLI on page 121

Configuring system security


• Configuring password security using CLI on page 123• Displaying CLI Audit log using CLI on page 125• Configuring Secure Socket Layer services using CLI on page 126• Configuring Secure Shell protocol using CLI on page 128

Configuring MAC address-based security using CLIAbout this taskThe following CLI commands allow for the configuration of the BaySecureapplication usingMedia Access Control (MAC) addresses.

The CLI commands in this section are used to configure and manage MAC address security.

CLI commands for MAC address security

The CLI commands in this section are used to configure and manage MAC address security.

• show mac-security command on page 89• show mac-security mac-da-filter command on page 89• mac-security command on page 89• mac-security mac-address-table address command on page 90• show mac-security mac-address-table command on page 91• mac-security security-list command on page 91• no mac-security security-list command on page 92• mac-security command for specific ports on page 92• show mac-security command on page 93• mac-security mac-da-filter command on page 93• CLI commands for MAC address auto-learning on page 93• mac-security auto-learning aging-time command on page 93• no mac-security auto-learning aging-time command on page 94• default mac-security auto-learning aging-time command on page 94• mac-security auto-learning port command on page 94• no mac-security auto-learning command on page 95• default mac-security auto-learning command on page 95




show mac-security command

The show mac-security command displays configuration information for the BaySecureapplication.

The syntax for the show mac-security command is:

show mac-security {config|mac-address-table [address <macaddr>] |port|security-lists}The following table outlines the parameters for this command.

Table 39: show mac-security command parameters

Parameter Descriptionconfig Displays general BaySecure configuration.

mac-address-table [address <madaddr>] Displays contents of BaySecure table ofallowed MAC addresses:

address—specifies a single MAC addressto display; enter the MAC address

port Displays the BaySecure status of all ports.

security-lists Displays port membership of all securitylists.

The show mac-security command is executed in the Privileged EXEC command mode.

show mac-security mac-da-filter command

The show mac-security mac-da-filter command displays configuration informationfor filtering MAC destination addresses (DA). Packets can be filtered from up to 10 MACDAs.

The syntax for the show mac-security mac-da-filter command is

show mac-security mac-da-filterThe show mac-security mac-da-filter command is executed in the Privileged EXECcommand mode.

The show mac-security mac-da-filter command has no parameters or variables.

mac-security command

The mac-security command modifies the BaySecure configuration.

The syntax for the mac-security command is



mac-security [disable|enable] [filtering {enable|disable}][intrustion-detect {enable|disable|forever}] [intrusion-timer<1-65535>] [learning-ports <portlist>] [learning {enable|disable}][snmp-lock {enable|disable}] [snmp-trap {enable|disable}]The following table outlines the parameters for this command.

Table 40: mac-security parametersParameter Description

disable|enable Disables or enables MAC address-basedsecurity.

filtering {enable|disable} Enables or disables DA filtering on intrusiondetected.

intrusion-detect {enable|disable|forever} Specifies partitioning of a port when anintrusion is detected:

• enable—port is partitioned for a period oftime

• disabled—port is not partitioned ondetection

• forever—port is partitioned until manuallychanged

intrustion-timer <1-65535> Specifies, in seconds, length of time a port ispartitioned when an intrusion is detected;enter the number of seconds desired.

learning-ports <portlist> Specifies MAC address learning. Learnedaddresses are added to the table of allowedMAC addresses. Enter the ports to learn; asingle port, a range of ports, several ranges,all ports, or no ports can be entered.

learning {enable|disable} Specifies MAC address learning:

• enable—enables learning by ports

• disable—disables learning by ports

snmp-lock {enable|disable} Enables or disables a lock on SNMP write-access to the BaySecure MIBs.

snmp-trap {enable|disable} Enables or disables trap generation uponintrusion detection.

The mac-security command is executed in the Global Configuration mode.

mac-security mac-address-table address command

The mac-security mac-address-table address command assigns either a specificport or a security list to the MAC address. This removes the previous assignment to the




specified MAC address and creates an entry in the BaySecure table of allowed MACaddresses.

The syntax for the mac-security mac-address-table address command is

mac-security mac-address-table address <H.H.H.> {port <portlist>|security-list <1-32>}The following table outlines the parameters for this command.

Table 41: no mac-security mac-address-table parameters

Parameter Description<H.H.H> Enter the MAC address in the form of H.H.H.

port <portlist> Enter the port number.

security-list <1-32> Enter the security list number.

The no mac-security mac-address-table command executes in the GlobalConfiguration mode.

show mac-security mac-address-table command

The show mac-security mac-address-table command displays the current global MAC Addresssecurity table. The syntax for this command is

show mac-security mac-address-table.This command executes in the Privileged EXEC command mode.

mac-security security-list command

The mac-security security-list command assigns a list of ports to a security list.

The syntax for the mac-security security-list command is:

mac-security security-list <1-32> <portlist>The following table outlines the parameters for this command.

Table 42: mac-security security-list parameters

Parameter Description<1-32> Enter the number of the security list you want to use.

<portlist> Enter the port number.

The mac-security security-list command executes in the Global Configurationmode.



no mac-security security-list command

The no mac-security security-list command clears the port membership of asecurity list.

The syntax for the no mac-security security-list command is:

no mac-security security-list <1-32>Substitute the <1-32> with the number of the security list to be cleared.

The no mac-security security-list command executes in the Global Configurationmode.

mac-security command for specific ports

The mac-security command for specific ports configures the BaySecure status of specificports.

The syntax for the mac-security command for specific ports is

mac-security [port <portlist>] {disable|enable|learning}The following table outlines the parameters for this command.

Table 43: mac-security parameters

Parameter Descriptionport <portlist> Enter the port numbers.

disable|enable|learning Directs the specific port

• disable—disables BaySecure on the specifiedport and removes the port from the list of portsfor which MAC address learning is beingperformed

• enable—enables BaySecure on the specifiedport and removes the port from the list of portsfor which MAC address learning is beingperformed

• learning—disables BaySecure on the specifiedport and adds these port to the list of ports forwhich MAC address learning is being performed

The mac-security command for specific ports executes in the Interface Configurationmode.




show mac-security command

The show mac-security command displays the current MAC Address security table for theports entered. The syntax for this command is

show mac-security port <portlist>Substitute <portlist> with the ports to be displayed.

This command executes in the Privileged EXEC command mode.

mac-security mac-da-filter command

The mac-security mac-da-filter command allows packets to be filtered from up to tenspecified MAC DAs. This command also allows you to delete such a filter and then receivepackets from the specified MAC DA.

The syntax for the mac-security mac-da-filter command is

mac-security mac-da-filter {add|delete} <H.H.H>Substitute the {add|delete} <H.H.H> with either the command to add or delete a MACaddress and the MAC address in the form of H.H.H.

The mac-security mac-da-filter command executes in the Global Configurationmode.

CLI commands for MAC address auto-learning

The CLI commands in this section are used to configure and manage MAC auto-learning.

mac-security auto-learning aging-time command

The mac-security auto-learning aging-time command sets the aging time for theauto-learned addresses in the MAC Security Table.

The syntax for the command is

mac-security auto-learning aging-time <0-65535>Substitute <0-65535> with the aging time in minutes. An aging time of 0 means that thelearned addresses never age out. The default is 60 minutes.

The mac-security auto-learning aging-time command executes in the GlobalConfiguration mode.



no mac-security auto-learning aging-time command

The no mac-security auto-learning aging-time command sets the aging time forthe auto-learned addresses in the MAC Security Table to 0. In this way, it disables the removalof auto-learned MAC addresses.


no mac-security auto-learning aging-timeThe no mac-security aging-time command executes in the Global Configurationmode.

default mac-security auto-learning aging-time command

The default mac-security auto-learning aging-time command sets the agingtime for the auto-learned addresses in the MAC Security Table to the default of 60 minutes.


default mac-security auto-learning aging-timeThe default mac-security auto-learning aging-time command executes in theGlobal Configuration mode.

mac-security auto-learning port command

The mac-security auto-learning port command configures MAC security auto-learning on the ports.


mac-security auto-learning port <portlist> disabledisable|{enable[max-addrs <1-25>}The following table outlines the parameters for this command.

Table 44: mac-security auto-learning parameters

Parameter Description<portlist> The ports to configure for auto-learning.

disable|enable Disables or enables auto-learning on the specified ports.The default is disabled.

max-addrs <1-25> Sets the maximum number of addresses the port learns.The default is 2.




The mac-security auto-learning command executes in the Interface Configurationmode.

no mac-security auto-learning command

This command disables MAC security auto-learning for the specified ports on the switch. Thesyntax for this command is

no mac-security auto-learning port <portlist>The no mac-security auto-learning command executes in the Interface Configurationmode.

default mac-security auto-learning command

The default mac-security auto-learning command sets the default MAC securityauto-learning on the switch.


default mac-security auto-learning port <portlist> [enable] [max-addrs]The following table outlines the parameters for this command.

Table 45: default mac-security auto-learning parameters

Parameters Description<portlist> The ports to configure for auto-learning.

enable Sets to default the auto-learning status forthe port. The default is disabled.

max-addrs Sets to default the maximum number ofaddresses the port learns. The default is 2.

The default mac-security auto-learning command executes in the InterfaceConfiguration mode.

Configuring RADIUS authentication using CLIAbout this taskConfigure RADIUS to perform authentication services for system users by doing the following:

• Configure the RADIUS server itself. For specific configuration procedures, see the vendordocumentation. In particular, ensure that you set the appropriate Service-Type attributein the user accounts:



- for read-write access, Service-Type = Administrative- for read-only access, Service-Type = NAS-Prompt

• Configure RADIUS server settings on the switch (see “Configuring RADIUS serversettings” (page 100)).

• (Optional) Enable the RADIUS password fallback feature (see “Enabling RADIUSpassword fallback” (page 101)).

Use the following commands to configure RADIUS authentication:

• Configuring RADIUS server settings on page 96• Enabling RADIUS password fallback on page 97• Viewing RADIUS information on page 97

Configuring RADIUS server settings

About this taskAdd a RADIUS server using the following command in Global or Interface Configuration mode:

radius-serverThe following table describes the parameters for this command.

Table 46: radius-server command parameters

Parameter Descriptionhost <IPaddr> Specifies the IP address of the primary

server you want to add or configure.

key <key> Specifies the secret authentication andencryption key used for all communicationsbetween the NAS and the RADIUS server.The key, also referred to as the sharedsecret, must be the same as the one definedon the server. You are prompted to enter andconfirm the key.

[port <port>] Specifies the UDP port for RADIUS.

<port> is an integer in the range 0–65535.The default port number is 1812.

[secondary-host <IPaddr>] Specifies the IP address of the secondaryserver. The secondary server is used only ifthe primary server does not respond.

[timeout <timeout>] Specifies the number of seconds before theservice request times out. RADIUS allowsthree retries for each server (primary andsecondary).<timeout>




Parameter Descriptionis an integer in the range 1–60. The defaulttimeout interval is 2 seconds.

Delete a RADIUS server and restore default RADIUS settings by using one of the followingcommands in Global or Interface Configuration mode:

no radius-serverdefault radius-server

Enabling RADIUS password fallback

About this taskEnable the RADIUS password fallback feature by using the following command in Global orInterface Configuration mode:

radius-server password fallbackWhen RADIUS password fallback is enabled, users can log on to the switch using the localpassword if the RADIUS server is unavailable or unreachable.The default is disabled.

After you enable RADIUS password fallback, you cannot disable it without erasing all otherRADIUS server settings.

Important:You can use the Console Interface to disable the RADIUS password fallback without erasingother RADIUS server settings. From the main menu, choose Console/Comm PortConfiguration, then toggle the RADIUS Password Fallback field to No.

Disable the RADIUS password fallback feature by using one of the following commands inGlobal or Interface Configuration mode:

no radius-serverdefault radius-serverThe command erases settings for the RADIUS primary and secondary servers and secret key,and restores default RADIUS settings.

Viewing RADIUS information

About this taskDisplay RADIUS configuration status by using the following command from any mode:

show radius-server



SNMP configuration using CLIThis section describes how you can configure SNMP using CLI, to monitor devices runningsoftware that supports the retrieval of SNMP information.

Use the following commands to configure SNMP:

• Configuring SNMP v1, v2c, v3 Parameters using CLI on page 99• SNMPv3 table entries stored in NVRAM on page 100• show snmp-server command on page 100• snmp-server authentication-trap command on page 101• no snmp-server authentication-trap command on page 101• default snmp-server authentication-trap command on page 101• snmp-server community for read or write command on page 102• snmp-server community command on page 102• no snmp-server community command on page 103• default snmp-server community command on page 104• no snmp-server contact command on page 104• default snmp-server contact command on page 104• snmp-server command on page 105• no snmp-server command on page 105• snmp-server host command on page 105• show snmp-server host command on page 107• no snmp-server host command on page 107• default snmp-server host command on page 108• snmp-server location command on page 108• no snmp-server location command on page 109• default snmp-server location command on page 109• snmp-server name command on page 109• no snmp-server name command on page 110• default snmp-server name command on page 110• snmp-server user command on page 110• no snmp-server user command on page 112• snmp-server view command on page 112• no snmp-server view command on page 113• snmp-server bootstrap command on page 114




• show snmp-server notification-control on page 115• snmp-server notification-control command on page 115• no snmp-server notification-control on page 115• default snmp-server notification-control on page 116• spanning-tree rstp traps command on page 116• no spanning-tree rstp traps command on page 117• default spanning-tree rstp traps command on page 117• show spanning-tree rstp traps config conmmand on page 117

Configuring SNMP v1, v2c, v3 Parameters using CLI

Earlier releases of SNMP used a proprietary method for configuring SNMP communities andtrap destinations for specifying SNMPv1 configuration that included:

• A single read-only community string that can only be configured using the consolemenus.

• A single read-write community string that can only be configured using the consolemenus.

• Up to four trap destinations and associated community strings that can be configuredeither in the console menus, or using SNMP Set requests on the s5AgTrpRcvrTable

With the WLAN 8100 Series support for SNMPv3, you can configure SNMP using the newstandards-based method of configuring SNMP communities, users, groups, views, and trapdestinations.

Important:You must configure views and users using CLI before SNMPv3 can be used.

Important:You must have the secure version of the software image installed on your switch before youcan configure SNMPv3.

The WLAN 8100 Series also supports the previous proprietary SNMP configuration methodsfor backward compatibility.

All the configuration data configured in the proprietary method is mapped into the SNMPv3tables as read-only table entries. In the new standards-based SNMPv3 method of configuringSNMP, all processes are configured and controlled through the SNMPv3 MIBs. The CommandLine Interface commands change or display the single read-only community, read-writecommunity, or four trap destinations of the proprietary method of configuring SNMP. Otherwise,the commands change or display SNMPv3 MIB data.

The WLAN 8100 Series software supports MD5 and SHA authentication, as well as AES andDES encryption.

The SNMP agent supports exchanges using SNMPv1, SNMPv2c and SNMPv3. Support forSNMPv2c introduces a standards-based GetBulk retrieval capability using SNMPv1



communities. SNMPv3 support introduces industrial-grade user authentication and messagesecurity. This includes MD5 and SHA-based user authentication and message integrityverification, as well as AES- and DES-based privacy encryption.

Export restrictions on SHA and DES necessitate support for domestic and non-domesticexecutable images or defaulting to no encryption for all customers.

The traps can be configured in SNMPv1, v2, or v3 format. If you do not identify the version (v1,v2, or v3), the system formats the traps in the v1 format. A community string can be entered ifthe system requires one.

SNMPv3 table entries stored in NVRAM

The following list shows the number of nonvolatile entries (entries stored in NVRAM) allowedin the SNMPv3 tables. The system does not allow you to create more entries markednonvolatile when you reach these limits:

• snmpCommunityTable: 20• vacmViewTreeFamilyTable: 60• vacmSecurityToGroupTable: 40• vacmAccessTable: 40• usmUserTable: 20• snmpNotifyTable: 20• snmpTargetAddrTabel: 20• snmpTargetParamsTable: 20

show snmp-server command

The show snmp-server command displays SNMP configuration.

The syntax for the show snmp-server command is

show snmp-server {host|user|view}The show snmp-server command executes in the Privileged EXEC command mode.


Table 47: show snmp-server command parameters

Parameter Descriptionhost Displays the trap receivers configured in the SNMPv3

MIBs.

user Displays the SNMPv3 users, including views accessibleto each user.




Parameter Descriptionview Displays SNMPv3 views.

snmp-server authentication-trap command

The snmp-server authentication-trap command enables or disables the generationof SNMP authentication failure traps.

The syntax for the snmp-server authentication-trap command is

snmp-server authentication-trap {enable|disable}The snmp-server authentication-trap command executes in the Global Configurationmode.


Table 48: snmp-server authentication-trap command parameters

Parameter Descriptionenable|disable Enables or disables the generation of authentication failure

traps.

no snmp-server authentication-trap command

The no snmp-server authentication-trap command disables generation of SNMPauthentication failure traps.

The syntax for the no snmp-server authentication-trap command is

no snmp-server authentication-trapThe no snmp-server authentication-trap command executes in the GlobalConfiguration mode.

default snmp-server authentication-trap command

The default snmp-server authentication-trap command restores SNMPauthentication trap configuration to the default settings.

The syntax for the default snmp-server authentication-trap command is

default snmp-server authentication-trapThe default snmp-server authentication-trap command executes in the GlobalConfiguration mode.



snmp-server community for read or write command

This command configures a single read-only or a single read-write community. A communityconfigured using this command does not have access to any of the SNMPv3 MIBs. Thecommunity strings created by this command are controlled by the SNMP Configuration screenin the console interface. These community strings have a fixed MIB view.

The snmp-server community command for read/write modifies the community strings forSNMPv1 and SNMPv2c access.

The syntax for the snmp-server community for read/write command is

snmp-server community [ro|rw]The snmp-server community for read/write command executes in the Global Configurationmode.


Table 49: snmp-server community for read/write command

Parameter Descriptionro|rw (read-only I read-write) Specifies read-only or read-write access. Stations

with ro access can only retrieve MIB objects, andstations with rw access can retrieve and modify MIBobjects. If ro nor rw are not specified, ro is assumed(default).

snmp-server community command

The snmp-server community command allows you to create community strings withvarying levels of read, write, and notification access based on SNMPv3 views. Thesecommunity strings are separate from those created using the snmp-server community for read/write command.

This command affects community strings stored in the SNMPv3 snmpCommunity Table, whichallows several community strings to be created. These community strings can have any MIBview.

The syntax for the snmp-server community command is

snmp-server community {read-view <view-name>|write-view <view-name>|notify-view <view-name>}The snmp-server community command executes in the Global Configuration mode.





Table 50: snmp-server community command parameters

Parameter Description

read-view <view-name> Changes the read view used by the new communitystring for different types of SNMP operations.view-name—specifies the name of the view which isa set of MIB objects/instances that can be accessed;enter an alphanumeric string.

write-view <view-name> Changes the write view used by the new communitystring for different types of SNMP operations.view-name—specifies the name of the view which isa set of MIB objects/instances that can be accessed;enter an alphanumeric string.

notify-view <view-name> Changes the notify view settings used by the newcommunity string for different types of SNMPoperations.view-name—specifies the name of the view which isa set of MIB objects/instances that can be accessed;enter an alphanumeric string.

no snmp-server community command

The no snmp-server community command clears the snmp-server communityconfiguration.

The syntax for the no snmp-server community command is

no snmp-server community {ro|rw|<community-string>}The no snmp-server community command is executed in the Global Configurationmode.

If you do not specify a read-only or read-write community parameter, all community strings areremoved, including all the communities controlled by the snmp-server communitycommand and the snmp-server community for read-write command.

If you specify read-only or read-write, then just the read-only or read-write community isremoved. If you specify the name of a community string, then the community string with thatname is removed.


Table 51: no snmp-server community command parameters

Parameters Descriptionro |rw|<community-string> Changes the settings for SNMP:



Parameters Description

• ro|rw—sets the specified old-style communitystring value to NONE, thereby disabling it.

• community-string—deletes the specifiedcommunity string from the SNMPv3 MIBs (thatis, from the new-style configuration).

default snmp-server community command

The default snmp-server community command restores the community stringconfiguration to the default settings.

The syntax for the default snmp-server community command is

default snmp-server community [ro|rw]The default snmp-server community command executes in the Global Configurationmode.

If the read-only or read-write parameter is omitted from the command, then all communitiesare restored to their default settings. The read-only community is set to Public, the read-writecommunity is set to Private, and all other communities are deleted.


Table 52: default snmp-server community command parameters

Parameters Descriptionro|rw Restores the read-only community to Public, or the read-

write community to Private.

no snmp-server contact command

The no snmp-server contact command clears the sysContact value.

The syntax for the no snmp-server contact command is

no snmp-server contactThe no snmp-server contact command executes in the Global Configuration mode.

default snmp-server contact command

The default snmp-server contact command restores sysContact to the defaultvalue.




The syntax for the default snmp-server contact command is

default snmp-server contactThe default snmp-server contact command executes in the Global Configurationmode.

snmp-server command

The snmp-server command enables or disables the SNMP server.

The syntax for the snmp-server command is:

snmp-server {enable|disable}The following table describes the parameters for this command.

Table 53: snmp-server command parameters

Parameter Descriptionenable|disable Enables or disables the SNMP server.

no snmp-server command

The no snmp-server command disables SNMP access.

The syntax for the no snmp-server command is

no snmp-serverThe no snmp-server command executes in the Global Configuration mode.

The no snmp-server command has no parameters or variables.

Important:If you disable SNMP access to the switch, you cannot use Device Manager for the switch.

snmp-server host command

The snmp-server host command adds a trap receiver to the trap-receiver table.

In the proprietary method, the table has a maximum of four entries, and these entries cangenerate only SNMPv1 traps. This command controls the contents of the s5AgTrpRcvrTable,which is the set of trap destinations controlled by the SNMP Configuration screen in the consoleinterface.

The proprietary method syntax for the snmp-server host for command is



snmp-server host <host-ip> <community-string>Using the new standards-based SNMP method, you can create several entries in SNMPv3MIBs. Each can generate v1, v2c, or v3 traps.

Important:Before using the desired community string or user in this command, ensure that it isconfigured with a notify-view.

The new standards-based method syntax for the snmp-server host command is

snmp-server host <host-ip> [port <trap-port>] {v1 <community-string>|v2c <community-string>|v3 {auth|no-auth|auth-priv}<username>The snmp-server host command executes in the Global Configuration mode.


Table 54: snmp-server host command parameters

Parameter Descriptionhost-ip Enter a dotted-decimal IP address of a host

to be the trap destination.

community-string If you are using the proprietary method forSNMP, enter a community string that worksas a password and permits access to theSNMP protocol.

port <trap-port> Enter a value for the SNMP trap port between1 and 65535.

v1<community-string> To configure the new standards-basedtables, using v1 creates trap receivers in theSNMPv3 MIBs. Multiple trap receivers withvarying access levels can be created.

v2c<community-string> To configure the new standards-basedtables, using v2c creates trap receivers in theSNMPv3 MIBs. Multiple trap receivers withvarying access levels can be created.

v3{auth|no-auth|auth-priv} To configure the new standards-basedtables, using v3 creates trap receivers in theSNMPv3 MIBs. Multiple trap receivers withvarying access levels can be created. Enterthe following variables:




Parameter Description

• auth—auth specifies SNMPv3 traps aresent using authentication and no privacy.

• no-auth—no-auth specifies SNMPv3 trapsare sent using with no authentication andno privacy.

• auth-priv—specifies traps are sent usingauthentication and privacy; this parameteris available only if the image has full SHA/DES support.

username To configure the new standards-basedtables; specifies the SNMPv3 username fortrap destination; enter an alphanumericstring.

show snmp-server host command

The show snmp-server host command displays the current SNMP host informationincluding the configured trap port.

The syntax for the show snmp-server host command is

show snmp-server hostThe show snmp-server host executes in the Privileged EXEC mode.

no snmp-server host command

The no snmp-server host command deletes trap receivers from the table.

The proprietary method syntax for the no snmp-server host command is

no snmp-server host [<host-ip> [community-string>]]Using the standards-based method of configuring SNMP, a trap receiver matching the IPaddress and SNMP version is deleted.

The standards-based method syntax for the no snmp-server host command is

no snmp-server host <host-ip> [port<trap-port>] {v1|v2c|v3|<community-string>}The no snmp-server host command executes in the Global Configuration mode.

If you do not specify any parameters, this command deletes all trap destinations from thes5AgTrpRcvrTable and from SNMPv3 tables.




Table 55: no snmp-server host command parameters

Parameter Description<host-ip> [<community-string>] In the proprietary method, enter the following

variables:

• host-ip—the IP address of a trapdestination host.

• community-string—the community stringthat works as a password and permitsaccess to the SNMP protocol.

If both parameters are omitted, all hosts arecleared, proprietary and standards-based. Ifa host IP is included, the community-string isrequired or an error is reported.

<host-ip> Using the standards-based method, enterthe IP address of a trap destination host.

port <trap-port> Using the standards-based method, enterthe SNMP trap port.

v1|v2c|v3|<community-string> Using the standards-based method,specifies trap receivers in the SNMPv3 MIBs.<community-string>—the community stringthat works as a password and permitsaccess to the SNMP protocol.

default snmp-server host command

The default snmp-server host command restores the-old style SNMP server and thestandards based tables are reset (cleared).

The syntax for the default snmp-server host command is:

default snmp-server hostThe default snmp-server host command is executed in the Global Configurationmode.

The default snmp-server host command has no parameters or variables.

snmp-server location command

The snmp-server location command configures the SNMP sysLocation value.

The syntax for the snmp-server location command is:

snmp-server location <text>




The snmp-server location command is executed in the Global Configuration mode.


Table 56: snmp-server location command parameters

Parameter Descriptiontext Specify the SNMP sysLocation value; enter an

alphanumeric string of up to 255 characters.

no snmp-server location command

The no snmp-server location command clears the SNMP sysLocation value.

The syntax for the no snmp-server location command is:

no snmp-server locationThe no snmp-server location command is executed in the Global Configurationmode.

default snmp-server location command

The default snmp-server location command restores sysLocation to the defaultvalue.

The syntax for the default snmp-server location command is:

default snmp-server locationThe default snmp-server location command is executed in the Global Configurationmode.

snmp-server name command

The snmp-server name command configures the SNMP sysName value.

The syntax for the snmp-server name command is:

snmp-server name <text>The snmp-server name command is executed in the Global Configuration mode.




Table 57: snmp-server name command parameters

Parameter Descriptiontext Specify the SNMP sysName value; enter an

alphanumeric string of up to 255 characters.

no snmp-server name command

The no snmp-server name command clears the SNMP sysName value.

The syntax for the no snmp-server name command is:

no snmp-server nameThe no snmp-server name command is executed in the Global Configuration mode.

default snmp-server name command

The default snmp-server name command restores sysName to the default value.

The syntax for the default snmp-server name command is:

default snmp-server nameThe default snmp-server name command is executed in the Global Configurationmode.

snmp-server user command

The snmp-server user command creates an SNMPv3 user.

For each user, you can create three sets of read/write/notify views:

• for unauthenticated access• for authenticated access• for authenticated and encrypted access

The syntax for the snmp-server user command for unauthenticated access is:

snmp-server user <username> [read-view<view-name>] [write-view<view-name>] [notify-view<view-name]The syntax for the snmp-server user command for authenticated access is:

snmp-server user <username> [read-view<view-name>] [write-view<view-name>] [notify-view<view-name]] md5|sha <password> [read-view<view-name>] [write-view<view-name>] [notify-view<view-name]




The syntax for the snmp-server user command for authenticated and encrypted accessis:

snmp-server user <username> [read-view<view-name>] [write-view<view-name>] [notify-view<view-name]] md5|sha <password> [read-view<view-name>] [write-view<view-name>] [notify-view<view-name]] {3des|aes|des} <password> [read-view<view-name>] [write-view<view-name>][notify-view<view-name]The snmp-server user command is executed in the Global Configuration mode.

The sha and 3des/aes/des parameters are only available if the switch image has SSHsupport.

For authenticated access, you must specify the md5 or sha parameter. For authenticated andencrypted access, you must also specify the 3des, aes, or des parameter.

For each level of access, you can specify read, write, and notify views. If you do not specifyview parameters for authenticated access, the user will have access to the views specified forunauthenticated access. If you do not specify view parameters for encrypted access, the userwill have access to the views specified for authenticated access or, if no authenticated viewswere specified, the user will have access to the views specified for unauthenticated access.


Table 58: snmp-server user command parameters

Parameters Descriptionusername Specifies the user name. Enter an alphanumeric string

of up to 255 characters.

md5 <password> Specifies the use of an md5 password. <password>specifies the new user md5 password; enter analphanumeric string. If this parameter is omitted, the useris created with only unauthenticated access rights.

read-view <view-name> Specifies the read view to which the new user hasaccess:

view-name—specifies the viewname; enter analphanumeric string of up to 255 characters.

write-view <view-name> Specifies the write view to which the new user hasaccess:

view-name—specifies the viewname; enter analphanumeric string that can contain at least some ofthe nonalphanumeric characters.

notify-view <view-name> Specifies the notify view to which the new user hasaccess:

view-name—specifies the viewname; enter analphanumeric string that can contain at least some ofthe nonalphanumeric characters.



Parameters DescriptionSHA Specifies SHA authentication.

3DES Specifies 3DES privacy encryption.

AES Specifies AES privacy encryption.

DES Specifies DES privacy encryption.

engine-id Specifies the new remote user to receive notifications.

notify-view—specifies the viewname to notify.

Important:If a view parameter is omitted from the command, that view type cannot be accessed.

no snmp-server user command

The no snmp-server user command deletes the specified user.

The syntax for the no snmp-server user command is:

no snmp-server user [engine-id<engine ID>] <username>The no snmp-server user command is executed in the Global Configuration mode.

Important:If you do not specify any parameters, this command deletes all snmpv3 users from theSNMPv3 tables.


Table 59: no snmp-server user command parameters

Parameters Description[engine-id <engine ID>] Specifies the SNMP engine ID of the remote SNMP

entity.

username Specifies the user to be removed.

snmp-server view command

The snmp-server view command creates an SNMPv3 view. The view is a set of MIB objectinstances which can be accessed.

The syntax for the snmp-server view command is:




snmp-server view <view-name> <OID> [<OID> {<OID> [<OID> [<OID> [<OID>[<OID> [<OID> [<OID> [<OID>]]]]]]]]]The snmp-server view command is executed in the Global Configuration mode.


Table 60: snmp-server view command parameters

Parameters Descriptionviewname Specifies the name of the new view; enter an

alphanumeric string.

OID Specifies Object identifier. OID can be entered as adotted form OID. Each OID must be preceded by a+ or - sign (if this is omitted, a + sign is implied). The+ is not optional.For the dotted form, a sub-identifier can be anasterisk, indicating a wildcard. Here are someexamples of valid OID parameters:

• sysName

• +sysName

• -sysName

• +sysName.0

• +ifIndex.1

• -ifEntry..1 (this matches all objects in the ifTablewith an instance of 1; that is, the entry for interface#1)

• 1.3.6.1.2.1.1.1.0 (the dotted form of sysDescr)

The + or - indicates whether the specified OID isincluded in or excluded from, the set of MIB objectsaccessible using this view.There are 10 possible OID values.

no snmp-server view command

The no snmp-server view command deletes the specified view.

The syntax for the no snmp-server view is:

no snmp-server view <viewname>The no snmp-server view is executed in the Global Configuration mode.




Table 61: no snmp-server view command parameters

Parameter Descriptionviewname Specifies the name of the view to be removed. This is

not an optional parameter.

snmp-server bootstrap command

The snmp-server bootstrap command allows you to specify how you wish to secureSNMP communications, as described in the SNMPv3 standards. It creates an initial set ofconfiguration data for SNMPv3. This configuration data follows the conventions described inthe SNMPv3 standard (in RFC 3414 and 3415). This commands creates a set of initial users,groups and views.

Important:This command deletes all existing SNMP configurations, hence must be used with care.

The syntax for the snmp-server bootstrap command is:

snmp-server bootstrap <minimum-secure>|<semi-secure>|<very-secure>The snmp-server bootstrap command is executed in the Global Configuration mode.


Table 62: snmp-server bootstrap command parameters

Parameters Description<minimum-secure> Specifies a minimum security configuration that allows read

access and notify access to all processes (view restricted) withnoAuth-noPriv and read, write, and notify access to allprocesses (internet view) using Auth-noPriv and Auth-Priv.

Important:In this configuration, view restricted matches viewinternet.

<semi-secure> Specifies a minimum security configuration that allows readaccess and notify access to all processes (view restricted) withnoAuth-noPriv and read, write, and notify access to allprocesses (internet view) using Auth-noPriv and Auth-Priv.

Important:In this configuration, restricted contains a smaller subset ofviews than internet view. The subsets are defined accordingto RFC 3515 Appendix A.

<very-secure> Specifies a maximum security configuration that allows noaccess to the users.




show snmp-server notification-control

The show snmp-server notification-control command shows the current state ofthe applicable notifications.

The syntax for the show snmp-server notification-control command is

show snmp-server notification-controlThe show snmp-server notification-control command executes in PrivilegedEXEC mode.

snmp-server notification-control command

The snmp-server notification-control command enables the notification identifiedby the command parameter. The notification options are:

• DHCP Snooping: bsDhcpSnoopingBindingTableFull, bsDhcpSnoopingTrap• Dynamic ARP Inspection: bsaiArpPacketDroppedOnUntrustedPort• IP Source Guard: bsSourceGuardReachedMaxIpEntries,

bsSourceGuardCannotEnablePortThe syntax for the snmp-server notification-control command is

snmp-server notification-control <WORD/1-128>The snmp-server notification-control command executes in Global Configurationmode.


Table 63: snmp-server notification-control command parameters

Parameter Description<WORD/1-128> Can either be the English description or the OID of a

supported notification type.

no snmp-server notification-control

The no snmp-server notification-control command disables the notificationidentified by the command parameter. The notification options are:

• DHCP Snooping: bsDhcpSnoopingBindingTableFull, bsDhcpSnoopingTrap• Dynamic ARP Inspection: bsaiArpPacketDroppedOnUntrustedPort• IP Source Guard: bsSourceGuardReachedMaxIpEntries,

bsSourceGuardCannotEnablePort



The syntax for the no snmp-server notification-control command is

no snmp-server notification-control <WORD/1-128>The no snmp-server notification-control command executes in GlobalConfiguration mode.


Table 64: no snmp-server notification-control command parameters

Parameter Description<WORD/1-128> Can either be the English description or the OID of a

supported notification type.

default snmp-server notification-control

The default snmp-server notification-control command returns the notificationidentified by the command parameter to its default state.

The syntax for the default snmp-server notification-control command is

default snmp-server notification-control <WORD/1-128>The default snmp-server notification-control command executes in GlobalConfiguration mode.


Table 65: default snmp-server notification-control command parameters

Parameter Description<WORD/1-128> Can either be the English description or the OID of a supported

notification type.

spanning-tree rstp traps command

The RSTP traps feature provides notifications for the following events:

• RSTP instance up/down• RSTP core memory allocation error• RSTP core buffer allocation error• New root bridge• Port protocol migration

The default settings of RSTP traps are enabled. The events are notified as SNMP traps andas system log messages.




The following messages for the RSTP traps will be logged into the system log:

• Trap: RSTP General Event (Up/Down)• Trap: RSTP Error Event (Mem Fail / Buff Fail)• Trap: RSTP New Root tt:tt:tt:tt:tt:tt:tt:tt• Trap: RSTP Topology Change• Trap: RSTP Protocol Migration Type: Send (RSTP/STP) for Port: t

If the traps are not received on the traps receiver host (should be configured) but the traps arelogged into the system log, the network connectivity should be checked.

The spanning-tree rstp traps command enables RSTP traps.

The syntax for the spanning-tree rstp traps command is

spanning-tree rstp trapsThe spanning-tree rstp traps command executes in the Global Configuration mode.

no spanning-tree rstp traps command

The no spanning-tree rstp traps command disables RSTP traps.

The syntax for the no spanning-tree rstp traps is

no spanning-tree rstp trapsThe no spanning-tree rstp traps command executes in the Global Configurationmode.

default spanning-tree rstp traps command

The default spanning-tree rstp traps command returns RSTP traps to their defaultstate.

The syntax for the default spanning-tree rstp traps is

default spanning-tree rstp trapsThe default spanning-tree rstp traps command executes in the GlobalConfiguration mode.

show spanning-tree rstp traps config conmmand

The show spanning-tree rstp traps config command shows the current state of theRSTP trap.

The syntax for the show spanning-tree rstp traps config command is



show spanning-tree rstp traps configThe show spanning-tree rstp traps config command executes in the PrivilegedEXEC mode.

Configuring TACACS+ using CLIAbout this taskTo configure TACACS+ to perform AAA services for system users, do the following:

1. Configure the TACACS+ server itself. For more information, see the vendordocumentation for your server for specific configuration procedures.

2. Configure TACACS+ server settings on the switch3. Enable TACACS+ services over serial or Telnet connections4. Enable TACACS+ authorization and specify privilege levels5. Enable TACACS+ accounting

Important:You can enable TACACS+ authorization without enabling TACACS+ accounting, and youcan enable TACACS+ accounting without enabling TACACS+ authorization.

Use the following commands to configure TACACS+:

• Configuring TACACS+ server settings on page 118• Enabling remote TACACS+ services on page 119• Enabling TACACS+ authorization on page 120• Setting authorization privilege levels on page 120• Viewing TACACS+ information on page 121

Configuring TACACS+ server settings

About this taskTo add a TACACS+ server, use the following command in Global or Interface Configurationmode:

tacacs serverThe following table describes the parameters for this command.

Table 66: tacas server command parameters

Parameter Descriptionhost <IPaddr> Specifies the IP address of the primary

server you want to add or configure.




Parameter Descriptionkey <key> Specifies the secret authentication and

encryption key used for all communicationsbetween the NAS and the TACACS+ server.The key, also referred to as the sharedsecret, must be the same as the one definedon the server. You are prompted to confirmthe key when you enter it.

Important:The key parameter is a requiredparameter when you create a new serverentry. The parameter is optional when youare modifying an existing entry.

[secondary host <IPaddr>] Specifies the IP address of the secondaryserver. The secondary server is used only ifthe primary server does not respond.

[port <port>] Specifies the TCP port for TACACS+ whereport is an integer in the range of 0-65535.The default port number is 49.

To delete a TACACS+ server, use one of the following commands in Global or InterfaceConfiguration mode:

no tacacsdefault tacacsThe commands erase settings for the TACACS+ primary and secondary servers and secretkey, and restore default port settings.

Enabling remote TACACS+ services

About this taskTo enable TACACS+ to provide services to remote users over serial or Telnet connections, usethe following commands in Global or Interface Configuration mode.

For serial connections:

cli password serial tacacsFor Telnet connections:

cli password telnet tacacsYou must configure a TACACS+ server on the switch before you can enable remote TACACS+ services. For more information about configuring the primary TACACS+ server and sharedsecret, see “Configuring TACACS+ server settings” (page 159).



Enabling TACACS+ authorization

About this taskTo enable TACACS+ authorization globally on the switch, use the following command in Globalor Interface Configuration mode:

tacacs authorization enableTo disable TACACS+ authorization globally on the switch, use the following command in Globalor Interface Configuration mode:

tacacs authorization disableThe default is disabled.

Setting authorization privilege levels

The preconfigured privilege levels control which commands can be executed. If a user hasbeen assigned a privilege level for which authorization has been enabled, TACACS+authorizes the authenticated user to execute a specific command only if the command isallowed for that privilege level.

To specify the privilege levels to which authorization applies, use the following command inGlobal or Interface Configuration mode:

tacacs authorization level all|<level>|noneThe following table describes the parameters for this command.

Table 67: tacas authorization command parameters

Parameter Descriptionall Authorization is enabled for all privilege levels.

<level> An integer in the range 0–15 that specifies theprivilege levels for which authorization is enabled.You can enter a single level, a range of levels, orseveral levels. For any levels you do not specify,authorization does not apply, and users assignedto these levels can execute all commands.

none Authorization is not enabled for any privilege level.All users can execute any command available onthe switch.




Viewing TACACS+ information

About this taskTo display TACACS+ configuration status, enter the following command from any mode:

show tacacs

Configuring IP Manager using CLIAbout this taskTo configure the IP Manager to control management access to the switch, do the following:

• Enable IP Manager.• Configure the IP Manager list.

Use the following commands to configure IP Manager:

• Enabling IP Manager on page 121• Configuring the IP Manager list on page 122• Removing IP Manager list entries on page 122• Viewing IP Manager settings on page 122

Enabling IP Manager

About this taskTo enable IP Manager to control Telnet, SNMP, SSH, or HTTP access, use the followingcommand in Global Configuration mode:

ipmgr {telnet|snmp|web|ssh}The following table describes the parameters for this command.

Table 68: Enabling IP manager command parameters

Parameter Descriptiontelnet Enables the IP Manager list check for Telnet access.

snmp Enables the IP Manager list check for SNMP, includingDevice Manager.

web Enables the IP Manager list check for Web-basedmanagement system.

ssh Enables the IP Manager list check for SSH access.



To disable IP Manager for a management system, use the no keyword at the start of thecommand.

Configuring the IP Manager list

About this taskTo specify the source IP addresses or address ranges that have access the switch when IPManager is enabled, use the following command in Global Configuration mode:

For Ipv4 entries with list ID between 1-50:

ipmgr source-ip <list ID> <Ipv4addr> [mask<mask>]The following table describes the parameters for this command.

Table 69: ipmgr source-ip command parameters

Parameter Description<list ID> An integer in the range 1-50 for Ipv4 entries and

51-100 for Ipv6 entries that uniquely identifies theentry in the IP Manager list.

<Ipv4addr> Specifies the source IP address from whichaccess is allowed. Enter the IP address either asan integer or in dotted-decimal notation.

[mask <mask>] Specifies the subnet mask from which access isallowed. Enter the IP mask in dotted-decimalnotation.

Removing IP Manager list entries

To deny access to the switch for specified source IP addresses or address ranges, use thefollowing command in Global Configuration mode:

no ipmgr source-ip [<list ID>]<list ID> is an integer in the range 1-50 for Ipv4 addresses that uniquely identifies the entry inthe IP Manager list.

The command sets both the IP address and mask for the specified entry to 255.255.255.255for Ipv4 entries. If you do not specify a <list ID> value, the command resets the whole listto factory defaults.

Viewing IP Manager settings

About this taskTo view IP Manager settings, use the following command in any mode:




show ipmgrThe command displays

• whether Telnet, SNMP, SSH, and Web access are enabled• whether the IP Manager list is being used to control access to Telnet, SNMP, SSH, and

Web-based management system• the current IP Manager list configuration

Configuring password security using CLIAbout this taskThe CLI commands detailed in this section are used to manage password security features.These commands can be used in the Global Configuration and Interface Configurationcommand modes.

• Enabling password security on page 123• Disabling password security on page 123• Creating user names and passwords on page 124• Configuring password retry attempts on page 124• Configuring password history on page 124• Defaulting password history on page 124• Displaying password history settings on page 125

Enabling password security

About this taskThe password security command enables the Password Security feature on the WLAN8100 Series.

The syntax of the password security command is

password security

Disabling password security

The no password security command disables the Password Security feature on theWLAN 8100 Series.

The syntax for the no password security command is

no password security



Creating user names and passwords

About this taskUse the username command to create custom user names and assign switch read-only andread-write passwords to them. These custom user names apply to local authentication only.

The syntax of this command is as follows:

username <username> {ro | rw}After entering this command the user is prompted to enter the password for the new user.

Custom users cannot have custom access rights and limitations. Use of the associated read-only password confers the same rights and limitations as the default read-only user. Use ofthe associated read-write password confers the same rights and limitation as the default read-write user.

Configuring password retry attempts

About this taskTo configure the number of times a user can retry a password, use the following command inGlobal or Interface Configuration mode:

telnet-access retry <number>Where number is an integer in the range 1 to 100 that specifies the allowed number of failedlog on attempts. The default is 3.

Configuring password history

About this taskUse the password password-history command to configure the number of passwordsstored in the password history table. This command has the following syntax:

password password-history <3-10>The parameter <3-10> represents the number of passwords to store in the history table. Usethe appropriate value when configuring the feature.

Defaulting password history

Use the default password password-history command to return the number ofpasswords stored in the password history table to the default value of 3.




Displaying password history settings

The show password password-history command is used to display the number ofpasswords currently stored in the password history table.

Configuring Avaya Secure Network Access OptionsAbout this taskUse the following procedure to configure Avaya Secure Network Access (formerly NortelSecure Network Access or NSNA).

Procedure



3. Use the command nsna fail-open and one of the following commands toconfigure fail-open options:

a. Use the command filter-vlan-id <1–4094> to set fail-open filter vlanID.

b. Use the command vlan-id <1–4094> to set fail-open vlan ID.

c. Use the command enable to enable secure network access fail-open.

4. Use the command nsnas <subnet address> to set the secure network accesssubnet.

5. Use the command nsnas phone-signature <WORD> to assign a securenetwork access phone signature.

6. Use the command nsnas vlan <1–4094> to set the secure network access vlanID.

Displaying CLI Audit log using CLIAbout this taskThe CLI audit provides a means for tracking CLI commands. The show audit log commanddisplays the command history audit log stored in NVRAM. The syntax for the show auditlog command is:

show audit log [asccfg | serial | telnet]The show audit log command is in the Privileged EXEC mode.



The following table describes the parameters and variables for the show audit logcommand.

Table 70: show audit log command parameters

Parameter Descriptionasccfg Displays the audit log for ASCII configuration.

serial Displays the audit log for serial connections.

telnet Displays the audit log for Telnet and SSHconnections.

Enabling Audit Log Save SettingsAbout this taskUse the following procedure to enable Audit Log save settings.

Procedure



3. Use the command audit log save enable to enable audit log save settings.

Configuring Secure Socket Layer services using CLIAbout this taskThe following table lists CLI commands available for working with Secure Socket Layer(SSL).

Table 71: SSL commands

Command Description[no] ssl Enables or disables SSL. The Web server operates

in a secure mode when SSL is enabled and innonsecure mode when the SSL server is disabled.

[no] ssl certificate Creates or deletes a certificate. The new certificate isused only on the next system reset or SSL serverreset. The new certificate is stored in the NVRAM withthe file name SSLCERT.DAT. The new certificate filereplaces the existing file. On deletion, the certificatein NVRAM is also deleted. The current SSL server




Command Descriptionoperation is not affected by the create or deleteoperation.

ssl reset Resets the SSL server. If SSL is enabled, the SSLserver is restarted and initialized with the certificatethat is stored in the NVRAM. Any existing SSLconnections are closed. If SSL is not enabled, theexisting nonsecure connection is also closed and thenonsecure operation resumes.

show ssl Shows the SSL server configuration and SSL serverstate.

show ssl certificate Displays the certificate which is stored in the NVRAMand is used by the SSL server.

The following table describes the output for the show ssl command.

Table 72: Server state information

Field DescriptionWEB Server SSL secured Shows whether the Web server is using an

SSL connection.

SSL server state Displays one of the following states:

• Un-initialized: The server is not running.

• Certificate Initialization: The server isgenerating a certificate during itsinitialization phase.

• Active: The server is initialized andrunning.

SSL Certificate: Generation in progress Shows whether SSL is in the process ofgenerating a certificate. The SSL servergenerates a certificate during server startupinitialization, or CLI user can regenerate anew certificate.

SSL Certificate: Saved in NVRAM Shows whether an SSL certificate exists inthe NVRAM. The SSL certificate is notpresent if the system is being initialized forthe first time or CLI user has deleted thecertificate.



Configuring Secure Shell protocol using CLIAbout this taskSecure Shell protocol is used to improve Telnet and provide a secure access to CLI interface.There are two versions of the SSH Protocol. The WLAN 8100 Series SSH supports SSH2.

The following CLI commands are used in the configuration and management of SSH.

• show ssh command on page 128• ssh dsa-host-key command on page 129• no ssh dsa-host-key command on page 129• ssh download-auth-key command on page 129• no ssh dsa-auth-key command on page 130• ssh command on page 130• no ssh command on page 130• ssh secure command on page 131• ssh dsa-auth command on page 131• no ssh dsa-auth on page 131• default ssh dsa-auth command on page 132• ssh pass-auth command on page 132• no ssh pass-auth command on page 132• default ssh pass-auth command on page 132• ssh port command on page 132• default ssh port command on page 133• ssh timeout command on page 133• default ssh timeout command on page 133

show ssh command

This command displays information about all active SSH sessions and on other general SSHsettings.

The syntax for the show ssh command is:

show ssh {global|session|download-auth-key}The following table describes the parameters for this command.




Table 73: show ssh command parameters

Parameter Descriptiondownload-auth-key Display authorization key and TFTP server IP address

global Display general SSH settings

session Display SSH session information

The show ssh global command is executed in the Privileged EXEC command mode.

ssh dsa-host-key command

The ssh dsa-host-key command triggers the DSA key regeneration.

The syntax for the ssh dsa-host-key command is:

ssh dsa-host-keyThe command is executed in the Global Configuration mode.

The ssh dsa-host-key command has no parameters or variables.

no ssh dsa-host-key command

The no ssh dsa-host-key command deletes the DSA keys in the switch. A new DSA keycan be generated by executing dsa-host-key or SSH enable commands.

The syntax for the no ssh dsa-host-key command is:

no ssh dsa-host-keyThe no ssh dsa-host-key command is executed in the Global Configuration mode.

The no ssh dsa-host-key command has no parameters or variables.

ssh download-auth-key command

The ssh download-auth-key command downloads the DSA authentication key into theswitch from the specified TFTP server or from the USB stick, if available.

The syntax for the ssh download-auth-key command is:

ssh download-auth-key [address] [<key-name>] [usb]The following table describes the parameters for this command.



Table 74: ssh download-auth-key command parameters

Parameter Descriptionaddress Specify the TFTP server IP address.

key-name Specify the TFTP/USB file name.

usb Specify whether download SSH auth key from theUSB stick.Available only if the device has USB port.

The ssh download-auth-key command is executed in the Global Configuration mode.

no ssh dsa-auth-key command

The no ssh dsa-auth-key command deletes the DSA authentication key stored in theswitch.

The syntax for the no ssh dsa-auth-key command is:

no ssh dsa-auth-keyThe no ssh dsa-auth-key command is executed in the Global Configuration mode.

ssh command

The ssh command enables SSH in a non secure mode. If the host keys do not exist, they aregenerated.

The syntax for the ssh command is:

sshThe ssh command is executed in the Global Configuration mode.

This command has no parameters.

no ssh command

The no ssh command disables SSH.

The syntax for the no ssh command is:

no ssh {dsa-auth|dsa-auth-key|dsa-host-key|pass-auth}The following table describes the parameters for this command.




Table 75: no ssh command parameters

Parameter Descriptiondsa-auth Disable SSH DSA authentication.

dsa-auth-key Delete SSH DSA auth key.

dsa-host-key Delete SSH DSA host key.

pass-auth Disable SSH password authentication.

The no ssh command is executed in the Global Configuration mode.

ssh secure command

The ssh secure command disables web, SNMP, and Telnet management interfacespermanently.

The no ssh command does NOT turn them back on; they must be re-enabled manually. Awarning message is issued to the user to enable one of the other interfaces before turning offSSH secure mode.

The syntax for the ssh secure command is:

ssh secureThe ssh secure command is executed in the Global Configuration mode.

ssh dsa-auth command

The ssh dsa-auth command enables the user log on using DSA key authentication.

The syntax for the command is:

ssh dsa-authThe ssh dsa-auth command is executed in the Global Configuration mode.

no ssh dsa-auth

The no ssh dsa-auth command disables user log on using DSA key authentication.

The syntax for the no ssh dsa-auth command is:

no ssh dsa-authThe no ssh dsa-auth command is executed in the Global Configuration mode.



default ssh dsa-auth command

The default ssh dsa-auth command enables the user log on using the DSA keyauthentication.

The syntax for the default ssh dsa-auth command is:

default ssh dsa-authThe default ssh dsa-auth command is executed in the Global Configuration mode.

ssh pass-auth command

The ssh pass-auth command enables user log on using the password authenticationmethod.

The syntax for the ssh pass-auth command is:

ssh pass-authThe ssh pass-auth command is executed in the Global Configuration mode.

no ssh pass-auth command

The no ssh pass-auth command disables user log on using password authentication.

The syntax for the no ssh pass-auth command is:

no ssh pass-authThe no ssh pass-auth command is executed in the Global Configuration mode.

default ssh pass-auth command

The default ssh pass-auth command enables user log on using passwordauthentication.

The syntax for the default ssh pass-auth command is:

default ssh pass-authThe default ssh pass-auth command is executed in the Global Configuration mode.

ssh port command

The ssh port command sets the TCP port for the SSH daemon.




The syntax for the ssh port command is:

ssh port <1-65535>Substitute the <1-65535> with the number of the TCP port to be used.

The ssh port command is executed in the Global Configuration mode.

default ssh port command

The default ssh port command sets the default TCP port for the SSH daemon.

The syntax for the default ssh port command is:

default ssh portThe default ssh port command is executed in the Global Configuration mode.

ssh timeout command

The ssh timeout command sets the authentication timeout, in seconds.

The syntax of the ssh timeout command is:

ssh timeout <1-120>Substitute <1-120> with the desired number of seconds.

The ssh timeout command is executed in the Global Configuration mode.

default ssh timeout command

The default ssh timeout command sets the default authentication timeout to 60seconds.

The syntax for the default ssh timeout command is:

default ssh timeoutThe default ssh timeout command is executed in the Global Configuration mode.

Configuring VLANs and Link AggregationAbout this taskThis chapter describes the methods and procedures necessary to configure VLANs, SpanningTree and Link Aggregation on the WC 8180.

Configuring VLANs and Link Aggregation


Navigation

• Configuring VLANs using CLI on page 134• Configuring STP using CLI on page 146• Configuring MLT using CLI on page 157• Configuring LACP and VLACP using CLI on page 160

Configuring VLANs using CLIAbout this taskThe Command Line Interface commands detailed in this section allow for the creation andmanagement of VLANs. Depending on the type of VLAN being created or managed, thecommand mode needed to execute these commands can differ.

Navigation

This section contains information about the following topics:

• Displaying VLAN information on page 134• Displaying VLAN interface information on page 136• Displaying VLAN port membership on page 136• Setting the management VLAN on page 136• Resetting the management VLAN to default on page 137• Creating a VLAN on page 137• Deleting a VLAN on page 138• Modifying VLAN MAC address flooding on page 138• Configuring VLAN name on page 139• Enabling automatic PVID on page 139• Configuring VLAN port settings on page 139• Configuring VLAN members on page 140• Configuring VLAN Configuration Control on page 141• Managing the MAC address forwarding database table on page 142• IP Directed Broadcasting on page 145

Displaying VLAN information

About this taskUse the following procedure to display the number, name, type, protocol, user PID, state of aVLAN and whether it is a management VLAN.




Procedure

To display VLAN information, use the following command from Privileged EXECmode.show vlan [configcontrol] [dhcp-relay <1-4094>] [igmp{<1-4094>| unknown-mcast-allow-flood | unknown-mcast-no-flood}] [interface { info | vids}] [ip <vid>] [mgmt] [multicast<membership>] [type {port | protocol-ipEther2| protocol-ipx802.3 | protocol-ipx802.2 | protocol-ipxSnap | protocol-ipxEther2 | protocol-decEther2 | protocol-snaEther2 | protocol-Netbios | protocol-xnsEther2 | protocol-vi nesEther2 |protocol-ipv6Ether2 | protocol-Userdef |protocol-RarpEther2][vid <1-4094>]

Variable definitions

The following table describes the variables for this command.

Variable Valuevid <1-4094> Enter the number of the VLAN to display.

type Enter the type of VLAN to display:

• port - port-based

• protocol - protocol-based (see following list)

protocol-ipEther2 Specifies an ipEther2 protocol-based VLAN.

protocol-ipx802.3 Specifies an ipx802.3 protocol-based VLAN.


protocol-ipxSnap Specifies an ipxSnap protocol-based VLAN.

protocol-ipxEther2 Specifies an ipxEther2 protocol-based VLAN.

protocol-decEther2 Specifies a decEther2 protocol-based VLAN.

protocol-snaEther2 Specifies an snaEther2 protocol-based VLAN.

protocol-Netbios Specifies a NetBIOS protocol-based VLAN.

protocol-xnsEther2 Specifies an xnsEther2 protocol-based VLAN.

protocol-vinesEther2 Specifies a vinesEther2 protocol-based VLAN.

protocol-ipv6Ether2 Specifies an ipv6Ether2 protocol-based VLAN.

protocol-Userdef Specifies a user-defined protocol-based VLAN.

protocol-RarpEther2 Specifies a RarpEther2 protocol-based VLAN.



Displaying VLAN interface information

About this taskUse the following procedure to display VLAN settings associated with a port, including tagginginformation, PVID number, priority, and filtering information for tagged, untagged, andunregistered frames.

Procedure

To display VLAN interface information, use the following command from PrivilegedEXEC mode.show vlan interface info [<portlist>]

Displaying VLAN port membership

About this taskUse the following procedure to display port memberships in VLANs.

Procedure

To display VLAN port memberships, use the following command from Privileged EXECmode.show vlan interface vids [<portlist>]

Setting the management VLAN

About this taskUse the following procedure to set a VLAN as the management VLAN.

Procedure

To set the management VLAN, use the following command from Global Configurationmode.vlan mgmt <1-4094>




Resetting the management VLAN to default

About this taskUse the following procedure to reset the management VLAN to VLAN1.

Procedure

To reset the management VLAN to default, use the following command from GlobalConfiguration mode.default vlan mgmt

Creating a VLAN

About this taskUse the following procedure to create a VLAN. A VLAN is created by setting the state of apreviously nonexistent VLAN.

Procedure

To create a VLAN, use the following command from Global Configuration mode.vlan create <1-4094> [name<line>] type {port | protocol-ipEther2 | protocol-ipx802.3 | protocolipx802.2 | protocol-ipxSnap | protocol-ipxEther2 | protocol-decEther2 | protocol-snaEther2 | protocol-N etbios | protocol-xnsEther2 | protocol-vinesEther2 | protocol-ipv6Ether2 | protocol-Userdef<4096-65534>| protocol-RarpEther2}

Variable definitions

Variable Value<1-4094> Enter the number of the VLAN to create.

name <line> Enter the name of the VLAN to create.

type Enter the type of VLAN to create:

• port - port-based

• protocol - protocol-based (see following list)

protocol-ipEther2 Specifies an ipEther2 protocol-based VLAN.



Variable Valueprotocol-ipx802.3 Specifies an ipx802.3 protocol-based VLAN.


protocol-ipxSnap Specifies an ipxSnap protocol-based VLAN.

protocol-ipxEther2 Specifies an ipxEther2 protocol-based VLAN.

protocol-decEther2 Specifies a decEther2 protocol-based VLAN.

protocol-snaEther2 Specifies an snaEther2 protocol-based VLAN.

protocol-Netbios Specifies a NetBIOS protocol-based VLAN.

protocol-xnsEther2 Specifies an xnsEther2 protocol-based VLAN.

protocol-vinesEther2 Specifies a vinesEther2 protocol-based VLAN.

protocol-Userdef <4096-65534> Specifies a user-defined protocol-based VLAN.

protocol-ipv6Ether2 Specifies an ipv6Ether2 protocol-based VLAN.

Deleting a VLAN

About this taskUse the following procedure to delete a VLAN.

Procedure

To delete a VLAN, use the following command from Global Configuration mode.vlan delete <2-4094>

Modifying VLAN MAC address flooding

About this taskUse the following procedure to remove MAC addresses from the list of addresses for whichflooding is allowed. This procedure can also be used as an alternate method of deleting aVLAN.

Procedure

To modify VLAN MAC address flooding, or to delete a VLAN, use the followingcommand from Global Configuration mode.no vlan [<2-4094>] [igmp unknown-mcast-allow-flood <H.H.H>]




Configuring VLAN name

About this taskUse the following procedure to configure or modify the name of an existing VLAN.

Procedure

To configure the VLAN name, use the following command from Global Configurationmode.vlan name <1-4094> <line>

Enabling automatic PVID

About this taskUse the following procedure to enable the automatic PVID feature.

Procedure

To enable automatic PVID, use the following command from Global Configurationmode.[no] auto-pvidUse the no form of this command to disable

Configuring VLAN port settings

About this taskUse the following procedure to configure VLAN-related settings for a port.

Procedure

To configure VLAN port settings, use the following command from Global Configurationmode.vlan ports [<portlist>] [tagging {enable | disable | tagAll |untagAll | tagPvidOnly | untagPvidOnly}] [pvid <1-4094>][filter-untagged-frame {enable | disable}] [filter-unregistered-frames {enable | disable}] [priority <0-7>] [name<line>]



Variable Definitions

Variable Value<portlist> Enter the port numbers to be configured for a VLAN.

tagging {enable|disable|tagAll|untagAll| tagPvidOnly|untagPvidOnly}

Enables or disables the port as a tagged VLANmember for egressing packet.

pvid <1-4094> Sets the PVID of the port to the specified VLAN.

filter-untagged-frame {enable|disable}

Enables or disables the port to filter received untaggedpackets.

filter-unregistered-frames {enable |disable}

Enables or disables the port to filter receivedunregistered packets. Enabling this feature on a portmeans that any frames with a VID to which the portdoes not belong to are discarded.

priority <0-7> Sets the port as a priority for the switch to consider asit forwards received packets.

name <line> Enter the name you want for this port.Note: This option can only be used if a single port isspecified in the <portlist>

Configuring VLAN members

About this taskUse the following procedure to add or delete a port from a VLAN.

Procedure

To configure VLAN members, use the following command from Global Configurationmode.vlan members [add | remove] <1-4094> <portlist>


Variable Valueadd | remove Adds a port to or removes a port from a VLAN.

Note: If this parameter is omitted, set the exact portmembership for the VLAN; the prior port membership of theVLAN is discarded and replaced by the new list of ports.

<1-4094> Specifies the target VLAN.

portlist Enter the list of ports to be added, removed, or assigned to theVLAN.




Configuring VLAN Configuration Control

About this taskVLAN Configuration Control (VCC) allows a switch administrator to control how VLANs aremodified. VLAN Configuration Control is a superset of the existing AutoPVID functionality andincorporates this functionality for backwards compatibility. VLAN Configuration Control isglobally applied to all VLANs on the switch.

VLAN Configuration Control offers four options for controlling VLAN modification:

• Strict• Automatic• AutoPVID• Flexible

Note: The factory default setting is Strict.

VLAN Configuration Control is only applied to ports with the tagging modes of Untag All andTag PVID Only.

To configure VCC using the CLI, refer to the following commands:

• Displaying VLAN Configuration Control settings on page 141• Modifying VLAN Configuration Control settings on page 141

Displaying VLAN Configuration Control settingsAbout this taskUse the following procedure to display the current VLAN Configuration Control setting.

Procedure

To display VLAN Configuration Control settings, use the following command fromGlobal Configuration mode.show vlan configcontrol

Modifying VLAN Configuration Control settingsAbout this taskUse the following procedure to modify the current VLAN Configuration Control setting. Thiscommand applies the selected option to all VLANs on the switch.

Procedure

To modify VLAN Configuration Control settings, use the following command fromGlobal Configuration morevlan configcontrol <vcc_option>




Variable Value<vcc_option> This parameter denotes the VCC option to use on the

switch. The valid values are:

• automatic -- Changes the VCC option to Automatic.

• autopvid -- Changes the VCC option to AutoPVID.

• flexible -- Changes the VCC option to Flexible.

• strict -- Changes the VCC option to Strict. This is thedefault VCC value.

Managing the MAC address forwarding database table

About this taskThis section shows you how to view the contents of the MAC address forwarding databasetable, as well as setting the age-out time for the addresses.

The MAC flush feature is a direct way to flush MAC addresses from the MAC address table.The MAC flush commands allow flushing of:

• a single MAC address (see “Removing a single address from the MAC address table”(page 157))

• all addresses from the MAC address table (see “Clearing the MAC address table” (page156)

• a port or list of ports (see “Clearing the MAC address table on a FastEthernet interface”(page 156))

• a trunk (see “Clearing the MAC address table on a trunk” (page 156))• a VLAN (see “Clearing the MAC address table on a VLAN” (page 156))

MAC flush deletes dynamically learned addresses. MAC flush commands may not be executedinstantly when the command is issued. Since flushing the MAC address table is not consideredan urgent task, MAC flush commands are assigned the lowest priority and placed in aqueue.

The MAC flush commands are supported in CLI, SNMP, DM, and Web-based Management.

Use the following commands to manage the MAC address forwarding database table:

• Displaying MAC address forwarding table on page 143• Configuring MAC address retention on page 143• Setting MAC address retention time to default on page 144• Clearing the MAC address table on page 144• Clearing the MAC address table on a VLAN on page 144




• Clearing the MAC address table on a FastEthernet interface on page 144• Clearing the MAC address table on a trunk on page 145

Displaying MAC address forwarding tableAbout this taskUse the following procedure to display the current contents of the MAC address forwardingdatabase table. You can filter the MAC Address table by port number. The MAC address tablecan store up to 16000 addresses.

Procedure

To displaying the MAC address forwarding table, use the following command fromPrivileged EXEC modeshow mac-address-table [vid<1-4094>] [aging-time][address<H.H.H>] [port<portlist>]


Variable Valuevid <1-4094> Enter the number of the VLAN for which you want to

display the forwarding database. Default is to displaythe management VLAN’s database.

aging-time Displays the time in seconds after which an unusedentry is removed from the forwarding database.

address <H.H.H> Displays a specific MAC address if it exists in thedatabase. Enter the MAC address you wantdisplayed.

Configuring MAC address retentionAbout this taskUse the following procedure to set the time during which the switch retains unseen MACaddresses.

Procedure

To configure unseen MAC address retention, use the following command from GlobalConfiguration mode.mac-address-table aging-time <10-1 000 000>


Variable Valuevid <10-1 000 000> Enter the aging time in seconds that you want for

MAC addresses before they expire.



Setting MAC address retention time to defaultAbout this taskUse the following procedure to set the retention time for unseen MAC addresses to 300seconds.

Procedure

To set the MAC address retention time to default, use the following command fromGlobal Configuration mode.default mac-address-table aging-time

Clearing the MAC address tableAbout this taskUse the following procedure to clear the MAC address table.

Procedure

To flush the MAC address table, use the following command from Privileged EXECmode.clear mac-address-table

Clearing the MAC address table on a VLANAbout this taskUse the following procedure to flush the MAC addresses for the specified VLAN.

Procedure

To flush the MAC address table for a specific VLAN, use the following command fromPrivileged EXEC mode.clear mac-address-table interface vlan <vlan#>

Clearing the MAC address table on a FastEthernet interfaceAbout this taskUse the following procedure to flush the MAC addresses for the specified ports. This commanddoes not flush the addresses learned on the trunk.

Procedure

To clear the MAC address table on a FastEthernet interface, use the followingcommand from Privileged EXEC mode.clear mac-address-table interface FastEthernet <port-list|ALL>




Clearing the MAC address table on a trunkAbout this taskUse the following procedure to flush the MAC addresses for the specified trunk. This commandflushes only addresses that are learned on the trunk.

Procedure

To flush a single MAC address, use the following command from Privileged EXECmode.clear mac-address-table address <H.H.H>

IP Directed Broadcasting

About this taskIP directed broadcasting takes the incoming unicast Ethernet frame, determines that thedestination address is the directed broadcast for one of its interfaces, and then forwards thedatagram onto the appropriate network using a link-layer broadcast.

IP directed broadcasting in a VLAN forwards direct broadcast packets in two ways:

• Through a connected VLAN subnet to another connected VLAN subnet.• Through a remote VLAN subnet to the connected VLAN subnet.

By default, this feature is disabled.

The following CLI commands are used to work with IP directed broadcasting:

Enabling IP directed broadcast on page 145Enabling IP directed broadcast

About this taskUse the following procedure to enable IP directed broadcast.

Procedure

To enable IP directed broadcast, use the following command from Global Configurationmode.[no] ip directed-broadcast enableUse the no form of this command to disable.



Configuring STP using CLIAbout this taskUse the following procedures to configure STP for the WLAN 8100 Series using the CLI.

• Setting the STP mode using the CLI on page 146• Configuring STP BPDU Filtering using the CLI on page 146• Creating and Managing STGs using the CLI on page 147• Managing RSTP using the CLI on page 154

Setting the STP mode using the CLI

About this taskUse the following procedure to set the STP operational mode.

Procedure

To set the STP mode, use the following command from Global Configuration mode.spanning-tree op-mode {stpg | rstp }

Configuring STP BPDU Filtering using the CLI

About this taskUse the following procedure to configure STP BPDU Filtering on a port. This command isavailable in all STP modes (STPG, RSTP, and MSTP).

Procedure

1. To enable STP BPDU filtering, use the following command from InterfaceConfiguration mode.[no] spanning-tree bpdu-filtering [port<portlist>] [enable][timeout <10-65535> | 0>]Use the no form of this command to disable.

2. To set the STP BPDU Filtering properties on a port to their default values, use thefollowing command from the Interface Configuration command mode:default spanning-tree bpdu-filtering [port<portlist>][enable] [timeout]

3. To show the current status of the BPDU Filtering parameters, use the followingcommand from the Privileged EXEC mode:




show spanning-tree bpdu-filtering [<interface-type>][port<portlist>]


Variable Valueport <portlist> Specifies the ports affected by the command.

enable Enables STP BPDU Filtering on the specified ports.The default value is disabled.

timeout <10-65535| 0> When BPDU filtering is enabled, this indicates thetime (in seconds) during which the port remainsdisabled after it receives a BPDU. The port timer isdisabled if this value is set to 0. The default value is120 seconds.

Creating and Managing STGs using the CLI

About this taskTo create and manage Spanning Tree Groups, you can refer to the Command Line Interfacecommands listed in this section. Depending on the type of Spanning Tree Group that you wantto create or manage, the command mode needed to execute these commands can differ.

In the following commands, the omission of any parameters that specify a Spanning TreeGroup results in the command operating against the default Spanning Tree Group (SpanningTree Group 1).

To configure STGs using the CLI, refer to the following:

• Configuring path cost calculation mode on page 148• Configuring STG port membership mode on page 148• Displaying STP configuration information on page 148• Creating a Spanning Tree Group on page 149• Deleting a Spanning Tree Group on page 149• Enabling a Spanning Tree Group on page 149• Disabling a Spanning Tree Group on page 150• Configuring STP values on page 150• Restoring default Spanning Tree values on page 151• Adding a VLAN to a STG on page 152• Removing a VLAN from a STG on page 152• Configuring STP and MSTG participation on page 152• Resetting Spanning Tree values for ports to default on page 153



Configuring path cost calculation modeAbout this taskUse the following procedure to set the path cost calculation mode for all Spanning Tree Groupson the switch.

Procedure

To configure path cost calculation mode, use the following command from PrivilegedEXEC mode.spanning-tree cost-calc-mode {dot1d | dot1t}

Configuring STG port membership modeAbout this taskUse the following procedure to set the STG port membership mode for all Spanning TreeGroups on the switch.

Procedure

To configure STG port membership mode, use the following command from PrivilegedEXEC mode.spanning-tree port-mode {auto | normal}

Displaying STP configuration informationAbout this taskUse the following procedure to display spanning tree configuration information that is specificto either the Spanning Tree Group or to the port.

Procedure

To display STP configuration information, use the following command from PrivilegedEXEC mode.show spanning-tree [stp <1-8>] {config | port| port-mode |vlans}


Variable Valuestp <1-8> Displays specified Spanning Tree Group

configuration; enter the number of the groupto be displayed.

config | port | port-mode | vlans Displays spanning tree configuration for:




Variable Value

• config--the specified (or default) SpanningTree Group

• port--the ports within the Spanning TreeGroup

• port-mode--the port mode

• vlans--the VLANs that are members of thespecified Spanning Tree Group

Creating a Spanning Tree GroupAbout this taskUse the following procedure to create a Spanning Tree Group.

Procedure

To create a Spanning Tree Group, use the following command from GlobalConfiguration mode.spanning-tree stp <1-8> create

Deleting a Spanning Tree GroupAbout this taskUse the following procedure to delete a Spanning Tree Group.

Procedure

To delete a Spanning Tree Group, use the following command from GlobalConfiguration mode.spanning-tree stp <1-8> delete

Enabling a Spanning Tree GroupAbout this taskUse the following procedure to enable a Spanning Tree Group.

Procedure

To enable a Spanning Tree Group, use the following command from GlobalConfiguration mode.spanning-tree stg <1-8> enable



Disabling a Spanning Tree GroupAbout this taskUse the following procedure to disable a Spanning Tree Group.

Procedure

To disable a Spanning tree Group, use the following command from GlobalConfiguration mode.spanning-tree stp <1-8> disable

Configuring STP valuesAbout this taskUse the following procedure to set STP values by STG.

Procedure

To configure STP values, use the following command from Global Configurationmode.spanning-tree [stp <1-8>] [forward-time <4-30>] [hello-time<1-10>] [max-age <6-40> [priority {0*0000 | 0*1000| 0*2000 |0*3000 | ... | 0*E000 | 0*F000}] [tagged-bpdu {enable |disable}] [tagged-bpdu-vid >1-4094>] [multicast-address<H.H.H>] [add-vlan] [remove-vlan]


Variable Valuestp <1-8> Specifies the Spanning Tree Group; enter

the STG ID.

forward-time <4-30> Enter the forward time of the STG inseconds; the range is 4 -- 30, and the defaultvalue is 15.

hello-time <1-10> Enter the hello time of the STG in seconds;the range is 1 --10, and the default value is2.

max-age <6-40> Enter the max-age of the STG in seconds;the range is 6 -- 40, and the default value is20.

priority {0x000 | 0x1000 | 0x2000 | 0x3000| .... | 0xE000 | 0xF000}

Sets the spanning tree priority (in Hex); if802.1T compliant, this value must be amultiple of 0x1000.

tagged-bpdu {enable | disable} Sets the BPDU as tagged or untagged. Thedefault value for Spanning Tree Group 1




Variable Value(default group) is untagged; the default forthe other groups is tagged.

tagged-bpdu-vid <1-4094> Sets the VLAN ID (VID) for the tagged BPDU.The default value is 4001 -- 4008 for STG 1-- 8, respectively.

multicast-address <H.H.H> Sets the spanning tree multicast address.

add-vlan Adds a VLAN to the Spanning Tree Group.

remove-vlan Removes a VLAN from the Spanning TreeGroup.

Restoring default Spanning Tree valuesAbout this taskUse the following procedure to restore default spanning tree values for the Spanning TreeGroup.

Procedure

To restore Spanning Tree values to default, use the following command from GlobalConfiguration mode.default spanning-tree [stp <1-8> [forward-time] [hello-time][max-age] [priority] [tagged-bpdu] [multicast address]


Variable Valuestp <1-8> Disables the Spanning Tree Group; enter the

STG ID.

forward-time Sets the forward time to the default value of15 seconds.

hello-time Sets the hello time to the default value of 2seconds.

max-age Sets the maximum age time to the defaultvalue of 20 seconds.

priority Sets spanning tree priority (in Hex); if 802.1Tcompliant, this value must be a multiple of0x1000.

tagged-bpdu Sets the tagging to the default value. Thedefault value for Spanning Tree Group 1(default group) is untagged; the default forthe other groups is tagged.



Variable Valuemulticast address Sets the spanning tree multicast MAC

address to the default.

Adding a VLAN to a STGAbout this taskUse the following procedure to add a VLAN to a specified Spanning Tree Group.

Procedure

To add a VLAN to a STG, use the following command from Global Configurationmode.spanning-tree [stp <1-8>] add-vlan <1-4094>

Removing a VLAN from a STGAbout this taskUse the following procedure to remove a VLAN from a specified Spanning Tree Group.

Procedure

To remove a VLAN from a STG, use the following command from Global Configurationmode.spanning-tree [stp <1-8>] remove-vlan <1-4094>

Configuring STP and MSTG participationAbout this taskUse the following procedure to set the Spanning Tree Protocol (STP) and multiple SpanningTree Group (STG) participation for the ports within the specified Spanning Tree Group.

Procedure

To configure STP and MSTG participation, use the following command from InterfaceConfiguration mode.[no] spanning-tree [port <portlist>] [stp <1-8>] [learning{disable | normal | fast}] [cost <1-65535>] [priority]Use the no form of this command to disable.





Variable Valueport <portlist> Enables the spanning tree for the specified

port or ports; enter port or ports you wantenabled for the spanning tree.Note: If you omit this parameter, the systemuses the port number you specified when youissued the interface command to enter theInterface Configuration mode.

stp <1-8> Specifies the spanning tree group; enter theSTG ID.

learning {disable|normal|fast} Specifies the STP learning mode:

• disable -- disables FastLearn mode

• normal -- changes to normal learning mode

• fast -- enables FastLearn mode

cost <1-65535> Enter the path cost of the spanning tree;range is 1 -- 65535.

priority Sets the spanning tree priority for a port as ahexadecimal value. If the Spanning TreeGroup is 802.1T compliant, this value mustbe a multiple of 0x10.

Resetting Spanning Tree values for ports to defaultAbout this taskUse the following procedure to set the spanning tree values for the ports within the specifiedSpanning Tree Group to the factory default settings.

Procedure

To reset Spanning Tree values to default, use the following command from InterfaceConfiguration mode.default spanning-tree [port <portlist>] [stp <1-8>] [learning][cost] [priority]


Variable Valueport <portlist> Enables spanning tree for the specified port or ports;

enter port or ports to be set to factory spanning treedefault values.Note: If this parameter is omitted, the system usesthe port number specified when the interface



Variable Valuecommand was used to enter Interface Configurationmode.

stp <1-8> Specifies the Spanning Tree Group to set to factorydefault values; enter the STG ID. This commandplaces the port into the default STG. The defaultvalue for STG is 1.

learning Sets the spanning tree learning mode to the factorydefault value.The default value for learning is Normal mode.

cost Sets the path cost to the factory default value.The default value for path cost depends on the typeof port.

priority Sets the priority to the factory default value.The default value for the priority is 0x8000.

Managing RSTP using the CLIAbout this taskUse the following command to configure RSTP:

• Configuring RSTP parameters on page 154• Configuring RSTP on a port on page 156• Displaying RSTP configuration on page 156• Displaying RSTP port configuration on page 155

Configuring RSTP parametersAbout this taskUse the following procedure to set the RSTP parameters which include forward delay, hellotime, maximum age time, default path cost version, bridge priority, transmit holdcount, andversion for the bridge.

Procedure

To configure RSTP parameters, use the following command from Global Configurationmode.spanning-tree rstp [ forward-time <4-30>] [hello-time <1-10>][max-age <6-40>] [pathcost-type {bits16 | bits32}] [priority{0000|1000|2000| ...| F000}] [tx-holdcount <1-10>] [version{stp-compatible | rstp}]





Variable Valueforward-time <4-30> Sets the RSTP forward delay for the bridge

in seconds; the default is 15.

hello-time <1-10> Sets the RSTP hello time delay for the bridgein seconds; the default is 2.

max-age <6-40> Sets the RSTP maximum age time for thebridge in seconds; the default is 20.

pathcost-type {bits16 | bits32} Sets the RSTP default path cost version; thedefault is bits32.

priority {0000 | 1000 | ... | F000} Sets the RSTP bridge priority (in hex); thedefault is 8000.

tx-hold count Sets the RSTP Transmit Hold Count; thedefault is 3.

version {stp-compatible | rstp} Sets the RSTP version; the default is rstp.

Displaying RSTP port configurationAbout this taskUse the following procedure to display the Rapid Spanning Tree Protocol (RSTP) related port-level configuration details.

Procedure

To display RSTP port configuration, use the following command from Privileged EXECmode.show spanning-tree rstp port {config | status | statistics |role} [<portlist>]


Variable Valueconfig Displays RSTP port-level configuration.

status Displays RSTP port-level role information.

statistics Displays RSTP port-level statistics.

role Displays RSTP port-level status.



Configuring RSTP on a portAbout this taskUse the following procedure to set the RSTP parameters, which include path cost, edge-portindicator, learning mode, point-to-point indicator, priority, and protocol migration indicator onthe single or multiple port.

Procedure

To configure RSTP on a port, use the following command from Interface Configurationmode.spanning-tree rstp [port <portlist>] [cost <1-200000000> [edge-port {false | true}] [learning {disable | enable}] [p2p {auto |force-false | force-true}] [priority {00 | 10 | ... | F0}][protocol-migration {false | true}]


Variable Valueport <portlist> Filter on list of ports.

cost <1-200000000> Sets the RSTP path cost on the single ormultiple ports; the default is 200000.

edge-port {false | true} Indicates whether the single or multiple portsare assumed to be edge ports. Thisparameter sets the Admin value of edge portstatus; the default is false.

learning {disable | enable} Enables or disables RSTP on the single ormultiple ports; the default is enable.

p2p {auto | force-false | force-true} Indicates whether the single or multiple portsare to be treated as point-to-point links. Thiscommand sets the Admin value of P2PStatus; the default is force-true.

priority {00 | 10 |... | F0} Sets the RSTP port priority on the single ormultiple ports; the default is 80.

protocol-migration {false | true} Forces the single or multiple port to transmitRSTP BPDUs when set to true, whileoperating in RSTP mode; the default isfalse.

Displaying RSTP configurationAbout this taskUse the following procedure to display the Rapid Spanning Tree Protocol (RSTP) relatedbridge-level configuration details.




Procedure

To display RSTP configuration details, use the following command from PrivilegedEXEC mode.show spanning-tree rstp {config | status | statistics}


Variable Valueconfig Displays RSTP bridge-level configuration.

status Displays RSTP bridge-level role information.

statistics Displays RSTP bridge-level statistics.

Configuring MLT using CLIAbout this taskThe Command Line Interface commands detailed in this section allow for the creation andmanagement of Multi-Link trunks. Depending on the type of Multi-Link trunk being created ormanaged, the command mode needed to execute these commands can differ.

Refer to the following sections to configure MLT:

• Displaying MLT configuration and utilization on page 157• Configuring a Multi-Link trunk on page 158• Disabling a MLT on page 158• Displaying MLT properties on page 159• Configuring STP participation for MLTs on page 159

Displaying MLT configuration and utilization

About this taskUse the following procedure to display Multi-Link Trunking (MLT) configuration andutilization.

Procedure

To display MLT configuration and utilization, use the following command fromPrivileged EXEC mode.show mlt [utilization <1-32>]



Configuring a Multi-Link trunk

About this taskUse the following procedure to configure a Multi-Link trunk (MLT).

Procedure

To configure a Multi-Link trunk, use the following command from Global Configurationmode.mlt <id> [name<trunkname>] [enable | disable] [member<portlist>] [learning {disable | fast | normal}] [bpdu {all-ports | single-port}] loadbalance {basic | advance}


Variable Valueid Enter the trunk ID; the range is 1 to 32.

name <trunkname> Specifies a text name for the trunk; enter upto 16 alphanumeric characters.

enable | disable Enables or disables the trunk.

member <portlist> Enter the ports that are members of thetrunk.

learning <disable | fast | normal> Sets STP learning mode.

bpdu {all-ports | single-port} Sets trunk to send and receive BPDUs oneither all ports or a single port.

loadbalance {basic | advance} Sets the MLT load-balancing mode:

• basic: MAC-based load-balancing

• advance: IP-based load-balancing

Disabling a MLT

About this taskUse the following procedure to disable a Multi-Link trunk (MLT), clearing all the portmembers.

Procedure

To disable a MLT, use the following command from Global Configuration mode.




no mlt [<id>]

Displaying MLT properties

About this taskUse the following procedure to display the properties of Multi-Link trunks (MLT) participatingin Spanning Tree Groups (STG).

Procedure

To display MLT properties, use the following command from Global Configurationmode.show mlt spanning-tree <1-32>

Configuring STP participation for MLTs

About this taskUse the following procedure to set Spanning Tree Protocol (STP) participation for Multi-Linktrunks (MLT).

Procedure

To configure STP participation for MLTs, use the following command from GlobalConfiguration mode.mlt spanning-tree <1-32> [stp <1-8>, ALL>] [learning {disable |normal | fast}]


Variable Value<1-32> Specifies the ID of the MLT to associate with

the STG.

stp <1-8> Specifies the spanning tree group.

learning {disable | normal | fast} Specifies the STP learning mode:

• disable -- disables learning

• normal -- sets the learning mode to normal

• fast -- sets the learning mode to fast



Configuring LACP and VLACP using CLIAbout this taskThis section contains information on the following topics:

• Configuring Link Aggregation using CLI on page 160• Configuring VLACP using CLI on page 165

Configuring Link Aggregation using CLI

About this taskThis section describes the commands necessary to configure and manage Link Aggregationusing the Command Line Interface (CLI).

To configure Link Aggregation using the CLI, refer to the fo

• Displaying LACP system settings on page 161• Displaying LACP per port configuration on page 161• Displaying LACP port mode on page 160• Displaying LACP port statistics on page 161• Clearing LACP port statistics on page 162• Displaying LACP port debug information on page 162• Displaying LACP aggregators on page 162• Configuring LACP system priority on page 162• Enabling LACP port aggregation mode on page 163• Configuring the LACP administrative key on page 163• Configuring LACP operating mode on page 163• Configuring per port LACP priority on page 164• Configuring LACP periodic transmission timeout interval on page 164• Configuring LACP port mode on page 165

Displaying LACP port modeAbout this taskUse the following procedure to display the current port mode (default or advanced).

Procedure

To display the port mode, use the following command from Privileged EXEC mode.show lacp port-mode




Displaying LACP system settingsAbout this taskUse the following procedure to display system-wide LACP settings.

Procedure

To display system settings, use the following command from Privileged EXEC mode.show lacp system

Displaying LACP per port configurationAbout this taskUse the following procedure to display information on the per-port LACP configuration. Selectports either by port number or by aggregator value.

Procedure

To display per port configuration, use the following command from Privileged EXECmode.show lacp port [<portList> | aggr <1-65535>]


Variable Value<portList> Enter the specific ports for which to display LACP

information.

aggr <1-65535> Enter the aggregator value to display ports that aremembers of it.

Displaying LACP port statisticsAbout this taskUse the following procedure to displayLACP port statistics. Select ports either by port numberor by aggregator value.

Procedure

To display port statistics, use the following command from Privileged EXEC mode.show lacp stats [<portList> | aggr <1-65535>]


Variable Value<portList> Enter the specific ports for which to display LACP

information.



Variable Valueaggr <1-65535> Enter the aggregator value to display ports that are

members of it.

Clearing LACP port statisticsAbout this taskUse the following procedure to clear existing LACP port statistics.

Procedure

To clear statistics, use the following command from Interface Configuration mode.lacp clear-stats <portList>

Displaying LACP port debug informationAbout this taskUse the following procedure to display port debug information.

Procedure

To display port debug information, use the following command from Privileged EXECmode.show lacp debug member [<portList>]

Displaying LACP aggregatorsAbout this taskUse the following procedure to display LACP aggregators or LACP trunks.

Procedure

To display aggregators, use the following command from Privileged EXEC mode.show lacp aggr <1-65535>

Configuring LACP system priorityAbout this taskUse the following procedure to configure the LACP system priority. It is used to set the system-wide LACP priority. The factory default priority value is 32768.

Procedure

To configure system priority, use the following command from Global Configurationmode.




lacp system-priority <0-65535>

Enabling LACP port aggregation modeAbout this taskUse the following procedure to enable the port aggregation mode.

Procedure

To enable the port aggregation mode, use the following command from InterfaceConfiguration mode.[no] lacp aggregation [port <portList>] enableUse the no form of the command to disable.

Configuring the LACP administrative keyAbout this taskUse the following procedure to configure the administrative LACP key for a set of ports.

Procedure

To set the administrative key, use the following command from Interface Configurationmode.lacp key [port <portList>] <1-4095>


Variable Valueport <portList> The ports to configure the LACP key for.

<1-4095> The LACP key to use.

Configuring LACP operating modeAbout this taskUse the following procedure to configure the LACP mode of operations for a set of ports.

Procedure

To configure the operating mode, use the following command from InterfaceConfiguration mode.lacp mode [port <portList>] {active | passive | off}




Variable Valueport <portList> The ports for which the LACP mode is to be

set.

{active | passive | off} The type of LACP mode to set for the port.The LACP modes are:

• active -- The port will participate as anactive Link Aggregation port. Ports inactive mode send LACPDUs periodically tothe other end to negotiate for linkaggregation.

• passive -- The port will participate as apassive Link Aggregation port. Ports inpassive mode send LACPDUs only whenthe configuration is changed or when itslink partner communicates first.

• off -- The port does not participate in LinkAggregation.

LACP requires at least one end of each linkto be in active mode.

Configuring per port LACP priorityAbout this taskUse the following procedure to configure the per-port LACP priority for a set of ports.

Procedure

To configure priority, use the following command from Interface Configuration mode.lacp priority [port <portList> <0-65535>


Variable Valueport <portList> The ports for which to configure LACP priority.

<0-65535> The priority value to assign.

Configuring LACP periodic transmission timeout intervalAbout this taskUse the following procedure to configure the LACP periodic transmission timeout interval fora set of ports.




Procedure

To configure the interval, use the following command from Interface Configurationmode.lacp timeout-time [port <portList>] {long | short}


Variable Valueport <portList> The ports for which to configure the timeout

interval.

{long | short} Specify the long or short timeout interval.

Configuring LACP port modeAbout this taskUse the following procedure to configure the LACP port mode on the switch.

Procedure

To configure the port mode, use the following command from Interface Configurationmode.lacp port-mode {default | advance}


Variable Valuedefault Default LACP port mode.

advance Advanced LACP port mode.

Configuring VLACP using CLI

About this taskTo configure VLACP using the CLI, refer to the following commands:

• Enabling VLACP globally on page 166• Configuring VLACP multicast MAC address on page 168• Configuring VLACP port parameters on page 166• Displaying VLACP status on page 168• Displaying VLACP port configuration on page 168



Enabling VLACP globallyAbout this taskUse the following procedure to globally enable VLACP for the device.

Procedure

To enable VLACP, use the following command from Global Configuration mode.[no] vlacp enableUse the no form of this command to disable.

Configuring VLACP port parametersAbout this taskUse the following procedure to configure VLACP parameters on a port.

Procedure

To configure parameters, use the following command from Interface Configurationmode.[no] vlacp port <port> [enable | disable] [timeout <long/short>][fast-periodic-time <integer>] [slow-periodic-time<integer>] [timeout-scale <integer>] [funcmac-addr <mac>][ethertype <hex>]Use the no form of this command to remove parameters.


Variable Value<port> Specifies the port number.

enable|disable Enables or disables VLACP.

timeout <long/short> Specifies whether the timeout control valuefor the port is a long or short timeout.

• long sets the port timeout value to:(timeout-scale value) × (slow-periodic-timevalue).

• short sets the port’s timeout value to:(timeout-scale value) × (fast-periodic-timevalue).

For example, if the timeout is set to shortwhile the timeout-scale value is 3 and thefast-periodic-time value is 400 ms, the timerexpires after 1200 ms.Default is long.




Variable Valuefast-periodic-time <integer> Specifies the number of milliseconds

between periodic VLACPDU transmissionsusing short timeouts.The range is 400-20000 milliseconds.Default is 500.

slow-periodic-time <integer> Specifies the number of millisecondsbetween periodic VLACPDU transmissionsusing long timeouts.The range is 10000-30000 milliseconds.Default is 30000.

timeout-scale <integer> Sets a timeout scale for the port, wheretimeout = (periodic time) × (timeout scale).The range is 1-10. Default is 3.Note: With VLACP, a short interval existsbetween a port transmitting a VLACPDU andthe partner port receiving the sameVLACPDU. However, if the timeout-scale isset to less than 3, the port timeout value doesnot take into account the normal travel timeof the VLACPDU. The port expects to receivea VLACPDU at the same moment the partnerport sends it. Therefore, the delayedVLACPDU results in the link being blocked,and then enabled again when the packetarrives. To prevent this scenario fromhappening, set the timeout-scale to a valuelarger than 3. VLACP partners must also wait3 synchronized VLACPDUs to have the linkenabled. If VLACP partner miss 3consecutive packets from the other partner,sets the link as VLACP down.

funcmac-addr <mac> Specifies the address of the far-end switchconfigured to be the partner of this switch. Ifnone is configured, any VLACP-enabledswitch communicating with the local switchthrough VLACP PDUs is considered to bethe partner switch.Note: VLACP has only one multicast MACaddress, configured using the vlacpmacaddress command, which is the Layer 2destination address used for theVLACPDUs.The port-specific funcmac-addr parameterdoes not specify a multicast MAC address,but instead specifies the MAC address of theswitch to which this port is sendingVLACPDUs.



Variable ValueYou are not always required to configurefuncmac-addr. If not configured, the firstVLACP-enabled switch that receives thePDUs from a unit assumes that it is theintended recipient and processes the PDUsaccordingly.If you want an intermediate switch to dropVLACP packets, configure the funcmac-addrparameter to the desired destination MACaddress. With funcmac-addr configured, theintermediate switches do not misinterpret theVLACP packets.

ethertype <hex> Sets the VLACP protocol identification forthis port. Defines the ethertype value of theVLACP frame. The range is 8101-81FF.Default is 8103.

Configuring VLACP multicast MAC addressAbout this taskUse the following procedure to set the multicast MAC address used by the device forVLACPDUs.

Procedure

To configure the multicast MAC address, use the following command from GlobalConfiguration mode.[no] vlacp macaddress <macaddress>Use the no form of this command to delete the address.

Displaying VLACP statusAbout this taskUse the following procedure to display the status of VLACP on the switch.

Procedure

To display VLACP status, use the following command from Privileged EXEC mode.show vlacp

Displaying VLACP port configurationAbout this taskUse the following procedure to display the VLACP configuration details for a port or list ofports.




Procedure

To display port configuration, use the following command from Privileged EXECmode.show vlacp interface <slot/port>where <slot/port> specifies a port or list of ports.

Among other properties, the show vlacp interface command displays a columncalled HAVE PARTNER, with possible values of yes or no.If HAVE PARTNER is yes when ADMIN ENABLED and OPER ENABLED are true,then that port has received VLACPDUs from a port and those PDUs were recognizedas valid according to the interface settings.If HAVE PARTNER is no, when ADMIN ENABLED is true and OPER ENABLED isFALSE, then the partner for that port is down (that port received at least one correctVLACPDU, but did not receive additional VLACPDUs within the configured timeoutperiod). In this case VLACP blocks the port. This scenario is also seen if only one unithas VLACP enabled and the other has not enabled VLACP.The show vlacp interface command is in the privExec command mode.

Note: If VLACP is enabled on an interface, the interface will not forward traffic unlessit has a valid VLACP partner. If one partner has VLACP enabled and the other is notenabled, the unit with VLACP enabled will not forward traffic, however the unit withVLACP disabled will continue to forward traffic.

Configuring IP routing

IP routing configuration using CLIAbout this taskThis chapter describes the procedures you can use to configure routable VLANs using theCLI.

The WC 8180 can function as a Layer 3 (L3) switch. This means that a regular Layer 2 VLANbecomes a routable Layer 3 VLAN if an IP address and MAC address are attached to theVLAN. When routing is enabled in Layer 3 mode, every Layer 3 VLAN is capable of routing aswell as carrying the management traffic. You can use any Layer 3 VLAN instead of theManagement VLAN to manage the switch.



Refer to the following sections to configure IP routing using CLI:

• IP routing configuration procedures on page 170• Configuring global IP routing status on page 171• Displaying global IP routing status on page 171• Configuring an IP address for a VLAN on page 171• Configuring IP routing status on a VLAN on page 172• Configuring a secondary IP address for a VLAN on page 172• Displaying the IP address configuration and routing status for a VLAN on page 173• Displaying IP routes on page 174• Performing a traceroute on page 175

IP routing configuration procedures

About this taskTo configure inter-VLAN routing on the switch, perform the following steps:

Procedure

1. Enable IP routing globally.

2. Assign an IP address to a specific VLAN or brouter port.Routing is automatically enabled on the VLAN or brouter port when you assign anIP address to it.

IP routing configuration navigation

About this task

• Configuring global IP routing status• Displaying global IP routing status• Configuring an IP address for a VLAN• Configuring IP routing status for a VLAN• Displaying the IP address configuration and routing status for a VLAN• Displaying IP routes• Performing a traceroute• Entering Router Configuration mode




Configuring global IP routing status

About this taskUse this procedure to enable and disable global routing at the switch level. By default, routingis disabled.

Procedure

To configure the status of IP routing on the switch, enter the following from the GlobalConfiguration mode:[no] ip routing


Variable Valueno Disables IP routing on the switch

Displaying global IP routing status

About this taskUse this command to display the status of IP blocking on the switch.

Procedure

To display the status of IP blocking on the switch, enter the following from the UserEXEC mode:show ip routing

Configuring an IP address for a VLAN

About this taskTo enable routing an a VLAN, you must first configure an IP address on the VLAN.

Procedure

To configure an IP address on a VLAN, enter the following from the VLAN InterfaceConfiguration mode:[no] ip address <ipaddr> <mask> [<MAC-offset>]




Variable Value[no] Removes the configured IP address and

disables routing on the VLAN.

<ipaddr> Specifies the IP address to attach to theVLAN.

<mask> Specifies the subnet mask to attach to theVLAN

[<MAC-offset>] Specifies the value used to calculate theVLAN MAC address, which is offset from theswitch MAC address. The valid range is1-256. Specify the value 1 for theManagement VLAN only. If no MAC offset isspecified, the switch applies oneautomatically.

Configuring IP routing status on a VLAN

About this taskUse this procedure to enable and disable routing for a particular VLAN.

Procedure

To configure the status of IP routing on a VLAN, enter the following from the VLANInterface Configuration mode:[default] [no] ip routing


Variable Valuedefault Disables IP routing on the VLAN.

no Disables IP routing on the VLAN.

Configuring a secondary IP address for a VLAN

About this taskUse this procedure to configure a secondary IP interface to a VLAN (also known asmultinetting). You can have a maximum of eight secondary IP addresses for every primaryaddress, and you must configure the primary address before configuring any secondaryaddresses.




Primary and secondary interfaces must reside on different subnets.

To remove a primary IP address from a VLAN, you must first remove all secondary addressesfrom the VLAN.

Prerequisites

Configure a primary IP address on the VLAN.

Procedure

To configure the secondary IP interface on the VLAN, enter the following from the VLANInterface Configuration mode.[no] ip address <ip address> <mask> [<mac offset>] secondary


Variable Valueno Removes the configured IP address. To remove a

primary IP address from a VLAN, you must first removeall secondary addresses from the VLAN.

<ipaddr> Specifies the IP address to attach to the VLAN.

<mask> Specifies the subnet mask to attach to the VLAN

[<MAC-offset>] Specifies the value used to calculate the VLAN MACaddress, which is offset from the switch MAC address.The valid range is 1-256. Specify the value 1 for theManagement VLAN only. If no MAC offset is specified,the switch applies one automatically.

Job aid: Example of adding a secondary IP interface to a VLANAbout this taskPrimary and secondary interfaces must reside on different subnets. In the following example,4.1.0.10 is the primary IP and 4.1.1.10 is the secondary IP.

(config)# interface vlan 4(config)# ip address 4.1.0.10 255.255.255.0 6(config-if)# ip address 4.1.1.10 255.255.255.0 7 secondary

Displaying the IP address configuration and routing status for a VLAN

About this taskUse this procedure to display the IP address configuration and the status of routing on aVLAN.



Procedure

To display the IP address configuration on a VLAN, enter the following from the VLANPrivileged Exec mode:show vlan ip [vid <vid>]


Variable Value[vid <vid>] Specifies the VLAN ID of the VLAN to be displayed.

Range is 1-4094.

Job aidThe following table shows the field descriptions for the show vlan ip command.

Field DescriptionVid Specifies the VLAN ID.

ifindex Specifies an index entry for the interface.

Address Specifies the IP address associated with the VLAN.

Mask Specifies the mask.

MacAddress Specifies the MAC address associated with theVLAN.

Offset Specifies the value used to calculate the VLAN MACaddress, which is offset from the switch MACaddress.

Routing Specifies the status of routing on the VLAN: enabledor disabled.

Displaying IP routes

About this taskUse this procedure to display all active routes in the routing table.

Route entries appear in ascending order of the destination IP addresses.

Procedure

To display all active routes in the routing table, enter the following from the User EXECcommand mode:show ip route [<dest-ip>] [-s <subnet><mask>] [summary]





Variable Value[<dest-ip>] Specifies the destination IP address of the route to

display.

[-s <subnet><mask>] Specifies the destination subnet of the routes todisplay.

[summary] Displays a summary of IP route information.

Performing a traceroute

About this taskUse this procedure to display the route taken by IP packets to a specified host.

Procedure

1. To perform a traceroute, enter the following from the Global Configuration mode:traceroute <Hostname|A.B.C.D.> <-m> <-p> <-q> <-v> <-w><1-1464>

2. Type CTRL+C to interrupt the command.


Variable ValueHostname Specifies the name of the remote host.

A.B.C.D Specifies the IP address of the remote host.

-m Specifies the maximum time to live (ttl). The valuefor this parameter is in the rage from 1-255. Thedefault value is 10. Example: traceroute 10.3.2.134-m 10

-p Specifies the base UDP port number. The value forthis parameter is in the range from 0-65535.Example: traceroute 1.2.3.4 -p 87

-q Specifies the number of probes per time to live. Thevalue for this parameter is in the range from 1-255.The default value is 3. Example: traceroute10.3.2.134 -q 3

-v Specifies verbose mode. Example: traceroute10.3.2.134 -v



Variable Value-w Specifies the wait time per probe. The value for this

parameter is in the range from 1-255. The defaultvalue is 5 seconds. Example: traceroute 10.3.2.134-w 15

<1-1464> Specifies the UDP probe packet size. TIP: probepacket size is 40 plus specified data length in bytes.Example: traceroute 10.3.2.134 -w 60

Static route configuration using CLIAbout this taskThis chapter describes the procedures you can use to configure static routes using the CLI.

Static route configuration navigation

• Configuring a static route on page 176• Displaying static routes on page 177• Configuring a management route on page 178• Displaying the management routes on page 179

Configuring a static route

About this taskUse this procedure to configure a static route. Create static routes to manually configure a pathto destination IP address prefixes.

Prerequisites

• Enable IP routing globally• Enable IP routing and configure an IP address on the VLANs to be routed.

Procedure

To configure a static route, enter the following from the Global Configuration commandmode:[no] ip route <dest-ip> <mask> <next-hop> [<cost>] [disable][enable] [weight<cost>]





Variable Value[no] Removes the specified static route.

<dest-ip> Specifies the destination IP address for the route beingadded. 0.0.0.0 is considered the default route.

<mask> Specifies the destination subnet mask for the route beingadded.

<next-hop> Specifies the next hop IP address for the route beingadded.

[<cost>] Specifies the weight, or cost, of the route being added. Rangeis 1-65535.

[disable] Disables the specified static route.

[enable] Enables the specified static route.

[weight<cost>] Changes the weight, or cost, of an existing static route. Rangeis 1-65535.

Displaying static routes

About this taskUse this procedure to display all static routes, whether these routes are active or inactive.

Procedure

To display a static route, enter the following from the User EXEC command mode:show ip route static [<dest-ip>] [-s<subnet><mask>]


Variable Value<dest-ip> Specifies the destination IP address of the

static routes to display.

[-s<subnet><mask>] Specifies the destination subnet of the routesto display.

Job aidThe following table shows the field descriptions for the show ip route staticcommand.



Field DescriptionDST Identifies the route destination.

MASK Identifies the route mask.

NEXT Identifies the next hop in the route.

COST Identifies the route cost.

VLAN Identifies the VLAN ID on the route.

PORT Specifies the ports.

PROT Specifies the routing protocols. For static routes, optionsare LOC (local route) or STAT (static route).

TYPE Indicates the type of route as described by the TypeLegend on the CLI screen.

PRF Specifies the route preference.

Configuring a management route

About this taskUse this procedure to create a management route to the far end network, with a next-hop IPaddress from the management VLAN’s subnet. A maximum of 4 management routes can beconfigured on the switch.

Prerequisites

• Enable IP routing globally• Enable IP routing and configure an IP address on the management VLAN interface.

Procedure

To configure a static management route, enter the following from the GlobalConfiguration command mode:[no] ip mgmt route <dest-ip><mask><next-hop>


Variable Value[no] Removes the specified management route.

<dest-ip> Specifies the destination IP address for the route beingadded.

<mask> Specifies the destination subnet mask for the route beingadded.




Variable Value<next-hope> Specifies the next hop IP address for the route being

added.

Displaying the management routes

About this taskUse this procedure to display the static routes configured for the management VLAN.

Procedure

To display the static routes configured for the management VLAN, enter the followingfrom the User EXEC mode:show ip mgmt route

Job aid

The following table shows the shows the field descriptions for the show ip mgmt routecommand.

Field DescriptionDestination IP Identifies the route destination.

Subnet Mask Identifies the route mask.

Gateway IP Identifies the next hop in the route.

DHCP relay configuration using CLIAbout this taskThis chapter describes the procedures you can use to configure DHCP relay using the CLI.

Important:DHCP relay uses a hardware resource that is shared by switch Quality of Serviceapplications. When DHCP relay is enabled globally, the Quality of Service filter manager willnot be able to use precedence 11 for configurations.



Prerequisites

• Enable IP routing globally.• Enable IP routing and configure an IP address on the VLAN to be set as the DHCP relay

agent.• Ensure that a route to the destination DHCP server is available on the switch.

DHCP relay configuration procedures

About this taskTo configure DHCP relay, perform the following steps:

Procedure

1. Ensure that DHCP relay is enabled globally. (DHCP relay is enabled by default.)

2. Configure the DHCP relay forwarding path, specifying the VLAN IP as the DHCPrelay agent and the remote DHCP server as the destination.

3. Enable DHCP for the specific VLAN.

DHCP relay configuration navigation

About this task

• Configuring global DHCP relay status on page 180• Displaying the global DHCP relay status on page 181• Specifying a local DHCP relay agent and remote DHCP server on page 181• Displaying the DHCP relay configuration on page 182• Configuring DHCP relay status and parameters on a VLAN on page 183• Displaying the DHCP relay configuration for a VLAN on page 184• Displaying DHCP relay counters on page 184• Clearing DHCP relay counters for a VLAN on page 185

Configuring global DHCP relay status

About this taskUse this procedure to configure the global DHCP relay status. DHCP relay is enabled bydefault.




Procedure

To configure the global DHCP relay status, enter the following from the GlobalConfiguration mode:[no] ip dhcp-relay


Variable Value[no] Disables DHCP relay.

Displaying the global DHCP relay status

About this taskUse this procedure to display the current DHCP relay status for the switch.

Procedure

To display the global DHCP relay status, enter the following from the User EXECcommand mode:show ip dhcp-relay

Specifying a local DHCP relay agent and remote DHCP server

About this taskUse this procedure to specify a VLAN as a DHCP relay agent on the forwarding path to aremote DHCP server. The DHCP relay agent can forward DHCP client requests from the localnetwork to the DHCP server in the remote network.

The DHCP relay feature is enabled by default, and the default mode is BootP-DHCP.

Prerequisites

Enable IP routing and configure an IP address on the VLAN to configure as a DHCP relayagent.

Procedure

To configure a VLAN as a DHCP relay agent, enter the following from the GlobalConfiguration mode:[no] ip dhcp-relay fwd-path <relay-agent-ip> <DHCP-server>[enable] [disable] [mode {bootp | bootp-dhcp | dhcp}]




Variable Value[no] Removes the specified DHCP forwarding path.

<relay-agent-ip> Specifies the IP address of the VLAN that servesas the local DHCP relay agent.

<DHCP-server> Specifies the address of the remote DHCPserver to which DHCP packets are to berelayed.

[enable] Enables the specified DHCP relay forwardingpath.

[disable] Disables the specified DHCP relay forwardingpath.

[mode {bootp | bootp-dhcp | dhcp}] Specifies the mode for DHCP relay.

• BootP only

• BootP and DHCP

• DHCP only

If you do not specify a mode, the default DHCPand BootP is used.

Displaying the DHCP relay configuration

About this taskUse this procedure to display the current DHCP relay agent configuration.

Procedure

To display the DHCP relay configuration, enter the following from the User EXECcommand mode:show ip dhcp-relay fwd-path

Job aid

The following table shows the field descriptions for the show ip dhcp-relay fwd-pathcommand.

Field DescriptionINTERFACE Specifies the interface IP address of the DHCP relay

agent.




Field DescriptionSERVER Specifies the IP address of the DHCP server.

ENABLE Specifies whether DHCP is enabled.

MODE Specifies the DHCP mode.

Configuring DHCP relay status and parameters on a VLAN

About this taskUse this procedure to configure the DHCP relay parameters on a VLAN. To enable DHCP relayon the VLAN, enter the command with no optional parameters.

Procedure

To configure DHCP relay on a VLAN, enter the following from the VLAN InterfaceConfiguration mode:[no] ip dhcp-relay [broadcast] [min-sec <min-sec>] [mode {bootp| dhcp | bootp_dhcp}]


Variable Value

[no] Disables DHCP relay on the specified VLAN.

[broadcast] Enables the broadcast of DHCP reply packets tothe DHCP clients on this VLAN interface.

min-sec <min-sec> The switch immediately forwards a BootP/DHCPpacket if the ’secs’ field in the BootP/DHCPpacket header is greater than the configured min-sec value; otherwise, the packet is dropped.Range is 0-65535. The default is 0.

mode {bootp | dhcp | bootp_dhcp} Specifies the type of DHCP packets this VLANsupports:

• bootp - Supports BootP only

• dhcp - Supports DHCP only

• bootp_dhcp - Supports both BootP and DHCP



Displaying the DHCP relay configuration for a VLAN

About this taskUse this procedure to display the current DHCP relay parameters configured for a VLAN.

Procedure

To display the DHCP relay VLAN parameters, enter the following from the PrivilegedEXEC command mode:show vlan dhcp-relay [<vid>]


Variable Value[<vid>] Specifies the VLAN ID of the VLAN to be displayed. Range is

1-4094.

Job aidThe following table shows the field descriptions for the show ip dhcp-relay command.

Field DescriptionIfIndex Indicates the VLAN interface index.

MIN_SEC Indicates the minimum time, in seconds, to waitbetween receiving a DHCP packet and forwarding theDHCP packet to the destination device. A value ofzero indicates forwarding is done immediately withoutdelay.

ENABLED Indicates whether DHCP relay is enabled on theVLAN.

MODE Indicates the type of DHCP packets this interfacesupports. Options include none, BootP, DHCP, andboth.

ALWAYS_BROADCAST Indicates whether DHCP reply packets are broadcastto the DHCP client on this VLAN interface.

Displaying DHCP relay counters

About this taskUse this procedure to display the current DHCP relay counters. This includes the number ofrequests and the number of replies.




Procedure

To display the DHCP relay counters, enter the following from the User EXEC commandmode:show ip dhcp-relay counters

Job aid

The following table shows the field descriptions for the show ip dhcp-relay counterscommand.

Field DescriptionINTERFACE Indicates the interface IP address of the DHCP relay

agent.

REQUESTS Indicates the number of DHCP requests.

REPLIES Indicates the number of DHCP replies.

Clearing DHCP relay counters for a VLAN

About this taskUse this procedure to clear the DHCP relay counters for a VLAN.

Procedure

To clear the DHCP relay counters, enter the following from the VLAN InterfaceConfiguration command mode:ip dhcp-relay clear-counters

Directed broadcasts configuration using CLIAbout this taskThis chapter describes procedures you can use to configure and display the status of directedbroadcasts using CLI.

Navigation

• Configuring directed broadcasts on page 186• Displaying the directed broadcast configuration on page 186



Configuring directed broadcasts

About this taskUse this procedure to enable directed broadcasts on the switch. By default, directed broadcastsare disabled.

Prerequisites

• Enable IP routing globally.• Enable IP routing and configure an IP address on the VLAN to be configured as a

broadcast interface.• Ensure that a route (local or static) to the destination address is available on the switch.

Procedure

To enable directed broadcasts, enter the following from the Global Configuration mode:ip directed-broadcast enable

Displaying the directed broadcast configuration

About this taskUse this procedure to display the status of directed broadcasts on the switch. By default,directed broadcasts are disabled.

Procedure

To display directed broadcast status, enter the following from the User EXEC mode:show ip directed-broadcast

Static ARP and Proxy ARP configuration using CLIAbout this taskThis chapter describes the procedures you can use to configure Static ARP, Proxy ARP, anddisplay ARP entries using the CLI.

Static ARP and Proxy ARP configuration navigation

• Static ARP configuration on page 187• Displaying the ARP table on page 187• Proxy ARP configuration on page 189




Static ARP configuration

About this taskThis section describes how to configure Static ARP using the CLI.

Configuring a static ARP entryAbout this taskUse this procedure to create and enable a static ARP entry.

Prerequisites

• Enable IP routing globally.• Enable IP routing and configure an IP address on the target VLAN.

Procedure

To configure a static ARP entry, enter the following from the Global Configuration mode:[no] ip arp <A.B.C.D> <aa:bb:cc:dd:ee:ff> <port> [vid <1-4094>]


Variable Value[no] Removes the specified ARP entry.

<A.B.C.D> Specifies the IP address of the device being setas a static ARP entry.

<aa:bb:cc:dd:ee:ff> Specifies the MAC address of the device being setas a static ARP entry.

< port> Specifies the port number to which the static ARPentry is being added.

vid <1-4094> Specifies the VLAN ID to which the static ARPentry is being added.

Displaying the ARP tableAbout this taskUse the following procedures to display the ARP table, configure a global timeout for ARPentries, and clear the ARP cache.

Navigation

• Displaying ARP entries on page 188• Configuring a global timeout for ARP entries on page 188• Clearing the ARP cache on page 189



Displaying ARP entriesAbout this taskUse this procedure to display ARP entries.

Procedure

To display ARP entries, enter the following from the User Exec mode:show arp-tableORshow ip arp [static | dynamic] [<ip-addr> | {-s <subnet><mask>{] [summary]The show ip arp command is invalid if the switch is not in Layer 3 mode.


Variable Value<ip-addr> Specifies the IP address of the ARP entry to be

displayed.

-s <subnet> <mask> Displays ARP entries for the specified subnet only.

static Displays all configured static entries, including thosewithout a valid route.

Job aidThe following table shows the field descriptions for the show ip arp command.

Field DescriptionIP Address Specifies the IP address of the ARP entry.

Age (min) Displays the ARP age time.

MAC Address Specifies the MAC address of the ARP entry.

VLAN-Unit/Port/Trunk Specifies the VLAN/port of the ARP entry.

Flags Specifies the type of ARP entry. S=Static,D=Dynamic, L=Local, B=Broadcast.

Configuring a global timeout for ARP entriesAbout this taskUse this procedure to configure an aging time for the ARP entries.

Procedure

To configure a global timeout for ARP entries, enter the following from the GlobalConfiguration mode:




ip arp timeout <timeout>


Variable Value<timeout> Specifies the amount of time in minutes before an ARP entry

ages out. Range is 5-360. The default value is 360 minutes.

Clearing the ARP cacheAbout this taskUse this procedure to clear the cache of ARP entries.

Procedure

To clear the ARP cache, enter the following from the Global Configuration mode:clear arp-cache

Proxy ARP configuration

About this taskThis section describes how to configure Proxy ARP using the CLI.

Navigation

• Configuring proxy ARP status on page 189• Displaying proxy ARP status on a VLAN on page 190

Configuring proxy ARP statusAbout this taskUse this procedure to enable proxy ARP functionality on a VLAN. By default, proxy ARP isdisabled.

Prerequisites

• Enable IP routing globally.• Enable IP routing and configure an IP address on the VLAN to be configured as a Proxy

ARP interface.

Procedure

To configure proxy ARP status, enter the following from the VLAN InterfaceConfiguration mode:[default] [no] ip arp-proxy enable




Variable Valuedefault Disables proxy ARP functionality on the VLAN.

no Disables proxy ARP functionality on the VLAN.

Displaying proxy ARP status on a VLANAbout this taskUse this procedure to display the status of proxy ARP on a VLAN.

Procedure

To display proxy ARP status for a VLAN, enter the following from the User EXEC mode:show ip arp-proxy interface [vlan<vid>]


Variable Value<vid> Specifies the ID of the VLAN to display. Range is 1-4094.

Job aidThe following table shows the field descriptions for the show ip arp-proxy interfacescommand.

Field DescriptionVlan Identifies a VLAN.

Proxy ARP status Specifies the status of Proxy ARP on the VLAN.

IGMP snooping configuration using CLIAbout this taskThis chapter describes the procedures you can use to configure IGMP snooping on a VLANusing CLI.

IGMP snooping configuration procedures

Procedure

To configure IGMP snooping, the only required configuration is to enable snooping onthe VLAN.




All related configurations, listed below, are optional and can be configured to suit therequirements of your network.

IGMP snooping configuration navigation

About this task

• Configuring IGMP snooping on a VLAN on page 191• Configuring IGMP send query on a VLAN on page 192• Configuring IGMP proxy on a VLAN on page 192• Configuring the IGMP version on a VLAN on page 193• Configuring static mrouter ports on a VLAN on page 194• Displaying IGMP snoop, proxy, and mrouter configuration on page 194• Configuring IGMP parameters on a VLAN on page 195• Configuring the router alert option on a VLAN on page 197• Displaying IGMP interface information on page 197• Displaying IGMP group membership information on page 199• Configuring unknown multicast packet filter on page 200• Displaying the status of unknown multicast packet filtering on page 201• Specifying a multicast MAC address to be allowed to flood all VLANs on page 201• Displaying the multicast MAC addresses for which flooding is allowed on page 202• Displaying IGMP cache information on page 203• Flushing the router table on page 203• Configuring IGMP selective channel block on page 204

Configuring IGMP snooping on a VLAN

About this taskEnable IGMP snooping on a VLAN to forward the multicast data to only those ports that aremembers of the group.

IGMP snooping is disabled by default.

Procedure

To enable IGMP snooping, enter the following from the VLAN Interface Configurationcommand mode:[default] [no] ip igmp snooping



OREnter the following from the Global Configuration command mode:[default] vlan igmp <vid> [snooping {enable | disable}]


Variable Valuedefault Disables IGMP snooping on the selected VLAN.

no Disables IGMP snooping on the selected VLAN.

enable Enables IGMP snooping on the selected VLAN.

disable Disables IGMP snooping on the selected VLAN.

Configuring IGMP send query on a VLAN

About this taskUse this procedure to enable IGMP send query on a snoop-enabled VLAN. When IGMPsnooping send query is enabled, the IGMP snooping querier sends out periodic IGMP queriesthat trigger IGMP report messages from the switch or host that wants to receive IP multicasttraffic. IGMP snooping listens to these IGMP reports to establish appropriate forwarding.

IGMP send query is disabled by default.

Prerequisites

You must enable snoop on the VLAN.

Procedure

To enable IGMP send query, enter the following command from the VLAN InterfaceConfiguration mode:ip igmp send-query

Configuring IGMP proxy on a VLAN

About this taskUse this procedure to enable IGMP proxy on a snoop-enabled VLAN. With IGMP proxyenabled, the switch consolidates incoming report messages into one proxy report for thatgroup.

IGMP proxy is disabled by default.




Prerequisites

You must enable snoop on the VLAN.

Procedure

To enable IGMP proxy, enter the following from the VLAN Interface Configurationmode:[default] [no] ip igmp proxyOREnter the following from the Global Configuration command mode:[default] [no] vlan igmp <vid> [proxy {enable | disable}]


Variable Valuedefault Disables IGMP proxy on the selected VLAN.

no Disables IGMP proxy on the selected VLAN.

<vid> Specifies the VLAN ID.

enable Enables IGMP proxy on the selected VLAN.

disable Disables IGMP proxy on the selected VLAN.

Configuring the IGMP version on a VLAN

About this taskUse this procedure to configure the IGMP version running on the VLAN. You can specify theversion as IGMPv1, IGMPv2, or IGMPv3 (IGMPv3 is supported for IGMP snooping only; it isnot supported with PIM-SM). The default is IGMPv2.

Procedure

To configure the IGMP version, enter the following from the VLAN InterfaceConfiguration mode:[default] ip igmp version <1-3>


Variable Valuedefault Restores the default IGMP protocol version (IGMPv2).

<1-3> Specifies the IGMP version.



Configuring static mrouter ports on a VLAN

About this taskIGMP snoop considers the port on which the IGMP query is received as the active IGMPmulticast router (mrouter) port. By default, the switch forwards incoming IGMP MembershipReports only to the active mrouter port.

To forward the IGMP reports to additional ports, you can configure the additional ports as staticmrouter ports.

Procedure

To configure static mrouter ports on a VLAN (IGMPv1, IGMPv2, and IGMPv3 accordingto the supported version on the VLAN), enter the following from the VLAN InterfaceConfiguration mode:[default] [no] ip igmp mrouter <portlist>ORTo configure IGMPv1 or IGMPv2 static mrouter ports, enter the following from theGlobal Configuration command mode:[no] vlan igmp <vid> {v1-members | v2-members} [add | remove]<portlist>


Variable Valuedefault Removes all static mrouter ports.

no Removes the specified static mrouter port.

<portlist> Specifies the list of ports to add or remove as staticmrouter ports.

{v1-members | v2-members} Specifies whether the static mrouter ports areIGMPv1 or IGMPv2.

[add | remove] Specifies whether to add or remove the staticmrouter ports.

Displaying IGMP snoop, proxy, and mrouter configuration

About this taskUse this procedure to display the IGMP snoop, proxy, and mrouter configuration per VLAN.




Procedure

To display IGMP snoop information, enter:show ip igmp snooping


Variable ValueVlan Indicates the Vlan ID.

Snoop Enable Indicates whether snoop is enabled (true) or disabled(false).

Proxy Snoop Enable Indicates whether IGMP proxy is enabled (true) or disabled(false).

Static Mrouter Ports Indicates the static mrouter ports in this VLAN that provideconnectivity to an IP multicast router.

Active Mrouter Ports Displays all dynamic (querier port) and static mrouter portsthat are active on the interface.

Mrouter Expiration Time Specifies the time remaining before the multicast router isaged out on this interface. If the switch does not receivequeries before this time expires, it flushes out all groupmemberships known to the VLAN. The Query MaxResponse Interval (obtained from the queries received) isused as the timer resolution.

Configuring IGMP parameters on a VLAN

About this taskUse this procedure to configure the IGMP parameters on a VLAN.

Important:The query interval, robustness, and version values must be the same as those configuredon the interface (VLAN) of the multicast router (IGMP querier).

Procedure

To configure IGMP parameters, enter the following from the VLAN InterfaceConfiguration mode:[default] ip igmp [last-member-query-interval<last-mbr-query-in>] [query-interval<query-int>] [query-max-response<query-max-resp>] [robust-value<robust-val>] [version<1-3>]OR



enter the following from the Global Configuration command mode:[default] vlan igmp <vid> [query-interval<query-int<] [robust-value<robust-val>]


Variable Valuedefault Sets the selected parameter to the default value. If no

parameters are specified, snoop is disabled and all IGMPparameters are set to their defaults.

<last-mbr-query-int> Sets the maximum response time (in 1/10 seconds) thatis inserted into group-specific queries sent in response toleave group messages. This parameter is also the timebetween group-specific query messages. This value isnot configurable for IGMPv1.Decreasing the value reduces the time to detect the lossof the last member of a group.The range is from 0–255, and the default is 10 (1 second).Avaya recommends configuring this parameter to valueshigher than 3. If a fast leave process is not required,Avaya recommends values above 10. (The value 3 isequal to 0.3 of a second, and 10 is equal to 1.0 second.)

<query-int> Sets the frequency (in seconds) at which host querypackets are transmitted on the VLAN.The range is 1–65535. The default value is 125seconds.

<query-max-resp> Specifies the maximum response time (in 1/10 seconds)advertised in IGMPv2 general queries on this interface.The range is 0–255. The default value is 100 (10seconds).

<robust-val> Specifies tuning for the expected packet loss of anetwork. This value is equal to the number of expectedquery packet losses for each serial query interval, plus 1.If you expect a network to lose query packets, you mustincrease the robustness value.Ensure that the robustness value is the same as theconfigured value on the multicast router (IGMP querier).The range is from 2 to 255, and the default is 2. Thedefault value of 2 means that one query for each queryinterval can be dropped without the querier aging out.




Configuring the router alert option on a VLAN

About this taskUse this command to enable the router alert feature. This feature instructs the router to dropcontrol packets that do not have the router-alert flag in the IP header.

Important:To maximize your network performance, Avaya recommends that you set the router alertoption according to the version of IGMP currently in use: IGMPv1—Disable IGMPv2—Enable IGMPv3—Enable

Procedure

To configure the router alert option on a VLAN, enter the following from the VLANInterface Configuration mode:[default] [no] ip igmp router-alert


Variable Valuedefault Disables the router alert option.

no Disables the router alert option.

Displaying IGMP interface information

About this taskUse this procedure to display IGMP interface parameters.

Procedure

To display the IGMP interface information, enter:show ip igmp interface [vlan <vid>]OREnter:show vlan igmp <vid>



Job aid

The following table shows the field descriptions for the show ip igmp interfacecommand command.

Field DescriptionVLAN Indicates the VLAN on which IGMP is configured.

Query Intvl Specifies the frequency (in seconds) at which host querypackets are transmitted on the interface.

Vers Specifies the version of IGMP configured on thisinterface.

Oper Vers Specifies the version of IGMP running on this interface.

Querier Specifies the IP address of the IGMP querier on the IPsubnet to which this interface is attached.

Query MaxRsp T Indicates the maximum query response time (in tenths ofa second) advertised in IGMPv2 queries on this interface.

Wrong Query Indicates the number of queries received whose IGMPversion does not match the Interface version. You mustconfigure all routers on a LAN to run the same version ofIGMP. Thus, if queries are received with the wrong version,a configuration error occurs.

Joins Indicates the number of times a group membership wasadded on this interface.

Robust Specifies the robust value configured for expected packetloss on the interface.

LastMbr Query Indicates the maximum response time (in tenths of asecond) inserted into group-specific queries sent inresponse to leave group messages, and is also the amountof time between group-specific query messages. Use thisvalue to modify the leave latency of the network. A reducedvalue results in reduced time to detect the loss of the lastmember of a group. This does not apply if the interface isconfigured for IGMPv1.

Send Query Indicates whether the ip igmp send-query feature isenabled or disabled. Values are YES of NO. Default isdisabled.

The following table shows the field descriptions for the show vlan igmp command.

Field DescriptionSnooping Indicates whether snooping is enabled or disabled.




Field DescriptionProxy Indicates whether proxy snoop is enabled or

disabled.

Robust Value Indicates the robust value configured for expectedpacket loss on the interface.

Query Time Indicates the frequency (in seconds) at which hostquery packets are transmitted on the interface.

IGMPv1 Static Router Ports Indicates the IGMPv1 static mrouter ports.

IGMPv2 Static Router Ports Indicates the IGMPv2 static mrouter ports.

Send Query Indicates whether the ip igmp send-query feature isenabled or disabled. Values are YES of NO. Defaultis disabled.

Displaying IGMP group membership information

About this taskDisplay the IGMP group information to show the learned multicast groups and the attachedports.

Procedure

To display IGMP group information, enter:show ip igmp group [count] [group <A.B.C.D>] [member-subnet<A.B.C.D>/<0-32>]OREnter:show vlan multicast membership <vid>


Variable Valuecount Displays the number of IGMP group

entries.

group <A.B.C.D> Displays group information for the specifiedgroup.

member-subnet <A.B.C.D>/<0-32 Displays group information for the specifiedmember subnet.

Job aidThe following table shows the field descriptions for the show ip igmp group command.



Field DescriptionGroup Address Indicates the multicast group address.

VLAN Indicates the VLAN interface on which the group exists.

Member Address Indicates the IP address of the IGMP receiver (host orIGMP reporter). The IP address is 0.0.0.0 if the type isstatic.

Expiration Indicates the time left before the group report expires. Thisvariable is updated upon receiving a group report.

Type Specifies the type of membership: static or dynamic.

In Port Identifies the member port for the group. This is the port onwhich group traffic is forwarded and in those case wherethe type is dynamic, it is the port on which the IGMP joinwas received.

The following table shows the field descriptions for the show vlan multicastmembership command.

Field DescriptionMulticast Group Address Indicates the multicast group address.

In Port Indicates the physical interface or a logical interface(VLAN) that received group reports from varioussources.

Configuring unknown multicast packet filter

About this taskThe default switch behavior is to flood all packets with unknown multicast addresses. Use thisprocedure to prevent the flooding of packets with unknown multicast addresses and enablethe forwarding of these packets to static mrouter ports only.

Procedure

To configure unknown multicast packet flooding, enter the following from the GlobalConfiguration mode:[no] [default] vlan igmp <vid> unknown-mcast-no-flood {enable |disable}


Variable Valueno Enables the flooding of multicast packets on the VLAN.




Variable Valuedefault Enables the flooding of multicast packets on the VLAN.

enable Prevents the flooding of multicast packets on theVLAN.

disable Enables the flooding of multicast packets on the VLAN.

Displaying the status of unknown multicast packet filtering

About this taskUse this procedure to display the status of unknown multicast filtering: enabled (no flooding)or disabled (flooding allowed).

Procedure

To display the unknown multicast flooding configuration, enter:show vlan igmp unknown-mcast-no-flood

Job aid

The following table shows the field descriptions for the show vlan igmp unknown-mcast-no-flood command.

Field DescriptionUnknown Multicast No-Flood Specifies the status of unknown multicast

filtering: enabled or disabled.

Specifying a multicast MAC address to be allowed to flood all VLANs

About this taskUse this procedure to allow particular unknown multicast packets to be flooded on all switchVLANs.

To add MAC addresses starting with 01.00.5E to the allow-flood table, you must specify thecorresponding multicast IP address. For instance, you cannot add MAC address01.00.5E.01.02.03 to the allow-flood table, but instead you must specify IP address224.1.2.3.

For all other types of MAC address, you can enter the MAC address directly to allowflooding.



Procedure

To allow particular unknown multicast packets to be flooded, enter the following fromthe Global Configuration mode:vlan igmp unknown-mcast-allow-flood {<H.H.H> |<mcast_ip_address>}


Variable Value<H.H.H> Specifies the multicast MAC address to be flooded.

Accepted formats are:

• H.H.H

• xx:xx:xx:xx:xx:xx

• xx.xx.xx.xx.xx.xx

• xx-xx-xx-xx-xx-xx

<mcast_ip_address> Specifies the multicast IP address to be flooded.

Displaying the multicast MAC addresses for which flooding is allowed

About this taskUse this procedure to display the multicast MAC addresses for which flooding is allowed onall switch VLANs.

Procedure

To display the multicast MAC addresses for which flooding is allowed, enter:show vlan igmp unknown-mcast-allow-flood

Job aid

The following table shows the field descriptions for the show vlan igmp unknown-mcast-allow-flood command.

Field DescriptionAllowed Multicast Addresses Indicates multicast addresses that can flood.




Displaying IGMP cache information

About this taskDisplay the IGMP cache information to show the learned multicast groups in the cache andthe IGMPv1 version timers.

Note: Using the show ip igmp cache command may not display the expected results in someconfigurations. If the expected results are not displayed, use the show ip igmp group commandto view the information.

Procedure

To display the IGMP cache information, enter:show ip igmp cache

Job aid

The following table shows the field descriptions for the show ip igmp cache command.

Field DescriptionGroup Address Indicates the multicast group address.

Vlan ID Indicates the VLAN interface on which the groupexists.

Last Reporter Indicates the last IGMP host to join the group.

Expiration Indicates the group expiration time (in seconds).

V1 Host Timer Indicates the time remaining until the local routerassumes that no IGMP version 1 members exist onthe IP subnet attached to the interface. Uponhearing an IGMPv1 membership report, this valueis reset to the group membership timer.When the time remaining is nonzero, the localinterface ignores IGMPv2 leave messages that itreceives for this group.

Type Indicates whether the entry is learned dynamicallyor is added statically.

Flushing the router table

About this taskUse this procedure to flush the router table.



Procedure

To flush the router table, enter the following from the Global Configuration mode:ip igmp flush vlan <vid> {grp-member|mrouter}


Variable Value{grp-member|mrouter} Flushes the table specified by type.

Configuring IGMP selective channel block

About this taskIn certain deployment scenarios it might be required not to allow multicast streaming fromspecific group addresses to users connected to certain ports. With the IGMP selective channelblock feature this type of control can be implemented. When configured it will control the IGMPmembership of ports by blocking IGMP reports received from users on that port destined forthe specific group address/addresses. The filter can be configured to block a single multicastaddress or range of addresses.

This feature will work regardless of whether the switch is in Layer 2 IGMP snooping mode orthe full IGMP mode (PIM-SM enabled). It will also be applicable for IGMPv1 and v2.

Configuring IGMP selective channel block navigation

About this task

• Creating an IGMP profile on page 204• Deleting an IGMP profile on page 205• Applying the IGMP filter profile on interface on page 205• Removing a profile from an interface on page 205• Displaying an IGMP profile on page 206

Creating an IGMP profile

About this taskUse this procedure to create an IGMP profile.




Procedure

1. From Global Configuration mode, enter the ip igmp profile <profilenumber (1-65535)> command.

2. Enter the deny command.

3. Enter the range <ip multicast address><ip multicast address>command.

Deleting an IGMP profile

About this taskUse this procedure to delete an IGMP profile.

Procedure

To delete an IGMP profile enter the following command from Global Configurationmode:no ip igmp profile <profile number (1-65535)>

Applying the IGMP filter profile on interface

About this taskUse this procedure to apply the IGMP filter profile on an interface.

Procedure

1. From Global Configuration mode enter the interface <interface-id>command.

2. Enter the ip igmp filter <profile number> command.

Removing a profile from an interface

About this taskUse this procedure to remove a profile from an interface.



Procedure

1. From Global Configuration mode enter the interface <interface-id>command.

2. Enter the no ip igmp filter <profile number> command.

Displaying an IGMP profile

About this taskUse this procedure to display an IGMP profile.

Procedure

To display an IGMP profile enter the following command from Global Configurationmode:show ip igmp profile <cr> or <profile number>

Configuring Access ListsAbout this taskThe CLI commands detailed in this section allow for the configuration and management ofaccess lists.

Navigation

• Assigning ports to an access list on page 206• Removing an access list assignment on page 207• Creating an IP access list on page 207• Removing an IP access list on page 208• Creating a Layer 2 access list on page 209• Removing a Layer 2 access list on page 210

Assigning ports to an access listAbout this taskAssign ports to an access list by performing this the procedure.




Procedure

Assign ports to an access list by using the following command in Global Configurationmode.qos acl-assign port <port_list> acl-type {ip | l2} name <name>


Variable Valueport <port_list> Specifies the list of ports assigned to the specified access list.

acl-type {ip | l2} Specifies the type of access list used; IP or Layer 2.

name <name> Specifies the name of the access list to be used. Access listsmust be configured before ports can be assigned to them.

Removing an access list assignmentAbout this taskRemove an access list assignment by performing this procedure.

Procedure

Remove an access list assignment by using the following command from GlobalConfiguration mode.no qos acl-assign <aclassignid>

Creating an IP access listAbout this taskCreate an IP access list by performing this procedure.

Procedure

Create an access list by using the following procedure from Global Configurationmode.qos ip-acl name <name> [addr-type <addrtype>] [src-ip<source_ip>] [dst-ip <destination_ip>] [ds-field <dscp>][{protocol <protocol_type> | next_header <header>}] [src-port-min <port> src-port-max <port>] [dst-port-min <port> dst-port-

Configuring Access Lists


max <port>] [flow-id <flowid>] [drop-action {drop | pass}][update-dscp <0 - 63>] [update-1p <0 - 7>] [set-drop-prec {highdrop | low drop}] [block <block_name>]


Variable Valuename <name> Specifies the name assigned to this access list.

addr-type <addrtype> Specifies the IP address type to use for the access list.

src-ip <source_ip> Specifies the source IP address to use for this access list.

dst-ip <destination_ip> Specifies the destination IP address to use for this access list.

ds-field <dscp> Specifies the DSCP value to use for this access list.

{protocol <protocol_type>| next_header <header>}

Specifies the protocol type or IP header to use with this accesslist.

src-port-min <port> src-port-max <port>

Specifies the minimum and maximum source ports to use withthis access list. Both values must be specified.

dst-port-min <port> dst-port-max <port>

Specifies the minimum and maximum destination ports to usewith the access list. Both values must be specified.

flow-id <flowid> Specifies the flow ID to use with this access list.

drop-action {drop | pass} Specifies the drop action to use for this access list.

update-dscp <0 - 63> Specifies the DSCP value to update for this access list.

update-1p <0 - 7> Specifies the 802.1p value to update for this access list.

set-drop-prec {high drop |low drop}

Specifies the drop precedence to configure for this access list.

block <block_name> Specifies the block name to associate with the access list.

Removing an IP access listAbout this taskRemove an IP access list by performing this procedure.

Procedure

Remove an access list by using the following command from Global Configurationmode.




no qos ip-acl <aclid>

Creating a Layer 2 access listAbout this taskCreate a Layer 2 access list by performing this procedure.

Procedure

Create an access list by using the following command from Global Configurationmode.qos l2-acl name <name> [src-mac <source_mac_address>] [src-mac-mask <source_mac_address_mask>] [dst-mac<destination_mac_address>] [dst-mac-mask<destination_mac_address_mask>] [vlan-min <vid_min> vlan-max<vid_max>] [vlan-tag <vtag>] [ethertype <etype>] [priority<ieee1p_seq>] [drop-action {drop | pass}] [update-dscp <0 -63>] [update-1p <0 - 7>] [set-drop-prec {high-drop | low-drop}][block <block_name>]Note: Possible values for vlan-max are based on the binary value of vlan-min, and areobtained by replacing consecutive trailing zeros in this binary value with ones, startingat the right-most position. For example, if vlan-min = 200, then there are 4 possiblevalues for vlan-max: 11001000 (200) 11001001 (201) 11001011 (203) 11001111 (207)The value of vlan-max is vlan-min + 2n - 1, where n is the number of consecutive trailingzeros replaced.


Variable Valuename <name> Specifies the name assigned to this access list.

src-mac<source_mac_address>

Specifies the source MAC address to use for this access list.

src-mac-mask<source_mac_address_mask>

Specifies the source MAC address mask to use for this accesslist.

[dst-mac<destination_mac_address>]

Specifies the destination MAC address to use for this accesslist.

Configuring Access Lists


Variable Valuedst-mac-mask<destination_mac_address_mask>

Specifies the destination MAC address mask to use for thisaccess list.

vlan-min <vid_min> vlan-max <vid_max>

Specifies the minimum and maximum VLANs to use with thisaccess list. Both values must be specified.

vlan-tag <vtag> Specifies the VLAN tag to use with this access list.

ethertype <etype> Specifies the Ethernet protocol type to use with the accesslist.

priority <ieee1p_seq> Specifies the priority value to use with this access list.

drop-action {drop | pass} Specifies the drop action to use for this access list.

update-dscp <0 - 63> Specifies the DSCP value to update for this access list.

update-1p <0 - 7> Specifies the 802.1p value to update for this access list.

set-drop-prec {high-drop |low-drop}

Specifies the drop precedence to configure for this access list.

block <block_name> Specifies the block name to associate with the access list.

Removing a Layer 2 access listAbout this taskRemove a Layer 2 access list by performing this procedure.

Procedure

Remove an access list by using the following command from Global Configurationmode.no qos l2-acl <aclid>

Configuring Elements, Classifiers, and Classifier BlocksAbout this taskUse the CLI commands in this section to configure elements, classifiers, and classifierblocks.




Navigation

• Configuring IP classifier element entries on page 211• Viewing IP classifier entries on page 212• Removing IP classifier entries on page 212• Adding Layer 2 elements on page 213• Viewing Layer 2 elements on page 214• Removing Layer 2 elements on page 214• Linking IP and L2 classifier elements on page 215• Removing classifier entries on page 215• Combining individual classifiers on page 216• Removing classifier block entries on page 217

Configuring IP classifier element entriesAbout this taskUse the following procedure to add and configure classifier entries.

Procedure

Add and configure classifier entries by using the following command from GlobalConfiguration mode.qos ip-element <cid> [addr-type <addrtype>] [ds-field <dscp>][dst-ip <dst-ip-info>] [dst-port-min <port>] [flow-id <flowid>][ip-flag <ip-flags>] [ipv4-options <no-opt | with-opt>] [next-header <nextheader>] [session-id] [src-ip <src-ip-info>] [src-port-min <port>] [tcp-control <tcp-flags>]


Variable Value<cid> Specifies the element ID, value ranges from 1–

55000.

addr-type <addrtype> Specifies the address type. Use the value ipv4 toindicate an IPv4 address or the value ipv6 to indicatean IPv6 address. The default value is ipv4.

ds-field <0-63> Specifies a 6-bit DSCP value; value ranges from 0–63.Default is ignore.

Configuring Elements, Classifiers, and Classifier Blocks


Variable Valuedst-ip <dst-ip-info> Specifies the source IP address and mask in the form

of a.b.c.d/x for IPv4, or x:x:x:x:x:x:x:x/z for IPv6.Default is 0.0.0.0.

dst-port-min <port> Specifies the L4 destination port minimum value.

flow-id <flowid> Specifies the IPv6 flow identifier.

ip-flag <ip-flags> Specifies the flags present in an IPv4 header.

ipv4-options <no-opt | with-opt> Specifies whether the Option field is present in thepacket header. Valid values are

• no-opt—indicates that only IPv4 packets withoutoptions will match this classifier element.

• with-opt—indicates that only IPv4 packets withoptions will match this classifier element.

next-header Specifies the IPv6 next header classifier criteria; rangeis 0–255.

src-ip <src-ip-info> Specifies the source IP address and mask in the formof a.b.c.d/x for IPv4, or x:x:x:x:x:x:x:x/z for IPv6.Default is 0.0.0.0.

session-id Specifies the session ID.

src-port-min <port> Specifies the L4 source port minimum value.

tcp-control <tcp-flags> Specifies the control flags present in an TCP header.

Viewing IP classifier entriesAbout this taskView IP classifier entries by performing this procedure.

Procedure

View IP classifier element entries by using the following commands from the PrivilegedEXEC Configuration mode.show qos ip-element [<1-65535>] [all] [system] [user]

Removing IP classifier entriesAbout this taskUse the following procedure to remove IP classifier entries.




Note: An IP element that is referenced in a classifier cannot be deleted.

Procedure

Remove IP classifier entries by using the following command from GlobalConfiguration mode.no qos ip-element <1-55000>

Adding Layer 2 elementsAbout this taskUse the following procedure to add Layer 2 elements.

Note: A Layer 2 element referenced in a classifier cannot be deleted.

Procedure

Add Layer 2 elements by using the following command from the Global Configurationmode.qos l2-element <1-55000> [dst-mac <dst-mac>] [dst-mac-mask<dst-mac-mask>] [ethertype <etype>] [ivlan-min <vid-min>] [pkt-type <etherII | llc | snap>] [priority <ieee1p-seq>] [session-id <session-id>] [src-mac <src-mac>] [src-mac-mask <src-mac-mask>] [vlan-min <vid-min>] [vlan-tag <vtag>]


Variable Value<1-55000> Specifies the element ID; range is 1–55000.

dst-mac <dst-mac> Specifies the destination MAC element criteria.Valid format is H.H.H.

dst-mac-mask <dst-mac-mask> Specifies the destination MAC mask elementcriteria. Valid format is H.H.H.

ethertype <etype> Specifies the Ethernet type. Valid format is0xXXXX, for example, 0x0801. Default isignore.

ivlan-min <vid-min> Specifies the inner VLAN ID minimum valueelement criteria. Range is 1–4094.

pkt-type <etherII | llc | snap> Specifies the packet frame format.



Variable Value

• etherII—indicates that only Ethernet II formatframes match this classifier component.

• snap—indicates that only EEE 802 SNAPformat frames match this classifiercomponent.

• llc—indicates that only IEEE 802 LLC formatframes match this classifier component.

priority <ieee1p-seq> Specifies the 802.1p priority values; range from0–7 or all. Default is ignore.

session-id <session-id> Specifies the session ID.

src-mac <src-mac> Specifies the source MAC element criteria. Enterin the format H.H.H.

src-mac-mask <src-mac-mask> Specifies the source MAC mask element criteria.Valid format is H.H.H.

vlan-min <vid-min> Specifies the VLAN ID minimum value elementcriteria. Range is 1–4094.

vlan-tag <format> Specifies the packet format element criteria:

• untagged

• tagged

The default is Ignore.

Viewing Layer 2 elementsAbout this taskView Layer 2 elements by performing this procedure.

Procedure

View Layer 2 element entries by using the following commands from the PrivilegedEXEC Configuration mode.show qos l2-element [<1-65535>] [all] [system] [user]

Removing Layer 2 elementsAbout this taskUse the following procedure to delete Layer 2 element entries.




Procedure

Delete element entries by using the following command from Global Configurationmode.no qos l2-element <1-55000>

Linking IP and L2 classifier elementsAbout this taskUse the following procedure to link IP and L2 classifier elements.

Note: A classifier that is referenced in a classifier block or installed policy cannot be deleted.

Procedure

Link elements by using the following command from Global Configuration mode.qos classifier <1-55000> set-id <1-55000> [name <WORD>]element-type {ip | l2 | system} element-id <1-55000>


Variable Valueclassifier <1-55000> Specifies the classifier ID; range is 1–55000.

set-id <1-55000> Specifies the classifier set ID; range is 1–55000.

name <WORD> Specifies the set label; maximum is 16 alphanumericcharacters.

element-type {ip| l2 |system} Specifies the element type; either ip or l2, or systemclassifier.

element-id <1-55000> Specifies the element ID; range is 1–55000.

Removing classifier entriesAbout this taskUse the following procedure to delete classifier entries.



Note: Each classifier can have only a single IP classifier element plus a single L2 classifierelement or system classifier element. However, a classifier can be created using only one IPclassifier element or only one L2 classifier element or only one system classifier element.

Procedure

Delete classifier entries by using the following command from Global Configurationmode.no qos classifier <1-55000>

Combining individual classifiersAbout this taskUse the following procedure to combine individual classifiers.

Note: A classifier block that is referenced in an installed policy cannot be deleted.

Procedure

Combine individual classifiers by using the following command from GlobalConfiguration mode.qos classifier-block <1-55000> block-number <1-55000> [name<WORD>]{set-id <1-55000> | set-name <WORD>} [{in-profile-action<1-55000> | in-profile-action-name <WORD>} | {meter <1-55000> |meter-name <WORD>}]


Variable Valueclassifier-block<1-55000> Specifies an the classifier block ID; range is 1–55000.

block-number <1-55000> Specifies the classifier block number; range is 1–55000.

name <WORD> Specifies the label for the classifier block; maximum is 16alphanumeric characters.

set-id <1-55000> Specifies the classifier set to be linked to the classifier block;range is 1–55000.

set-name <WORD> Specifies the classifier set name to be linked to the classifierblock; maximum is 16 alphanumeric characters.

in-profile-action<1-55000>

Specifies the in profile action to be linked to the filter block;range is 1–55000.




Variable Valuein-profile-action-name<WORD>

Specifies the in profile action name to be linked to the classifierblock; maximum is 16 alphanumeric characters.

meter <1-55000> Specifies the meter to be linked to the classifier block; rangeis 1–55000.

meter-name <WORD> Specifies the meter name to be linked to the classifier block;maximum is 16 alphanumeric characters.

Removing classifier block entriesAbout this taskUse the following procedure to delete classifier block entries.

Procedure

Delete classifier block entries by using the following command from GlobalConfiguration mode.no qos classifier-block <1-55000>

Configuring wired Quality of ServiceAbout this taskThis chapter discusses how to configure DiffServ and Quality of Service (QoS) parameters forpolicy-enabled networks.

Note: When the ignore value is used in QoS, the system matches all values for thatparameter.

Navigation

• Displaying QoS Parameters on page 218• Displaying QoS capability policy configuration on page 222• Configuring Access Lists on page 206• QoS Agent configuration on page 223• Configuring Default Buffering Capabilities on page 225• Configuring the CoS-to-Queue Assignments on page 226• Configuring QoS Interface Groups on page 227• Configuring DSCP and 802.1p and Queue Associations on page 229

Configuring wired Quality of Service


• Configuring Elements, Classifiers, and Classifier Blocks on page 210• Configuring QoS system-element on page 232• Configuring QoS Actions on page 234• Configuring QoS Interface Action Extensions on page 236• Configuring QoS Meters on page 237• Configuring QoS Interface Shaper on page 239• Configuring QoS Policies on page 240• QoS Generic Filter set configuration on page 242• Configuring User Based Policies on page 244• Maintaining the QoS Agent on page 247• Configuring DoS Attack Prevention Package on page 251

Displaying QoS ParametersAbout this taskDisplay QoS parameters by performing this procedure.

Procedure

Display QoS parameters by using the following command from Privileged EXECmode.show qos { acl-assign <1 - 65535> | action [user | system | all| <1-65535>] | agent [details]| arp {spoofing [port] } | bpdu{blocker [port] } | capability [meter|shaper] | classifier[user | system | all | <1-65535>] | classifier-block [user |system | all |<1-65535> ] | dhcp {snooping [port] | spoofing[port] } | diag [unit] | dos {nachia [port] | sqlslam [port] |tcp-dnsport [port] | egressmap [ds| status]| if-action-extension [user | system | all | <1-65535>] | if-assign [port]| if-group | if-shaper [port] | ingressmap | ip-acl <1 - 65535>| ip-element [user | system | all | <1-65535>] | l2-acl <1 -65535> | l2-element [user | system | all | <1-65535>] | meter[user | system | all | <1-65535>] | nsna | policy [user | system| all | <1-65535>] | queue-set | queue-set-assignment |statistics <1-65535> | system-element [user | system | all |<1-65535>] | ubp | user-policy}





Variable Valueacl-assign <1 - 65535> Displays the specified access list assignment entry.

<1-65535>—Displays a particular entry.

action [<1-65535> | all |system | user]

Displays the base action entries. The applicable values are:

• <1-65535>—displays a particular entry.

• all—displays user-created, default, and system entries.

• system—displays only system entries.

• user—displays only user-created and default entries.

Default is all.

agent <details> Displays the global QoS parameters.details—displays the policy class support table.

arp spoofing Displays QoS ARP spoofing prevention settings. Thisparameter not available on 8100 Series.

bpdu blocker Displays QoS BPDU settings.blocker—displays QoS BPDU blocker settings.This parameter not available on 8100 Series.

capability [meter | shaper] Displays the current QoS meter and shaper capabilities ofeach interface. The applicable values are:

• meter—displays QoS port meter capabilities.

• shaper—displays QoS port shaper capabilities.

classifier [<1-65535> | all |system user]

Displays the classifier set entries. The applicable values are:


• all—displays all user-created, default, and system entries.



Default is all.

classifier-block [<1-65535>| all | system | user]

Displays the classifier block entries. The applicable values are:





Default is all.



Variable Valuedhcp [snooping | spoofing] Displays QoS DHCP settings. The applicable values are:

• snooping—displays QoS DHCP snooping settings.

• spoofing—displays QoS DHCP spoofing preventionsettings.

This parameter not available on 8100 Series.

diag [unit] Displays the diagnostics entries.unit <1-8>—displays diagnostic entries for particular unit

dos [nachia | sqlslam | tcp-dnsport | tcp-ftpport | tcp-synfinscan | xmas]

Displays QoS DoS settings. The applicable values are:

• nachia—displays QoS DoS Nachia settings.

• sqlslam—displays QoS DoS SQLSlam settings.

• tcp-dnsport—displays QoS DoS TCP DnsPort settings.

• tcp-ftpport—displays QoS DoS TCP FtpPort settings.

• tcp-synfinscan—displays QoS DoS TCP SynFinScansettings.

• xmas—displays QoS DoS Xmas settings.

This parameter not available on 8100 Series.

egressmap Displays the association between the DSCP and the 802.1ppriority and drop precedence.

if-action-extension[<1-65535> | all | system |user]

Displays the interface action extension entries. The applicablevalues are:





Default is all.

if-assign [port] Displays the list of interface assignments.port—List of ports. Displays the configuration for particularports

if-group Displays the interface groups.

if-shaper [port] Displays the interface shaping parameters.port—List of ports. Displays the configuration for particularports

ingressmap Displays the 802.1p priority to DSCP mapping.

ip-acl <1 - 65535> Displays the specified IP access list assignment entry.

<1-65535>—displays a particular entry.




Variable Valueip-element [<1-65535> | all| system | user]

Displays the IP classifier element entries. The applicablevalues are:





Default is all.

l2-acl <1 - 65535> Displays the specified Layer 2 access list assignment entry.


l2-element [<1-65535> | all| system | user]

Displays the Layer 2 classifier element entries. The applicablevalues are:





Default is all.

meter [<1-65535> | all |system | user]

Displays the meter entries. The applicable values are:





Default is all.

nsna [classifier | interface |name]

Displays QoS NSNA entries. The applicable values are:

• classifier—displays QoS NSNA classifier entries.

• interface—displays QoS NSNA interface entries.

• name—specifies the label to display a particular NSNAtemplate entry.

policy [<1-65535> | all |system | user]

Displays the policy entries. The applicable values are:





Default is all.



Variable Valuequeue-set Displays the queue set configuration.

queue-set-assignment Displays the association between the 802.1p priority to that ofa specific queue.

statistics <1-65535> Displays the policy and filter statistics values.


system-element[<1-65535> | all | system |user]

Displays the system classifier element entries. The applicablevalues are:





ubp [classifier | interface |name]

Displays QoS UBP entries. The applicable values are:

• classifier—displays QoS UBP classifier entries.

• interface—displays QoS UBP interface entries.

• name—specifies the label to display a particular UBPtemplate entry.

user-policy Displays QoS User Policy entries.

Displaying QoS capability policy configurationAbout this taskDisplay QoS meter and shaper capabilities for system ports by performing this procedure.

Procedure

Display QoS capability policy configuration by using the following command fromPrivileged EXEC mode:show qos capability {meter [port] | shaper [port]}





Variable Valuemeter [port] Displays granularity for committed rate, maximum committed

rate and maximum bucket that can be used on ports formeters.port—specifies list of ports. Displays the information forparticular ports

shaper [port] Displays granularity for committed rate, maximum committedrate and maximum bucket that can be used on ports forshapers.port—specifies list of ports. Displays the information forparticular ports

QoS Agent configurationAbout this taskThe CLI commands detailed in this section allow for the configuration and management of theQoS Agent.

Navigation

• Globally enabling and disabling QoS Agent support on page 223• Configuring a default queue set on page 224• Modifying default queue configuration on page 225

Globally enabling and disabling QoS Agent support

About this taskPerform this procedure to globally enable or disable QoS Agent support. The commands usedin this procedure are available in Global Configuration mode.

QoS Agent support is enabled by default. QoS Agent support cannot be disabled if QoSfunctionality is currently used by NSNA or UBP.

Procedure

1. Globally enable QoS Agent support using the following command:qos agent oper-mode [enable]OR



default qos agent [oper-mode]2. Globally disable QoS Agent support using the following commands:

qos agent oper-mode [disable]ORno qos agent oper-mode [enable]


Variable Valueenable Enables QoS Agent functionality for the system.

disable Disables QoS Agent functionality for the system.

Configuring a default queue set

About this taskUse the following procedure to specify the default queue set.

Note: The default qos agent command has the same result as the qos agent reset-defaultcommand.

Procedure

Configure the queue set by using the following command from Global Configurationmode.default qos agent [buffer | dos-attack-prevention | nt-mode |nvram-delay | queue-set | statistics-tracking | ubp]


Variable Valuebuffer Restores default QoS resource buffer allocation.

dos-attack-prevention Restores default QoS DoS Attack Prevention. This parameteris only available on the 5600 Series switch.

nt-mode Restores default QoS NT application traffic processing mode.

nvram-delay Restores default maximum time in seconds to writeconfiguration data to a nonvolatile storage.

queue-set Restores default QoS queue set.

statistics-tracking Restores default QoS statistics tracking support.

ubp Restores default QoS UBP support level.




Job aid: Viewing the QoS agentAbout this taskThe following is an example for viewing the qos agent5530-24TFD(config)#show qos agent QoS Operational Mode: Enabled QoSNVRam Commit Delay: 10 seconds QoS Queue Set: 2 QoS Buffering: LargeQoS UBP Support Level: Low Security Local Data QoS Default StatisticsTracking: Aggregate QoS DOS Attack Prevention: Disabled Minimum TCPHeader Length: 20 Maximum IPv4 ICMP Length: 512 Maximum IPv6 ICMPLength: 512 QoS NT mode: Disabled

Modifying default queue configuration

About this taskUse the following procedure to modify the default queue configuration.

Note: The queue-set value sets the number of queues in a queue set for each port type. Thedefault value is 2.

Procedure

Modify the configuration by using the following command from Global Configurationmode.qos agent queue-set <1-8>

Configuring Default Buffering CapabilitiesAbout this taskUse the following CLI commands to display and modify the buffer allocation mode.

Navigation

• Configuring default QoS resource buffer on page 225• Modifying QoS resource buffer allocation on page 226

Configuring default QoS resource buffer

About this taskUse the following procedure to allocate the default QoS resource buffer.



Procedure

Restore the default the resource buffer by using the following command from GlobalConfiguration mode.default qos agent buffer

Modifying QoS resource buffer allocation

About this taskUse the following procedure to modify QoS resource buffer allocation.

Procedure

Modify resource buffer allocation by using the following command from GlobalConfiguration mode.qos agent buffer <regular | large | maximum>


Variable Valuebuffer Modifies the QoS resource buffer allocation. The

allowed buffer allocation modes for all QoS interfacesare as follows:

• regular

• large

• maximum

Note: The buffer mode determines the level of resourcesharing across interfaces sharing the same porthardware.

Configuring the CoS-to-Queue AssignmentsAbout this taskUse the following CLI commands to display and modify CoS-to-queue assignments.




Configuring 802.1p priority values

About this taskUse the following procedure to associate the 802.1p priority values with a specific queue withina specific queue set. This association determines the egress scheduling treatment that trafficwith a specific 802.1p priority value receives.

Procedure

Configure priority values by using the following command from Global Configurationmode.qos queue-set-assignment queue-set <1-56> 1p <0-7> queue <1-8>


Variable Valuequeue-set <1-56> Specifies the queue-set, value ranges from 1–56.

1p <0-7> Specifies the 802.1p priority value for which the queueassociation is being modified; value ranges from 0–7.

queue <1-8> Specifies the queue within the identified queue set to assign the802.1p priority traffic at egress, value ranges from 1–8.

Configuring QoS Interface GroupsAbout this taskUse the CLI commands in this section to add or delete ports to or from an interface group, oradd or delete the interface groups themselves.

Navigation

• Configuring ports for an interface group on page 227• Removing ports from an interface group on page 228• Creating an interface group on page 228• Removing an interface group on page 229

Configuring ports for an interface group

About this taskUse the following procedure to add ports to a defined interface group.



Note: The system automatically removes the port from an existing interface group to assign itto a new interface group.

Procedure

Add ports by using the following command from Interface Configuration mode.qos if-assign [port <portlist>] name [<WORD>]


Variable Valueport <portlist> Specifies the ports to add to interface group.

name <WORD> Specifies name of interface group.

Removing ports from an interface group

About this taskUse the following procedure to delete ports from a defined interface group.

Note: Ports not associated with an interface are considered QoS-disabled and may not haveQoS operations applied until assigned to an interface group.

Procedure

Delete ports by using the following command from Interface Configuration mode.no qos if-assign [port <portlist>]

Creating an interface group

About this taskUse the following procedure to create interface groups.

Procedure

Create interface groups by using the following command from Global Configurationmode.qos if-group name <WORD> class <trusted | untrusted |unrestricted>





Variable Valuename <WORD> Specifies the name of the interface group; maximum is 32 US-

ASCII. Name must begin with a letter a..z or A..Z.

class <trusted | untrusted| unrestricted>

Defines a new interface group and specifies the class of trafficreceived on interfaces associated with this interface group:

• trusted

• untrusted

• unrestricted

Removing an interface group

About this taskUse the following procedure to delete interface groups.

Note 1: An interface group referenced by an installed policy cannot be deleted.

Note 2: An interface group associated with ports cannot be deleted.

Procedure

Delete interface groups by using the following command from Global Configurationmode.no qos if-group name <WORD>

Configuring DSCP and 802.1p and Queue AssociationsAbout this taskThis section contains procedures used to configure DSCP, 802.1p priority and queue setassociations.

Navigation

• Configuring DSCP to 802.1p priority on page 230• Restoring egress mapping entries to default on page 230• Configuring 802.1p priority to DSCP on page 231• Restoring ingress mapping entries to default on page 231



Configuring DSCP to 802.1p priority

About this taskUse the following procedure to configure DSCP-to-802.1p priority and drop precedenceassociations that are used for assigning these values at packet egress, based on the DSCPin the received packet.

Procedure

Configure priority by using the following command from Global Configuration mode.qos egressmap [name <WORD>] ds <0-63> 1p <0-7> dp <low-drop |high-drop>


Variable Valuename <WORD> Specifies the label for the egress mapping.

ds <0-63> Specifies the DSCP value used as a lookup key for 802.1ppriority and drop precedence at egress when appropriate; rangeis between 0 and 63.

1p <0-7> Specifies the 802.1p priority value associated with the DSCP;range is between 0 and 7.

dp <low-drop | high-drop> Specifies the drop precedence values associated with theDSCP:

• low-drop

• high-drop

Restoring egress mapping entries to default

About this taskUse the following procedure to reset the egress mapping entries to factory default values.

Procedure

Reset the entries by using the following command from Global Configuration mode.default qos egressmap




Configuring 802.1p priority to DSCP

About this taskUse the following procedure to configure 802.1p priority-to-DSCP associations that are usedfor assigning default values at packet ingress based on the 802.1p value in the ingressingpacket.

Procedure

Configure priority by using the following command from Global Configuration mode.qos ingressmap [name <WORD>] 1p <0-7> ds <0-63>


Variable Valuename <WORD> Specifies the label for the ingress mapping.

1p <0-7> Specifies the 802.1p priority used as lookup key for DSCPassignment at ingress; range is between 0 and 7.

ds <0-63> Specifies the DSCP value associated with the target 802.1ppriority; range is between 0 and 63.

Restoring ingress mapping entries to default

About this taskUse the following procedure to reset the ingress mapping entries to factory default values.

Procedure

Reset the entries by using the following command from Global Configuration mode.default qos ingressmap



Configuring QoS system-elementAbout this taskNavigation

• Configuring system classifier element parameters on page 232• Viewing system classifier elements parameters on page 233• Removing system classifier element entries on page 233

Configuring system classifier element parameters

About this taskUse the following procedure to configure system classifier element parameters that may beused in QoS policies.

Procedure

Configure system classifier element parameters by using the following command fromGlobal Configuration mode.qos system-element <1-55000> [known-mcast | unknown-mcast |unknown-ucast] [pattern-format {tagged | untagged}] [pattern-ip-version {ipv4 | ipv6 | non-ip}] [pattern-data <WORD>pattern-mask <WORD>] [session-id]


Variable Value<1-55000> Specifies the system classifier element entry id; range

is 1–55000.

known-mcast Specifies the filter on known multicast destinationaddress.

unknown-mcast Specifies the filter on unknown multicast destinationaddress.

unknown-ucast Specifies the Filter on unknown unicast destinationaddress.

pattern-format { tagged | untagged } Specifies the format of data/mask pattern. Specifiesthe available values are:




Variable Value

• tagged— Data/mask pattern describes a taggedpacket

• untagged—Data/mask pattern describes anuntagged packet

pattern-data <WORD> Specifies the byte pattern data to filter on.Note: The format of the WORD string is in the form ofXX:XX:XX:....:XX.

pattern-mask <WORD> Specifies the byte pattern mask to filter on.Note: The format of the WORD string is in the form ofXX:XX:XX:....:XX.

pattern-ip-version Specifies the IP version of the pattern data or mask.

• ipv4—Filter IPv4 Header

• ipv6—Filter IPv6 Header

• non-ip—Filter non-ip packets

session-id Specifies the session ID.

Viewing system classifier elements parameters

About this taskView system classifier elements parameters by performing this procedure.

Procedure

View system classifier elements parameters by using the following commands fromthe Privileged EXEC Configuration mode.show qos system-element [<1-65535>] [all] [system] [user]

Removing system classifier element entries

About this taskUse the following procedure to remove system classifier element entries.

Procedure

Remove system classifier element entries by using the following command from GlobalConfiguration mode.



no qos system-element <1-55000>

Configuring QoS ActionsAbout this taskThe configuration of QoS actions directs the WC 8180 to take specific action on each packet.This section covers the following CLI commands.

Navigation

• Creating and updating QoS actions on page 234• Removing QoS actions on page 235

Creating and updating QoS actions

About this taskUse the following procedure to create and update QoS actions.

Note: Certain options can be restricted based on the policy associated with the specific action.An action that is referenced in a meter or an installed policy cannot be deleted.

Procedure

Create or update QoS actions by using the following command from GlobalConfiguration mode.qos action <10-55000> [name <WORD>] [drop-action <enable |disable | deferred-pass>] [update-dscp <0-63>] [update-1p{<0-7> | use-tos-prec | use-egress}] [set-drop-prec <low-drop |high-drop>] [action-ext <1-55000> | action-ext-name <WORD>]


Variable Value<10-55000> Specifies the QoS action; range is 10–55000.

name <WORD> Assigns a name to a QoS action with the designated actionID. Enter the name for the action; maximum is 16alphanumeric characters

drop-action<enable | disable| deferred-pass>

Specifies whether packets are dropped or not:




Variable Value

• enable—drop the traffic flow

• disable—do not drop the traffic flow

• deferred-pass—traffic flow decision deferred to otherinstalled policies

Default is deferred pass.Note: If you omit this parameter, the default value applies.

update-dscp <0-63> Specifies whether DSCP value are updated or leftunchanged; unchanged equals ignore. Enter the 6-bit DSCPvalue; range is 0 to 63.Default is ignore.

update-1p<0-7> Specifies whether 802.1p priority value are updated or leftunchanged; unchanged equals ignore:

• ieee1p—enter the value you want; range is 0 to 7

• use-egress—uses the egress map to assign value

• use-tos-prec—uses the type of service precedence toassign value.

Default is ignore.Note: Requires specification of update-dscp value.

set-drop-prec <low-drop |high-drop>

Specifies the drop precedence value:

• low-drop

• high-drop

Default is low-drop.

action-ext <1-55000> Specifies the action extension; range is 1–55000.

action-ext-name <WORD> Specifies a label for the action extension; maximum is 16alphanumeric characters.

Removing QoS actions

About this taskUse the following procedure to delete QoS action entries.

Note: An action cannot be deleted if referenced by a policy, classifier block, or meter.

Procedure

Delete QoS action entries by using the following command from Global Configurationmode.



no qos action <10-55000>

Configuring QoS Interface Action ExtensionsAbout this taskQoS interface action extensions direct the WC 8180 to take specific action on each packet.This section covers the following CLI commands.

Navigation

• Creating interface action extension entries on page 236• Removing interface action extension entries on page 237

Creating interface action extension entries

About this taskUse the following procedure to create interface action extension entries.

Note: An interface extension that is referenced in an action entry cannot be deleted.

Procedure

Create interface action extension entries by using the following command from GlobalConfiguration mode.qos if-action-extension <1-55000> [name <WORD>] {egress-ucast<port> | egress-non-ucast <port>}


Variable Value<1-55000> Specifies the QoS action. The range is 1–55000

name <WORD> Assigns a name to a QoS action with the designatedaction ID. Enter the name for the action; maximum is16 alphanumeric characters

egress-ucast <port> | egress-non-ucast <port>

Specifies redirection of unicast/non-unicast tospecified port.




Removing interface action extension entries

About this taskUse the following procedure to remove interface action extension entries.

Procedure

Remove interface action extension entries by using the following command fromGlobal Configuration mode.no qos if-action-extension <1-55000>

Configuring QoS MetersAbout this taskUse the following CLI commands to set the meters, if you want to meter or police the traffic,configure the committed rate, burst rate, and burst duration.

Navigation

• Creating QoS meter entries on page 237• Removing QoS meter entries on page 238

Creating QoS meter entries

About this taskUse the following procedure to create QoS meter entries.

Procedure

Create QoS meter entries by using the following command from Global Configurationmode.qos meter <1-55000> [name <WORD>] committed-rate <64-10230000>{burst-size <burst-size> max-burst-rate <64-4294967295> [max-burst-duration <1-4294967295>]} {in-profile-action <1-55000> |in-profile-action-name <WORD>} {out-profile-action <1,9-55000>| out-profile-action-name <WORD>}




Variable Value<1-55000> Specifies the QoS meter; range is 1–55000.

name <WORD> Specifies name for meter; maximum is 16alphanumeric characters.

committed-rate <64-10230000> Specifies rate that traffic must not exceed for extendedperiods to be considered in-profile. Enter the rate inKb/s for in-profile traffic in increments of 1000 Kbits/sec; range is 64 to 10230000 Kbits/sec.

burst-size <4,8,16,...,16384> Committed burst size in Kilobytes. The value range is:4, 8, 16, 32, 64, 128, 256, 512, 1024, 2048, 4096,8192, 16384.

max-burst-rate <64-4294967295> Specifies the largest burst of traffic that can bereceived a given time for the traffic to be consideredin-profile. Used in calculating the committed burst size.Enter the burst size in Kb/s for in-profile traffic; rangeis 64 to 4294967295 Kbits/sec.

max-burst-duration<1-4294967295>

Specifies the amount of time that the largest burst oftraffic that can be received for the traffic to beconsidered in-profile. Used in calculating thecommitted burst size. Enter the burst duration in msfor in-profile traffic; range is 1–4294967295 ms.

in-profile-action <1-55000> Specifies the in-profile action ID; range is 1–55000.

in-profile-action-name <WORD> Specifies the in-profile action name.

out-profile-action <1,9-55000> Specifies the out-of-profile action ID; range is 1,9 to55000.

out-profile-action-name <word> Specifies the out of profile action name.

Removing QoS meter entries

About this taskUse the following procedure to delete QoS meter entries.

Note: A meter that is referenced in an installed policy or classifier block cannot be deleted.

Procedure

Remove QoS meter entries by using the following command from Global Configurationmode.no qos meter <1-55000>




Configuring QoS Interface ShaperAbout this taskNavigation

• Configuring interface shaping on page 239• Disabling interface shaping on page 240

Configuring interface shaping

About this taskUse the following procedure to configure interface shaping.

Procedure

Configure interface shaping by using the following command from InterfaceConfiguration mode.qos if-shaper [port <portlist>] [name <WORD>] shape-rate<64-10230000> {burst-size <burst-size> max-burst-rate<64-4294967295> [max-burst-duration <1-4294967295>]}


Variable Valueburst-size <4,8,16, ..., 16384> Specifies the committed burst size in Kilobytes. The

value range is: 4, 8, 16, 32, 64, 128, 256, 512, 1024,2048, 4096, 8192, 16384.

port <portlist> Specifies the ports to configure shaping parameters.

name <WORD> Specifies name for if-shaper; maximum is 16alphanumeric characters.

shape-rate <64-10230000> Specifies the shaping rate in kilobits/sec; range is64-10230000 kilobits/sec.

max-burst-rate <64-4294967295> Specifies the largest burst of traffic that can bereceived a given time for the traffic to be consideredin-profile. Used in calculating the committed burst size.Enter the burst size in Kb/s for in-profile traffic; rangeis 64 to 4294967295 Kbits/sec.

max-burst-duration<1-4294967295>

Specifies the amount of time that the largest burst oftraffic that can be received for the traffic to beconsidered in-profile. Used in calculating the



Variable Valuecommitted burst size. Enter the burst duration in msfor in-profile traffic; range is 1–4294967295 ms.

Disabling interface shaping

About this taskUse the following procedure to disable interface shaping.

Procedure

Disable interface shaping by using the following command from Interface Configurationmode.no qos if-shaper [port <portlist>]

Configuring QoS PoliciesAbout this taskUse the following CLI commands to configure QoS policies.

Navigation

• Configuring QoS policies on page 240• Removing QoS policies on page 242

Configuring QoS policies

About this taskUse the following procedure to create and configure QoS policies.

Note: All components associated with a policy, including the interface group, element,classifier, classifier block, action, and meter, must be defined before referencing thosecomponents in a policy.

Procedure

Create a QoS policy by using the following command from Global Configurationmode.qos policy <1-55000> {enable|disable [name <WORD>] {port<port_list> | if-group <WORD>} clfr-type {classifier | block}{clfr-id <1-55000> | clfr-name <WORD>} {{in-profile-action<1-55000> | in-profile-action-name <WORD>} | meter <1-55000> |meter-name <WORD>}} [non-match-action <1-55000> | non-match-




action-name <WORD>] precedence <1-15> [track-statistics<individual | aggregate>]}


Variable Value<1-55000> Specifies the QoS policy; range is 1–55000.

enable|disable Enables or disables the QoS policy.

name <WORD> Specifies the name for the policy; maximum is 16alphanumeric characters.

port <portlist> Specifies the ports to which to directly apply thispolicy.

if-group <WORD> Specifies the interface group name to which this policyapplies; maximum number of characters is 32 US-ASCII. The group name must begin with a letter withinthe range a..z or A..Z.

clfr-type <classifier | block> Specifies the classifier type; classifier or block.

clfr-id <1-55000> Specifies the classifier ID; range is 1–55000.

clfr-name <WORD> Specifies the classifier name or classifier block name;maximum is 16 alphanumeric characters.

in-profile-action <1-55000> Specifies the action ID for in-profile traffic; range is 1–55000.

in-profile-action-name <WORD> Specifies the action name for in-profile traffic;maximum is 16 alphanumeric characters.

meter <1-55000> Specifies meter ID associated with this policy; rangeis 1–55000.

meter-name <WORD> Specifies the meter name associated with this policy;maximum of 16 alphanumeric characters.

non-match-action <1-55000> Specifies the action ID for non-match traffic; range is1–55000. This parameter is not applicable to 5600Series switches.

non-match-action-name <WORD> Specifies the action name for non-match traffic;maximum is 16 alphanumeric characters.

precedence <1-15> Specifies the precedence of this policy in relation toother policies associated with the same interfacegroup. Enter precedence number; range is 1–15.Note: Policies with a lower precedence value areevaluated after policies with a higher precedencenumber. Evaluation goes from highest value tolowest.



Variable Valuetrack-statistics <individual |aggregate>

Specifies statistics tracking on this policy, either:

• individual—statistics on individual classifiers

• aggregate—aggregate statistics

Removing QoS policies

About this taskUse the following procedure to disable QoS policy entries. Policies can be enabled using theqos policy <policynum> enable command.

Procedure

Remove QoS policy entries by using the following command from Global Configurationmode.no qos policy <1-55000>

QoS Generic Filter set configurationAbout this taskThis section contains procedures used to configure and manipulate a generic filter set.

Navigation

• Configuring a traffic profile set on page 242• Deleting a classifier, classifier block, or an entire filter set on page 246• Viewing filter descriptions on page 247

Configuring a traffic profile set

About this taskConfigure a traffic profile set by performing the following procedure.

Procedure

Use the following command to configure a traffic profile classifier entry.qos traffic-profile set port <port> name <name> [commited-rate<64-10230000>] [drop-nm-action <drop | pass>] [enable]




This command is used in the Global Configuration mode.


Variable Valueport <port> Specifies the ports to apply the traffic profile

to.

name <name> Specifies the name of the traffic profile.

commited-rate <64-10230000> Specifies the committed rate in Kilobits persecond.

drop-nm-action <drop | pass> Specifies the action to take when the packetis nonmatching. This action is applied to alltraffic that was not previously matched by thespecified filtering data. Options are drop(packet is dropped) and pass (packet is notdropped).

enable Enables the traffic profile.

Deleting a classifier, classifier block, or an entire filter set

About this taskDelete a filter classifier or set by performing this procedure.

Procedure

1. Delete a Traffic Profile classifier by using the following command from the GlobalConfiguration mode.no qos traffic-profile classifier name <classifier-name>

2. Delete a Traffic Profile set by using the following command from the GlobalConfiguration mode.no qos traffic-profile set {name <name> | port <port>}

Viewing filter descriptions

About this taskView filter descriptions by performing this procedure.



Procedure

1. View classifier entries by using the following commands from the Privileged EXECConfiguration mode.show qos traffic-profile classifierORshow qos traffic-profile classifier name <classifier name>

2. View the parameters for a specific set by using the following command from thePrivileged EXEC Configuration mode.show qos traffic-profile set <set name> port <port>

3. View ports and the filter sets assigned to those ports by using the followingcommand from the Privileged EXEC Configuration mode.show qos traffic-profile interface

Configuring User Based PoliciesAbout this taskUse the following procedure to configure User Based Policies.

Procedure

Configure User Based Policies by using the following command from the Globalconfiguration mode.qos ubpNote: To modify an entry in a filter set, you must delete the entry and add a new entrywith the desired modifications.


Variable Valueclassifier name [addr-type {ipv4|ipv6}] [block] [drop-action] [ds-field][dst-ip] [dst-mac] [dst-port-min][ethertype] [eval-order] [flow-id][next-header] [priority] [protocol][set-drop-prec] [src-ip] [src-mac][src-port-min] [update-1p] [update-dscp] [vlan-min] [ vlan-tag]

Creates the User Based Policy classifier entry.Optional parameters:

• addr-type {ipv4|ipv6} specifies the type of IP addressused by this classifier entry. The type is limited toIPv4 and IPv6 addresses.

• block specifies the label to identify access listelements that are of the same block.




Variable Value

• drop-action specifies whether or not to drop non-conforming traffic.

• ds-field specifies the value for the DiffServCodepoint (DSCP) in a packet.

• dst-ip specifies the IP address to match against thedestination IP address of a packet.

• dst-mac specifies the MAC address against whichthe MAC destination address of incoming packets iscompared.

• dst-port-min specifies the minimum value for thelayer 4 destination port number in a packet. dst-port-max must be terminated prior to configuringthis parameter.

• ethertype specifies a value indicating the version ofEthernet protocol being used.

• eval-order specifies the evaluation order for allelements with the same name.

• flow-id specifies the flow identifier for IPv6 packets.

• next-header specifies the IPv6 next-header value.Values are in the range 0-255.

• priority specifies a value for the 802.1p userpriority.

• protocol specifies the IPv4 protocol value.

• set-drop-prec specifies drop precendence

• src-ip specifies the IP address to match against thesource IP address of a packet.

• src-mac specifies the MAC source address ofincoming packets.

• src-port-min specifies the minimum value for theLayer 4 source port number in a packet. src-port-max must be terminated prior to configuringthis parameter.

• update-1p specifies an 802.1p value used to updateuser priority.

• update-dscp specifies a value used to update theDSCP field in an IPv4 packet.



Variable Value

• vlan-min specifies the minimum value for the VLANID in a packet. vlan-max must be terminated priorto configuring this parameter.

• vlan-tag specifies the type of VLAN tagging in apacket.

set name [commited-rate] [drop-nm-action] [drop-out-action] [max-burst-rate] [max-burst-duration][update-dscp-out-action] [set-priority]

Creates the User Based Policy set.Optional parameters:

• commited-rate specifies the commited rate inKbps.

• drop-nm-action specifies the action to take when thepacket is non-matching. This action is applied to alltraffic that was not previously matched by thespecified filtering data. Options are enable (packetis dropped) and disable (packet is not dropped).

• drop-out-action specifies the action to take when apacket is out-of-profile. This action is only applied ifmetering is being enforced, and if the traffic isdeemed out of profile based on the level of traffic andthe metering criteria. Options are enable (packetis dropped) and disable (packet is not dropped).

• max-burst-rate specifies the maximum number ofbytes allowed in a single transmission burst.

• max-burst-duration specifies the maximum burstduration in milliseconds.

• update-dscp-out-action specifies an updated DSCPvalue for an IPv4 packet for out of profile traffic..

• set-priority specifies the priority level of this filterset.

Deleting a classifier, classifier block, or an entire filter set

About this taskUse the following procedure to delete a classifier, classifier block, or filter set.

Note: You cannot reset QoS defaults if the EAP/NEAP UBP support references a QoS UBPfilter set.

Procedure

1. Delete an entire filter set by using the following command from the Globalconfiguration mode.




no qos ubp name <filter name>Note: You cannot delete a filter set while it is in use.

2. Delete a classifier by using the following command from the Global configurationmode.no qos ubp name <filter name> eval-order <value>

Viewing filter descriptions

About this taskUse the following procedure to view User-based Policy filter parameters, view parameters fora specific filter set, view ports and associated filter sets, and view classifier entries.

Procedure

1. View User Based Policy filter parameters by using the following command from thePrivileged EXEC configuration mode.show qos ubp

2. View the parameters for a specific filter set by using the following command fromthe Privileged EXEC configuration mode.show qos ubp name <filter name>

3. View ports and the filter sets assigned to those ports by using the followingcommand from the Privileged EXEC configuration mode.show qos ubp interface

4. View classifier entries by using the following command from the Privileged EXECconfiguration mode.show qos ubp classifier

Maintaining the QoS AgentAbout this taskUse the following CLI commands to maintain the QoS agent.

Navigation

• Resetting QoS to factory default state on page 248• Configuring QOS NT mode on page 248• Configuring QoS UBP support on page 249• Configuring QoS statistics tracking type on page 249



• Configuring NVRAM delay on page 250• Resetting NVRAM delay to default on page 250• Resetting the QoS agent on page 250

Resetting QoS to factory default state

About this taskUse the following procedure to delete all user-defined entries, remove all installed policies, andreset the system to its QoS factory default values.

Note 1: You cannot reset QoS defaults if the NSNA application references a QoS NSNA filterset.

Note 2: You cannot reset QoS defaults if the EAP/NEAP UBP support references a QoS UBPfilter set.

Procedure

Reset QoS to factory defaults by using the following command from GlobalConfiguration mode.qos agent reset-default

Configuring QOS NT mode

About this taskThis procedure describes how to configure the QoS Agent NT mode.

Procedure

Configure QoS NT mode by using the following command from Global Configurationmode.qos agent nt-mode [pure|mixed|disabled]


Variable Valuedisabled NT application traffic processing is disabled on all ports.

mixed NT application traffic processing enabled on all port with egress DSCPmapping.

pure NT application traffic processing enabled on all ports without egress DSCPmapping.




Configuring QoS UBP support

About this taskUse the following procedure to configure the UBP support level.

Procedure

Configure the UBP support level by using the following command from GlobalConfiguration mode.qos agent ubp [disable|epm|high-security-local|low-security-local]


Variable Valuedisable QoS agent rejects information forwarded by other applications.

epm QoS Agent notifications generated for EPM based on userinformation forwarded by other applications.

high-security-local User may be rejected if resources needed to install the UBP filter setare not available.

low-security-local User may be accepted even if the UBP filter set could not beapplied.

Configuring QoS statistics tracking type

About this taskThis procedure describes the steps necessary to configure the type of statistics tracking usedwith QoS.

Procedure

Configure the QoS statistics tracking type by using the following command from GlobalConfiguration mode.qos agent statistics-tracking [aggregate|disable|individual]


Variable Valueaggregate Allocates a single statistics counter to track data for all classifiers

contained in the QoS policy being created.



Variable Valuedisable Disable statistics tracking.

individual Allocates individual statistics counters to track data for each classifiercontained in the QoS policy being created.

Configuring NVRAM delay

About this taskUse the following procedure to specify the maximum amount of time, in seconds, before non-volatile QoS configuration is written to non-volatile storage. Delaying NVRAM access can beused to minimize file input and output. This can aid QoS agent efficiency if a large amount ofQoS data is being configured.

Procedure

Configure NVRAM delay by using the following command from Global Configurationmode.qos agent nvram-delay <0-604800>Default is 10 seconds.

Resetting NVRAM delay to default

About this taskUse the following procedure to reset the NVRAM delay time to factory default.

Procedure

Reset NVRAM delay to default by using the following command from GlobalConfiguration mode.default qos agent nvram-delay

Resetting the QoS agent

About this taskUse the following procedure to delete all user-defined entries, remove all installed policies, andreset the system to its QoS factory default values.




Procedure

Reset the QoS agent by using the following command from Global Configurationmode.default qos agent

Configuring DoS Attack Prevention PackageAbout this taskThis section contains procedures used to configure the DoS Attack Prevention Package(DAPP). This feature is only applicable to the 8100 Series switch.

Navigation

• Enabling DAPP on page 251• Configuring DAPP status tracking on page 251• Configuring DAPP minimum TCP header size on page 252• Configuring DAPP maximum IPv4 ICMP length on page 252• Configuring DAPP maximum IPv6 ICMP length on page 252

Enabling DAPP

About this taskThis procedure describes the steps necessary to enable DAPP.

Procedure

Enable DAPP by using the following command from Global Configuration mode:[no] qos agent dos-attack-prevention enableUse the no form of this command to disable.

Configuring DAPP status tracking

About this taskThis procedure describes how to configure DAPP status tracking.

Note: If adequate resources are not available to enable this feature the command will fail.



Procedure

Enable DAPP status tracking by using the following command from GlobalConfiguration mode:qos agent dos-attack-prevention status-tracking [enable | max-ipv4-icmp | max-ipv6-icmp | min-tcp-header]

Configuring DAPP maximum IPv6 ICMP lengthAbout this taskThis procedure describes how to set the maximum IPv6 ICMP length used by DAPP.

Procedure

Set the maximum IPv6 ICMP length by using the following command from GlobalConfiguration mode:qos agent dos-attack-prevention max-ipv6-icmp <0-16383>

Configuring DAPP minimum TCP header size

About this taskThis procedure describes how to set the minimum TCP header size used by DAPP.

Procedure

Set the minimum TCP header size by using the following command from GlobalConfiguration mode:qos agent dos-attack-prevention min-tcp-header <0-255>

Configuring DAPP maximum IPv4 ICMP length

About this taskThis procedure describes how to set the maximum IPv4 ICMP length used by DAPP.

Procedure

Set the maximum IPv4 ICMP length by using the following command from GlobalConfiguration mode:qos agent dos-attack-prevention max-ipv4-icmp <0-1023>




Configuring ServiceabilityAbout this taskThis chapter describes the methods and procedures necessary to configure RMON andIPFIX.

Navigation

• Configuring RMON with the CLI on page 253• Configuring IPFIX using CLI on page 259

Configuring RMON with the CLIAbout this taskThis section describes the CLI commands used to configure and manage RMON.

Navigation

• Viewing RMON alarms on page 253• Viewing RMON events on page 254• Viewing RMON history on page 254• Viewing RMON statistics on page 254• Setting RMON alarms on page 255• Deleting RMON alarm table entries on page 256• Configuring RMON event log and traps on page 256• Deleting RMON event table entries on page 257• Configuring RMON history on page 257• Deleting RMON history table entries. on page 258• Configuring RMON statistics on page 258• Disabling RMON statistics on page 258

Viewing RMON alarms

About this taskUse the following procedure to view RMON alarms.

Configuring Serviceability


Procedure

1. Enter Privileged Executive mode.

2. Use the show rmon alarm command to display information about RMONalarms.

Viewing RMON events

About this taskUse the following procedure to display information regarding RMON events.

Procedure


2. Enter the show rmon event command.

Viewing RMON history

About this taskUse this procedure to display information regarding the configuration of RMON history.

Procedure


2. Enter the show rmon history [<port>] command.


Variable Definition<port> The specified port number for which RMON

history settings is displayed.

Viewing RMON statistics

About this taskUse the following procedure to display information regarding the configuration of RMONstatistics.




Procedure


2. Enter the show rmon stats command.

Setting RMON alarms

About this taskUse the following procedure to set

Procedure

1. Enter Global Configuration mode.

2. Enter the rmon alarm <1-65535> <WORD> <1-2147483647> {absolute |delta} rising-threshold <-2147483648-2147483647> [<1-65535>]falling-threshold <-2147483648-2147483647> [<1-65535>][owner <LINE>] command.


Parameter Description<1-65535> Unique index for the alarm entry.

<WORD> The MIB object to be monitored. This object identifier can be anEnglish name.

<1-2147483647> The sampling interval, in seconds.

absolute Use absolute values (value of the MIB object is compareddirectly with thresholds).

delta Use delta values (change in the value of the MIB object betweensamples is compared with thresholds).

rising-threshold<-2147483648-2147483647 > [<1-65535>]

The first integer value is the rising threshold value. The optionalsecond integer specifies the event entry to be triggered after therising threshold is crossed. If omitted, or if an invalid event entryis referenced, no event is triggered.

falling-threshold<-2147483648-2147483647 > [<1-65535>]

The first integer value is the falling threshold value. The optionalsecond integer specifies the event entry to be triggered after thefalling threshold is crossed. If omitted, or if an invalid event entryis referenced, no event is triggered.

[owner <LINE>] Specify an owner string to identify the alarm entry.



Deleting RMON alarm table entries

About this taskUse the following procedure to delete RMON alarm table entries.

Procedure


2. Enter the no rmon alarm [<1-65535>] command.


Variable Definition[<1-65535>] The number assigned to the alarm. If no

number is selected, all RMON alarm tableentries are deleted.

Configuring RMON event log and traps

About this taskUse the following procedure to configure RMON event log and trap settings.

Procedure


2. Enter the rmon event <1-65535> [log] [trap] [description <LINE>][owner <LINE>] command.


Parameter Description<1-65535> Unique index for the event entry.

[log] Record events in the log table.

[trap] Generate SNMP trap messages for events.

[description <LINE>] Specify a textual description for the event.

[owner <LINE>] Specify an owner string to identify the event entry.




Deleting RMON event table entries

About this taskUse the following procedure to clear entries in the table.

Procedure


2. Enter the no rmon event [<1-65535>] command to delete the entries.


Variable Definition[<1-65535>] Unique identifier of the event. If not given, all

table entries are deleted.

Configuring RMON history

About this taskUse the following procedure to configure RMON history settings.

Procedure


2. Enter the rmon history <1-65535> <LINE> <1-65535> <1-3600>[owner <LINE>] command to configure the RMON history..


Parameter Description<1-65535> Unique index for the history entry.

<LINE> Specify the port number to be monitored.

<1-65535> The number of history buckets (records) to keep.

<1-3600> The sampling rate (how often a history sample is collected).

[owner <LINE>] Specify an owner string to identify the history entry.



Deleting RMON history table entries.

About this taskUse this procedure to delete RMON history table entries.

Procedure


2. Enter the no rmon history [<1-65535>] command to delete the entries.


Variable Definition[<1-65535>] Unique identifier of the event. If not given, all

table entries are deleted.

Configuring RMON statistics

About this taskUse this procedure to configure RMON statistics settings.

Procedure


2. Enter the rmon stats <1-65535> <LINE> [owner <LINE>] command toconfigure RMON statistics.


Parameter Description<1-65535> Unique index for the stats entry.

[owner <LINE>] Specify an owner string to identify the stats entry.

Disabling RMON statistics

About this taskUse this procedure to disable RMON statistics. If the variable is omitted, all entries in the tableare cleared.




Procedure


2. Enter the no rmon stats [<1-65535>] command to disable RMONstatistics.


Variable Definition<1-65535> Unique index for the statistics entry. If

omitted, all statistics are disabled.

Configuring IPFIX using CLIAbout this taskThis section describes the commands used in the configuration and management of IP FlowInformation Export (IPFIX) using the CLI.

Navigation

• Configuring IPFIX collectors on page 259• Enabling IPFIX globally on page 260• Configuring unit specific IPFIX on page 260• Enabling IPFIX on the interface on page 261• Enabling IPFIX export through ports on page 261• Deleting the IPFIX information for a port on page 262• Viewing the IPFIX table on page 262

Configuring IPFIX collectors

About this taskThe ip ipfix collector command is used to configure IPFIX collectors. IPFIX collectorsare used to collect and analyze data exported from an IPFIX compliant switch. In WLANRelease 1.1, the only external collector supported is NetQOS. At this time, up to two collectorscan be supported.

IPFIX data is exported from the switch in Netflow version 9 format. Data is exported using UDPport 9995.

IPFIX data is not load balanced when two collectors are in use. Identical information is sent toboth collectors.



Use the following procedure to configure the IPFIX collectors.

Procedure


2. Use the ip ipfix collector <unit_number> <collector_ip_address>command to configure the IPFIX collector.


Parameter Description<unit_number> The unit number of the collector. Currently up to two collectors

are supported so the values 1 or 2 are valid.

<collector_ip_address> The IP address of the collector.

Enabling IPFIX globally

About this taskUse the following procedure to globally enable IPFIX on the switch.

Procedure


2. Use the ip ipfix enable command to enable IPFIX on the switch.

Configuring unit specific IPFIX

About this taskUse the following command to configure unit specific IPFIX parameters.

Procedure


2. Use the ip ipfix slot <unit_number> [aging-interval<aging_interval>] [export-interval <export_interval>][exporter-enable] [template-refresh-interval<template_refresh_interval>] [template-refresh-packets<template_refresh_packets>] command to enable IPFIX on the switch.





Parameter Description<unit_number> The unit number of the collector. Currently up to two collectors

are supported so the values 1 or 2 are valid.

<aging_interval> The IPFIX aging interval. This value is in seconds from 0 to2147400.

<export_interval> The IPFIX export interval. This interval is the value at whichIPFIX data is exported in seconds from 10 to 3600.

<template_refresh_interval>

The IPFIX template refresh interval. This value is in secondsfrom 300 to 3600.

<template_refresh_packets>

The IPFIX template refresh packet setting. This value is thenumber of packets from 10000 - 100000.

Enabling IPFIX on the interface

About this taskUse the following procedure to enable IPFIX on the interface.

Procedure

1. Enter Interface Configuration mode.

2. Use the ip ipfix enable command to enable IPFIX on the interface.

Enabling IPFIX export through ports

About this taskUse the following procedure to enable the ports exporting data through IPFIX.

Procedure

1. Enter Interface Configuration mode.

2. Use the ip ipfix port <port_list> command to enable IPFIX on theinterface.


Variable Definitionport-list Single or comma-separated list of ports.



Deleting the IPFIX information for a port

About this taskUse the following procedure to delete the collected IPFIX information for a port.

Procedure


2. Use the ip ipfix flush port <port_list> [export-and-flush]command to delete the collected IPFIX information for the port or ports.


Variable Definitionport-list Single or comma-separated list of ports.

export-and-flush Export data to a collector before it isdeleted.

Viewing the IPFIX table

About this taskUse the following procedure to display IPFIX data collected from the switch.

Procedure


2. Use the show ip ipfix table <unit_number> sort-by <sort_by>sort-order <sort_order> display <num_entries> command view theIPFIX data.


Variable Definition<unit_number> The unit number of the collector. Currently up to two collectors are

supported so the values 1 or 2 are valid.

<sort_by> The value on which the data is sorted. Valid options are:

• byte-count

• dest-addr

• first-pkt-time




Variable Definition

• last-pkt-time

• pkt-count

• port

• protocol

• source-addr

• TCP-UDP-dest-port

• TCP-UDP-src-port

• TOS

<sort_order> The order in which the data is sorted. Valid options are ascending anddescending.

<num_entries> The number of data rows to display. Valid options are:

• all

• top-10

• top-25

• top-50

• top-100

• top-200

Configuring diagnostics and graphingAbout this taskThis chapter describes the methods and procedures necessary to configure diagnostics andgraphing.

Navigation

• System diagnostics and statistics using CLI on page 263• Network monitoring configuration using CLI on page 267

System diagnostics and statistics using CLIAbout this taskThis chapter describes the procedures you can use to perform system diagnostics and gatherstatistics using CLI.

Configuring diagnostics and graphing


Navigation

• Viewing port-statistics on page 264• Displaying port operational status on page 265• Validating port operational status on page 265• Showing port information on page 266

Viewing port-statistics

About this taskUse this procedure to view the statistics for the port on both received and transmitted traffic.

Procedure


2. Enter the show port-statistics [port <portlist>] command.





Variable Definitionport <portlist> The ports to display statistics for. When no port list is

specified, all ports are shown.

Displaying port operational status

About this taskUse this procedure to display the port operational status.

Important:If you use a terminal with a width of greater than 80 characters, the output is displayed in atabular format.

Procedure


2. Enter the show interfaces [port list] verbose command. If you issuethe command with no parameters the port status is shown for all ports.

3. Observe the CLI output.

Validating port operational status

About this taskVLACP: Configure VLACP on port 1 from a 8100 series unit and on port 2 on 5000 series unit.Have a link between these 2 ports. When the show interfaces command is typed, VLACPstatus is up for port on the unit where the command is typed. Pull out the link from the otherswitch, VLACP status goes Down.

STP: After switch boots, type show interfaces command. STP Status is Listening (wait afew seconds and try again). STP Status becomes Learning.

After a while (15 seconds is the forward delay default value, only if you did not configure anothertime interval for STP forward delay), if you type show interfaces again, STP Status shouldbe forwarding.



Showing port information

About this taskPerform this procedure to display port configuration information.

Procedure


2. Enter the show interfaces <portlist> config command.

3. Observe the CLI output.




Network monitoring configuration using CLIAbout this taskThis section describes using CLI to view and configure network monitoring.

Navigation

• Viewing CPU utilization on page 268• Viewing memory utilization on page 268• Configuring the system log on page 269• Configuring remote logging on page 271• Configuring port mirroring on page 274• Displaying Many-to-Many port-mirroring on page 276• Configuring Many-to-Many port-mirroring on page 276• Disabling Many-to-Many port-mirroring on page 277



Viewing CPU utilization

About this taskUse this procedure to view the CPU utilization

Procedure


2. Enter the show cpu-utilization command.

3. Observe the displayed information.

Viewing memory utilization

About this taskUse this procedure to view the memory utilization

Procedure


2. Enter the show memory-utilization command.





Configuring the system log

About this taskThis section outlines the CLI commands used in the configuration and management of thesystem log.

Navigation

• Displaying the system log on page 269• Configuring the system log on page 269• Disabling the system log on page 270• Setting the system log to default on page 270• Clearing the system log on page 270

Displaying the system logAbout this taskUse this procedure to displays the configuration, and the current contents, of the system eventlog.

Procedure

Enter the show show logging [config] [critical] [serious][informational] [sort-reverse] command Privileged Executive mode.


Variable Valueconfig Display configuration of event logging.

critical Display critical log messages.

serious Display serious log messages.

informational Display informational log messages.

sort-reverse Display informational log messages in reversechronological order (beginning with most recent).

Configuring the system logAbout this taskUse this procedure to configure the system settings for the system event log.



Procedure

Enter the logging [enable | disable] [level critical | serious |informational | none] [nv-level critical | serious | none]command Privileged Executive mode.


Variable Valueenable | disable Enables or disables the event log (default is

Enabled).

level critical | serious | informational| none

Specifies the level of logging stored in DRAM.

nv-level critical | serious | none Specifies the level of logging stored in NVRAM.

Disabling the system logAbout this taskUse this procedure to disable the system event log.

Procedure

Enter the no logging command in global configuration mode.

Setting the system log to defaultAbout this taskUse this procedure to default the system event log configuration.

Procedure

Enter the default logging command in global configuration mode.

Clearing the system logAbout this taskUse this procedure to clear all log messages in DRAM.

Procedure

Enter the clear logging system [non-volatile] [nv] [volatile]command in global configuration mode.





Variable Valuenon-volatile Clears log messages from NVRAM.

nv Clears log messages from NVRAM and DRAM.

volatile Clears log messages from DRAM.

Configuring remote logging

About this taskUse the CLI to configure remote logging. This section discusses the commands that enableremote logging.

Navigation

• Displaying logging on page 271• Enabling remote logging on page 271• Disabling remote logging on page 272• Setting the remote logging address on page 272• Clearing the remote server IP address on page 272• Setting the log severity on page 273• Resetting the severity level on page 273• Setting the default remote logging level on page 273

Displaying loggingAbout this taskUse this procedure to display the configuration and the current contents of the system eventlog.

Procedure


2. Enter the show logging command to display the log.

Enabling remote loggingAbout this taskUse this procedure to enable remote logging. By default, remote logging is disabled.



Procedure


2. Enter the logging remote enable command to enable the use of a remotesyslog server.

Disabling remote loggingAbout this taskUse this procedure to disable remote logging.

Procedure


2. Enter the no logging remote enable command to disable the use of a remotesyslog server.

Setting the remote logging addressAbout this taskUse this procedure to set the address of the remote server for the syslog.

Procedure


2. Enter the logging remote address <A.B.C.D> command to disable the useof a remote syslog server.


Parameters and variables Description<A.B.C.D> Specifies the IP address of the remote server in

dotted-decimal notation. The default address is0.0.0.0.

Clearing the remote server IP addressAbout this taskUse this procedure to clear the IP address of the remote server.




Procedure


2. Enter the no logging remote address command to clear the IP address ofthe remote syslog server.

Setting the log severityAbout this taskUse this command to set the severity level of the logs sent to the remote server.

Procedure


2. Enter the logging remote level {critical | informational |serious | none} command to set the severity level of the logs that will be sentto the server.


Parameters and variables Description{critical | serious | informational |none}

Specifies the severity level of the log messages to besent to the remote server:

• critical

• informational

• serious

• none

Resetting the severity levelAbout this taskUse this command to remove severity level setting

Procedure


2. Enter the no logging remote level command to remove the severity level ofthe logs that will be sent to the server. The level is set to none.

Setting the default remote logging levelAbout this taskUse this procedure to set the remote logging level to default.



Procedure


2. Enter the default logging remote level command to sets the severity levelof the logs sent to the remote server. The default level is none.

Configuring port mirroring

About this taskPort mirroring can be configured with the CLI commands detailed in this section.

Navigation

• Displaying the port-mirroring configuration on page 274• Configure port-mirroring on page 274• Disabling port-mirroring on page 276

Displaying the port-mirroring configurationAbout this taskUse this procedure to display the existing port-mirroring configuration.

Procedure


2. Enter the show port-mirroring command to display the port-mirroringconfiguration.

Configure port-mirroringAbout this taskUse this procedure to set the port-mirroring configuration

Procedure


2. Enter the port-mirroring mode {disable | Xrx monitor-port<portlist> mirror-ports <portlist> | Xtx monitor-port<portlist> mirror-ports <portlist> | ManytoOneRx monitor-port<portlist> mirror-ports <portlist> | ManytoOneTx monitor-port<portlist> mirror-port-X <portlist> | ManytoOneRxTx monitor-port <portlist> mirror-port-X <portlist> | XrxOrXtx monitor-port <portlist> mirror-port-X <portlist> | XrxOrYtx monitor-port <portlist> mirror-port-X <portlist> mirror-port-Y<portlist> | XrxYtxmonitor-port <portlist> mirror-port-X




<portlist> mirror-port-Y <portlist> | XrxYtxOrYrxXtx monitor-port <portlist> mirror-port-X <portlist> mirror-port-Y<portlist> | Asrc monitor-port <portlist> mirror-MAC-A<macaddr> | Adst monitor-port <portlist> mirror-MAC-A<macaddr> | AsrcOrAdst monitor-port <portlist> mirror-MAC-A<macaddr> | AsrcBdst monitor-port <portlist> mirror-MAC-A<macaddr> mirror-MAC-B <macaddr> | AsrcBdstOrBsrcAdstmonitor-port <portlist> mirror-MAC-A <macaddr> mirror-MAC-B<macaddr>} command to display the port-mirroring configuration.


Parameter Descriptiondisable Disables port-mirroring.

monitor-port Specifies the monitor port.

mirror-port-X Specifies the mirroring port X.

mirror-port-Y Specifies the mirroring port Y.

mirror-MAC-A Specifies the mirroring MAC address A.

mirror-MAC-B Specifies the mirroring MAC address B.

portlist Enter the port numbers.

ManytoOneRx Many to one port mirroring on ingress packets.

ManytoOneTx Many to one port mirroring on egress packets.

ManytoOneRxTx Many to one port mirroring on ingress and egresstraffic.

Xrx Mirror packets received on port X.

Xtx Mirror packets transmitted on port X.

XrxOrXtx Mirror packets received or transmitted on port X.

XrxYtx Mirror packets received on port X and transmitted onport Y. This mode is not recommended for mirroringbroadcast and multicast traffic.

XrxYtxOrXtxYrx Mirror packets received on port X and transmitted onport Y or packets received on port Y and transmittedon port X.

XrxOrYtx Mirror packets received on port X or transmitted onport Y.

macaddr Enter the MAC address in format H.H.H.

Asrc Mirror packets with source MAC address A.

Adst Mirror packets with destination MAC address A.



Parameter DescriptionAsrcOrAdst Mirror packets with source or destination MAC

address A.

AsrcBdst Mirror packets with source MAC address A anddestination MAC address B.

AsrcBdstOrBsrcAdst Mirror packets with source MAC address A anddestination MAC address B or packets with sourceMAC address B and destination MAC address A.

Disabling port-mirroringAbout this taskUse this procedure to disable port-mirroring

Procedure

1. Enter Global Configuration mode

2. Enter the no port-mirroring command to disable port-mirroring.

Displaying Many-to-Many port-mirroringAbout this taskUse this procedure to display Many-to-Many port-mirroring settings

Procedure

1. Enter Privileged Executive mode

2. Enter the show port-mirroring command.


Configuring Many-to-Many port-mirroringAbout this taskUse this procedure to configure Many-to-Many port-mirroring

Procedure


2. Enter the port-mirroring <1-4> mode {disable | Adst | Asrc |AsrcBdst | AsrcBdstOrBsrcAdst | AsrcOrAdst | ManyToOneRx |ManyToOneRxTx | ManyToOneTx | Xrx | XrxOrXtx | XrxOrYtx |XrxYtx | XrxYtxOrYrxXtx | Xtx} command.

3. Enter the command from step 2 for up to four instances.





Variable Valuedisable Disable mirroring.

Adst Mirror packets with destination MAC addressA

Asrc Mirror packets with source MAC address A.

AsrcBdst Mirror packets with source MAC address Aand destination MAC address B.

AsrcBdstOrBsrcAdst Mirror packets with source MAC address Aand destination MAC address B or packetswith source MAC address B and destinationMAC address A.

AsrcOrAdst Mirror packets with source or destinationMAC address A.

ManyToOneRx Mirror many to one port mirroring on ingresspackets.

ManyToOneRxTx Mirror many to one port mirroring on ingressand egress packets.

ManyToOneTx Mirror many to one port mirroring on egresspackets.

Xrx Mirror packets received on port X.

XrxOrXtx Mirror packets received on port X andtransmitted on port Y.

XrxYtx Mirror packets received on port X andtransmitted on port Y.

XrxYtxOrYrxXtx Mirror packets received on port X andtransmitted on port Y or packets received onport Y and transmitted on port X.

Xtx Mirror packets received on port X ortransmitted on port Y

Disabling Many-to-Many port-mirroringAbout this taskUse this procedure to disable Many-to-Many port-mirroring



Procedure


2. Enter the port-mirroring [<1-4>] mode disable or no port-mirroring [<1-4>] command to disable a specific instance.

3. Enter the no port-mirroring command to disable all instances.


Variable Definition<1-4> The port-mirroring instance.




Date post:	17-Nov-2021
Category:	Documents
Upload:	others
View:	6 times
Download:	0 times

Avaya WLAN 8100 WC 8180 CLI Reference

Documents