Manuals / Brands / Computer Equipment / Network Card / Alcatel Carrier Internetworking Solutions / Computer Equipment / Network Card

Alcatel Carrier Internetworking Solutions 6300-24 4-75, Port Security Commands, port security

1 462

Download 462 pages, 4.98 Mb

Authentication Commands

4-75

4

Port Security Commands

These commands can be used to disable the learning function or manually specify

secure addresses for a port. You may want to leave port security off for an initial

training period (i.e., enable the learning function) to register all the current VLAN

members on the selected port, and then enable port security to ensure that the port

will drop any incoming frames with a source MAC address that is unknown or has

been previously learned from another port.

port security

This command enables or configures port security. Use the no form without any

keywords to disable port security. Use the no form with the appropriate keyword to

restore the default settings for a response to security violation or for the maximum

number of allowed addresses.

Syntax

port security [action {shutdown | trap | trap-and-shutdown}

|max-mac-countaddress-count]

no port security [action | max-mac-count]

•action - Response to take when port security is violated.

-shutdown - Disable port only.

-trap - Issue SNMP trap message only.

-trap-and-shutdown - Issue SNMP trap message and disable port.

• max-mac-count

-address-count - The maximum number of MAC addresses that can be

learned on a port. (Range: 0 - 20)

Default Setting

Status: Disabled

Action: None

Maximum Addresses: 0

Command Mode

Interface Configuration (Ethernet)

Command Usage

• If you enable port security, the switch will stop dynamically learning new

addresses on the specified port. Only incoming traffic with source addresses

already stored in the dynamic or static address table will be accepted.

Table4-30. Port Security Comm ands

Command Function Mode Page

port security Configures a secure port IC 4-75

mac-address-table static Maps a static address to a port in a VLAN GC 4-157

show mac-address-table Displays entries in the brid ge-forwarding database PE 4-158

Contents

Main Page Page Page Contents Page Page Page Page Page Page Page Page Page Page Page Tables Page Page Page Figures Page Page Page 1-1 Chapter 1: Introduction Key Features 1-2 Description of Software Features Description of Software Features 1-3 1-4 System Defaults 1-5 System Defaults 1-6 System Defaults 1-7 Page 2-1 Chapter 2: Initial Configuration Connecting to the Switch Configuration Options 2-2 Required Connections 2-3 Remote Connections Basic Configuration Console Connection 2-4 Setting Passwords Setting an IP Address Manual Configuration 2-5 Dynamic Configuration 2-6 Enabling SNMP Management Access Community Strings 2-7 Trap Receivers Saving Configuration Settings 2-8 Managing System Files 3-1 Chapter 3: Configuring the Switch Using the Web Interface 3-2 Navigating the Web Browser Interface Home Page Configuration Options 3-3 Panel Display Main Menu 3-4 3-5 3-6 3-7 3-8 Basic Configuration Displaying System Information 3-9 Figure 3-5. System Information CLI Specify the hostname, location and contact information. 3-10 Displaying Switch Hardware/Software Versions 3-11 Displaying Bridge Extension Capabilities 3-12 Setting the Switchs IP Address 3-13 Manual Configuration 3-14 Using DHCP/BOOTP 3-15 Enabling Jumbo Frames Managing Firmware 3-16 Downloading System Software from a Server 3-17 Saving or Restoring Configuration Settings Downloading Configuration Settings from a Server 3-18 Console Port Settings 3-19 3-20 3-21 Telnet Settings 3-22 3-23 Configuring Event Logging System Logs 3-24 System Logs Configuration 3-25 Remote Logs Configuration 3-26 3-27 Sending Simple Mail Transfer Protocol Alerts Page 3-29 Resetting the System Setting the System Clock 3-30 Configuring SNTP 3-31 Setting the Time Zone Simple Network Management Protocol 3-32 3-33 Enabling SNMP Setting Community Access Strings 3-34 Specifying Trap Managers and Trap Types 3-35 Configuring SNMPv3 Management Access Setting an Engine ID 3-36 Configuring SNMPv3 Users 3-37 3-38 Configuring SNMPv3 Groups 3-39 3-40 Setting SNMPv3 Views 3-41 User Authentication Configuring the Logon Password 3-42 Configuring Local/Remote Logon Authentication 3-43 3-44 3-45 Configuring HTTPS 3-46 Replacing the Default Secure-site Certificate 3-47 Configuring the Secure Shell 3-48 3-49 Generating the Host Key Pair 3-50 3-51 Configuring the SSH Server 3-52 Configuring Port Security 3-53 3-54 Configuring 802.1x Port Authentication 3-55 Displaying 802.1x Global Settings 3-56 3-57 Configuring 802.1x Global Settings 3-58 Configuring Port Authorization Mode 3-59 Displaying 802.1x Statistics 3-60 Figure 3-31. 802.1X Statistics CLI This example displays the 802.1x statistics for port 4. 3-61 Access Control Lists Configuring Access Control Lists 3-62 Setting the ACL Name and Type Configuring a Standard IP ACL 3-63 Configuring an Extended IP ACL 3-64 3-65 3-66 Configuring a MAC ACL Page 3-68 Configuring ACL Masks Specifying the Mask Type 3-69 Configuring an IP ACL Mask 3-70 3-71 Configuring a MAC ACL Mask 3-72 Binding a Port to an Access Control List Filtering IP Addresses for Management Access 3-73 Filtering IP Addresses for Management Access 3-74 3-75 Port Configuration Displaying Connection Status 3-76 3-77 Configuring Interface Connections 3-78 3-79 Creating Trunk Groups 3-80 Statically Configuring a Trunk } active links statically configured 3-81 Enabling LACP on Selected Ports } } 3-82 3-83 Configuring LACP Parameters Page 3-85 Displaying LACP Port Counters You can display statistics for LACP protocol messages. Counter Information 3-86 Displaying LACP Settings and Status for the Local Side 3-87 Figure 3-48. LACP Settings - Local Side 3-88 Displaying LACP Settings and Status for the Remote Side 3-89 3-90 Setting Broadcast Storm Thresholds 3-91 Configuring Port Mirroring 3-92 Configuring Rate Limits 3-93 Showing Port Statistics 3-94 Statistical Values 3-95 3-96 Page 3-98 Alcatel Mapping Adjacency Protocol (AMAP) Configuring AMAP Alcatel Mapping Adjacency Protocol (AMAP) 3-99 Displaying AMAP Detected Devices 3-100 Address Table Settings Setting Static Addresses Address Table Settings 3-101 Displaying the Address Table 3-102 Changing the Aging Time 3-103 Spanning Tree Algorithm Configuration x x 3-104 Displaying Global Settings 3-105 3-106 3-107 Configuring Global Settings 3-108 3-109 Page 3-111 Displaying Interface Settings x x 3-112 3-113 3-114 Configuring Interface Settings 3-115 3-116 Configuring Multiple Spanning Trees 3-117 3-118 CLI This displays STA settings for instance 1, followed by settings for each port. CLI This example sets the priority for MSTI 1, and adds VLANs 1-5 to this MSTI. Displaying Interface Settings for MSTP 3-120 3-121 Configuring Interface Settings for MSTP 3-122 VLAN Configuration Overview 3-123 Assigning Ports to VLANs 3-124 3-125 Forwarding Tagged/Untagged Frames Enabling or Disabling GVRP (Global Setting) 3-126 Displaying Basic VLAN Information 3-127 Displaying Current VLANs 3-128 3-129 Creating VLANs 3-130 Adding Static Members to VLANs (VLAN Index) 3-131 3-132 Adding Static Members to VLANs (Port Index) 3-133 Configuring VLAN Behavior for Interfaces 3-134 3-135 Configuring Private VLANs x Enabling Private VLANs 3-136 Configuring Uplink and Downlink Ports Configuring Protocol-Based VLANs 3-137 Configuring Protocol Groups Mapping Protocols to VLANs 3-138 3-139 Class of Service Configuration Setting the Default Priority for Interfaces 3-140 3-141 Mapping CoS Values to Egress Queues 3-142 3-143 Selecting the Queue Mode Setting the Service Weight for Traffic Classes 3-144 3-145 Mapping Layer 3/4 Priorities to CoS Values Selecting IP Precedence/DSCP Priority 3-146 Mapping IP Precedence 3-147 Mapping DSCP Priority 3-148 3-149 Mapping IP Port Priority 3-150 Mapping CoS Values to ACLs 3-151 Changing Priorities Based on ACL Rules 3-152 3-153 Quality of Service Configuring Quality of Service Parameters 3-154 Configuring a Class Map Page 3-156 Creating QoS Policies 3-157 Page 3-159 Attaching a Policy Map to Ingress and Egress Queues 3-160 Multicast Filtering Layer 2 IGMP (Snooping and Query) 3-161 Configuring IGMP Snooping and Query Parameters 3-162 Displaying Interfaces Attached to a Multicast Router 3-163 Specifying Static Interfaces for a Multicast Router 3-164 Displaying Port Members of Multicast Services 3-165 Assigning Ports to Multicast Services 3-166 Configuring Domain Name Service 3-167 Configuring General DNS Server Parameters 3-168 3-169 Configuring Static DNS Host to Address Entries 3-170 3-171 Displaying the DNS Cache 3-172 CLI - This example displays all the resource records learned from the designated name servers. 4-1 Chapter 4: Command Line Interface Using the Command Line Interface Accessing the CLI Console Connection Telnet Connection 4-2 Entering Commands 4-4 Showing Commands The command show interfaces ? will display the following information: Entering Commands 4-5 Partial Keyword Lookup Negating the Effect of Commands Using Command History 4-6 Exec Commands Configuration Commands Entering Commands 4-7 Command Line Processing 4-8 Command Groups 4-9 Command Groups The system commands can be broken down into the functional groups s hown below 4-10 Line Commands line 4-11 login 4-12 password 4-13 timeout login response 4-14 exec-timeout password-thresh 4-15 silent-time 4-16 databits parity 4-17 speed stopbits 4-18 disconnect show line General Commands 4-19 General Commands enable 4-20 disable configure General Commands 4-21 show history 4-22 reload end exit 4-23 System Management Commands 4-24 Device Designation Commands prompt 4-25 hostname User Access Commands username 4-26 enable password 4-27 IP Filter Commands management 4-28 show management 4-29 Web Server Commands ip http port 4-30 ip http server ip http secure-server 4-31 ip http secure-port 4-32 Secure Shell Commands 4-33 4-34 ip ssh server 4-35 ip ssh timeout 4-36 ip ssh authentication-retries ip ssh server-key size 4-37 delete public-key ip ssh crypto host-key generate 4-38 ip ssh crypto zeroize ip ssh save host-key 4-39 show ip ssh show ssh 4-40 show public-key 4-41 Event Logging Commands logging on 4-42 logging history 4-43 logging host logging facility 4-44 logging trap clear logging 4-45 show logging 4-46 The following example displays settings for the trap function. show logging sendmail (4-49) SMTP Alert Commands 4-47 logging sendmail host logging sendmail level 4-48 logging sendmail source-email logging sendmail destination-email 4-49 logging sendmail show logging sendmail 4-50 Time Commands sntp client 4-51 sntp server 4-52 sntp poll show sntp 4-53 clock timezone calendar set 4-54 show calendar System Status Commands show startup-config 4-55 4-56 Example show running-config (4-57) 4-57 show running-config 4-58 Example show startup-config (4-54) 4-59 show system 4-60 show users show version 4-61 Frame Size Commands jumbo frame 4-62 Flash/File Commands copy Flash/File Commands 4-63 4-64 delete Flash/File Commands 4-65 dir 4-66 whichboot boot system 4-67 Authentication Commands Authentication Sequence 4-68 authentication login 4-69 authentication enable 4-70 RADIUS Client radius-server host radius-server port 4-71 radius-server key radius-server retransmit 4-72 radius-server timeout show radius-server 4-73 TACACS+ Client tacacs-server host tacacs-server port 4-74 tacacs-server key show tacacs-server 4-75 Port Security Commands port security 4-76 802.1x Port Authentication 4-77 authentication dot1x default dot1x default 4-78 dot1x max-req dot1x port-control 4-79 dot1x operation-mode dot1x re-authenticate 4-80 dot1x re-authentication dot1x timeout quiet-period dot1x timeout re-authperiod 4-81 dot1x timeout tx-period show dot1x 4-82 4-83 Access Control List Commands 4-84 4-85 IP ACLs access-list ip 4-86 permit, deny (Standard ACL) 4-87 permit, deny (Extended ACL) 4-88 4-89 show ip access-list access-list ip mask-precedence 4-90 mask (IP ACL) 4-91 4-92 4-93 show access-list ip mask-precedence 4-94 ip access-group show ip access-group 4-95 map access-list ip 4-96 show map access-list ip match access-list ip 4-97 show marking 4-98 MAC ACLs access-list mac 4-99 permit, deny (MAC ACL) 4-100 show mac access-list 4-101 access-list mac mask-precedence 4-102 mask (MAC ACL) 4-103 This example creates an Egress MAC ACL. 4-104 show access-list mac mask-precedence mac access-group 4-105 show mac access-group map access-list mac 4-106 show map access-list mac match access-list mac 4-107 ACL Information show access-list 4-108 show access-group SNMP Commands 4-109 snmp-server community 4-110 snmp-server contact snmp-server location 4-111 snmp-server host 4-112 snmp-server enable traps 4-113 show snmp 4-114 snmp-server snmp-server engine-id 4-115 show snmp engine-id snmp-server view 4-116 show snmp view 4-117 snmp-server group show snmp group 4-118 Example Table4-3. SNMP Group 4-119 snmp-server user show snmp user 4-120 DHCP Commands DHCP Client ip dhcp client-identifier DHCP Commands 4-121 ip dhcp restart client 4-122 DNS Commands ip host 4-123 clear host ip domain-name 4-124 ip domain-list 4-125 ip name-server 4-126 ip domain-lookup 4-127 show hosts show dns 4-128 show dns cache This command displays entries in the DNS cache. Command Mode Example clear dns cache Interface Commands 4-130 interface 4-131 description speed-duplex 4-132 negotiation 4-133 capabilities 4-134 flowcontrol 4-135 combo-forced-mode shutdown 4-136 switchport broadcast packet-rate 4-137 clear counters 4-138 show interfaces status 4-139 show interfaces counters 4-140 show interfaces switchport Mirror Port Commands 4-141 Mirror Port Commands port monitor 4-142 show port monitor AMAP Configuration 4-143 AMAP Configuration 4-144 amap enable amap run amap discovery timer AMAP Configuration 4-145 amap common timer show amap 4-146 Rate Limit Commands rate-limit 4-147 Link Aggregation Commands 4-148 channel-group 4-149 lacp 4-150 lacp system-priority 4-151 lacp admin-key (Ethernet Interface) 4-152 lacp admin-key (Port Channel) 4-153 lacp port-priority show lacp 4-154 Default Setting Port Channel: all Command Mode Example 4-155 4-156 Address Table Commands 4-157 Address Table Commands mac-address-table static 4-158 clear mac-address-table dynamic show mac-address-table Address Table Commands 4-159 mac-address-table aging-time 4-160 show mac-address-table aging-time Spanning Tree Commands 4-161 spanning-tree 4-162 spanning-tree mode 4-163 spanning-tree forward-time 4-164 spanning-tree hello-time spanning-tree max-age 4-165 spanning-tree priority 4-166 spanning-tree pathcost method spanning-tree transmission-limit 4-167 spanning-tree mst-configuration mst vlan 4-168 mst priority 4-169 name revision 4-170 max-hops 4-171 spanning-tree spanning-disabled spanning-tree cost 4-172 spanning-tree port-priority spanning-tree edge-port 4-173 spanning-tree portfast 4-174 spanning-tree link-type 4-175 spanning-tree mst cost 4-176 spanning-tree mst port-priority spanning-tree protocol-migration 4-177 show spanning-tree 4-178 show spanning-tree mst configuration 4-179 VLAN Commands Editing VLAN Groups 4-180 vlan database vlan 4-181 Configuring VLAN Interfaces interface vlan 4-182 switchport mode 4-183 switchport acceptable-frame-types switchport ingress-filtering 4-184 switchport native vlan 4-185 switchport allowed vlan 4-186 switchport forbidden vlan 4-187 Displaying VLAN Information show vlan Configuring Protocol-based VLANs 4-188 protocol-vlan protocol-group (Configuring Groups) 4-189 protocol-vlan protocol-group (Configuring Interfaces) 4-190 show protocol-vlan protocol-group show interfaces protocol-vlan protocol-group 4-191 Configuring Private VLANs pvlan 4-192 show pvlan GVRP and Bridge Extension Commands GVRP and Bridge Extension Commands 4-193 bridge-ext gvrp show bridge-ext 4-194 switchport gvrp show gvrp configuration GVRP and Bridge Extension Commands 4-195 garp timer 4-196 show garp timer 4-197 Priority Commands Priority Commands (Layer 2) switchport priority default 4-198 queue mode 4-199 queue bandwidth 4-200 queue cos-map 4-201 show queue mode show queue bandwidth 4-202 show queue cos-map Priority Commands (Layer 3 and 4) 4-203 map ip port (Global Configuration) map ip port (Interface Configuration) 4-204 map ip precedence (Global Configuration) map ip precedence (Interface Configuration) 4-205 map ip dscp (Global Configuration) 4-206 map ip dscp (Interface Configuration) 4-207 map access-list ip 4-208 show map ip port show map ip precedence 4-209 show map ip dscp 4-210 Example Quality of Service Commands 4-211 class-map 4-212 match 4-213 policy-map 4-214 class set 4-215 police 4-216 service-policy show class-map 4-217 show policy-map show policy-map interface 4-218 Multicast Filtering Commands IGMP Snooping Commands ip igmp snooping 4-219 ip igmp snooping vlan static 4-220 ip igmp snooping version show ip igmp snooping 4-221 show mac-address-table multicast 4-222 IGMP Query Commands (Layer 2) ip igmp snooping querier ip igmp snooping query-count 4-223 ip igmp snooping query-interval 4-224 ip igmp snooping query-max-response-time ip igmp snooping router-port-expire-time 4-225 Static Multicast Routing Commands ip igmp snooping vlan mrouter 4-226 show ip igmp snooping mrouter 4-227 IP Interface Commands Basic IP Configuration ip address 4-228 ip default-gateway 4-229 ip dhcp restart show ip interface 4-230 show ip redirects ping 4-231 Page A-1 Appendix A: Software Specifications Software Features Software Specifications A-2 A Management Features Standards Management Information Bases A-3 A Management Information Bases Page B-1 Appendix B: Troubleshooting Page Glossary Page Page Page Page Page Index Index-1 Numerics A B Index-2 Index H I J L Index-3 Index Q R S