Manuals / Enterasys Networks / Computer Equipment / Switch

Enterasys Networks 9034313-07 manual Dhcp Snooping Dynamic ARP Inspection, Dhcp Snooping Overview

Models: 9034313-07

1 872

Download 872 pages 24.54 Kb

Page 511

Image 511

DHCP Snooping and

Dynamic ARP Inspection

This chapter describes two security features:

•DHCP snooping, which monitors DHCP messages between a DHCP client and DHCP server to filter harmful DHCP messages and to build a database of authorized address bindings

•Dynamic ARP inspection, which uses the bindings database created by the DHCP snooping feature to reject invalid and malicious ARP packets

For information about...	Refer to page...

DHCP Snooping Overview	17-1

DHCP Snooping Commands	17-4

Dynamic ARP Inspection Overview	17-15

Dynamic ARP Inspection Commands	17-20

DHCP Snooping Overview

DHCP snooping monitors DHCP messages between DHCP clients and DHCP servers to filter harmful DHCP messages and to build a bindings database of {MAC address, IP address, VLAN ID, port} tuples that are considered authorized.

DHCP snooping is disabled globally and on all VLANs by default. Ports are untrusted by default. DHCP snooping must be enabled globally and on specific VLANs. Ports within the VLANs must be configured as trusted or untrusted. DHCP servers must be reached through trusted ports.

DHCP snooping enforces the following security rules:

•DHCP packets from a DHCP server (DHCP OFFER, DHCP ACK, DHCP NAK) are dropped if received on an untrusted port.

•DHCP RELEASE and DHCP DECLINE messages are dropped if they are for a MAC address in the snooping database but the bindingʹs interface in the database is different from the interface where the message was received.

•On untrusted interfaces, the switch drops DHCP packets whose source MAC address does not match the client hardware address. This feature is a configurable option.

DHCP Message Processing

The hardware identifies all incoming DHCP packets on ports where DHCP snooping is enabled. On untrusted ports, the hardware traps all incoming DHCP packets to the CPU. On trusted ports,

SecureStack C3 Configuration Guide 17-1

Page 511

Image 511

Enterasys Networks 9034313-07 manual Dhcp Snooping Dynamic ARP Inspection, Dhcp Snooping Overview, Dhcp Message Processing

Contents

Enterasys SecureStack C3 Page Page Enterasys Networks, Inc. Firmware License Agreement Iii Page Contents Page Activating Licensed Features Discovery Protocol Configuration Configuring System Power and PoEPort Configuration Show port broadcast Set port broadcast Clear port broadcast Snmp Configuration Spanning Tree Configuration Configuring Spanning Tree Port Parameters Purpose Commands 802.1Q Vlan Configuration Port Priority Configuration Policy Classification ConfigurationLogging and Network Management Igmp Configuration14-3 Rmon Configuration Dhcp Server Configuration IP Configuration Preparing for Router ModeDhcp Snooping and Dynamic ARP Inspection IPv4 Routing Protocol Configuration 20-11 IPv6 Management IPv6 ConfigurationIPv6 Proxy Routing DHCPv6 ConfigurationOSPFv3 Configuration Authentication and Authorization Configuration 26-37 TACACS+ Configuration Tables SFlow ConfigurationAppendix a Policy and Authentication Capacities Index10-4 22-26 Xxxii Important Notice Using This GuideAbout This Guide Structure of This GuideStructure of This Guide Related Documents SecureStack C3 Installation GuidesFollowing conventions are used in the text of this document Conventions Used in This GuideFollowing icons are used in this guide Support@enterasys.com Getting HelpGetting Help Xxxviii About This Guide Introduction Switch Management MethodsSecureStack C3 CLI Overview Default Settings for Basic Switch Operation Factory Default SettingsFeature Default Setting Sntp Default Settings for Router OperationDvmrp Connecting Using the Console Port Using the Command Line InterfaceStarting a CLI Session Logging Connecting Using TelnetUsing a Default User Account Using an Administratively Configured User AccountGetting Help with CLI Syntax Navigating the Command Line InterfaceCLI Command Defaults Descriptions CLI Command ModesDisplaying Scrolling Screens Abbreviating and Completing CommandsBasic Line Editing Commands Basic Line Editing CommandsAbout SecureStack C3 Switch Operation in a Stack Configuring Switches in a StackInstalling a New Stackable System of Up to Eight Units Creating a Virtual Switch Configuration Installing Previously-Configured Systems in a StackAdding a New Unit to an Existing Stack SID Configuration Considerations About Using Clear Config in a StackIssues Related to Mixed Type Stacks Feature SupportPurpose Stacking Configuration and Management CommandsShow switch CommandsExamples Show switch switchtypeNone Show switch stack-portsPriority value Set switchSwitch command, read‐write ExampleThis example shows how to renumber switch 5 to switch Set switch copy-fwSet switch description This example shows how to assign priority 3 to switchSet switch member Set switch movemanagementUse this command to remove a member entry from the stack Clear switch memberQuick Start Setup Commands Basic ConfigurationRequired CLI Setup Commands Optional CLI Setup Commands Setting User Accounts and PasswordsShow system login Output Details Show system loginParameters Super‐user read‐write read‐only Set system loginClear system login Use this command to remove a local login user accountThis example shows how to remove the netops user account Set passwordSwitch command, read‐write Switch command, super‐user Set system password aging Set system password lengthDisable Set system password historyShow system lockout Time time Set system lockoutShow system lockout Output Details Attempts attemptsSetting Basic Switch Properties Show ip address Set ip address Use this command to clear the system IP addressClear ip address Show ip protocol This example shows how to clear the system IP addressSet ip protocol Show system This example shows how to display system informationShow system Output Details Show system hardwareSlot Hardware Information Show system utilizationSet system utilization Default threshold value is 80%This example sets the CPU utilization threshold to 75% Show system enhancedbuffermode Clear system utilizationSet system enhancedbuffermode Set system temperatureEnable disable Enables or disables enhanced buffer mode This example shows how to enable enhanced buffer modeTrap enable disable Clear system temperatureSyslog enable DisableSet time Show timeUse this command to display daylight savings time settings This example shows how to set the system clock to 750 a.mShow summertime If an offset is not specified, none will be applied Set summertimeSet summertime date If a zone name is not specified, none will be appliedSet summertime recurring Set prompt Use this command to modify the command promptThis example shows how to set the command prompt to Switch Clear summertimeSet banner motd Show banner motdShow version Clear banner motdShow version Output Details ‐5 provides an explanation of the command outputUse this command to configure a name for the system Set system nameSet system contact Use this command to identify the location of the systemThis example shows how to set the system location string Set system locationSet length This example shows how to set the system contact stringThis example shows how to set the terminal columns to Set widthSet logout This example shows how to set the terminal length toThis example shows how to display the CLI logout setting Show logoutShow console Use this command to display console settingsThis example shows how to display all console settings Use this command to set the console port baud rateDownloading via the Serial Port This example shows how to set the console port baud rate toDownloading a Firmware Image Downloading from a Tftp ServerType 2. The following baud rate selection screen displays Reverting to a Previous Image Show boot system Reviewing and Selecting a Boot Firmware ImageReboot the system using the reset command page 3‐50 Compatibility platform specific Set boot systemShow telnet Starting and Configuring TelnetThis example shows how to display Telnet status Use this command to enable or disable Telnet on the switchOutbound all Enable disableTelnet InboundConfiguration Persistence Mode Managing Switch Configuration and FilesSet snmp persistmode Show snmp persistmodeManual Save configDir AutoShow file Use this command to display the contents of a fileShow config All ConfigureOutfile Append CopySystemimage This example shows how to download an image via Tftp Show tftp settingsDelete This example sets the timeout period to 4 seconds Set tftp timeoutClear tftp timeout This example shows the output of this commandClear tftp retry Set tftp retryThis example sets the retry count to To clear the CLI screen or to close your CLI session This example shows how to clear the CLI screenClearing and Closing the CLI Cls clear screenThis example shows how to exit a CLI session Resetting the SwitchReset Use either of these commands to leave a CLI sessionThis example shows how to reset unit Clear configIf no unit ID is specified, the entire system will be reset This example shows how to reset the systemUse this command to display WebView status Using and Configuring WebViewShow webview Show ssl Set webviewThis example shows how to enable SSL This example shows how to display SSL statusSet ssl To gather common technical support information CommandGathering Technical Support Information Show supportSet system hostprotect Configuring HostprotectHostprotect is enabled by default Show system hostprotectClear system hostprotect This feature is disabled by defaultThis example disables hostprotect Default state is enabledUsage Licensing Procedure in a Stack Environment Activating Licensed FeaturesLicense Key Field Descriptions Adding a New Member to a Licensed Stack Clearing, Showing, and Applying LicensesUsage Set licenseClear license Use this command to clear the license key settingsFeatureID feature The name of the feature being cleared Show licenseC3rw-clear license featureId advrouter Clear license Activating Licensed Features Use this command to display system power properties Configuring System Power and PoECommands Show inlinepowerThis example shows how to display system power properties Set inlinepower thresholdShow inlinepower Output Details Set inlinepower detectionmode Set inlinepower trapSending of traps is disabled by default Ieee Show port inlinepowerHigh low Set port inlinepowerAdmin off auto Priority criticalSet port inlinepower Configuring System Power and PoE Configuring CDP Discovery Protocol ConfigurationShow cdp Output Details Show cdpEnable Auto disableSet cdp state Set cdp auth Use this command to set a global CDP authentication codeSet cdp interval Clear cdp Set cdp hold-timeShow neighbors Show ciscodp Configuring Cisco Discovery ProtocolShow ciscodp Output Details ‐2 provides an explanation of the command output‐3 provides an explanation of the command output Show ciscodp port infoShow ciscodp port info Output Details Set ciscodp timerThis example shows how to globally enable CiscoDP Set ciscodp statusSet ciscodp port Set ciscodp holdtimeTrusted VvidDot1p UntaggedClear ciscodp To review and configure Llpd and LLPD‐MED Configuring Link Layer Discovery Protocol and LLDP-MEDOverview Configuration Tasks Show lldp Use this command to display Lldp configuration informationShow lldp port trap Show lldp port statusShow lldp port location-info Show lldp port tx-tlvShow lldp port tx‐tlv port‐string Show lldp port local-info 1000BASE-TFD Show lldp port local-info Output DetailsECS Elin Show lldp port remote-info Voice Voice‐signalingGuest‐voice‐signaling Show lldp port network-policyVideo‐conferencing Video‐signalingSet lldp tx-interval Softphone‐voiceSet lldp trap-interval Set lldp hold-multiplierThis example sets the transmit interval to 20 seconds Set lldp med-fast-repeat Set lldp port trap Tx‐enableRx‐enable Set lldp port statusSet lldp port location-info Set lldp port med-trapElin Set lldp port tx-tlv Link‐aggr GvrpMac‐phy PoeVid vlan‐id dot1p State enable disableSet lldp port network-policy Tag tagged untaggedTrap‐interval Clear lldpTx‐interval Hold‐multiplierClear lldp port trap Clear lldp port statusClear lldp port location-info Clear lldp port med-trapCleared Dscp Clear lldp port network-policyTag VidClear lldp port tx-tlv Disables the LLDP‐MED Extended Power via MDI TLV from being Disables the LLDP‐MED Location Identification TLV from beingPort type.unitorslot number.port number Port ConfigurationPort Configuration Summary Port String Syntax Used in the CLIPort Slot/Unit Parameters Used in the CLI Reviewing Port StatusShow port status Show portShow port counters Switch mib2Show port status Output Details Show port counters Output Details Show port cablestatus Clear port countersThis example clears the port counters for ge.3.1 This example shows the cable status for 1 GE port ge.1.31 Disabling / Enabling and Naming PortsShow port cablestatus Output Details This example shows how to enable ge.1.3 Set port disableSet port enable This example shows how to disable ge.1.1Show port alias Use this command to assign an alias name to a portSet port alias This example shows how to clear the alias for ge.3.3 This example shows how to assign the alias Admin to ge.3.3Show port speed Setting Speed and Duplex ModeMbps Set port speedShow port duplex 10 100Set port duplex This example shows how to set ge.1.17 to full duplexFull half Show port jumbo Enabling / Disabling Jumbo Frame SupportSet port jumbo Enables or disables jumbo frame supportClear port jumbo Show port negotiation Setting Auto-Negotiation and Advertised AbilitySet port negotiation Enable disableShow port advertise Set port advertise Clear port advertise Mdi Show port mdixSet port mdix Forced‐autoConfigure ports to use Mdix mode only Configure ports to use MDI mode onlyOptional Specify the port or ports to configure Show flowcontrol Setting Flow ControlSet flowcontrol This example shows how to enable flow control Show port trap Setting Port Link Traps and Link Flap DetectionSet port trap Following example disables sending trap on ge.3.1Show linkflap Metrics GlobalstatePortstate ParametersShow linkflap metrics Output Details Show linkflap parameters Output DetailsSet linkflap portstate Disable enableDisables or enables the link flap detection function Set linkflap globalstateSet linkflap action Set linkflap intervalClear linkflap action Use this command to set the link flap action trigger countSet linkflap threshold Clear linkflap down Set linkflap downtimeThreshold interval Clear linkflapAll stats ParameterShow port broadcast Configuring Broadcast SuppressionClear port broadcast Set port broadcastSyntax Used in the CLI on page 7‐1 Port Mirroring Mirroring FeaturesRemote Port Mirroring Procedures Configuring Smon MIB Port MirroringOverview Show port mirroring To review and configure port mirroring on the deviceCan be configured per stack, if applicable Create disableSet port mirroring Clear port mirroring Use this command to clear a port mirroring relationshipSet mirror vlan Clear mirror vlan Lacp Operation Link Aggregation Control Protocol LacpLacp Terms and Definitions ‐6 defines key terminology used in Lacp configurationLacp Terminology SecureStack C3 Usage ConsiderationsCommands Show lacp ‐7 provides an explanation of the command outputShow lacp Output Details Disable enable Disables or enables LacpThis example shows how to disable Lacp Set lacpSet lacp asyspri Set lacp aadminkeyAsyspri Clear lacp Disable enable Disables or enables static link aggregationSet lacp static Clear lacp static Set lacp singleportlag This example enables the formation of single port LAGsClear lacp singleportlag Status detail Show port lacpSummary Counters Set port lacp AadminkeyPadminport AadminstateLacptimeout PadminkeyClear port lacp C3su-clear port lacp port ge.3.16 Set port protected Configuring Protected PortsProtected Port Operation Clear port protected Show port protectedRead‐only Show port protected name Set port protected nameClear port protected name Use this command to clear the name of a protected groupClear port protected name Port Configuration Snmp Configuration Summary Snmp ConfigurationSNMPv3 SNMPv1 and SNMPv2cAbout Snmp Security Models and Levels Snmp Security Levels Using Snmp Contexts to Access Specific MIBsConfiguration Considerations Reviewing Snmp StatisticsShow snmp engineid This example shows how to display Snmp engine propertiesShow snmp engineid Output Details This example shows how to display Snmp counter values Use this command to display Snmp traffic counter valuesShow snmp counters Show snmp counters Output Details Engine or otherwise unavailable Show snmp user Configuring Snmp Users, Groups, and CommunitiesSet snmp user This example shows how to display an Snmp user list‐4 provides an explanation of the command output Use this command to create a new SNMPv3 userNonvolatile AesSha VolatileShow snmp group Clear snmp userRemote remote V2c usm Volatile Set snmp groupUser user Security‐modelShow snmp community Clear snmp groupV2c usm Context context Use this command to configure an Snmp community groupSet snmp community SecuritynameClear snmp community Configuring Snmp Access RightsUse this command to delete an Snmp community name This example shows how to delete the community name vipNonvolatile read‐ Only Show snmp accessNoauthentication Authentication Privacy Context context‐6 provides an explanation of the command output This example shows how to display Snmp access informationShow snmp access Output Details Set snmp access Configuring Snmp MIB Views Clear snmp accessShow snmp view Set snmp view Show snmp contextShow snmp view Output Details Clear snmp view Read‐only Configuring Snmp Target ParametersShow snmp targetparams Volatile nonvolatileMessage‐ ‐8 provides an explanation of the command outputSet snmp targetparams Show snmp targetparams Output DetailsProtected from disclosure AuthenticationClear snmp targetparams PrivacyUse this command to display Snmp target address information Configuring Snmp Target AddressesShow snmp targetaddr Udpport udpport Timeout timeoutSet snmp targetaddr Param paramTag 1 tag Use this command to delete an Snmp target address entryClear snmp targetaddr Taglist taglistAbout Snmp Notify Filters Configuring Snmp Notification ParametersShow newaddrtrap By default, this function is disabled globally and per portSet newaddrtrap Show snmp notify Trap inform ‐10 provides an explanation of the command outputSet snmp notify 10 show snmp notify Output DetailsClear snmp notify Use this command to clear an Snmp notify configurationShow snmp notifyfilter Subtree oid‐or‐ Set snmp notifyfilterClear snmp notifyfilter Set snmp notifyprofile Show snmp notifyprofileTargetparam This example shows how to delete Snmp notify profile area51 Creating a Basic Snmp Trap ConfigurationClear snmp notifyprofile Example 11 Basic Snmp Trap ConfigurationHow Snmp Will Use This Configuration Configuring the Snmp Management InterfaceShow snmp interface Loopback loop‐ID Set snmp interfaceClear snmp interface Clear snmp interface Snmp Configuration Spanning Tree Configuration Summary Spanning Tree ConfigurationLoop Protect Spanning Tree FeaturesConfiguring Spanning Tree Bridge Parameters For information about Sid sid Show spantree statsActive Show spantree Output Details ‐1 shows a detailed explanation of command outputSet spantree Disable enable Globally disables or enables Spanning TreeShow spantree version Set spantree version Clear spantree version This example shows how to reset the Spanning Tree versionShow spantree bpdu-forwarding Set spantree bpdu-forwarding Disable enable Disables or enables Bpdu forwardingBy default Bpdu forwarding is disabled This example shows how to enable Bpdu forwarding8021t Set spantree bridgeprioritymodeClear spantree bridgeprioritymode 8021dSet spantree msti Show spantree mstilistCreate delete Show spantree mstmap Clear spantree mstiFid fid Clear spantree mstmap This example shows how to map FID 3 to SIDUse this command to map a FID back to SID Set spantree mstmapShow spantree vlanlist This example shows how to map FID 2 back to SIDShow spantree mstcfgid Set spantree mstcfgid Cfgname name Specifies an MST configuration nameClear spantree mstcfgid Set spantree priority Use this command to set the device’s Spanning Tree priorityClear spantree priority Set spantree hello This example shows how to reset the bridge priority on SIDClear spantree hello Set spantree maxage Use this command to set the bridge maximum aging timeUse this command to set the Spanning Tree forward delay Set spantree fwddelayClear spantree maxage Show spantree backuproot Clear spantree fwddelayClear spantree backuproot Set spantree backuprootSet spantree tctrapsuppress Show spantree tctrapsuppressSet spantree protomigration Clear spantree tctrapsuppressShow spantree spanguard Enable disable Enables or disables the SpanGuard functionSet spantree spanguard Clear spantree spanguard This example shows how to enable the SpanGuard functionSet spantree spanguardtimeout Show spantree spanguardtimeoutShow spantree spanguardlock Clear spantree spanguardtimeoutThis example shows how to unlock port ge.1.16 Show spantree spanguardtrapenableClear / set spantree spanguardlock Clear spantree spanguardtrapenable Set spantree spanguardtrapenableIs enabled Set spantree legacypathcost Show spantree legacypathcostThis example clears the legacy path cost to 802.1t values Clear spantree legacypathcostShow spantree autoedge Set spantree autoedgeClear spantree autoedge To display and set Spanning Tree port parameters Configuring Spanning Tree Port ParametersSet spantree portadmin Disable enableShow spantree portadmin Clear spantree portadminThis example shows how to disable Spanning Tree on ge.1.5 Show spantree portpri Use this command to set a port’s Spanning Tree prioritySet spantree portpri Clear spantree portpri Set spantree adminpathcost Show spantree adminpathcostShow spantree adminedge Clear spantree adminpathcostTrue false Set spantree adminedgeClear spantree adminedge This example shows how to set ge.1.11 as an edge portShow spantree operedge This example shows how to reset ge.1.11 as a non‐edge portConfiguring Spanning Tree Loop Protect Parameters If no SID is specified, SID 0 is assumed This example shows how to enable Loop Protect on ge.2.3Set spantree lp Show spantree lpShow spantree lplock Clear spantree lpSID Locked Clear spantree lplockShow spantree lpcapablepartner Set spantree lpcapablepartnerClear spantree lpcapablepartner Use this command to set the Loop Protect event thresholdSet spantree lpthreshold Show spantree lpthreshold None. The default event threshold isClear spantree lpthreshold Show spantree lpwindow Set spantree lpwindowDisabled Set spantree lptrapenableClear spantree lpwindow Clear spantree lptrapenable Show spantree lptrapenableSet spantree disputedbpduthreshold Clear spantree disputedbpduthreshold Show spantree disputedbpduthresholdShow spantree nonforwardingreason Vlan Configuration Summary 802.1Q Vlan ConfigurationCreating a Secure Management Vlan Command Set for Creating a Secure Management VlanPortinfo Viewing VLANsShow vlan StaticVlan Vlan ID Name Show vlan Output DetailsSet vlan Create enable Creates, enables or disables VLANs. disableThis example shows how to create Vlan Creating and Naming Static VLANsSet vlan name This example shows how to set the name for Vlan 7 to greenClear vlan Clear vlan name This example shows how to clear the name for VlanShow port vlan Assigning Port Vlan IDs PVIDs and Ingress FilteringNo‐modify‐egress Set port vlanClear port vlan Modify‐egressShow port ingress filter Show port discard Set port ingress filterTagged untagged both none Set port discardShow port egress Configuring the Vlan Egress ListSet vlan forbidden Untagged forbidden tagged Use this command to remove ports from a VLAN’s egress listSet vlan egress Clear vlan egressForbidden Show vlan dynamicegressThis example shows how to enable dynamic egress on Vlan Enable disable Enables or disables dynamic egressSet vlan dynamicegress Show host vlan Setting the Host VlanSet host vlan Clear host vlan This example shows how to set Vlan 7 as the host VlanAbout Garp Vlan Registration Protocol Gvrp Enabling/Disabling Gvrp Garp Vlan Registration ProtocolHow It Works Example of Vlan Propagation via Gvrp Use this command to display Gvrp configuration information Show garp timerShow gvrp Disables or enables Gvrp on the device Show gvrp configuration Output DetailsSet gvrp This example shows how to enable Gvrp on ge.1.3 Set garp timerClear gvrp Leave Clear garp timerLeaveall timer‐ JoinC3su-clear garp timer leave ge.1.1 Policy Classification Configuration Summary Policy Classification Configuration‐verbose Configuring Policy ProfilesUse this command to display policy profile information Show policy profileShow policy profile Output Details Set policy profile This example shows how to delete policy profile Use this command to delete a policy profile entryClear policy profile All admin‐ profile profile‐ index Configuring Classification RulesShow policy rule Udpdestport Not‐in‐service Not‐ready Storage‐type non‐Admin‐pid TcpsourceportShow policy rule Output Details Show policy capabilityVlan Set policy rule Admin‐profileVlantag data Ipsourcesocket EtherIpproto IpdestsocketData value Mask bits Valid Values for Policy Classification RulesAll‐pid‐entries Following parameters apply to deleting an admin ruleClear policy rule Range from 1 to 4094 or 0xFFFClear policy all-rules Use this command to remove all policy classification rulesTo assign and unassign ports to policy profiles Use this command to assign ports to a policy profileAssigning Ports to Policy Profiles Set policy portClear policy port About Policy-Based CoS Configurations Configuring Policy Class of Service CoSProcedure 11-1 User-Defined CoS Configuration Configuring Policy Class of Service CoS About CoS-Based Flood Control ProcedureSet cos state Use this command to enable or disable Class of ServiceShow cos state This example shows how to enable Class of ServiceClear cos state Irl‐reference Set cos settingsPriority priority Tos‐value tos‐valueTos‐value Clear cos settingsShow cos settings PrioritySet cos port-config Should be displayed Show cos port-configPorts Clear cos port-configEntry NameSet cos port-resource irl Multicast Set cos port-resource flood-ctrlGroup#.port‐type UnicastGroup#.port‐type Show cos port-resourceType Clear cos port-resource irlUnit RateMulticast Clear cos port-resource flood-ctrlSet cos reference UnicastRate‐limit irl‐index Specifies that an IRL reference is being configuredShow cos reference IRL reference number associated with this entryClear cos reference Pps Show cos unitPort‐typ e index KbpsShow cos port-type Clear cos all-entriesThis example shows flood control information for port type Port Priority Configuration Summary Port Priority ConfigurationShow port priority Configuring Port PriorityClear port priority Set port priorityShow port priority-queue Configuring Priority to Transmit Queue MappingSet port priority-queue Clear port priority-queue Show port txq Configuring Quality of Service QoSSet port txq Clear port txq By default, transmit queues are defined as followsClear port txq Port Priority Configuration Igmp Overview Igmp ConfigurationAbout IP Multicast Group Management To configure Igmp snooping from the switch CLI Configuring Igmp at LayerAbout Multicasting Use this command to enable or disable Igmp on the system Set igmpsnooping adminmodeUse this command to display Igmp snooping information This example shows how to display Igmp snooping informationSet igmpsnooping interfacemode This example shows how to enable Igmp on the systemEnable disable Enables or disables Igmp This example shows how to enable Igmp on port ge.1.10Set igmpsnooping maxresponse If no ports are specified, all ports are added to the entry Set igmpsnooping mcrtrexpiretimeSet igmpsnooping add-static ModifyShow igmpsnooping static Set igmpsnooping remove-staticIf modify is not specified, a new entry is created Stats Optional Displays Mfdb statistics Show igmpsnooping mfdbGroup group This example displays the static Igmp ports for VlanThis example shows how to clear all Igmp snooping entries Use this command to clear all Igmp snooping entriesClear igmpsnooping Ip igmp Configuring Igmp on Routing InterfacesTo configure Igmp on routing interfaces Global configuration C3su‐routerConfig#Ip igmp version Ip igmp enableThis example shows how to enable Igmp on the router Interface configuration C3su‐routerConfig‐ifVlan 1#Show ip igmp interface Any router modeIp igmp query-interval Show ip igmp groupsIp igmp startup-query-interval Ip igmp query-max-response-timeIp igmp last-member-query-interval Ip igmp startup-query-countIp igmp robustness Ip igmp last-member-query-countInterface configuration C3 su‐routerConfig‐ifVlan 1# Ip igmp robustness Igmp Configuration Logging and Network Management Configuring System LoggingShow logging server Set logging server Clear logging server Show logging defaultUse this command to set logging default values Set logging defaultSeverity Clear logging defaultShow logging application FacilityShow logging application Output Details Set logging applicationIf level is not specified, none will be applied Level levelShow logging local Clear logging applicationClear logging local Set logging localShow logging buffer This example shows how to clear local loggingShow logging interface Set logging interface Clear logging interface History Monitoring Network Events and StatusSet history Use this command to set the size of the history bufferDefault Show historyShow users PingThis example, the host at IP address is not responding Show netstat DisconnectConsole Following table describes the output of this command Following example shows the output of this commandShow netstat Output Details Use this command to display the switch’s ARP table Managing Switch Network Addresses and RoutesShow arp Set arp This example shows how to display the ARP tableShow arp Output Details Traceroute Clear arpSelf mgmt Show macEach response Type other learnedShow mac Output Details Show mac agetimeClear mac agetime This example shows how to display the MAC timeout periodThis example shows how to set the MAC timeout period Set mac agetimeSet mac algorithm Default MAC algorithm is mac‐crc16‐upperbitsShow mac algorithm Set mac multicast Clear mac algorithmClear mac address Use this command to remove a multicast MAC addressAppend clear Set mac unreserved-flood Show mac unreserved-floodShow sntp Configuring Simple Network Time Protocol SntpThis example enables multicast flood protection Use this command to display Sntp client settingsShow sntp Output Details This example shows how to display Sntp client settingsClear sntp client Set sntp clientClear sntp server Set sntp serverIf precedence is not specified, 1 will be applied Clear sntp poll-interval Set sntp poll-intervalSet sntp poll-retry This example shows how to clear the Sntp poll intervalClear sntp poll-retry This example shows how to clear the Sntp poll timeout Set sntp poll-timeoutClear sntp poll-timeout Use this command to clear the Sntp poll timeoutSet timezone Set sntp interface Show sntp interfaceClear sntp interface C3rw-show sntp interface Vlan 100 C3rw-clear sntp interface Show nodealias config Configuring Node AliasesSet nodealias Show nodealias config Output DetailsMaxentries maxentries Clear nodealias config Rmon Monitoring Group Functions and Commands Rmon ConfigurationRmon Monitoring Group Functions Design Considerations Group What It Does What It Monitors CLI CommandsTo display, configure, and clear Rmon statistics Statistics Group CommandsShow rmon stats Use this command to configure an Rmon statistics entrySet rmon stats If owner is not specified, monitor will be applied To‐defaultsThis example shows how to delete Rmon statistics entry Clear rmon statsShow rmon history History Group CommandsInterval interval Set rmon historyClear rmon history Buckets bucketsThis example shows how to delete Rmon history entry Show rmon alarm Alarm Group CommandsThis example shows how to display Rmon alarm entry Type absolute Set rmon alarm propertiesShow rmon alarm Output Details Object objectSet rmon alarm status Use this command to delete an Rmon alarm entry Clear rmon alarmEnable This example shows how to enable Rmon alarm entryShow rmon event Event Group CommandsUse this command to display Rmon event entry properties This example shows how to display Rmon event entryTrap both Set rmon event propertiesDescription Type none logSet rmon event status This example shows how to enable Rmon event entryClear rmon event This example shows how to clear Rmon event Show rmon channel Filter Group CommandsFailed Use this command to configure an Rmon channel entrySet rmon channel Accept matchedChannel channel Clear rmon channelShow rmon filter Index indexSet rmon filter This example shows how to clear Rmon filter entry Use this command to clear an Rmon filter entryClear rmon filter Show rmon capture Packet Capture CommandsNodata Loadsize loadsize Set rmon captureAction lock Slice sliceThis example shows how to clear Rmon capture entry Use this command to clears an Rmon capture entryClear rmon capture Dhcp Server Dhcp Server ConfigurationDhcp Overview Dhcp Relay AgentConfiguring a Dhcp Server Configuring General Dhcp Server Parameters This example enables Dhcp server functionality Set dhcp bootpSet dhcp Show dhcp conflict This example enables address allocation for Bootp clientsThis example enables Dhcp conflict logging Set dhcp conflict loggingClears the conflict information for all IP addresses Logging Disables conflict loggingThis example disables Dhcp conflict logging Clear dhcp conflictSet dhcp exclude 100, with the set dhcp exclude commandClear dhcp exclude Clear dhcp ping Set dhcp pingThis example sets the number of ping packets sent to Clear dhcp binding Show dhcp bindingClear dhcp server statistics Use this command to display Dhcp server statisticsUse this command to clear all Dhcp server counters Show dhcp server statisticsThis example clears all Dhcp server counters Manual Pool Configuration Considerations Configuring IP Address PoolsThis example creates an address pool named auto1 Set dhcp poolThis example deletes the address pool named auto1 Use this command to delete a Dhcp server pool of addressesClear dhcp pool Set dhcp pool networkSet dhcp pool hardware-address Clear dhcp pool networkSet dhcp pool host Clear dhcp pool hardware-addressIf no type is specified, Ethernet is assumed Set dhcp pool client-identifier Clear dhcp pool hostClear dhcp pool client-identifier Clear dhcp pool client-name Set dhcp pool client-nameClear dhcp pool bootfile Set dhcp pool bootfileClear dhcp pool next-server Set dhcp pool next-serverClear dhcp pool lease Set dhcp pool leaseInfinite Clear dhcp pool default-router Set dhcp pool default-routerClear dhcp pool dns-server Set dhcp pool dns-serverClear dhcp pool domain-name Set dhcp pool domain-nameClear dhcp pool netbios-name-server Set dhcp pool netbios-name-serverClear dhcp pool netbios-node-type Set dhcp pool netbios-node-type‐node Ascii string Set dhcp pool optionClear dhcp pool option Show dhcp pool configurationThis example removes option 19 from address pool auto1 Show dhcp pool configuration Dhcp Snooping Overview Dhcp Snooping Dynamic ARP InspectionDhcp Message Processing Building and Maintaining the Database Rate Limiting Basic ConfigurationConfiguration Notes Procedure 17-1 Basic Configuration for Dhcp SnoopingDisabled globally Dhcp Snooping CommandsSet dhcpsnooping Set dhcpsnooping vlan Set dhcpsnooping database write-delaySet dhcpsnooping trust By default, ports are untrustedSet dhcpsnooping binding This example configures port ge.1.1 as a trusted portSet dhcpsnooping verify Set dhcpsnooping log-invalid Source MAC address verification is enabled by defaultAgainst the client hardware address Burst interval secs Set dhcpsnooping limitNone Rate ppsThis example configures rate limit parameters on port ge.1.1 Show dhcpsnooping port Show dhcpsnooping databaseDynamic static Show dhcpsnooping bindingEntry, either dynamic or static Show dhcpsnooping statistics Clear dhcpsnooping statistics Clear dhcpsnooping bindingClear dhcpsnooping database Dynamic ARP Inspection Overview Write‐delayDefault value of 300 seconds Clear dhcpsnooping limitStatic Mappings Functional DescriptionOptional ARP Packet Validation Eligible Interfaces Logging Invalid PacketsPacket Forwarding Rate LimitingStep Task Commands Procedure 17-2 Basic Dynamic ARP Inspection ConfigurationRouter Configuration Example ConfigurationVlan Configuration Dynamic ARP Inspection Configuration Dynamic ARP Inspection CommandsSet arpinspection vlan Dhcp Snooping ConfigurationLogging Set arpinspection trustLogging is disabled by default By default, all physical ports and LAGs are untrustedSrc‐mac Set arpinspection validateDst‐mac Set arpinspection limit Mac host Set arpinspection filterShow arpinspection access-list PermitThis example displays the ARP configuration of lag.0.1 Show arpinspection portsShow arpinspection statistics Show arpinspection vlanWith an invalid address Clear arpinspection validateThis example removes all 3 additional validation conditions Clear arpinspection vlan Clear arpinspection filter This example removes the ARP ACL named staticARP from Vlan Clear arpinspection limitThis example clears all DAI statistics from the switch Clear arpinspection statisticsPage Pre-Routing Configuration Tasks Preparing for Router ModeEnabling the Switch for Routing Enabling Router Configuration ModesRouter CLI Configuration Modes Router CLI Configuration Modes Page Configuring Routing Interface Settings IP ConfigurationVlan vlan ‐id Show interfaceVlan vlan‐ id Use this command to configure interfaces for IP routingRouter global configuration mode C3su‐routerConfig# InterfaceShow ip interface This example shows how to enter configuration mode for VlanSecondary Router interface configuration C3su‐routerConfig‐ifVlan 1#Ip address Show ip interface Output DetailsNo shutdown Show running-configNo ip routing This example shows how to enable Vlan 1 for IP routingUse this command to configure a tunnel interface Configuring Tunnel InterfacesInterface tunnel Router interface configuration C3su‐routerConfig‐ifTnnl 1# This example creates a configured tunnel interfaceTunnel source No form of this command removes the mode of the tunnel Tunnel modeThis command specifies the mode of the tunnel interface Ipv6ip Specifies that the tunnel mode is IPv6 over IPv4Show interface tunnel This example sets the tunnel mode to IPv6 over IPv4Show ip arp Reviewing and Configuring the ARP TableArp This example shows how to use the show ip arp commandShow ip arp Output Details Ip proxy-arp This example shows how to enable proxy ARP on VlanPrivileged Exec C3su‐router# Arp timeoutClear arp-cache 14,400 secondsInterface configuration C3su‐Router1Config‐ifVlan 1# Configuring Broadcast SettingsIp directed-broadcast Are forwarded Ip forward-protocolUdp Specifies UDP as the IP forwarding protocolIp helper-address Show ip route Reviewing IP Traffic and Configuring RoutesOSPF, IA Ping Ip routePreference in route selection There is also a traceroute command available in switch mode This command is also available in switch modeTraceroute Ip icmp redirect enable Configuring Icmp RedirectsInterface Show ip icmp redirectActivating Advanced Routing Features IPv4 Routing Protocol ConfigurationRouter rip Configuring RIPRIP Configuration Task List and Commands RIP Configuration Task List and CommandsThis example shows how to enable RIP Ip rip enableDistance R1compatible Ip rip send versionSpecifies RIP version Ip rip authentication-keySpecifies RIP version 1. This is the default setting Ip rip receive versionMd5 Ip rip message-digest-keySplit-horizon poison Use this command to disable automatic route summarizationRouter configuration C3su‐routerConfig‐router# No auto-summaryPassive-interface Ospf Receive-interfaceRedistribute ConnectedSubnetted will be redistributed Command detailed in ip route on page 19‐21Protocol SubnetsAdvanced License Required Configuring OspfOspf Configuration Task List and Commands Ospf Configuration Task List and CommandsRoutes Router idRouter ospf This example shows how to enable routing for Ospf process1583compatibility This example shows how to enable RFC 1583 compatibility Ip ospf enableIp ospf areaid Ip ospf priority Ip ospf costTimers spf Ip ospf retransmit-interval Ip ospf transmit-delayIp ospf dead-interval Ip ospf hello-interval65535 Ip ospf authentication-key Distance ospf Ip ospf message digest key md5Intra‐area routes Area rangeExternal inter‐ Area intra‐areaAdvertise If not specified, advertise mode will be setArea stub Advertise no‐Area nssa Area default costInformation‐ Default‐This example shows how to configure area 10 as an Nssa area Area virtual-linkDead‐interval Authentication‐Transmit‐delay Key keyRip Show ip ospfMetric‐type type Use this command to display the Ospf link state database This example shows how to display Ospf informationShow ip ospf database Show ip ospf database Output Details Show ip ospf interfaceShow ip ospf interface Output Details Show ip ospf neighbor Output Details Show ip ospf neighborClear ip ospf process Show ip ospf virtual-linksShow ip ospf virtual links Output Details This example shows how to reset Ospf process Enabling Dvmrp on an Interface Configuring DvmrpIp dvmrp Ip dvmrp enableCommands to Enable Dvmrp on an Interface This example shows how to enable the Dvmrp processIp dvmrp metric Use this command to display Dvmrp routing informationShow ip dvmrp This example shows how to display Dvmrp status information Ip irdp enable Configuring IrdpIp irdp minadvertinterval Ip irdp maxadvertintervalIp irdp preference Ip irdp holdtime9000 Ip irdp broadcast Use this command to display Irdp informationShow ip irdp Configuration Tasks on page 18‐1 Router vrrp Configuring VrrpCreate This example shows how enable Vrrp configuration modeAddress Advertise-interval PriorityPreempt Described in Pre‐Routing Configuration Tasks on page 18‐1Enable Show ip vrrp Ip vrrp authentication-keyUse this command to display Vrrp routing information This example shows how to display Vrrp informationDesign Considerations Configuring PIM-SMIp pimsm staticrp Global router configuration C3su‐routerConfig#This example shows how to globally enable and disable PIM Ip pimsmIp pimsm enable Ip pimsm query-interval This example shows how to display PIM informationShow ip pimsm Show ip pimsm componenttable This example shows how to display PIM router informationShow ip pimsm Output Details Stats This example shows how to display PIM interface informationShow ip pimsm interface Show ip pimsm componenettable Output Details10 show ip pimsm interface stats Output Details This example shows how to display PIM interface statisticsShow ip pimsm neighbor Show ip pimsm interface vlan Output DetailsCandidate ‐11 provides an explanation of the command outputShow ip pimsm rp 11 show ip pimsm neighbor Output DetailsShow ip pimsm rphash ‐12 provides an explanation of the command output12 show ip pimsm rp Output Details Show ip pimsm staticrp ‐13 provides an explanation of the command outputDisplay the PIM‐SM static Rendezvous Point information Show ip mroute Use this command to display the IP multicast routing table13 show ip pimsm staticrp Output Details 20-60 IPv4 Routing Protocol Configuration Show ipv6 status IPv6 ManagementThis example shows how to enable IPv6 management By default, IPv6 management is disabledSet ipv6 Set ipv6 address No global unicast IPv6 address is defined by defaultEui64 Show ipv6 address Use this command to clear IPv6 global addressesClear ipv6 address Set ipv6 gateway Clear ipv6 gateway Use this command to clear an IPv6 gateway addressShow ipv6 neighbors Use this command to display IPv6 netstat information This example shows example output of this commandShow ipv6 netstat Ping ipv6 This command is also available in router modeSize num Traceroute ipv6 Traceroute ipv6 21-10 IPv6 Management Overview IPv6 ConfigurationIPv6 Routing License Required Following table lists the default IPv6 conditions Default ConditionsIpv6 forwarding General Configuration CommandsIpv6 hop-limit This example sets the hop limit to Default maximum number of IPv6 hops isThis command configures static IPv6 routes Ipv6 routeIpv6 route distance Default preference or administrative distance isIpv6 unicast-routing This command sets the default distance value toLink‐local‐address Ping ipv6 interfaceRouter privileged exec C3 su‐router# 20010db8123455551 Ipv6 address Interface Configuration CommandsNo IPv6 addresses are defined for any interface IPv6 is disabled Ipv6 enableBytes Ipv6 mtuThis example sets the MTU value to 1500 bytes Clear ipv6 neighbors Neighbor Cache and Neighbor Discovery CommandsThis example clears all dynamically learned cache entries Ipv6 nd dad attempts Duplicate address detection enabled, for 1 attemptIpv6 nd ns-interval This example sets the NS interval to 2 seconds By default, a value of 0 is advertised in RA messagesRouter interface configurationC3su‐routerConfig‐ifVlan 1# Ipv6 nd reachable-timeThis example sets the reachable time to 60 seconds Ipv6 nd other-config-flagFlag is set to false by default Router interface configuration C3su‐routerConfig‐if Vlan 1#Ipv6 nd ra-lifetime Ipv6 nd ra-intervalIpv6 nd prefix Suppression disabledThis example disables router advertisement transmission Ipv6 nd suppress-raRouter interface configurationC3su‐routerConfig‐if Vlan 1# No‐autoconfigOff‐link Example Router privileged execution C3su‐router# Query CommandsShow ipv6 Show ipv6 interfaceThis example displays information about IPv6 interface Vlan This example displays the neighbors in the cache This command displays IPv6 Neighbor Cache informationInterface interface This command displays the IPv6 routing tableShow ipv6 route Show ipv6 neighbor Output DetailsShow ipv6 route Output Details This example displays all active IPv6 routesShow ipv6 route preferences Output Details Show ipv6 route preferencesShow ipv6 route summary This command displays the summary of the routing tableNon‐best routes Show ipv6 traffic Following example displays the output of this commandShow ipv6 summary Output Details Show ipv6 traffic Output Details Options, etc Counter would include datagrams counted Send. Note that this counter includes all those counted by Router privileged executionC3su‐router# Clear ipv6 statisticsThis example clears the statistics for Vlan IPv6 Proxy Routing Limitations Preparing a Mixed Stack for IPv6 Proxy RoutingIpv6 proxy-routing IPv6 proxy routing is disabled by defaultRouter global configuration C2su‐routerConfig# This example enables IPv6 proxy routingAny routing mode DHCPv6 Configuration This command enables DHCPv6 on the router Global Configuration CommandsIpv6 dhcp enable Following table lists the default DHCPv6 conditionsThis example enables DHCPv6 By default, DHCPv6 is disabledIpv6 dhcp relay-agent-info-opt Ipv6 dhcp pool Ipv6 dhcp relay-agent-info-remote-id-suboptIpv6 dhcp pool Domain-name Address Pool Configuration CommandsPrefix-delegation Dns-serverPreferred‐lifetime Valid‐lifetime secsSecs infinite C3su-routerConfig-dhcp6s-pool# exit C3su-routerConfig# Preference pref By default, DHCPv6 functionality is disabledIpv6 dhcp server Rapid‐commitRemote‐id duid‐ifid Ipv6 dhcp relayDestination dest‐addr Interface intfExamples Show ipv6 dhcp DHCPv6 Show CommandsStatistics Show ipv6 dhcp interfaceThis example displays the DHCPv6 statistics for Vlan Output of show ipv6 dhcp interface CommandOutput of show ipv6 dhcp statistics Command This example displays the output of this commandShow ipv6 dhcp statistics This example clears DHCPv6 statistics for Vlan Clear ipv6 dhcp statisticsShow ipv6 dhcp pool This command displays information about DHCPv6 bindingsShow ipv6 dhcp binding If no IPv6 address is specified, all bindings are displayed Show ipv6 dhcp binding DHCPv6 Configuration OSPFv3 Configuration Following table lists the default OSPFv3 conditions Use this command to configure the OSPFv3 router ID Global OSPFv3 Configuration CommandsIpv6 router id Metric value Default-information originateIpv6 router ospf AlwaysRouter OSPFv3 configuration C3su-routerConfig-router# Default-metricRouter OSPFv3 configuration C3su‐routerConfig‐router# No default metric is configuredType1 Exit-overflow-intervalIntra InterThis example sets the exit overflow interval to 10 seconds This command configures the external Lsdb limit for OSPFv3Default value is ‐1 External-lsdb-limitConnected static Maximum-pathsTag tag Metric = unspecified Metric type = Type Tag = Area default-cost Area Configuration CommandsThese commands are used to configure area parameters This example shows how to configure area 20 as an Nssa This example sets the default route cost to 50 for areaComparable Area nssa default-info-originateDefault metric value is Area nssa no-redistributeArea nssa no-summary Area nssa translator-stab-intv This command configures the translator role of the routerBy default, the translator role is disabled Area nssa translator roleNssaexternallink Default interval is 40 secondsArea address ranges are not configured by default SummarylinkThis command creates a stub area for the specified area ID Area stub no-summary Example disables the import of summary LSAs into stub areaThis example creates a stub area with the ID Area virtual-link dead-interval Default dead interval is 40 secondsArea virtual-link hello-interval Default hello interval is 10 secondsArea virtual-link retransmit-interval Default retransmit interval is 5 seconds Area virtual-link transmit-delayDefault transmit delay is 1 second OSPFv3 is disabled by default Ipv6 ospf enableIpv6 ospf cost Ipv6 ospf areaidIpv6 ospf dead-interval Default dead interval value is 40 secondsIpv6 ospf mtu-ignore Ipv6 ospf hello-intervalDefault network type is broadcast By default, MTU mismatch detection is enabledIpv6 ospf network Ipv6 ospf priority Default priority value isIpv6 ospf retransmit-interval Default value is 4 seconds Ipv6 ospf transmit-delayDefault value is 1 second Ipv6 ospf transmit-delay Show ipv6 ospf OSPFv3 Show CommandsThis command displays OSPFv3 router information This example shows how to display OSPFv3 router informationShow ipv6 ospf Output Details Show ipv6 ospf area Output Details Show ipv6 ospf areaShow ipv6 ospf abr Output Details Show ipv6 ospf abrShow ipv6 ospf asbr Output Details Show ipv6 ospf asbrShow ipv6 ospf database Adv Router Link Id Age Sequence Csum Options Rtr Opt Show ipv6 ospf database Output Details Show ipv6 ospf database database-summary Output Details Show ipv6 ospf interface This command displays information about OSPFv3 interfacesLoopback loopid Show ipv6 ospf interface Command Output Details Show ipv6 ospf interface stats This example shows how to display statistics for VlanShow ipv6 ospf interface stats Output Details Specify the tunnel interface to display This command displays information about OSPFv3 neighborsShow ipv6 ospf neighbor Specify the Vlan interface to display information aboutShow ipv6 ospf neighbor Output Details 10 show ipv6 ospf neighbor routerid Output Details Show ipv6 ospf rangeThis example displays range information for area 12 show ipv6 ospf stub table Output Details Show ipv6 ospf stub table11 show ipv6 ospf range Output Details This example displays the OSPFv3 stub table information13 show ipv6 ospf virtual-link Output Details Show ipv6 ospf virtual-linkShow ipv6 ospf virtual-link Show ipv6 ospf virtual-link OSPFv3 Configuration Overview of Authentication and Authorization Methods Authentication and Authorization ConfigurationOverview of Authentication and Authorization Methods Filter-ID Attribute Formats Use this command to set the authentication login method Setting the Authentication Login MethodShow authentication login Set authentication loginRadius Clear authentication loginAny LocalRetries Configuring RadiusTimeout Show radiusServers or a specific Radius server as defined by an index Optional Displays Radius server configuration informationSet radius ServerRealm management‐ access any network‐access Timeout timeoutServer index Realm Clear radiusSet radius accounting Show radius accountingRetries retries Retries This example shows how to set Radius accounting retries toTimeout Clear radius accountingSet radius interface Show radius interfaceClear radius interface Example Auth‐stats Configuring 802.1X AuthenticationShow dot1x Auth‐diagThis example shows how to display 802.1X status Show dot1x auth-config Init reauth Set dot1xTrue false Set dot1x auth-config Portcontrol Maxreq Clear dot1x auth-configShow eapol Show eapol Output Details Connecting state, via disconnectedForced‐auth Set eapolClear eapol Auth‐modeOptional Globally clears the Eapol authentication mode Show macauthentication Configuring MAC AuthenticationNopassword Show macauthentication Output DetailsThis example shows how to display MAC session information Show macauthentication sessionShow macauthentication session Output Details Set macauthentication password Set macauthenticationUse this command to set a MAC authentication password Enables or disables MAC authentication Clear macauthentication passwordSet macauthentication port Use this command to clear the MAC authentication passwordSet macauthentication portquietperiod Set macauthentication portinitializeSet macauthentication macinitialize Clear macauthentication portquietperiodThis example resets the default quiet period on port Set macauthentication portreauthenticate Set macauthentication reauthenticationEnables or disables MAC reauthentication Set macauthentication reauthperiod Set macauthentication macreauthenticateClear macauthentication reauthperiod Clear macauthentication significant-bits Set macauthentication significant-bitsC3su-clear macauthentication significant-bits About Multiple Authentication Types Configuring Multiple Authentication MethodsAbout Multi-User Authentication Show multiauth Strict Set multiauth modeClear multiauth mode MultiSet multiauth precedence Default precedence order is dot1x, pwa, macClear multiauth precedence Set multiauth port Show multiauth portClear multiauth port Show multiauth session Show multiauth stationAgent dot1x mac Show multiauth idle-timeoutIdle timeout value is provided by the authenticating server Set multiauth idle-timeoutAuthentication method for which to set the timeout value Which to set the timeout valueWhich to reset the timeout value to its default Clear multiauth idle-timeoutShow multiauth session-timeout DefaultWhich to set the session timeout value Set multiauth session-timeoutConfiguring User + IP Phone Authentication Clear multiauth session-timeoutConfiguring Vlan Authorization RFC Set vlanauthorization egress Set vlanauthorizationTagged Show vlanauthorization Clear vlanauthorizationBy default, administrative egress is set to untagged Show vlanauthorization Output Details Configuring Policy Maptable ResponseOperational Description When Policy Maptable Response is BothWhen Policy Maptable Response is Tunnel When Policy Maptable Response is PolicyShow policy maptable Policy Set policy maptableResponse BothClear policy maptable To review, disable, enable, and configure MAC locking Configuring MAC LockingShow maclock Connected to MAC locked ports Show maclock stationsShow maclock Output Details FirstarrivalSet maclock enable port‐string Set maclock enableShow maclock stations Output Details Set maclock Set maclock disableThis example shows how to enable MAC locking on ge.2.3 This example shows how to disable MAC locking on ge.2.3Create Clear maclockSpecified MAC address and port Clear maclock static Set maclock staticSet maclock firstarrival Set maclock agefirstarrival Clear maclock firstarrivalSet maclock move This example enables first arrival aging on port ge.1.1This example disables first arrival aging on port ge.1.1 Clear maclock agefirstarrivalSet maclock trap About PWA Configuring Port Web Authentication PWAShow pwa Output Details Show pwaThis example shows how to enable port web authentication Enable disable Enables or disables port web authenticationSet pwa Show pwa banner This example shows how to display the PWA login bannerSet pwa banner Display hide This example shows how to hide the Enterasys Networks logoClear pwa banner Set pwa displaylogoSet pwa protocol Set pwa ipaddressChap pap Clear pwa guestname Use this command to clear the PWA guest user nameThis example shows how to clear the PWA guest user name Set pwa guestnameAuthradius Set pwa guestpasswordSet pwa gueststatus AuthnoneSet pwa initialize This example shows how to initialize ports ge.1.5‐7Set pwa quietperiod Set pwa portcontrol Set pwa maxrequestShow pwa session Enables or disables PWA on specified portsThis example shows how to enable PWA on ports 1‐22 This example shows how to display PWA session informationThis example shows how to enable PWA enhancedmode Enable disable Enables or disables PWA enhancedmodeSet pwa enhancedmode Set ssh Configuring Secure Shell SSHThis example shows how to display SSH status on the switch Show ssh statusThis example shows how to regenerate SSH keys This example shows how to disable SSHSet ssh hostkey Show access-lists Configuring Access ListsShow access‐lists number Deny permit Access-list standardInsert replace Access-list extendedThis example moves entry 16 to the beginning of ACL Insert replace Interface configuration C3su‐routerConfig‐ifVlan vlanid# Ip access-groupFilters inbound frames Example Page TACACS+ Configuration State Optional Displays only the TACACS+ client status Show tacacsShow tacacs Output Details Set tacacs Use this command to enable or disable the TACACS+ clientEnable disable Enables or disables the Tacacs client This example shows how to enable the TACACS+ clientSet tacacs server Timeout secondsSpecifies one TACACS+ server to be affected Clear tacacs serverThis example removes TACACS+ server Show tacacs sessionSet tacacs session Super‐user ServiceClear tacacs session Read‐writeSet tacacs command Show tacacs commandSet tacacs singleconnect Show tacacs singleconnectConnection Set tacacs interface Show tacacs interfaceClear tacacs interface Clear tacacs interface TACACS+ Configuration 27-14 Using sFlow in Your Network SFlow ConfigurationAdvantages of using sFlow include SFlow Definitions DefinitionsSFlow Agent Functionality Sampling MechanismsCounter Sampling Packet Flow SamplingUsage Notes 28-5 Show sflow receivers Contents of the sFlow Receivers Table is displayedThis example displays the sFlow Receivers Table Show sflow receivers Output Descriptions Following table describes the output fieldsSet sflow receiver ip Set sflow receiver ownerMaxdatagram bytes Default IP address isDefault maximum datagram size is 1400 bytes Set sflow receiver maxdatagramMaxdatagram Default port value isSet sflow receiver port Clear sflow receiverOwner Set sflow port pollerPort port Show sflow pollers This example removes the poller instance on port ge.1.1 Clear sflow port pollerSet sflow port sampler IntervalShow sflow samplers Rate Clear sflow port samplerSet sflow interface MaxheadersizeShow sflow interface Clear sflow interface Show sflow agent 28-18 Policy Capacities Policy and Authentication CapacitiesTable A-1 Policy Capacities Table A-2 Authentication Capacities Authentication CapacitiesNumerics IndexOspf 20-30Network Management Tftp Index

DHCP Snooping and

Dynamic ARP Inspection

For information about...

DHCP Snooping Overview

DHCP Message Processing