Port-security max-dynamic | Force10 Networks S2410s guide

port-security

Implementation Notes

•If port security is enabled on a port, and then an ACL is applied to the port, the ACL is given precedence and port security is ignored. For example, if port security is applied, and then an ACL with a permit rule for a particular source address is applied, frames with that source address will be permitted.

•Logically, then, if a port that does not have port security enabled has an ACL applied, and then port security is enabled, the ACL takes precedence and port security is ignored, as above.

•In either case, if all ACLs are removed from the port, port security will become active if it is still configured as such.

•When port security is disabled on a port after having been enabled, all MAC table entries associated with that port are flushed.

port-security

Syntax

Default

Modes

Command

History

Related

Commands

This command enables port locking at the system level (Global Config) or port level (Interface Config).

The no version of this command disables port locking at the system level (Global Config) or port level (Interface Config).

[no] port-security

Disabled

Global Config and Interface Config; Interface Range, which is indicated by the (conf-if-range-interface)# prompt, such as (conf-if-range-vlan 10-20)#.

Version 2.3	Added Interface VLAN and Interface Range modes.

interface	Identifies an interface and enters the Interface Config mode.

interface range	Defines an interface range and accesses the Interface Range mode

port-security max-dynamic

This command sets the maximum of dynamically locked MAC addresses allowed on a specific port.

The no version of this command resets the maximum of dynamically locked MAC addresses allowed on a specific port to its default value.

164	Security Commands

Image 164

Force10 Networks S2410s manual Port-security max-dynamic, No port-security, Security Commands

Contents

Sftos Command Reference for the S2410 Copyright 2008 Force10 Networks Other Changes Sftos Command Reference for the S2410, VersionMajor Changes Deprecated Commands New Features Contents Using the Command Line Interface Contents Show running-config Chapter System Configuration Commands 105 127 System Log Port-securitymac-address move 166 Dhcp Server Commands Sntp Commands Chapter Igmp Snooping Commands 235 Chapter LAG/Port Channel Commands 249 Chapter Quality of Service QoS Commands 275 List of Figures 141 List of Tables Page About This Guide Objectives About This Guide How to Use this GuideAudience Contact Information Products and Services LiabilityRelated Documents and Sources of Additional Information Documentation Feedback Sftos Command Reference for the S2410, Version About This Guide Chapter Sftos Overview Sftos 2.4.1 Features Sftos Overview Ingress Rate Limiting Login Access Control Igmp Snooping Layer 2 Multicast Forwarding Sftos Overview Starting the Switch Chapter Quick Start Using the Boot Menu Press 2 and Enter quickly to access the Boot menu Show hardware System Info and System SetupBoot Menu Options Physical Port Data User Account Management Management IP Address SSH Managementethernet Address command Ip address ipaddr Default gatewayServiceport protocol None bootp dhcp Uploading from the Switch through Xmodem Downloading to the Switch through Xmodem Using Factory Defaults Clear configDownloading from a Tftp Server Copy tftp//ip address Parameter Command Syntax ConventionsKeyword Using the Command Line Interface Loc is a parameter-a placeholder for a required valueIp address ipaddr subnetmask Mtrace sourceipaddr destination group No Form of a Command Macaddr Network Address SyntaxIpaddr Obtaining Help at the Command Line Keyboard Shortcuts Using Command Modes Partial Keyword Example Mode-based Topology CLI Mode Diagram Pool-name command Enter logout or quitEnter the ip dhcp pool Enter the interface range Mode-based Command Hierarchy Enter the mac access-listExtended command Enter the tacacs-server Command Prompt hostname Interface # Flow of CLI Operation Using the Web User Interface Configuring for Web Access To enable Web browser access to the switchFollow these steps to bring up the switch Web UI Web Page Layout Command Buttons Switch Navigation Icon in Web UI Using the Web User Interface General System Management and Information Commands This section describes the following commands System Management Commands DirNone Privileged Exec Dir Hostname Change the text that appears as part of the CLI promptCharacters Hostname hostname Interface managementethernet Ip address managementInterface managementethernet Syntax ip address ipaddr subnetmask Mac-address Mac-typeNone Interface ManagementEthernet Mac-address mac-address Management route default Management route defaultManagement route default gateway Use no management route default to remove the gateway Syntax no mtu MtuMtu Network mac-address Network mac-typeNetwork parms Network protocol Serviceport ip Protocol none bootp dhcpServiceport ip ipaddr netmask gateway Protocol Serviceport protocol Show arp switchCommunicating with the switch Report fields include This command displays inventory information for the switch Show hardwareShow interface Syntax show interface unit/slot/port Fields in Output of show interface unit/slot/port Command Show interface 3965 Show interface ethernetUnit/slot/port Example of show interface ethernet switchport Output Show interface ethernet Recent reboot Address Entries Currently in Use Packets Received Packets Received Successfully Packets Transmitted Octets Packets Transmitted Successfully Statistics for this port were last cleared Show interface managementethernet Show interface managementethernetShow interface managementethernet Show interface switchport Show interface switchportShow interface switchport Fields in Output of show interface switchport Command Show interfaces Show interfacesDescription unit/slot/port Port Show logging Show loggingShow mac-addr-table Count S2410, If Index values areAll Show msglog Show msglog Show running-config EnabledShow running-config all scriptname Show network Show serviceport Show serviceport This command displays switch information Show sysinfoShow sysinfo Syntax show sysinfo Fields in Output of show sysinfo Command Fields in Output of show version CommandShow version Show version Show version Fields in Output of show version Command SNMP-COMMUNITY-MIB Syntax show tech-support Show tech-support Fields in Output of show version CommandShow tech-support Telnet Commands This command assigns the management Vlan of the switchThis section describes the following Sftos Telnet commands Vlan participation management Ip telnet timeout Minutes, to the defaultIp telnet maxsessions Time is a decimal value from 1to Session-limit Ip telnet server enableSession-timeout Telnet Telnetcon timeoutShow telnet Serial Commands Telnetcon maxsessionsSerial baudrate Telnetcon maxsessions Serial timeout 9600 defaultConsole activity to the 5-minute default Show serial Show serial Fields of show serial Command Output Snmp Management Commands Global Config modeRouter Ospf Config mode Show serial Show snmpcommunity Show snmptrapShow snmpcommunity Syntax show snmptrap Show trapflags Fields of show snmptrap Command Report Fields of show trapflags Command ReportShow trapflags Show trapflags Snmp-server Snmp-server communityNo snmp-server community None Snmp-server community mode Snmp-server community ipaddrSnmp-server community ipmask Syntax snmp-server community ipaddr ipaddr name Snmp-server community rw Snmp-server enable traps bcaststormSnmp-server community ro Snmp-server enable traps linkmode Snmp-server enable traps multiusersNo version of this command disables Multiple User traps Syntax no snmp-server enable traps linkmode Snmp-server enable traps stpmode Snmp-server enable trap violationSnmp-server traps enable This command enables the Authentication traps Snmptrap ipaddr Snmptrap modeSnmptrap Snmptrap snmpversion Snmp trap link-statusSnmp trap link-status all Snmptrap snmpversion 104 System Management Commands System Configuration Commands Sftos Command Reference for the S2410, Version 105 Configure 106 System Configuration CommandsBridge aging-time Bridge aging-time Enable Modes to which the Global Config mode provides a gatewayPassword for the command User Exec Configuration InterfaceInterface range Specified interface Ethernet Port-channelRange,range Vlan Commands Available in Ethernet Range Mode 110 System Configuration Commands Bulk Configuration Warning Message Single Range Bulk Configuration Monitor session Be only one destination portDestination interface Mode Monitor session 1 mode Syntax no monitor session 1 modeNo monitor Syntax no monitor This command displays the timeout for address aging No monitor sessionShow forwardingdb agetime Show mac-address-table Show mac-address-table multicast By specifying the MAC address as an optional parameterFor 1-3965, you have the option of entering a valid Vlan ID Show mac-address-table multicast macaddr Show mac-address-table stats Show monitor sessionDisplays the Multicast Forwarding Database Mfdb Information Sftos Command Reference for the S2410, Version 117 Show portShow port Syntax show monitor session Show port all Command Output Example 118 System Configuration Commands Show port protocol Shutdown InterfaceShutdown all For the indicated group Virtual LAN Vlan Commands Virtual LAN Vlan commands in this section are Sftos Command Reference for the S2410, Version 121 Clear vlanClear vlan Syntax clear vlan 122 System Configuration Commands DescriptionEnter a description for the selected interface port or Vlan Description Sftos Command Reference for the S2410, Version 123 Encapsulation VlanInterface vlan Interface Vlan 124 System Configuration Commands MakestaticMakestatic Syntax makestatic Mtu Vlan Name Vlan 126 System Configuration Commands Network mgmtvlanParticipation Vlan Priority Vlan Except when Gvrp is expected to create the Vlan Protocol groupGroup that is identified by this groupid Such as conf-if-range-vlan 10-20# Configure the Vlan ID for a specific port Interface Vlan Protocol vlan group allPvid Vlan Fail and the interfaces will not be added to the group Show vlan Show vlan brief id vlanid name port BriefId vlanid Name 130 System Configuration Commands Show vlan portDisplay 802.1Q port parameters Show vlan port Sftos Command Reference for the S2410, Version 131 TaggedTagged Tagged unit/slot/port 132 System Configuration Commands UntaggedVlan Untagged Vlan acceptframe Vlan databaseVlan ingressfilter Vlan participation interface This command changes the Vlan ID for all interfaces Vlan participation allVlan port acceptframe Vlan port ingressfilter all Sftos Command Reference for the S2410, Version 135 Vlan port tagging allVlan port untagging all Vlan port tagging all Vlan protocol group remove Vlan protocol groupVlan protocol group add protocol Sftos Command Reference for the S2410, Version 137 Vlan pvidVlan tagging Vlan untagging Clear config System Utility CommandsSyntax clear config Clear counters Clear port-channel Clear traplogClear igmpsnooping Copy Trap log nvramtraplog Specify a URL for the destination in this formCopy Copy systemrunning-config nvramstartup-config Nvramstartup-config and copy tftp //tftpserveripaddressPath/filename nvramstartup-config Copy clibanner Enable passwd No clibanner command removes the CLI bannerCopy nvramclibanner tftp//tftpserveripaddress/filepath Tftpserveripaddress Enable passwd password LogoutQuit Quit Ping ReloadShow terminal length Reload Terminal length TracerouteLines Use Exec or Privileged Exec Destination through the network on a hop-by-hop basis Configuration Scripting Commands in this section areWrite Functionality of this Script apply Script deleteScript list Present Format of display is Line no Line contents Script showScript validate Script file Syntax logging buffered severitylevel Sftos Command Reference for the S2410, Version 149Logging buffered Logging cli-command Commands issued on the systemNo logging cli-command Logging buffered wrap Logging console Logging host Logging host reconfigure This command removes the identified hostLogging host remove Logging persistent Use no logging syslog to disable syslog logging Disabled local0Logging syslog Logging syslog This command displays buffered logging the System log Show logging bufferedShow logging buffered Show logging buffered This command displays configured logging hosts Show logging hostsUnit variable is the host index Show logging hosts unit Show logging traplogs Show logging traplogsShow logging traplogs 156 System Log Syntax clear pass Sftos Command Reference for the S2410, Version 157Clear pass Show loginsession Login Session IDDisconnect Show users Username passwd Users snmpv3 encryption Users snmpv3 accessmodeUsers snmpv3 authentication Sftos Command Reference for the S2410, Version 161 Associated with the specified encryptionNo encryption Users snmpv3 encryption Users snmpv3 encryption 162 User Account Commands This section contains the following commands Sftos Command Reference for the S2410, Version 163 164 Security Commands Port-securityPort-security max-dynamic Port-security Sftos Command Reference for the S2410, Version 165 Port-security max-staticPort-security mac-address Port-security max-static Port-security mac-address move Show port-security Sftos Command Reference for the S2410, Version 167 Show port-security dynamicMAC Address MAC address of the dynamically locked MAC Show port-security dynamic Show port-security static Show port-security violationMAC Address-MAC Address of statically locked MAC Locked port Authentication login Authentication loginNo authentication login listname Sftos Command Reference for the S2410, Version 169 Dot1x defaultlogin Clear dot1x statisticsClear radius statistics Clear dot1x statistics unit/slot/port all Dot1x login Be a configured authentication login listDot1x initialize Dot1x max-req Dot1x port-control Dot1x port-control allDot1x port-control force-unauthorized force-authorized auto Auto Dot1x re-authenticate Dot1x re-authenticationUnauthorized Authorized Dot1x timeout SwitchDot1x system-auth-control Can be changed, but is not activated Show authentication Sftos Command Reference for the S2410, Version 175Dot1x user Dot1x user Show authentication users Show dot1xUser column Displayed Sftos Command Reference for the S2410, Version 177 Show dot1x Example of Output from the show dot1x detail Command 178 Security Commands Show users authentication Show users authenticationShow dot1x users Show dot1x users unit/slot/port Users defaultlogin Users loginUsers will be authenticated using local authentication only Accidental lockout from the switch Radius server host Radius accounting modeValue i.e. the Radius accounting function is disabled Authentication server 182 Security CommandsRadius server key Radius server key Previously configured Radius authentication server Radius server msgauthRadius server primary Radius server retransmit Radius server timeout Show radius Radius Accounting Mode Show radius accounting statisticsShow radius accounting statistics Show radius accounting statistics IP address Show radius statistics authentication 186 Security CommandsRadius Accounting Server Otherwise all the following listed fields are displayed Show radius statistics authentication Sftos Command Reference for the S2410, Version 187 Not configured Tacacs-server hostTacacs-server key To delete a key, use the no tacacs-server key key Tacacs-server timeout Specify a global timeout value for all TACACS+ hostsTo restore the default, enter no tacacs-server timeout Seconds Global Config Port PrioritySpecify a server port number for a particular Tacacs host Priority priority Timeout Specify the timeout value for a particular Tacacs hostSingle-connection Show tacacs 192 Security Commands Ip ssh maxsessionsIp ssh maxsessions Ip ssh maxsessions Ip ssh server enable Enable SSH No version of this command disables SSHDisabled Global Config Ip ssh protocol Ip ssh timeout This command displays the SSH settingsShow ip ssh Report fields Sshcon timeout Sftos Command Reference for the S2410, Version 195Sshcon maxsessions Sshcon maxsessions Ip http javamode enable This command is used to set the Sslt portSSL3 and TLS1 Global Config Ip http secure-port Ip http secure-server enable Ip http server enableNo ip http secure-server enable disabled No ip http server enable Show ip http Show ip httpShow ip http This command displays switch configuration information Show storm-controlShow storm-control Show storm-control unit/slot/port all This command enables 802.3x flow control for the switch Storm-control broadcastStorm-control flowcontrol No storm-control broadcast Sftos Command Reference for the S2410, Version 201 Storm-control flowcontrol Storm-control flowcontrol 202 Security Commands Dhcp Server Commands Sftos Command Reference for the S2410, Version 203 Bootfile Mode Dhcp Pool ConfigClear ip dhcp binding Clear ip dhcp server statistics Client-name Clear ip dhcp conflictClient-identifier Domain-name Default-routerDns-server Hardware-address HostFrom 0 to 255. IP address 0.0.0.0 is invalid Prefix-length is an integer from 0 to Ip dhcp excluded-address Ip dhcp bootp automaticIp dhcp conflict logging Lease Ip dhcp ping packetsIp dhcp pool Network Netbios-name-serverNetbios-node-type Next-server Option Service dhcp Service dhcpShow ip dhcp binding No option code Show ip dhcp global configuration Show ip dhcp pool configurationShow ip dhcp global configuration Show ip dhcp pool configuration name all This command displays Dhcp server statistics Show ip dhcp server statisticsShow ip dhcp conflict Specified, all the conflicting addresses are displayed Where poll-interval can be a value from 6 to Sftos Command Reference for the S2410, Version 215Sntp broadcast client poll-interval Sntp broadcast client poll-interval poll-interval Sntp client mode This command sets the Sntp client port ID to a value fromSntp client port Processed Sntp unicast client poll-retry Sntp unicast client poll-timeoutSntp unicast client poll-interval This command is used to display Sntp settings and status Sntp serverShow sntp Sntp servers This command is used to display Sntp client settings Sftos Command Reference for the S2410, Version 219Show sntp client Show sntp client For each configured server 220 Sntp CommandsShow sntp server Show sntp server Sftos Command Reference for the S2410, Version 221 Dvlan-tunnel ethertypeDvlan-tunnel ethertype 802.1Q vman custom Vman Mode dot1q-tunnel Mode dvlan-tunnelInterface. By default, Double Vlan Tunneling is disabled Interface Config Show dot1q-tunnel interface unit/slot/port all Sftos Command Reference for the S2410, Version 223Show dot1q-tunnel 224 VLAN-Stack Commands Show dvlan-tunnelShow dvlan-tunnel Show dvlan-tunnel interface unit/slot/port all Set garp timer join Garp CommandsCommands in this sections are Sftos Command Reference for the S2410, Version 225 Set garp timer leave Set garp timer leaveSet garp timer join No set garp timer join Syntax set garp timer leave Set garp timer leaveall Syntax set garp timer leaveallShow garp Show garp Gvrp adminmode enable Gvrp interfacemode enableGarp Vlan Registration Protocol Gvrp Commands This command enables Gvrp globally Gvrp interfacemode enable all Set gvrp adminmodeShow gvrp configuration Set gvrp interfacemode Show gvrp configuration 230 GARP, GVRP, and Gmrp Commands Gmrp adminmode Garp Multicast Registration Protocol Gmrp CommandsGmrp adminmode Syntax gmrp adminmode enable Set gmrp adminmode Gmrp interfacemode enable allChanged to gmrp adminmode Gmrp interfacemode enable all Show gmrp configuration Set gmrp interfacemodeSet gmrp interfacemode all One or all interfaces 234 GARP, GVRP, and Gmrp Commands Show mac-address-table gmrpMulticast Forwarding Database Mfdb table Show mac-address-table gmrp Igmp Snooping Commands Sftos Command Reference for the S2410, Version 235 Igmp enable interface Igmp enable globalDisabled Interface Config Interface Vlan Revised from set igmp. Added Interface Vlan mode Igmp fast-leave interface Igmp groupmembership-interval interfaceEntry To 3600 seconds Igmp interfacemode enable all Igmp interfacemode enable allNo igmp interfacemode enable all 238 Igmp Snooping Commands Mode and Interface Vlan mode Igmp mcrtexpiretime interfaceIgmp maxresponse No igmp mcrtexpiretime Igmp mrouter interface enable No igmp mrouter interface enableIgmp mrouter interface No igmp mrouter vlanId Set igmp interface Set igmp systemSet igmp fast-leave Set igmp groupmembership-interval global Version 2.3 Revised to igmp mrouter interface enable 242 Igmp Snooping CommandsSet igmp groupmembership-interval interface Set igmp interfacemode all Sftos Command Reference for the S2410, Version 243 Set igmp maxresponse globalSet igmp maxresponse interface Set igmp maxresponse global 244 Igmp Snooping Commands Set igmp mcrtexpiretime globalSet igmp mcrtexpiretime interface Set igmp mcrtexpiretime global Set igmp mrouter Show igmpsnoopingRevised to igmp mrouter Show igmpsnooping unit/slot/port Unit/slot/port Show igmpsnooping fast-leave Show igmpsnooping mrouter interfaceShow igmpsnooping mrouter interface unit/slot/port vlan Vlan Sftos Command Reference for the S2410, Version 247 Show mac-address-table igmpsnoopingShow mac-address-table igmpsnooping Syntax show mac-address-table igmpsnoopingPage Sftos Command Reference for the S2410, Version 249 Addport Deleteport interface config Deleteport interface config250 LAG/Port Channel Commands Addport unit/slot/port Deleteport global config Port-channelDeleteport unit/slot/port all No port-channel name Port-channel linktrap Port-channel enable all globalPort-channel enable interface This command renames a LAG port channel or all LAGs All configured LAGsPort-channel name Port-channel staticcapability Port lacpmode Port lacpmode enable allPort lacptimeout global Show port-channel brief Port lacptimeout interfaceInterface Config Interface Range Show port-channel For each LAG, the following information is displayedSyntax show port-channel brief Show port-channel Lagid all Sftos Command Reference for the S2410, Version 257 Show port-channel summaryPort channel/LAG Summary Show port-channel summary This command disables the selected LAG port channel No version of this command enables the selected LAG258 LAG/Port Channel Commands Shutdown Sftos Command Reference for the S2410, Version 259 260 Spanning Tree STP Commands Show spanning-treeAre displayed Show spanning-tree Show spanning-tree interface unit/slot/port Following details are displayed on execution of the commandShow spanning-tree interface 262 Spanning Tree STP Commands Show spanning-tree mst detailedShow spanning-tree mst port detailed Show spanning-tree mst detailed Sftos Command Reference for the S2410, Version 263 Show spanning-tree mst port detailed Switch. On execution, the following details are displayed Show spanning-tree mst port summaryShow spanning-tree mst summary For each Mstid Details are displayed on execution of the command Show spanning-tree summaryShow spanning-tree vlan Spanning-tree Spanning-tree configuration name Spanning-tree configuration revisionNo spanning-tree configuration name name Spanning-tree bpdumigrationcheck Spanning-tree configuration revision Spanning-tree edgeportSpanning-tree forceversion Words Internal spanning tree to the default value, in other words Spanning-tree forward-timeSpanning-tree hello-time Value being greater than or equal to Bridge Max Age / 2 + Spanning-tree max-age Spanning-tree max-hopsSpanning-tree mst Syntax spanning-tree max-age No spanning-tree max-age Cost auto external-cost auto port-priorty Interface Config 270 Spanning Tree STP CommandsNo spanning-tree mst No spanning-tree mst Spanning-tree mst instance Spanning-tree mst priorityMaximum number of multiple instances supported by Sftos is Multiple spanning tree instance to be removed Spanning-tree port mode enable Spanning-tree mst vlanSpanning-tree mst vlan mstid vlanid No spanning-tree mst vlan mstid vlanid Spanning-tree port mode enable all Spanning-tree port mode enable allNo spanning-tree port mode enable No spanning-tree port mode enable allPage Class of Service CoS Commands Sftos Command Reference for the S2410, Version 275 Classofservice dot1p-mapping No form of this command is not supportedClassofservice dot1p-mapping userpriority trafficclass Userpriority range is Classofservice trust Classofservice trust dot1pCos-queue max-bandwidth Syntax no cos-queue max-bandwidth bw-0…bw-3 Cos-queue min-bandwidth Cos-queue random-detectUp to four in the S2410 Operation for the specified queues Random-detect exponential-weighting-constant Random-detect exponential-weighting-constant commandsCos-queue strict Four in the S2410 280 Quality of Service QoS Commands Random-detect queue-parmsRandom-detect queue-parms Queue-id-1 queue-id-2 Show classofservice dot1p-mapping Show classofservice trustSystem-wide port trust mode used for all interfaces For a specific interface Settings are displayed Show interfaces cos-queueShow interfaces random-detect Report Fields Non-IP Traffic Sftos Command Reference for the S2410, Version 283 Show interfaces tail-drop-thresholdShow interfaces tail-drop-threshold Syntax show interfaces random-detect slot/port Global Config and Interface Config 284 Quality of Service QoS CommandsTail-drop queue-parms Tail-drop queue-parms Classofservice dot1pmapping Differentiated Services DiffServ CommandsProvisioning Ieee 802.1p Commands Traffic-shape Show classofservice dot1pmapping Configuration will override this configuration settingVlan port priority all Vlan priority This chapter covers the following commands Sftos Command Reference for the S2410, Version 287 Ibmsna, ipv4, ipv6, ipx, mplsmcast, mplsucast, netbios DenypermitAny bpdu Vlan eq Secondary-vlan Secondary-cosAssign-queue Redirect Mac access-list extended Mac Access List ConfigMac access-list extended name Access-list extended command Mac access-list extended rename Mac access-list extended rename name newnameSftos Command Reference for the S2410, Version 291 Newname Mac access-group Show mac access-listsMac access-group name 1-4294967295in Show mac access-lists name Show mac access-lists Sftos Command Reference for the S2410, Version 293 Show mac access-lists 294 ACL Commands Sftos Command Reference for the S2410, Version 295 Index Copy 37-38 296 Index Sftos Command Reference for the S2410, Version 297 Html Http 298 Index Sftos Command Reference for the S2410, Version 299 PDUs 225 Show inventory 114-116, 119, 169, 227, 229 300 Index Sftos Command Reference for the S2410, Version 301 Show sysinfo 83, 222 75-77 302 Index Sftos Command Reference for the S2410, Version 303 Gvrp IDs 134 304 Index