Force10 Networks S2410s specification

Chapter 18	ACL Commands

This chapter covers the following commands:

•{denypermit} on page 288

•mac access-list extended on page 290

•mac access-list extended rename on page 291

•mac access-group on page 292

•show mac access-lists on page 292

Note: SFTOS 2.4.1 does not support IP-based ACL commands.

An Access Control List (ACL) ensures that only authorized users and types of traffic to have access to specific resources, while blocking unwarranted attempts to reach network resources.

The following conditions pertain to ACLs in SFTOS:

•Maximum of 1064 ACLs, each with a maximum of 64 rules

•ACL configuration for IP packet fragments is not supported.

•The maximum number of rules per ACL translates into the number of hardware classifier entries used when an ACL is attached to an interface. Increasing these values in the SFTOS software increases the RAM and NVSTORE usage.

•Wildcard masking for ACLs operates differently from a subnet mask. A wildcard mask is in essence the inverse of a subnet mask. With a subnet mask, the mask has ones (1's) in the bit positions that are used for the network address, and has zeros (0's) for the bit positions that are not used. In contrast, a wildcard mask has (0’s) in a bit position that must be checked. A ‘1’ in a bit position of the ACL mask indicates the corresponding bit can be ignored.

For details on using ACL commands, see the Access Control chapter in the SFTOS Configuration Guide. ACLs factor into quality of service. For more on quality of service (QoS), see Quality of Service (QoS) Commands on page 275.

SFTOS Command Reference for the S2410, Version 2.4.1.0

287

Image 287

Force10 Networks S2410s This chapter covers the following commands, Sftos Command Reference for the S2410, Version 287

Contents

Sftos Command Reference for the S2410 Copyright 2008 Force10 Networks Other Changes Sftos Command Reference for the S2410, VersionMajor Changes New Features Deprecated Commands Contents Contents Using the Command Line Interface Show running-config Chapter System Configuration Commands 105 127 System Log Port-securitymac-address move 166 Dhcp Server Commands Sntp Commands Chapter Igmp Snooping Commands 235 Chapter LAG/Port Channel Commands 249 Chapter Quality of Service QoS Commands 275 List of Figures 141 List of Tables Page Objectives About This Guide About This Guide How to Use this GuideAudience Contact Information Products and Services LiabilityRelated Documents and Sources of Additional Information Documentation Feedback Sftos Command Reference for the S2410, Version About This Guide Chapter Sftos Overview Sftos Overview Sftos 2.4.1 Features Igmp Snooping Layer 2 Multicast Forwarding Ingress Rate Limiting Login Access Control Sftos Overview Chapter Quick Start Starting the Switch Press 2 and Enter quickly to access the Boot menu Using the Boot Menu Show hardware System Info and System SetupBoot Menu Options User Account Management Physical Port Data SSH Management IP Address None bootp dhcp Managementethernet Address command Ip address ipaddrDefault gateway Serviceport protocol Downloading to the Switch through Xmodem Uploading from the Switch through Xmodem Copy tftp//ip address Using Factory DefaultsClear config Downloading from a Tftp Server Parameter Command Syntax ConventionsKeyword Mtrace sourceipaddr destination group Using the Command Line InterfaceLoc is a parameter-a placeholder for a required value Ip address ipaddr subnetmask No Form of a Command Macaddr Network Address SyntaxIpaddr Keyboard Shortcuts Obtaining Help at the Command Line Partial Keyword Example Using Command Modes Mode-based Topology CLI Mode Diagram Enter the interface range Pool-name commandEnter logout or quit Enter the ip dhcp pool Enter the tacacs-server Mode-based Command HierarchyEnter the mac access-list Extended command Command Prompt hostname Interface # Flow of CLI Operation Using the Web User Interface Web Page Layout Configuring for Web AccessTo enable Web browser access to the switch Follow these steps to bring up the switch Web UI Switch Navigation Icon in Web UI Command Buttons Using the Web User Interface This section describes the following commands General System Management and Information Commands Dir System Management CommandsDir None Privileged Exec Hostname hostname HostnameChange the text that appears as part of the CLI prompt Characters Syntax ip address ipaddr subnetmask Interface managementethernetIp address management Interface managementethernet Mac-address mac-address Mac-addressMac-type None Interface ManagementEthernet Use no management route default to remove the gateway Management route defaultManagement route default Management route default gateway Syntax no mtu MtuMtu Network protocol Network mac-addressNetwork mac-type Network parms Protocol Serviceport ipProtocol none bootp dhcp Serviceport ip ipaddr netmask gateway Report fields include Serviceport protocolShow arp switch Communicating with the switch Syntax show interface unit/slot/port This command displays inventory information for the switchShow hardware Show interface Show interface Fields in Output of show interface unit/slot/port Command 3965 Show interface ethernetUnit/slot/port Show interface ethernet Example of show interface ethernet switchport Output Recent reboot Address Entries Currently in Use Packets Received Packets Received Successfully Packets Transmitted Octets Packets Transmitted Successfully Statistics for this port were last cleared Show interface managementethernet Show interface managementethernetShow interface managementethernet Fields in Output of show interface switchport Command Show interface switchportShow interface switchport Show interface switchport Port Show interfacesShow interfaces Description unit/slot/port Show logging Show loggingShow mac-addr-table Count S2410, If Index values areAll Show msglog Show msglog Show network Show running-configEnabled Show running-config all scriptname Show serviceport Show serviceport Syntax show sysinfo This command displays switch informationShow sysinfo Show sysinfo Show version Fields in Output of show sysinfo CommandFields in Output of show version Command Show version SNMP-COMMUNITY-MIB Show version Fields in Output of show version Command Syntax show tech-support Show tech-support Fields in Output of show version CommandShow tech-support Vlan participation management Telnet CommandsThis command assigns the management Vlan of the switch This section describes the following Sftos Telnet commands Time is a decimal value from 1to Ip telnet timeoutMinutes, to the default Ip telnet maxsessions Session-limit Ip telnet server enableSession-timeout Telnet Telnetcon timeoutShow telnet Telnetcon maxsessions Serial CommandsTelnetcon maxsessions Serial baudrate Show serial Serial timeout9600 default Console activity to the 5-minute default Show serial Fields of show serial Command Output Show serial Snmp Management CommandsGlobal Config mode Router Ospf Config mode Syntax show snmptrap Show snmpcommunityShow snmptrap Show snmpcommunity Show trapflags Show trapflags Fields of show snmptrap Command ReportFields of show trapflags Command Report Show trapflags None Snmp-serverSnmp-server community No snmp-server community Syntax snmp-server community ipaddr ipaddr name Snmp-server community modeSnmp-server community ipaddr Snmp-server community ipmask Snmp-server community rw Snmp-server enable traps bcaststormSnmp-server community ro Syntax no snmp-server enable traps linkmode Snmp-server enable traps linkmodeSnmp-server enable traps multiusers No version of this command disables Multiple User traps This command enables the Authentication traps Snmp-server enable traps stpmodeSnmp-server enable trap violation Snmp-server traps enable Snmptrap ipaddr Snmptrap modeSnmptrap Snmptrap snmpversion Snmp trap link-statusSnmp trap link-status all Snmptrap snmpversion 104 System Management Commands Sftos Command Reference for the S2410, Version 105 System Configuration Commands Bridge aging-time Configure106 System Configuration Commands Bridge aging-time User Exec EnableModes to which the Global Config mode provides a gateway Password for the command Specified interface ConfigurationInterface Interface range Vlan EthernetPort-channel Range,range 110 System Configuration Commands Commands Available in Ethernet Range Mode Single Range Bulk Configuration Bulk Configuration Warning Message Mode Monitor sessionBe only one destination port Destination interface Syntax no monitor Monitor session 1 modeSyntax no monitor session 1 mode No monitor Show mac-address-table This command displays the timeout for address agingNo monitor session Show forwardingdb agetime Show mac-address-table multicast macaddr Show mac-address-table multicastBy specifying the MAC address as an optional parameter For 1-3965, you have the option of entering a valid Vlan ID Information Show mac-address-table statsShow monitor session Displays the Multicast Forwarding Database Mfdb Syntax show monitor session Sftos Command Reference for the S2410, Version 117Show port Show port 118 System Configuration Commands Show port all Command Output Example For the indicated group Show port protocolShutdown Interface Shutdown all Virtual LAN Vlan commands in this section are Virtual LAN Vlan Commands Syntax clear vlan Sftos Command Reference for the S2410, Version 121Clear vlan Clear vlan Description 122 System Configuration CommandsDescription Enter a description for the selected interface port or Vlan Interface Vlan Sftos Command Reference for the S2410, Version 123Encapsulation Vlan Interface vlan Syntax makestatic 124 System Configuration CommandsMakestatic Makestatic Name Vlan Mtu Vlan Priority Vlan 126 System Configuration CommandsNetwork mgmtvlan Participation Vlan Such as conf-if-range-vlan 10-20# Except when Gvrp is expected to create the VlanProtocol group Group that is identified by this groupid Fail and the interfaces will not be added to the group Configure the Vlan ID for a specific port Interface VlanProtocol vlan group all Pvid Vlan Name Show vlanShow vlan brief id vlanid name port Brief Id vlanid Show vlan port 130 System Configuration CommandsShow vlan port Display 802.1Q port parameters Tagged unit/slot/port Sftos Command Reference for the S2410, Version 131Tagged Tagged Untagged 132 System Configuration CommandsUntagged Vlan Vlan participation interface Vlan acceptframeVlan database Vlan ingressfilter Vlan port ingressfilter all This command changes the Vlan ID for all interfacesVlan participation all Vlan port acceptframe Vlan port tagging all Sftos Command Reference for the S2410, Version 135Vlan port tagging all Vlan port untagging all Vlan protocol group remove Vlan protocol groupVlan protocol group add protocol Vlan untagging Sftos Command Reference for the S2410, Version 137Vlan pvid Vlan tagging Clear counters Clear configSystem Utility Commands Syntax clear config Copy Clear port-channelClear traplog Clear igmpsnooping Trap log nvramtraplog Specify a URL for the destination in this formCopy Copy clibanner Copy systemrunning-config nvramstartup-configNvramstartup-config and copy tftp //tftpserveripaddress Path/filename nvramstartup-config Tftpserveripaddress Enable passwdNo clibanner command removes the CLI banner Copy nvramclibanner tftp//tftpserveripaddress/filepath Quit Enable passwd passwordLogout Quit Reload PingReload Show terminal length Destination through the network on a hop-by-hop basis Terminal lengthTraceroute Lines Use Exec or Privileged Exec Functionality of this Configuration ScriptingCommands in this section are Write Present Script applyScript delete Script list Script file Format of display is Line no Line contentsScript show Script validate Syntax logging buffered severitylevel Sftos Command Reference for the S2410, Version 149Logging buffered Logging buffered wrap Logging cli-commandCommands issued on the system No logging cli-command Logging host Logging console Logging persistent Logging host reconfigureThis command removes the identified host Logging host remove Logging syslog Use no logging syslog to disable syslog loggingDisabled local0 Logging syslog Show logging buffered This command displays buffered logging the System logShow logging buffered Show logging buffered Show logging hosts unit This command displays configured logging hostsShow logging hosts Unit variable is the host index 156 System Log Show logging traplogsShow logging traplogs Show logging traplogs Syntax clear pass Sftos Command Reference for the S2410, Version 157Clear pass Show users Show loginsessionLogin Session ID Disconnect Username passwd Users snmpv3 encryption Users snmpv3 accessmodeUsers snmpv3 authentication Users snmpv3 encryption Sftos Command Reference for the S2410, Version 161Associated with the specified encryption No encryption Users snmpv3 encryption 162 User Account Commands Sftos Command Reference for the S2410, Version 163 This section contains the following commands Port-security 164 Security CommandsPort-security Port-security max-dynamic Port-security max-static Sftos Command Reference for the S2410, Version 165Port-security max-static Port-security mac-address Show port-security Port-security mac-address move Show port-security dynamic Sftos Command Reference for the S2410, Version 167Show port-security dynamic MAC Address MAC address of the dynamically locked MAC Locked port Show port-security staticShow port-security violation MAC Address-MAC Address of statically locked MAC Sftos Command Reference for the S2410, Version 169 Authentication loginAuthentication login No authentication login listname Clear dot1x statistics unit/slot/port all Dot1x defaultloginClear dot1x statistics Clear radius statistics Dot1x max-req Dot1x loginBe a configured authentication login list Dot1x initialize Auto Dot1x port-controlDot1x port-control all Dot1x port-control force-unauthorized force-authorized auto Authorized Dot1x re-authenticateDot1x re-authentication Unauthorized Can be changed, but is not activated Dot1x timeoutSwitch Dot1x system-auth-control Dot1x user Show authenticationSftos Command Reference for the S2410, Version 175 Dot1x user Displayed Show authentication usersShow dot1x User column Show dot1x Sftos Command Reference for the S2410, Version 177 178 Security Commands Example of Output from the show dot1x detail Command Show dot1x users unit/slot/port Show users authenticationShow users authentication Show dot1x users Accidental lockout from the switch Users defaultloginUsers login Users will be authenticated using local authentication only Radius server host Radius accounting modeValue i.e. the Radius accounting function is disabled Radius server key Authentication server182 Security Commands Radius server key Radius server retransmit Previously configured Radius authentication serverRadius server msgauth Radius server primary Show radius Radius server timeout Show radius accounting statistics IP address Radius Accounting ModeShow radius accounting statistics Show radius accounting statistics Otherwise all the following listed fields are displayed Show radius statistics authentication186 Security Commands Radius Accounting Server Sftos Command Reference for the S2410, Version 187 Show radius statistics authentication To delete a key, use the no tacacs-server key key Not configuredTacacs-server host Tacacs-server key Seconds Global Config Tacacs-server timeoutSpecify a global timeout value for all TACACS+ hosts To restore the default, enter no tacacs-server timeout Priority priority PortPriority Specify a server port number for a particular Tacacs host Show tacacs TimeoutSpecify the timeout value for a particular Tacacs host Single-connection Ip ssh maxsessions 192 Security CommandsIp ssh maxsessions Ip ssh maxsessions Ip ssh protocol Ip ssh server enableEnable SSH No version of this command disables SSH Disabled Global Config Report fields Ip ssh timeoutThis command displays the SSH settings Show ip ssh Sshcon maxsessions Sshcon timeoutSftos Command Reference for the S2410, Version 195 Sshcon maxsessions Ip http secure-port Ip http javamode enableThis command is used to set the Sslt port SSL3 and TLS1 Global Config No ip http server enable Ip http secure-server enableIp http server enable No ip http secure-server enable disabled Show ip http Show ip httpShow ip http Show storm-control unit/slot/port all This command displays switch configuration informationShow storm-control Show storm-control No storm-control broadcast This command enables 802.3x flow control for the switchStorm-control broadcast Storm-control flowcontrol Storm-control flowcontrol Sftos Command Reference for the S2410, Version 201 Storm-control flowcontrol 202 Security Commands Sftos Command Reference for the S2410, Version 203 Dhcp Server Commands Clear ip dhcp server statistics BootfileMode Dhcp Pool Config Clear ip dhcp binding Client-name Clear ip dhcp conflictClient-identifier Domain-name Default-routerDns-server Prefix-length is an integer from 0 to Hardware-addressHost From 0 to 255. IP address 0.0.0.0 is invalid Ip dhcp excluded-address Ip dhcp bootp automaticIp dhcp conflict logging Lease Ip dhcp ping packetsIp dhcp pool Network Netbios-name-serverNetbios-node-type Option Next-server No option code Service dhcpService dhcp Show ip dhcp binding Show ip dhcp pool configuration name all Show ip dhcp global configurationShow ip dhcp pool configuration Show ip dhcp global configuration Specified, all the conflicting addresses are displayed This command displays Dhcp server statisticsShow ip dhcp server statistics Show ip dhcp conflict Sntp broadcast client poll-interval poll-interval Where poll-interval can be a value from 6 toSftos Command Reference for the S2410, Version 215 Sntp broadcast client poll-interval Processed Sntp client modeThis command sets the Sntp client port ID to a value from Sntp client port Sntp unicast client poll-retry Sntp unicast client poll-timeoutSntp unicast client poll-interval Sntp servers This command is used to display Sntp settings and statusSntp server Show sntp Show sntp client This command is used to display Sntp client settingsSftos Command Reference for the S2410, Version 219 Show sntp client Show sntp server For each configured server220 Sntp Commands Show sntp server Vman Sftos Command Reference for the S2410, Version 221Dvlan-tunnel ethertype Dvlan-tunnel ethertype 802.1Q vman custom Interface Config Mode dot1q-tunnelMode dvlan-tunnel Interface. By default, Double Vlan Tunneling is disabled Show dot1q-tunnel interface unit/slot/port all Sftos Command Reference for the S2410, Version 223Show dot1q-tunnel Show dvlan-tunnel interface unit/slot/port all 224 VLAN-Stack CommandsShow dvlan-tunnel Show dvlan-tunnel Sftos Command Reference for the S2410, Version 225 Set garp timer joinGarp Commands Commands in this sections are Syntax set garp timer leave Set garp timer leaveSet garp timer leave Set garp timer join No set garp timer join Show garp Set garp timer leaveallSyntax set garp timer leaveall Show garp This command enables Gvrp globally Gvrp adminmode enableGvrp interfacemode enable Garp Vlan Registration Protocol Gvrp Commands Set gvrp interfacemode Gvrp interfacemode enable allSet gvrp adminmode Show gvrp configuration 230 GARP, GVRP, and Gmrp Commands Show gvrp configuration Syntax gmrp adminmode enable Gmrp adminmodeGarp Multicast Registration Protocol Gmrp Commands Gmrp adminmode Gmrp interfacemode enable all Set gmrp adminmodeGmrp interfacemode enable all Changed to gmrp adminmode One or all interfaces Show gmrp configurationSet gmrp interfacemode Set gmrp interfacemode all Show mac-address-table gmrp 234 GARP, GVRP, and Gmrp CommandsShow mac-address-table gmrp Multicast Forwarding Database Mfdb table Sftos Command Reference for the S2410, Version 235 Igmp Snooping Commands Revised from set igmp. Added Interface Vlan mode Igmp enable interfaceIgmp enable global Disabled Interface Config Interface Vlan To 3600 seconds Igmp fast-leave interfaceIgmp groupmembership-interval interface Entry 238 Igmp Snooping Commands Igmp interfacemode enable allIgmp interfacemode enable all No igmp interfacemode enable all No igmp mcrtexpiretime Mode and Interface Vlan modeIgmp mcrtexpiretime interface Igmp maxresponse No igmp mrouter vlanId Igmp mrouter interface enableNo igmp mrouter interface enable Igmp mrouter interface Set igmp groupmembership-interval global Set igmp interfaceSet igmp system Set igmp fast-leave Set igmp interfacemode all Version 2.3 Revised to igmp mrouter interface enable242 Igmp Snooping Commands Set igmp groupmembership-interval interface Set igmp maxresponse global Sftos Command Reference for the S2410, Version 243Set igmp maxresponse global Set igmp maxresponse interface Set igmp mcrtexpiretime global 244 Igmp Snooping CommandsSet igmp mcrtexpiretime global Set igmp mcrtexpiretime interface Show igmpsnooping unit/slot/port Unit/slot/port Set igmp mrouterShow igmpsnooping Revised to igmp mrouter Vlan Show igmpsnooping fast-leaveShow igmpsnooping mrouter interface Show igmpsnooping mrouter interface unit/slot/port vlan Syntax show mac-address-table igmpsnooping Sftos Command Reference for the S2410, Version 247Show mac-address-table igmpsnooping Show mac-address-table igmpsnoopingPage Addport Sftos Command Reference for the S2410, Version 249 Addport unit/slot/port Deleteport interface configDeleteport interface config 250 LAG/Port Channel Commands No port-channel name Deleteport global configPort-channel Deleteport unit/slot/port all Port-channel linktrap Port-channel enable all globalPort-channel enable interface Port-channel staticcapability This command renames a LAG port channel or all LAGsAll configured LAGs Port-channel name Port lacpmode Port lacpmode enable allPort lacptimeout global Show port-channel brief Port lacptimeout interfaceInterface Config Interface Range Show port-channel Lagid all Show port-channelFor each LAG, the following information is displayed Syntax show port-channel brief Show port-channel summary Sftos Command Reference for the S2410, Version 257Show port-channel summary Port channel/LAG Summary Shutdown This command disables the selected LAG port channelNo version of this command enables the selected LAG 258 LAG/Port Channel Commands Sftos Command Reference for the S2410, Version 259 Show spanning-tree 260 Spanning Tree STP CommandsShow spanning-tree Are displayed Show spanning-tree interface unit/slot/port Following details are displayed on execution of the commandShow spanning-tree interface Show spanning-tree mst detailed 262 Spanning Tree STP CommandsShow spanning-tree mst detailed Show spanning-tree mst port detailed Show spanning-tree mst port detailed Sftos Command Reference for the S2410, Version 263 For each Mstid Switch. On execution, the following details are displayedShow spanning-tree mst port summary Show spanning-tree mst summary Spanning-tree Details are displayed on execution of the commandShow spanning-tree summary Show spanning-tree vlan Spanning-tree bpdumigrationcheck Spanning-tree configuration nameSpanning-tree configuration revision No spanning-tree configuration name name Words Spanning-tree configuration revisionSpanning-tree edgeport Spanning-tree forceversion Value being greater than or equal to Bridge Max Age / 2 + Internal spanning tree to the default value, in other wordsSpanning-tree forward-time Spanning-tree hello-time Syntax spanning-tree max-age No spanning-tree max-age Spanning-tree max-ageSpanning-tree max-hops Spanning-tree mst No spanning-tree mst Cost auto external-cost auto port-priorty Interface Config270 Spanning Tree STP Commands No spanning-tree mst Multiple spanning tree instance to be removed Spanning-tree mst instanceSpanning-tree mst priority Maximum number of multiple instances supported by Sftos is No spanning-tree mst vlan mstid vlanid Spanning-tree port mode enableSpanning-tree mst vlan Spanning-tree mst vlan mstid vlanid No spanning-tree port mode enable all Spanning-tree port mode enable allSpanning-tree port mode enable all No spanning-tree port mode enablePage Sftos Command Reference for the S2410, Version 275 Class of Service CoS Commands Userpriority range is Classofservice dot1p-mappingNo form of this command is not supported Classofservice dot1p-mapping userpriority trafficclass Syntax no cos-queue max-bandwidth bw-0…bw-3 Classofservice trustClassofservice trust dot1p Cos-queue max-bandwidth Operation for the specified queues Cos-queue min-bandwidthCos-queue random-detect Up to four in the S2410 Four in the S2410 Random-detect exponential-weighting-constantRandom-detect exponential-weighting-constant commands Cos-queue strict Queue-id-1 queue-id-2 280 Quality of Service QoS CommandsRandom-detect queue-parms Random-detect queue-parms For a specific interface Show classofservice dot1p-mappingShow classofservice trust System-wide port trust mode used for all interfaces Report Fields Non-IP Traffic Settings are displayedShow interfaces cos-queue Show interfaces random-detect Syntax show interfaces random-detect slot/port Sftos Command Reference for the S2410, Version 283Show interfaces tail-drop-threshold Show interfaces tail-drop-threshold Tail-drop queue-parms Global Config and Interface Config284 Quality of Service QoS Commands Tail-drop queue-parms Traffic-shape Classofservice dot1pmappingDifferentiated Services DiffServ Commands Provisioning Ieee 802.1p Commands Vlan priority Show classofservice dot1pmappingConfiguration will override this configuration setting Vlan port priority all Sftos Command Reference for the S2410, Version 287 This chapter covers the following commands Vlan eq Ibmsna, ipv4, ipv6, ipx, mplsmcast, mplsucast, netbiosDenypermit Any bpdu Redirect Secondary-vlanSecondary-cos Assign-queue Access-list extended command Mac access-list extendedMac Access List Config Mac access-list extended name Newname Mac access-list extended renameMac access-list extended rename name newname Sftos Command Reference for the S2410, Version 291 Show mac access-lists name Mac access-groupShow mac access-lists Mac access-group name 1-4294967295in Sftos Command Reference for the S2410, Version 293 Show mac access-lists Show mac access-lists 294 ACL Commands Index Sftos Command Reference for the S2410, Version 295 296 Index Copy 37-38 Html Http Sftos Command Reference for the S2410, Version 297 298 Index PDUs 225 Sftos Command Reference for the S2410, Version 299 300 Index Show inventory 114-116, 119, 169, 227, 229 Show sysinfo 83, 222 Sftos Command Reference for the S2410, Version 301 302 Index 75-77 Gvrp IDs 134 Sftos Command Reference for the S2410, Version 303 304 Index