Access Control Lists | SMC Networks SMC8150L2 instruction

Access Control Lists 3

CLI – This example displays the 802.1X statistics for port 4.

Console#show dot1x statistics interface ethernet 1/4						4-86
Eth 1/4	EAPOL	EAPOL	EAPOL	EAP	EAP	EAP
Rx: EAPOL	EAPOL	EAPOL	EAPOL	EAP	EAP	EAP
Start	Logoff	Invalid	Total	Resp/Id	Resp/Oth LenError
2	0	0	1007	672	0	0
Last	Last
EAPOLVer	EAPOLSrc
1	00-12-CF-94-34-DE
Tx: EAPOL	EAP	EAP
Total	Req/Id	Req/Oth
2017	1005	0
Console#

Access Control Lists

Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, and then bind the list to a specific port.

Configuring Access Control Lists

An ACL is a sequential list of permit or deny conditions that apply to IP addresses, MAC addresses, or other more specific criteria. This switch tests ingress or egress packets against the conditions in an ACL one by one. A packet will be accepted as soon as it matches a permit rule, or dropped as soon as it matches a deny rule. If no rules match for a list of all permit rules, the packet is dropped; and if no rules match for a list of all deny rules, the packet is accepted.

Command Usage

The following restrictions apply to ACLs:

•Each ACL can have up to 32 rules.

•The maximum number of ACLs is also 32.

•The maximum number of rules that can be bound to the ports is 96 for each of the following list types: MAC ACLs, IP ACLs (including Standard and Extended ACLs).

•When an ACL is bound to an interface as an egress filter, all entries in the ACL must be deny rules. Otherwise, the bind operation will fail.

•The switch does not support the explicit “deny any any” rule for the egress IP ACL. If these rules are included in ACL, and you attempt to bind the ACL to an interface for egress checking, the bind operation will fail.

The order in which active ACLs are checked is as follows:

1.User-defined rules in the Egress IP ACL for egress ports.

2.User-defined rules in the Ingress IP ACL for ingress ports.

3-67

Image 111

SMC Networks SMC8150L2 Configuring Access Control Lists, CLI This example displays the 802.1X statistics for port

Contents

Management Guide Page TigerSwitch 10/100/1000 Management Guide Page Contents Page Iii Page Command Line Interface Page Vii Viii Contents Page Contents Xii Xiii Appendix a Software SpecificationsAppendix B Troubleshooting Glossary Index Xiv Tables Xvi Xvii Xviii Xix Figures Figures Xxi Xxii Key Features Key FeaturesFeature Description Introduction Description of Software Features Description of Software Features Introduction Description of Software Features System Defaults System DefaultsFunction Parameter Default Client Enabled System Defaults Function Parameter Sntp Configuration Options Connecting to the Switch Required Connections Initial Configuration Basic Configuration Remote ConnectionsConsole Connection Setting Passwords Setting an IP AddressManual Configuration Dynamic Configuration Enabling Snmp Management Access Trap Receivers Configuring Access for Snmp Version 3 Clients Saving Configuration Settings Managing System Files Initial Configuration Using the Web Interface Configuring the Switch Home Navigating the Web Browser Interface Revert Apply Help Configuration Options ActionPanel Display Button Main Menu Main Menu DescriptionSystem System Information ACL Configuration Allows ports to dynamically join trunks 116 STA 131 Class-of-service value122 Current Table 152 Query Igmp Filter ConfigurationConfiguration Settings Igmp Filter/Throttling Trunk Configuration Settings 185 Dhcp Snooping 186 Configuration183 Cache Field Attributes Displaying System Information Management Software Displaying Switch Hardware/Software VersionsCLI Specify the hostname, location and contact information Main Board Switch Information Web Click System, Switch Information Displaying Bridge Extension Capabilities Bridge Extension Configuration Setting the Switch’s IP Address CLI Enter the following commandCommand Attributes Manual IP Configuration Dhcp IP Configuration Using DHCP/BOOTP Managing Firmware Enabling Jumbo Frames Copy Firmware Downloading System Software from a Server 11 Deleting Files Saving or Restoring Configuration Settings 12 Downloading Configuration Settings for Startup Downloading Configuration Settings from a Server 13 Setting the Startup Configuration Settings Console Port Settings 14 Console Port Settings Telnet Settings 15 Enabling Telnet Displaying Log Messages Configuring Event Logging Logging Levels System Log ConfigurationError resource exhausted CLI This example shows the event message stored in RAM 17 System Logs Remote Log Configuration 18 Remote Logs Simple Mail Transfer Protocol 19 Enabling and Configuring Smtp Renumbering the System Resetting the System Configuring Sntp Setting the System Clock 23 Setting the System Clock Setting the Time Zone Setting Community Access Strings Access ModeSimple Network Management Protocol Specifying Trap Managers and Trap Types 24 Configuring Snmp Community Strings Enabling Snmp Agent Status 25 Configuring IP Trap Managers Configuring SNMPv3 Management Access Setting the Local Engine IDCLI This example sets an SNMPv3 engine ID Configuring SNMPv3 Users Specifying a Remote Engine IDCLI This example specifies a remote SNMPv3 engine ID Configuring the Switch 29 Configuring SNMPv3 Users 30 Configuring Remote SNMPv3 Users Configuring Remote SNMPv3 Users Subsequent to its election Configuring SNMPv3 GroupsTopology Change Timer immediately Supported Notification Messages Rmon Events SNMPv2 Traps ChangeTrap SwIpFilterRejectTrap 6.1.4.1.202.20.68.2.1.0.1 Private Traps SwPowerStatus 6.1.4.1.202.20.68.2.1.0.1PD Powered Device. This notification is Mode PethPsePortPower 6.1.4.1.202.20.68.2.1.0.1 31 Configuring SNMPv3 Groups 32 Configuring SNMPv3 Views Setting SNMPv3 Views Configuring User Accounts User Authentication 33 Access Levels Command Usage Configuring Local/Remote Logon Authentication Tacacs Settings Radius Settings 34 Authentication Settings User Authentication Https System Support Web Browser Operating System Configuring Https Replacing the Default Secure-site Certificate Configuring the Secure Shell User Authentication SSH server includes basic settings for authentication Configuring the SSH Server Generating the Host Key Pair 37 SSH Host-Key Settings Configuring Port Security 38 Configuring Port Security Configuring 802.1X Port Authentication 802.1X protocol provides client authentication Displaying 802.1X Global Settings Web Click Security, 802.1X, Information Configuring 802.1X Global SettingsCLI This example shows the default global setting for CLI This example enables 802.1X globally for the switch Authorized Configuring Port Settings for 41 802.1X Port Configuration Consoleconfig#interface ethernet 1/2 Displaying 802.1X Statistics 802.1X StatisticsParameter Description Access Control Lists Configuring Access Control ListsCLI This example displays the 802.1X statistics for port CLI This example creates a standard IP ACL named david Setting the ACL Name and Type Configuring an Extended IP ACL Configuring a Standard IP ACL Configuring the Switch 45 Configuring Extended IP ACLs Configuring a MAC ACL This switch supports ACLs for ingress filtering only Binding a Port to an Access Control List 47 Configuring ACL Port Binding Filtering IP Addresses for Management Access 48 Creating an IP Filter List Field Attributes Web Port ConfigurationCLI This example allows Snmp access for a specific client Displaying Connection Status Configuration Web Click Port, Port Information or Trunk InformationBasic Information Current Status Configuring Interface Connections 50 Port/Trunk Configuration Creating Trunk Groups 51 Configuring Static Trunks Statically Configuring a Trunk 131 Enabling Lacp on Selected Ports 52 Lacp Trunk Configuration Dynamically Creating a Port Channel Configuring Lacp Parameters 53 Lacp Port Configuration Field Description Displaying Lacp Port CountersYou can display statistics for Lacp protocol messages Lacp Port Counters CLI The following example displays Lacp counters 54 Lacp Port Counters Information Lacp Internal Configuration Information Displaying Lacp Settings and Status for the Local Side 55 Lacp Port Internal Information Lacp Neighbor Configuration Information Field Description Displaying Lacp Settings and Status for the Remote Side Setting Broadcast Storm Thresholds 57 Port Broadcast Control 58 Mirror Port Configuration Configuring Port Mirroring Rate Limit Configuration Configuring Rate Limits Showing Port Statistics Etherlike Statistics 10 Port Statistics Formed Oversize Frames Or alignment error Received BytesRmon Statistics Drop Events Resources Jabbers 60 Port Statistics Address Table Settings Setting Static AddressesCLI This example shows statistics for port Displaying the Address Table 61 Configuring a Static Address Table 62 Configuring a Dynamic Address Table Spanning Tree Algorithm Configuration Changing the Aging TimeCLI This example sets the aging time to 300 seconds Spanning Tree Algorithm Configuration 104 Displaying Global Settings 64 Displaying Spanning Tree Information Global settings apply to the entire switch Configuring Global Settings Root Device Configuration Basic Configuration of Global Settings Configuration Settings for Mstp Configuration Settings for Rstp 65 Configuring Spanning Tree Displaying Interface Settings 112 CLI This example shows the STA attributes for port 66 Displaying Spanning Tree Port Information Configuring Interface Settings CLI This example sets STA attributes for port 67 Configuring Spanning Tree per Port Configuring Multiple Spanning Trees 68 Configuring Multiple Spanning Trees MST Instance ID Instance identifier to configure. Default Displaying Interface Settings for Mstp 69 Displaying Mstp Interface Settings Configuring Interface Settings for Mstp 121 Vlan Configuration Ieee 802.1Q VLANsCLI This example sets the Mstp attributes for port Assigning Ports to VLANs 124 Enabling or Disabling Gvrp Global Setting CLI This example enables Gvrp for the switchForwarding Tagged/Untagged Frames Command Attributes Web Displaying Basic Vlan InformationDisplaying Current VLANs 73 Displaying Current VLANs Command Attributes CLI 175 Creating VLANs CLI This example creates a new Vlan Adding Static Members to VLANs Vlan Index 130 Adding Static Members to VLANs Port Index 75 Configuring a Vlan Static Table Configuring Vlan Behavior for Interfaces 77 Configuring VLANs per Port Configuring Ieee 802.1Q Tunneling Layer 2 Flow for Packets Coming into a Tunnel Access Port Layer 2 Flow for Packets Coming into a Tunnel Uplink Port General Configuration Guidelines for QinQ Configuration Limitations for QinQ 78 802.1Q Tunnel Status Enabling QinQ Tunneling on the Switch Adding an Interface to a QinQ Tunnel CLI This example sets the switch to operate in QinQ mode 79 Tunnel Port Configuration 45-1 Configuring Private VLANs CLI This example enables private VLANsEnabling Private VLANs Configuring Uplink and Downlink Ports Protocol Vlan Group ConfigurationProtocol VLANs 82 Protocol Vlan Configuration Configuring Protocol Vlan Interfaces Class of Service Configuration Layer 2 Queue SettingsSetting the Default Priority for Interfaces 11 Mapping CoS Values to Egress Queues Port Priority ConfigurationCLI This example assigns a default priority of 5 to port Mapping CoS Values to Egress Queues Spare 12 CoS Priority LevelsPriority Level Traffic Type Background Enabling CoS Selecting the Queue Mode 87 Queue Mode Setting the Service Weight for Traffic Classes Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS ValuesSelecting IP Precedence/DSCP Priority 13 Mapping IP Precedence Mapping IP Precedence 90 Mapping IP Precedence Priority Values 10, 12, 14 18, 20, 22 26, 28, 30, 32, 34 38, 40 Mapping Dscp Priority14 Mapping Dscp Priority Values IP Dscp Value CoS Value 92 IP Port Priority Status Mapping IP Port Priority 93 IP Port Priority Quality of Service Configuring Quality of Service Parameters Configuring a Class MapClass map is used for matching packets to a specified class Class Configuration Match Class SettingsClass Map 94 Configuring Class Maps Policy Configuration Creating QoS PoliciesPolicy Map Policy Options Policy Rule Settings Class Settings 95 Configuring Policy Maps Attaching a Policy Map to Ingress Queues 96 Service Policy Settings Layer 2 Igmp Snooping and Query Multicast Filtering Configuring Igmp Snooping and Query Parameters Enabling Igmp Immediate Leave 97 Igmp Configuration 98 Igmp Immediate Leave Displaying Interfaces Attached to a Multicast Router 99 Displaying Multicast Router Port Information Specifying Static Interfaces for a Multicast Router 100 Static Multicast Router Port Configuration Displaying Port Members of Multicast Services 101 IP Multicast Registration Table Assigning Ports to Multicast Services 102 Igmp Member Port Table Igmp Filtering and Throttling 103 Enabling Igmp Filtering and Throttling Enabling Igmp Filtering and Throttling Configuring Igmp Filtering and Throttling for Interfaces 104 Igmp Filter and Throttling Port Configuration Configuring Igmp Filter Profiles 105 Igmp Profile Configuration Multicast Vlan Registration General Configuration Guidelines for MVR Configuring Global MVR Settings Displaying MVR Interface Status 106 MVR Global Configuration 107 MVR Port Information Web Click MVR, Port or Trunk Information 108 MVR Group IP Information Displaying Port Members of Multicast Groups MVR Vlan Configuring MVR Interface Status Assigning Static Multicast Groups to Interfaces Web Click MVR, Port or Trunk Configuration Configuring General DNS Service Parameters Configuring Domain Name Service 111 DNS General Configuration 238 Configuring Static DNS Host to Address Entries 112 DNS Static Host Table 113 DNS Cache Displaying the DNS Cache Dhcp Snooping Web Click Dhcp Snooping, Configuration Dhcp Snooping Configuration CLI This example first enables Dhcp Snooping for Vlan Dhcp Snooping Vlan ConfigurationDhcp Snooping Information Option Configuration Enables Dhcp snooping on the specified Vlan Trust Status Enables or disables port as trusted Dhcp Snooping Port Configuration Dhcp Snooping Binding Information 117 Dhcp Snooping Port Configuration IP Source Guard Port Configuration IP Source GuardWeb Click Dhcp Snooping, Dhcp Snooping Binding Information 119 IP Source Guard Port Configuration Static IP Source Guard Binding Configuration Dynamic IP Source Guard Binding Information 120 Static IP Source Guard Binding Configuration Web Click IP Source Guard, Dynamic Information Switch Clustering 122 Cluster Member Choice Cluster Configuration Cluster Member Configuration Web Click Cluster, ConfigurationAdds Candidate switches to the cluster as Members Web Click Cluster, Member Configuration Displays current cluster Member switch informationCluster Member Information 126 Cluster Candidate Information Cluster Candidate Information Accessing the CLI Using the Command Line Interface Telnet Connection Keywords and Arguments Entering CommandsCommand Completion Getting Help on Commands Showing Commands Partial Keyword Lookup Negating the Effect of CommandsUsing Command History Understanding Command Modes Command Modes Exec Commands Configuration Commands Configuration Modes Command PromptConsoleconfig-if# 120 Command Line Processing Command Line ProcessingKeystroke Function Command Groups Description Command Groups Line Commands Function Mode Line Commands Line Login No password is specified PasswordUsername 4-25 password Syntax Password 0 7 password no password Exec-timeout Timeout login response Password-thresh Syntax Exec-timeout seconds no exec-timeoutSyntax Password-thresh threshold no password-thresh Silent-time DatabitsSyntax Silent-time seconds no silent-time Parity Syntax Databits 7 8 no databitsSyntax Parity none even odd no parity Syntax Stopbits 1 SpeedStopbits Syntax Speed bps no speed Syntax Show line console vty DisconnectShow line Syntax Disconnect session-id General Commands Function Mode General CommandsEnable To show all lines, enter this command Level DisableDisable Enable password Enable Show history Configure End Reload Quit This command exits the configuration programThis example shows how to quit a CLI session Exit System Management Commands Device Designation CommandsPrompt Username User Access CommandsUser Access Commands Function Mode Hostname Enable password 10 Default Login Settings Username Access-level PasswordGuest Admin IP Filter Commands 11 IP Filter Commands Function ModeManagement All addresses Show management Ip http port Web Server Commands12 Web Server Commands Function Mode Default Setting Command Mode Ip http secure-server Syntax No ip http server Default SettingSyntax No ip http secure-server Default Setting Ip http server Portnumber The UDP port used for HTTPS. Range Ip http secure-port13 Https System Support Web Browser Operating System Ip http secure-port4-31 Copy tftp https-certificate Ip http secure-server4-30 Telnet Server Commands14 Telnet Server Commands Function Mode Ip telnet port Ip telnet server Secure Shell CommandsSyntax No ip telnet server Default Setting 15 SSH Commands Function Mode Copy tftp public-key Ip ssh server Syntax No ip ssh server Default Setting Ip ssh crypto host-key generate 4-38 show ssh Ip ssh timeoutSyntax Ip ssh timeout seconds no ip ssh timeout Exec-timeout4-13 show ip ssh Bits Ip ssh authentication-retriesIp ssh server-key size Key-size- The size of server key. Range 512-896 bits Syntax Ip ssh crypto host-key generate dsa rsa Delete public-keyIp ssh crypto host-key generate Syntax Delete public-key username dsa rsa Syntax Ip ssh save host-key dsa rsa Ip ssh crypto zeroizeIp ssh save host-key Syntax Ip ssh crypto zeroize dsa rsa Ip ssh crypto host-key generate This command displays the current SSH server connectionsShow ip ssh Show ssh Show public-key TerminologySyntax Show public-key user username host Console#show public-key host Host Logging on Event Logging Commands17 Event Logging Commands Function Mode Syntax No logging on Default Setting Flash errors level 3 RAM warnings level 6 Logging history18 Logging Levels Hostipaddress The IP address of a syslog server Logging hostLogging facility Syntax No logging host hostipaddress Syntax Clear logging flash ram Logging trapClear logging Syntax Logging trap level no logging trap Show logging Syntax Show logging flash ram sendmail trap19 show logging flash/ram display description Show log Facility commandLogging trap command Syntax Show log flash ram login tail Following example shows sample messages stored in RAM Smtp Alert Commands21 Smtp Alert Commands Function Mode Logging sendmail host Syntax Logging sendmail level level Logging sendmail level This example will set the source email john@acme.com Logging sendmail source-emailLogging sendmail destination-email Syntax No logging sendmail source-email email-address Syntax No logging sendmail Default Setting Logging sendmailShow logging sendmail Sntp client Time Commands22 Time Commands Function Mode Syntax No sntp client Default Setting Sntp client 4-53 sntp poll 4-55 show sntp Sntp serverSntp server 4-54 sntp poll 4-55 show sntp Syntax Sntp server ip1 ip2 ip3 Sntp client Sntp pollShow sntp Syntax Sntp poll seconds no sntp poll Calendar set hour min sec day month year month day year Clock timezoneCalendar set Syntax 23 System Status Commands Function Mode System Status CommandsShow startup-config This command displays the system clock Command Line Interface Show running-config4-59 Show running-config Show startup-config4-57 This command displays system information Show systemShow users Show version Syntax No jumbo frame Default Setting Frame Size Commands24 Frame Size Commands Function Mode Jumbo frame Enables support for jumbo frames Copy Flash/File Commands25 Flash/File Commands Function Mode Copy Flash/File Commands Following example shows how to download a configuration file Dir Delete public-key4-38 This command deletes a file or imageDelete Delete unit filename Column Heading Description Syntax Dir unit boot-rom config opcode filenameDir 26 File Directory Information Syntax Boot system unit boot-romconfig opcode filename WhichbootBoot system Syntax whichboot unit 27 Authentication Commands Command Group Function Authentication CommandsAuthentication Sequence Dir 4-68 whichboot Authentication login Username for setting the local user names and passwordsLocal Authentication enable 29 Radius Client Commands Function Mode Show radius-server Shows the current Radius settingsRadius Client Radius-server port Default Setting Auth-portRetransmit Command Mode Radius-server host Radius-server key Radius-server retransmitSyntax Radius-server key keystring no radius-server key Show radius-server Radius-server timeout Tacacs-server port 30 Tacacs Commands Function ModeTACACS+ Client Tacacs-server host Tacacs-server key Show tacacs-serverSyntax Tacacs-server key keystring no tacacs-server key Interface Configuration Ethernet Port Security Commands31 Port Security Commands Function Mode Status Disabled Action None Maximum Addresses Command Usage Dot1x system-auth-control 802.1X Port Authentication32 802.1X Port Authentication Command Function Mode Syntax No dotx system-auth-control Default Setting Dot1x port-control Dot1x defaultDefault Command Mode Dot1x max-req Dot1x operation-mode Force-authorizedSingle-host Dot1x re-authenticate Dot1x re-authenticationDot1x timeout quiet-period Dot1x timeout tx-period Dot1x timeout re-authperiod Show dot1x Syntax Show dot1x statistics interface interfaceStatistics Displays dot1x status for each port Backend State Machine Authenticator State MachineReauthentication State Machine State Current state including initialize, reauthenticate Command Line Interface Access Control List Commands Access Control Lists33 Access Control Lists Command Groups Function IP ACLs Access-list ip34 IP ACLs Command Function Mode Syntax No access-list ip standard extended aclname Standard ACL Permit, deny Ip access-group4-93 show ip access-list4-93Access-list ip Syntax No permit deny any source bitmask host source Any destination address-bitmask host destination Source-port sport end destination-port dport endExtended ACL Syntax No ip access-group aclname Show ip access-listIp access-group Syntax Show ip access-list standard extended aclname Show ip access-group Show ip access-list4-93This command shows the ports assigned to IP ACLs Permit, deny Mac access-group4-98 show mac access-list4-97 Access-list mac35 MAC ACL Commands Function Mode Syntax No access-list mac aclname Permit, deny MAC ACL Permit, deny Mac access-group4-98 Show mac access-listThis command displays the rules for configured MAC ACLs Syntax Show mac access-list aclname Show mac access-list4-97 Mac access-groupShow mac access-group Syntax Mac access-group aclname ACL Information Show access-listShow access-group 36 ACL Information Command Function Mode 37 Snmp Commands Function Mode Snmp Commands Syntax No snmp-server Default Setting Snmp-serverShow snmp Snmp-server community Syntax Snmp-server location text no snmp-server location Snmp-server contactSnmp-server location Syntax Snmp-server contact string no snmp-server contact Host Address None Notification Type Traps Snmp-server host Snmp Version UDP Port Snmp-server enable traps Snmp-server enable trapsIssue authentication and link-up-down traps Snmp-server engine-id This command shows the Snmp engine ID This example shows the default engine IDShow snmp engine-id This view includes MIB-2 Defaultview includes access to the entire MIB treeSnmp-server view Examples 39 show snmp view display description This command shows information on the Snmp viewsShow snmp view Snmp-server group Consoleconfig#snmp-server group r&d v3 auth write daily Show snmp group 40 show snmp group display description Snmp-server user 114 This command shows information on Snmp users Show snmp user41 show snmp user display description Port-channel channel-idRange Interface Commands42 Interface Commands Function Mode Interface Description Speed-duplexSyntax Description string no description Syntax No negotiation Default Setting NegotiationNegotiation 4-118 capabilities Following example configures port 11 to use autonegotiation CapabilitiesCapabilities 4-119speed-duplex4-117 Syntax No flowcontrol Default Setting FlowcontrolNegotiation 4-118speed-duplex4-117 flowcontrol Shutdown Syntax No shutdown Default Setting Syntax Clear counters interface Switchport broadcast packet-ratePort-channel channel-idRange Default Setting Clear counters Syntax Show interfaces status interface This command displays the status for an interfaceShow interfaces status Following example clears statistics on port Shows the counters for all interfaces This command displays interface statisticsShow interfaces counters Syntax Show interfaces counters interface Show interfaces switchport Syntax Show interfaces switchport interfaceShows all interfaces 43 Interfaces Switchport Statistics Interface ethernet unit/port source port Mirror Port Commands44 Mirror Port Commands Function Mode Port monitor Syntax Show port monitor interface This command displays mirror informationFollowing shows mirroring configured from port 6 to port Show port monitor Rate Limit Commands Rate-limitGigabit Ethernet 1000 Mbps 123 Link Aggregation Commands46 Link Aggregation Commands 135 Dynamically Creating a Port Channel Channel-groupGuidelines for Creating Trunks General Guidelines Syntax No lacp Default Setting LacpFollowing example creates trunk 1 and then adds port 32768 Lacp system-priority Lacp admin-keyEthernet Interface Interface Configuration Port Channel Lacp admin-key Port Channel This command displays Lacp information Lacp port-priorityShow lacp LACPDUs Illegal Pkts Port Channel all47 show lacp counters display description Type 48 show lacp internal display description 50 show lacp sysid display description 49 show lacp neighbors display description Action Address Table Commands51 Address Table Commands Function Mode Mac-address-table static Clear mac-address-table dynamic Show mac-address-tableMac-address- MAC address Mask Bits to match in the address Sort Sort by address, vlan or interface Mac-address-table aging-time Show mac-address-table aging-time 52 Spanning Tree Commands Function Mode Spanning Tree Commands Spanning-tree Spanning-tree modeSyntax No spanning-tree Default Setting Spanning tree is enabled Spanning-tree forward-time Spanning-tree hello-time Spanning-tree priority Spanning-tree max-age Long method Spanning-tree pathcost method Count The transmission limit in seconds. Range Spanning-tree mst-configurationThis command limits the maximum transmission rate for BPDUs Spanning-tree transmission-limit No mst instanceid vlan vlan-range MST ConfigurationMst vlan Mst priority Name Name of the spanning tree Switch’s MAC addressName Syntax Name name Max-hopshop-number RevisionMax-hops Syntax Revision number Spanning-tree cost Spanning-tree spanning-disabledSyntax No spanning-tree spanning-disabled Default Setting This example disables the spanning tree algorithm for port Priority The priority for a port. Range 0-240, in steps Spanning-tree port-priority Spanning-tree portfast Syntax No spanning-tree edge-port Default SettingSyntax No spanning-tree portfast Default Setting Spanning-tree edge-port Spanning-tree link-type Spanning-treeedge-port4-156Auto Spanning-tree mst cost Spanning-tree mst port-priority4-159 Spanning-tree mst port-priority Syntax Spanning-tree protocol-migration interface Port-channel channel-idRange Command ModeSpanning-tree protocol-migration Show spanning-tree Mstp Show spanning-tree mst configuration 54 Gvrp and Bridge Extension Commands Function Mode Vlan CommandsGvrp and Bridge Extension Commands 53 VLANs Command Groups Function Syntax No bridge-ext gvrp Default Setting Bridge-ext gvrpShow bridge-ext Syntax Show gvrp configuration interface Switchport gvrpShow gvrp configuration Syntax No switchport gvrp Default Setting Show garp timer Garp timer Vlan database Syntax Show garp timer interface55 Editing Vlan Groups Command Function Mode Editing Vlan Groups Show vlan By default only Vlan 1 exists and is activeVlan Database Configuration Vlan Interface vlan Configuring Vlan Interfaces56 Configuring Vlan Interfaces Command Function Mode Interface vlan Switchport mode All ports are in hybrid mode with the Pvid set to VlanSwitchport acceptable-frame-types4-171 All frame types Switchport acceptable-frame-typesSwitchport ingress-filtering Switchport mode Switchport native vlan Switchport allowed vlan No VLANs are included in the forbidden list Switchport forbidden vlan 57 Show Vlan Commands Function Mode Displaying Vlan InformationShow vlan Dot1q-tunnel system-tunnel-control Configuring Ieee 802.1Q Tunneling58 Ieee 802.1Q Tunneling Commands Function Mode General Configuration Guidelines for QinQ Show dot1q-tunnel4-178 Show interfaces switchport Switchport dot1q-tunnel mode Show dot1q-tunnel Switchport dot1q-tunnel tpidRelated Commands This command displays information about QinQ tunnel ports Switchport dot1q-tunnel mode 59 Private Vlan Commands Function ModePvlan This command displays the configured private Vlan Show pvlanNo private VLANs are defined Configuring Protocol-based VLANs Protocol-vlan protocol-group Configuring Groups60 Protocol-based Vlan Commands Function Mode Protocol-vlan protocol-group Configuring Interfaces No protocol groups are configuredNo protocol groups are mapped for any interface Show protocol-vlan protocol-group Show interfaces protocol-vlan protocol-groupSyntax Show protocol-vlan protocol-group group-id 62 Priority Commands Layer Function Mode Priority CommandsPriority Commands Layer 61 Priority Commands Command Groups Function Queue mode Switchport priority defaultSyntax Queue mode strict wrr no queue mode Queue bandwidth weight1...weight4 no queue bandwidth Weights 1, 2, 4, 8 are assigned to queues 0-3 respectivelyQueue bandwidth 63 Default CoS Values to Egress Queues Queue cos-mapQueue cos-mapqueueid cos1 ... cosn no queue cos-map Show queue bandwidth Show queue modeFollowing example shows how to change the CoS assignments This command shows the current queue mode Show queue cos-map Priority Commands Layer 3This command shows the class of service priority map 64 Priority Commands Layer 3 Function Mode Syntax No map ip dscp Default Setting Map ip dscp dscp-value cos cos-value no map ip dscp65 IP Dscp to CoS Vales IP Dscp Value CoS Value This command shows the IP Dscp priority map Show map ip dscpSyntax Show map ip dscp interface Quality of Service Commands 66 Quality of Service Commands Function Mode 198 Service-policy199 Input of a particular interface Show class-map Show class map Class-mapMatch Syntax No class-map class-map-namematch-any Class Map Configuration Policy-mapNo policy-mappolicy-map-name Policy Map Configuration ClassNo class class-map-name Set Policy Map Class Configuration Police Syntax No police rate-kbpsburst-byteexceed-action drop setDrop out-of-profile packets Syntax Show class-map class-map-name Service-policySyntax No service-policy input policy-map-name Show class-map Displays all policy maps and all classes Show policy-mapShow policy-map interface Show policy-mappolicy-map-name class class-map-name 68 Igmp Snooping Commands Function Mode Multicast Filtering CommandsIgmp Snooping Commands 67 Multicast Filtering Commands Command Groups Function Ip igmp snooping vlan static Syntax No ip igmp snooping Default SettingFollowing example enables Igmp snooping Ip igmp snooping Ip igmp snooping leave-proxy Following configures the switch to use Igmp VersionSyntax No ip igmp snooping leave-proxy Default Setting Ip igmp snooping version Ip igmp snooping immediate-leave Syntax No ip igmp snooping immediate-leave Default SettingInterface Configuration Vlan This command shows the Igmp snooping configuration Following shows the current Igmp snooping configuration This command shows known multicast addressesShow mac-address-table multicast Ip igmp snooping querier Igmp Query Commands Layer69 Igmp Query Commands Layer Function Mode Syntax No ip igmp snooping querier Default Setting Ip igmp snooping query-max-response-time4-208 Following shows how to configure the query count toIp igmp snooping query-interval Times Seconds The report delay advertised in Igmp queries. Range Ip igmp snooping query-max-response-timeIp igmp snooping router-port-expire-time Syntax No ip igmp snooping vlan vlan-idmrouter interface Static Multicast Routing Commands70 Static Multicast Routing Commands Function Mode Ip igmp snooping vlan mrouter Multicast router port types displayed include Static Displays multicast router ports for all configured VLANsShow ip igmp snooping mrouter Syntax Show ip igmp snooping mrouter vlan vlan-id 213 Igmp Filtering and Throttling Commands71 Igmp Filtering and Throttling Commands Function Mode Syntax No ip igmp filter Default Setting Syntax No ip igmp profile profile-number Syntax Permit deny Default SettingIp igmp profile Permit, deny Range No range low-ip-address high-ip-addressSyntax No ip igmp filter profile-number Syntax Ip igmp max-groups number No ip igmp max-groups Ip igmp max-groups Syntax Show ip igmp filter interface interface Ip igmp max-groups actionShow ip igmp filter Syntax Ip igmp max-groups action replace deny Syntax Show ip igmp throttle interface interface Show ip igmp profileShow ip igmp throttle interface Syntax Show ip igmp profile profile-number 219 Multicast Vlan Registration Commands72 Multicast Vlan Registration Commands Function Mode Port Port number. Range Port-channelchannel-id Range No mvr group ip-address count vlan vlan-id Command Line Interface Mvr Global Configuration Multicast Filtering Commands Mvr Interface Configuration 220 Show mvr Syntax Show mvr interface interface members ip-address73 show mvr display description 74 show mvr interface display description 75 show mvr members display descriptionMembers 224 IP Interface Commands76 IP Interface Commands Function Mode Ip address Following example defines a default gateway for this device Ip default-gatewaySyntax Ip default-gateway gateway no ip default-gateway Gateway IP address of the default gateway Show ip interface This command submits a Bootp or Dhcp client requestThis command displays the settings of an IP interface Ip dhcp restart Ping Ip default-gateway4-224This command has no default for the host Show ip redirects IP Source Guard Commands 77 IP Source Guard Commands Function ModeIp source-guard Syntax Ip source-guard sip sip-macno ip source-guard No ip source-guard binding mac-addressvlan vlan-id This example enables IP source guard on portNo configured entries Ip source-guard binding Ip source-guard4-227 ip dhcp snooping Ip dhcp snooping vlan This command shows the source guard binding tableShow ip source-guard Show ip source-guard binding Ip dhcp snooping Dhcp Snooping Commands78 Dhcp Snooping Commands Function Mode Syntax No ip dhcp snooping Default Setting 232 Ip dhcp snooping vlan 4-233 ip dhcp snooping trust This example enables Dhcp snooping globally for the switchThis example enables Dhcp snooping for Vlan Ip dhcp snooping vlan Ip dhcp snooping trust Syntax No ip dhcp snooping trust Default Setting This example enables MAC address verification Ip dhcp snooping verify mac-addressIp dhcp snooping information option This example enables the Dhcp Snooping Information Option Ip dhcp snooping information policyReplace Show ip dhcp snooping binding Switch Cluster Commands79 Switch Cluster Commands Function Mode Show ip dhcp snooping Syntax No cluster Default Setting ClusterDisplays current cluster Candidates in the network 242 Syntax Cluster ip-pool ip-addressno cluster ip-pool Cluster commanderSyntax No cluster commander Default Setting Cluster ip-pool Cluster member RcommandSyntax Rcommand id member-id Member-id- The ID number of the Member switch. Range Show cluster members This command shows the switch clustering configurationThis command shows the current switch cluster members Show cluster Show cluster candidates Software Features Appendix a Software Specifications Igmp RFC 1112 IGMPv2 RFC 2236 RADIUS+ RFC Management FeaturesGroups 1, 2, 3, 9 Statistics, History, Alarm, Event Standards Management Information Bases a Management Information Bases Software Specifications Symptom Action Table B-1 Troubleshooting Chart Using System Logs Differentiated Services Code Point Service Dscp Access Control List ACLBoot Protocol Bootp Class of Service CoS Group Attribute Registration Protocol Garp Garp Vlan Registration Protocol GvrpGeneric Attribute Registration Protocol Garp Generic Multicast Registration Protocol Gmrp In-Band Management Igmp SnoopingIgmp Query Internet Group Management Protocol Igmp Network Time Protocol NTP Multicast SwitchingPort Authentication Remote Authentication Dial-in User Service Radius Spanning Tree Algorithm STA Secure Shell SSHSimple Network Management Protocol Snmp Simple Network Time Protocol Sntp XModem Virtual LAN Vlan Numerics Index Index Gateway, default 3-14,4-224 Index-3 Index-4 Page Technical Support