Allied Telesis AT-S94 CLI User Manual

Management Software
AT-S94
CLI User’s Guide
AT-8000S Series Stackable Gigabit Ethernet Switches Version 3.0.0.45
613-001983 Rev. A
Copyright © 2014 Allied Telesis, Inc. All rights reserved. No part of this publication may be reproduced without prior written permission from Allied Telesis, Inc. Allied Telesis is a trademark of Allied Telesis, Inc. Microsoft and Internet Explorer are registered trademarks of Microsoft Corporation.
Netscape Navigator is a registered trademark of Netscape Communications Corporation. All other product names, company names, logos or other designations mentioned herein are trademarks or registered trademarks of their respective owners.
Allied Telesis, Inc. reserves the right to make changes in specifications and other information contained in this document without prior written notice. The information provided herein is subject to change without notice. In no event shall Allied Telesis, Inc. be liable for any incidental, special, indirect, or consequential damages whatsoever, including but not limited to lost profits, arising out of or related to this manual or the information contained herein, even if Allied Telesis, Inc. has been advised of, known, or should have known, the possibility of such damages.
Table of Contents
Preface................................................................................................................................. 14
Intended Audience.........................................................................................................................15
Document Conventions .................................................................................................................15
Contacting Allied Telesis ...............................................................................................................16
Chapter 1. Using the CLI..................................................................................................... 17
Overview..............................................................................................................................................17
CLI Command Modes....................................................................................................................17
Introduction..............................................................................................................................................17
User EXEC Mode ....................................................................................................................................17
Privileged EXEC Mode............................................................................................................................17
Global Configuration Mode......................................................................................................................18
Interface Configuration and Specific Configuration Modes......................................................................19
Starting the CLI..............................................................................................................................20
Editing Features ............................................................................................................................20
Entering Commands................................................................................................................................20
Terminal Command Buffer.................................................................................................................21
Negating the Effect of Commands.....................................................................................................21
Command Completion........................................................................................................................21
Nomenclature.....................................................................................................................................22
Keyboard Shortcuts............................................................................................................................22
CLI Command Conventions...............................................................................................................22
Copying and Pasting Text........................................................................................................................23
Chapter 2. ACL Commands ................................................................................................ 24
ip access-list.........................................................................................................................................24
permit (ip).............................................................................................................................................24
deny (IP)...............................................................................................................................................27
ipv6 access-list.....................................................................................................................................29
permit (IPv6).........................................................................................................................................30
deny (IPv6)...........................................................................................................................................32
mac access-list.....................................................................................................................................34
permit (MAC)........................................................................................................................................35
deny (MAC)..........................................................................................................................................35
service-acl............................................................................................................................................36
show access-lists.................................................................................................................................37
show interfaces access-lists.................................................................................................................38
Chapter 3. AAA Commands................................................................................................39
aaa authentication login.......................................................................................................................39
aaa authentication enable....................................................................................................................40
login authentication..............................................................................................................................41
enable authentication...........................................................................................................................42
Allied Telesis AT-8000S-S94-3.0 Command Line Interface User’s Guide
ip http authentication ......................................................................................................................... 42
ip https authentication........................................................................................................................ 43
show authentication methods.............................................................................................................. 44
password............................................................................................................................................. 45
username............................................................................................................................................. 45
aaa accounting login............................................................................................................................46
aaa accounting dot1x ..........................................................................................................................47
show users accounts........................................................................................................................... 49
enable password ................................................................................................................................. 49
show accounting..................................................................................................................................50
Chapter 4. Address Table Commands............................................................................... 52
bridge address.....................................................................................................................................52
bridge multicast filtering.......................................................................................................................52
bridge multicast address...................................................................................................................... 53
bridge multicast forbidden address...................................................................................................... 54
bridge multicast unregistered ..............................................................................................................55
bridge multicast forward-all..................................................................................................................55
bridge multicast forbidden forward-all.................................................................................................. 56
bridge aging-time.................................................................................................................................57
clear bridge.......................................................................................................................................... 58
port security.........................................................................................................................................58
port security mode............................................................................................................................... 59
port security max................................................................................................................................. 59
port security routed secure-address....................................................................................................60
show bridge address-table ..................................................................................................................61
show bridge address-table static......................................................................................................... 62
show bridge address-table count.........................................................................................................62
show bridge multicast address-table ...................................................................................................64
show bridge multicast address-table static..........................................................................................66
show bridge multicast filtering .............................................................................................................66
show bridge multicast unregistered.....................................................................................................68
show ports security.............................................................................................................................. 68
show ports security addresses............................................................................................................ 69
Chapter 5. Clock Commands.............................................................................................. 71
clock set..............................................................................................................................................71
clock source........................................................................................................................................71
clock timezone.................................................................................................................................... 72
clock summer-time .............................................................................................................................73
sntp authentication-key........................................................................................................................ 74
sntp authenticate................................................................................................................................. 75
sntp trusted-key................................................................................................................................... 75
sntp client poll timer............................................................................................................................. 76
sntp broadcast client enable................................................................................................................77
sntp anycast client enable ................................................................................................................... 77
sntp client enable (Interface)...............................................................................................................78
sntp unicast client enable.....................................................................................................................78
sntp unicast client poll..........................................................................................................................79
sntp server ...........................................................................................................................................80
show clock............................................................................................................................................81
show sntp configuration .......................................................................................................................82
show sntp status ..................................................................................................................................83
Chapter 6. Configuration and Image File Commands...................................................... 85
copy......................................................................................................................................................85
dir.........................................................................................................................................................87
delete ...................................................................................................................................................88
boot system..........................................................................................................................................89
show running-config.............................................................................................................................89
show startup-config..............................................................................................................................90
show bootvar........................................................................................................................................91
Chapter 7. DHCP Snooping Commands............................................................................93
ip dhcp snooping..................................................................................................................................93
ip dhcp snooping vlan ..........................................................................................................................93
ip dhcp snooping trust..........................................................................................................................94
ip dhcp snooping information option allowed-untrusted.......................................................................95
ip dhcp snooping verify ........................................................................................................................95
ip dhcp snooping database..................................................................................................................96
ip dhcp snooping database update-freq...............................................................................................96
ip dhcp snooping binding .....................................................................................................................97
clear ip dhcp snooping database .........................................................................................................98
show ip dhcp snooping.........................................................................................................................98
show ip dhcp snooping binding............................................................................................................99
Chapter 8. Ethernet Configuration Commands............................................................... 100
interface ethernet...............................................................................................................................100
interface range ethernet.....................................................................................................................100
shutdown............................................................................................................................................101
description..........................................................................................................................................102
speed .................................................................................................................................................102
duplex.................................................................................................................................................103
negotiation..........................................................................................................................................104
flowcontrol..........................................................................................................................................104
mdix....................................................................................................................................................105
back-pressure ....................................................................................................................................106
system flowcontrol..............................................................................................................................106
clear counters.....................................................................................................................................107
set interface active.............................................................................................................................107
show interfaces advertise...................................................................................................................108
show interfaces configuration.............................................................................................................109
show interfaces status........................................................................................................................110
show interfaces description................................................................................................................111
show interfaces counters...................................................................................................................112
port storm-control include-multicast (IC)............................................................................................ 115
port storm-control broadcast enable.................................................................................................. 115
port storm-control broadcast rate ......................................................................................................116
show ports storm-control ................................................................................................................... 117
Chapter 9. GVRP Commands............................................................................................ 118
gvrp enable (Global).......................................................................................................................... 118
gvrp enable (Interface) ......................................................................................................................118
garp timer .......................................................................................................................................... 119
gvrp vlan-creation-forbid....................................................................................................................120
gvrp registration-forbid....................................................................................................................... 120
clear gvrp statistics............................................................................................................................ 121
show gvrp configuration..................................................................................................................... 121
show gvrp statistics ........................................................................................................................... 122
show gvrp error-statistics...................................................................................................................123
Chapter 10. IGMP Snooping Commands......................................................................... 125
ip igmp snooping (Global)..................................................................................................................125
ip igmp snooping (Interface).............................................................................................................. 125
ip igmp snooping mrouter learn-pim-dvmrp....................................................................................... 126
ip igmp snooping host-time-out ......................................................................................................... 128
ip igmp snooping querier enable ....................................................................................................... 128
ip igmp snooping querier address ..................................................................................................... 129
ip igmp snooping querier version.......................................................................................................130
ip igmp snooping mrouter-time-out.................................................................................................... 130
ip igmp snooping leave-time-out........................................................................................................131
show ip igmp snooping mrouter.........................................................................................................132
show ip igmp snooping interface .......................................................................................................132
show ip igmp snooping groups.......................................................................................................... 134
Chapter 11. IP Addressing Commands............................................................................ 135
ip address..........................................................................................................................................135
ip address dhcp................................................................................................................................. 135
ip default-gateway ............................................................................................................................ 136
show ip interface................................................................................................................................ 137
arp ..................................................................................................................................................... 138
arp timeout.........................................................................................................................................138
clear arp-cache..................................................................................................................................139
show arp............................................................................................................................................140
ip domain-lookup............................................................................................................................... 140
ip domain-name.................................................................................................................................141
ip name-server.................................................................................................................................. 142
ip host............................................................................................................................................... 142
clear host...........................................................................................................................................143
clear host dhcp.................................................................................................................................. 143
show hosts......................................................................................................................................... 144
Chapter 12. IPv6 Addressing Commands........................................................................ 146
ipv6 enable ........................................................................................................................................146
ipv6 address ......................................................................................................................................146
ipv6 address link-local .......................................................................................................................147
ipv6 default-gateway..........................................................................................................................148
show ipv6 interface ............................................................................................................................149
ipv6 nd dad attempts..........................................................................................................................150
ipv6 host. ....................................... ... ... .... ... ... ....................................... ... ... ... .... .................................151
ipv6 neighbor.......................... .... ...................................... .... ... ... ... .... .................................................152
show ipv6 neighbors ..........................................................................................................................153
clear ipv6 neighbors...........................................................................................................................154
Chapter 13. Line Commands ............................................................................................ 155
line......................................................................................................................................................155
speed .................................................................................................................................................155
autobaud............................................................................................................................................156
exec-timeout.......................................................................................................................................157
history.................................................................................................................................................157
history size.........................................................................................................................................158
terminal history...................................................................................................................................158
terminal history size ...........................................................................................................................159
show line............................................................................................................................................160
Chapter 14. DHCP Option 82 Commands........................................................................162
ip dhcp information option..................................................................................................................162
show ip dhcp information option........................................................................................................162
Chapter 15. IP DHCP Relay ............................................................................................... 164
ip dhcp relay enable (global)..............................................................................................................164
ip dhcp relay enable (interface)..........................................................................................................164
ip dhcp relay address.........................................................................................................................165
show ip dhcp relay .............................................................................................................................165
Chapter 16. LACP Commands..........................................................................................167
lacp system-priority............................................................................................................................167
lacp port-priority .................................................................................................................................168
lacp timeout........................................................................................................................................169
show lacp ethernet.............................................................................................................................170
show lacp port-channel......................................................................................................................172
Chapter 17. LLDP Commands .......................................................................................... 174
lldp enable (global).............................................................................................................................174
lldp enable (interface).........................................................................................................................174
lldp timer.............................................................................................................................................175
lldp hold-multiplier..............................................................................................................................176
lldp reinit-delay...................................................................................................................................176
lldp tx-delay .......................................................................................................................................177
lldp optional-tlv...................................................................................................................................177
lldp management-address.................................................................................................................178
lldp notifications................................................................................................................................. 179
lldp med enable................................................................................................................................. 179
lldp med network-policy (global)........................................................................................................ 180
lldp med network-policy (interface)....................................................................................................181
lldp med location................................................................................................................................ 181
clear lldp rx........................................................................................................................................182
show lldp configuration...................................................................................................................... 183
show lldp med configuration.............................................................................................................. 184
show lldp local................................................................................................................................... 185
show lldp neighbors...........................................................................................................................187
Chapter 18.Login Banner Commands............................................................................. 192
login_banner......................................................................................................................................192
show login_banner ............................................................................................................................192
Chapter 19.Management ACL Commands ..................................................................... 194
management access-list....................................................................................................................194
permit (Management)........................................................................................................................195
deny (Management) ..........................................................................................................................196
management access-class................................................................................................................197
show management access-list ..........................................................................................................197
show management access-class.......................................................................................................198
Chapter 20.PHY Diagnostics Commands....................................................................... 199
test copper-port tdr............................................................................................................................199
show copper-ports tdr........................................................................................................................199
show copper-ports cable-length ........................................................................................................200
show fiber-ports optical-transceiver...................................................................................................201
Chapter 21.Port Channel Commands ............................................................................. 203
interface port-channel........................................................................................................................203
interface range port-channel..............................................................................................................203
channel-group.................................................................................................................................... 204
show interfaces port-channel.............................................................................................................204
Chapter 22.Port Monitor Commands .............................................................................. 206
port monitor .......................................................................................................................................206
show ports monitor............................................................................................................................ 207
Chapter 23.Power over Ethernet Commands................................................................. 208
power inline............................................................208
power inline powered-device............................................................208
power inline priority............................................................209
power inline usage-threshold............................................................210
power inline traps enable...................................................................................................................210
show power inline...............................................................................................................................211
show power inline power-consumption..............................................................................................213
show power inline version..................................................................................................................213
Chapter 24.QoS Commands ............................................................................................ 215
qos .....................................................................................................................................................215
show qos............................................................................................................................................215
priority-queue out num-of-queues......................................................................................................216
rate-limit .............................................................................................................................................216
traffic-shape .......................................................................................................................................217
show qos interface.............................................................................................................................218
wrr-queue cos-map............................................................................................................................219
qos trust (Global)............................................................220
qos map dscp-queue..........................................................................................................................220
qos cos............................................................221
show qos map....................................................................................................................................222
Chapter 25.Radius Commands........................................................................................224
radius-server host ..............................................................................................................................224
radius-server key................................................................................................................................225
radius-server retransmit.....................................................................................................................225
radius-server source-ip ......................................................................................................................226
radius-server source-ipv6...................................................................................................................227
radius-server timeout .........................................................................................................................227
radius-server deadtime ......................................................................................................................228
show radius-servers...........................................................................................................................228
Chapter 26.RMON Commands......................................................................................... 230
show rmon statistics...........................................................................................................................230
rmon collection history............................................................232
show rmon collection history..............................................................................................................232
show rmon history..............................................................................................................................233
rmon alarm............................................................236
show rmon alarm-table.......................................................................................................................237
show rmon alarm................................................................................................................................238
rmon event............................................................240
show rmon events..............................................................................................................................240
show rmon log....................................................................................................................................241
rmon table-size............................................................242
Chapter 27.SNMP Commands ......................................................................................... 244
snmp-server community.....................................................................................................................244
snmp-server view............................................................245
snmp-server group.............................................................................................................................246
snmp-server user............................................................247
snmp-server engineID local............................................................248
snmp-server enable traps..................................................................................................................249
snmp-server filter............................................................249
snmp-server host...............................................................................................................................250
snmp-server v3-host..........................................................................................................................252
snmp-server trap authentication........................................................................................................253
snmp-server contact.......................................................................................................................... 253
snmp-server location............................................................254
snmp-server set.................................................................................................................................254
show snmp ........................................................................................................................................ 255
show snmp engineid..........................................................................................................................257
show snmp views .............................................................................................................................. 257
show snmp groups ............................................................................................................................ 258
show snmp filters...............................................................................................................................259
show snmp users............................................................................................................................... 260
Chapter 28.Spanning-Tree Commands........................................................................... 261
spanning-tree..................................................................................................................................... 261
spanning-tree mode............................................................261
spanning-tree forward-time............................................................262
spanning-tree hello-time.................................................................................................................... 263
spanning-tree max-age......................................................................................................................263
spanning-tree priority............................................................264
spanning-tree disable............................................................264
spanning-tree cost............................................................265
spanning-tree port-priority .................................................................................................................266
spanning-tree portfast........................................................................................................................ 266
spanning-tree link-type............................................................267
spanning-tree pathcost method.........................................................................................................268
spanning-tree bpdu............................................................268
spanning-tree guard root...................................................................................................................269
spanning-tree bpduguard............................................................270
clear spanning-tree detected-protocols............................................................................................. 270
spanning-tree mst priority.................................................................................................................. 271
spanning-tree mst max-hops............................................................271
spanning-tree mst port-priority...........................................................................................................272
spanning-tree mst cost............................................................273
spanning-tree mst configuration ........................................................................................................273
instance (mst)....................................................................................................................................274
name (mst)............................................................275
revision (mst)..................................................................................................................................... 275
show (mst).........................................................................................................................................276
exit (mst)............................................................................................................................................ 277
abort (mst)............................................................277
show spanning-tree........................................................................................................................... 278
Chapter 29.SSH Commands ............................................................................................ 290
ip ssh port............................................................290
ip ssh server............................................................290
crypto key generate dsa.....................................................................................................................291
crypto key generate rsa......................................................................................................................291
ip ssh pubkey-auth............................................................292
crypto key pubkey-chain ssh..............................................................................................................293
user-key .............................................................................................................................................294
key-string............................................................................................................................................294
show ip ssh ........................................................................................................................................295
show crypto key mypubkey................................................................................................................296
show crypto key pubkey-chain ssh ....................................................................................................297
Chapter 30.Syslog Commands........................................................................................299
logging on...........................................................................................................................................299
logging................................................................................................................................................299
logging console..................................................................................................................................300
logging buffered .................................................................................................................................301
logging buffered size..........................................................................................................................301
clear logging.......................................................................................................................................302
logging file..........................................................................................................................................303
clear logging file.................................................................................................................................303
aaa logging.........................................................................................................................................304
file-system logging .............................................................................................................................304
management logging..........................................................................................................................305
show logging......................................................................................................................................306
show logging file.................................................................................................................................307
show syslog-servers...........................................................................................................................308
Chapter 31.TACACS+ Commands...................................................................................310
tacacs-server host............................................................310
tacacs-server key............................................................311
tacacs-server timeout............................................................311
tacacs-server source-ip......................................................................................................................312
show tacacs .......................................................................................................................................312
Chapter 32.Tunnel Commands........................................................................................314
interface tunnel...................................................................................................................................314
tunnel mode ipv6ip.............................................................................................................................314
tunnel isatap router ............................................................................................................................315
tunnel source......................................................................................................................................316
tunnel isatap query-interval................................................................................................................316
tunnel isatap solicitation-interval........................................................................................................317
tunnel isatap robustness....................................................................................................................318
show ipv6 tunnel ................................................................................................................................318
Chapter 33.System Management Commands................................................................320
ping ....................................................................................................................................................320
telnet ..................................................................................................................................................321
reload................................................................................................................................................. 324
resume............................................................................................................................................... 325
hostname........................................................................................................................................... 325
stack master...................................................................................................................................... 326
stack reload....................................................................................................................................... 327
stack change unit-id........................................................................................................................... 327
show stack......................................................................................................................................... 328
show users ........................................................................................................................................ 329
show sessions................................................................................................................................... 330
show system...................................................................................................................................... 331
show system id..................................................................................................................................332
show version...................................................................................................................................... 333
Chapter 34.User Interface Commands............................................................................ 335
do.......................................................................................................................................................335
enable................................................................................................................................................ 336
disable............................................................................................................................................... 336
login...................................................................................................................................................337
configure............................................................................................................................................ 337
exit (Configuration)............................................................................................................................ 338
exit.....................................................................................................................................................338
end.....................................................................................................................................................339
help.................................................................................................................................................... 339
terminal datadump.............................................................................................................................340
show history....................................................................................................................................... 341
show privilege.................................................................................................................................... 342
Chapter 35.VLAN Commands.......................................................................................... 343
vlan database............................................................343
vlan....................................................................................................................................................343
interface vlan.....................................................................................................................................344
interface range vlan........................................................................................................................... 345
name.................................................................................................................................................. 345
switchport protected ..........................................................................................................................346
switchport mode ................................................................................................................................347
switchport access vlan....................................................................................................................... 348
switchport trunk allowed vlan............................................................348
switchport trunk native vlan ............................................................................................................... 349
switchport general allowed vlan............................................................349
switchport general pvid......................................................................................................................350
switchport general ingress-filtering disable............................................................351
switchport general acceptable-frame-type tagged-only.....................................................................351
switchport general map macs-group vlan..........................................................................................352
map mac macs-group........................................................................................................................353
show vlan macs-group....................................................................................................................... 353
switchport forbidden vlan..................... ... ....................................... ... ... .... ... ....................................... 354
ip internal-usage-vlan................ ... .... ... ... ... .... ...................................... .... ... ... ... ... ..............................355
Page 11
show vlan...........................................................................................................................................356
show vlan internal usage....................................................................................................................356
show interfaces switchport.................................................................................................................357
Chapter 36. Web Server Commands
ip http server
ip http port
ip http exec-timeout
ip https server
ip https port
ip https exec-timeout
crypto certificate generate
crypto certificate request
crypto certificate import
ip https certificate
show crypto certificate mycertificate
show ip http
show ip https
Chapter 37. 802.1x Commands
aaa authentication dot1x
dot1x system-auth-control
dot1x port-control
dot1x re-authentication
dot1x timeout re-authperiod
dot1x re-authenticate
dot1x timeout quiet-period
dot1x timeout tx-period
dot1x max-req
dot1x timeout supp-timeout
dot1x timeout server-timeout
show dot1x
show dot1x users
show dot1x statistics
dot1x auth-not-req
dot1x guest-vlan
dot1x single-host-violation
dot1x mac-authentication
show dot1x advanced
dot1x guest-vlan enable
dot1x guest-vlan timeout
dot1x radius-attributes vlan
Index
Allied Telesis AT-8000S-S94-3.0 Command Line Interface User’s Guide

Preface

This guide describes how to configure an AT-8000S Series switch with AT-S94 V2.0.0 firmware using the command line interface. The commands are grouped by topic into the following chapters:
Chapter 1. "Using the CLI" — Describe the CLI basic structure and command usage.
Chapter 2. "ACL Commands" — Define MAC and IP based ACLs and ACL bindings.
Chapter 3. "AAA Commands" — Define the authentication method lists for servers.
Chapter 4. "Address Table Commands" — Register MAC-layer Multicast addresses, and handle MAC-layer secure addresses to a routed port.
Chapter 5. "Clock Commands" — Show the configuration or status of the Simple Network Time Protocol (SNTP).
Chapter 6. "Configuration and Image File Commands" — Display the contents of the currently running configuration file, specify contents of image files.
Chapter 7. "DHCP Snooping Commands" — Contains parameters for enabling DHCP Snooping on the device.
Chapter 8. "Ethernet Configuration Commands" — Configure multiple Ethernet type interfaces.
Chapter 9. "GVRP Commands" — Display the GARP VLAN Registration Protocol (GVRP) configuration information, enable GVRP globally or on an interface.
Chapter 10. "IGMP Snooping Commands" — Enable the Internet Group Management Protocol (IGMP) snooping.
Chapter 11. "IP Addressing Commands" — Define a default gateway, set an IP address for an interface, delete entries from the host.
Chapter 12. "IPv6 Addressing Commands" — Define addressing commands for the IPv6 protocol.
Chapter 13. "Line Commands" — Display line parameters, enable the command history function, or configure the command history buffer size.
Chapter 14. "DHCP Option 82 Commands" — DHCP with Option 82 attaches authentication messages to the packets sent from the host. DHCP passes the configuration information to hosts on a TCP/IP network. This permits network administrators to limit address allocation to authorized hosts.
Chapter 15. "IP DHCP Relay" — Defines Dynamic Host Configuration Protocol (DHCP) relay features on the router.
Chapter 16. "LACP Commands" — Specify LACP system and port priority and display LACP information.
Chapter 17. "LLDP Commands" — Define commands for use with LLDP.
Chapter 18. "Login Banner Commands" — Display login banner commands.
Chapter 19. "Management ACL Commands" — Define a permit or deny rule, or configure a management access control list.
Chapter 20. "PHY Diagnostics Commands" — Display the optical transceiver diagnostics.
Chapter 21. "Port Channel Commands" — Enter the interface configuration mode to configure a specific port-channel or multiple port-channels.
Chapter 22. "Port Monitor Commands" — Start a port monitoring session, or display the port monitoring status.
Chapter 23. "Power over Ethernet Commands" — Configure and display Power over Ethernet device settings.
Chapter 24. "QoS Commands" — Enable Quality of Service (QoS) on the device, create policy maps, and define traffic classifications.
Chapter 25. "Radius Commands" — Specify the source IP address used for communication with Remote Authentication Dial-in User Service (RADIUS) servers, and display the RADIUS server settings.
Chapter 26. "RMON Commands" — Display the Remote Network Monitoring (RMON) Ethernet history statistics, alarms table and configuration.
Chapter 27. "SNMP Commands" — Configure the community access string to permit access to the Simple Network Management Protocol (SNMP) server, create or update SNMP server entries, and specify SNMP engineID.
Chapter 28. "Spanning-Tree Commands" — Configure the spanning-tree functionality.
Chapter 29. "SSH Commands" — Display the Secure Socket Shell (SSH) public keys on the device, SSH server configuration, or which SSH public key is manually configured.
Chapter 30. "Syslog Commands" — Log messages to a syslog server, or limit log messages to a syslog server.
Chapter 31. "TACACS+ Commands" — Display configuration and statistical information about a Terminal Access Controller Access Control System (TACACS+) server, or specify a TACACS+ host.
Chapter 32. "Tunnel Commands" — Configure interface tunnel commands.
Chapter 33. "System Management Commands" — Display and list system, version or Telnet session information.
Chapter 34. "User Interface Commands" — Display and list system, version or Telnet session information.
Chapter 35. "VLAN Commands" — Enter the (Virtual Local Area Network) VLAN Configuration mode, enable simultaneously configuring multiple VLANs, or add or remove VLANs.
Chapter 36. "Web Server Commands" — Enable configuring the device from a browser, or display the HTTP server configuration.
Chapter 37. "802.1x Commands" — Specify authentication, authorization and accounting (AAA) methods for use on interfaces running IEEE 802.1x, and enable 802.1x globally.

Intended Audience

This guide is intended for network administrators familiar with IT concepts and terminology.

Document Conventions

This document uses the following conventions:
Note: Provides related information or information of special importance.
Caution: Indicates potential damage to hardware or software, or loss of data.
Warning: Indicates a risk of personal injury.

Contacting Allied Telesis

This section provides Allied Telesis contact information for technical support as well as sales or corporate information.
Online Support
You can request technical support online by accessing the Allied Telesis Knowledge Base from the following web site: www.alliedtelesis.com/support. You can use the Knowledge Base to submit questions to our technical support staff and review answers to previously asked questions.
Email and Telephone Support
For Technical Support via email or telephone, refer to the Allied Telesis web site: www.alliedtelesis.com. Select your country from the list displayed on the website. Then select the appropriate menu tab.
Returning Products
Products for return or repair must first be assigned a Return Materials Authorization (RMA) number. A product sent to Allied Telesis without an RMA number will be returned to the sender at the sender’s expense.
To obtain an RMA number, contact the Allied Telesis Technical Support group at our web site: www.alliedtelesis.com/support/. Select your country from the list displayed on the website. Then select the appropriate menu tab.
For Sales or Corporate Information
You can contact Allied Telesis for sales or corporate information at our web site: www.alliedtelesis.com. Select your country from the list displayed on the website. Then select the appropriate menu tab.
Warranty
The AT-8000S Series Switch has a limited warranty of two years. Go to www.alliedtelesis.com/warranty for the specific terms and conditions of the warranty and for warranty registration.

Chapter 1. Using the CLI

Overview

This chapter describes how to start using the CLI and the CLI command editing features.

CLI Command Modes

Introduction

To assist in configuring the device, the Command Line Interface (CLI) is divided into different command modes. Each command mode has its own set of specific commands. Entering a question mark "?" at the system prompt (console prompt) displays a list of commands available for that particular command mode.
From each mode a specific command is used to navigate from one command mode to another. The standard order to access the modes is as follows: Privileged EXEC mode, Global Configuration mode, and Interface Configuration mode. After logging into the device, the user is automatically in Privileged EXEC command mode unless the user is defined as a User EXEC user.
The User EXEC mode can be assigned for a user once a user account is created. Only a limited subset of commands are available in User EXEC mode. This level is reserved for tasks that do not change the configuration. To enter the next level, the Privileged EXEC mode, a password is required.
The Privileged EXEC mode gives access to commands that are restricted on User EXEC mode and provides access to the device Configuration mode.
The Global Configuration mode manages the device configuration on a global level. The Interface Configuration mode configures specific interfaces in the device.

User EXEC Mode

In general, the User EXEC commands allow the user to perform basic tests, and list system information. The user-level prompt consists of the device host name followed by the angle bracket (>).
Console>
The default host name is Console unless it has been changed using the hostname command in the Global Configuration mode.

Privileged EXEC Mode

Privileged access is the system default mode and is password protected to prevent unauthorized use because many of the privileged commands set operating system parameters. The password is not displayed on the screen and is case sensitive.
Privileged users enter directly into the Privileged EXEC mode. To enter the Privileged EXEC mode from the User EXEC mode, perform the following steps:
1. At the prompt enter the enable command and press <Enter>. A password prompt is displayed.
2. Enter the password and press <Enter>. The password is displayed as *. The Privileged EXEC mode prompt is displayed. The Privileged EXEC mode prompt consists of the device host name followed by #.
Console#
To return from the Privileged EXEC mode to the User EXEC mode, use the disable command. The following example illustrates how to access the Privileged EXEC mode and return to the User EXEC mode:
Console> enable
Enter Password: ******
Console#
Console# disable
Console>
The exit command is used to return from any mode to the previous mode except when returning to the User EXEC mode from the Privileged EXEC mode. For example, the exit command is used to return from the Interface Configuration mode to the Global Configuration mode.

Global Configuration Mode

Global Configuration mode commands apply to features that affect the system as a whole, rather than just a specific interface. The configure Privileged EXEC mode command is used to enter the Global Configuration mode.
To enter the Global Configuration mode perform the following steps:
1. At the Privileged EXEC mode prompt enter the configure command and press <Enter>. The Global Configuration mode prompt is displayed. The Global Configuration mode prompt consists of the device host name followed by (config) and #.
Console(config)#
One of the following commands can be used to return from the Global Configuration mode to the Privileged EXEC mode:
exit
end
Ctrl+Z
The following example illustrates how to access the Global Configuration mode and return to the Privileged EXEC mode:
Console#
Console# configure
Console(config)# exit
Console#

Interface Configuration and Specific Configuration Modes

Interface Configuration mode commands modify specific interface operations. The following are the Interface Configuration modes:
Line Interface — Contains commands to configure the management connections. These include commands such as line timeout settings, etc. The line Global Configuration mode command is used to enter the Line Configuration command mode.
VLAN Database — Contains commands to create a VLAN as a whole. The VLAN database Global Configuration mode command is used to enter the VLAN Database Interface Configuration mode.
Management Access List — Contains commands to define management access-lists. The management access-list Global Configuration mode command is used to enter the Management Access List Configuration mode.
Ethernet — Contains commands to manage port configuration. The interface ethernet Global Configuration mode command is used to enter the Interface Configuration mode to configure an Ethernet type interface.
Port Channel — Contains commands to configure port-channels, for example, assigning ports to a port-channel. Most of these commands are the same as the commands in the Ethernet interface mode, and are used to manage the member ports as a single entity. The interface port-channel Global Configuration mode command is used to enter the Port Channel Interface Configuration mode.
SSH Public Key-chain — Contains commands to manually specify other device SSH public keys. The crypto key pubkey-chain ssh Global Configuration mode command is used to enter the SSH Public Key-chain Configuration mode.
QoS — Contains commands related to service definitions. The qos Global Configuration mode command is used to enter the QoS services configuration mode.
MAC Access-List — Configures conditions required to allow traffic based on MAC addresses. The mac access-list Global Configuration mode command is used to enter the MAC access-list configuration mode.
Tunnel Mode — Configures tunneling specifications in the device. The tunnel interface Global Configuration mode command is used to enter the tunneling configuration mode.

Starting the CLI

The device can be managed over a direct connection to the device console RS-232 port or via a Telnet connection. The device is managed by entering command keywords and parameters at the prompt. Using the device Command Line Interface (CLI) is very similar to entering commands on a UNIX system.
If access is via a Telnet connection, ensure that the device has a defined IP address, corresponding management access is granted, and the workstation used to access the device is connected to the device prior to using CLI commands.
The following steps are for use on the console line only.
To start using the CLI, perform the following steps:
1. Connect the DB9 null-modem or crossover cable from the RS-232 serial port of the device to the RS-232 serial port of the terminal or computer running the terminal emulation application.
The default data rate is 115200 bps.
a) Set the data format to 8 data bits, 1 stop bit, and no parity.
b) Set Flow Control to none.
c) Under Properties, select VT100 for Emulation mode.
d) Select Terminal keys for Function, Arrow, and Ctrl keys. Ensure that the setting is for Terminal keys (not Windows keys).
When using HyperTerminal with Microsoft® Windows 2000, ensure that Windows® 2000 Service Pack 2 or later is installed. With Windows 2000 Service Pack 2, the arrow keys function properly in HyperTerminal’s VT100 emulation. Go to www.microsoft.com for information on Windows 2000 service packs.
2. Configure the device and enter the necessary commands to complete the required tasks.
3. When finished, exit the session with the exit command.
When a different user is required to log onto the system, use the login Privileged EXEC mode command. This effectively logs off the current user and logs on the new user.

Editing Features

Entering Commands

A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command show interfaces status ethernet 1/e11, show, interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/e11 specifies the port.
To enter commands that require parameters, enter the required parameters after the command keyword. For example, to set a password for the administrator, enter:
Console(config)# username admin password alansmith
When working with the CLI, the command options are not displayed. The command is not selected from a menu, but is manually entered. To see what commands are available in each mode or within an interface configuration, the CLI provides a method of displaying the available commands, the command syntax requirements and in some instances parameters required to complete the command. The standard command to request help is ?.
There are two instances where help information can be displayed:
Keyword lookup — The character ? is entered in place of a command. A list of all valid commands and corresponding help messages is displayed.
Partial keyword lookup — If a command is incomplete and/or the character ? is entered in place of a parameter, the matched keyword or parameters for this command are displayed.
To assist in using the CLI, there is an assortment of editing features. The following features are described:
Terminal Command Buffer
Command Completion
Nomenclature
Keyboard Shortcuts
Terminal Command Buffer
Every time a command is entered in the CLI, it is recorded on an internally managed Command History buffer. Commands stored in the buffer are maintained on a First In First Out (FIFO) basis. These commands can be recalled, reviewed, modified, and reissued. This buffer is not preserved across device resets.
Keyword                 Description
Up-arrow key, Ctrl+P    Recalls commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Down-arrow key          Returns to more recent commands in the history buffer after recalling commands with the up-arrow key. Repeating the key sequence will recall successively more recent commands.
By default, the history buffer system is enabled, but it can be disabled at any time. For information about the command syntax to enable or disable the history buffer, see history.
There is a standard default number of commands that are stored in the buffer. The standard number of 10 commands can be increased to 216. By configuring 0, the effect is the same as disabling the history buffer system. For information about the command syntax for configuring the command history buffer, see history size.
To display the history buffer, see show history.
Negating the Effect of Commands
For many configuration commands, the prefix keyword no can be entered to cancel the effect of a command or reset the configuration to the default value. This guide describes the negation effect for all applicable commands.
Command Completion
If the command entered is incomplete, invalid or has missing or invalid parameters, then the appropriate error message is displayed. This assists in entering the correct command. By pressing the <Tab> button, an incomplete command is entered. If the characters already entered are not enough for the system to identify a single matching command, press ? to display the available commands matching the characters already entered.
Nomenclature
When referring to an Ethernet port in a CLI command, the following format is used:
For an Ethernet port on a standalone device: Ethernet_type port_number
For an Ethernet port on a stacked device: unit_number/Ethernet_type port_number
The Ethernet type is Fast Ethernet (indicated by “e”).
For example, e3 stands for Fast Ethernet port 3 on a stand-alone device, whereas 1/e3 stands for Fast Ethernet port 3 on stacking unit 1.
The ports may be described on an individual basis or within a range. Use format port number-port number to specify a set of consecutive ports and port number, port number to indicate a set of non-consecutive ports. For example, e1-3 stands for Ethernet ports 1, 2 and 3, and e1, 5 stands for Ethernet ports 1 and 5.
Keyboard Shortcuts
The CLI has a range of keyboard shortcuts to assist in editing the CLI commands. The following table describes the CLI shortcuts.
Keyboard Key      Description
Up-arrow key      Recalls commands from the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Down-arrow key    Returns the most recent commands from the history buffer after recalling commands with the up arrow key. Repeating the key sequence will recall successively more recent commands.
Ctrl+A            Moves the cursor to the beginning of the command line.
Ctrl+E            Moves the cursor to the end of the command line.
Ctrl+Z / End      Returns to the Privileged EXEC mode from any configuration mode.
Backspace key     Deletes one character to the left of the cursor position.
CLI Command Conventions
When entering commands there are certain command entry standards that apply to all commands. The following table describes the command conventions.
Convention        Description
[ ]               In a command line, square brackets indicate an optional entry.
{ }               In a command line, curly brackets indicate a selection of compulsory parameters separated by the | character. One option must be selected. For example: flowcontrol {auto|on|off} means that for the flowcontrol command either auto, on or off must be selected.
Italic font       Indicates a parameter.
<Enter>           Indicates an individual key on the keyboard. For example, <Enter> indicates the Enter key.
Ctrl+F4           Any combination of keys pressed simultaneously on the keyboard.
Screen Display    Indicates system messages and prompts appearing on the console.
all               When a parameter is required to define a range of ports or parameters and all is an option, the default for the command is all when no parameters are defined. For example, the command interface range port-channel has the option of either entering a range of channels, or selecting all. When the command is entered without a parameter, it automatically defaults to all.

Copying and Pasting Text

Up to 1000 lines of text (i.e., commands) can be copied and pasted into the device.
It is the user’s responsibility to ensure that the text copied into the device consists of legal commands only.
This feature is dependent on the baud rate of the device.
The default device baud rate is 115,200.
When copying and pasting commands from a configuration file, make sure that the following conditions exist:
A device Configuration mode has been accessed.
The commands contain no encrypted data, like encrypted passwords or keys. Encrypted data cannot be copied and pasted into the device.

Chapter 2. ACL Commands

ip access-list

The ip access-list Global Configuration mode command defines an IPv4 Access List and places the device in IPv4 Access List Configuration mode. Use the no form of this command to remove the Access List.
Syntax
ip access-list access-list-name
no ip access-list access-list-name
Parameters
access-list-name — Name of the IPv4 Access List. (Range: 1 - 32 characters)
Default Configuration
No IPv4 Access List is defined
Command Mode
Global Configuration mode
User Guidelines
IPv4 ACLs are defined by a unique name. An IPv4 ACL and MAC ACL cannot share the same name.
Example
The following example places the device in IPv4 Access List Configuration mode.
console(config)# ip access-list

permit (ip)

The permit IP Access-list Configuration mode command sets conditions to allow a packet to pass a named IP Access List.
Syntax
permit {any | protocol} {any | {source source-wildcard}} {any | {destination destination-wildcard}} [dscp number | ip-precedence number] [fragments]
permit-icmp {any | {source source-wildcard}} {any | {destination destination-wildcard}} {any | icmp-type} {any | icmp-code} [dscp number | ip-precedence number]
permit-igmp {any | {source source-wildcard}} {any | {destination destination-wildcard}} {any | igmp-type} [dscp number | ip-precedence number]
permit-tcp {any | {source source-wildcard}} {any | source-port} {any | {destination destination-wildcard}} {any | destination-port} [dscp number | ip-precedence number] [flags list-of-flags]
permit-udp {any | {source source-wildcard}} {any | source-port} {any | {destination destination-wildcard}} {any | destination-port} [dscp number | ip-precedence number]
Parameters
source — Source IP address of the packet.
source-wildcard — Wildcard bits to be applied to the source IP address. Use 1s in the bit position to be
ignored.
destination — Destination IP address of the packet.
destination-wildcard — Wildcard bits to be applied to the destination IP address. Use 1s in the bit position to
be ignored.
protocol — The name or the number of an IP protocol. Available protocol names: icmp, igmp, ip, tcp, egp,
igp, udp, hmp, rdp, idpr, idrp, rsvp, gre, esp, ah, eigrp, ospf, ipip, pim, l2tp, isis. (Range: 0 - 255)
dscp number — Speci fies the DSCP value.
ip-precedence number — Specifies the IP precedence value.
fragments— The set of conditions is applied only to noninitial fragments.
icmp-type — Specifies an ICMP message type for filtering ICMP packets. Enter a number or one of the
following values: echo-reply, destination-unreachable, source-quench, redirect, alternate-host­address, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem, timestamp, timestamp-reply, information-request, information-reply, address-mask-request, address mask-reply, traceroute, datagram-conversion-error , mobile-host-redirect, mobile-registration-request, mobile-registration-reply, domain-name-request, domain-name-reply, skip, photuris. (Range: 0 - 255)
icmp-code — Specifies an ICMP message code for filtering ICMP packets. (Range: 0 - 255)
igmp-type — IGMP packets can be filtered by IGMP message type. Enter a number or one of the following
values: host-query , host-report, dvmrp, pim, cisco-trace, host-report-v2, host-leave-v2, host-report-v3. (Range: 0 - 255)
destination-port — Specifies the UDP/TCP destination port. (Range: 1 - 65535)
source-port — Specifies the UDP/TCP source port. (Range: 1 - 65535)
flags list-of-flags — List of TCP flags that should occur. If a flag should be set, it is prefixed by "+". If a flag should be unset, it is prefixed by "-". Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin. The flags are concatenated into one string. For example: +fin-ack.
IP Protocol                             Abbreviated Name   Protocol Number
Internet Control Message Protocol       icmp               1
Internet Group Management Protocol      igmp               2
IP in IP (encapsulation) Protocol       ipinip             4
Transmission Control Protocol           tcp                6
Exterior Gateway Protocol               egp                8
Interior Gateway Protocol               igp                9
User Datagram Protocol                  udp                17
Host Monitoring Protocol                hmp                20
Reliable Data Protocol                  rdp                27
Inter-Domain Policy Routing Protocol    idpr               35
Ipv6 protocol                           ipv6               41
Routing Header for IPv6                 ipv6-route         43
Fragment Header for IPv6                ipv6-frag          44
Inter-Domain Routing Protocol           idrp               45
Reservation Protocol                    rsvp               46
General Routing Encapsulation           gre                47
Encapsulating Security Payload (50)     esp                50
Authentication Header                   ah                 51
ICMP for IPv6                           ipv6-icmp          58
EIGRP routing protocol                  eigrp              88
Open Shortest Path Protocol             ospf               89
Protocol Independent Multicast          pim                103
Layer Two Tunneling Protocol            l2tp               115
ISIS over IPv4                          isis               124
(any IP protocol)                       any                25504
dscp — Indicates matching the dscp number with the packet dscp value.
ip-precedence — Indicates matching ip-precedence with the packet ip-precedence value.
icmp-type — Specifies an ICMP message type for filtering ICMP packets. Enter a value or one of the following values: echo-reply, destination-unreachable, source-quench, redirect, alternate-host-address, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem, timestamp, timestamp-reply, information-request, information-reply, address-mask-request, address-mask-reply, traceroute, datagram-conversion-error, mobile-host-redirect, ipv6-where-are-you, ipv6-i-am-here, mobile-registration-request, mobile-registration-reply, domain-name-request, domain-name-reply, skip and photuris. (Range: 0-255)
icmp-code — Specifies an ICMP message code for filtering ICMP packets. ICMP packets that are filtered by
ICMP message type can also be filtered by the ICMP message code. (Range: 0-255)
igmp-type — IGMP packets can be filtered by IGMP message type. Enter a number or one of the following
values: dvmrp, host-query, host-report, pim or trace. (Range: 0-255)
destination-port — Specifies the UDP/TCP destination port. (Range: 0-65535)
source-port — Specifies the UDP/TCP source port. (Range: 0-65535)
list-of-flags — Specifies a list of TCP flags that can be triggered. If a flag is set, it is prefixed by “+”. If a flag is
not set, it is prefixed by “-”. Possible values: +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin. The flags are concatenated into one string. For example: +fin-ack.
Default Configuration
No IPv4 ACL is defined.
Command Mode
IP Access-list Configuration mode
User Guidelines
You enter IP-Access List configuration mode by using the ip access-list Global Configuration mode command.
Example
The following example defines a permit statement for an IP ACL.
console(config)# ip access-list ip-acl1
console(config-ip-al)# permit rsvp 192.1.1.1 0.0.0.0 any dscp 56

deny (IP)

The deny IP Access List Configuration mode command sets conditions to not allow a packet to pass a named IP Access List.
Syntax
deny [disable-port] {any| protocol} {any|{source source-wildcard}} {any|{destination destination-wildcard}} [dscp number | ip-precedence number]
deny-icmp [disable-port] {any|{source source-wildcard}} {any|{destination destination-wildcard}} {any|icmp-type} {any|icmp-code} [dscp number | ip-precedence number]
deny-igmp [disable-port] {any|{source source-wildcard}} {any|{destination destination-wildcard}} {any|igmp-type} [dscp number | ip-precedence number]
deny-tcp [disable-port] {any|{source source-wildcard}} {any|source-port} {any|{destination destination-wildcard}} {any|destination-port} [dscp number | ip-precedence number] [flags list-of-flags]
deny-udp [disable-port] {any|{source source-wildcard}} {any|source-port} {any|{destination destination-wildcard}} {any|destination-port} [dscp number | ip-precedence number]
Parameters
disable-port — The Ethernet interface is disabled if the condition is matched.
source — Source IP address of the packet.
source-wildcard — Wildcard bits to be applied to the source IP address. Use 1s in the bit position to be
ignored.
destination — Packet’s destination IP address.
destination-wildcard — Wildcard bits to be applied to the destination IP address. Use 1s in the bit position to
be ignored.
protocol — The name or number of an IP protocol. Available protocol names: icmp, igmp, ip, tcp, egp, igp, udp, hmp, rdp, idpr, idrp, rsvp, gre, esp, ah, eigrp, ospf, ipip, pim, l2tp, isis. (Range: 0 - 255)
dscp number — Specifies the DSCP value.
ip-precedence number — Specifies the IP precedence value.
icmp-type — Specifies an ICMP message type for filtering ICMP packets. Enter a number, or one of the following values: echo-reply, destination-unreachable, source-quench, redirect, alternate-host-address, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem, timestamp, timestamp-reply, information-request, information-reply, address-mask-request, address-mask-reply, traceroute, datagram-conversion-error, mobile-host-redirect, mobile-registration-request, mobile-registration-reply, domain-name-request, domain-name-reply, skip, photuris. (Range: 0 - 255)
icmp-code — Specifies an ICMP message code for filtering ICMP packets. (Range: 0 - 255)
igmp-type — IGMP packets can be filtered by IGMP message type. Enter a number, or one of the following values: host-query, host-report, dvmrp, pim, cisco-trace, host-report-v2, host-leave-v2, host-report-v3. (Range: 0 - 255)
destination-port — Specifies the UDP/TCP destination port. (Range: 1 - 65535)
source-port — Specifies the UDP/TCP source port. (Range: 1 - 65535)
flags list-of-flags — List of TCP flags that should occur. If a flag is intended to be set, it is prefixed by ‘+’. If a flag should be unset, it is prefixed by ‘-’. Available options are: +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin. The flags are concatenated to a single string. For example: +fin-ack.
IP Protocol                             Abbreviated Name   Protocol Number
Internet Control Message Protocol       icmp               1
Internet Group Management Protocol      igmp               2
Transmission Control Protocol           tcp                6
Exterior Gateway Protocol               egp                8
Interior Gateway Protocol               igp                9
User Datagram Protocol                  udp                17
Host Monitoring Protocol                hmp                20
Reliable Data Protocol                  rdp                27
Inter-Domain Policy Routing Protocol    idpr               35
Ipv6 protocol                           ipv6               41
Routing Header for IPv6                 ipv6-route         43
Fragment Header for IPv6                ipv6-frag          44
Inter-Domain Routing Protocol           idrp               45
Reservation Protocol                    rsvp               46
General Routing Encapsulation           gre                47
Encapsulating Security Payload (50)     esp                50
Authentication Header                   ah                 51
ICMP for IPv6                           ipv6-icmp          58
EIGRP routing protocol                  eigrp              88
Open Shortest Path Protocol             ospf               89
Protocol Independent Multicast          pim                103
Layer Two Tunneling Protocol            l2tp               115
ISIS over IPv4                          isis               124
(any IP protocol)                       any                25504
Default Configuration
No IPv4 Access List is defined.
Command Mode
IP Access-list Configuration mode
User Guidelines
Enter IP-Access List configuration mode by using the ip access-list Global Configuration mode command.
After an access control entry (ACE) is added to an access control list, an implied deny-any-any condition
exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets.
Example
The following example defines a deny statement for an IP ACL.
console(config)# ip access-list ip-acl1
console(config-ip-al)# deny rsvp 192.1.1.1 0.0.0.255 any
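The wildcard-bit, list-of-flags and implied deny-any-any rules described for permit (IP) and deny (IP) can be checked offline before an ACL is bound to a port. The following Python model is an added example, not code from the manual or the switch firmware; the Ace class, the packet dictionaries and in-order evaluation of ACEs are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple

TCP_FLAGS = ("urg", "ack", "psh", "rst", "syn", "fin")
# Protocol numbers taken from the table on this page (subset).
PROTO = {"icmp": 1, "igmp": 2, "tcp": 6, "udp": 17, "rsvp": 46}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare addr with base, ignoring every bit position set to 1 in wildcard."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_flags(spec: str) -> dict:
    """Parse a concatenated list-of-flags string such as '+fin-ack'.

    Returns {flag: True} for '+flag' (must be set) and {flag: False} for '-flag'.
    """
    wanted = {}
    for i in range(0, len(spec), 4):          # every token is sign + 3 letters
        sign, name = spec[i], spec[i + 1:i + 4]
        if sign not in ("+", "-") or name not in TCP_FLAGS or name in wanted:
            raise ValueError(f"bad list-of-flags token {spec[i:i + 4]!r}")
        wanted[name] = sign == "+"
    return wanted


@dataclass
class Ace:
    """Hypothetical in-memory form of one permit/deny statement."""
    action: str                                   # "permit" or "deny"
    protocol: str = "any"
    src: Optional[Tuple[str, str]] = None         # (address, wildcard); None = any
    dst: Optional[Tuple[str, str]] = None
    flags: dict = field(default_factory=dict)     # output of parse_flags()

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "any" and PROTO[self.protocol] != pkt["proto"]:
            return False
        for rule, key in ((self.src, "src"), (self.dst, "dst")):
            if rule is not None and not wildcard_match(pkt[key], *rule):
                return False
        seen = pkt.get("flags", set())
        return all((name in seen) == want for name, want in self.flags.items())


def evaluate(acl: list, pkt: dict) -> tuple:
    """Return (action, index of the deciding ACE, or None for an implicit result)."""
    if not acl:
        return ("permit", None)       # before the first ACE, the list permits all
    for i, ace in enumerate(acl):     # assumption: ACEs are checked in order
        if ace.matches(pkt):
            return (ace.action, i)
    return ("deny", None)             # implied deny-any-any at the end of the list


# Constructed sample data: the deny (IP) example from this page plus two packets.
DENY_RSVP = [Ace("deny", "rsvp", ("192.1.1.1", "0.0.0.255"))]
RSVP_PKT = {"proto": 46, "src": "192.1.1.77", "dst": "10.0.0.5"}
TCP_PKT = {"proto": 6, "src": "10.9.9.9", "dst": "10.0.0.5", "flags": {"syn"}}

if __name__ == "__main__":
    print(evaluate([], TCP_PKT))                              # empty list
    print(evaluate(DENY_RSVP, RSVP_PKT))                      # explicit deny
    print(evaluate(DENY_RSVP, TCP_PKT))                       # implied deny
    print(evaluate(DENY_RSVP + [Ace("permit")], TCP_PKT))     # explicit permit
```

Under the stated rule, an ACL that contains only deny statements blocks every packet once it is applied, because unmatched traffic hits the implied deny-any-any; a trailing permit statement is needed if the intent is to drop only the listed traffic.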

ipv6 access-list

The ipv6 access-list Global Configuration mode command defines an IPv6 Access List and places the device in IPv6 Access List Configuration mode. Use the no form of this command to remove the Access List.
Syntax
ipv6 access-list access-list-name
no ipv6 access-list access-list-name
Parameters
access-list-name — Name of the IPv6 Access List. (Range: 1 - 32 characters)
Default Configuration
No IPv6 access list is defined.
Command Mode
Global configuration
User Guidelines
An IPv6 ACL has a unique name. An IPv6 ACL, IPv4 ACL and MAC ACL cannot share the same name.
Every IPv6 ACL has implicit permit icmp any any nd-ns any, permit icmp any any nd-na any and deny ipv6 any any statements as its last match conditions. (The former two match conditions allow for ICMPv6 neighbor discovery.)
The IPv6 neighbor discovery process makes use of the IPv6 network layer service; therefore, by default, IPv6
ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, makes use of a separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.
Example
The following example creates an IPv6 ACL.
Switch(config)# ipv6 access-list acl1
Switch(config-ipv6-acl)#

permit (IPv6)

The permit IPv6 Access-list Configuration mode command sets conditions to allow a packet to pass a named IPv6 Access List.
Syntax
permit {any | protocol} {any | source-prefix/length} {any | destination-prefix/length} [dscp number | ip-precedence number] [time-range time-range-name]
permit-icmp {any | source-prefix/length} {any | destination-prefix/length} {any | icmp-type} {any | icmp-code} [dscp number | ip-precedence number]
permit-tcp {any | source-prefix/length} {any | source-port} {any | destination-prefix/length} {any | destination-port} [dscp number | ip-precedence number] [flags list-of-flags] [time-range time-range-name]
permit-udp {any | source-prefix/length} {any | source-port} {any | destination-prefix/length} {any | destination-port} [dscp number | ip-precedence number] [time-range time-range-name]
Parameters
destination-port — Specifies the UDP/TCP destination port. (Range: 0- 65535)
destination-prefix/length — The destination IPv6 network or class of networks about which to set permit
conditions. This argument must be in the form documented in RFC 3513, where the address is specified in hexadecimal using 16-bit values between colons.
dscp number — Matches a differentiated services codepoint value against the traffic class value in the Traffic
Class field of each IPv6 packet header. (Range: 0 - 63)
flags list-of-flags — List of TCP flags that should occur. If a flag should be set, it is prefixed by +. If a flag should be unset, it is prefixed by -. Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin. The flags are concatenated to one string. For example: +fin-ack.
icmp-type — Specifies an ICMP message type for filtering ICMP packets. Enter a number or one of the following values: destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, mld-query, mld-report, mldv2-report, mld-done, router-solicitation, router-advertisement, nd-ns, nd-na. (Range: 0 - 255)
icmp-code — Specifies an ICMP message code for filtering ICMP packets. (Range: 0 - 255)
ip-precedence number — Specifies the IP precedence value.
protocol — The name or the number of an IP protocol. Available protocol names are: icmp, tcp and udp.
(Range: 0 - 255)
IP Protocol                             Abbreviated Name   Protocol Number
Transmission Control Protocol           tcp                6
User Datagram Protocol                  udp                17
Internet Control Message Protocol       icmp               58
(any IP protocol)                       any                25504
destination-port — Specifies the UDP/TCP destination port. (Range: 1 - 65535)
source-port — Specifies the UDP/TCP source port. (Range: 1 - 65535)
source-prefix/length — The source IPv6 network or class of networks about which to set permit conditions.
This argument must be in the form documented in RFC 3513, where the address is specified in hexadecimal using 16-bit values between colons.
Default Configuration
No IPv6 access list is defined.
Command Mode
IPv6 access list configuration
User Guidelines
IPv6 Syntax — The 128-bit IPv6 address format is divided into eight groups of four hexadecimal digits.
Abbreviation of this format is done by replacing a group of zeros with double colons. The IPv6 address representation can be further simplified by suppressing the leading zeros.
All different IPv6 address formats are acceptable for insertion, yet for display purposes, the system displays
the most abbreviated form, which replaces groups of zeros with double colons and removes the leading zeros.
IPv6 Prefixes — While Unicast IPv6 addresses written with their prefix lengths are permitted, in practice their
prefix lengths are always 64 bits and therefore are not required to be expressed. Any prefix that is less than 64 bits is a route or address range that is summarizing a portion of the IPv6 address space.
For every assignment of an IP address to an interface, the system runs the Duplicate Address Detection
algorithm to ensure uniqueness.
An intermediary transition mechanism is required for IPv6-only nodes to communicate with IPv6 nodes over
an IPv4 infrastructure. The tunneling mechanism implemented is the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP). This protocol treats the IPv4 network as a virtual IPv6 local-link, with each IPv4 address mapped to a Link Local IPv6 address.
Examples
The following example sets the conditions to allow a packet to pass an IPv6 Access List acl1.
Switch(config)# ipv6 access-list acl1
Switch(config-ipv6-acl)# permit-tcp 2001:0DB8:0300:0201::/64 any any 80

deny (IPv6)

The deny IPv6 Access-list Configuration mode command sets conditions to not allow a packet to pass a named IPv6 Access List.
Syntax
deny [disable-port] {any | protocol} {any | source-prefix/length} {any | destination-prefix/length} [dscp number | ip-precedence number] [time-range time-range-name]
deny-icmp [disable-port] {any | source-prefix/length} {any | destination-prefix/length} {any | icmp-type} {any | icmp-code} [dscp number | ip-precedence number] [time-range time-range-name]
deny-tcp [disable-port] {any | source-prefix/length} {any | source-port} {any | destination-prefix/length} {any | destination-port} [dscp number | ip-precedence number] [flags list-of-flags] [time-range time-range-name]
deny-udp [disable-port] {any | source-prefix/length} {any | source-port} {any | destination-prefix/length} {any | destination-port} [dscp number | ip-precedence number] [time-range time-range-name]
Parameters
destination-port — Specifies the UDP/TCP destination port. (Range: 0 - 65535)
destination-prefix/length — The destination IPv6 network or class of networks about which to set permit
conditions. This argument must be in the form documented in RFC 3513, where the address is specified in hexadecimal using 16-bit values between colons.
disable-port — The Ethernet interface would be disabled if the condition is matched.
dscp number — Matches a differentiated services codepoint value against the traffic class value in the Traffic
Class field of each IPv6 packet header. (Range: 0 - 63)
flags list-of-flags — List of TCP flags that should occur. If a flag should be set, it is prefixed by +. If a flag should be unset, it is prefixed by -. Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin. The flags are concatenated to one string. For example: +fin-ack.
icmp-type — Specifies an ICMP message type for filtering ICMP packets. Enter a number or one of the
following values: destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, mld-query, mld-report, mldv2-report, mld-done, router-solicitation, router-advertisement, nd-ns, nd-na. (Range: 0 - 255)
icmp-code — Specifies an ICMP message code for filtering ICMP packets. (Range: 0 - 255)
ip-precedence number — Specifies the IP precedence value.
protocol — The name or the number of an IP protocol. Available protocol names are: icmp, tcp and udp.
(Range: 0 - 255)
IP Protocol                             Abbreviated Name   Protocol Number
Transmission Control Protocol           tcp                6
User Datagram Protocol                  udp                17
Internet Control Message Protocol       icmp               58
(any IP protocol)                       any                25504
destination-port — Specifies the UDP/TCP destination port. (Range: 1 - 65535)
source-port — Specifies the UDP/TCP source port. (Range: 1 - 65535)
source-prefix/length — The source IPv6 network or class of networks about which to set permit conditions.
This argument must be in the form documented in RFC 3513, where the address is specified in hexadecimal using 16-bit values between colons.
time-range-name — Name of the time range that applies to this deny statement. (Range: 1 - 32)
Default Configuration
No IPv6 access list is defined.
Command Mode
IPv6 access list configuration
User Guidelines
IPv6 Syntax — The 128-bit IPv6 address format is divided into eight groups of four hexadecimal digits.
Abbreviation of this format is done by replacing a group of zeros with double colons. The IPv6 address representation can be further simplified by suppressing the leading zeros.
All different IPv6 address formats are acceptable for insertion, yet for display purposes, the system displays
the most abbreviated form, which replaces groups of zeros with double colons and removes the leading zeros.
IPv6 Prefixes — While Unicast IPv6 addresses written with their prefix lengths are permitted, in practice their
prefix lengths are always 64 bits and therefore are not required to be expressed. Any prefix that is less than 64 bits is a route or address range that is summarizing a portion of the IPv6 address space.
For every assignment of an IP address to an interface, the system runs the Duplicate Address Detection
algorithm to ensure uniqueness.
An intermediary transition mechanism is required for IPv6-only nodes to communicate with IPv6 nodes over
an IPv4 infrastructure. The tunneling mechanism implemented is the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP). This protocol treats the IPv4 network as a virtual IPv6 local-link, with each IPv4 address mapped to a Link Local IPv6 address.
Examples
The following example sets the conditions that prevent a packet from passing IPv6 Access List acl1.
Switch(config)# ipv6 access-list acl1
Switch(config-ipv6-acl)# deny-tcp 2001:0DB8:0300:0201::/64 any any 80

mac access-list

The mac access-list Global Configuration mode command defines a Layer 2 Access List and places the device in MAC-Access List Configuration mode. Use the no form of this command to remove the Access List.
Syntax
mac access-list access-list-name
no mac access-list access-list-name
Parameters
access-list-name — Name of the MAC-Access List.
Default Configuration
No MAC-Access List is defined.
Command Mode
Global Configuration mode
User Guidelines
Example
The following example creates a MAC ACL.
console(config)# mac access-list macl-acl1
console(config-mac-al)#

permit (MAC)

The permit MAC-Access List Configuration mode command sets permit conditions for a MAC-Access List.
Syntax
permit {any | {source source-wildcard}} {any | {destination destination-wildcard}} [vlan vlan-id] [cos cos cos-wildcard] [ethtype eth-type]
Parameters
source — Source MAC address of the packet.
source-wildcard — Wildcard bits to be applied to the source MAC address. Use 1s in the bit position to be
ignored.
destination — Destination MAC address of the packet.
destination-wildcard — Specifies wildcard bits to be applied to the destination MAC address. Use 1s in bit
positions to be ignored.
vlan-id — Specifies the ID of the packet VLAN.
cos — Specifies the Class of Service (CoS) for the packet. (Range: 0-7)
cos-wildcard — Specifies wildcard bits to be applied to the CoS.
eth-type — Specifies the Ethernet type in hexadecimal format of the packet. (Range: 0-05dd-fff)
Default Configuration
No MAC ACL is defined.
Command Mode
MAC-Access List Configuration mode
User Guidelines
Enter MAC-Access List configuration mode by using the mac access-list Global Configuration mode command.
After an access control entry (ACE) is added to an access control list, an implied deny-any-any condition
exists at the end of the list. That is, if there are no matches, the packets are denied. However, before the first ACE is added, the list permits all packets.
Example
The following example creates a MAC ACL with permit rules.
console(config)# mac access-list macl-acl1
console(config-mac-al)# permit 6:6:6:6:6:6 0:0:0:0:0:0 any vlan 6

deny (MAC)

The deny MAC-Access List Configuration mode command sets deny conditions for a MAC-Access List.
Syntax
deny [disable-port] {any | {source source-wildcard}} {any | {destination destination-wildcard}} [vlan vlan-id] [cos cos cos-wildcard] [ethtype eth-type]
Parameters
disable-port — Indicates the Ethernet interface is disabled if the condition is matched.
source — Specifies source MAC address of the packet.
source-wildcard — Specifies wildcard bits to be applied to the source MAC address. Use 1s in the bit position
to be ignored.
destination — Specifies the MAC address of the host to which the packet is being sent.
destination-wildcard — Specifies wildcard bits to be applied to the destination MAC address. Use 1s in the bit
position to be ignored.
vlan-id — Specifies the VLAN ID of the packet. (Range: 0 - 4095)
cos — Specifies the Class of Service of the packet. (Range: 0 - 7)
cos-wildcard — Specifies wildcard bits to be applied to the CoS.
eth-type — Specifies the Ethernet type in hexadecimal format of the packet. (Range: 0-05dd-fff)
Default Configuration
No MAC-Access List is defined.
Command Mode
MAC-Access List Configuration mode
User Guidelines
MAC BPDU packets cannot be denied.
This command defines an Access Control Element (ACE). An ACE can only be removed by deleting the ACL,
using the no mac access-list Global Configuration mode command. Alternatively, the Web-based interface can be used to delete ACEs from an ACL.
The following user guidelines are relevant to GE devices only:
Before an Access Control Element (ACE) is added to an ACL, all packets are permitted. After an ACE is added, an implied deny-any-any condition exists at the end of the list and those packets that do not match the conditions defined in the permit statement are denied.
If the VLAN ID is specified, the policy map cannot be connected to the VLAN interface.
Example
The following example creates a MAC ACL with deny rules.
console(config)# mac access-list macl1
console(config-mac-acl)# deny 6:6:6:6:6:6 0:0:0:0:0:0 any

service-acl

The service-acl Interface Configuration mode command controls access to an interface. Use the no form of this command to remove the access control.
Syntax
service-acl input acl-name
no service-acl input
Parameters
input — Applies the specified ACL to the input interface.
Default Configuration
This command has no default configuration.
Command Mode
Interface Configuration (Ethernet, Port-Channel) mode
User Guidelines
In advanced mode, when an ACL is bound to an interface, the port trust mode is set to trust 12-13 and not to 12.
Example
The following example binds (services) an ACL to Ethernet interface e2.
console(config)# interface ethernet e2
console(config-if)# service-acl input macl1

show access-lists

The show access-lists Privileged EXEC mode command displays Access Control Lists (ACLs) configured on the switch.
Syntax
show access-lists [name]
Parameters
name — Name of the ACL.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays access lists.
console# show access-lists
IP access list ACL1
permit ip host 172.30.40.1 any
permit rsvp host 172.30.8.8 any

show interfaces access-lists

The show interfaces access-lists Privileged EXEC mode command displays access lists applied on interfaces.
Syntax
show interfaces access-lists [ ethernet interface | vlan vlan-id | port-channel port-channel-number ]
Parameters
vlan-id — Specifies the ID of the VLAN.
interface — The full syntax is: unit/port.
port-channel-number — Valid port-channel Index.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays ACLs applied to the interfaces of a device:
console# show interfaces access-lists
Interface   Input ACL
---------   ---------
1/e1        ACL1
2/e1        ACL3

Chapter 3. AAA Commands

aaa authentication login

The aaa authentication login Global Configuration mode command defines login authentication. Use the no form of this command to return to the default configuration.
Syntax
aaa authentication login {default | list-name} method1 [method2...]
no aaa authentication login {default | list-name}
Parameters
default — Uses the listed authentication methods that follow this argument as the default list of methods
when a user logs in.
list-name — Character string used to name the list of authentication methods activated when a user logs in.
(Range: 1-12 characters).
method1 [method2...] — Specify at least one from the following table:
Keyword   Description
enable    Uses the enable password for authentication.
line      Uses the line password for authentication.
local     Uses the local username database for authentication.
none      Uses no authentication.
radius    Uses the list of all RADIUS servers for authentication.
tacacs    Uses the list of all TACACS+ servers for authentication.
Default Configuration
The local user database is checked. This has the same effect as the command aaa authentication login list-name local.
On the console, login succeeds without any authentication check if the authentication method is not defined.
Command Mode
Global Configuration mode
User Guidelines
The default and optional list names created with the aaa authentication login command are used with the
login authentication command.
Create a list by entering the aaa authentication login list-name method command for a particular protocol,
where list-name is any character string used to name this list. The method argument identifies the list of methods that the authentication algorithm tries, in the given sequence.
The additional methods of authentication are used only if the previous method returns an error, not if it fails.
To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.
Example
The following example configures the authentication login.
Console(config)# aaa authentication login default radius local enable none

aaa authentication enable

The aaa authentication enable Global Configuration mode command defines authentication method lists for accessing higher privilege levels. Use the no form of this command to return to the default configuration.
Syntax
aaa authentication enable {default | list-name} method1 [method2...]
no aaa authentication enable {default | list-name}
Parameters
default — Uses the listed authentication methods that follow this argument as the default list of methods,
when using higher privilege levels.
list-name — Character string used to name the list of authentication methods activated when accessing higher privilege levels. (Range: 1-12 characters)
method1 [method2...] — Specify at least one from the following table:
Keyword   Description
enable    Uses the enable password for authentication.
line      Uses the line password for authentication.
none      Uses no authentication.
radius    Uses the list of all RADIUS servers for authentication. Uses username $enabx$., where x is the privilege level.
tacacs    Uses the list of all TACACS+ servers for authentication. Uses username "$enabx$." where x is the privilege level.
Default Configuration
If the default list is not set, only the enable password is checked. This has the same effect as the command aaa authentication enable default enable.
On the console, the enable password is used if it exists. If no password is set, the process still succeeds. This has the same effect as using the command aaa authentication enable default enable none.
Command Mode
Global Configuration mode
User Guidelines
The default and optional list names created with the aaa authentication enable command are used with the
enable authentication command.
The additional methods of authentication are used only if the previous method returns an error, not if it fails.
To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.
All aaa authentication enable default requests sent by the device to a RADIUS or TACACS+ server include
the username $enabx$., where x is the requested privilege level.
Example
The following example sets the enable password for authentication when accessing higher privilege levels.
Console(config)# aaa authentication enable default enable

login authentication

The login authentication Line Configuration mode command specifies the login authentication method list for a remote telnet or console. Use the no form of this command to return to the default configuration specified by the
aaa authentication login command.
Syntax
login authentication {default | list-name}
no login authentication
Parameters
default — Uses the default list created with the aaa authentication login command.
list-name — Uses the indicated list created with the aaa authentication login command.
Default Configuration
Uses the default set with the command aaa authentication login.
Command Mode
Line Configuration mode
User Guidelines
Changing login authentication from default to another value may disconnect the telnet session.
Example
The following example specifies the default authentication method for a console.
Console(config)# line console
Console(config-line)# login authentication default

enable authentication

The enable authentication Line Configuration mode command specifies the authentication method list when accessing a higher privilege level from a remote telnet or console. Use the no form of this command to return to the default configuration specified by the aaa authentication enable command.
Syntax
enable authentication {default | list-name}
no enable authentication
Parameters
default — Uses the default list created with the aaa authentication enable command.
list-name — Uses the indicated list created with the aaa authentication enable command.
Default Configuration
Uses the default set with the aaa authentication enable command.
Command Mode
Line Configuration mode
User Guidelines
There are no user guidelines for this command.
Example
The following example specifies the default authentication method when accessing a higher privilege level from a console.
Console(config)# line console
Console(config-line)# enable authentication default

ip http authentication

The ip http authentication Global Configuration mode command specifies authentication methods for HTTP server users. Use the no form of this command to return to the default configuration.
Syntax
ip http authentication method1 [method2...]
no ip http authentication
Parameters
method1 [method2...] — Specify at least one from the following table:
Keyword    Description
local      Uses the local username database for authentication.
none       Uses no authentication.
radius     Uses the list of all RADIUS servers for authentication.
tacacs     Uses the list of all TACACS+ servers for authentication.
Default Configuration
The local user database is checked. This has the same effect as the command ip http authentication local.
Command Mode
Global Configuration mode
User Guidelines
The additional methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.
Example
The following example configures the HTTP authentication.
Console(config)# ip http authentication radius local

ip https authentication

The ip https authentication Global Configuration mode command specifies authentication methods for HTTPS server users. Use the no form of this command to return to the default configuration.
Syntax
ip https authentication method1 [method2...]
no ip https authentication
Parameters
method1 [method2...] — Specify at least one from the following table:
Keyword    Description
local      Uses the local username database for authentication.
none       Uses no authentication.
radius     Uses the list of all RADIUS servers for authentication.
tacacs     Uses the list of all TACACS+ servers for authentication.
Default Configuration
The local user database is checked. This has the same effect as the command ip https authentication local.
Command Mode
Global Configuration mode
User Guidelines
The additional methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.
Example
The following example configures HTTPS authentication.
Console(config)# ip https authentication radius local
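The fallthrough rule in the User Guidelines for ip http authentication and ip https authentication (a later method is consulted only when the previous one returns an error, never when it rejects the credentials) is modelled below in Python, with a check that flags lists containing none. This is an added example, not part of the Allied Telesis manual or the switch software; the Outcome names and the wording of the audit findings are assumptions made for illustration.

```python
from enum import Enum


class Outcome(Enum):
    ACCEPT = "accept"  # the method answered and the credentials were valid
    FAIL = "fail"      # the method answered and rejected the credentials
    ERROR = "error"    # the method could not answer (for example, server unreachable)


KEYWORDS = ("local", "none", "radius", "tacacs")  # keyword table in the manual


def parse_auth_command(line):
    """Split 'ip http|https authentication method1 [method2...]' into (service, methods)."""
    tokens = line.split()
    if (len(tokens) < 4 or tokens[0] != "ip" or tokens[1] not in ("http", "https")
            or tokens[2] != "authentication"):
        raise ValueError("not an ip http/https authentication command: %r" % line)
    methods = tokens[3:]
    for method in methods:
        if method not in KEYWORDS:
            raise ValueError("unknown method keyword: %r" % method)
    return tokens[1], methods


def evaluate(methods, outcomes):
    """Return (granted, deciding_method) for one login attempt.

    outcomes maps a method name to the Outcome it produces for this attempt.
    """
    for method in methods:
        if method == "none":
            return True, "none"       # "Uses no authentication": always grants
        outcome = outcomes[method]
        if outcome is Outcome.ACCEPT:
            return True, method
        if outcome is Outcome.FAIL:
            return False, method      # a fail is final; later methods are not tried
        # Outcome.ERROR: move on to the next method in the list
    return False, None                # every method returned an error


def audit(line):
    """Return findings for a configured method list (empty list = nothing to flag)."""
    service, methods = parse_auth_command(line)
    findings = []
    if "none" in methods:
        position = methods.index("none")
        if position == 0:
            findings.append("%s: 'none' is first, so no credentials are ever checked" % service)
        else:
            findings.append("%s: 'none' follows %s, so access is granted without credentials "
                            "whenever every earlier method returns an error"
                            % (service, ", ".join(methods[:position])))
        if position != len(methods) - 1:
            findings.append("%s: methods after 'none' are never consulted" % service)
    elif len(methods) == 1 and methods[0] in ("radius", "tacacs"):
        findings.append("%s: single remote method, so an error leaves no way to log in" % service)
    return findings


if __name__ == "__main__":
    methods = parse_auth_command("ip https authentication radius local")[1]
    # RADIUS rejects the password: local is NOT tried, the login is refused.
    print(evaluate(methods, {"radius": Outcome.FAIL, "local": Outcome.ACCEPT}))
    # RADIUS is unreachable: the local database decides.
    print(evaluate(methods, {"radius": Outcome.ERROR, "local": Outcome.ACCEPT}))
    for finding in audit("ip http authentication radius none"):
        print(finding)
```

Run audit over the ip http authentication and ip https authentication lines of a saved configuration; a list ending in none trades lockout protection for unauthenticated web management access during a RADIUS or TACACS+ outage.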

show authentication methods

The show authentication methods Privileged EXEC mode command displays information about the authentication methods.
Syntax
show authentication methods
Parameters
This command has no arguments or keywords.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays the authentication configuration.
Console# show authentication methods

Login Authentication Method Lists
---------------------------------
Default: Radius, Local, Line
Console_Login: Line, None

Enable Authentication Method Lists
----------------------------------
Default: Radius, Enable
Console_Enable: Enable, None

Line             Login Method List   Enable Method List
--------------   -----------------   ------------------
Console          Console_Login       Console_Enable
Telnet           Default             Default
SSH              Default             Default

http: Radius, Local
https: Radius, Local
dot1x: Radius

password

The password Line Configuration mode command specifies a password on a line. Use the no form of this command to remove the password.
Syntax
password password [encrypted]
no password
Parameters
password — Password for this level (Range: 1-159 characters).
encrypted — Encrypted password to be entered, copied from another device configuration.
Default Configuration
No password is defined.
Command Mode
Line Configuration mode
User Guidelines
If a password is defined as encrypted, the required password length is 32 characters.
Example
The following example specifies password secret on a console.
Console(config)# line console
Console(config-line)# password secret

username

The username Global Configuration mode command creates a user account in the local database. Use the no form of this command to remove a user name.
Syntax
username name [password password] [level level] [encrypted]
no username name
Parameters
name — The name of the user (Range: 1-20 characters).
password — The authentication password for the user (Range: 1-159 characters).
level — The user level (Range: 1-15).
encrypted — Encrypted password entered, copied from another device configuration.
Default Configuration
No user is defined.
Command Mode
Global Configuration mode
User Guidelines
A user account can be created without a password.
A single username can be defined for privilege level 1 and another one for privilege level 15.
Default usernames:
Privilege level 1: username = operator, password = operator
Privilege level 15: username = manager, password = friend
Example
The following example configures user bob with password lee and user level 15 to the system.
Console(config)# username bob password lee level 15

aaa accounting login

The aaa accounting login Global Configuration mode command defines accounting of device management sessions. Use the no form of this command to disable accounting.
Syntax
aaa accounting login {radius}
no aaa accounting login
Parameters
radius — Accounting is performed by a RADIUS server.
Default Configuration
Disabled.
Command Mode
Global Configuration mode.
User Guidelines
This command enables the recording of device management sessions (Telnet, serial and Web, but not SNMP).
It records only users that were identified with a username (for example, a user logged in with a line password is not recorded).
If accounting is activated, the device sends Start/Stop messages to a RADIUS server when a user logs in/logs out, respectively.
The device uses the configured priorities of the available RADIUS servers to select the RADIUS server to use.
The following table describes the supported RADIUS accounting Attribute Values when they are sent by the switch:
Name                        Start  Stop  Description
User-Name (1)               Yes    Yes   The user identity.
NAS-IP-Address (4)          Yes    Yes   The switch IP address that is used for the session with the RADIUS server.
Class (25)                  Yes    Yes   An arbitrary value is included in all accounting packets for a specific session.
Called-Station-ID (30)      Yes    Yes   The switch IP address that is used for the management session.
Calling-Station-ID (31)     Yes    Yes   The user IP address.
Acct-Session-ID (44)        Yes    Yes   A unique accounting identifier.
Acct-Authentic (45)         Yes    Yes   Indicates how the supplicant was authenticated.
Acct-Session-Time (46)      No     Yes   Indicates how long the user was logged in.
Acct-Terminate-Cause (49)   No     Yes   Reports why the session was terminated.
Example
The following example defines the accounting of device management sessions to a RADIUS server.
Console(config)# aaa accounting login radius

aaa accounting dot1x

The aaa accounting dot1x Global Configuration mode command defines accounting of 802.1x sessions. Use the no form of this command to disable 802.1x accounting.
Syntax
aaa accounting dot1x {radius}
no aaa accounting dot1x
Parameters
radius — Accounting is performed by a RADIUS server.
Default Configuration
Disabled.
Command Mode
Global Configuration.
User Guidelines
This command enables the recording of 802.1x sessions.
If accounting is activated, the device sends a Start/Stop message to a RADIUS server when a user logs in/logs out to the network, respectively. The software sends Start/Stop messages for each authenticated supplicant.
The device uses the configured priorities of the available RADIUS servers to select the RADIUS server to use.
If a new supplicant replaces an old supplicant (even if the port state remains authorized), the software sends a Stop message for the old supplicant and a Start message for the new supplicant.
The software does not send Start/Stop messages if the port is force-authorized.
The software does not send Start/Stop messages for hosts that are sending traffic on the guest VLAN or on the unauthenticated VLANs.
The following table describes the supported RADIUS accounting Attribute Values when they are sent by the switch:
Name                        Start  Stop  Description
User-Name (1)               Yes    Yes   The user identity.
NAS-IP-Address (4)          Yes    Yes   The switch IP address that is used for the session with the RADIUS server.
NAS-Port (5)                Yes    Yes   The switch port from where the supplicant logged in.
Class (25)                  Yes    Yes   An arbitrary value is included in all accounting packets for a specific session.
Called-Station-ID (30)      Yes    Yes   The switch MAC address.
Calling-Station-ID (31)     Yes    Yes   The supplicant MAC address.
Acct-Session-ID (44)        Yes    Yes   A unique accounting identifier.
Acct-Authentic (45)         Yes    Yes   Indicates how the supplicant was authenticated.
Acct-Session-Time (46)      No     Yes   Indicates how long the user was logged in.
Acct-Terminate-Cause (49)   No     Yes   Reports why the session was terminated.
Nas-Port-Type (61)          Yes    Yes   Indicates the supplicant physical port type.
Example
The following example defines the accounting of 802.1x sessions to a RADIUS server.
Console(config)# aaa accounting dot1x radius
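On the collector side, the two attribute tables above (aaa accounting login and aaa accounting dot1x) can be used to check each received Start or Stop record for completeness. The Python below is an added example, not part of the manual or the switch software: it parses a raw Accounting-Request and reports attributes that a table says should be present but are not. The packet code 4 and the Acct-Status-Type attribute (40, Start = 1, Stop = 2) come from RFC 2866 rather than from this page, and the sample packets are constructed.

```python
import struct

# (name, sent in Start, sent in Stop) keyed by attribute number, copied from the
# aaa accounting login table; the dot1x table adds NAS-Port and Nas-Port-Type.
LOGIN_ATTRS = {
    1: ("User-Name", True, True),
    4: ("NAS-IP-Address", True, True),
    25: ("Class", True, True),
    30: ("Called-Station-ID", True, True),
    31: ("Calling-Station-ID", True, True),
    44: ("Acct-Session-ID", True, True),
    45: ("Acct-Authentic", True, True),
    46: ("Acct-Session-Time", False, True),
    49: ("Acct-Terminate-Cause", False, True),
}
DOT1X_ATTRS = {**LOGIN_ATTRS, 5: ("NAS-Port", True, True), 61: ("Nas-Port-Type", True, True)}

# Not in the manual: packet code and Acct-Status-Type values are from RFC 2866.
ACCOUNTING_REQUEST = 4
ACCT_STATUS_TYPE = 40
STATUS_NAMES = {1: "Start", 2: "Stop"}


def parse_attributes(packet):
    """Return {attribute number: value bytes} for a raw Accounting-Request.

    The Request Authenticator is skipped, not verified (that needs the shared
    secret). If an attribute number repeats, the last value wins.
    """
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request (code %d)" % code)
    if length < 20 or length > len(packet):
        raise ValueError("length field %d does not fit %d received bytes" % (length, len(packet)))
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad length %d for attribute %d" % (a_len, a_type))
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return attrs


def check_record(packet, table):
    """Return (status, missing names, unexpected names) measured against one table."""
    attrs = parse_attributes(packet)
    raw_status = attrs.get(ACCT_STATUS_TYPE, b"")
    if len(raw_status) != 4:
        raise ValueError("Acct-Status-Type missing or malformed")
    status = STATUS_NAMES.get(struct.unpack("!I", raw_status)[0])
    if status is None:
        raise ValueError("not a Start or Stop record")
    column = 1 if status == "Start" else 2
    expected = {number for number, row in table.items() if row[column]}
    present = set(attrs) & set(table)
    missing = sorted(table[n][0] for n in expected - present)
    unexpected = sorted(table[n][0] for n in present - expected)
    return status, missing, unexpected


def build_request(status, attributes):
    """Build a constructed sample packet (identifier 1, zeroed authenticator)."""
    body = bytes([ACCT_STATUS_TYPE, 6]) + struct.pack("!I", status)
    for number, value in attributes:
        body += bytes([number, len(value) + 2]) + value
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body)) + bytes(16) + body


# Constructed sample values (documentation addresses; user name from the username example).
COMMON_ATTRS = [
    (1, b"bob"), (4, bytes([192, 0, 2, 10])), (25, b"constructed-class"),
    (30, b"192.0.2.10"), (31, b"192.0.2.50"), (44, b"00000001"),
    (45, struct.pack("!I", 1)),
]
SAMPLE_START = build_request(1, COMMON_ATTRS)
SAMPLE_STOP_INCOMPLETE = build_request(2, COMMON_ATTRS + [(46, struct.pack("!I", 95))])

if __name__ == "__main__":
    for label, packet in (("start", SAMPLE_START), ("stop", SAMPLE_STOP_INCOMPLETE)):
        print(label, check_record(packet, LOGIN_ATTRS))
```

A Stop record that lacks Acct-Terminate-Cause, or a session with a Start and no matching Stop for the same Acct-Session-ID, is worth an alert because it leaves the management session without a recorded end.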

show users accounts

The show users accounts Privileged EXEC mode command displays information about the local user database.
Syntax
show users accounts
Parameters
This command has no arguments or keywords.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays the local users configured with access to the system.
Console# show users accounts
Username   Privilege   Password   Password      Lockout
                       Aging      Expiry date
--------   ---------   --------   -----------   -------
Bob        1           120        Jan 21 2005   -
Admin      15          120        Jan 21 2005   -
Manager    15          120        Jan 21 2005   -
The following table describes significant fields shown above.
Field       Description
Username    Name of the user.
Privilege   User’s privilege level.

enable password

The enable password Global Configuration mode command sets a local password to control access to user and privilege levels. Use the no form of this command to remove the password requirement.
Syntax
enable password [level level] password [encrypted]
no enable password [level level]
Parameters
password — Password for this level. (Range: 1-159 characters)
level — Level for which the password applies. If not specified the level is 15. (Range: 1-15)
encrypted — Encrypted password entered, copied from another device configuration. (Range: 32 characters in hexadecimal)
Default Configuration
No enable password is defined.
Command Mode
Global Configuration mode
User Guidelines
There are no user guidelines for this command.
Example
The following example sets a local level 15 password called ‘secret’ to control access to user and privilege levels.
Console(config)# enable password secret level 15

show accounting

The show accounting Exec mode command displays information about the accounting.
Syntax
show accounting
Parameters
This command has no arguments or keywords.
Default Configuration
There is no default configuration for this command.
Command Mode
Exec mode
User Guidelines
There are no user guidelines for this command.
Example
Console# show accounting
Login: Radius
802.1x: Disabled

Chapter 4. Address Table Commands

bridge address

The bridge address Interface Configuration (VLAN) mode command adds a MAC-layer station source address to the bridge table. Use the no form of this command to delete the MAC address.
Syntax
bridge address mac-address {ethernet interface | port-channel port-channel-number} [permanent | delete-on-reset | delete-on-timeout | secure]
no bridge address [mac-address]
Parameters
mac-address — A valid MAC address.
interface — A valid Ethernet port.
port-channel-number — A valid port-channel number.
permanent — The address can only be deleted by the no bridge address command.
delete-on-reset — The address is deleted after reset.
delete-on-timeout — The address is deleted after "age out" time has expired.
secure — The address is deleted after the port changes mode to unlock learning (no port security command). This parameter is only available when the port is in the learning locked mode.
Default Configuration
No static addresses are defined. The default mode for an added address is permanent.
Command Mode
Interface Configuration (VLAN) mode
User Guidelines
Using the no form of the command without specifying a MAC address deletes all static MAC addresses belonging to this VLAN.
Example
The following example adds a permanent static MAC-layer station source address 3aa2.64b3.a245 on port 1/e16 to the bridge table.
console(config)# interface vlan 2
console(config-if)# bridge address 3aa2.64b3.a245 ethernet 1/e16 permanent

bridge multicast filtering

The bridge multicast filtering Global Configuration mode command enables filtering of Multicast addresses. Use the no form of this command to disable filtering of Multicast addresses.
Syntax
bridge multicast filtering
no bridge multicast filtering
Parameters
This command has no keywords or arguments.
Default Configuration
Bridge Multicast filtering is disabled. All Multicast addresses are flooded to all ports.
Command Mode
Global Configuration mode
User Guidelines
If routers exist on the VLAN, do not change the unregistered Multicast addresses state to drop on the router ports.
If Multicast routers exist on the VLAN and IGMP snooping isn't enabled, use the bridge multicast forward-all command to enable forwarding all Multicast packets to the Multicast routers.
Example
The following example enables bridge Multicast filtering.
console(config)# bridge multicast filtering

bridge multicast address

The bridge multicast address Interface Configuration mode command registers MAC-layer Multicast addresses to the bridge table, and adds ports statically to the group. Use the no form of this command to deregister the address.
Syntax
bridge multicast address mac-multicast-address
Parameters
add — Adds ports to the group. If no option is specified, this is the default option.
remove — Removes ports from the group.
mac-multicast-address — A valid MAC Multicast address.
interface-list — Separate nonconsecutive Ethernet ports with a comma and no spaces; a hyphen is used to designate a range of ports.
port-channel-number-list — Separate nonconsecutive port-channels with a comma and no spaces; a hyphen is used to designate a range of ports.
Default Configuration
No Multicast addresses are defined.
Command Mode
Interface configuration (VLAN) mode
User Guidelines
If the command is executed without add or remove, the command only registers the group in the bridge database.
Static Multicast addresses can only be defined on static VLANs.
Example
The following example registers the MAC address:
console(config)# interface vlan 8
console(config-if)# bridge multicast address 01:00:5e:02:02:03
The following example registers the MAC address and adds ports statically.
console(config)# interface vlan 8
console(config-if)# bridge multicast address 01:00:5e:02:02:03 add ethernet 1/e1-9, 2/e2

bridge multicast forbidden address

The bridge multicast forbidden address Interface Configuration mode command forbids adding specific Multicast addresses to specific ports. Use the no form of this command to return to default.
Syntax
bridge multicast forbidden address {mac-multicast-address | ip-multicast-address} {add | remove} {ethernet interface-list | port-channel port-channel-number-list}
no bridge multicast forbidden address {mac-multicast-address | ip-multicast-address}
Parameters
add — Adds ports to the group.
remove — Removes ports from the group.
mac-multicast-address — A valid MAC Multicast address.
interface-list — Separate nonconsecutive Ethernet ports with a comma and no spaces; a hyphen is used to designate a range of ports.
port-channel-number-list — Separate nonconsecutive valid port-channels with a comma and no spaces; a hyphen is used to designate a range of port-channels.
Default Configuration
No forbidden addresses are defined.
Command Modes
Interface Configuration (VLAN) mode
User Guidelines
Before defining forbidden ports, the Multicast group should be registered.
Example
The following example configures MAC address 0100.5e02.0203 to be forbidden on port 2/e9 within VLAN 8.
console(config)# interface vlan 8
console(config-if)# bridge multicast address 0100.5e02.0203
console(config-if)# bridge multicast forbidden address 0100.5e02.0203 add ethernet 2/e9

bridge multicast unregistered

The bridge multicast unregistered Interface Configuration mode command configures the forwarding state of unregistered multicast addresses. Use the no form of this command to return to default.
Syntax
bridge multicast unregistered [forwarding | filtering]
no bridge multicast unregistered
Parameters
forwarding — Forwards unregistered multicast packets.
filtering — Filters unregistered multicast packets. See the usage guidelines for cases where the port is a router port.
Default Configuration
Forwarding.
Command Mode
Interface configuration (Ethernet, Port-Channel).
User Guidelines
Do not enable unregistered multicast filtering on ports that are connected to routers, since the 224.0.0.x address range is not filtered. Note that routers do not necessarily send IGMP reports for the 224.0.0.x range.
Example
The following example configures the forwarding state of unregistered multicast addresses to be forwarded.
console(config)# interface vlan 8
console(config-if)# bridge multicast unregistered forwarding

bridge multicast forward-all

The bridge multicast forward-all Interface Configuration (VLAN) mode command enables forwarding all Multicast packets on a port. Use the no form of this command to restore the default configuration.
Syntax
bridge multicast forward-all {add | remove} {ethernet interface-list | port-channel port-channel-number-list}
no bridge multicast forward-all
Parameters
add — Force forwarding all Multicast packets.
remove — Do not force forwarding all Multicast packets.
interface-list — Separate nonconsecutive Ethernet ports with a comma and no spaces; a hyphen is used to designate a range of ports.
port-channel-number-list — Separate nonconsecutive port-channels with a comma and no spaces; a hyphen is used to designate a range of port-channels.
Default Configuration
This setting is disabled.
Command Mode
Interface Configuration (VLAN) mode
User Guidelines
There are no user guidelines for this command.
Example
The following example enables all Multicast packets on port 1/e8 to be forwarded.
console(config)# interface vlan 2
console(config-if)# bridge multicast forward-all add ethernet 1/e8

bridge multicast forbidden forward-all

The bridge multicast forbidden forward-all Interface Configuration mode command forbids a port to be a Forward-all-Multicast port. Use the no form of this command to return to default.
Syntax
bridge multicast forbidden forward-all {add | remove} {ethernet interface-list | port-channel port-channel-number-list}
no bridge multicast forbidden forward-all
Parameters
add — Forbid forwarding all Multicast packets.
remove — Do not forbid forwarding all Multicast packets.
interface-list — Separates nonconsecutive Ethernet ports with a comma and no spaces; use a hyphen to designate a range of ports.
port-channel-number-list — Separates nonconsecutive port-channels with a comma and no spaces; use a hyphen to designate a range of port-channels.
Default Configuration
This setting is disabled.
Command Mode
Interface Configuration (VLAN) mode
User Guidelines
IGMP snooping dynamically discovers Multicast router ports. When a Multicast router port is discovered, all the Multicast packets are forwarded to it unconditionally.
This command prevents a port from becoming a Multicast router port.
Example
The following example forbids forwarding all Multicast packets to 1/e1 with VLAN 2.
console(config)# interface vlan 2
console(config-if)# bridge multicast forbidden forward-all add ethernet 1/e1

bridge aging-time

The bridge aging-time Global Configuration mode command sets the aging time of the Address Table. Use the no form of this command to restore the default.
Syntax
bridge aging-time seconds
no bridge aging-time
Parameters
seconds — Aging-time range in seconds indicating how long an entry remains in address table. (Range: 10-630 seconds)
Default Configuration
The default setting is 300 seconds.
Command Mode
Global Configuration mode
User Guidelines
There are no user guidelines for this command.
Example
The following example sets the bridge aging time to 250.
console(config)# bridge aging-time 250

clear bridge

The clear bridge Privileged EXEC mode command removes any learned entries from the forwarding database.
Syntax
clear bridge
Parameters
This command has no arguments or keywords.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example clears the bridge tables.
console# clear bridge

port security

The port security Interface Configuration mode command enables port security on an interface. Use the no form of this command to disable port security on an interface.
Syntax
port security [forward | discard | discard-shutdown] [trap seconds]
no port security
Parameters
forward — Forwards frames with unlearned source addresses, but does not learn the address.
discard — Discards frames with unlearned source addresses. This is the default if no option is indicated.
discard-shutdown — Discards frames with unlearned source addresses. The port is also shut down.
trap seconds — Sends SNMP traps and specifies the minimum time between consecutive traps.
Default Configuration
This setting is disabled.
Command Mode
Interface Configuration (Ethernet, port-channel) mode
User Guidelines
There are no user guidelines for this command.
Example
The following example forwards all packets from port 1/e1 without learning addresses of packets from unknown sources and sends traps every 100 seconds if a packet with an unknown source address is received.
console(config)# interface ethernet 1/e1
console(config-if)# port security forward trap 100

port security mode

The port security mode Interface Configuration mode command configures the port security mode. Use the no form of this command to return to the default configuration.
Syntax
port security mode {lock | max-addresses}
no port security mode
Parameters
lock — Saves the current dynamic MAC addresses associated with the port and disables learning, relearning and aging.
max-addresses — Delete the current dynamic MAC addresses associated with the port. Learn up to the maximum addresses allowed on the port. Relearning and aging are enabled.
Default Configuration
Lock.
Command Mode
Interface Configuration (Ethernet, port-channel) mode
User Guidelines
There are no user guidelines for this command.
Example
The following example sets port security mode to dynamic for Ethernet interface 1/e7.
console(config)# interface ethernet 1/e7

port security max

The port security max Interface Configuration (Ethernet, port-channel) mode command configures the maximum number of addresses that can be learned on the port while the port is in port security mode. Use the no form of this command to return to the default configuration.
Syntax
port security max max-addr
no port security max
Parameters
max-addr — Maximum number of addresses that can be learned by the port. (Range: 1-128)
Default Configuration
The default setting is 1 address.
Command Mode
Interface Configuration (Ethernet, port-channel) mode
User Guidelines
This command is only relevant in dynamic learning modes.
Example
The following example sets the maximum number of addresses that are learned on port 1/e7 before it is locked to 20.
console(config)# interface ethernet 1/e7
console(config-if)# port security max 20

port security routed secure-address

The port security routed secure-address Interface Configuration (Ethernet, port-channel) mode command adds a MAC-layer secure address to a routed port. Use the no form of this command to delete a MAC address.
Syntax
port security routed secure-address mac-address
no port security routed secure-address mac-address
Parameters
mac-address — A valid MAC address.
Default Configuration
No addresses are defined.
Command Mode
Interface Configuration (Ethernet, port-channel) mode. Cannot be configured for a range of interfaces (range context).
User Guidelines
The command enables adding secure MAC addresses to a routed port in port security mode.
The command is available when the port is a routed port and in port security mode.
The address is deleted if the port exits the security mode or is not a routed port.
Example
The following example adds the MAC-layer address 66:66:66:66:66:66 to port 1/e1.
console(config)# interface ethernet 1/e1
console(config-if)# port security routed secure-address 66:66:66:66:66:66

show bridge address-table

The show bridge address-table Privileged EXEC mode command displays all entries in the bridge-forwarding database.
Syntax
show bridge address-table [vlan vlan] [ethernet interface | port-channel port-channel-number]
Parameters
vlan — Specifies a valid VLAN, such as VLAN 1.
interface — A valid Ethernet port.
port-channel-number — A valid port-channel number.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
Internal usage VLANs (VLANs that are automatically allocated on ports with a defined Layer 3 interface) are presented in the VLAN column by a port number and not by a VLAN ID.
"Special" MAC addresses that were not statically defined or dynamically learned are displayed in the MAC Address Table.
Example
The following example displays all classes of entries in the bridge-forwarding database.
console# show bridge address-table
Aging time is 300 sec

vlan   mac address         Port   Type
----   -----------------   ----   -------
1      00:02:3f:b4:28:05   e16    dynamic
1      00:07:40:c9:5f:83   ch5    dynamic
1      00:15:77:74:64:40   ch5    dynamic

show bridge address-table static

The show bridge address-table static Privileged EXEC mode command displays statically created entries in the bridge-forwarding database.
Syntax
show bridge address-table static [vlan vlan] [ethernet interface | port-channel port-channel-number]
Parameters
vlan — Specifies a valid VLAN, such as VLAN 1.
interface — A valid Ethernet port.
port-channel-number — A valid port-channel number.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays all static entries in the bridge-forwarding database.
console# show bridge address-table static
Aging time is 300 sec

vlan   mac address         port   type
----   -----------------   ----   -----------------
1      00:60:70:4C:73:FF   1/e8   Permanent
1      00:60.70.8C.73:FF   1/e8   delete-on-timeout
200    00:10:0D:48:37:FF   1/e9   delete-on-reset

show bridge address-table count

The show bridge address-table count Privileged EXEC mode command displays the number of addresses present in the Forwarding Database.
Syntax
show bridge address-table count [vlan vlan] [ethernet interface-number | port-channel port-channel-number]
Parameters
vlan — Specifies a valid VLAN, such as VLAN 1.
interface — A valid Ethernet port.
port-channel-number — A valid port-channel number.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays the number of addresses present in all VLANs.
console# show bridge address-table count
This may take some time.
Capacity: 8192
Free: 8190
Used: 2
Secure: 0
Dynamic: 2
Static : 0
Internal: 0

show bridge multicast address-table

The show bridge multicast address-table Privileged EXEC mode command displays the bridge Multicast Address Table information.
Syntax
show bridge multicast address-table [vlan vlan-id] [address mac-multicast-address | ip-multicast-address] [format ip | format mac] [source ip-address]
Parameters
vlan-id — A valid VLAN ID value.
mac-multicast-address — A valid MAC Multicast address.
ip-multicast-address — A valid IP Multicast address.
ip-address — Source IP address
format ip|mac — Multicast address format. Can be ip or mac. If the format is unspecified, the default is mac.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
A MAC address can be displayed in IP format only if it is in the range of 0100.5e00.0000-0100.5e7f.ffff.
Examples
The following examples display Multicast MAC address and IP Address Table information.
console# show bridge multicast address-table
Multicast address table for VLANs in MAC-GROUP bridging mode:

Vlan   MAC Address         Type      Ports
----   -----------------   -------   ----------
1      0100.5e23.8787      static    1/e1, 2/e2
1      01:00:5e:02:02:03   dynamic   1/e1, 2/e2
19     01:00:5e:02:02:08   static    1/e1-e8
19     00:00:5e:02:02:08   dynamic   1/e9-e11

Forbidden ports for multicast addresses:

Vlan   MAC Address         Ports
----   -----------------   -----
1      01:00:5e:02:02:03   2/8
19     01:00:5e:02:02:08   2/8

console# show bridge multicast address-table format ip
Multicast address table for VLANs in MAC-GROUP bridging mode:

Vlan   IP/MAC Address      Type      Ports
----   -----------------   -------   ----------
1      0100.9923.8787      static    1/e1, 2/e2
1      224-239.130|2.2.3   dynamic   1/e1, 2/e2
19     224-239.130|2.2.8   static    1/e1-e8
19     224-239.130|2.2.8   dynamic   1/e9-e11

Forbidden ports for multicast addresses:

Vlan   IP/MAC Address      Ports
----   -----------------   -----
1      224-239.130|2.2.3   2/8
19     224-239.130|2.2.8   2/8
Note
A Multicast MAC address maps to multiple IP addresses as shown above.
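The Python below works through that note and the 0100.5e00.0000-0100.5e7f.ffff range from the User Guidelines: it lists every IPv4 group that shares one Multicast MAC address and renders them in the 224-239.130|2.2.3 style of the sample output. It is an added example, not code from the manual or the switch; the function names are illustrative, and reading the sample notation as "first octet range, then the two possible second octets" is an assumption taken from the output shown above.

```python
import ipaddress

MAPPABLE_LOW = 0x01005E000000    # 0100.5e00.0000
MAPPABLE_HIGH = 0x01005E7FFFFF   # 0100.5e7f.ffff


def parse_mac(text):
    """Accept the notations used on this page (0100.5e02.0203, 01:00:5e:02:02:03)."""
    digits = text.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % text)
    return int(digits, 16)   # raises ValueError on non-hex characters


def is_ip_displayable(mac_text):
    """True when the address lies in the range that has an IP representation."""
    return MAPPABLE_LOW <= parse_mac(mac_text) <= MAPPABLE_HIGH


def candidate_groups(mac_text):
    """All IPv4 multicast groups whose frames carry this destination MAC."""
    mac = parse_mac(mac_text)
    if not MAPPABLE_LOW <= mac <= MAPPABLE_HIGH:
        raise ValueError("%s is outside 0100.5e00.0000-0100.5e7f.ffff" % mac_text)
    low23 = mac & 0x7FFFFF
    # An IPv4 group is 1110 + 28 bits; the MAC carries only the low 23 of them,
    # so 5 bits are lost and 2**5 = 32 groups collapse onto one MAC address.
    return [ipaddress.IPv4Address(0xE0000000 | (lost << 23) | low23) for lost in range(32)]


def compact_ip_format(mac_text):
    """Render the candidates in the style of the 'format ip' sample output."""
    groups = [int(group) for group in candidate_groups(mac_text)]
    first = sorted({value >> 24 for value in groups})
    second = sorted({(value >> 16) & 0xFF for value in groups}, reverse=True)
    tail = groups[0] & 0xFFFF
    return "%d-%d.%s.%d.%d" % (first[0], first[-1],
                               "|".join(str(octet) for octet in second),
                               tail >> 8, tail & 0xFF)


def group_to_mac(ip_text):
    """Map an IPv4 multicast group to its MAC address (the forward direction)."""
    ip = ipaddress.IPv4Address(ip_text)
    if not ip.is_multicast:
        raise ValueError("%s is not an IPv4 multicast address" % ip_text)
    raw = "%012x" % (MAPPABLE_LOW | (int(ip) & 0x7FFFFF))
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


if __name__ == "__main__":
    print(compact_ip_format("01:00:5e:02:02:03"))
    print(len(candidate_groups("01:00:5e:02:02:03")), "groups share this MAC")
    print(is_ip_displayable("0100.9923.8787"))
```

Because the bridge table is keyed on the MAC address, a static or forbidden entry for one address applies to all 32 IP groups that map to it, which matters when the entry is meant to restrict a single group.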

show bridge multicast address-table static

The show bridge multicast address-table static Privileged EXEC mode command displays statically configured Multicast addresses.
Syntax
show bridge multicast address-table static [vlan vlan-id] [address mac-multicast-address |
Parameters
vlan-id — A valid VLAN ID value.
mac-multicast-address — A valid MAC Multicast address.
ip-multicast-address — A valid IP Multicast address.
ip-address — Source IP address
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
A MAC address can be displayed in IP format only if it's in the range 0100.5e00.0000 through 0100.5e7f.ffff.
Example
The following example displays Multicast MAC address and IP Address Table information.
console# show bridge multicast address-table static
Multicast address table for VLANs in MAC-GROUP bridging mode:

Vlan   MAC Address      Type      Ports
----   --------------   -------   ----------
1      0100.5e23.8787   static    1/e1, 2/e2

Forbidden ports for multicast addresses:

Vlan         MAC Address        Ports
----------   ----------------   -------------------------------------
console#

show bridge multicast filtering

The show bridge multicast filtering User EXEC mode command displays Multicast filtering configuration.
Syntax
show bridge multicast filtering vlan-id
Parameters
vlan-id — VLAN ID value.
Default Configuration
This command has no default configuration.
Command Mode
User EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays the Multicast configuration for VLAN 1.
console# show bridge multicast filtering 1
Filtering: Enabled
VLAN: 1
      Forward-All
Port  Static    Status
----- --------- ---------
1/e1  -         Filter
1/e2  -         Filter
1/e3  -         Filter
1/e4  -         Filter
1/e5  -         Filter
1/e6  -         Filter
1/e7  -         Filter
1/e8  -         Filter
1/e9  -         Filter
1/e10 -         Filter
1/e11 -         Filter
1/e12 -         Filter

show bridge multicast unregistered

The show bridge multicast unregistered User EXEC mode command displays the unregistered multicast filtering configuration.
Syntax
show bridge multicast unregistered [ethernet interface | port-channel port-channel-number]
Parameters
interface — Specify the required Ethernet port to display.
port-channel-number — Specify the required Port-channel number to display.
Default Configuration
This command has no default configuration.
Command Mode
User EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays the Multicast configuration for VLAN 1.
console# show bridge multicast unregistered
Port  Unregistered
----- ------------
1/e10 Forward
1/e11 Filter
1/e12 Filter

show ports security

The show ports security Privileged EXEC mode command displays the port-lock status.
Syntax
show ports security [ethernet interface | port-channel port-channel-number]
Parameters
interface — A valid Ethernet port.
port-channel-number — A valid port-channel number.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays classes of entries in the port-lock status:
console# show ports security
Port Status   Learning Action            Maximum Trap    Frequency
---- -------- -------- ----------------- ------- ------- ---------
1/e1 Locked   Dynamic  Discard           3       Enable  100
1/e2 Unlocked Dynamic  -                 28      -       -
1/e3 Locked   Disabled Discard, Shutdown 8       Disable -
The following table describes the fields shown above.
Field     Description
Port      Port number
Status    Locked/Unlocked
Learning  Learning mode
Action    Action on violation
Maximum   Maximum addresses that can be associated on this port in Static Learning mode or in Dynamic Learning mode
Trap      Indicates if traps are sent in case of a violation
Frequency Minimum time between consecutive traps

show ports security addresses

The show ports security addresses Privileged EXEC mode command displays the current dynamic addresses in locked ports.
Syntax
show ports security addresses [ethernet interface | port-channel port-channel-number]
Parameters
interface — A valid Ethernet port.
port-channel-number — A valid port-channel number.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Examples
The following examples display dynamic addresses in currently locked ports.
console# show ports security addresses
Port Status   Learning      Current Maximum
---- -------- ------------- ------- -------
1/e1 Disabled Lock          -       1
1/e2 Disabled Lock          -       1
1/e3 Enabled  Max-addresses 0       1
1/e4 Port is a member in port-channel ch1
1/e5 Disabled Lock          -       1
1/e6 Enabled  Max-addresses 0       10
ch1  Enabled  Max-addresses 0       50
ch2  Enabled  Max-addresses 0       128
The following example displays dynamic addresses in currently locked port 1/e1.
console# show ports security addresses ethernet 1/e1
Port Status   Learning Current Maximum
---- -------- -------- ------- -------
1/e1 Disabled Lock     -       1

Chapter 5. Clock Commands

clock set

The clock set Privileged EXEC mode command manually sets the system clock. To avoid an SNTP conflict, this command should only be used if there is no clock source set.
Syntax
clock set hh:mm:ss day month year
or
clock set hh:mm:ss month day year
Parameters
hh:mm:ss — Current time in hours (military format), minutes, and seconds (hh: 0 - 23, mm: 0 - 59, ss: 0 - 59).
day — Current day (by date) in the month (1 - 31).
month — Current month using the first three letters by name (Jan, …, Dec).
year — Current year (2000 - 2097).
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example sets the system time to 13:32:00 on the 7th March 2002.
Console# clock set 13:32:00 7 Mar 2002

clock source

The clock source Global Configuration mode command configures an external time source for the system clock. Use the no form of this command to disable the external time source.
Syntax
clock source {sntp}
no clock source
Parameters
sntp — SNTP servers
Default Configuration
No external clock source
Command Mode
Global Configuration mode
User Guidelines
There are no user guidelines for this command.
Example
The following example configures an external time source for the system clock.
Console(config)# clock source sntp

clock timezone

The clock timezone Global Configuration mode command sets the time zone for display purposes. Use the no form of this command to set the time to the Coordinated Universal Time (UTC).
Syntax
clock timezone hours-offset [minutes minutes-offset] [zone acronym]
no clock timezone
Parameters
hours-offset — Hours difference from UTC. (Range: -12 – +13)
minutes-offset — Minutes difference from UTC. (Range: 1 – 59)
acronym — The acronym of the time zone. (Range: Up to 4 characters)
Default Configuration
Clock set to UTC.
Command Mode
Global Configuration mode
User Guidelines
The system internally keeps time in UTC, so this command is used only for display purposes and when the time is manually set.
Example
The following example sets the timezone to 6 hours difference from UTC.
Console(config)# clock timezone -6 zone CST

clock summer-time

The clock summer-time Global Configuration mode command configures the system to automatically switch to summer time (daylight saving time). Use the no form of this command to configure the software not to automatically switch to summer time.
Syntax
clock summer-time recurring {usa | eu | {week day month hh:mm week day month hh:mm}} [offset offset] [zone acronym]
clock summer-time date date month year hh:mm date month year hh:mm [offset offset] [zone acronym]
clock summer-time date month date year hh:mm month date year hh:mm [offset offset] [zone acronym]
no clock summer-time recurring
Parameters
recurring — Indicates that summer time should start and end on the corresponding specified days every year.
date — Indicates that summer time should start on the first specific date listed in the command and end on the second specific date in the command.
usa — The summer time rules are the United States rules.
eu — The summer time rules are the European Union rules.
week — Week of the month. (Range: 1 - 5, first, last)
day — Day of the week. (Range: first three letters by name, like sun)
date — Date of the month. (Range: 1 - 31)
month — Month. (Range: first three letters by name, like Jan)
year — Year, no abbreviation. (Range: 2000 - 2097)
hh:mm — Time in military format, in hours and minutes. (Range: hh: 0 - 23, mm: 0 - 59)
offset — Number of minutes to add during summer time. (Range: 1 - 1440)
acronym — The acronym of the time zone to be displayed when summer time is in effect. (Range: Up to 4 characters)
Default Configuration
Summer time is disabled.
offset — Default is 60 minutes.
acronym — If unspecified, defaults to the timezone acronym. If the timezone has not been defined, the default is GMT.
Command Mode
Global Configuration mode
User Guidelines
In both the date and recurring forms of the command, the first part of the command specifies when summer time begins, and the second part specifies when it ends. All times are relative to the local time zone. The start time is relative to standard time. The end time is relative to summer time. If the starting month is chronologically after the ending month, the system assumes that the device is in the southern hemisphere.
USA rule for daylight savings time:
Start: Second Sunday in March
End: First Sunday in November
Time: 2 am local time
EU rule for daylight savings time:
Start: Last Sunday in March
End: Last Sunday in October
Time: 1.00 am (01:00)
Example
The following example sets summer time starting on the first Sunday in April at 2 am and finishing on the last Sunday in October at 2 am.
Console(config)# clock summer-time recurring first sun apr 2:00 last sun oct 2:00

sntp authentication-key

The sntp authentication-key Global Configuration mode command defines an authentication key for Simple Network Time Protocol (SNTP). Use the no form of this command to remove the authentication key for SNTP.
Syntax
sntp authentication-key number md5 value
no sntp authentication-key number
Parameters
number — Key number (Range: 1-4294967295)
value — Key value (Range: 1-8 characters)
Default Configuration
No authentication key is defined.
Command Mode
Global Configuration mode
User Guidelines
Multiple keys can be generated.
Example
The following example defines the authentication key for SNTP.
Console(config)# sntp authentication-key 8 md5 ClkKey

sntp authenticate

The sntp authenticate Global Configuration mode command grants authentication for received Simple Network Time Protocol (SNTP) traffic from servers. Use the no form of this command to disable the feature.
Syntax
sntp authenticate
no sntp authenticate
Parameters
This command has no arguments or keywords.
Default Configuration
No authentication
Command Mode
Global Configuration mode
User Guidelines
The command is relevant for both Unicast and Broadcast.
Example
The following example defines the authentication key for SNTP and grants authentication.
Console(config)# sntp authentication-key 8 md5 ClkKey
Console(config)# sntp trusted-key 8
Console(config)# sntp authenticate

sntp trusted-key

The sntp trusted-key Global Configuration mode command authenticates the identity of a system to which Simple Network Time Protocol (SNTP) will synchronize. Use the no form of this command to disable authentication of the identity of the system.
Syntax
sntp trusted-key key-number
no sntp trusted-key key-number
Parameters
key-number — Key number of authentication key to be trusted. (Range: 1 - 4294967295)
Default Configuration
No keys are trusted.
Command Mode
Global Configuration mode
User Guidelines
The command is relevant for both received Unicast and Broadcast. If there is at least 1 trusted key, then unauthenticated messages will be ignored.
Example
The following example authenticates key 8.
Console(config)# sntp authentication-key 8 md5 ClkKey
Console(config)# sntp trusted-key 8
Console(config)# sntp authenticate
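How the three commands above (sntp authentication-key, sntp authenticate, sntp trusted-key) combine on the receive path, as an added Python model that is not Allied Telesis code. It assumes the standard NTP symmetric-key layout (48-byte header, 32-bit key ID, MD5 digest of key followed by header) and assumes authentication is enforced only when sntp authenticate is on and at least one key is trusted; all class and function names are illustrative.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

NTP_HEADER_LEN = 48      # fixed NTP/SNTP header
MAC_LEN = 4 + 16         # 32-bit key ID + 128-bit MD5 digest


def validate_key(number, value):
    """Apply the ranges documented for 'sntp authentication-key number md5 value'."""
    if not 1 <= number <= 4294967295:
        raise ValueError("key number out of range 1-4294967295")
    if not 1 <= len(value) <= 8:
        raise ValueError("key value must be 1-8 characters")
    return number, value.encode("ascii")


@dataclass
class SntpClientConfig:
    keys: dict = field(default_factory=dict)    # sntp authentication-key
    trusted: set = field(default_factory=set)   # sntp trusted-key
    authenticate: bool = False                  # sntp authenticate

    def add_key(self, number, value):
        number, secret = validate_key(number, value)
        self.keys[number] = secret


def sign(header, key_id, secret):
    """What a server sharing the key appends: key ID + MD5(key || header)."""
    digest = hashlib.md5(secret + header).digest()
    return header + struct.pack("!I", key_id) + digest


def accept(datagram, cfg):
    """Return (accepted, reason) for one received SNTP datagram."""
    if len(datagram) < NTP_HEADER_LEN:
        return False, "truncated header"
    # Assumption: enforcement needs 'sntp authenticate' plus a trusted key.
    if not (cfg.authenticate and cfg.trusted):
        return True, "authentication not enforced"
    if len(datagram) == NTP_HEADER_LEN:
        return False, "unauthenticated message ignored"
    if len(datagram) != NTP_HEADER_LEN + MAC_LEN:
        return False, "unexpected MAC length"
    header, mac = datagram[:NTP_HEADER_LEN], datagram[NTP_HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    if key_id not in cfg.trusted:
        return False, f"key {key_id} is not trusted"
    secret = cfg.keys.get(key_id)
    if secret is None:
        return False, f"key {key_id} is trusted but not defined"
    expected = hashlib.md5(secret + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):   # constant-time compare
        return False, "digest mismatch"
    return True, f"authenticated with key {key_id}"


def sample_header():
    """Constructed server reply: LI=0, VN=4, mode=4, stratum 4, rest zeroed."""
    return struct.pack("!BBbb", 0x24, 4, 6, -20) + bytes(44)


def example_config():
    """Mirrors the three-command example above (key 8, value ClkKey)."""
    cfg = SntpClientConfig()
    cfg.add_key(8, "ClkKey")
    cfg.trusted.add(8)
    cfg.authenticate = True
    return cfg


if __name__ == "__main__":
    cfg = example_config()
    hdr = sample_header()
    tampered = bytearray(sign(hdr, 8, b"ClkKey"))
    tampered[1] = 1                                  # forged stratum
    for name, pkt in [("signed, key 8", sign(hdr, 8, b"ClkKey")),
                      ("no MAC", hdr),
                      ("signed, key 9", sign(hdr, 9, b"Other")),
                      ("tampered", bytes(tampered))]:
        print(f"{name:15} -> {accept(pkt, cfg)}")
```

With a value limited to 8 characters the key space is small, so the value should be random across the allowed characters rather than a word.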

sntp client poll timer

The sntp client poll timer Global Configuration mode command sets the polling time for the Simple Network Time Protocol (SNTP) client. Use the no form of this command to return to default configuration.
Syntax
sntp client poll timer seconds
no sntp client poll timer
Parameters
seconds — Polling interval in seconds (Range: 60-86400)
Default Configuration
Polling interval is 1024 seconds.
Command Mode
Global Configuration mode
User Guidelines
There are no user guidelines for this command.
Example
The following example sets the polling time for the Simple Network Time Protocol (SNTP) client to 120 seconds.
Console(config)# sntp client poll timer 120

sntp broadcast client enable

The sntp broadcast client enable Global Configuration mode command enables Simple Network Time Protocol (SNTP) Broadcast clients. Use the no form of this command to disable SNTP Broadcast clients.
Syntax
sntp broadcast client enable
no sntp broadcast client enable
Parameters
This command has no arguments or keywords.
Default Configuration
The SNTP Broadcast client is disabled.
Command Mode
Global Configuration mode
User Guidelines
Use the sntp client enable (Interface) Interface Configuration mode command to enable the SNTP client on a specific interface.
Example
The following example enables the SNTP Broadcast clients.
Console(config)# sntp broadcast client enable

sntp anycast client enable

The sntp anycast client enable Global Configuration mode command enables SNTP Anycast client. Use the no form of this command to disable the SNTP Anycast client.
Syntax
sntp anycast client enable
no sntp anycast client enable
Parameters
This command has no arguments or keywords.
Default Configuration
The SNTP Anycast client is disabled.
Command Mode
Global Configuration mode
User Guidelines
The sntp client poll timer Global Configuration mode command determines polling time.
Use the sntp client enable (Interface) Interface Configuration mode command to enable the SNTP client on a specific interface.
Example
The following example enables SNTP Anycast clients.
console(config)# sntp anycast client enable

sntp client enable (Interface)

The sntp client enable Interface Configuration (Ethernet, port-channel, VLAN) mode command enables the Simple Network Time Protocol (SNTP) client on an interface. This applies to receiving both Broadcast and Anycast updates. Use the no form of this command to disable the SNTP client.
Syntax
sntp client enable
no sntp client enable
Parameters
This command has no arguments or keywords.
Default Configuration
The SNTP client is disabled on an interface.
Command Mode
Interface configuration (Ethernet, port-channel, VLAN) mode
User Guidelines
Use the sntp broadcast client enable Global Configuration mode command to enable Broadcast clients globally. Use the sntp anycast client enable Global Configuration mode command to enable Anycast clients globally.
Example
The following example enables the SNTP client on Ethernet port 1/e3.
Console(config)# interface ethernet 1/e3
Console(config-if)# sntp client enable

sntp unicast client enable

The sntp unicast client enable Global Configuration mode command enables the device to use the Simple Network Time Protocol (SNTP) to request and accept SNTP traffic from servers. Use the no form of this command to disable requesting and accepting SNTP traffic from servers.
Syntax
sntp unicast client enable
no sntp unicast client enable
Parameters
This command has no arguments or keywords.
Default Configuration
The SNTP Unicast client is disabled.
Command Mode
Global Configuration mode
User Guidelines
Use the sntp server Global Configuration mode command to define SNTP servers.
Example
The following example enables the device to use the Simple Network Time Protocol (SNTP) to request and accept SNTP traffic from servers.
Console(config)# sntp unicast client enable

sntp unicast client poll

The sntp unicast client poll Global Configuration mode command enables polling for the Simple Network Time Protocol (SNTP) predefined Unicast servers. Use the no form of this command to disable the polling for SNTP client.
Syntax
sntp unicast client poll
no sntp unicast client poll
Parameters
This command has no arguments or keywords.
Default Configuration
Polling is disabled.
Command Mode
Global Configuration mode
User Guidelines
The sntp client poll timer Global Configuration mode command determines polling time.
Example
The following example enables polling for Simple Network Time Protocol (SNTP) predefined Unicast clients.
Console(config)# sntp unicast client poll

sntp server

The sntp server Global Configuration mode command configures the device to use the Simple Network Time Protocol (SNTP) to request and accept SNTP traffic from a specified server. Use the no form of this command to remove a server from the list of SNTP servers.
Syntax
sntp server {ipv4-address|ipv6-address|hostname} [poll] [key keyid]
no sntp server {ipv4-address|ipv6-address|hostname}
Parameters
ipv4-address — IPv4 address of the server. An out-of-band IP address can be specified as described in the usage guidelines.
ipv6-address — IPv6 address of the server. An out-of-band IP address can be specified as described in the usage guidelines. When the IPv6 address is a Link Local address (IPv6 address), the outgoing interface name must be specified. Refer to the usage guidelines for the interface name syntax.
hostname — Hostname of the server. Only translation to IPv4 addresses is supported.
poll — Enable polling.
keyid — Authentication key to use when sending packets to this peer. (Range: 1-4294967295)
Default Configuration
No servers are defined.
Command Mode
Global Configuration mode
User Guidelines
Up to 8 SNTP servers can be defined.
To enable predefined Unicast clients globally use the sntp unicast client enable Global Configuration mode command.
To enable global polling use the sntp unicast client poll Global Configuration mode command.
The sntp client poll timer Global Configuration mode command determines polling time.
The format of an IPv6 address is: <ipv6-link-local-address>%<interface-name>
interface-name = vlan<integer> | ch<integer> | isatap<integer> | <physical-port-name>
integer = <decimal-number> | <integer><decimal-number>
decimal-number = 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9
physical-port-name = Product specific.
Example
The following example configures the device to accept SNTP traffic from the server on 192.1.1.1.
Console(config)# sntp server 192.1.1.1

show clock

The show clock User EXEC mode command displays the time and date from the system clock.
Syntax
show clock [detail]
Parameters
detail — Shows timezone and summertime configuration.
Default Configuration
This command has no default configuration.
Command Mode
User EXEC mode
User Guidelines
The symbol that precedes the show clock display indicates the following:
Symbol  Description
*       Time is not authoritative.
(blank) Time is authoritative.
.       Time is authoritative, but SNTP is not synchronized.
Example
The following example displays the time and date from the system clock.
Console> show clock
15:29:03 PDT(UTC-7) Jun 17 2002
Time source is SNTP
Console> show clock detail
15:29:03 PDT(UTC-7) Jun 17 2002
Time source is SNTP
Time zone:
Acronym is PST
Offset is UTC-8
Summertime:
Acronym is PDT
Recurring every year.
Begins at first Sunday of April at 2:00.
Ends at last Sunday of October at 2:00.
Offset is 60 minutes.

show sntp configuration

The show sntp configuration Privileged EXEC mode command shows the configuration of the Simple Network Time Protocol (SNTP).
Syntax
show sntp configuration
Parameters
This command has no arguments or keywords.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays the current SNTP configuration of the device.
Console# show sntp configuration
Polling interval: 7200 seconds
MD5 Authentication keys: 8, 9
Authentication is required for synchronization.
Trusted Keys: 8, 9
Unicast Clients: Enabled
Unicast Clients Polling: Enabled
Server      Polling  Encryption Key
----------- -------- --------------
176.1.1.8   Enabled  9
176.1.8.179 Disabled Disabled
Broadcast Clients: Enabled
Anycast Clients: Enabled
Broadcast and Anycast Interfaces: 1/e1, 1/e3

show sntp status

The show sntp status Privileged EXEC mode command shows the status of the Simple Network Time Protocol (SNTP).
Syntax
show sntp status
Parameters
This command has no arguments or keywords.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example shows the status of the SNTP.
Console# show sntp status
Clock is synchronized, stratum 4, reference is 176.1.1.8, unicast
Reference time is AFE2525E.70597B34 (00:10:22.438 PDT Jul 5 1993)
Unicast servers:
Server      Status  Last response                Offset [mSec] Delay [mSec]
----------- ------- ---------------------------- ------------- ------------
176.1.1.8   Up      19:58:22.289 PDT Feb 19 2002 7.33          117.79
176.1.8.179 Unknown 12:17.17.987 PDT Feb 19 2002 8.98          189.19
Anycast server:
Server     Interface Status Last response                Offset [mSec] Delay [mSec]
---------- --------- ------ ---------------------------- ------------- ------------
176.1.11.8 VLAN 118  Up     9:53:21.789 PDT Feb 19 2002  7.19          119.89
Broadcast:
Interface Interface Last response
--------- --------- ----------------------------
176.9.1.1 VLAN 119  19:17:59.792 PDT Feb 19 2002

Chapter 6. Configuration and Image File Commands

copy

The copy Privileged EXEC mode command copies files from a source to a destination.
Syntax
copy source-url destination-url
Parameters
source-url — The source file location URL or reserved keyword of the source file to be copied. (Range: 1-160 characters)
destination-url — The destination file URL or reserved keyword of the destination file. (Range: 1-160 characters)
The following table displays keywords and URL prefixes:
Keyword                      Source or Destination
flash:                       Source or destination URL for flash memory. It’s the default in case a URL is specified without a prefix.
flash://startup-config       Source is the startup-config file in flash memory.
flash://image                Source is an image file on flash memory.
running-config               Represents the current running configuration file.
startup-config               Represents the startup configuration file.
image                        If the source file, represents the active image file. If the destination file, represents the non-active image file.
boot                         Boot file.
tftp://                      Source or destination URL for a TFTP network server. The syntax for this alias is tftp://host/[directory]/filename. The host can be IPv4 address, IPv6 address or hostname.
xmodem:                      Source for the file from a serial connection that uses the Xmodem protocol.
logging                      Copy from a syslog file.
unit://member/image          Image file on one of the units. To copy from the master to all units, specify * in the member field.
unit://member/boot           Boot file on one of the units. To copy from the master to all units, specify * in the member field.
null:                        Null destination for copies or files. A remote file can be copied to null to determine its size.
backup-config                Represents the backup configuration file.
unit://member/backup-config  Backup configuration on one of the units.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
Up to five backup configuration files are supported on the device.
The location of a file system dictates the format of the source or destination URL.
The entire copying process may take several minutes and differs from protocol to protocol and from network to network.
*.prv and *.sys files cannot be copied.
When the IPv6 address is a Link Local address (IPv6 address), the outgoing interface name must be specified.
The format of an IPv6 address is: <ipv6-link-local-address>%<interface-name>
interface-name = vlan<integer> | ch<integer> | isatap<integer> | <physical-port-name>
integer = <decimal-number> | <integer><decimal-number>
decimal-number = 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9
physical-port-name = Product specific.
Understanding Invalid Combinations of Source and Destination
Some invalid combinations of source and destination exist. Specifically, you cannot copy if one of the following conditions exists:
The source file and destination file are the same file.
xmodem: is the destination file. The source file can be copied to image, boot and null: only.
tftp:// is the source file and destination file on the same copy.
The following table describes copy characters:
Character  Description
!          For network transfers, indicates that the copy process is taking place. Each exclamation point indicates successful transfer of ten packets (512 bytes each).
.          For network transfers, indicates that the copy process timed out. Generally, many periods in a row means that the copy process may fail.
Copying an Image File from a Server to Flash Memory
To copy an image file from a server to flash memory, use the copy source-url image command.
Copying a Boot File from a Server to Flash Memory
To copy a boot file from a server to flash memory, enter the copy source-url boot command.
Copying a Configuration File from a Server to the Running Configuration File
To load a configuration file from a network server to the running configuration file of the device, enter the copy source-url running-config command. The commands in the loaded configuration file are added to those in the running configuration file as if the commands were typed in the command-line interface (CLI). Thus, the resulting configuration file is a combination of the previous running configuration and the loaded configuration files with the loaded configuration file taking precedence.
Copying a Configuration File from a Server to the Startup Configuration
To copy a configuration file from a network server to the startup configuration file of the device, enter copy source-url startup-config. The startup configuration file is replaced by the copied configuration file.
Storing the Running or Startup Configuration on a Server
Use the copy running-config destination-url command to copy the current configuration file to a network server using TFTP. Use the copy startup-config destination-url command to copy the startup configuration file to a network server.
Saving the Running Configuration to the Startup Configuration
To copy the running configuration to the startup configuration file, enter the copy running-config startup-config command.
Backing up the Running or Startup Configuration to a Backup Configuration File
To copy the running configuration file to a backup configuration file, enter the copy running-config file command. To copy the startup configuration file to a backup configuration file, enter the copy startup-config file command.
Before copying from the backup configuration file to the running configuration file, make sure that the backup configuration file has not been corrupted.
Example
The following example copies system image file1 from the TFTP server 172.16.101.101 to a non-active image file.
console# copy tftp://172.16.101.101/file1 image
Accessing file 'file1' on 172.16.101.101...
Loading file1 from 172.16.101.101:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! [OK]
Copy took 0:01:11 [hh:mm:ss]

dir
The dir Privileged EXEC mode command displays the list of files on a flash file system.
Syntax
dir
Parameters
This command has no arguments or keywords.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays the list of files on a flash file system.
console# dir
Directory of flash:
File Name      Permission FlashSize DataSize Modified
-------------- ---------- --------- -------- --------------------
image-1        rw         5242880   4325376  01-Jan-2000 01:07:13
image-2        rw         5242880   4325376  01-Jan-2000 09:09:19
dhcpsn.prv     --         131072    ---      01-Jan-2000 01:02:15
sshkeys.prv    --         262144    ---      01-Jan-2000 01:02:15
syslog1.sys    r          262144    --       01-Jan-2000 01:03:21
syslog2.sys    r          262144    --       01-Jan-2000 01:03:21
directry.prv   --         262144    --       01-Jan-2000 01:02:15
startup-config rw         524288    4        01-Jan-2000 01:06:34
Total size of flash: 15728640 bytes
Free size of flash: 3538944 bytes
console#

delete

The delete Privileged EXEC mode command deletes a file from a flash memory device.
Syntax
delete url
Parameters
url — The location URL or reserved keyword of the file to be deleted. (Range: 1-160 characters)
The following table displays keywords and URL prefixes:
Keyword         Source or Destination
flash:          Source or destination URL for flash memory. It’s the default in case a URL is specified without a prefix.
startup-config  Represents the startup configuration file.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
*.sys, *.prv, image-1 and image-2 files cannot be deleted.
Example
The following example deletes file test from flash memory.
console# delete flash:test
Delete flash:test? [confirm]

boot system

The boot system Privileged EXEC mode command specifies the system image that the device loads at startup.
Syntax
boot system [unit unit] {image-1 | image-2}
Parameters
unit — Specifies the unit number.
image-1 — Specifies image 1 as the system startup image.
image-2 — Specifies image 2 as the system startup image.
Default Configuration
If the unit number is unspecified, the default setting is the master unit number.
Command Mode
Privileged EXEC mode
User Guidelines
Use the show bootvar command to find out which image is the active image.
Example
The following example loads system image 1 at device startup.
console# boot system image-1

show running-config

The show running-config Privileged EXEC mode command displays the contents of the currently running configuration file.
Syntax
show running-config
Parameters
This command has no arguments or keywords.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays the contents of the running configuration file.
console# show running-config
software version 1.1
hostname device
interface ethernet 1/e1
ip address 176.242.100.100 255.255.255.0
duplex full
speed 1000
interface ethernet 1/e2
ip address 176.243.100.100 255.255.255.0
duplex full
speed 1000

show startup-config

The show startup-config Privileged EXEC mode command displays the contents of the startup configuration file.
Syntax
show startup-config
Parameters
This command has no arguments or keywords.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays the contents of the running configuration file.
console# show startup-config
software version 1.1
hostname device
interface ethernet 1/e1
ip address 176.242.100.100 255.255.255.0
duplex full
speed 1000
interface ethernet 1/e2
ip address 176.243.100.100 255.255.255.0
duplex full
speed 1000

show bootvar

The show bootvar Privileged EXEC mode command displays the active system image file that is loaded by the device at startup.
Syntax
show bootvar [unit unit]
Parameters
unit — Specifies the unit number.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays the active system image file that is loaded by the device at startup.
console# show bootvar
Images currently available on the FLASH
image-1 active
image-2 not active (selected for next boot)

Unit Active Image Selected for next boot
---- ------------ ----------------------
1    image-1      image-2
2    image-1      image-1

Chapter 7. DHCP Snooping Commands

ip dhcp snooping

The ip dhcp snooping Global Configuration mode command globally enables DHCP snooping. Use the no form of this command to return to the default setting.
Syntax
ip dhcp snooping
no ip dhcp snooping
Parameters
This command has no arguments or keywords.
Default Configuration
Disabled
Command Mode
Global Configuration mode
User Guidelines
For any DHCP snooping configuration to take effect, DHCP snooping must be globally enabled. DHCP snooping is not active until snooping on a VLAN is enabled by using the ip dhcp snooping vlan Global Configuration mode command.
Example
The following example globally enables DHCP snooping.
console(config)# ip dhcp snooping

ip dhcp snooping vlan

The ip dhcp snooping vlan Global Configuration mode command enables DHCP snooping on a VLAN. Use the no form of this command to disable DHCP snooping on a VLAN.
Syntax
ip dhcp snooping vlan vlan-id
no ip dhcp snooping vlan vlan-id
Parameters
vlan-id — Specify VLAN ID.
Default Configuration
Disabled
Command Mode
Global Configuration mode
User Guidelines
DHCP snooping must first be globally enabled before it is enabled on a VLAN.
Example
The following example configures DHCP snooping on a VLAN.
console(config)# ip dhcp snooping vlan 1

ip dhcp snooping trust

The ip dhcp snooping trust Interface Configuration mode command configures a port as trusted for DHCP snooping purposes. Use the no form of this command to return to the default setting.
Syntax
ip dhcp snooping trust
no ip dhcp snooping trust
Parameters
This command has no arguments or keywords.
Default Configuration
Interface configuration (Ethernet, Port-channel)
Command Mode
Interface Configuration mode
User Guidelines
Configure as trusted ports those that are connected to a DHCP server or to other switches or routers. Configure as untrusted ports those that are connected to DHCP clients.
Example
The following example configures a port as trusted for DHCP snooping purposes.
console#
console# configure
console(config)# interface ethernet 1/e1
console(config-if)# ip dhcp snooping trust
console(config-if)#

ip dhcp snooping information option allowed-untrusted

The ip dhcp snooping information option allowed-untrusted Global Configuration mode command configures a switch to accept DHCP packets with option-82 information from an untrusted port. Use the no form of this command to configure the switch to drop these packets from an untrusted port.
Syntax
ip dhcp snooping information option allowed-untrusted
no ip dhcp snooping information option allowed-untrusted
Parameters
This command has no arguments or keywords.
Default Configuration
Discard DHCP packets with option-82 information from an untrusted port.
Command Mode
Global Configuration mode
User Guidelines
There are no user guidelines for this command.
Example
The following example configures the switch to accept DHCP packets with option-82 information from an untrusted port.
console(config)# ip dhcp snooping information option allowed-untrusted

ip dhcp snooping verify

The ip dhcp snooping verify Global Configuration mode command configures the switch to verify, on an untrusted port, that the source MAC address in a DHCP packet matches the client hardware address. Use the no form of this command to configure the switch to not verify the MAC addresses.
Syntax
ip dhcp snooping verify
no ip dhcp snooping verify
Parameters
This command has no arguments or keywords.
Default Configuration
The switch verifies that the source MAC address in a DHCP packet received on an untrusted port matches the client hardware address in the packet.
Command Mode
Global Configuration mode
User Guidelines
There are no user guidelines for this command.
Example
The following example configures the switch to verify, on an untrusted port, that the source MAC address in a DHCP packet matches the client hardware address.
console(config)# ip dhcp snooping verify
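
The three settings described above (port trust, option-82 handling on untrusted ports, and source MAC verification) can be modelled as one per-packet decision. The Python code below is an added example, not Allied Telesis code or the switch's implementation; the function names, the verdict strings and the choice to drop unparsable frames are assumptions made for illustration, and the input is assumed to be a frame already classified as DHCP.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"  # marks the start of the DHCP options field

def parse_dhcp_frame(frame: bytes):
    """Return (Ethernet source MAC, chaddr, set of option codes) for an
    untagged Ethernet/IPv4/UDP frame carrying DHCP; raise ValueError otherwise."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        raise ValueError("not an untagged IPv4/UDP frame")
    ihl = (frame[14] & 0x0F) * 4
    bootp = frame[14 + ihl + 8:]               # skip the IPv4 and UDP headers
    if len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    chaddr = bootp[28:28 + min(bootp[2], 16)]  # hlen bytes of client hardware address
    codes, i = set(), 240
    while i < len(bootp) and bootp[i] != 255:  # 255 = end option
        if bootp[i] == 0:                      # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(bootp) or i + 2 + bootp[i + 1] > len(bootp):
            raise ValueError("truncated option")
        codes.add(bootp[i])
        i += 2 + bootp[i + 1]
    return frame[6:12], chaddr, codes

def snoop_verdict(frame, trusted, verify_mac=True, allow_opt82_untrusted=False):
    """Model of the per-port decision; keyword defaults mirror the documented defaults."""
    if trusted:                                # port faces a DHCP server, switch or router
        return "forward"
    try:
        eth_src, chaddr, codes = parse_dhcp_frame(frame)
    except ValueError as exc:                  # assumption: unparsable DHCP is dropped
        return f"drop: {exc}"
    if 82 in codes and not allow_opt82_untrusted:
        return "drop: option-82 on untrusted port"
    if verify_mac and eth_src != chaddr:
        return "drop: source MAC does not match chaddr"
    return "forward"

def build_frame(eth_src: bytes, chaddr: bytes, options: bytes = b"") -> bytes:
    """Construct a sample client DHCP frame (constructed test data, not a capture)."""
    bootp = (struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234, 0, 0) + bytes(16)
             + chaddr.ljust(16, b"\0") + bytes(192) + DHCP_MAGIC
             + b"\x35\x01\x01" + options + b"\xff")
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp
    return b"\xff" * 6 + eth_src + b"\x08\x00" + ip
```

A frame whose Ethernet source differs from chaddr is forwarded only when the port is trusted or verification is turned off, which is why untrusted status belongs on every client-facing port.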

ip dhcp snooping database

The ip dhcp snooping database Global Configuration mode command configures the DHCP snooping binding file. Use the no form of this command to delete the binding file.
Syntax
ip dhcp snooping database
no ip dhcp snooping database
Parameters
This command has no arguments or keywords.
Default Configuration
The DHCP snooping binding file is not defined.
Command Mode
Global Configuration mode
User Guidelines
To ensure that the lease time in the database is accurate, enable and configure Simple Network Time Protocol (SNTP).
The switch writes binding changes to the binding file only when the switch system clock is synchronized with SNTP.
Example
The following example configures the DHCP snooping binding file.
console(config)# ip dhcp snooping database

ip dhcp snooping database update-freq

The ip dhcp snooping database update-freq Global Configuration mode command configures the update frequency of the DHCP snooping binding file. Use the no form of this command to return to default.
Syntax
ip dhcp snooping database update-freq seconds
no ip dhcp snooping database update-freq
Parameters
seconds — Specify, in seconds, the update frequency (Range: 600 - 86400).
Default Configuration
1200
Command Mode
Global Configuration mode
User Guidelines
There are no user guidelines for this command.
Example
The following example configures the update frequency of the DHCP snooping binding file.
console(config)# ip dhcp snooping database update-freq 1500

ip dhcp snooping binding

The ip dhcp snooping binding Privileged EXEC mode command configures the DHCP snooping binding database and adds binding entries to the database. Use the no form of this command to delete entries from the binding database.
Syntax
ip dhcp snooping binding mac-address vlan-id ip-address {ethernet interface | port-channel port-channel-number} expiry seconds
no ip dhcp snooping binding mac-address vlan-id
Parameters
mac-address — Specify a MAC address
vlan-id — Specify a VLAN number
ip-address — Specify an IP address
interface — Specify Ethernet port
port-channel-number — Specify Port-channel number
expiry seconds — Specify the interval, in seconds, after which the binding entry is no longer valid (Range: 10 - 4294967295)
Default Configuration
No static binding exists
Command Mode
Privileged EXEC
User Guidelines
After this command is entered, an entry is added to the DHCP snooping database. If a DHCP snooping binding file exists, the entry is also added to that file.
The entry is displayed in the show commands as a ‘DHCP Snooping entry’.
Example
The following example configures the DHCP snooping binding database and adds binding entries to the database.
console# ip dhcp snooping binding 0060.704c.73ff 3 10.1.8.1 ethernet 1/e21

clear ip dhcp snooping database

The clear ip dhcp snooping database Privileged EXEC mode command clears the DHCP binding database.
Syntax
clear ip dhcp snooping database
Parameters
This command has no arguments or keywords.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example clears the DHCP binding database.
console# clear ip dhcp snooping database

show ip dhcp snooping

The show ip dhcp snooping EXEC mode command displays the DHCP snooping configuration.
Syntax
show ip dhcp snooping [ethernet interface | port-channel port-channel-number]
Parameters
interface — Specify Ethernet port
port-channel-number — Specify Port-channel number
Default Configuration
This command has no default configuration.
Command Mode
EXEC mode.
User Guidelines
There are no user guidelines for this command.
Example
The following example displays the DHCP snooping configuration.

show ip dhcp snooping binding

The show ip dhcp snooping binding User EXEC mode command displays the DHCP snooping binding database and configuration information for all interfaces on a switch.
Syntax
show ip dhcp snooping binding [mac-address mac-address] [ip-address ip-address] [vlan vlan] [ethernet interface | port-channel port-channel-number]
Parameters
mac-address — Specify a MAC address
ip-address — Specify an IP address.
vlan-id — Specify a VLAN number.
interface — Specify Ethernet port.
port-channel-number — Specify Port-channel number
Default Configuration
This command has no default configuration.
Command Mode
EXEC
User Guidelines
There are no user guidelines for this command.
Example
console# show ip dhcp snooping binding
Total number of binding: 2
MAC Address        IP Address      Lease (sec)  Type       VLAN Interface
------------------ --------------- ------------ ---------- ---- ----------
00:60:70:4c:73:ff  10.1.8.1        4294967295   snooping   3    1/e21
00:60:70:4c:7f:c1  10.1.8.2        4294967295   snooping   3    1/e22
console#