D-Link DXS-3600-16S, DXS-3600-32S, DXS-3600-EM-8T, DXS-3600-EM-8XS, DXS-3600-EM-4QXS User Manual

CLI Reference Guide

Product Model: DXS-3600 Series

Layer 2/3 Managed 10GbE Switch Release: 1.10

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

DXS-3600 Series CLI Reference Guide

Software Release F/W: 1.10.023

by any party by any means.

Preface

Version Description

This manual’s command descriptions are based on the software release 1.10.023. The commands listed here are the subset of commands that are supported by the DXS-3600 Series switch.

Audience

This reference manual is intended for network administrators and other IT networking professionals responsible for managing the switch by using the Command Line Interface (CLI). The CLI is the primary management interface to the DXS-3600 Series switch, which will be generally be referred to simply as the “switch” within this manual. This manual is written in a way that assumes that you already have the experience and knowledge of Ethernet and modern networking principles for Local Area Networks.

Document Layout

Preface Describes how to use the CLI reference manual. Table of Contents Lists out the chapters discussed throughout this manual. Chapters Each chapter contains a specific grouping of CLI commands that are related to the

topic labelled.

Appendices Contains extra information related to this switch.

Other Documentation

The documents below are a further source of information in regards to configuring and troubleshooting the switch . All the documents are available either from the CD, bundled with th is switch, or from the D-Li nk website. Other docu ment s related to this switch are:

• DXS-3600 Series Hardware Installation Guide

• DXS-3600 Series Web UI Reference Guide

Conventions

Convention Description

Boldface Font Commands, command options and keywords are printed in boldface. Keywords, in

the command line, are to be entered exactly as they are displayed.

UPPERCASE ITALICS Font Parameters or values that must be specified are printed in UPPERCASE ITALICS.

Parameters in the command line, are to be replaced with the actual values that are desired to be used with the command.

[ ] Square brackets enclose an optional value or set of optional arguments.

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

Convention Description

{a | b | c} Braces enclose alternative keywords seperated by vertical bars. Generally, one of

the keywords in the seperated list can be chosen.

[a | d | c] Optional values or arguements are enclosed in square barackets and seperated by

vertical bars. Generally, one or more of th e vales or ar gueme nt s in th e seperated list can be chosen.

Blue Courier Font

This convention is used to represent an example of a screen console display including example entries of CLI command input with the corresponding output. All examples used in this manual is based on the DXS-3600-32S switch in the DXS3600 Series.

Notes, Notices, and Cautions

Below are examples of the 3 types of indicators used in this manual. When administering your switch using the information in this document, you should pay special attention to these indicators. Each example below provides an explanatory remark regarding each type of indicator.

NOTE: A note indicates important information that helps you make better use of your device

NOTICE: A notice indicates either potential damage to hardware or loss of data and tells you how to

avoid the problem

CAUTION: A caution indicates a potential for property damage, personal injury, or death.

Command Descriptions

The information pertaining to each command in this reference guide is presented using a number of template fields. The fields are:

• Description - This is a short and concise statement describing the commands functionality.

• Syntax - The precise form to use when ente ring a nd issui ng the co mmand. The form conventions ar e described in the table shown under the section “Conventions” on page iv of this guide.

• Syntax Description - A table where each row describes the optional or required arguments, and their use, that can be issued with the command.

• Default - If the command sets a configuration value or administra tive state of the switch then any default settings (i.e. without issuing the command) of the configuration is shown here.

• Command Mode - The mode in which the command can be issued. The modes are either User EXEC, Privileged EXEC, Global Configuration or a specific configuration mode. These modes are described in the section titled “Command Modes” on page v below.

• Command Usage - If necessary, a detailed description of the command and its various utilization scenarios is given here.

• Example(s) - Each command is accompanied by a practical example of the command being issued in a suitable scenario.

Command Modes

There are several command modes available in the command-line inte rface (CLI). The set of commands available to the user depends on both the mode the user is cu rrently i n and their p rivilege level. For ea ch case, the use r can see all the commands that are available in a particular command mode by entering a question mark (?) at the system prompt.

The command-line interface has five privilege levels:

• Basic User - Privilege Level 1. This user account level has the lowest priority of the user account s. The purpose of this type of user account level is for basic system checking.

• Advanced User - Privilege Level 3. This user account level is allowed to configure the terminal control setting. This user account can only show limited information that is not related to security.

• Power User - Privilege 8. This user account level can execute fewer commands than operator, including configuration commands other than the operator level and administrator level commands.

iii

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

• Operator - Privilege Level 12. This user account level is used to grant system configuration rights for users who need to change or monitor system configuration, except for security related infor mation such as user accounts and SNMP account settings, etc.

• Administrator - Privilege Level 15. This administrator user account level can monitor all system information and change any of the system configuration settings expressed in this configuration guide.

The command-line interface has a number of command modes. There are three basic command modes:

• User EXEC mode

• Privileged EXEC mode

• Global Configuration mode

All other sub-configuration modes can be accessed via global configuration mode. When a user logs in to the Switch, the privilege level of the user determines the command mode the user will enter

after initially logging in. The user will either log into user EXEC mode or privileged EXEC mode. Users with a basic user level will log into the Switch in user EXEC mode. Users with advanced user, power user, operator or administrator level accounts will log into the Switch in privileged EXEC mode. Therefore, user EXEC mode can operate at basic user level and privileged EXEC mode can operate at advanced user, power user, operator or administrator level. The user can only enter global configuration mode from privileged EXEC mode. Therefore, global configuration mode can be accessed by users who have advanced user, power user, operator or administrator level user accounts. As for subconfiguration modes, a subset of those can only be accessed by users who have th e highest secure administrator level privileges.

The following table briefly lists the available command modes. Only the basic command modes and some of the subconfiguration modes are enumerated. The basic command modes and basic sub-configuration modes are further described in the following chapters. Descriptions for the rest of the sub-configuration modes are not provided in this section. For more information on the additional sub-configuration modes, the user should refer to the chapters relating to these functions.

The available command modes and privilege levels are described below:

Command Mode /

Purpose

Privilege Level

User EXEC Mode / Basic User level

Privileged EXEC Mode / Advanced User level

Privileged EXEC Mode / Power User level

Privileged EXEC Mode / Operator level

Privileged EXEC Mode / Administrator level

Global Configuration Mode / Power User level

Global Configuration Mode / Operator level

Global Configuration Mode / Administrator level

Interface Configuration Mode / Administrator level

VLAN Interface Configuration Mode

VLAN Configuration Mode For applying settings to a VLAN.

This level has the lowest priority of the user accounts. It is provided only to check basic system settings.

This level is allowed to configure the terminal control setting. This user account can only show limited information that is not related to security.

This level can execute less commands than operator, include the configure commands other than the operator level an d ad m inis tra to r level commands.

For changing both local and global terminal settings, monitoring, and performing certain system administration tasks. The system administration tasks that can be performed at this level includes the clearing of system configuration settings, except for any security related information, such as user accounts, SNMP account settings etc.

This level is identical to privileged EXEC mode at power user level, except that a user at the administrator level can monitor and clear security related settings.

For applying global settings, including the configuration commands other than the operator level and administrator level commands.

For applying global settings, except for security relate d settings, on the entire Switch. In addition to applying global settings on the entire Switch, the user can access other sub-configuration modes from global configuration mode.

For applying global settings on the entire Switch. In addition to applying global settings on the entire Switch, the user can access other sub-configuration modes from global configuration mode.

For applying interface related settings.

For applying VLAN interface related settings.

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

Command Mode /

Purpose

Privilege Level

IP Access-List Configuration Mode

For specifying filtering criteria for an IP access list.

User EXEC Mode at Basic User Level

This command mode is mainly designed for checking basic system settings. This command mode can be entered by logging in as a basic user.

Privileged EXEC Mode at Advanced User Level

This command mode is mainly designed for checking basic system settings, allowing users to change the local terminal session settings and carrying out basic network connectivity verification. One limit ation of this command mode is that it cannot be used to display information related to security. This command mode can be entered by loggin g in as an advanced user.

Privileged EXEC Mode at Power User Level

User logged into the switch in privileged EXEC mode at this level can execute fewer commands than operator, including the configuration commands other than the operator level and administrator level commands. The method to enter privileged EXEC mode at power user level is to login to the switch with a user account that has a privileged level of 8.

Privileged EXEC Mode at Operator Level

Users logged into the Switch in privileged EXEC mode at this level can change both lo ca l an d global ter minal settin gs, monitor, and perform system administration tasks like clearing configuration settings (except for security related information such as user accounts, SNMP account settings etc.) The method to enter privileged EXEC mode at operator level is to login to the Switch with a user account that has a privilege level of 12.

Privileged EXEC Mode at Administrator Level

This command mode has a privilege level of 15. Users logged in with this command mode can monitor all system information and change any system configur ation settin gs me nt ioned in this Configuration Guide. The method to enter privileged EXEC mode at administrator level is to login to the Switch with a user account that has a privilege level of 15.

Global Configuration Mode

The primary purpose of global configuration mode is to apply global settings on the entire Switch. Global configuration mode can be accessed at advanced user , power user, operator or administrator level u ser accounts. However, security related settings are not accessible at adva nc ed use r, power user or operator user accounts. In addition to applying global settings on the entire Switch, the user can also access other sub-configuration modes. In order to access the global configuration mode, the user must be logged in with the corresponding account level and use the configure terminal command in privileged EXEC mode.

In the following example, the user is logged in as an Administrator in privileged EXEC mode and uses the configure terminal command to access global configuration mode:

DXS-3600-32S#configure terminal DXS-3600-32S(config)#

The exit command is used to exit global configuration mode and return to privileged EXEC mode.

DXS-3600-32S(config)#exit DXS-3600-32S#

The procedures to enter the different sub-configuration modes can be found in the related chapters in this Configuration Guide. The command modes are used to configure the individual functions.

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

Interface Configuration Mode

Interface configuration mode is used to configure the parameters for an interface or a range of interfaces. An interface can be a physical port, VLAN, or other virtual interface. Thus, interface configuration mode is distinguished further according to the type of interface. The command prompt for each type of interface is slightly different.

VLAN Interface Configuration Mode

VLAN interface configuration mode is one of the available interface modes and is used to configure the parameters of a VLAN interface.

To access VLAN interface configuration mode, use th e following command in global configuration mode:

DXS-3600-32S(config)#interface vlan 1 DXS-3600-32S(config-if)#

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

Table of Contents

Basic CLI Commands................................................................................................................................................1

802.1X Commands....................................................................................................................................................6

Access Control List (ACL) Commands....................................................................................................................17

Address Resolution Protocol (ARP) Commands........................................................................... .... ......................40

Alternate Store and Forward (ASF) Commands......................................................................................................46

Authentication, Authorization, and Accounting (AAA) Commands..........................................................................48

Border Gateway Protocol (BGP) Commands..........................................................................................................65

Compound Authentication Commands..................................................................................................................172

Configuration Commands.............................. ... ... ... .......................................... .... ... ... ... ... .....................................175

Counter Commands ..............................................................................................................................................187

CPU Commands........................ ... .... .......................................... ... ........................................................................190

Debug Commands.................................................................................................................................................191

DHCP Relay Commands.......................................................................................................................................199

DHCP Server Commands .....................................................................................................................................205

Distance Vector Multicast Routing Protocol (DVMRP) Commands.......................................................................220

D-Link License Management System Commands ................................................................................................225

Domain Name System (DNS) Commands............................................................................................................227

DoS Attack Prevention Commands.......................................................................................................................230

Enhanced Transmission Selection (ETS) Commands ..........................................................................................233

File System Commands ........................................................................................................................................237

Filter Database (FDB) Commands........................................................................................................................243

GARP VLAN Registration Protocol (GVRP) Commands.......................................................................................251

Internet Group Management Protocol (IGMP) Commands ...................................................................................257

IGMP Snooping Commands..................................................................................................................................266

Interface Commands.............................................................................................................................................281

IP Access List Commands......................... .... ... ... ... .... .......................................... ... ... ... ... .....................................284

IP Address Commands........................ ... ... .... ... .......................................... ... ... .... ... ... ...........................................287

IP Prefix List Commands.................................................. ... ... .... ... ........................................................................290

IP Multicast (IPMC) Commands.................... ... ... ..................................................................................................294

LINE Commands...................................................................................................................................................301

Link Aggregation Commands................. ... .... ... ... ... .... ... ... .......................................... ... ... .... ... ..............................303

Link Layer Discovery Protocol (LLDP) Commands...............................................................................................309

LLDP-DCBX Commands.......................................................................................................................................327

LLDP-MED Commands.........................................................................................................................................332

Memory Commands..................... .... ... ... ... .... ... ... ... .... ... ... .......................................... ... ... .... .................................337

Mirror Commands..................................................................................................................................................338

Multicast Filter Mode Commands............................................... ... ... ... .... ... ... ........................................................342

Multiprotocol Label Switching (MPLS) Commands ...............................................................................................344

Network Connectivity Test Commands .................................................................................................................377

Open Shortest Path First (OSPF) Version 2 Commands ......................................................................................379

Password Recovery Commands.....................................................................................................

Peripheral Commands...........................................................................................................................................419

Port Commands............................ .... ... .......................................... ... ... ..................................................................421

Port Security Commands..................... ... ... .... ... ... ... .... ... .......................................... ... ... ... .... .................................428

Priority-based Flow Control (PFC) Commands................... ... .... ... ... ... .... ............................................. .................436

Protocol Independent Commands.........................................................................................................................439

Protocol Independent Multicast (PIM) Commands................................................................................................449

Quality of Service (QoS) Commands ....................................................................................................................467

Quantized Congestion Notification (QCN) Commands .........................................................................................487

RADIUS Commands..............................................................................................................................................497

Remote Network MONitoring (RMON) Commands...............................................................................................502

Routing Information Protocol (RIP) Commands....................................................................................................508

......................417

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

Route Map Commands........................ ... ... .... ... ... ... .......................................... .... ... ... ... ........................................523

Secure Shell (SSH) Commands............................................................................................................................536

Simple Network Management Protocol (SNMP) Commands........................................... .... ... ... ... .... ... ... ... ... .... ....539

Simple Network Time Protocol (SNTP) and Clock Commands.............................................................................551

Spanning Tree Protocol (STP) Commands...........................................................................................................557

Storm Control Commands.....................................................................................................................................574

Switch Management Commands......................... ... .... ... ... ... ... .... ... ... ... .... ... ... ... .... .................................................578

Syslog Commands ................................................................................................................................................584

TACACS+ Commands ..........................................................................................................................................591

TELNET Commands .............................. .......................................... ... ..................................................................595

Time Range Commands........................................................................................................................................597

Traffic Segmentation Commands..........................................................................................................................599

Upgrade and Maintenance Commands.................................................................................................................601

Virtual LAN (VLAN) Commands............................................................................................................................603

Virtual Private LAN Service (VPLS) Commands...................................................................................................616

Virtual Private Wire Service (VPWS) Commands .................................................................................................628

Virtual Router Redundancy Protocol (VRRP) Commands ....................................................................................632

VLAN Mapping Commands...................................................................................................................................642

VLAN Tunnel Commands......................................................................................................................................646

VRF-Lite Commands.............................................................................................................................................653

Weighted Random Early Detection (WRED) Commands......................................................................................659

Appendix A - Password Recovery Procedure .......................................................................................................664

Appendix B - System Log Entries..........................................................................................................................665

Appendix C - Trap Entries.....................................................................................................................................685

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

Basic CLI Commands

1-1 help

This command is used to display a brief description of the help system. Use the help command in any command mode.

help

Parameters Default Command Mode

Command Default Level Usage Guideline

None. None. Exec Mode

Privileged Mode All Configuration Modes

Level: 1 This command provides a brief description of the context-sensitive help system,

which functions as follow:

• To list all commands available for a particular command mode, enter a question mark “?” at the system prompt.

• To obtain a list of commands that begin with a particular character string, enter the abbreviated command entry immediately followed by a question mark “ ?”. Do not leave a space between the keyword and question mark. This form of help is called word help, because it lists only the keywords or argument s that begin with the abbreviation you entered.

• To list the keywords and ar g um e nts associat ed w ith a co mm a nd , en te r a question mark “?” in place of a keyword or argument on the command line. Leave a space between the keyword and question mark. This form of help is called command syntax help, because it lists the keywords or arguments that apply based on the command, keywords, and arguments you have already entered.

Note: To complete a partial command name, enter the abbreviated command name followed by a <Tab> key . Examp le: ‘ s how addr <Tab>’. To enter the character “?” in the command argument, press Ctrl+V immediately followed by the character “?”.

Example

DXS-3600-32S>help

Help may be requested at any point in a command by entering a question mark '?'. If nothing matches, the help list will be empty and you must backup until entering a '?' shows the available options. Two styles of help are provided:

1. Full help is available when you are ready to enter a command argument (e.g. 'ip ?') and describes each possible argument.

2. Partial help is provided when an abbreviated argument is entered and you want to know what arguments match the input (e.g. 'ip a?'.)

Note:

1. For completing a partial command name could enter the abbreviated command name immediately followed by a <Tab> key.

2. If wants to enter the character '?' in the command argument, please press ctrl+v immediately followed by the character '?'.

DXS-3600-32S>

This example shows how to display a brief description of the help system. The field descriptions are self-explanatory.

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

Example

DXS-3600-32S#re? reboot rename

DXS-3600-32S#re

Example

DXS-3600-32S#configure terminal DXS-3600-32S(config)#ip access-list standard ? WORD Access-list name(the first character must be a letter) <1-1999> Standard IP access-list number

DXS-3600-32S(config)#ip access-list standard

This example shows how to use the word ‘help’ to display all the privileged mode commands that begin with the letters “re”. The letters entered, before the question mark, are reprinted on the next command line to allow the user to continue entering the command.

This example shows how to use the command syntax, ‘help’, to display the next argument of a partially completed ip access-list standard command. The characters entered, before the question mark, is reprinted o n the next command line to allow the user to continue entering the command.

1-2 prompt

This command is used to customize the CLI prompt. Execute the prompt command in global configuration mode. To revert to the default prompt, execute the no form of this command.

prompt string no prompt

Parameters

string Enter the character string that will be displayed on screen as the CLI prompt here.

Default Command Mode Command Default Level Usage Guideline

Example

DXS-3600-32S#configure terminal DXS-3600-32S(config)#prompt Router Router(config)#

The default prompt value is ‘DXS-3600-32S’. Global Configuration Mode Level: 3 The default prompt string is the system’s name. To restore the prompt to the default

value, use the ‘no prompt’ command in global configuration mode.

This example shows how to configure a customized prompt string, used in the CLI. IN this example we’ll change the prompt to the word ‘Router’.

1-3 banner login

This command is used to configure and customized the banner that will be displayed before the username and password login prompts. Use the banner logi n command in glo bal configuration mode. To disable the customized login banner, use no form of this command.

banner login c message c no banner login

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

Parameters

c Specifies the separator of the login banner message, for example a ha sh sign (# ).

The delimiting character is not allowed in the login banner message.

message Enter the contents of the login banner, that will be displayed before the username

and password login prompts, here.

Default Command Mode Command Default Level Usage Guideline

Displays the switch type and other contents defined by the system. Global Configuration Mode Level: 3 Follow the banner login command with one or more blank spaces and a delimiting

character of your choice. Enter one or more lines of text, terminating the message with the second occurrence of the delimiting character. For example with a hash sign (#) being the delimiting character, after inputting the delimiting character, press the enter key, then the login banner contents can be typed. The delimiting character need to be inputted then press enter to complete the type.

To reset the login banner contents to default, use the ‘no banner login’ command in global configuration mode.

Note: The typed additional characters after the end delimiting character are invalid. These characters will be discarded by the system. The delimiting character can not be used in the text of login banner.

Example

This example shows how to configure the login banner . The hash sig n (#) is used as the delimiting character. The starting delimiting character, banner contents and ending delimiting character will be entered before pressing the first enter key.

DXS-3600-32S#configure terminal DXS-3600-32S(config)#banner login #Enter Command Line Interface# DXS-3600-32S(config)#end DXS-3600-32S#logout

Enter Command Line Interface

User Access Verification

Username:

Example

This example shows how to configure the login banner . The hash sig n (#) is used as the delimiting character.

DXS-3600-32S#configure terminal DXS-3600-32S(config)#banner login # LINE c banner-text c, where 'c' is a delimiting character Enter Command Line Interface # DXS-3600-32S(config)#end DXS-3600-32S#logout

Enter Command Line Interface

User Access Verification

Username:

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

1-4 exit

This command is used to exit any configuration mode to the next highest mode in the CLI mode hierarchy. Use the exit command in any configuration mode. If th e current mo de is the highest mode (Exec Mode, Privileged Mod e) in the CLI mode hierarchy, execute the exit command to close the active terminal session by logging off the switch.

exit

Parameters Default Command Mode

None. None. Exec Mode

Privileged Mode All Configuration Modes

Command Default Level Usage Guideline

Level: 1 Use the exit command in the highest mode (Exec Mode, Privileged Mode) to exit the

active session (exit from the mode process and log off from the device). If the current session is console, the account will logout. if there is another session running, it will be closed.

Use the exit command in any configuration mode to th e next highest mode in th e CLI mode hierarchy. For example, use the exit command in global configuration mode to return to privileged mode.

Example

This example shows how to exit from the Line Configuration Mode to return to the Global Configuration Mode and exit from the Global Configuration Mode to return to the privileged mode.

DXS-3600-32S(config-line)#exit DXS-3600-32S(config)#exit DXS-3600-32S#

Example

This example shows how to use the exit command, in the p rivileg ed mo de, to logout of the current account.

DXS-3600-32S#exit

Switch con0 is now available

Press any key to login...

16 2000-01-22 01:20:37 INFO(6) Logout through Console (Username: admin)

DXS-3600-32S TenGigabit Ethernet Switch

Command Line Interface

Firmware: Build 1.10.023

User Access Verification

Username:

Example

This example shows how to use the exit command, in the privileged mode, in a Telnet session, to exit this mode and close the active session.

DXS-3600-32S#exit

1-5 end

This command is used to end the current configuration mod e and return to the highest mod e in the CLI mode hierarch y. Use the end command in any configuration mode.

end

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

Parameters Default Command Mode

Command Default Level Usage Guideline

Example

DXS-3600-32S(config-line)#end DXS-3600-32S#

Example

DXS-3600-32S#end DXS-3600-32S#disable DXS-3600-32S>end DXS-3600-32S>

None. None. Exec Mode

Privileged Mode All Configuration Modes

Level: 1 Execute this command to return back to the highest mode in the CLI mode hierar chy

regardless of what configuration mode or configuration sub-mode currently located. Note: This global command can be used in any mode, but if the current located

mode is the highest mode in the CLI mode hierarchy (Exec Mode, Privileged Mode), executing this command will not have any effect. If the current located mode is any configuration mode, execute this command will return to the privileged mode.

This example shows how to use the end command in the Line Configuratio n Mode to return to the privileged mode.

This example shows how to use the end command in the privileged and EXEC mode.

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

802.1X Commands

2-1 dot1x default

This command is used to reset the IEEE 802.1X parameters on a specific port to their default settings.

dot1x default

Parameters Default

Command Mode Command Default Level Usage Guideline

Example

DXS-3600-32S#configure terminal DXS-3600-32S(config)#interface tenGigabitEthernet 1/0/1 DXS-3600-32S(config-if)#dot1x default DXS-3600-32S(config-if)#

None. Port control mode - Auto

Port PAE type - None Port control direction - Both Quiet period when authentication fails - 60 seconds Re-authentication interval when authentication succeeds - 3600 seconds Default timeout value waiting for a response from RADIUS - 30 seconds Default timeout value waiting for a reply from Supplicant - 30 seconds Default transmission interval from the Authenticator to the Supplicant - 30 seconds Default maximum number of authentication request - 2 times Re-authentication state on the port - Disabled

Interface Configuration Mode. Level: 8 This command is used to reset all the IEEE 802.1X parameters on a specific port to

their default settings.

This example shows how to reset the 802.1X parameters on port 1.

2-2 dot1x port-control

This command is used to manually control the authorization state on a specific port. Use the no form of this command to reset the authorization state of the specific port to its default state (auto).

dot1x port-control {auto | force-authorized | forc e-unauthorized} no dot1x port-control

Parameters

auto Specifies to enable IEEE 802.1X authentication. The state (authorized or

unauthorized) for a specific port is determined according to the outcome of the authentication.

force-authorized Specifies to force a specific port to change to the authorized state without an

authentication exchange.

force-unauthorized Specifies to deny all access on a specific port by forcing the port to change to the

unauthorized state, ignoring all authentication attempts.

Default Command Mode Command Default Level Usage Guideline

The default authorization state is auto. Interface Configuration Mode. Level: 8 The configuration for this command on a specific port won’t be in operation if you

don’t configure the port as an IEEE 802.1X PAE authenticator by using the ‘dot1x pae authenticator’ command.

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

Example

DXS-3600-32S#configure terminal DXS-3600-32S(config)#interface tenGigabitEthernet 1/0/1 DXS-3600-32S(config-if)#dot1x port-control force-unauthorized DXS-3600-32S(config-if)#

This example shows how to deny all access to port 1.

2-3 dot1x pae authenticator

This command is used to configure a specific port as an IEEE 802.1X port access entity (PAE) authenticator. Use the no form of this command to disable IEEE 802.1X authentication on the port.

dot1x pae authenticator no dot1x pae

Parameters Default Command Mode Command Default Level Usage Guideline

None. The 802.1X is disabled on a port by default. Interface Configuration Mode. Level: 8 Y ou must also globally enable IEEE 802.1X authentication on the switch by using the

‘dot1x system-auth-control’ command.

Example

DXS-3600-32S#configure terminal DXS-3600-32S(config)#interface tenGigabitEthernet 1/0/1 DXS-3600-32S(config-if)#dot1x pae authenticator DXS-3600-32S(config-if)#

This example shows how to configure port 1 as an IEEE 802.1X PAE authenticator.

2-4 dot1x control-direction

This command is used to configure the direction of the traffic on a controlled port as unidirectional (in) or bidirectional (both). Use the no form of this command to reset the control direction of a port to its default value (both).

dot1x control-direction {both | in} no dot1x control-direction

Parameters

both Specifies to enable bidirectional control. Both incoming and outgoing traffic thr ough

an IEEE 802.1X-enabled port are prevented if the port is not in the authorized state.

in Specifies to enable unidirectional control. Incoming traffic through an IEEE 802.1X-

enabled port is prohibited if the port is not the authorized state.

Default Command Mode Command Default Level

The default is in bidirectional mode. Interface Configuration Mode. Level: 8

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

Usage Guideline

Example

DXS-3600-32S#configure terminal DXS-3600-32S(config)#interface tenGigabitEthernet 1/0/1 DXS-3600-32S(config-if)#dot1x control-direction in DXS-3600-32S(config-if)#

The configuration for this command on a specific port won’t be in operation if you don’t configure the port as an IEEE 802.1X PAE authenticator by using the ‘dot1x pae authenticator’ command.

When the port is in the force-unauthorized state or in the unauthorized state after authentication, the traffic is controlled based on the setting of this command.

When the port is in the force-authorized state or becomes authorized after authentication, the traffic will be allowed in both directions.

This example shows how to specify the direction of traffic through Ethernet port 1. The direction is set as unidirectional.

2-5 dot1x timeout

This command is used to configure the IEEE 802.1X timers.

dot1x timeout {quiet-period <sec 0-65535> | reauth-period <sec 1-65535> | server-timeout <sec 1-65535> |

supp-timeout <sec 1-65535> | tx-period <sec 1-65535>}

Parameters

quiet-period <sec 0-

65535> reauth-period <sec 1-

65535> server-timeout <sec 1-

65535> supp-timeout <sec 1-

65535>

tx-period <sec 1-65535> Number of seconds that the switch will wait for a response to an EAP-Request or

Default

Command Mode Command Default Level Usage Guideline

Number of seconds that the switch will be in the quiet state in the wake of a failed authentication process. The range is 0 to 65535

Number of seconds between re-authentication attempts. The range is 1 to 65535.

Number of seconds that the switch will wait for the request from the authentication server before timing out the server. The range is 1 to 65535.

Number of seconds that the switch will wait for the response from the supplicant before timing out the supplicant. The range is 1 to 65535.

Identity frame from the supplicant before retransmitting the request. The range is 1 to 65535

The default quiet period when authentication fails is 60 seconds (quiet-period). The default re-authentication interval when authenticatio n succeeds is 3600 seconds (reauth-period). The default timeout value waiting for a response from RADIUS is 30 seconds (server-timeout). The default timeout value waiting for a reply from Supplicant is 30 seconds (supptimeout). The default transmission interval from the Authenticator to the Supplicant is 30 seconds (tx-period).

Interface Configuration Mode. Level: 8 The ‘dot1x timeout reauth-period’ command is in operation only if you have

enabled re-authentication by using the ‘dot1x re-authentication interface configuration’ command.

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

Example

DXS-3600-32S#configure terminal DXS-3600-32S(config)#interface tenGigabitEthernet 1/0/1 DXS-3600-32S(config-if)#dot1x timeout quiet-period 20 DXS-3600-32S(config-if)#dot1x timeout reauth-period 1000 DXS-3600-32S(config-if)#dot1x timeout server-timeout 15 DXS-3600-32S(config-if)#dot1x timeout supp-timeout 15 DXS-3600-32S(config-if)#dot1x timeout tx-period 10 DXS-3600-32S(config-if)#

This example shows how to configure the quiet period, reauthentication period, server timeout value, supplicant timeout value, and transmission period for Ethernet port 1 to be 20, 1000, 15, 15, and 10 seconds, respectively.

2-6 dot1x max-req

This command is used to configure the maximum number of times that the backend authentication state machine will retransmit an Extensible Authentication Protocol (EAP) request frame to the supplicant before restarting the authentication process. Use the no form of this command to reset the maximum number of times to its default value.

dot1x max-req <int 1-10> no dot1x max-req

Parameters

max-req <int 1-10> Number of times that the switch retransmits an EAP frame to th e supplicant before

restarting the authentication process. The range is 1 to 10.

Default Command Mode Command Default Level Usage Guideline

Example

DXS-3600-32S#configure terminal DXS-3600-32S(config)#interface tenGigabitEthernet 1/0/1 DXS-3600-32S(config-if)#dot1x max-req 3 DXS-3600-32S(config-if)#

The default value is 2 times. Interface Configuration Mode. Level: 8 This command is used to set the maximum number of times that the backend

authentication state machine will retransmit an Extensible Authentication Protocol (EAP) request frame to the supplicant before restarting the authentication process.

This example shows how to set the maximum number of retries allowed on port 1. The maximum number of retries is set to 3.

2-7 dot1x reauthentication

This command is used to enable periodic reauthentication. Use the no form of this command to return to disable periodic reuthentication.

dot1x reauthentication no dot1x reauthentication

Parameters Default Command Mode Command Default Level

None. The periodic reauthentication on interface is disabled by default. Interface Configuration Mode. Level: 8

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

Usage Guideline

Example

DXS-3600-32S#configure terminal DXS-3600-32S(config)#interface tenGigabitEthernet 1/0/1 DXS-3600-32S(config-if)#dot1x reauthentication DXS-3600-32S(config-if)#

You can configure the number of seconds between reauthentication attempts by using the ‘dot1x timeout reauth-period’ command.

This example shows how to enable periodic reauthentication on Ethernet port 1.

2-8 dot1x re-authenticate

This command is used to reauthenticate a specific port or a specific MAC address.

dot1x re-authenticate {interface <interface-id> | mac-address <mac-address>}

Parameters

interface <interface-id> (Optional) Specifies a port to reauthenticate. Valid interfaces are physical ports. mac-address <mac-

address>

(Optional) Specifies a MAC address to re-authenticate. The function can be used only if the authentication mode is host-based.

Default Command Mode Command Default Level Usage Guideline

Example

DXS-3600-32S#configure terminal DXS-3600-32S(config)#dot1x re-authenticate interface tenGigabitEthernet 1/0/1 DXS-3600-32S(config)#

This command has no default value. Global Configuration Mode. Level: 8 Under port-based mode, use the parameter interface <interface-id> to re-

authenticate a specific port. Under host-based mode, use the parameter mac- address <mac-address> to reauthenticate a specific MAC address.

This example shows how to reauthenticate Ethernet port 1.

2-9 dot1x initialize

This command is used to initialize the authenticator state machine on a specific port or associated with a specific MAC address.

dot1x initialize {interface <interface-id> | mac-address H.H.H}

Parameters

interface <interface-id> (Optional) Specifies a port on which the authenticator state machine will be

initialized. Valid interfaces are physical ports.

mac-address H.H.H (Optional) Specifies a MAC address with which the authenticator state machine

associates will be initialized. The function can be used only if the authentication mode is host-based.

Default Command Mode Command Default Level

None. Global Configuration Mode. Level: 8

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

Usage Guideline

Example

DXS-3600-32S#configure terminal DXS-3600-32S(config)#dot1x initialize interface tenGigabitEthernet 1/0/1 DXS-3600-32S(config)#

Under port-based mode, use the parameter interface <interface-id> to initialize a specific port. Under host-based mode, use the parameter mac-address <mac- address> to initialize a specific MAC address.

This example shows how to initialize the authenticator state machine on Ethernet port 1.

2-10 dot1x system-auth-control

This command is used to globally enable IEEE 802.1X authentication on the switch. Use the no form of this command to disable IEEE 802.1X function.

dot1x system-auth-control no dot1x system-auth-control

Parameters Default Command Mode Command Default Level Usage Guideline

None.

802.1X is disabled globally by default.

Global Configuration Mode. Level: 8 Use this command to enable 802.1X authentication globally.

Example

DXS-3600-32S#configure terminal DXS-3600-32S(config)#dot1x system-auth-control DXS-3600-32S(config)#

This example shows how to enable IEEE 802.1X authentication on the switch.

2-11 dot1x system-max-user

This command is used to configure the maximum number of users that can be learned via 80 2.1X authentication. Use the no form of this command to reset to the defaulting settings.

dot1x system-max-user <int 1-4096> no dot1x system-max-user

Parameters

<int 1-4096> Specifies the maximum number of users.

Default

Command Mode Command Default Level Usage Guideline

By default, the maximum number of users that can be learned via 802.1X authentication is 4096.

Global Configuration Mode. Level: 8 The setting is a global limitation on the maximum number of users that can be

learned via 802.1X authentication. In addition to the global limitation, the maximum number of users per port is also limited.

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

Example

DXS-3600-32S#configure terminal DXS-3600-32S(config)#dot1x system-max-user 128 DXS-3600-32S(config)#

This example shows how to configure the maximum number of users, that is allowed to be learned via the 802.1X authentication. The maximum number of users allowed is 128.

2-12 dot1x port-max-user

This command is used to configure the maximum number of users that can be learned via 802.1X authentication on a specific port. Use the no form of this command to reset to the defaulting settings.

dot1x port-max-user <int 1-4096> no dot1x port-max-user

Parameters

<int 1-4096> Specifies the maximum number of users on a port.

Default

Command Mode Command Default Level Usage Guideline

By default, the maximum number of users that can be learned via 802.1X authentication on a port is 16.

Interface Configuration Mode. Level: 8 The setting is an interface limitation on the maximum number of users that can be

learned via 802.1X authentication. In addition to the interface limitation, the global maximum number of users is also limited.

Example

DXS-3600-32S#configure terminal DXS-3600-32S(config)#interface tenGigabitEthernet 1/0/1 DXS-3600-32S(config-if)#dot1x port-max-user 32 DXS-3600-32S(config-if)#

This example shows how to configure the maximum numbers of users allowed on port 1. The maximum number of users allowed is 32.

2-13 dot1x system-fwd-pdu

This command is used to globally control the forwarding of EAPOL PDUs. Use the no form of this command to reset to the defaulting settings.

dot1x system-fwd-pdu no dot1x system-fwd-pdu

Parameters Default Command Mode Command Default Level Usage Guideline

None.

802.1X can not forward EAPOL PDUs by default.

Global Configuration Mode. Level: 8 When 802.1X functionality is disabled globally or for a port, and if 802.1X is set to

forward EAPOL PDUs both globally and for the port, a received EAPOL packet on the port will be flooded in the same VLAN to those ports which have 802.1X forwarding EAPOL PDUs enabled and 802.1X is disabled (globally or just for the port). 802.1X can not forward EAPOL PDUs by default.

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

Example

DXS-3600-32S#configure terminal DXS-3600-32S(config)#dot1x system-fwd-pdu DXS-3600-32S(config)#

This example shows how to enable the forwarding of EAPOL PDUs, globally, on the switch.

2-14 dot1x port-fwd-pdu

This command used to control the forwarding of EAPOL PDUs on specific ports. Use the no form of this command to reset to the defaulting settings.

dot1x port-fwd-pdu no dot1x port-fwd-pdu

Parameters Default Command Mode Command Default Level Usage Guideline

None.

802.1X can not forward EAPOL PDUs on all ports by default.

Interface Configuration Mode. Level: 8 This is a per-port setting to control the forwarding of EAPOL PDUs. When 802.1X

functionality is disabled globally or for a port, and if 802.1X is set to forward EAPOL PDUs both globally and for the port, a received EAPOL packet on the port will be flooded in the same VLAN to those ports which have 802.1X forwarding EAPOL PDUs and 802.1X is disabled (globally or just for the port). 802.1X can not forward EAPOL PDUs on all ports by default.

Example

DXS-3600-32S#configure terminal DXS-3600-32S(config)#dot1x system-fwd-pdu DXS-3600-32S(config)#end

DXS-3600-32S#configure terminal DXS-3600-32S(config)#interface tenGigabitEthernet 1/0/1 DXS-3600-32S(config-if)#no dot1x pae DXS-3600-32S(config-if)#dot1x port-fwd-pdu DXS-3600-32S(config-if)#

This example shows how to enable the forwarding of EAPOL PDUs on port 1.

2-15 show dot1x

This command is used to display the IEEE 802.1X global configuration, interface configuration, authentication state, statistics, diagnostics, and session statistics.

show dot1x [[interface INTERFACE-ID] {auth-configuration | auth-state | statistics | diagnostics | session-

statistics}]

Parameters

interface INTERFACE-ID (Optional) Specifies a port to display authentication state, configuration, statistics,

diagnostics, or session statistics.

auth-configuration Displays the IEEE 802.1X interface configuration. auth-state Displays the IEEE 802.1X authentication state. statistics Displays the IEEE 802.1X information about the authenticator statistics diagnostics Displays the IEEE 802.1X information about the authenticator diagnostics. session-statistics Displays the IEEE 802.1X information about the authenticator session statistics.

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

Default Command Mode Command Default Level Usage Guideline

None. Privileged EXEC Mode. Level: 15 Use this command display the IEEE 802.1X global configuration, interface

configuration, authentication state, statistics, diagnostics, and session statistics. When no interface is specified, information about all interfaces will be displayed.

Example

DXS-3600-32S#show dot1x

802.1X : Disabled Forward EAPOL PDU : Disabled Max User : 4096

DXS-3600-32S#

Example

This example shows how to display the 802.1X global configuration.

This example shows how to display the 802.1X configuration for the interface TenGigabitEthernet1/0/1.

DXS-3600-32S#show dot1x interface tenGigabitEthernet 1/0/1 auth-configuration

Interface : TenGigabitEthernet1/0/1 Capability : None AdminCrlDir : Both OperCrlDir : Both Port Control : Auto QuietPeriod : 60 sec TxPeriod : 30 sec SuppTimeout : 30 sec ServerTimeout : 30 sec MaxReq : 2 times ReAuthPeriod : 3600 sec ReAuthenticate : Disabled Forward EAPOL PDU On Port : Disabled Max User On Port : 16

DXS-3600-32S#

Example

DXS-3600-32S#show dot1x auth-state

Status: A - Authorized; U - Unauthorized; (P): Port-Based 802.1X;Pri:Priority Interface MAC Address Auth PAE State Backend State Status VID Pri VID

------------------------- ----------------- --- -------------- ------------- ------ ---- --TenGigabitEthernet1/0/1 00-00-00-00-00-01 10 Authenticated Idle A 4004 3 TenGigabitEthernet1/0/1 00-00-00-00-00-02 10 Authenticated Idle A 1234 TenGigabitEthernet1/0/1 00-00-00-00-00-04 30 Authenticating Response U - TenGigabitEthernet1/0/2 - (P) - Authenticating Request U - TenGigabitEthernet1/0/3 - (P) - Connecting Idle U - TenGigabitEthernet1/0/14 - (P) - Held Fail U - -

Total Authenticating Hosts :2 Total Authenticated Hosts :2

DXS-3600-32S#

This example shows how to display the 802.1X authentication state.

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

Example

This example shows how to display the 802.1X statistics for the interface TenGigabitEthernet1/0/1.

DXS-3600-32S#show dot1x interface tenGigabitEthernet 1/0/1 statistics

MAC Address : 00-00-00-00-00-02 Interface : TenGigabitEthernet1/0/1

EAPOLFramesRx 0 EAPOLFramesTx 6 EAPOLStartFramesRx 0 EAPOLReqIdFramesTx 6 EAPOLLogoffFramesRx 0 EAPOLReqFramesTx 0 EAPOLRespIdFramesRx 0 EAPOLRespFramesRx 0 InvalidEAPOLFramesRx 0 EapLengthErrorFramesRx 0 LastEAPOLFrameVersion 0 LastEAPOLFrameSource 00-00-00-00-00-03

DXS-3600-32S#

Example

This example shows how to display the 802.1X diagnostics for the interface TenGigabitEthernet1/0/1.

DXS-3600-32S#show dot1x interface tenGigabitEthernet 1/0/1 diagnostics

MAC Address : 00-00-00-00-00-02 Interface : TenGigabitEthernet1/0/1

EntersConnecting 20 EapLogoffsWhileConnecting 0 EntersAuthenticating 0 SuccessWhileAuthenticating 0 TimeoutsWhileAuthenticating 0 FailWhileAuthenticating 0 ReauthsWhileAuthenticating 0 EapStartsWhileAuthenticating 0 EapLogoffWhileAuthenticating 0 ReauthsWhileAuthenticated 0 EapStartsWhileAuthenticated 0 EapLogoffWhileAuthenticated 0 BackendResponses 0 BackendAccessChallenges 0 BackendOtherRequestsToSupplicant 0 BackendNonNakResponsesFromSupplicant 0 BackendAuthSuccesses 0 BackendAuthFails 0

DXS-3600-32S#

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

Example

This example shows how to display the 802.1X session statistics for the interface TenGigabitEthernet1/0/1.

DXS-3600-32S#show dot1x interface tenGigabitEthernet 1/0/1 session-statistics

MAC Address : 00-00-00-00-00-02 Interface : TenGigabitEthernet1/0/1

SessionOctetsRx 0 SessionOctetsTx 0 SessionFramesRx 0 SessionFramesTx 0 SessionId ether1_1-1 SessionAuthenticMethod Remote Authentication Server SessionTime 3 SessionTerminateCause NotTerminatedYet SessionUserName user_test

DXS-3600-32S#

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

Access Control List (ACL) Commands

Throughout this chapter, we'll refer to two abbreviates called:

ACL - Access Control List. ACE - Access Control Entry

3-1 ip access-list standard

This command is used to create or modify a standard IP ACL. This command will enter into the standard IP access-list configuration mode. Use the no command to remove a st andard IP access-list.

ip access-list standard {[id | name]} no ip access-list standard {id | name}

Parameters

id Enter the ID of standard IP ACL here. This value must be between 1 and 1999. name The name of the standard IP access-list to be conf igured. The name can be up to 3 2

characters.

Default Command Mode Command Default Level Usage Guideline

Example

DXS-3600-32S#configure terminal DXS-3600-32S(config)#ip access-list standard Std-ip DXS-3600-32S(config-std-nacl)#end DXS-3600-32S#show access-list

Standard IP access list 1999 Std-ip DXS-3600-32S#

None. Global Configuration Mode. Level: 12 Standard IP ACL only filters the IPv4 packet.

The name must be unique among all (includin g MAC, IP, IPv6 or Expert) acce ss-list s and the first character of name must be a letter.

When creating an ACL, through assigning a name, an ID will be assigned automatically. The ID assignment rule will start from the maximum ID of 1999 and decrease 1 per new ACL.

When creating an ACL through assigning an ID, a name will be assigned automatically. The name assignment rule is ‘std-ip’ + “-” + ID. If this name conflicts with the name of an existing ACL, then it will be renamed based on the following rule: ‘std-ip’ + “-” + ID +”alt”.

This example shows how to create a standard ACL.

3-2 permit | deny (ip standard access-list)

Use the permit command to add a permit entry. Use the deny command to add a deny entry. Use the no command to remove an entry.

[sn] {permit | deny} {source source-wildcard | host source | any} no sn

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

Parameters

sn (Optional) Specifie s the ACE sequence number used. Th is number must be between

1 and 65535.

source source-wildcard Specifies the source IP address. Masks are used with IP addresses in IP ACLs to

specify what should be permitted and denied. Masks, in order to configure IP addresses on interfaces, start with 255 and have the large values on the left side. For example, IP address 209.165.202.129 with a 255.255.255.224 mask. Masks for IP ACLs are the reverse, for example, mask 0.0.0.255. This is sometimes called an inverse mask or a wildcard mask. When the value of the mask is broken down into binary (0s and 1s), the results determine which address bits are to be considered in processing the traffic. A 0 indicates that the address bits must be considered (exact match); a 1 in the mask is not considered.

host source Specifies a specific source IP address. any Means any source IP address.

Default Command Mode Command Default Level Usage Guideline

Example

DXS-3600-32S#configure terminal DXS-3600-32S(config)#ip access-list standard Std-acl DXS-3600-32S(config-std-nacl)#permit 10.20.0.0 0.0.255.255 DXS-3600-32S(config-std-nacl)#end DXS-3600-32S#show access-list

Standard IP access list 1998 Std-acl 10 permit 10.20.0.0 0.0.255.255 Standard IP access list 1999 Std-ip DXS-3600-32S#

None. Standard IP Access-list Configuration Mode. Level: 12 A sequence number will be assigned automatically if the user does not assign it

manually. The automatically assign sequence number starts from 10, and increase 10 per new entry. The start sequence number and sequence increment of the IP ACL can be configured manually.

This example shows how to create a standard IP ACL, named Std-ip. This entry will permit packets to the source network 10.20.0.0/16.

3-3 ip access-list extended

This command is used to create or modify an extended IP ACL. This command will enter into the extended IP accesslist configuration mode. Use the no command to remove an extended IP access-list.

ip access-list extended {[id | name]} no ip access-list extended {id | name}

Parameters

id Specifies the ID number of the extended IP ACL. This value must be between 2000

and 3999.

name Spe cifies the name of the extended IP access-list to be configu red. The name can be

up to 32 characters.

Default Command Mode Command Default Level

None. Global Configuration Mode. Level: 12

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

Usage Guideline

Extended IP ACL only filters IPv4 packets. The name must be unique among all (includin g MAC, IP, IPv6 or Expert) acce ss-list s and the first character of the name must be a letter.

When creating an ACL through assigning a name, an ID will be assigned automatically. The ID assignment rule will start from the maximum ID of 3999 and decrease 1 per new ACL.

When creating an ACL through assigning an ID, a name will be assigned automatically. The name assignment rule is ‘ext-ip’ + “-” + ID. If this name conflicts with the name of an existing ACL, then it will be renamed based on the following rule: ‘ext-ip’ + “-” + ID +”alt”.

Example

DXS-3600-32S#configure terminal DXS-3600-32S(config)#ip access-list extended Ext-ip DXS-3600-32S(config-ext-nacl)#end DXS-3600-32S#show access-list

Standard IP access list 1998 Std-acl 10 permit 10.20.0.0 0.0.255.255 Standard IP access list 1999 Std-ip Extended IP access list 3999 Ext-ip DXS-3600-32S#

This example shows how to create an extended ACL.

3-4 permit | deny (ip extended access-list)

Use the permit command to add a permit entry. Use the deny command to add a deny entry. Use the no command to remove a specific entry.

Extended IP ACL:

[sn] {permit | deny} protocol {source source-wildcard | host source | any} {destination destination-wildcard | host

destination | any} [precedence precedence] [tos tos] [fragments] [time-range time-range-name]

Extended IP ACLs of some important protocols:

[sn] {permit | deny} tcp {source source-wildcard | host source | any} [operator port] {destination destination-

wildcard | host destination | any} [operator port] [tcp-flag] [precedence precedence] [tos tos] [fragments] [time-range time-range-name]

[sn] {permit | deny} udp {source source–wildcard | host source | any} [operator port] {destination destination-

wildcard | host destination | any} [operator port] [precedence precedence] [tos tos] [fragments] [time-range time-range-name]

[sn] {permit | deny} icmp {source source-wildcard | host source | any} {destination destination-wildcard | host

destination | any} [{icmp-type [icmp-code] | icmp-message}] [precedence precedence

[time-range time-range-name]

no sn

Parameters

sn (Optional) Specifie s the ACE sequence number used. Th is number must be between

1 and 65535.

protocol Specifies the name or number of an IP protocol: 'eigrp', 'esp', 'gre', 'igmp', 'ip', 'ipinip',

'ospf', 'pcp', 'pim', 'tcp', 'udp', 'icmp' or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol. Additional specific parameters for ‘tcp’, ‘udp’, and ‘icmp’. The ‘ip’ means any IP Protocol.

source Specifies the source IP address. source-wildcard Applies wildcard bits to the source.

host source Specifies a specific source IP address. any Means any source or destination IP address.

] [tos tos] [fragments]

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

destination Specifies the destination IP address. destination-wildcard Applies wildcard bits to the destination. host destination Specifies a specific destination IP address. operator (Optional) Possible operators include ‘eq’ (equal), ‘gt’ (greater than), ‘lt’ (less than),

‘neq’ (not equal), and ‘range’ (inclusive range). A range needs two port numbers, while other operators only need one port number.

port Specifies the Layer 4 port number as a decimal number (from 0 to 65535) or the

name of a Layer 4 port.

TCP ports used:

'bgp', 'chargen', 'daytime', 'discard', 'domain', 'echo', 'rexec', 'finger', 'ftp', 'ftp-data',

'gopher', 'hostname', 'ident', 'irc', 'klogin', 'kshell', 'login', 'lpd', 'nntp', 'snpp', 'pop2', 'pop3', 'smtp', 'sunrpc', 'shell', 'tacacs', 'telnet', 'time', 'uucp', 'whois', 'http'.

UDP ports used:

'biff', 'bootpc', 'bootps', 'discard', 'irc', 'domain', 'echo', 'isakmp', 'mobile-ip',

'nameserver', 'netbios-dgm', 'netbios-ns', 'netbios-ss', 'nat-t', 'ntp', 'snpp', 'rip', 'snmp', 'snmptrap', 'sunrpc', 'syslog', 'tacacs', 'talk' , 'tftp', 'time', 'who', 'xdmcp'.

precedence precedence (Optional) Packets can be filtered by precedence level, as specified by a number

from 0 to 7 or by name: routine (0), priority (1), immediate (2), flash (3), flashoverride (4), critical (5), internet (6), network (7).

tos tos (Optional) Packets can be filtered by type of service level, as specified by a number

from 0 to 15 or by name: normal (0) , min-monetary-cost(1), max-reliability (2), maxthroughput (4), min-delay (8).

fragments (Optional) Packet fragment filtering.

time-range time-rangename

tcp-flag (Optional) Specifies the TCP flag fields. The specified TCP header bits are: ack

icmp-type (Optional) Specifies the ICMP message type. The valid number for the message type

icmp-code (Optional) Specifies the ICMP message code. The valid number for the message

icmp-message (Optional) Specifies the ICMP message type name or the ICMP message type and

(Optional) Specifies the name of time-period profile associated with the access-list delineating its activation period.

(acknowledge), fin (finish), psh (push), rst (reset), syn (synchronize), or urg (urgent).

is from 0 to 255.

code is from 0 to 255

code by name. Code names that can be used are 'administratively-prohibited', 'alternate-address', 'conversion-error', 'host-prohibited', 'net-prohibited', 'echo', 'echo-reply', 'pointer-indicates-err or ', 'host-isolated', 'host-precedence-violation', 'host-redirect', 'host-tos-redirect', 'host-tos-unreachable', 'host-unknown', 'hostunreachable', 'information-reply', 'information-request', 'mask-reply', 'mask-request', 'mobile-redirect', 'net-redirect', 'net-tos-redirect', 'net-tos-unreachable', 'netunreachable', 'net-unknown', 'bad-length', 'op tion-missing', 'packet-fragment', 'parameter-problem', 'port-unreachable', 'precedence-cutoff', 'protocol-unreachable', 'reassembly-timeout', 'redirect-message', 'router-advertisement', 'router-solicitation', 'source-quench', 'source-route-failed', 'time-exceeded', 'timestamp-reply', 'timestamp-request', 'traceroute', 'ttl-expired', 'unreachable'.

Default Command Mode Command Default Level Usage Guideline

None. Extended IP Access-list Configuration Mode. Level: 12 A sequence number will be assigned automatically if the user did not assign it

manually . The autom atic assign sequence n umber start fr om 10 and increases by 10 per new entry. The start sequence number and sequence increment of IP ACL can be configured manually.

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

Example

This example shows how to use the extended IP ACL. The purpose is to den y Telnet access from the host, with the IP address 192.168.4.12, to any host in the network

192.168.1.0 and to permit any others.

DXS-3600-32S#configure terminal DXS-3600-32S(config)#ip access-list extended Ext-ip DXS-3600-32S(config-ext-nacl)#deny tcp host 192.168.4.12 192.168.1.0 0.0.255.255 eq telnet DXS-3600-32S(config-ext-nacl)#permit ip any any DXS-3600-32S(config-ext-nacl)#end DXS-3600-32S#show access-list

Extended IP access list 3999 Ext-ip 10 deny tcp host 192.168.4.12 192.168.1.0 0.0.255.255 eq telnet 20 permit ip any any DXS-3600-32S#

3-5 ipv6 access-list

This command is used to create or modify an IPv6 ACL. This command will enter into the IPv6 access-list configuration mode. Use the no command to remove an IPv6 access-list.

ipv6 access-list {name} no ipv6 access-list {name}

Parameters

name Spe cifie s the n ame of the IP access-list to be con figur ed. T he nam e can be up to 3 2

characters long.

Default Command Mode Command Default Level Usage Guideline

Example

DXS-3600-32S#configure terminal DXS-3600-32S(config)#ipv6 access-list ext_ipv6 DXS-3600-32S(config-ipv6-nacl)#end DXS-3600-32S#show access-list

Extended IP access list 3999 Ext-ip 10 deny tcp host 192.168.4.12 192.168.1.0 0.0.0.255 eq telnet 20 permit ip any any Extended IPv6 access list ext_ipv6 DXS-3600-32S#

None. Global Configuration Mode. Level: 12 Extended IPv6 ACL only filters the IPv6 packet. The name must be unique among all

(including MAC, IP, IPv6 or Expert) access-lists and the first character of name must be a letter.

This example shows how to create an IPv6 ACL:

3-6 permit | deny (ipv6 access-list)

Use the permit command to add a permit entry. Use the deny command to add a deny entry. Use the no command to remove an entry.

Extended IPv6 ACL:

[sn] {permit | deny} protocol {source-ipv6-prefix/prefix-length | host source-ipv6-address | any} {destination-ipv6-

prefix/prefix-length | host destination-ipv6-address | any} [dscp dscp] [flow-label flow-label] [fragments] [timerange time-range-name]

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

Extended IPv6 ACLs of some important protocols:

[sn] {permit | deny} tcp {source-ipv6-prefix/prefix-length | host source-ipv6-address | any} [operator port]

{destination-ipv6-prefix/prefix-length | host destination-ipv6-address | any} [operator port ] [tcp-flag] [dscp dscp] [flow-label flow-label] [fragments] [time-range time-range-name]

[sn] {permit | deny} udp {source-ipv6-prefix/prefix-length | host source-ipv6-address | any} [operator port]

{destination-ipv6-prefix/prefix-length | host destination-ipv6-address | any} [operator port] [dscp dscp] [flowlabel flow-label] [fragments] [time-range time-range-name]

[sn] {permit | deny} icmp {source-ipv6-prefix/prefix-length | host source-ipv6-address | any} {destination-ipv6-

prefix/prefix-length | host destination-ipv6-address | any} [{icmp-type [icmp-code] | icmp-message}] [dscp dscp] [flow-label flow-label] [fragments] [time-range time-range-name]

no sn

Parameters

sn (Optional) Specifie s the ACE sequence number used. Th is number must be between

1 and 65535.

protocol Specifies the name or number of an IPv6 protocol used. Protocol names, that can be

used are 'esp', 'ipv6', 'pcp', 'sctp', ‘tcp’, ‘udp’, ‘icmp’ or an integer in the range 0 to 255 representing an IP protocol number. Additional specific parameters are used for ‘tcp’, ‘udp’, and ‘icmp’. The ‘ipv6’ name means any IPv6 Protocol.

source-ipv6-prefix Specifies the source IPv6 network address or network type. destination-ipv6-prefix Specifies the destination IPv6 network address or network type. prefix-length Specifies the prefix mask length. source-ipv6-address Specifies the source IPv6 address. destination-ipv6-address Specifies the destination IPv6 address.

any Means any source or destination IPv6 address.

operator (Optional) Possible operators include ‘eq’ (equal), ‘gt’ (greater than), ‘lt’ (less than),

‘neq’ (not equal), and ‘range’ (inclusive range). Note that the range operator need s two port numbers, while other operators only need one port number.

port Specifies the Layer 4 port number as a decimal number (from 0 to 65535) or the

name of a Layer 4 port.

TCP port names used:

'bgp', 'chargen', 'daytime', 'discard', 'domain', 'echo', 'rexec', 'finger', 'ftp', 'ftp-data',

'gopher', 'hostname', 'ident', 'irc', 'klogin', 'kshell', 'login', 'lpd', 'nntp', 'snpp', 'pop2', 'pop3', 'smtp', 'sunrpc', 'shell', 'tacacs', 'telnet', 'time', 'uucp', 'whois', 'http'.

UDP port names used:

'biff', 'bootpc', 'bootps', 'discard', 'irc', 'domain', 'echo', 'isakmp', 'mobile-ip',

'nameserver', 'netbios-dgm', 'netbios-ns', 'netbios-ss', 'nat-t', 'ntp', 'snpp', 'rip', 'snmp', 'snmptrap', 'sunrpc', 'syslog', 'tacacs', 'talk' , 'tftp', 'time', 'who', 'xdmcp'.

dscp dscp (Optional) Enter the DSCP value to match a differentiated services code point value

against the traffic class value in the Tra ffic Class field of each IPv6 packet header. The acceptable range is from 0 to 255.

fragments (Optional) Specifies packet fragment filtering.

time-range time-rangename

tcp-flag (Optional) Specifies the TCP flag fields. The specified TCP header bits that can be

icmp-type (Optional) Specifies the ICMP message type. The valid number for the message type

icmp-code (Optional) Specifies the ICMP message code. The valid number for the message

(Optional) Specifies the name of the time-period profile associated with the accesslist delineating its activation period.

used are ‘ack’ (acknowledge), ‘fin’ (finish), ‘psh’ (push), ‘rst’ (reset), ‘syn’ (synchronize), or ‘urg’ (urgent).

is from 0 to 255.

code is from 0 to 255

+ 665 hidden pages

D-Link DXS-3600-16S, DXS-3600-32S, DXS-3600-EM-8T, DXS-3600-EM-8XS, DXS-3600-EM-4QXS User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Basic CLI Commands

1-1 help

1-2 prompt

1-3 banner login

1-4 exit

1-5 end

802.1X Commands

2-1 dot1x default

2-2 dot1x port-control

2-3 dot1x pae authenticator

2-4 dot1x control-direction

2-5 dot1x timeout

2-6 dot1x max-req

2-7 dot1x reauthentication

2-8 dot1x re-authenticate

2-9 dot1x initialize

2-10 dot1x system-auth-control

2-11 dot1x system-max-user

2-12 dot1x port-max-user

2-13 dot1x system-fwd-pdu

2-14 dot1x port-fwd-pdu

2-15 show dot1x

Access Control List (ACL) Commands

3-1 ip access-list standard

3-2 permit | deny (ip standard access-list)

3-3 ip access-list extended

3-4 permit | deny (ip extended access-list)

3-5 ipv6 access-list

3-6 permit | deny (ipv6 access-list)