D-Link DXS-3600-16S, DXS-3600-32S, DXS-3600-EM-8T, DXS-3600-EM-8XS, DXS-3600-EM-4QXS User Manual

CLI Reference Guide
Product Model: DXS-3600 Series
Layer 2/3 Managed 10GbE Switch
Release: 1.10
DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide
DXS-3600 Series CLI Reference Guide
Software Release F/W: 1.10.023
All rights reserved. Without our written permission this document may not be excerpted, reproduced, transmitted, or otherwise in all or part by any party by any means.
Preface
Version Description
This manual’s command descriptions are based on the software release 1.10.023. The commands listed here are the subset of commands that are supported by the DXS-3600 Series switch.
Audience
This reference manual is intended for network administrators and other IT networking professionals responsible for managing the switch by using the Command Line Interface (CLI). The CLI is the primary management interface to the DXS-3600 Series switch, which will generally be referred to simply as the “switch” within this manual. This manual is written in a way that assumes that you already have experience and knowledge of Ethernet and modern networking principles for Local Area Networks.
Document Layout
Preface - Describes how to use the CLI reference manual.
Table of Contents - Lists out the chapters discussed throughout this manual.
Chapters - Each chapter contains a specific grouping of CLI commands that are related to the topic labelled.
Appendices - Contains extra information related to this switch.
Other Documentation
The documents below are a further source of information in regards to configuring and troubleshooting the switch. All the documents are available either from the CD, bundled with this switch, or from the D-Link website. Other documents related to this switch are:
DXS-3600 Series Hardware Installation Guide
DXS-3600 Series Web UI Reference Guide
Conventions
Convention - Description
Boldface Font - Commands, command options and keywords are printed in boldface. Keywords, in the command line, are to be entered exactly as they are displayed.
UPPERCASE ITALICS Font - Parameters or values that must be specified are printed in UPPERCASE ITALICS. Parameters in the command line are to be replaced with the actual values that are desired to be used with the command.
[ ] - Square brackets enclose an optional value or set of optional arguments.
{a | b | c} - Braces enclose alternative keywords separated by vertical bars. Generally, one of the keywords in the separated list can be chosen.
[a | d | c] - Optional values or arguments are enclosed in square brackets and separated by vertical bars. Generally, one or more of the values or arguments in the separated list can be chosen.
Blue Courier Font - This convention is used to represent an example of a screen console display including example entries of CLI command input with the corresponding output. All examples used in this manual are based on the DXS-3600-32S switch in the DXS-3600 Series.
Notes, Notices, and Cautions
Below are examples of the 3 types of indicators used in this manual. When administering your switch using the information in this document, you should pay special attention to these indicators. Each example below provides an explanatory remark regarding each type of indicator.
NOTE: A note indicates important information that helps you make better use of your device.
NOTICE: A notice indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
CAUTION: A caution indicates a potential for property damage, personal injury, or death.
Command Descriptions
The information pertaining to each command in this reference guide is presented using a number of template fields. The fields are:
Description - This is a short and concise statement describing the command's functionality.
Syntax - The precise form to use when entering and issuing the command. The form conventions are described in the table shown under the section “Conventions” of this guide.
Syntax Description - A table where each row describes the optional or required arguments, and their use, that can be issued with the command.
Default - If the command sets a configuration value or administrative state of the switch then any default settings (i.e. without issuing the command) of the configuration are shown here.
Command Mode - The mode in which the command can be issued. The modes are either User EXEC, Privileged EXEC, Global Configuration or a specific configuration mode. These modes are described in the section titled “Command Modes” below.
Command Usage - If necessary, a detailed description of the command and its various utilization scenarios is given here.
Example(s) - Each command is accompanied by a practical example of the command being issued in a suitable scenario.
Command Modes
There are several command modes available in the command-line interface (CLI). The set of commands available to the user depends on both the mode the user is currently in and their privilege level. For each case, the user can see all the commands that are available in a particular command mode by entering a question mark (?) at the system prompt.
The command-line interface has five privilege levels:
Basic User - Privilege Level 1. This user account level has the lowest priority of the user accounts. The purpose of this type of user account level is for basic system checking.
Advanced User - Privilege Level 3. This user account level is allowed to configure the terminal control setting. This user account can only show limited information that is not related to security.
Power User - Privilege Level 8. This user account level can execute fewer commands than operator, including configuration commands other than the operator level and administrator level commands.
Operator - Privilege Level 12. This user account level is used to grant system configuration rights for users who need to change or monitor system configuration, except for security related information such as user accounts and SNMP account settings, etc.
Administrator - Privilege Level 15. This administrator user account level can monitor all system information and change any of the system configuration settings expressed in this configuration guide.
The command-line interface has a number of command modes. There are three basic command modes:
User EXEC mode
Privileged EXEC mode
Global Configuration mode
All other sub-configuration modes can be accessed via global configuration mode.
When a user logs in to the Switch, the privilege level of the user determines the command mode the user will enter after initially logging in. The user will either log into user EXEC mode or privileged EXEC mode. Users with a basic user level will log into the Switch in user EXEC mode. Users with advanced user, power user, operator or administrator level accounts will log into the Switch in privileged EXEC mode. Therefore, user EXEC mode can operate at basic user level and privileged EXEC mode can operate at advanced user, power user, operator or administrator level. The user can only enter global configuration mode from privileged EXEC mode. Therefore, global configuration mode can be accessed by users who have advanced user, power user, operator or administrator level user accounts. As for sub-configuration modes, a subset of those can only be accessed by users who have the highest secure administrator level privileges.
The following table briefly lists the available command modes. Only the basic command modes and some of the sub-configuration modes are enumerated. The basic command modes and basic sub-configuration modes are further described in the following chapters. Descriptions for the rest of the sub-configuration modes are not provided in this section. For more information on the additional sub-configuration modes, the user should refer to the chapters relating to these functions.
The available command modes and privilege levels are described below:
Command Mode / Privilege Level - Purpose
User EXEC Mode / Basic User level - This level has the lowest priority of the user accounts. It is provided only to check basic system settings.
Privileged EXEC Mode / Advanced User level - This level is allowed to configure the terminal control setting. This user account can only show limited information that is not related to security.
Privileged EXEC Mode / Power User level - This level can execute fewer commands than operator, including the configuration commands other than the operator level and administrator level commands.
Privileged EXEC Mode / Operator level - For changing both local and global terminal settings, monitoring, and performing certain system administration tasks. The system administration tasks that can be performed at this level include the clearing of system configuration settings, except for any security related information, such as user accounts, SNMP account settings etc.
Privileged EXEC Mode / Administrator level - This level is identical to privileged EXEC mode at power user level, except that a user at the administrator level can monitor and clear security related settings.
Global Configuration Mode / Power User level - For applying global settings, including the configuration commands other than the operator level and administrator level commands.
Global Configuration Mode / Operator level - For applying global settings, except for security related settings, on the entire Switch. In addition to applying global settings on the entire Switch, the user can access other sub-configuration modes from global configuration mode.
Global Configuration Mode / Administrator level - For applying global settings on the entire Switch. In addition to applying global settings on the entire Switch, the user can access other sub-configuration modes from global configuration mode.
Interface Configuration Mode / Administrator level - For applying interface related settings.
VLAN Interface Configuration Mode - For applying VLAN interface related settings.
VLAN Configuration Mode - For applying settings to a VLAN.
IP Access-List Configuration Mode - For specifying filtering criteria for an IP access list.
User EXEC Mode at Basic User Level
This command mode is mainly designed for checking basic system settings. This command mode can be entered by logging in as a basic user.
Privileged EXEC Mode at Advanced User Level
This command mode is mainly designed for checking basic system settings, allowing users to change the local terminal session settings and carrying out basic network connectivity verification. One limitation of this command mode is that it cannot be used to display information related to security. This command mode can be entered by logging in as an advanced user.
Privileged EXEC Mode at Power User Level
Users logged into the switch in privileged EXEC mode at this level can execute fewer commands than operator, including the configuration commands other than the operator level and administrator level commands. The method to enter privileged EXEC mode at power user level is to login to the switch with a user account that has a privilege level of 8.
Privileged EXEC Mode at Operator Level
Users logged into the Switch in privileged EXEC mode at this level can change both local and global terminal settings, monitor, and perform system administration tasks like clearing configuration settings (except for security related information such as user accounts, SNMP account settings etc.). The method to enter privileged EXEC mode at operator level is to login to the Switch with a user account that has a privilege level of 12.
Privileged EXEC Mode at Administrator Level
This command mode has a privilege level of 15. Users logged in with this command mode can monitor all system information and change any system configuration settings mentioned in this Configuration Guide. The method to enter privileged EXEC mode at administrator level is to login to the Switch with a user account that has a privilege level of 15.
Global Configuration Mode
The primary purpose of global configuration mode is to apply global settings on the entire Switch. Global configuration mode can be accessed at advanced user, power user, operator or administrator level user accounts. However, security related settings are not accessible at advanced user, power user or operator user accounts. In addition to applying global settings on the entire Switch, the user can also access other sub-configuration modes. In order to access the global configuration mode, the user must be logged in with the corresponding account level and use the configure terminal command in privileged EXEC mode.
In the following example, the user is logged in as an Administrator in privileged EXEC mode and uses the configure terminal command to access global configuration mode:
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#
The exit command is used to exit global configuration mode and return to privileged EXEC mode.
DXS-3600-32S(config)#exit
DXS-3600-32S#
The procedures to enter the different sub-configuration modes can be found in the related chapters in this Configuration Guide. The command modes are used to configure the individual functions.
Interface Configuration Mode
Interface configuration mode is used to configure the parameters for an interface or a range of interfaces. An interface can be a physical port, VLAN, or other virtual interface. Thus, interface configuration mode is distinguished further according to the type of interface. The command prompt for each type of interface is slightly different.
VLAN Interface Configuration Mode
VLAN interface configuration mode is one of the available interface modes and is used to configure the parameters of a VLAN interface.
To access VLAN interface configuration mode, use the following command in global configuration mode:
DXS-3600-32S(config)#interface vlan 1
DXS-3600-32S(config-if)#
Table of Contents
Basic CLI Commands
802.1X Commands
Access Control List (ACL) Commands
Address Resolution Protocol (ARP) Commands
Alternate Store and Forward (ASF) Commands
Authentication, Authorization, and Accounting (AAA) Commands
Border Gateway Protocol (BGP) Commands
Compound Authentication Commands
Configuration Commands
Counter Commands
CPU Commands
Debug Commands
DHCP Relay Commands
DHCP Server Commands
Distance Vector Multicast Routing Protocol (DVMRP) Commands
D-Link License Management System Commands
Domain Name System (DNS) Commands
DoS Attack Prevention Commands
Enhanced Transmission Selection (ETS) Commands
File System Commands
Filter Database (FDB) Commands
GARP VLAN Registration Protocol (GVRP) Commands
Internet Group Management Protocol (IGMP) Commands
IGMP Snooping Commands
Interface Commands
IP Access List Commands
IP Address Commands
IP Prefix List Commands
IP Multicast (IPMC) Commands
LINE Commands
Link Aggregation Commands
Link Layer Discovery Protocol (LLDP) Commands
LLDP-DCBX Commands
LLDP-MED Commands
Memory Commands
Mirror Commands
Multicast Filter Mode Commands
Multiprotocol Label Switching (MPLS) Commands
Network Connectivity Test Commands
Open Shortest Path First (OSPF) Version 2 Commands
Password Recovery Commands
Peripheral Commands
Port Commands
Port Security Commands
Priority-based Flow Control (PFC) Commands
Protocol Independent Commands
Protocol Independent Multicast (PIM) Commands
Quality of Service (QoS) Commands
Quantized Congestion Notification (QCN) Commands
RADIUS Commands
Remote Network MONitoring (RMON) Commands
Routing Information Protocol (RIP) Commands
Route Map Commands
Secure Shell (SSH) Commands
Simple Network Management Protocol (SNMP) Commands
Simple Network Time Protocol (SNTP) and Clock Commands
Spanning Tree Protocol (STP) Commands
Storm Control Commands
Switch Management Commands
Syslog Commands
TACACS+ Commands
TELNET Commands
Time Range Commands
Traffic Segmentation Commands
Upgrade and Maintenance Commands
Virtual LAN (VLAN) Commands
Virtual Private LAN Service (VPLS) Commands
Virtual Private Wire Service (VPWS) Commands
Virtual Router Redundancy Protocol (VRRP) Commands
VLAN Mapping Commands
VLAN Tunnel Commands
VRF-Lite Commands
Weighted Random Early Detection (WRED) Commands
Appendix A - Password Recovery Procedure
Appendix B - System Log Entries
Appendix C - Trap Entries

Basic CLI Commands

1-1 help

This command is used to display a brief description of the help system. Use the help command in any command mode.
help
Parameters - None.
Default - None.
Command Mode - Exec Mode, Privileged Mode, All Configuration Modes
Command Default Level - Level: 1
Usage Guideline - This command provides a brief description of the context-sensitive help system, which functions as follows:
To list all commands available for a particular command mode, enter a question mark “?” at the system prompt.
To obtain a list of commands that begin with a particular character string, enter the abbreviated command entry immediately followed by a question mark “?”. Do not leave a space between the keyword and question mark. This form of help is called word help, because it lists only the keywords or arguments that begin with the abbreviation you entered.
To list the keywords and arguments associated with a command, enter a question mark “?” in place of a keyword or argument on the command line. Leave a space between the keyword and question mark. This form of help is called command syntax help, because it lists the keywords or arguments that apply based on the command, keywords, and arguments you have already entered.
Note: To complete a partial command name, enter the abbreviated command name followed by a <Tab> key. Example: ‘show addr <Tab>’. To enter the character “?” in the command argument, press Ctrl+V immediately followed by the character “?”.
Example
DXS-3600-32S>help
Help may be requested at any point in a command by entering a question mark '?'. If nothing matches, the help list will be empty and you must backup until entering a '?' shows the available options. Two styles of help are provided:
1. Full help is available when you are ready to enter a command argument (e.g. 'ip ?') and describes each possible argument.
2. Partial help is provided when an abbreviated argument is entered and you want to know what arguments match the input (e.g. 'ip a?'.)
Note:
1. For completing a partial command name could enter the abbreviated command name immediately followed by a <Tab> key.
2. If wants to enter the character '?' in the command argument, please press ctrl+v immediately followed by the character '?'.
DXS-3600-32S>
This example shows how to display a brief description of the help system. The field descriptions are self-explanatory.
Example
DXS-3600-32S#re?
reboot rename
DXS-3600-32S#re
This example shows how to use word help to display all the privileged mode commands that begin with the letters “re”. The letters entered before the question mark are reprinted on the next command line to allow the user to continue entering the command.
Example
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#ip access-list standard ?
WORD Access-list name(the first character must be a letter)
<1-1999> Standard IP access-list number
DXS-3600-32S(config)#ip access-list standard
This example shows how to use command syntax help to display the next argument of a partially completed ip access-list standard command. The characters entered before the question mark are reprinted on the next command line to allow the user to continue entering the command.

1-2 prompt

This command is used to customize the CLI prompt. Execute the prompt command in global configuration mode. To revert to the default prompt, execute the no form of this command.
prompt string
no prompt
Parameters
string - Enter the character string that will be displayed on screen as the CLI prompt here.
Default - The default prompt value is ‘DXS-3600-32S’.
Command Mode - Global Configuration Mode
Command Default Level - Level: 3
Usage Guideline - The default prompt string is the system’s name. To restore the prompt to the default value, use the ‘no prompt’ command in global configuration mode.
Example
This example shows how to configure a customized prompt string, used in the CLI. In this example we’ll change the prompt to the word ‘Router’.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#prompt Router
Router(config)#

1-3 banner login

This command is used to configure and customize the banner that will be displayed before the username and password login prompts. Use the banner login command in global configuration mode. To disable the customized login banner, use the no form of this command.
banner login c message c
no banner login
Parameters
c - Specifies the separator of the login banner message, for example a hash sign (#). The delimiting character is not allowed in the login banner message.
message - Enter the contents of the login banner, that will be displayed before the username and password login prompts, here.
Default - Displays the switch type and other contents defined by the system.
Command Mode - Global Configuration Mode
Command Default Level - Level: 3
Usage Guideline - Follow the banner login command with one or more blank spaces and a delimiting character of your choice. Enter one or more lines of text, terminating the message with the second occurrence of the delimiting character. For example, with a hash sign (#) being the delimiting character, after inputting the delimiting character, press the Enter key, then the login banner contents can be typed. The delimiting character then needs to be entered, followed by the Enter key, to complete the banner.
To reset the login banner contents to default, use the ‘no banner login’ command in global configuration mode.
Note: Any additional characters typed after the end delimiting character are invalid. These characters will be discarded by the system. The delimiting character cannot be used in the text of the login banner.
Example
This example shows how to configure the login banner. The hash sign (#) is used as the delimiting character. The starting delimiting character, banner contents and ending delimiting character will be entered before pressing the first enter key.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#banner login #Enter Command Line Interface#
DXS-3600-32S(config)#end
DXS-3600-32S#logout
Enter Command Line Interface
User Access Verification
Username:
Example
This example shows how to configure the login banner . The hash sig n (#) is used as the delimiting character.
DXS-3600-32S#configure terminal DXS-3600-32S(config)#banner login # LINE c banner-text c, where 'c' is a delimiting character Enter Command Line Interface # DXS-3600-32S(config)#end DXS-3600-32S#logout
Enter Command Line Interface
User Access Verification
Username:
3
DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

1-4 exit

This command is used to exit any configuration mode to the next highest mode in the CLI mode hierarchy. Use the exit command in any configuration mode. If the current mode is the highest mode (Exec Mode, Privileged Mode) in the CLI mode hierarchy, execute the exit command to close the active terminal session by logging off the switch.
exit
Parameters
None.
Default
None.
Command Mode
Exec Mode
Privileged Mode
All Configuration Modes
Command Default Level
Level: 1
Usage Guideline
Use the exit command in the highest mode (Exec Mode, Privileged Mode) to exit the active session (exit from the mode process and log off from the device). If the current session is console, the account will logout. If there is another session running, it will be closed.
Use the exit command in any configuration mode to exit to the next highest mode in the CLI mode hierarchy. For example, use the exit command in global configuration mode to return to privileged mode.
Example
This example shows how to exit from the Line Configuration Mode to return to the Global Configuration Mode and exit from the Global Configuration Mode to return to the privileged mode.
DXS-3600-32S(config-line)#exit
DXS-3600-32S(config)#exit
DXS-3600-32S#
Example
This example shows how to use the exit command, in the privileged mode, to logout of the current account.
DXS-3600-32S#exit
Switch con0 is now available
Press any key to login...
16 2000-01-22 01:20:37 INFO(6) Logout through Console (Username: admin)
DXS-3600-32S TenGigabit Ethernet Switch
Command Line Interface
Firmware: Build 1.10.023
Copyright(C) 2012 D-Link Corporation. All rights reserved.
User Access Verification
Username:
Example
This example shows how to use the exit command, in the privileged mode, in a Telnet session, to exit this mode and close the active session.
DXS-3600-32S#exit

1-5 end

This command is used to end the current configuration mode and return to the highest mode in the CLI mode hierarchy. Use the end command in any configuration mode.
end
Parameters
None.
Default
None.
Command Mode
Exec Mode
Privileged Mode
All Configuration Modes
Command Default Level
Level: 1
Usage Guideline
Execute this command to return to the highest mode in the CLI mode hierarchy, regardless of the configuration mode or configuration sub-mode you are currently in.
Note: This global command can be used in any mode, but if the current mode is the highest mode in the CLI mode hierarchy (Exec Mode, Privileged Mode), executing this command will not have any effect. If the current mode is any configuration mode, executing this command will return to the privileged mode.
Example
This example shows how to use the end command in the Line Configuration Mode to return to the privileged mode.
DXS-3600-32S(config-line)#end
DXS-3600-32S#
Example
This example shows how to use the end command in the privileged and EXEC mode.
DXS-3600-32S#end
DXS-3600-32S#disable
DXS-3600-32S>end
DXS-3600-32S>

802.1X Commands

2-1 dot1x default

This command is used to reset the IEEE 802.1X parameters on a specific port to their default settings.
dot1x default
Parameters
None.
Default
Port control mode - Auto
Port PAE type - None
Port control direction - Both
Quiet period when authentication fails - 60 seconds
Re-authentication interval when authentication succeeds - 3600 seconds
Default timeout value waiting for a response from RADIUS - 30 seconds
Default timeout value waiting for a reply from Supplicant - 30 seconds
Default transmission interval from the Authenticator to the Supplicant - 30 seconds
Default maximum number of authentication request - 2 times
Re-authentication state on the port - Disabled
Command Mode
Interface Configuration Mode.
Command Default Level
Level: 8
Usage Guideline
This command is used to reset all the IEEE 802.1X parameters on a specific port to their default settings.
Example
This example shows how to reset the 802.1X parameters on port 1.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#interface tenGigabitEthernet 1/0/1
DXS-3600-32S(config-if)#dot1x default
DXS-3600-32S(config-if)#

2-2 dot1x port-control

This command is used to manually control the authorization state on a specific port. Use the no form of this command to reset the authorization state of the specific port to its default state (auto).
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control
Parameters
auto Specifies to enable IEEE 802.1X authentication. The state (authorized or unauthorized) for a specific port is determined according to the outcome of the authentication.
force-authorized Specifies to force a specific port to change to the authorized state without an authentication exchange.
force-unauthorized Specifies to deny all access on a specific port by forcing the port to change to the unauthorized state, ignoring all authentication attempts.
Default
The default authorization state is auto.
Command Mode
Interface Configuration Mode.
Command Default Level
Level: 8
Usage Guideline
The configuration for this command on a specific port won’t be in operation if you don’t configure the port as an IEEE 802.1X PAE authenticator by using the ‘dot1x pae authenticator’ command.
Example
This example shows how to deny all access to port 1.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#interface tenGigabitEthernet 1/0/1
DXS-3600-32S(config-if)#dot1x port-control force-unauthorized
DXS-3600-32S(config-if)#

2-3 dot1x pae authenticator

This command is used to configure a specific port as an IEEE 802.1X port access entity (PAE) authenticator. Use the no form of this command to disable IEEE 802.1X authentication on the port.
dot1x pae authenticator
no dot1x pae
Parameters
None.
Default
The 802.1X is disabled on a port by default.
Command Mode
Interface Configuration Mode.
Command Default Level
Level: 8
Usage Guideline
You must also globally enable IEEE 802.1X authentication on the switch by using the ‘dot1x system-auth-control’ command.
Example
This example shows how to configure port 1 as an IEEE 802.1X PAE authenticator.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#interface tenGigabitEthernet 1/0/1
DXS-3600-32S(config-if)#dot1x pae authenticator
DXS-3600-32S(config-if)#

2-4 dot1x control-direction

This command is used to configure the direction of the traffic on a controlled port as unidirectional (in) or bidirectional (both). Use the no form of this command to reset the control direction of a port to its default value (both).
dot1x control-direction {both | in}
no dot1x control-direction
Parameters
both Specifies to enable bidirectional control. Both incoming and outgoing traffic through an IEEE 802.1X-enabled port are prevented if the port is not in the authorized state.
in Specifies to enable unidirectional control. Incoming traffic through an IEEE 802.1X-enabled port is prohibited if the port is not in the authorized state.
Default
The default is in bidirectional mode.
Command Mode
Interface Configuration Mode.
Command Default Level
Level: 8
Usage Guideline
The configuration for this command on a specific port won’t be in operation if you don’t configure the port as an IEEE 802.1X PAE authenticator by using the ‘dot1x pae authenticator’ command.
When the port is in the force-unauthorized state or in the unauthorized state after authentication, the traffic is controlled based on the setting of this command.
When the port is in the force-authorized state or becomes authorized after authentication, the traffic will be allowed in both directions.
Example
This example shows how to specify the direction of traffic through Ethernet port 1. The direction is set as unidirectional.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#interface tenGigabitEthernet 1/0/1
DXS-3600-32S(config-if)#dot1x control-direction in
DXS-3600-32S(config-if)#

2-5 dot1x timeout

This command is used to configure the IEEE 802.1X timers.
dot1x timeout {quiet-period <sec 0-65535> | reauth-period <sec 1-65535> | server-timeout <sec 1-65535> | supp-timeout <sec 1-65535> | tx-period <sec 1-65535>}
Parameters
quiet-period <sec 0-65535> Number of seconds that the switch will be in the quiet state in the wake of a failed authentication process. The range is 0 to 65535.
reauth-period <sec 1-65535> Number of seconds between re-authentication attempts. The range is 1 to 65535.
server-timeout <sec 1-65535> Number of seconds that the switch will wait for the request from the authentication server before timing out the server. The range is 1 to 65535.
supp-timeout <sec 1-65535> Number of seconds that the switch will wait for the response from the supplicant before timing out the supplicant. The range is 1 to 65535.
tx-period <sec 1-65535> Number of seconds that the switch will wait for a response to an EAP-Request or Identity frame from the supplicant before retransmitting the request. The range is 1 to 65535.
Default
The default quiet period when authentication fails is 60 seconds (quiet-period).
The default re-authentication interval when authentication succeeds is 3600 seconds (reauth-period).
The default timeout value waiting for a response from RADIUS is 30 seconds (server-timeout).
The default timeout value waiting for a reply from Supplicant is 30 seconds (supp-timeout).
The default transmission interval from the Authenticator to the Supplicant is 30 seconds (tx-period).
Command Mode
Interface Configuration Mode.
Command Default Level
Level: 8
Usage Guideline
The ‘dot1x timeout reauth-period’ command is in operation only if you have enabled re-authentication by using the ‘dot1x reauthentication’ interface configuration command.
Example
This example shows how to configure the quiet period, reauthentication period, server timeout value, supplicant timeout value, and transmission period for Ethernet port 1 to be 20, 1000, 15, 15, and 10 seconds, respectively.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#interface tenGigabitEthernet 1/0/1
DXS-3600-32S(config-if)#dot1x timeout quiet-period 20
DXS-3600-32S(config-if)#dot1x timeout reauth-period 1000
DXS-3600-32S(config-if)#dot1x timeout server-timeout 15
DXS-3600-32S(config-if)#dot1x timeout supp-timeout 15
DXS-3600-32S(config-if)#dot1x timeout tx-period 10
DXS-3600-32S(config-if)#

2-6 dot1x max-req

This command is used to configure the maximum number of times that the backend authentication state machine will retransmit an Extensible Authentication Protocol (EAP) request frame to the supplicant before restarting the authentication process. Use the no form of this command to reset the maximum number of times to its default value.
dot1x max-req <int 1-10>
no dot1x max-req
Parameters
max-req <int 1-10> Number of times that the switch retransmits an EAP frame to the supplicant before restarting the authentication process. The range is 1 to 10.
Default
The default value is 2 times.
Command Mode
Interface Configuration Mode.
Command Default Level
Level: 8
Usage Guideline
This command is used to set the maximum number of times that the backend authentication state machine will retransmit an Extensible Authentication Protocol (EAP) request frame to the supplicant before restarting the authentication process.
Example
This example shows how to set the maximum number of retries allowed on port 1. The maximum number of retries is set to 3.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#interface tenGigabitEthernet 1/0/1
DXS-3600-32S(config-if)#dot1x max-req 3
DXS-3600-32S(config-if)#

2-7 dot1x reauthentication

This command is used to enable periodic reauthentication. Use the no form of this command to disable periodic reauthentication.
dot1x reauthentication
no dot1x reauthentication
Parameters
None.
Default
The periodic reauthentication on interface is disabled by default.
Command Mode
Interface Configuration Mode.
Command Default Level
Level: 8
Usage Guideline
You can configure the number of seconds between reauthentication attempts by using the ‘dot1x timeout reauth-period’ command.
Example
This example shows how to enable periodic reauthentication on Ethernet port 1.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#interface tenGigabitEthernet 1/0/1
DXS-3600-32S(config-if)#dot1x reauthentication
DXS-3600-32S(config-if)#

2-8 dot1x re-authenticate

This command is used to reauthenticate a specific port or a specific MAC address.
dot1x re-authenticate {interface <interface-id> | mac-address <mac-address>}
Parameters
interface <interface-id> (Optional) Specifies a port to reauthenticate. Valid interfaces are physical ports.
mac-address <mac-address> (Optional) Specifies a MAC address to re-authenticate. The function can be used only if the authentication mode is host-based.
Default
This command has no default value.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 8
Usage Guideline
Under port-based mode, use the parameter interface <interface-id> to re-authenticate a specific port. Under host-based mode, use the parameter mac-address <mac-address> to reauthenticate a specific MAC address.
Example
This example shows how to reauthenticate Ethernet port 1.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#dot1x re-authenticate interface tenGigabitEthernet 1/0/1
DXS-3600-32S(config)#

2-9 dot1x initialize

This command is used to initialize the authenticator state machine on a specific port or associated with a specific MAC address.
dot1x initialize {interface <interface-id> | mac-address H.H.H}
Parameters
interface <interface-id> (Optional) Specifies a port on which the authenticator state machine will be initialized. Valid interfaces are physical ports.
mac-address H.H.H (Optional) Specifies a MAC address whose associated authenticator state machine will be initialized. The function can be used only if the authentication mode is host-based.
Default
None.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 8
Usage Guideline
Under port-based mode, use the parameter interface <interface-id> to initialize a specific port. Under host-based mode, use the parameter mac-address <mac-address> to initialize a specific MAC address.
Example
This example shows how to initialize the authenticator state machine on Ethernet port 1.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#dot1x initialize interface tenGigabitEthernet 1/0/1
DXS-3600-32S(config)#

2-10 dot1x system-auth-control

This command is used to globally enable IEEE 802.1X authentication on the switch. Use the no form of this command to disable IEEE 802.1X function.
dot1x system-auth-control
no dot1x system-auth-control
Parameters
None.
Default
802.1X is disabled globally by default.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 8
Usage Guideline
Use this command to enable 802.1X authentication globally.
Example
This example shows how to enable IEEE 802.1X authentication on the switch.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#dot1x system-auth-control
DXS-3600-32S(config)#

2-11 dot1x system-max-user

This command is used to configure the maximum number of users that can be learned via 802.1X authentication. Use the no form of this command to reset to the default settings.
dot1x system-max-user <int 1-4096>
no dot1x system-max-user
Parameters
<int 1-4096> Specifies the maximum number of users.
Default
By default, the maximum number of users that can be learned via 802.1X authentication is 4096.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 8
Usage Guideline
The setting is a global limitation on the maximum number of users that can be learned via 802.1X authentication. In addition to the global limitation, the maximum number of users per port is also limited.
Example
This example shows how to configure the maximum number of users that are allowed to be learned via 802.1X authentication. The maximum number of users allowed is 128.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#dot1x system-max-user 128
DXS-3600-32S(config)#

2-12 dot1x port-max-user

This command is used to configure the maximum number of users that can be learned via 802.1X authentication on a specific port. Use the no form of this command to reset to the default settings.
dot1x port-max-user <int 1-4096>
no dot1x port-max-user
Parameters
<int 1-4096> Specifies the maximum number of users on a port.
Default
By default, the maximum number of users that can be learned via 802.1X authentication on a port is 16.
Command Mode
Interface Configuration Mode.
Command Default Level
Level: 8
Usage Guideline
The setting is an interface limitation on the maximum number of users that can be learned via 802.1X authentication. In addition to the interface limitation, the global maximum number of users is also limited.
Example
This example shows how to configure the maximum number of users allowed on port 1. The maximum number of users allowed is 32.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#interface tenGigabitEthernet 1/0/1
DXS-3600-32S(config-if)#dot1x port-max-user 32
DXS-3600-32S(config-if)#

2-13 dot1x system-fwd-pdu

This command is used to globally control the forwarding of EAPOL PDUs. Use the no form of this command to reset to the default settings.
dot1x system-fwd-pdu
no dot1x system-fwd-pdu
Parameters
None.
Default
802.1X cannot forward EAPOL PDUs by default.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 8
Usage Guideline
When 802.1X functionality is disabled globally or for a port, and if 802.1X is set to forward EAPOL PDUs both globally and for the port, a received EAPOL packet on the port will be flooded in the same VLAN to those ports which have 802.1X forwarding EAPOL PDUs enabled and 802.1X is disabled (globally or just for the port). 802.1X cannot forward EAPOL PDUs by default.
Example
This example shows how to enable the forwarding of EAPOL PDUs, globally, on the switch.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#dot1x system-fwd-pdu
DXS-3600-32S(config)#

2-14 dot1x port-fwd-pdu

This command is used to control the forwarding of EAPOL PDUs on specific ports. Use the no form of this command to reset to the default settings.
dot1x port-fwd-pdu
no dot1x port-fwd-pdu
Parameters
None.
Default
802.1X cannot forward EAPOL PDUs on all ports by default.
Command Mode
Interface Configuration Mode.
Command Default Level
Level: 8
Usage Guideline
This is a per-port setting to control the forwarding of EAPOL PDUs. When 802.1X functionality is disabled globally or for a port, and if 802.1X is set to forward EAPOL PDUs both globally and for the port, a received EAPOL packet on the port will be flooded in the same VLAN to those ports which have 802.1X forwarding EAPOL PDUs enabled and 802.1X is disabled (globally or just for the port). 802.1X cannot forward EAPOL PDUs on all ports by default.
Example
This example shows how to enable the forwarding of EAPOL PDUs on port 1.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#dot1x system-fwd-pdu
DXS-3600-32S(config)#end
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#interface tenGigabitEthernet 1/0/1
DXS-3600-32S(config-if)#no dot1x pae
DXS-3600-32S(config-if)#dot1x port-fwd-pdu
DXS-3600-32S(config-if)#

2-15 show dot1x

This command is used to display the IEEE 802.1X global configuration, interface configuration, authentication state, statistics, diagnostics, and session statistics.
show dot1x [[interface INTERFACE-ID] {auth-configuration | auth-state | statistics | diagnostics | session-statistics}]
Parameters
interface INTERFACE-ID (Optional) Specifies a port to display authentication state, configuration, statistics, diagnostics, or session statistics.
auth-configuration Displays the IEEE 802.1X interface configuration.
auth-state Displays the IEEE 802.1X authentication state.
statistics Displays the IEEE 802.1X information about the authenticator statistics.
diagnostics Displays the IEEE 802.1X information about the authenticator diagnostics.
session-statistics Displays the IEEE 802.1X information about the authenticator session statistics.
Default
None.
Command Mode
Privileged EXEC Mode.
Command Default Level
Level: 15
Usage Guideline
Use this command to display the IEEE 802.1X global configuration, interface configuration, authentication state, statistics, diagnostics, and session statistics. When no interface is specified, information about all interfaces will be displayed.
Example
This example shows how to display the 802.1X global configuration.
DXS-3600-32S#show dot1x
802.1X : Disabled
Forward EAPOL PDU : Disabled
Max User : 4096
DXS-3600-32S#
Example
This example shows how to display the 802.1X configuration for the interface TenGigabitEthernet1/0/1.
DXS-3600-32S#show dot1x interface tenGigabitEthernet 1/0/1 auth-configuration
Interface : TenGigabitEthernet1/0/1
Capability : None
AdminCrlDir : Both
OperCrlDir : Both
Port Control : Auto
QuietPeriod : 60 sec
TxPeriod : 30 sec
SuppTimeout : 30 sec
ServerTimeout : 30 sec
MaxReq : 2 times
ReAuthPeriod : 3600 sec
ReAuthenticate : Disabled
Forward EAPOL PDU On Port : Disabled
Max User On Port : 16
DXS-3600-32S#
Example
This example shows how to display the 802.1X authentication state.
DXS-3600-32S#show dot1x auth-state
Status: A - Authorized; U - Unauthorized; (P): Port-Based 802.1X; Pri: Priority
Interface                 MAC Address       Auth PAE State      Backend State Status VID  Pri
                                            VID
------------------------- ----------------- ---  -------------- ------------- ------ ---- ---
TenGigabitEthernet1/0/1   00-00-00-00-00-01 10   Authenticated  Idle          A      4004 3
TenGigabitEthernet1/0/1   00-00-00-00-00-02 10   Authenticated  Idle          A      1234 -
TenGigabitEthernet1/0/1   00-00-00-00-00-04 30   Authenticating Response      U      -    -
TenGigabitEthernet1/0/2   - (P)             -    Authenticating Request       U      -    -
TenGigabitEthernet1/0/3   - (P)             -    Connecting     Idle          U      -    -
TenGigabitEthernet1/0/14  - (P)             -    Held           Fail          U      -    -
Total Authenticating Hosts :2
Total Authenticated Hosts :2
DXS-3600-32S#
Example
This example shows how to display the 802.1X statistics for the interface TenGigabitEthernet1/0/1.
DXS-3600-32S#show dot1x interface tenGigabitEthernet 1/0/1 statistics
MAC Address : 00-00-00-00-00-02
Interface : TenGigabitEthernet1/0/1
EAPOLFramesRx 0
EAPOLFramesTx 6
EAPOLStartFramesRx 0
EAPOLReqIdFramesTx 6
EAPOLLogoffFramesRx 0
EAPOLReqFramesTx 0
EAPOLRespIdFramesRx 0
EAPOLRespFramesRx 0
InvalidEAPOLFramesRx 0
EapLengthErrorFramesRx 0
LastEAPOLFrameVersion 0
LastEAPOLFrameSource 00-00-00-00-00-03
DXS-3600-32S#
Example
This example shows how to display the 802.1X diagnostics for the interface TenGigabitEthernet1/0/1.
DXS-3600-32S#show dot1x interface tenGigabitEthernet 1/0/1 diagnostics
MAC Address : 00-00-00-00-00-02
Interface : TenGigabitEthernet1/0/1
EntersConnecting 20
EapLogoffsWhileConnecting 0
EntersAuthenticating 0
SuccessWhileAuthenticating 0
TimeoutsWhileAuthenticating 0
FailWhileAuthenticating 0
ReauthsWhileAuthenticating 0
EapStartsWhileAuthenticating 0
EapLogoffWhileAuthenticating 0
ReauthsWhileAuthenticated 0
EapStartsWhileAuthenticated 0
EapLogoffWhileAuthenticated 0
BackendResponses 0
BackendAccessChallenges 0
BackendOtherRequestsToSupplicant 0
BackendNonNakResponsesFromSupplicant 0
BackendAuthSuccesses 0
BackendAuthFails 0
DXS-3600-32S#
Example
This example shows how to display the 802.1X session statistics for the interface TenGigabitEthernet1/0/1.
DXS-3600-32S#show dot1x interface tenGigabitEthernet 1/0/1 session-statistics
MAC Address : 00-00-00-00-00-02
Interface : TenGigabitEthernet1/0/1
SessionOctetsRx 0
SessionOctetsTx 0
SessionFramesRx 0
SessionFramesTx 0
SessionId ether1_1-1
SessionAuthenticMethod Remote Authentication Server
SessionTime 3
SessionTerminateCause NotTerminatedYet
SessionUserName user_test
DXS-3600-32S#
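The usage guidelines in this chapter state several dependencies: port settings only operate on a PAE authenticator, the authenticator needs 802.1X enabled globally, reauth-period needs reauthentication enabled, and EAPOL PDUs are flooded when forwarding is on and 802.1X is off. The Python sketch below is an added example, not part of the manual or the switch firmware, that checks those dependencies against 'show dot1x' output. It assumes that the Capability field reflects the port PAE type and that non-default settings are displayed as 'Authenticator', 'ForceAuthorized', 'In' and 'Enabled'; the sample outputs are constructed from the examples above.

```python
import re

# Constructed samples. The DEFAULT pair repeats the values shown in the manual's
# examples; the CUSTOM pair is invented and its value strings are assumptions.
GLOBAL_DEFAULT = "802.1X : Disabled\nForward EAPOL PDU : Disabled\nMax User : 4096\n"
PORT_DEFAULT = """\
Interface : TenGigabitEthernet1/0/1
Capability : None
AdminCrlDir : Both
OperCrlDir : Both
Port Control : Auto
QuietPeriod : 60 sec
TxPeriod : 30 sec
SuppTimeout : 30 sec
ServerTimeout : 30 sec
MaxReq : 2 times
ReAuthPeriod : 3600 sec
ReAuthenticate : Disabled
Forward EAPOL PDU On Port : Disabled
Max User On Port : 16
"""
GLOBAL_CUSTOM = "802.1X : Enabled\nForward EAPOL PDU : Enabled\nMax User : 128\n"
PORT_CUSTOM = (PORT_DEFAULT
               .replace("Capability : None", "Capability : Authenticator")
               .replace("AdminCrlDir : Both", "AdminCrlDir : In")
               .replace("Port Control : Auto", "Port Control : ForceAuthorized")
               .replace("ReAuthenticate : Disabled", "ReAuthenticate : Enabled"))


def parse_fields(text):
    """Parse 'Name : value' lines of CLI output into a dict."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            fields[name.strip()] = value.strip()
    return fields


def _norm(value):
    """Lower-case and drop punctuation so 'Force-Authorized' == 'forceauthorized'."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def audit(global_fields, port_fields):
    """Return (code, message) findings for one port, per the usage guidelines."""
    findings = []
    dot1x_on = _norm(global_fields.get("802.1X", "")) == "enabled"
    authenticator = _norm(port_fields.get("Capability", "none")) != "none"
    port = port_fields.get("Interface", "?")

    if not authenticator:
        findings.append(("NOT_AUTHENTICATOR",
                         f"{port}: not a PAE authenticator, dot1x port settings are not in operation"))
    elif not dot1x_on:
        findings.append(("GLOBAL_DISABLED",
                         f"{port}: PAE authenticator set but 802.1X is disabled globally"))
    if authenticator and _norm(port_fields.get("Port Control", "")) == "forceauthorized":
        findings.append(("FORCE_AUTHORIZED",
                         f"{port}: authorized without an authentication exchange"))
    if authenticator and _norm(port_fields.get("AdminCrlDir", "")) == "in":
        findings.append(("CONTROL_IN",
                         f"{port}: only incoming traffic is blocked while unauthorized"))
    if _norm(port_fields.get("ReAuthenticate", "")) != "enabled":
        period = port_fields.get("ReAuthPeriod", "?")
        findings.append(("REAUTH_OFF",
                         f"{port}: reauthentication disabled, ReAuthPeriod ({period}) is not in operation"))
    fwd_global = _norm(global_fields.get("Forward EAPOL PDU", "")) == "enabled"
    fwd_port = _norm(port_fields.get("Forward EAPOL PDU On Port", "")) == "enabled"
    if not (dot1x_on and authenticator) and fwd_global and fwd_port:
        findings.append(("EAPOL_FLOOD",
                         f"{port}: received EAPOL PDUs are flooded in the VLAN"))
    return findings


def audit_text(global_text, port_text):
    """Convenience wrapper: finding codes for two blocks of raw CLI output."""
    return [code for code, _ in audit(parse_fields(global_text), parse_fields(port_text))]


if __name__ == "__main__":
    for code, message in audit(parse_fields(GLOBAL_DEFAULT), parse_fields(PORT_DEFAULT)):
        print(code, "-", message)
```
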

Access Control List (ACL) Commands

Throughout this chapter, we'll refer to two abbreviations:
ACL - Access Control List.
ACE - Access Control Entry.

3-1 ip access-list standard

This command is used to create or modify a standard IP ACL. This command will enter into the standard IP access-list configuration mode. Use the no command to remove a standard IP access-list.
ip access-list standard {[id | name]}
no ip access-list standard {id | name}
Parameters
id Enter the ID of standard IP ACL here. This value must be between 1 and 1999.
name The name of the standard IP access-list to be configured. The name can be up to 32 characters.
Default
None.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 12
Usage Guideline
Standard IP ACL only filters the IPv4 packet.
The name must be unique among all (including MAC, IP, IPv6 or Expert) access-lists and the first character of name must be a letter.
When creating an ACL, through assigning a name, an ID will be assigned automatically. The ID assignment rule will start from the maximum ID of 1999 and decrease 1 per new ACL.
When creating an ACL through assigning an ID, a name will be assigned automatically. The name assignment rule is ‘std-ip’ + “-” + ID. If this name conflicts with the name of an existing ACL, then it will be renamed based on the following rule: ‘std-ip’ + “-” + ID + “alt”.
Example
This example shows how to create a standard ACL.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#ip access-list standard Std-ip
DXS-3600-32S(config-std-nacl)#end
DXS-3600-32S#show access-list
Standard IP access list 1999 Std-ip
DXS-3600-32S#

3-2 permit | deny (ip standard access-list)

Use the permit command to add a permit entry. Use the deny command to add a deny entry. Use the no command to remove an entry.
[sn] {permit | deny} {source source-wildcard | host source | any}
no sn
Parameters
sn (Optional) Specifies the ACE sequence number used. This number must be between 1 and 65535.
source source-wildcard Specifies the source IP address. Masks are used with IP addresses in IP ACLs to specify what should be permitted and denied. Masks used to configure IP addresses on interfaces start with 255 and have the large values on the left side, for example, IP address 209.165.202.129 with a 255.255.255.224 mask. Masks for IP ACLs are the reverse, for example, mask 0.0.0.255. This is sometimes called an inverse mask or a wildcard mask. When the value of the mask is broken down into binary (0s and 1s), the results determine which address bits are to be considered in processing the traffic. A 0 indicates that the address bit must be considered (exact match); a 1 indicates that the address bit is not considered.
host source Specifies a specific source IP address.
any Means any source IP address.
Default
None.
Command Mode
Standard IP Access-list Configuration Mode.
Command Default Level
Level: 12
Usage Guideline
A sequence number will be assigned automatically if the user does not assign it manually. The automatically assigned sequence number starts from 10 and increases by 10 per new entry. The start sequence number and sequence increment of the IP ACL can be configured manually.
Example
This example shows how to create a standard IP ACL, named Std-ip. This entry will permit packets from the source network 10.20.0.0/16.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#ip access-list standard Std-acl
DXS-3600-32S(config-std-nacl)#permit 10.20.0.0 0.0.255.255
DXS-3600-32S(config-std-nacl)#end
DXS-3600-32S#show access-list
Standard IP access list 1998 Std-acl
    10 permit 10.20.0.0 0.0.255.255
Standard IP access list 1999 Std-ip
DXS-3600-32S#
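The wildcard-mask rule and the automatic sequence numbering described in this section, modelled in Python as an added example (not code from the manual or the switch). Evaluating entries in ascending sequence number with the first match deciding, numbering an automatic entry from the highest existing number, and rejecting a duplicate number are assumptions of this model; the names StandardAcl, wildcard_match and mask_to_wildcard are hypothetical.

```python
import ipaddress


def _to_int(addr):
    """Dotted-quad IPv4 string -> 32-bit integer (raises ValueError if malformed)."""
    return int(ipaddress.IPv4Address(addr))


def mask_to_wildcard(netmask):
    """Invert an interface-style mask (255.255.255.224) into an ACL wildcard (0.0.0.31)."""
    return str(ipaddress.IPv4Address(~_to_int(netmask) & 0xFFFFFFFF))


def wildcard_match(packet_src, source, wildcard):
    """True if packet_src equals source on every bit where the wildcard bit is 0."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF   # 0 in wildcard = bit must match
    return (_to_int(packet_src) & care) == (_to_int(source) & care)


class StandardAcl:
    """Model of a standard IP ACL: entries keyed by sequence number (1-65535)."""

    def __init__(self, start=10, step=10):
        self.start, self.step = start, step   # defaults stated in the usage guideline
        self.entries = {}                     # sn -> (action, source, wildcard)

    def add(self, action, spec, sn=None):
        """Add an entry. spec is 'SOURCE WILDCARD', 'host SOURCE' or 'any'."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        parts = spec.split()
        if parts == ["any"]:
            source, wildcard = "0.0.0.0", "255.255.255.255"   # every bit ignored
        elif len(parts) == 2 and parts[0] == "host":
            source, wildcard = parts[1], "0.0.0.0"            # every bit compared
        elif len(parts) == 2:
            source, wildcard = parts
        else:
            raise ValueError(f"unrecognised source specification: {spec!r}")
        _to_int(source), _to_int(wildcard)                    # validate both addresses
        if sn is None:
            # Assumption: the next automatic number follows the highest one in use.
            sn = max(self.entries) + self.step if self.entries else self.start
        if not 1 <= sn <= 65535:
            raise ValueError("sequence number must be between 1 and 65535")
        if sn in self.entries:
            raise ValueError(f"sequence number {sn} already in use")  # assumption
        self.entries[sn] = (action, source, wildcard)
        return sn

    def evaluate(self, packet_src):
        """Return (sn, action) of the first matching entry, or None if none matches.

        What the switch does with a packet that matches no entry is not stated
        in this section, so the model reports None instead of guessing.
        """
        for sn in sorted(self.entries):
            action, source, wildcard = self.entries[sn]
            if wildcard_match(packet_src, source, wildcard):
                return sn, action
        return None


if __name__ == "__main__":
    acl = StandardAcl()
    acl.add("permit", "10.20.0.0 0.0.255.255")    # the manual's example entry
    acl.add("deny", "host 10.20.0.9", sn=5)       # constructed entries below
    acl.add("deny", "any")
    for src in ("10.20.0.9", "10.20.7.7", "192.0.2.1"):
        print(src, acl.evaluate(src))
```

Because the comparison is per bit, a wildcard such as 0.0.254.0 in this model matches every address whose third octet has the same lowest bit as the source, which a prefix length cannot express.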

3-3 ip access-list extended

This command is used to create or modify an extended IP ACL. This command will enter into the extended IP access-list configuration mode. Use the no command to remove an extended IP access-list.
ip access-list extended {[id | name]}
no ip access-list extended {id | name}
Parameters
id Specifies the ID number of the extended IP ACL. This value must be between 2000 and 3999.
name Specifies the name of the extended IP access-list to be configured. The name can be up to 32 characters.
Default
None.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 12
Usage Guideline
Extended IP ACL only filters IPv4 packets.
The name must be unique among all (including MAC, IP, IPv6 or Expert) access-lists and the first character of the name must be a letter.
When creating an ACL through assigning a name, an ID will be assigned automatically. The ID assignment rule will start from the maximum ID of 3999 and decrease 1 per new ACL.
When creating an ACL through assigning an ID, a name will be assigned automatically. The name assignment rule is ‘ext-ip’ + “-” + ID. If this name conflicts with the name of an existing ACL, then it will be renamed based on the following rule: ‘ext-ip’ + “-” + ID + “alt”.
Example
This example shows how to create an extended ACL.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#ip access-list extended Ext-ip
DXS-3600-32S(config-ext-nacl)#end
DXS-3600-32S#show access-list
Standard IP access list 1998 Std-acl
    10 permit 10.20.0.0 0.0.255.255
Standard IP access list 1999 Std-ip
Extended IP access list 3999 Ext-ip
DXS-3600-32S#

3-4 permit | deny (ip extended access-list)

Use the permit command to add a permit entry. Use the deny command to add a deny entry. Use the no command to remove a specific entry.
Extended IP ACL:
[sn] {permit | deny} protocol {source source-wildcard | host source | any} {destination destination-wildcard | host destination | any} [precedence precedence] [tos tos] [fragments] [time-range time-range-name]
Extended IP ACLs of some important protocols:
[sn] {permit | deny} tcp {source source-wildcard | host source | any} [operator port] {destination destination-wildcard | host destination | any} [operator port] [tcp-flag] [precedence precedence] [tos tos] [fragments] [time-range time-range-name]
[sn] {permit | deny} udp {source source-wildcard | host source | any} [operator port] {destination destination-wildcard | host destination | any} [operator port] [precedence precedence] [tos tos] [fragments] [time-range time-range-name]
[sn] {permit | deny} icmp {source source-wildcard | host source | any} {destination destination-wildcard | host destination | any} [{icmp-type [icmp-code] | icmp-message}] [precedence precedence] [tos tos] [fragments] [time-range time-range-name]
no sn
Parameters
sn (Optional) Specifies the ACE sequence number used. This number must be between 1 and 65535.
protocol Specifies the name or number of an IP protocol: 'eigrp', 'esp', 'gre', 'igmp', 'ip', 'ipinip', 'ospf', 'pcp', 'pim', 'tcp', 'udp', 'icmp' or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol, use ‘ip’, which means any IP protocol. There are additional specific parameters for ‘tcp’, ‘udp’, and ‘icmp’.
source Specifies the source IP address.
source-wildcard Applies wildcard bits to the source.
host source Specifies a specific source IP address.
any Means any source or destination IP address.
destination Specifies the destination IP address.
destination-wildcard Applies wildcard bits to the destination.
host destination Specifies a specific destination IP address.
operator (Optional) Possible operators include ‘eq’ (equal), ‘gt’ (greater than), ‘lt’ (less than), ‘neq’ (not equal), and ‘range’ (inclusive range). A range needs two port numbers, while other operators only need one port number.
port Specifies the Layer 4 port number as a decimal number (from 0 to 65535) or the name of a Layer 4 port.
TCP ports used:
'bgp', 'chargen', 'daytime', 'discard', 'domain', 'echo', 'rexec', 'finger', 'ftp', 'ftp-data', 'gopher', 'hostname', 'ident', 'irc', 'klogin', 'kshell', 'login', 'lpd', 'nntp', 'snpp', 'pop2', 'pop3', 'smtp', 'sunrpc', 'shell', 'tacacs', 'telnet', 'time', 'uucp', 'whois', 'http'.
UDP ports used:
'biff', 'bootpc', 'bootps', 'discard', 'irc', 'domain', 'echo', 'isakmp', 'mobile-ip', 'nameserver', 'netbios-dgm', 'netbios-ns', 'netbios-ss', 'nat-t', 'ntp', 'snpp', 'rip', 'snmp', 'snmptrap', 'sunrpc', 'syslog', 'tacacs', 'talk', 'tftp', 'time', 'who', 'xdmcp'.
precedence precedence (Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name: routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), network (7).
tos tos (Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name: normal (0), min-monetary-cost (1), max-reliability (2), max-throughput (4), min-delay (8).
fragments (Optional) Packet fragment filtering.
time-range time-range-name
tcp-flag (Optional) Specifies the TCP flag fields. The specified TCP header bits are: ack
icmp-type (Optional) Specifies the ICMP message type. The valid number for the message type
icmp-code (Optional) Specifies the ICMP message code. The valid number for the message
icmp-message (Optional) Specifies the ICMP message type name or the ICMP message type and
(Optional) Specifies the name of time-period profile associated with the access-list delineating its activation period.
(acknowledge), fin (finish), psh (push), rst (reset), syn (synchronize), or urg (urgent).
is from 0 to 255.
code is from 0 to 255
code by name. Code names that can be used are 'administratively-prohibited', 'alternate-address', 'conversion-error', 'host-prohibited', 'net-prohibited', 'echo', 'echo-reply', 'pointer-indicates-err or ', 'host-isolated', 'host-precedence-violation', 'host-redirect', 'host-tos-redirect', 'host-tos-unreachable', 'host-unknown', 'host­unreachable', 'information-reply', 'information-request', 'mask-reply', 'mask-request', 'mobile-redirect', 'net-redirect', 'net-tos-redirect', 'net-tos-unreachable', 'net­unreachable', 'net-unknown', 'bad-length', 'op tion-missing', 'packet-fragment', 'parameter-problem', 'port-unreachable', 'precedence-cutoff', 'protocol-unreachable', 'reassembly-timeout', 'redirect-message', 'router-advertisement', 'router-solicitation', 'source-quench', 'source-route-failed', 'time-exceeded', 'timestamp-reply', 'timestamp-request', 'traceroute', 'ttl-expired', 'unreachable'.
Default
None.
Command Mode
Extended IP Access-list Configuration Mode.
Command Default Level
Level: 12
Usage Guideline
A sequence number will be assigned automatically if the user did not assign it manually. The automatically assigned sequence number starts from 10 and increases by 10 per new entry. The start sequence number and sequence increment of IP ACL can be configured manually.
Example
This example shows how to use the extended IP ACL. The purpose is to deny Telnet access from the host, with the IP address 192.168.4.12, to any host in the network 192.168.1.0 and to permit any others.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#ip access-list extended Ext-ip
DXS-3600-32S(config-ext-nacl)#deny tcp host 192.168.4.12 192.168.1.0 0.0.255.255 eq telnet
DXS-3600-32S(config-ext-nacl)#permit ip any any
DXS-3600-32S(config-ext-nacl)#end
DXS-3600-32S#show access-list

Extended IP access list 3999 Ext-ip
    10 deny tcp host 192.168.4.12 192.168.1.0 0.0.255.255 eq telnet
    20 permit ip any any
DXS-3600-32S#
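The following Python sketch is an added illustration, not D-Link code: it parses the two ACEs from the example above and evaluates packets against them, to show which destinations the wildcard 0.0.255.255 actually covers. It assumes the inverse-mask convention (a 1 bit in the wildcard means that address bit is ignored) and first-match evaluation in ascending sequence-number order; both are assumptions, as are all function names, and only the address and port criteria of the syntax are modelled.

```python
import ipaddress

# Constructed subset of the manual's TCP port names (IANA port numbers).
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "http": 80}
OPERATORS = {
    "eq": lambda p, a: p == a[0],
    "neq": lambda p, a: p != a[0],
    "gt": lambda p, a: p > a[0],
    "lt": lambda p, a: p < a[0],
    "range": lambda p, a: a[0] <= p <= a[1],  # inclusive, takes two ports
}
ALL_ONES = 0xFFFFFFFF


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


def take_address(tokens):
    """Consume 'any', 'host A' or 'A wildcard'; return (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return 0, ALL_ONES
    if first == "host":
        return ip_int(tokens.pop(0)), 0
    return ip_int(first), ip_int(tokens.pop(0))


def take_port(tokens):
    """Consume an optional 'operator port' clause; return (op, ports) or None."""
    if not tokens or tokens[0] not in OPERATORS:
        return None
    op = tokens.pop(0)
    ports = []
    for _ in range(2 if op == "range" else 1):
        tok = tokens.pop(0)
        ports.append(PORT_NAMES[tok] if tok in PORT_NAMES else int(tok))
    return op, ports


def parse_ace(line):
    """Parse 'sn {permit|deny} protocol src [op port] dst [op port]'."""
    tokens = line.split()
    ace = {"sn": int(tokens.pop(0)), "action": tokens.pop(0), "proto": tokens.pop(0)}
    ace["src"] = take_address(tokens)
    ace["sport"] = take_port(tokens)
    ace["dst"] = take_address(tokens)
    ace["dport"] = take_port(tokens)
    if tokens:  # tcp-flag, precedence, tos, fragments, time-range: not modelled
        raise ValueError(f"unsupported criteria: {' '.join(tokens)}")
    return ace


def addr_match(addr, spec):
    """Compare only the bits whose wildcard bit is 0 (assumed convention)."""
    base, wildcard = spec
    care = ~wildcard & ALL_ONES
    return (ip_int(addr) & care) == (base & care)


def port_match(port, clause):
    if clause is None:
        return True
    op, ports = clause
    return port is not None and OPERATORS[op](port, ports)


def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Return (sn, action) of the first matching ACE in ascending sn order.

    Returns None when nothing matches; what the switch does in that case is
    not stated in this section, so it is not modelled.
    """
    for ace in sorted(acl, key=lambda a: a["sn"]):
        if (ace["proto"] in ("ip", proto)
                and addr_match(src, ace["src"]) and port_match(sport, ace["sport"])
                and addr_match(dst, ace["dst"]) and port_match(dport, ace["dport"])):
            return ace["sn"], ace["action"]
    return None


def wildcard_span(base, wildcard):
    """Lowest and highest address a base/wildcard pair can match."""
    b, w = ip_int(base), ip_int(wildcard)
    low, high = b & ~w & ALL_ONES, (b | w) & ALL_ONES
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


# ACEs as listed by 'show access-list' in the example above.
ACL_AS_SHOWN = [parse_ace(l) for l in (
    "10 deny tcp host 192.168.4.12 192.168.1.0 0.0.255.255 eq telnet",
    "20 permit ip any any",
)]
# Same rule with wildcard 0.0.0.255, as the 3-5 example output lists it.
ACL_NARROW = [parse_ace(l) for l in (
    "10 deny tcp host 192.168.4.12 192.168.1.0 0.0.0.255 eq telnet",
    "20 permit ip any any",
)]

if __name__ == "__main__":
    print(wildcard_span("192.168.1.0", "0.0.255.255"))
    for dst in ("192.168.1.7", "192.168.200.9"):
        for name, acl in (("as shown", ACL_AS_SHOWN), ("narrow", ACL_NARROW)):
            print(dst, name, evaluate(acl, "tcp", "192.168.4.12", dst, 40000, 23))
```

Under these assumptions the entry with 0.0.255.255 covers 192.168.0.0 through 192.168.255.255, while the same entry with 0.0.0.255 covers only 192.168.1.0 through 192.168.1.255.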

3-5 ipv6 access-list

This command is used to create or modify an IPv6 ACL. This command will enter into the IPv6 access-list configuration mode. Use the no command to remove an IPv6 access-list.
ipv6 access-list {name}
no ipv6 access-list {name}
Parameters
name Specifies the name of the IP access-list to be configured. The name can be up to 32 characters long.
Default
None.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 12
Usage Guideline
Extended IPv6 ACL only filters the IPv6 packet. The name must be unique among all (including MAC, IP, IPv6 or Expert) access-lists and the first character of name must be a letter.
Example
This example shows how to create an IPv6 ACL:
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#ipv6 access-list ext_ipv6
DXS-3600-32S(config-ipv6-nacl)#end
DXS-3600-32S#show access-list

Extended IP access list 3999 Ext-ip
    10 deny tcp host 192.168.4.12 192.168.1.0 0.0.0.255 eq telnet
    20 permit ip any any
Extended IPv6 access list ext_ipv6
DXS-3600-32S#

3-6 permit | deny (ipv6 access-list)

Use the permit command to add a permit entry. Use the deny command to add a deny entry. Use the no command to remove an entry.
Extended IPv6 ACL:
[sn] {permit | deny} protocol {source-ipv6-prefix/prefix-length | host source-ipv6-address | any} {destination-ipv6-prefix/prefix-length | host destination-ipv6-address | any} [dscp dscp] [flow-label flow-label] [fragments] [time-range time-range-name]
Extended IPv6 ACLs of some important protocols:
[sn] {permit | deny} tcp {source-ipv6-prefix/prefix-length | host source-ipv6-address | any} [operator port] {destination-ipv6-prefix/prefix-length | host destination-ipv6-address | any} [operator port] [tcp-flag] [dscp dscp] [flow-label flow-label] [fragments] [time-range time-range-name]
[sn] {permit | deny} udp {source-ipv6-prefix/prefix-length | host source-ipv6-address | any} [operator port] {destination-ipv6-prefix/prefix-length | host destination-ipv6-address | any} [operator port] [dscp dscp] [flow-label flow-label] [fragments] [time-range time-range-name]
[sn] {permit | deny} icmp {source-ipv6-prefix/prefix-length | host source-ipv6-address | any} {destination-ipv6-prefix/prefix-length | host destination-ipv6-address | any} [{icmp-type [icmp-code] | icmp-message}] [dscp dscp] [flow-label flow-label] [fragments] [time-range time-range-name]
no sn
Parameters
sn (Optional) Specifies the ACE sequence number used. This number must be between 1 and 65535.
protocol Specifies the name or number of an IPv6 protocol used. Protocol names that can be used are 'esp', 'ipv6', 'pcp', 'sctp', ‘tcp’, ‘udp’, ‘icmp’ or an integer in the range 0 to 255 representing an IP protocol number. Additional specific parameters are used for ‘tcp’, ‘udp’, and ‘icmp’. The ‘ipv6’ name means any IPv6 Protocol.
source-ipv6-prefix Specifies the source IPv6 network address or network type.
destination-ipv6-prefix Specifies the destination IPv6 network address or network type.
prefix-length Specifies the prefix mask length.
source-ipv6-address Specifies the source IPv6 address.
destination-ipv6-address Specifies the destination IPv6 address.
any Means any source or destination IPv6 address.
operator (Optional) Possible operators include ‘eq’ (equal), ‘gt’ (greater than), ‘lt’ (less than), ‘neq’ (not equal), and ‘range’ (inclusive range). Note that the range operator needs two port numbers, while other operators only need one port number.
port Specifies the Layer 4 port number as a decimal number (from 0 to 65535) or the name of a Layer 4 port.
TCP port names used:
'bgp', 'chargen', 'daytime', 'discard', 'domain', 'echo', 'rexec', 'finger', 'ftp', 'ftp-data', 'gopher', 'hostname', 'ident', 'irc', 'klogin', 'kshell', 'login', 'lpd', 'nntp', 'snpp', 'pop2', 'pop3', 'smtp', 'sunrpc', 'shell', 'tacacs', 'telnet', 'time', 'uucp', 'whois', 'http'.
UDP port names used:
'biff', 'bootpc', 'bootps', 'discard', 'irc', 'domain', 'echo', 'isakmp', 'mobile-ip', 'nameserver', 'netbios-dgm', 'netbios-ns', 'netbios-ss', 'nat-t', 'ntp', 'snpp', 'rip', 'snmp', 'snmptrap', 'sunrpc', 'syslog', 'tacacs', 'talk', 'tftp', 'time', 'who', 'xdmcp'.
dscp dscp (Optional) Enter the DSCP value to match a differentiated services code point value against the traffic class value in the Traffic Class field of each IPv6 packet header. The acceptable range is from 0 to 255.
fragments (Optional) Specifies packet fragment filtering.
time-range time-range-name (Optional) Specifies the name of the time-period profile associated with the access-list delineating its activation period.
tcp-flag (Optional) Specifies the TCP flag fields. The specified TCP header bits that can be used are ‘ack’ (acknowledge), ‘fin’ (finish), ‘psh’ (push), ‘rst’ (reset), ‘syn’ (synchronize), or ‘urg’ (urgent).
icmp-type (Optional) Specifies the ICMP message type. The valid number for the message type is from 0 to 255.
icmp-code (Optional) Specifies the ICMP message code. The valid number for the message code is from 0 to 255.
icmp-message (Optional) Specifies the ICMP message type name or the ICMP message type and code by name. Names that can be used are 'beyond-scope', 'destination-unreachable', 'echo-reply', 'echo-request', 'erroneous_header', 'hop-limit', 'multicast-listener-query', 'multicast-listener-done', 'multicast-listener-report', 'nd-na', 'nd-ns', 'next-header', 'no-admin', 'no-route', 'packet-too-big', 'parameter-option', 'parameter-problem', 'port-unreachable', 'reassembly-timeout', 'redirect', 'renum-command', 'renum-result', 'renum-seq-number', 'router-advertisement', 'router-renumbering', 'router-solicitation', 'time-exceeded', 'unreachable'.
flow-label flow-label (Optional) Specifies the flow label value used. This value must be between 0 and 1048575.
Default
None.
Command Mode
IPv6 Access-list Configuration Mode.
Command Default Level
Level: 12
Usage Guideline
A sequence number will be assigned automatically if the user did not assign it manually. Automatic assignment of sequence numbers starts from 10, and increases by 10 for every new entry.
Example
This example shows how to use the IPv6 ACL. The purpose is to deny FTP access from the host, with the IPv6 address of 19:18:43::12, to any host in the network 120:16:10::/48 and to permit any others.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#ipv6 access-list ext_ipv6
DXS-3600-32S(config-ipv6-nacl)#deny tcp host 19:18:43::12 120:16:10::/48 eq ftp
DXS-3600-32S(config-ipv6-nacl)#permit any any
DXS-3600-32S(config-ipv6-nacl)#end
DXS-3600-32S#show access-lists

Extended IPv6 access list ext_ipv6
    10 deny tcp host 19:18:43::12 120:16:10::/48 eq ftp
    20 permit any any
DXS-3600-32S#

3-7 mac access-list

This command is used to create or modify an extended MAC ACL. This command will enter into the extended MAC access-list configuration mode. Use the no command to remove an extended MAC access-list.
mac access-list extended {[id | name]}
no mac access-list extended {id | name}
Parameters
id Specifies the ID number of the extended MAC ACL. This value must be between 6000 and 7999.
name Specifies the name of the extended MAC ACL to be configured. The name can be up to 32 characters long.
Default
None.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 12
Usage Guideline
Extended MAC ACL only filters the Non-IP packet. The name must be unique among all (including MAC, IP, IPv6 or Expert) access-lists and the first character of name must be a letter.
When creating an ACL through the assignment of a name, an ID will be assigned automatically. The ID assignment rule will start from the maximum ID of 7999 and decrease by 1 for every new ACL created.
When creating an ACL through the assignment of an ID, a name will be assigned automatically. The name assignment rule is ‘ext-mac’ + “-” + ID. If this name conflicts with the name of an existing ACL, then it will be renamed based on the following rule: ‘ext-mac’ + “-” + ID + “alt”.
Example
This example shows how to create an extended MAC ACL.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#mac access-list extended 6001
DXS-3600-32S(config-mac-nacl)#end
DXS-3600-32S#show access-list

Extended IP access list 3999 ext_ipv6
    10 permit ip any any
Extended MAC access list 6001 ext-mac-6001
DXS-3600-32S#

3-8 permit | deny (mac access-list)

Use the permit command to add a permit entry. Use the deny command to add a deny entry. Use the no command to remove an entry.
[sn] {permit | deny} {source-mac-address mask | host source-mac-address | any} {destination-mac-address mask | host destination-mac-address | any} [ethernet-type] [cos out [inner in]]
no sn
Parameters
sn (Optional) Specifies the ACE sequence number. This number must be between 1 and 65535.
source-mac-address Specifies the source MAC address.
destination-mac-address Specifies the destination MAC address.
mask Specifies the MAC address mask.
any Means any source or destination MAC address.
ethernet-type (Optional) Specifies the Ethernet type as a pair of hexadecimal numbers and the mask (from 0x0 to 0xFFFF) or the name of the Ethernet type. Names that can be used are 'arp', 'aarp', 'appletalk', 'decnet-iv', 'etype-6000', 'etype-8042', 'lat', 'lavc-sca', 'mop-console', 'mop-dump', 'vines-echo', 'vines-ip', 'xns-idp'.
cos out Specifies the out priority value used. This value must be between 0 and 7.
inner in (Optional) Specifies the inner priority value used. This value must be between 0 and 7.
Default
None.
Command Mode
Extended MAC Access-list Configuration Mode.
Command Default Level
Level: 12
Usage Guideline
A sequence number will be assigned automatically if the user did not assign it manually. Automatic assignment of sequence numbers will start from 10 and increase by 10 for every new entry created.
Example
This example shows how to use the extended MAC ACL. The purpose is to deny a host, with the MAC address of 0013.0049.8272, from sending Ethernet frames of the type ‘aarp’.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#mac access-list extended 6001
DXS-3600-32S(config-mac-nacl)#25 deny host 0013.0049.8272 any aarp
DXS-3600-32S(config-mac-nacl)#end
DXS-3600-32S#show access-list

Extended IP access list 3999 ext_ipv6
    10 permit ip any any
Extended MAC access list 6001 ext-mac-6001
    25 deny host 00-13-00-49-82-72 any aarp
DXS-3600-32S#

3-9 expert access-list

This command is used to create or modify an extended expert ACL. This command will enter into the extended expert access-list configuration mode. Use the no command to remove an extended expert access-list.
expert access-list extended {[id | name]}
no expert access-list extended {id | name}
Parameters
id Specifies the ID number of extended expert ACL. This number must be between 8000 and 9999.
name Specifies the name of the extended expert ACL to be configured. The name can be up to 32 characters long.
Default
None.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 12
Usage Guideline
The name must be unique among all (including MAC, IP, IPv6 or Expert) access-lists and the first character of name must be a letter.
When creating an ACL through the assignment of a name, an ID will be assigned automatically. The ID assignment rule is to start from the maximum ID of 9999 and decrease by 1 for every new ACL created.
When creating an ACL through the assignment of an ID, a name will be assigned automatically. The name assignment rule is ‘ext-expert’ + “-” + ID. If this name conflicts with the name of an existing ACL, then it will be renamed based on the following rule: ‘ext-expert’ + “-” + ID + “alt”.
Example
This example shows how to create an extended expert ACL.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#expert access-list extended exp_acl
DXS-3600-32S(config-exp-nacl)#end
DXS-3600-32S#show access-list

Extended IP access list 3999 ext_ipv6
    10 permit ip any any
Extended MAC access list 6001 ext-mac-6001
    25 deny host 00-13-00-49-82-72 any aarp
Extended EXPERT access list 9999 exp_acl
DXS-3600-32S#

3-10 permit | deny (expert access-list)

Use the permit command to add a permit entry. Use the deny command to add a deny entry. Use the no command to remove an entry.
Extended expert ACL:
[sn] {permit | deny} [ethernet-type] [[cos out [inner in]] | [vlan out [inner in]]] {source source-wildcard | host source | any} {source-mac-address mask | host source-mac-address | any} {destination destination-wildcard | host destination | any} {destination-mac-address mask | host destination-mac-address | any} [time-range time-range-name]
[sn] {permit | deny} protocol [vlan out [inner in]] {source source-wildcard | host source | any} {source-mac-address mask | host source-mac-address | any} {destination destination-wildcard | host destination | any} {destination-mac-address mask | host destination-mac-address | any} [precedence precedence] [tos tos] [fragments] [time-range time-range-name]
Extended expert ACLs of some important protocols:
[sn] {permit | deny} tcp [vlan out [inner in]] {source source-wildcard | host source | any} {source-mac-address mask | host source-mac-address | any} [operator port] {destination destination-wildcard | host destination | any} {destination-mac-address mask | host destination-mac-address | any} [operator port] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [tcp-flag]
[sn] {permit | deny} udp [vlan out [inner in]] {source source-wildcard | host source | any} {source-mac-address mask | host source-mac-address | any} [operator port] {destination destination-wildcard | host destination | any} {destination-mac-address mask | host destination-mac-address | any} [operator port] [precedence precedence] [tos tos] [fragments] [time-range time-range-name]
[sn] {permit | deny} icmp [vlan out [inner in]] {source source-wildcard | host source | any} {source-mac-address mask | host source-mac-address | any} {destination destination-wildcard | host destination | any} {destination-mac-address mask | host destination-mac-address | any} [icmp-type] [[icmp-type [icmp-code]] | [icmp-message]] [precedence precedence] [tos tos] [fragments] [time-range time-range-name]
no sn
Parameters
sn (Optional) Specifies the ACE sequence number. This number must be between 1 and 65535.
source Specifies the source IP address.
source-wildcard Applies wildcard bits to the source.
host source Specifies a specific source IP address.
any Means any source or destination IP or MAC address.
destination Specifies the destination IP address.
destination-wildcard Applies wildcard bits to the destination.
host destination Specifies a specific destination IP address.
source-mac-address Specifies the source MAC address.
destination-mac-address Specifies the destination MAC address.
mask Specifies the MAC address mask.
vlan out (Optional) Specifies the outer VID used. This value must be between 1 and 4094.
vlan inner in (Optional) Specifies the inner VID used. This value must be between 1 and 4094.
cos out (Optional) Specifies the outer priority value. This value must be between 0 and 7.
cos inner in (Optional) Specifies the inner priority value. This value must be between 0 and 7.
ethernet-type (Optional) Specifies the Ethernet type as a pair of hexadecimal numbers and mask (from 0x0 to 0xFFFF) or the name of an Ethernet type. Names that can be used are 'arp', 'aarp', 'appletalk', 'decnet-iv', 'etype-6000', 'etype-8042', 'lat', 'lavc-sca', 'mop-console', 'mop-dump', 'vines-echo', 'vines-ip', 'xns-idp'.
protocol Specifies the name or number of an IP protocol used. Names that can be used are 'eigrp', 'esp', 'gre', 'igmp', 'ip', 'ipinip', 'ospf', 'pcp', 'pim', 'tcp', 'udp', 'icmp' or an integer in the range 0 to 255 representing an IP protocol number. This field is used to match any Internet protocol. There are additional specific parameters for ‘tcp’, ‘udp’, and ‘icmp’. The ‘ip’ means any IP Protocol.
operator (Optional) Specifies the operator used. Possible operators include ‘eq’ (equal), ‘gt’ (greater than), ‘lt’ (less than), ‘neq’ (not equal), and ‘range’ (inclusive range). A range needs two port numbers, while other operators only need one port number.
port Specifies the Layer 4 port number as a decimal number (from 0 to 65535) or the name of a L4 port.
TCP port names used:
'bgp', 'chargen', 'daytime', 'discard', 'domain', 'echo', 'rexec', 'finger', 'ftp', 'ftp-data', 'gopher', 'hostname', 'ident', 'irc', 'klogin', 'kshell', 'login', 'lpd', 'nntp', 'snpp', 'pop2', 'pop3', 'smtp', 'sunrpc', 'shell', 'tacacs', 'telnet', 'time', 'uucp', 'whois', 'http'.
UDP port names used:
'biff', 'bootpc', 'bootps', 'discard', 'irc', 'domain', 'echo', 'isakmp', 'mobile-ip', 'nameserver', 'netbios-dgm', 'netbios-ns', 'netbios-ss', 'nat-t', 'ntp', 'snpp', 'rip', 'snmp', 'snmptrap', 'sunrpc', 'syslog', 'tacacs', 'talk', 'tftp', 'time', 'who', 'xdmcp'.
precedence precedence (Optional) Packets can be filtered by their precedence level. This is specified by a number from 0 to 7 or by name. Names that can be used are routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), network (7).
tos tos (Optional) Packets can be filtered by their type of service level. This is specified by a number from 0 to 15 or by name. Names that can be used are normal (0), max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1).
fragments (Optional) Specifies packet fragment filtering.
time-range time-range-name (Optional) Specifies the name of the time-period profile associated with the access-list delineating its activation period.
tcp-flag (Optional) Specifies the TCP flag fields. The specified TCP header bits can be ‘ack’ (acknowledge), ‘fin’ (finish), ‘psh’ (push), ‘rst’ (reset), ‘syn’ (synchronize), or ‘urg’ (urgent).
icmp-type (Optional) Specifies the ICMP message type. The valid number for the message type is from 0 to 255.
icmp-code (Optional) Specifies the ICMP message code. The valid number for the message code is from 0 to 255.
icmp-message (Optional) Specifies the ICMP message type name or the ICMP message type and code by name. Names that can be used are 'administratively-prohibited', 'alternate-address', 'conversion-error', 'host-prohibited', 'net-prohibited', 'echo', 'echo-reply', 'pointer-indicates-error', 'host-isolated', 'host-precedence-violation', 'host-redirect', 'host-tos-redirect', 'host-tos-unreachable', 'host-unknown', 'host-unreachable', 'information-reply', 'information-request', 'mask-reply', 'mask-request', 'mobile-redirect', 'net-redirect', 'net-tos-redirect', 'net-tos-unreachable', 'net-unreachable', 'net-unknown', 'bad-length', 'option-missing', 'packet-fragment', 'parameter-problem', 'port-unreachable', 'precedence-cutoff', 'protocol-unreachable', 'reassembly-timeout', 'redirect-message', 'router-advertisement', 'router-solicitation', 'source-quench', 'source-route-failed', 'time-exceeded', 'timestamp-reply', 'timestamp-request', 'traceroute', 'ttl-expired', 'unreachable'.
Default
None.
Command Mode
Extended Expert Access-list Configuration Mode.
Command Default Level
Level: 12
Usage Guideline
A sequence number will be assigned automatically if the user did not assign it manually. The automatically assigned sequence number starts from 10 and increases by 10 for every new entry.
Example
This example shows how to use the extended expert ACL. The purpose is to deny all the TCP packets with the source IP address 192.168.4.12 and the source MAC address 001300498272.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#expert access-list extended exp_acl
DXS-3600-32S(config-exp-nacl)#deny tcp host 192.168.4.12 host 0013.0049.8272 any any
DXS-3600-32S(config-exp-nacl)#end
DXS-3600-32S#show access-list

Extended EXPERT access list 9999 exp_acl
    10 deny tcp host 192.168.4.12 host 00-13-00-49-82-72 any any
DXS-3600-32S#

3-11 ip access-list resequence

This command is used to reassign the sequence step and start sequence number of the IP ACL entries. Use the no command to restore the default configuration.
ip access-list resequence {id | name} start-sn inc-sn
no ip access-list resequence {id | name}
Parameters
id Specifies the ID number of IP ACL used. This number must be between 1 and 3999.
name Specifies the name of the IP ACL to be configured. The name can be up to 32 characters long.
start-sn Specifies the start sequence number.
inc-sn Specifies the sequence step value.
Default
The start sequence number is 10 and the sequence step is 10.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 12
Usage Guideline
Sequence numbers for the entries in an ACL are automatically generated when you create a new ACE but do not assign one manually. You can use the ip access-list resequence global configuration command to edit the start sequence number and sequence step in an IP ACL, change the order of the automatically generated ACE sequence numbers and apply them.
Example
This example shows how to resequence the entries of an ACL.
DXS-3600-32S# show access-lists

Standard IP access list 1999 Std-acl
    10 permit 10.20.0.0 0.0.255.255
    20 deny any
DXS-3600-32S# configure terminal
DXS-3600-32S(config)# ip access-list resequence Std-acl 20 40
DXS-3600-32S(config)# end
DXS-3600-32S# show access-lists

Standard IP access list 1999 Std-acl
    20 permit 10.20.0.0 0.0.255.255
    60 deny any
DXS-3600-32S#

3-12 list-remark text

This command is used to add remarks for the specified ACL. Use the no command to delete the remarks.
list-remark text
no list-remark
Parameters
text Specifies the remark information. The information can be up to 256 characters.
Default
None.
Command Mode
Access-list Configuration Mode.
Command Default Level
Level: 12
Usage Guideline
None.
Example
This example shows how to add a remark in an ACL.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#ip access-list extended ip-ext-acl
DXS-3600-32S(config-ext-nacl)#list-remark this acl is to filter the host 192.168.4.12
DXS-3600-32S(config-ext-nacl)#end
DXS-3600-32S#show access-list

Extended IP access list 3999 ip-ext-acl
    10 deny tcp host 192.168.4.12
    this acl is to filter the host 192.168.4.12
DXS-3600-32S#

3-13 show access-lists

This command is used to display all ACLs or the specified ACL.
show access-list [id | name]
Parameters
id Specifies the ID number of the ACL.
name Specifies the name of the IP ACL to be configured. The name can be up to 32 characters long.
Default
None.
Command Mode
EXEC Mode.
Command Default Level
Level: 1
Usage Guideline
Use this command to display a specified ACL. If no ID or name is specified, all the ACLs will be displayed.
Example
This example shows how to display ACLs.
DXS-3600-32S# show access-list sip1

Standard IP access list 1999 sip1
    999 deny 2.2.2.2 0.0.255.255
DXS-3600-32S# show access-list 2001

Extended IP access list 2001 ext-ip-2001
    10 permit tcp host 1.1.1.1 eq echo any gt 6524 ack fin psh rst syn urg precedence internet tos 14
DXS-3600-32S# show access-list

Standard IP access list 1 std-ip-1
    999 deny 2.2.2.2 0.0.255.255
Standard IP access list 11 std-ip-11
    10 permit host 1.1.1.1
Standard IP access list 1999 sip1
    999 deny 2.2.2.2 0.0.255.255
Extended IP access list 2000 ext-ip-2000
Extended IP access list 2001 ext-ip-2001
    10 permit tcp host 1.1.1.1 eq echo any gt 6524 ack fin psh rst syn urg precedence internet tos 14
Extended IP access list 2011 ext-ip-2011
    10 deny ip 5.5.5.5 0.0.255.255 host 7.7.7.5 fragments precedence internet tos 5
Extended IP access list 2111 ext-ip-2111
    10 deny ip 5.5.5.5 0.0.255.255 host 7.7.7.5 precedence critical tos 6
Extended IP access list 3111 ext-ip-3111alt
Extended IP access list 3994 ext-ip-3111
Extended IPv6 access list ipv6-11
    10 deny tcp host 1:2::3 eq 655 host 2:3:4:: gt 555 ack fin psh
Extended IPv6 access list ipv6-1
    10 deny ipv6 1:2::3/32 host 2:22::
Extended MAC access list 6000 ext-mac-6000
    10 deny any any
Extended MAC access list 7999 mac1
    10 permit any any
Extended EXPERT access list 8000 ext-expert-8000
    10 deny any any host 1.1.1.22 host 00-11-22-33-44-55
Extended EXPERT access list 9999 exp1
    10 deny ip host 1.1.1.1 host 00-01-02-03-04-05 any any
DXS-3600-32S#

3-14 ip access-group

This command is used to apply a specific IP ACL to an interface. Use the no command to cancel the application.
ip access-group {id | name} {in | out}
no ip access-group {id | name} {in | out}
Parameters
id Specifies the ID number of IP ACL used. This number must be between 1 and 3999.
name Specifies the name of the IP ACL to be configured. The name can be up to 32 characters long.
in Specifies to filter the incoming packets of the interface.
out Specifies to filter the outgoing packets of the interface.
Default
None.
Command Mode
Interface Configuration Mode.
Command Default Level
Level: 12
Usage Guideline
Only one IP ACL can be attached to the ingress physical ports or egress physical ports.
Applying or binding an ACL to an interface will fail if there are any criteria statements that are not supported. An error message “Do not support fields: …” will be displayed and all unsupported criteria statements of the ACL type will be listed.
Example
This example shows how to apply an IP ACL to an interface. The purpose is to apply the ACL ‘ip-ext-acl’ attribute to the tenGigabitEthernet 1/0/5 interface, to filter incoming packets.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#interface tenGigabitEthernet 1/0/5
DXS-3600-32S(config-if)#ip access-group ip-ext-acl in
DXS-3600-32S(config-if)#end
DXS-3600-32S#show access-group interface tenGigabitEthernet 1/0/5

Interface tenGigabitEthernet 1/0/5:
    ip access-group ip-ext-acl in
DXS-3600-32S#

3-15 ipv6 traffic-filter

This command is used to apply a specific IPv6 ACL to an interface. Use the no command to cancel the application.
ipv6 traffic-filter name {in | out}
no ipv6 traffic-filter name {in | out}
Parameters
name Specifies the name of the IPv6 ACL to be configured. The name can be up to 32 characters long.
in Specifies to filter the incoming packets of the interface.
out Specifies to filter the outgoing packets of the interface.
Default
None.
Command Mode
Interface Configuration Mode.
Command Default Level
Level: 12
Usage Guideline
Only one IPv6 ACL can be attached to an ingress physical port or egress physical port.
Applying or binding an ACL to an interface will fail if there are any criteria statements that are not supported. An error message “Do not support fields: …” will be displayed and all unsupported criteria statements of the ACL type will be listed.
Example
This example shows how to apply an IPv6 ACL to an interface. The purpose is to apply the ACL ‘ext_ipv6’ attribute to the tenGigabitEthernet 1/0/4 interface, to filter incoming packets.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#interface tenGigabitEthernet 1/0/4
DXS-3600-32S(config-if)#ipv6 access-group ext_ipv6 in
DXS-3600-32S(config-if)# end
DXS-3600-32S# show access-group interface tenGigabitEthernet 1/0/4

Interface tenGigabitEthernet 1/0/4:
    ipv6 access-group ext_ipv6 in
DXS-3600-32S#

3-16 mac access-group

This command is used to apply a specific MAC ACL to an interface. Use the no command to cancel the application.
mac access-group {id | name} {in | out}
no mac access-group {id | name} {in | out}
Parameters
id Specifies the ID number of the MAC ACL. This number must be between 6000 and 7999.
name Specifies the name of the MAC ACL to be configured. The name can be up to 32 characters long.
in Specifies to filter the incoming packets of the interface.
out Specifies to filter the outgoing packets of the interface.
Default
None.
Command Mode
Interface Configuration Mode.
Command Default Level
Level: 12
Usage Guideline
Only one MAC ACL can be attached to an ingress physical port or egress physical port. Applying or binding an ACL to an interface will fail if there are any criteria statements that are not supported. An error message “Do not support fields: …” will be displayed and all unsupported criteria statements of the ACL type will be listed.
Example
This example shows how to apply a MAC ACL to an interface. The purpose is to apply the ACL ‘ext_mac’ to the tenGigabitEthernet 1/0/3 interface, to filter outgoing packets.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#interface range tenGigabitEthernet 1/0/1-1/0/3
DXS-3600-32S(config-if-range)#mac access-group ext_mac out
DXS-3600-32S(config-if-range)# end
DXS-3600-32S# show access-group interface tenGigabitEthernet 1/0/1-1/0/3
Interface tenGigabitEthernet 1/0/1:
  mac access-group ext_mac out
Interface tenGigabitEthernet 1/0/2:
  mac access-group ext_mac out
Interface tenGigabitEthernet 1/0/3:
  mac access-group ext_mac out
DXS-3600-32S#

3-17 expert access-group

This command is used to apply a specific expert ACL to an interface. Use the no command to cancel the application.
expert access-group {id | name} {in | out}
no expert access-group {id | name} {in | out}
Parameters
id Specifies the ID number of the expert ACL. This number must be between 8000 and 9999.
name Specifies the name of the expert ACL to be configured. The name can be up to 32 characters long.
in Specifies to filter the incoming packets of the interface.
out Specifies to filter the outgoing packets of the interface.
Default
None.
Command Mode
Interface Configuration Mode.
Command Default Level
Level: 12
Usage Guideline
Only one expert ACL can be attached to an ingress physical port or egress physical port. Applying or binding an ACL to an interface will fail if there are any criteria statements that are not supported. An error message “Do not support fields: …” will be displayed and all unsupported criteria statements of the ACL type will be listed.
Example
This example shows how to apply an expert ACL to an interface. The purpose is to apply the ACL ‘exp_acl’ to the tenGigabitEthernet 1/0/2 interface, to filter incoming packets.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#interface tenGigabitEthernet 1/0/2
DXS-3600-32S(config-if)#expert access-group exp_acl in
DXS-3600-32S(config-if)#end
DXS-3600-32S#show access-group interface tenGigabitEthernet 1/0/2
Interface tenGigabitEthernet 1/0/2:
  expert access-group exp_acl in
DXS-3600-32S#

3-18 show access-group

This command is used to display the ACL configuration of the interface.
show access-group [interface interface]
Parameters
interface interface Specifies the interface ID used.
Default
None.
Command Mode
EXEC Mode.
Command Default Level
Level: 1
Usage Guideline
Displays the ACL applied to the interface. If no interface is specified, the ACLs applied to all the interfaces will be displayed.
Example
This example shows how to display the ACL applied to the interface.
DXS-3600-32S#show access-group
Interface tenGigabitEthernet 1/0/2:
  ipv6 access-group ipv6-11 in
  ipv6 access-group ipv6-1 out
  expert access-group exp1 in
Interface tenGigabitEthernet 1/0/11:
  ip access-group 11 in
  ip access-group std-ip-1 out
  mac access-group 6005 in
  mac access-group ext-mac-6000 out
DXS-3600-32S#
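The following Python code is an added example, not part of the D-Link guide. It parses show access-group output such as the sample in this section, compares the bindings with an intended baseline, and flags more than one ACL of the same type and direction on a port, which the usage guidelines above do not allow. The BASELINE table, the finding labels and the function names are hypothetical.

```python
import re

# Constructed sample: the "show access-group" example output from this section,
# laid out one binding per line.
SAMPLE_OUTPUT = """\
DXS-3600-32S#show access-group
Interface tenGigabitEthernet 1/0/2:
  ipv6 access-group ipv6-11 in
  ipv6 access-group ipv6-1 out
  expert access-group exp1 in
Interface tenGigabitEthernet 1/0/11:
  ip access-group 11 in
  ip access-group std-ip-1 out
  mac access-group 6005 in
  mac access-group ext-mac-6000 out
DXS-3600-32S#
"""

# Hypothetical intended state: {interface: {(acl_type, direction): acl_name}}.
BASELINE = {
    "tenGigabitEthernet 1/0/2": {
        ("ipv6", "in"): "ipv6-10",
        ("ipv6", "out"): "ipv6-1",
        ("expert", "in"): "exp1",
    },
    "tenGigabitEthernet 1/0/11": {
        ("ip", "in"): "11",
        ("ip", "out"): "std-ip-1",
        ("mac", "in"): "6005",
    },
    "tenGigabitEthernet 1/0/5": {("ip", "in"): "ip-ext-acl"},
}

# Either an interface header or one "<type> access-group <acl> <in|out>" binding.
_TOKEN = re.compile(
    r"Interface\s+(?P<ifname>\S+\s+\d+/\d+/\d+):"
    r"|(?<![\w-])(?P<kind>ipv6|ip|mac|expert)\s+access-group\s+"
    r"(?P<acl>\S+)\s+(?P<dir>in|out)\b"
)


def parse_access_groups(text):
    """Return {interface: {(acl_type, direction): [acl, ...]}}.

    The scan runs over the whole text, not line by line, so output that a
    session logger has joined onto one line parses the same way.
    """
    bindings, current = {}, None
    for m in _TOKEN.finditer(text):
        if m.group("ifname"):
            current = " ".join(m.group("ifname").split())
            bindings.setdefault(current, {})
        elif current is not None:
            key = (m.group("kind"), m.group("dir"))
            bindings[current].setdefault(key, []).append(m.group("acl"))
    return bindings


def audit_bindings(bindings, baseline):
    """Compare parsed bindings with the baseline; return a list of findings.

    Each finding is (label, interface, (acl_type, direction), detail).
    """
    findings = []
    for ifname in sorted(set(bindings) | set(baseline)):
        seen = bindings.get(ifname, {})
        want = baseline.get(ifname, {})
        for key in sorted(set(seen) | set(want)):
            acls = seen.get(key, [])
            expected = want.get(key)
            if len(acls) > 1:
                # The guide allows one ACL per type per ingress/egress port.
                findings.append(("DUPLICATE", ifname, key, ",".join(acls)))
            if expected is None:
                findings.append(("UNEXPECTED", ifname, key, ",".join(acls)))
            elif not acls:
                findings.append(("MISSING", ifname, key, expected))
            elif expected not in acls:
                detail = f"{expected} -> {','.join(acls)}"
                findings.append(("CHANGED", ifname, key, detail))
    return findings


if __name__ == "__main__":
    for finding in audit_bindings(parse_access_groups(SAMPLE_OUTPUT), BASELINE):
        print(finding)
```

A MISSING finding means the baseline expects a filter that the switch does not report, for example after a bind that failed with the “Do not support fields: …” error described in the usage guidelines.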

3-19 show ip access-group

This command is used to display the IP ACL configuration of the interface.
show ip access-group [interface interface]
Parameters
interface interface Specifies the interface ID used.
Default
None.
Command Mode
EXEC Mode.
Command Default Level
Level: 1
Usage Guideline
Displays the IP ACL applied to the interface. If no interface is specified, the IP ACLs applied to all the interfaces will be displayed.
Example
This example shows how to display the IP ACL applied to the interface.
DXS-3600-32S#show ip access-group
Interface tenGigabitEthernet 1/0/11:
  ip access-group 11 in
  ip access-group std-ip-1 out
DXS-3600-32S#

3-20 show ipv6 access-group

This command is used to display the IPv6 ACL configuration of the interface.
show ipv6 traffic-filter [interface interface]
Parameters
interface interface Specifies the interface ID used.
Default
None.
Command Mode
EXEC Mode.
Command Default Level
Level: 1
Usage Guideline
Displays the IPv6 ACL applied to the interface. If no interface is specified, the IPv6 ACLs applied to all the interfaces will be displayed.
Example
This example shows how to display the IPv6 ACL applied to the interface.
DXS-3600-32S#show ipv6 traffic-filter
Interface tenGigabitEthernet 1/0/2:
  ipv6 access-group ipv6-11 in
  ipv6 access-group ipv6-1 out
DXS-3600-32S#

3-21 show mac access-group

This command is used to display the MAC ACL configuration of the interface.
show mac access-group [interface interface]
Parameters
interface interface Specifies the interface ID used.
Default
None.
Command Mode
EXEC Mode.
Command Default Level
Level: 1
Usage Guideline
Displays the MAC ACL applied to the interface. If no interface is specified, the MAC ACLs applied to all the interfaces will be displayed.
Example
This example shows how to display the MAC ACL applied to the interface.
DXS-3600-32S#show mac access-group
Interface tenGigabitEthernet 1/0/11:
  mac access-group 6005 in
  mac access-group ext-mac-6000 out
DXS-3600-32S#

3-22 show expert access-group

This command is used to display the expert ACL configuration of the interface.
show expert access-group [interface interface]
Parameters
interface interface Specifies the interface ID used.
Default
None.
Command Mode
EXEC Mode.
Command Default Level
Level: 1
Usage Guideline
Displays the expert ACL applied to the interface. If no interface is specified, the expert ACLs applied to all the interfaces will be displayed.
Example
This example shows how to display the expert ACL applied to the interface.
DXS-3600-32S#show expert access-group
Interface tenGigabitEthernet 1/0/2:
  expert access-group exp1 in
DXS-3600-32S#

3-23 vlan access-map

This command is used to create a submap and enter the access-map configuration mode. The no form of this command deletes the submap.
vlan access-map map_name [map_sn]
no vlan access-map map_name [map_sn]
Parameters
map_name Specifies the name of the hostmap to be configured. The name can be up to 32 characters long.
map_sn Specifies the sequence number of the submap.
Default
None.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 12
Usage Guideline
A sequence number will be assigned automatically if the user did not assign it manually. Automatic assignment of the sequence number starts from 10 and increases by 10 for every new entry.
Example
This example shows how to create a VLAN access map.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#vlan access-map vlan-map 20
DXS-3600-32S(config-access-map)#

3-24 match ip / mac address

This command is used to associate an IP ACL or MAC ACL with a specific submap. The no form of this command removes the configuration.
match ip address {acl_name | acl_id}+8
no match ip address {acl_name | acl_id}+8
match mac address {acl_name | acl_id}+8
no match mac address {acl_name | acl_id}+8
Parameters
acl_name Specifies the name of the ACL to be configured. The name can be up to 32 characters long.
acl_id Specifies the sequence number of the ACL.
+8 The parameter can be entered repeatedly, but not more than 8 times.
Default
None.
Command Mode
Access-map Configuration Mode.
Command Default Level
Level: 12
Usage Guideline
One submap can only be associated with an IP ACL or a MAC ACL. You cannot associate a submap with both an IP ACL and a MAC ACL. One submap can only be associated with at most 8 ACLs. One submap cannot be associated with a non-existent ACL. One submap cannot be associated with an ACL that is a NULL ACL.
Example
This example shows how to configure matching content in the submap.
DXS-3600-32S(config)# vlan access-map vlan-map 20
DXS-3600-32S(config-access-map)# match ip address 10 20 sp1 30 sp2
DXS-3600-32S(config-access-map)# end
DXS-3600-32S# show vlan access-map
VLAN access-map vlan-map 20
  match ip address: 10,20,sp1,30,sp2
  action: forward
DXS-3600-32S# configure terminal
DXS-3600-32S(config)# vlan access-map vlan-map 30
DXS-3600-32S(config-access-map)# match mac address 6710 6720 ext_mac 7760
DXS-3600-32S(config-access-map)# end
DXS-3600-32S# show vlan access-map
VLAN access-map vlan-map 20
  match ip address: 10,20,sp1,30,sp2
  action: forward
VLAN access-map vlan-map 30
  match mac address: 6710,6720,ext_mac,7760
  action: forward
DXS-3600-32S#

3-25 action

This command is used to set the forward, drop, or redirect action of a submap in the VACL mode. Use the no command to return to the default configuration.
action forward
no action forward
action drop
no action drop
action redirect {port_id}
no action redirect {port_id}
Parameters
port_id Specifies the redirection port used.
Default
Default action is forward.
Command Mode
Access-map Configuration Mode.
Command Default Level
Level: 12
Usage Guideline
One submap has only one action. The submap action is applied to all the associated ACLs.
Example
This example shows how to configure the action attribute in the submap.
DXS-3600-32S# show vlan access-map
VLAN access-map vlan-map 20
  match mac address: 6710,6720,ext_mac,7760,
  action: forward
DXS-3600-32S# configure terminal
DXS-3600-32S(config)# vlan access-map vlan-map 20
DXS-3600-32S(config-access-map)# action redirect tenGigabitEthernet 1/0/5
DXS-3600-32S(config-access-map)# end
DXS-3600-32S# show vlan access-map
VLAN access-map vlan-map 20
  match mac address: 6710,6720,ext_mac,7760,
  action: redirect tenGigabitEthernet 1/0/5
DXS-3600-32S#

3-26 vlan filter

This command is used to apply a hostmap in a VLAN. Use the no command to remove a hostmap from a VLAN.
vlan filter map_name vlan-list vlan_id
no vlan filter map_name vlan-list vlan_id
Parameters
map_name Specifies the name of the hostmap.
vlan_id Specifies the VLAN ID used.
Default
None.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 12
Usage Guideline
One VLAN Access Map can be applied to multiple VLANs. One VLAN can bind with only one VLAN Access Map.
Example
This example shows how to apply the hostmap ‘vlan-map’ to VLAN 5.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#vlan filter vlan-map vlan-list 5
DXS-3600-32S(config)#end
DXS-3600-32S#show vlan filter
VLAN Map vlan-map
  Configured on VLANs: 5
DXS-3600-32S#

3-27 show vlan access-map

This command is used to display the VLAN access-map configuration of the interface.
show vlan access-map [map_name]
Parameters
map_name Specifies the name of the hostmap to be configured. The name can be up to 32 characters long.
Default
None.
Command Mode
EXEC Mode.
Command Default Level
Level: 1
Usage Guideline
None.
Example
This example shows how to display the VLAN access map.
DXS-3600-32S#show vlan access-map
VLAN access-map vlan-map 10
  match ip access list: 110,220,stp_ip1,30,stp_ip2,
  action: forward
VLAN access-map vlan-map 20
  match mac access list: 6710,6720,ext_mac,7760,
  action: redirect tenGigabitEthernet 1/0/5
DXS-3600-32S#

3-28 show vlan filter

This command is used to display the VLAN filter configuration of the interface.
show vlan filter [{access_map map_name | vlan vlan_id}]
Parameters
access_map map_name Specifies the name of the hostmap to be configured. The name can be up to 32 characters long.
vlan vlan_id Specifies the VLAN ID used.
Default
None.
Command Mode
EXEC Mode.
Command Default Level
Level: 1
Usage Guideline
None.
Example
This example shows how to display the VLAN filter.
DXS-3600-32S#show vlan filter
VLAN Map aa
  Configured on VLANs: 5-127,221-333
VLAN Map bb
  Configured on VLANs: 1111-1222
DXS-3600-32S#show vlan filter vlan 5
VLAN ID 5
  Binding VLAN Map aa
DXS-3600-32S#

Address Resolution Protocol (ARP) Commands

4-1 arp

This command is used to add a permanent IP address and MAC address mapping to the ARP cache table. Use the ‘no’ command to remove the IP-MAC address mapping.
arp [vrf <string 1-12>] ip-address mac-address
no arp [vrf <string 1-12>] ip-address
Parameters
vrf Specifies the VRF that the IP resides in. If no VRF name is specified, the global instance will be used.
ip-address Enter the IP address that corresponds to the MAC address here.
mac-address Enter the 48-bit data link layer address here.
Default
There is no static ARP entry in the ARP cache table.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 8
Usage Guideline
This command adds a static ARP mapping entry to the system. If this dynamic ARP entry already exists, it will be replaced by the static ARP entry. If the new entry contains a different MAC address from the old one, the new entry will overwrite the old one. Using the ‘no’ command, the user can delete static and dynamic entries; however, local entries cannot be removed. Users can verify the settings by entering the show ip arp or show arp command.
Example
This example shows how to add a static ARP entry into the ARP cache table.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#arp 33.1.1.33 0050.BA00.0736
DXS-3600-32S(config)#
Example
This example shows how to remove a static ARP entry, with the IP address 33.1.1.33, from the ARP cache table.
DXS-3600-32S(config)#no arp 33.1.1.33
DXS-3600-32S(config)#

4-2 arp timeout

This command is used to configure the timeout value for the dynamic ARP mapping record in the ARP cache table. Use the ‘no’ command to restore it to the default configuration.
arp timeout minutes
no arp timeout
Parameters
minutes Enter the timeout value used here. This value must be between 0 and 65535 minutes.
Default
The default timeout value is 20 minutes.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 8
Usage Guideline
The ARP timeout setting is only applicable to the IP address and MAC address mappings that are learned dynamically. The shorter the timeout, the more accurate the mapping table saved in the ARP cache, but the more network bandwidth ARP occupies. Hence the advantages and disadvantages should be weighed. Generally, it is not necessary to configure a very short ARP timeout unless there is a special requirement.
Users can verify the settings by entering the show arp timeout command.
Example
This example shows how to configure the timeout value, for the dynamic ARP mapping record, to 120 minutes.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#arp timeout 120
DXS-3600-32S(config)#
Example
This example shows how to restore the timeout value, for the dynamic ARP mapping record, to 20 minutes.
DXS-3600-32S(config)#no arp timeout
DXS-3600-32S(config)#

4-3 clear arp cache

This command is used to remove one or all dynamic ARP entries from the ARP cache table.
clear arp-cache [vrf <string 1-12>] [ip-address] [interface interface-name]
Parameters
vrf Specifies the VRF that the IP resides in. If no VRF name is specified, the global instance will be used.
ip-address (Optional) Enter the IP address of the dynamic ARP entry here.
interface interface-name (Optional) Specifies the interface from which the dynamic ARP entry was learned.
Default
None.
Command Mode
Privileged Mode.
Command Default Level
Level: 8
Usage Guideline
This command can be used to clear the dynamic ARP entries. Use the show ip arp command to view the current state of the ARP cache table.
Example
This example shows how to remove all dynamic ARP entries.
DXS-3600-32S#clear arp-cache
DXS-3600-32S#
Example
This example shows how to remove a dynamic ARP entry with the IP address 1.1.1.1.
DXS-3600-32S#clear arp-cache 1.1.1.1
DXS-3600-32S#
Example
This example shows how to remove dynamic ARP entries from the IP interface vlan1.
DXS-3600-32S#clear arp-cache interface vlan1
DXS-3600-32S#

4-4 show arp

This command is used to display the Address Resolution Protocol (ARP) cache table.
show arp [vrf <string 1-12>] [ip-address [net-mask] | mac-address | {static | complete}]
Parameters
vrf Specifies the VRF that the IP resides in. If no VRF name is specified, the global instance will be used.
ip-address (Optional) Enter the ARP entry of the specified IP address here.
net-mask (Optional) Enter the ARP entries of the network segment included within the mask.
mac-address (Optional) Enter the ARP entry of the specified MAC address.
static (Optional) Specifies to display all the static ARP entries.
complete (Optional) Specifies to display all the resolved dynamic ARP entries.
Default
All entries in the ARP cache table will be displayed if no option is specified.
Command Mode
Privileged Mode.
Command Default Level
Level: 3
Usage Guideline
Use this command to display the ARP cache table. The static and complete options are mutually exclusive.
Example
This example shows how to display all the entries in the ARP cache table.
DXS-3600-32S#show arp
ARP timeout is 20 minutes.
Interface     IP Address      MAC Address       Type
------------- --------------- ----------------- ---------------
System        10.0.0.0        FF-FF-FF-FF-FF-FF Local/Broadcast
System        10.90.90.90     00-12-21-12-21-11 Local
System        10.1.1.5        00-12-21-12-21-18 Static
System        10.1.1.8        00-12-21-12-21-48 Static
System        10.1.1.9        00-05-5D-A5-32-3F Dynamic
System        10.255.255.255  FF-FF-FF-FF-FF-FF Local/Broadcast
Total Entries: 6
DXS-3600-32S#
Example
This example shows how to display the ARP cache table containing the IP address of 10.1.1.9.
DXS-3600-32S#show arp 10.1.1.9
ARP timeout is 20 minutes.
Interface     IP Address      MAC Address       Type
------------- --------------- ----------------- ---------------
System        10.1.1.9        00-05-5D-A5-32-3F Dynamic
Total Entries: 1
DXS-3600-32S#
Example
This example shows how to display the ARP cache table containing the netmask 10.1.0.0/255.255.0.0.
DXS-3600-32S#show arp 10.1.0.0 255.255.0.0
ARP timeout is 20 minutes.
Interface     IP Address      MAC Address       Type
------------- --------------- ----------------- ---------------
System        10.1.1.5        00-12-21-12-21-18 Static
System        10.1.1.8        00-12-21-12-21-48 Static
System        10.1.1.9        00-05-5D-A5-32-3F Dynamic
Total Entries: 3
DXS-3600-32S#
Example
This example shows how to display the ARP cache table containing static types for the netmask 10.1.0.0/255.255.0.0.
DXS-3600-32S#show arp 10.1.0.0 255.255.0.0 static
ARP timeout is 20 minutes.
Interface     IP Address      MAC Address       Type
------------- --------------- ----------------- ---------------
System        10.1.1.5        00-12-21-12-21-18 Static
System        10.1.1.8        00-12-21-12-21-48 Static
Total Entries: 2
DXS-3600-32S#
Example
This example shows how to display the ARP cache table containing the MAC address 00:05:5D:A5:32:3F.
DXS-3600-32S#show arp 0005.5DA5.323F
ARP timeout is 20 minutes.
Interface     IP Address      MAC Address       Type
------------- --------------- ----------------- ---------------
System        10.1.1.9        00-05-5D-A5-32-3F Dynamic
Total Entries: 1
DXS-3600-32S#
Example
This example shows how to display the ARP cache table containing static types.
DXS-3600-32S#show arp static
ARP timeout is 20 minutes.
Interface     IP Address      MAC Address       Type
------------- --------------- ----------------- ---------------
System        10.1.1.5        00-12-21-12-21-18 Static
System        10.1.1.8        00-12-21-12-21-48 Static
Total Entries: 2
DXS-3600-32S#
Example
This example shows how to display the ARP cache table containing all the completed entries.
DXS-3600-32S#show arp complete
ARP timeout is 20 minutes.
Interface     IP Address      MAC Address       Type
------------- --------------- ----------------- ---------------
System        10.1.1.9        00-05-5D-A5-32-3F Dynamic
Total Entries: 1
DXS-3600-32S#

4-5 show arp counter

This command is used to display the number of ARP entries in the ARP cache table.
show arp counter [vrf <string 1-12>]
Parameters
vrf Specifies the VRF that the IP resides in. If no VRF name is specified, the global instance will be used.
Default
None.
Command Mode
Privileged Mode.
Command Default Level
Level: 3
Usage Guideline
Use this command to display the number of ARP entries in the ARP cache table.
Example
This example shows how to display the number of ARP entries in the ARP cache table.
DXS-3600-32S#show arp counter
Total ARP Entry Counter: 3
DXS-3600-32S#

4-6 show arp timeout

This command is used to display the aging time of a dynamic ARP entry on the switch.
show arp timeout
Parameters
None.
Default
None.
Command Mode
Privileged Mode.
Command Default Level
Level: 3
Usage Guideline
Use this command to display the aging time of a dynamic ARP entry on the switch.
Example
This example shows how to display the aging time value of a dynamic ARP entry on the switch.
DXS-3600-32S#show arp timeout
ARP timeout is 20 minutes.
DXS-3600-32S#

4-7 show ip arp

This command is used to display the Address Resolution Protocol (ARP) cache table.
show ip arp [vrf <string 1-12>]
Parameters
vrf Specifies the VRF that the IP resides in. If no VRF name is specified, the global instance will be used.
Default
None.
Command Mode
Privileged Mode.
Command Default Level
Level: 3
Usage Guideline
Use this command to display the Address Resolution Protocol (ARP) cache table.
Example
This example shows how to display the Address Resolution Protocol (ARP) cache table.
DXS-3600-32S#show ip arp
ARP timeout is 20 minutes.
Interface     IP Address      MAC Address       Type
------------- --------------- ----------------- ---------------
System        10.0.0.0        FF-FF-FF-FF-FF-FF Local/Broadcast
System        10.90.90.90     00-12-21-12-21-11 Local
System        10.255.255.255  FF-FF-FF-FF-FF-FF Local/Broadcast
Total Entries: 3
DXS-3600-32S#

Alternate Store and Forward (ASF) Commands

5-1 enable asf

This command is used to enable the ASF feature.
enable asf
Parameters
None.
Default
Alternate store and forward feature is disabled.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 15
Usage Guideline
Use this command to enable the alternate store and forward mode.
Example
This example shows how to enable ASF.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#enable asf
DXS-3600-32S(config)#

5-2 no asf

This command is used to disable the ASF feature.
no asf
Parameters
None.
Default
Alternate store and forward feature is disabled.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 15
Usage Guideline
Use this command to disable the alternate store and forward mode.
Example
This example shows how to disable ASF.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#no asf
DXS-3600-32S(config)#

5-3 show asf

This command is used to display the current ASF mode.
show asf
Parameters
None.
Default
None.
Command Mode
Privileged Mode.
Command Default Level
Level: 1
Usage Guideline
Use this command to display the current setting of the alternate store and forward feature.
Example
This example shows how to display the current settings for ASF.
DXS-3600-32S#show asf
Alternate Store and Forward: Disabled
DXS-3600-32S#

Authentication, Authorization, and Accounting (AAA) Commands

6-1 aaa

This command is used to enable the Authentication, Authorization, and Accounting (AAA) security service. The no form of this command is used to disable the AAA security service.
aaa
no aaa
Parameters
None.
Default
By default, this feature is disabled.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 15
Usage Guideline
Use this command to enable AAA. If AAA is not enabled, none of the AAA commands can be configured.
Example
This example shows how to enable the AAA security service.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#aaa
DXS-3600-32S(config)# 7 2011-11-14 11:55:14 INFO(6) Authentication Policy is enabled (Module: AAA)
DXS-3600-32S(config)#

6-2 aaa authentication login

This command is used to enable AAA login authentication and configure the login authentication method list. The no form of this command is used to delete the authentication method list.
aaa authentication login {default | list-name} method1 [method2...]
no aaa authentication login {default | list-name}
Parameters
default When this parameter is used, the following defined authentication method list is used as the default method for Login authentication.
list-name Name of the user authentication method list. After the user-defined authentication method list is created, you can use the login authentication line configuration command to apply the login authentication method list to the specified terminal lines.
method Syntax "{local | none | group {radius | tacacs+ | group_name}}". Up to four methods supported:
local - Use the local user name database for authentication.
none - Bypass authentication.
group - Can be followed by radius, tacacs+ or a group_name.
"group radius" means use all RADIUS servers group.
"group tacacs+" means use all TACACS+ server group.
"group group_name" is the specific group created via the aaa group server global configuration command.
Default
None. On the console, login will succeed without any authentication checks if the login authentication method list is not set.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 15
Usage Guideline
If the AAA login authentication security service is enabled on the device, users must use AAA for login authentication negotiation. You must use aaa authentication login to configure a default or optional method list for login authentication. The next method can be used for authentication only when the current method does not work. You need to apply the configured login authentication method to the terminal line which needs login authentication. Otherwise, the configured login authentication method is invalid.
Example
This example shows how to define an AAA login authentication method list, named ‘list-1’. In the authentication method list, the RADIUS security server is used first for authentication. If the RADIUS security server does not respond, the local user database is used for authentication. After the login authentication method list has been created, you can use the Login Authentication Line Configuration command to apply this method list to the console, SSH, or other terminals.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#aaa authentication login list-1 group radius local
DXS-3600-32S(config)#

6-3 aaa authentication enable

This command is used to enable AAA enable authentication and configure the enable authentication method list. The no form of this command is used to delete the user authentication method list.
aaa authentication enable default method1 [method2...]
no aaa authentication enable default
Parameters
default When this parameter is used, the following defined authentication method list is used as the default method for enable authentication.
method Syntax "{enable | none | group {radius | tacacs+ | group_name}}". Up to four methods supported:
enable - Uses the enable password for authentication.
none - Bypass authentication.
group - Can be followed by radius, tacacs+ or a group_name.
"group radius" means use all RADIUS servers group.
"group tacacs+" means use all TACACS+ server group.
"group group_name" is the specific group created via the ‘aaa group server global’ configuration command.
Default
None. On the console, the enable password is used if it exists. If no password is set, the process will succeed anyway.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 15
Usage Guideline
If the AAA enable authentication service is enabled on the device, users must use AAA for enable authentication negotiation. You must use aaa authentication enable to configure a default or optional method list for enable authentication. The next method can be used for authentication only when the current method does not work. The enable authentication function automatically takes effect after configuring the enable authentication method list.
Example
This example shows how to define an AAA enable authentication method list. In the authentication method list, the RADIUS security server is used first for authentication. If the RADIUS security server does not respond, the local user database is used for authentication.
After enabling the authentication method list defined, AAA security services will apply authentication to the user by enabling the privilege password.
DXS-3600-32S(config)#aaa
DXS-3600-32S(config)#aaa authentication enable default group radius local
DXS-3600-32S(config)#

6-4 login authentication

This command is used to apply the login authentication method list to the specified terminal lines. The no form of this command is used to remove the application of the login authentication method list.
login authentication {default | list-name}
no login authentication
Parameters
default Apply the default Login authentication method list to the terminal line.
list-name Apply the defined Login authentication method list to the terminal line.
Default
Uses the default set with the ‘aaa authentication login’ command.
Command Mode
Line Configuration Mode.
Command Default Level
Level: 15
Usage Guideline
Once the default login authentication method list has been configured, it will be applied to all the terminals automatically. If a non-default login authentication method list has been applied to the terminal, it will replace the default one. If you attempt to apply an undefined method list, a warning message will state that the login authentication on this line is ineffective until the list is defined.
Example
This example shows how to define the AAA login authentication method list, named ‘list-1’. In the authentication method list, the local user database is used first for authentication. After that, this method list is applied to the console. After applying the login method list, called ‘list-1’, to the console, a user login from the console will be authenticated by the AAA security servers.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#aaa authentication login list-1 local
DXS-3600-32S(config)#line console
DXS-3600-32S(config-line)#login authentication list-1
DXS-3600-32S(config-line)#
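The following Python code is an added example, not part of the D-Link guide. It checks a list of AAA commands against the rules stated in sections 6-1 to 6-4: the none method bypasses authentication, a named login list has no effect until it is applied to a line, a line that references an undefined list is ineffective, and without a default list a line with no list of its own has no login method list. Both command lists are constructed, the finding labels and function names are hypothetical, and no forms are not modelled.

```python
import re

# Constructed command lists (as typed in configuration mode), not device output.
WEAK_CONFIG = """\
aaa
aaa authentication login list-1 group radius none
aaa authentication login list-2 local
aaa authentication enable default group radius enable
line console
login authentication list-3
"""

HARDENED_CONFIG = """\
aaa
aaa authentication login default group radius local
aaa authentication login list-1 group radius local
aaa authentication enable default group radius enable
line console
login authentication list-1
"""


def split_methods(tokens):
    """Join each 'group <name>' pair so every list element is one method."""
    methods, it = [], iter(tokens)
    for tok in it:
        methods.append(f"group {next(it, '?')}" if tok == "group" else tok)
    return methods


def parse_aaa(config):
    """Collect AAA state from command lines; a leading CLI prompt is stripped."""
    state = {"aaa": False, "login": {}, "enable": {}, "lines": {}}
    line_ctx = None  # terminal line currently being configured, if any
    for raw in config.splitlines():
        words = re.sub(r"^\S*#\s*", "", raw.strip()).split()
        if not words:
            continue
        if words == ["aaa"]:
            state["aaa"] = True
        elif (words[:2] == ["aaa", "authentication"] and len(words) > 4
              and words[2] in ("login", "enable")):
            state[words[2]][words[3]] = split_methods(words[4:])
        elif words[0] == "line" and len(words) > 1:
            line_ctx = " ".join(words[1:])
            state["lines"].setdefault(line_ctx, None)
        elif words[:2] == ["login", "authentication"] and len(words) == 3:
            if line_ctx is not None:
                state["lines"][line_ctx] = words[2]
        elif words[0] in ("end", "exit"):
            line_ctx = None
    return state


def audit_aaa(state):
    """Return (label, subject) findings based on the guide's stated rules."""
    findings = []
    if not state["aaa"] and (state["login"] or state["enable"]):
        # AAA commands cannot be configured while AAA is not enabled.
        findings.append(("AAA_DISABLED", "aaa"))
    for kind in ("login", "enable"):
        for name, methods in sorted(state[kind].items()):
            if "none" in methods:
                # Reached when the earlier methods do not work: no check at all.
                findings.append(("BYPASS_METHOD", f"{kind}:{name}"))
            if len(methods) > 4:
                findings.append(("TOO_MANY_METHODS", f"{kind}:{name}"))
    applied = {name for name in state["lines"].values() if name}
    for name in sorted(state["login"]):
        if name != "default" and name not in applied:
            findings.append(("LIST_NOT_APPLIED", f"login:{name}"))
    for line, name in sorted(state["lines"].items()):
        if name and name not in state["login"]:
            findings.append(("LINE_LIST_UNDEFINED", f"{line}:{name}"))
    if "default" not in state["login"]:
        # Lines without their own list then have no login method list set.
        findings.append(("NO_DEFAULT_LOGIN_LIST", "login:default"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_aaa(parse_aaa(cfg)))
```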

6-5 aaa authorization exec

This command is used to authorize the users logg ed in the NAS CLI and a ssign the autho rity leve l. Th e no for m of this command is used to disable the aaa authoriza tio n exec function.
aaa authorization exec {default | list-name} method1 [method2...] no aaa authorization exec {default | list-name}
50
DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide
Parameters
default When this parameter is used, the following defined method list is used as the default method for Exec authorization.
list-name Name of the user authorization method list. After the user-defined authorization method list is created, you can use the authorization exec line configuration command to apply the authorization method list to the specified terminal lines.
method Syntax "{local | none | group {radius | tacacs+ | group_name}}".
Up to four methods supported:
local - Use the local user name database for authorization.
none - Do not perform authorization.
group - Can be followed by radius or tacacs+ or a group_name.
"group radius" means use all RADIUS servers group.
"group tacacs+" means use all TACACS+ server group.
"group group_name" is the specific group created via the aaa group server global configuration command.
Default
The default value is disabled.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 15
Usage Guideline
It supports authorization of users logged in the NAS CLI and assignment of CLI authority level (0-15). The aaa authorization exec function is effective on condition that the Login authentication function has been enabled. It cannot enter the CLI if it fails to enable the aaa authorization exec. You must apply the exec authorization method to the terminal line; otherwise the configured method is ineffective.
Example
This example shows how to use the RADIUS server to authorize EXEC. After the authorization method list, called ‘list-1’, has been created, you can use the Authorization EXEC Line Configuration command to apply this method list to the console, SSH, or other terminals.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#aaa authorization exec list-1 group radius
DXS-3600-32S(config)#

6-6 aaa authorization console

This command is used to enable the authorization function for users who have logged in the console. The no form of this command is used to disable the authorization function.
aaa authorization console
no aaa authorization console
Parameters
None.
Default
The default option is disabled.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 15
Usage Guideline
It identifies the users logged in from the console and from other terminals, and configures whether to authorize the users logged in from the console or not. If the command authorization function is disabled on the console, the authorization method list applied to the console line is ineffective.
Example
This example shows how to enable the AAA authorization console function. The authorization method list, applied to the console line, via the Authorization EXEC Line Configuration command, will take effect.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#aaa authorization console
DXS-3600-32S(config)#

6-7 authorization exec

This command is used to authorize the users logged in the NAS CLI and assign the authority level. The no form of this command is used to disable the aaa authorization exec function.
authorization exec {default | list-name}
no authorization exec
Parameters
default Specifies to use the default method of Exec authorization.
list-name Specifies to apply a defined method list of Exec authorization.
Default
The default value is disabled.
Command Mode
Line Configuration Mode.
Command Default Level
Level: 15
Usage Guideline
Once the default exec authorization method list has been configured, it is applied to all terminals automatically. Once the non-default command authorization method list has been configured, it is applied to the line instead of the default method list. If you attempt to apply an undefined method list, a warning message will prompt that the exec authorization in this line is ineffective till the authorization method list is defined.
Example
This example shows how to configure the EXEC authorization method list, with the name of ‘list-1’, that uses the RADIUS server. If the security server does not respond, it will not perform authorization. After the configuration, the authorization command is applied to the console.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#aaa authentication login login-1 group tacacs+ local
DXS-3600-32S(config)#aaa authorization exec list-1 group radius none
DXS-3600-32S(config)#aaa authorization console
DXS-3600-32S(config)#line console
DXS-3600-32S(config-line)#authorization exec list-1
DXS-3600-32S(config-line)#login authentication login-1
DXS-3600-32S(config-line)#exit
DXS-3600-32S(config)#
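The conditions under which a method list is ineffective or skips the check (sections 6-4 to 6-7) can be verified mechanically before a change is saved. The Python linter below is an added example, not part of the D-Link manual or firmware; its function names, finding codes and the modified sample session are assumptions made for illustration.

```python
import re

# Constructed input: the session from the example above with two deliberate
# changes (no 'aaa authorization console', and the console line references
# the undefined list 'login-2') so that every check has something to report.
SAMPLE_SESSION = """\
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#aaa authentication login login-1 group tacacs+ local
DXS-3600-32S(config)#aaa authorization exec list-1 group radius none
DXS-3600-32S(config)#line console
DXS-3600-32S(config-line)#authorization exec list-1
DXS-3600-32S(config-line)#login authentication login-2
DXS-3600-32S(config-line)#exit
DXS-3600-32S(config)#
"""

PROMPT = re.compile(r"^\S*#\s*")  # strips a leading 'DXS-3600-32S(config)#'

# Global commands that define a method list -> service name (hypothetical labels).
DEFINE = {
    ("aaa", "authentication", "login"): "login",
    ("aaa", "authorization", "exec"): "authorization",
    ("aaa", "accounting", "exec"): "accounting",
}
# Line-mode commands that apply a method list -> service name.
APPLY = {
    ("login", "authentication"): "login",
    ("authorization", "exec"): "authorization",
    ("accounting", "exec"): "accounting",
}


def parse_methods(tokens):
    """Turn ['group', 'radius', 'none'] into ['group radius', 'none']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_session(text):
    """Collect defined method lists and where they are applied.

    'no' forms are ignored, so feed this the commands that are in effect.
    """
    cfg = {"lists": {}, "applied": [], "console_authorization": False}
    line_mode = None  # name of the terminal line being configured, if any
    for raw in text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if not words or words[0] == "no":
            continue
        head3, head2 = tuple(words[:3]), tuple(words[:2])
        if head3 == ("aaa", "authorization", "console"):
            cfg["console_authorization"] = True
        elif head3 in DEFINE and len(words) >= 5:
            methods = [w for w in words[4:] if w != "start-stop"]
            cfg["lists"][(DEFINE[head3], words[3])] = parse_methods(methods)
        elif words[0] == "line" and len(words) >= 2:
            line_mode = words[1]
        elif words[0] in ("exit", "end"):
            line_mode = None
        elif line_mode and head2 in APPLY and len(words) >= 3:
            cfg["applied"].append((line_mode, APPLY[head2], words[2]))
    return cfg


def audit(cfg):
    """Return (code, subject) findings for the rules stated in 6-4 to 6-7."""
    findings = []
    for (service, name), methods in sorted(cfg["lists"].items()):
        if "none" in methods:
            # With 'none' in the list, the check is skipped once the
            # methods before it do not respond.
            findings.append(("FAIL_OPEN", f"{service}/{name}"))
    for line, service, name in cfg["applied"]:
        if name != "default" and (service, name) not in cfg["lists"]:
            # Applying an undefined list leaves that function ineffective.
            findings.append(("UNDEFINED_LIST", f"{line}:{service}/{name}"))
        if (line == "console" and service == "authorization"
                and not cfg["console_authorization"]):
            # Without 'aaa authorization console' the list applied to the
            # console line has no effect.
            findings.append(("CONSOLE_AUTHZ_OFF", f"{line}:{service}/{name}"))
    return findings


if __name__ == "__main__":
    for code, subject in audit(parse_session(SAMPLE_SESSION)):
        print(f"{code:18} {subject}")
```

Run against the unmodified session from the manual's example, the only finding is the `none` fallback on ‘list-1’.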

6-8 aaa accounting exec

This command is used to account users in order to count the managed users' activities. The no form of this command is used to disable the accounting function.
aaa accounting exec {default | list-name} start-stop method1 [method2...]
no aaa accounting exec {default | list-name}
Parameters
default When this parameter is used, the following defined method list is used as the default method for Exec accounting.
list-name Name of the Exec accounting method list. After the user-defined accounting method list is created, you can use the accounting exec line configuration command to apply the accounting method list to the specified terminal lines.
method Syntax "{none | group {radius | group_name}}".
Up to four methods supported:
none - Do not perform accounting.
group - Can be followed by radius or a group_name.
"group radius" means use all RADIUS servers group.
"group group_name" is the specific group created via the aaa group server global configuration command.
Default
The default option is disabled.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 15
Usage Guideline
It enables the exec accounting function after enabling the login authentication. After enabling the accounting function, it sends the account start information to the security server when the users log in the NAS CLI, and sends the account stop information to the security server when the users log out. If it does not send the account start information to the security server when a user logs in, it does not send the account stop information to the security server when a user logs out, either. The configured exec accounting method must be applied to the terminal line that needs accounting command; otherwise it is ineffective.
Example
This example shows how to perform accounting of a managed user’s activities using RADIUS, sending the accounting messages at the start and the end time of access. After the ‘list-1’ accounting method list has been created, you can use the Accounting EXEC Line Configuration command to apply this method list to the console, SSH, or to other terminals.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#aaa accounting exec list-1 start-stop group radius
DXS-3600-32S(config)#

6-9 accounting exec

This command is used to apply the exec accounting method list to the specified terminal lines in the line configuration mode. The no form of this command is used to disable the exec accounting function.
accounting exec {default | list-name}
no accounting exec
Parameters
default Specifies to use the default method of Exec accounting.
list-name Specifies to use a defined Exec accounting method list.
Default
By default, this feature is disabled.
Command Mode
Line Configuration Mode.
Command Default Level
Level: 15
Usage Guideline
Once the default exec accounting method list has been configured, it is applied to all terminals automatically. Once the non-default exec accounting method list has been configured, it is applied to the line instead of the default method list. If you attempt to apply an undefined method list, a warning message will prompt that the exec accounting in this line is ineffective till the exec accounting command method list is defined.
Example
This example shows how to configure the EXEC accounting method list, with the name of ‘list-1’, that uses the RADIUS server. If the security server does not respond, it will not perform accounting. After the configuration, EXEC accounting is applied to the console.
After applying the login method list, ‘list-1’, to the console, when a user logs in from the console, it sends the account start information to the security server when the user has logged into the NAS’s CLI. It also sends the account stop information to the security server when a user logs out.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#aaa accounting exec list-1 start-stop group radius
DXS-3600-32S(config)#line console
DXS-3600-32S(config-line)#accounting exec list-1
DXS-3600-32S(config-line)#

6-10 ip http authentication aaa

To specify an AAA authentication method for HTTP server users, use the ip http authentication aaa command in global configuration mode. To disable a configured authentication method, use the no form of this command.
ip http authentication aaa {exec-authorization {default | list-name} | login-authentication {default | list-name}}
no ip http authentication aaa {exec-authorization | login-authentication}
Parameters
exec-authorization Specifies to configure the method list for exec authorization.
login-authentication Specifies to configure the method list for login authentication.
default Specifies to configure the default method list.
list-name Specifies to configure the name of the method list.
Default
None.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 15
Usage Guideline
The ‘ip http authentication aaa’ command specifies the AAA authentication method to be used for login when a client connects to the HTTP server. The local, RADIUS and TACACS+ methods should be specified using the ‘aaa authentication login’ command.
Example
This example shows how to specify that the method configured for AAA should be used for authentication of HTTP server users. The AAA login method is configured as the “local” username/password authentication method. This example specifies that the local username database will be used for login authentication and the EXEC authorization of HTTP sessions.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#aaa authentication login list-1 local
DXS-3600-32S(config)#aaa authorization exec list-1 local
DXS-3600-32S(config)#ip http authentication aaa login-authentication list-1
DXS-3600-32S(config)#ip http authentication aaa exec-authorization list-1
DXS-3600-32S(config)#

6-11 aaa local authentication attempts

This command is used to configure login attempt times.
aaa local authentication attempts max-attempts
no aaa local authentication attempts
Parameters
The range is between 1 and 255.
Default
The default value is 3.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 15
Usage Guideline
Use this command to configure login attempt times.
Example
This example shows how to configure the number of login attempt times to 6.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#aaa local authentication attempts 6
DXS-3600-32S(config)#

6-12 aaa local authentication lockout-time

This command is used to configure the length of the lockout time applied when a user has exceeded the permitted number of login attempts.
aaa local authentication lockout-time lockout-time
no aaa local authentication lockout-time
Parameters
The range is between 1 and 255.
Default
The default value is 60 seconds.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 15
Usage Guideline
Use this command to configure the length of the lockout time applied when a user has exceeded the permitted number of login attempts.
Example
This example shows how to configure the length of the ‘lockout-time’ attribute to 5 seconds.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#aaa local authentication lockout-time 5
DXS-3600-32S(config)#

6-13 aaa authentication network

This command is used to enable AAA network access authentication and configure the network access user authentication method list. The no form of this command is used to delete the network access user authentication method list.
aaa authentication network default method1 [method2...]
no aaa authentication network default
Parameters
default When this parameter is used, the following defined network access user authentication method list is used as the default method for user authentication.
method Syntax "{local | none | group radius | group_name}".
Up to four methods supported:
local - Specifies to use the local user name database for authentication.
none - Specifies to bypass authentication.
group - Specifies to be followed by radius or a group name.
"group radius" means to use all RADIUS servers group.
“group group_name” means to use a specific RADIUS group, created by means of the aaa group server radius global configuration command.
Default
None.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 15
Usage Guideline
If the AAA network access security service (such as 802.1X) is enabled on the device, users must use AAA for network access user authentication negotiation. You must use the ‘aaa authentication network’ command to configure a default or optional method list for network access user authentication. The next method can be used for authentication only when the current method does not work.
Example
This example shows how to define the AAA authentication method list for the network access security service. In the authentication method list, the RADIUS security server is first used for authentication. If the RADIUS security server does not respond, the local user database is used for authentication.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#aaa authentication network default group radius local
DXS-3600-32S(config)#

6-14 aaa authorization network

This command is used to authorize the service requests (including protocols like 802.1X) from the users that access the network. The no form of this command is used to disable the authorization function.
aaa authorization network default method1 [method2...]
no aaa authorization network default
Parameters
default When this parameter is used, the following defined method list is used as the default method for Network authorization.
method Syntax "{local | none | group radius | group_name}".
Up to four methods supported:
local - Specifies to use the local user name database for authorization.
none - Specifies not to perform authorization.
group - Specifies to be followed by radius or a group name.
"group radius" means to use all RADIUS servers group.
“group group_name” means to use a specific RADIUS group, created by means of the aaa group server radius global configuration command.
Default
By default, this feature is disabled.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 15
Usage Guideline
It supports authorization of all the service requests related to the network, such as 802.1X. If authorization is configured, all the authenticated users or interfaces will be authorized automatically. Three different authorization methods can be specified. If the access user authenticated method is specified in authorization method list, the authorization attributes will be applied, otherwise these attributes will be ignored.
Authenticated by method   Authorization configure method   Accept authorization attributes
group radius              group radius                     Yes
group radius              local / none                     No
local                     group radius / none              No
local                     local                            No
none                      group radius / local / none      No
The RADIUS server authorizes authenticated users by returning a series of attributes. Therefore, RADIUS authorization is based on RADIUS authentication. RADIUS authorization is performed only when the user passes the RADIUS authentication.
Example
This example shows how to use the RADIUS server to authorize network services.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#aaa authorization network default group radius
DXS-3600-32S(config)#

6-15 aaa accounting network

This command is used to account users in order to count the network access fees. The no form of this command is used to disable the accounting function.
aaa accounting network default start-stop method1 [method2...]
no aaa accounting network default
Parameters
network Specifies to perform accounting of the network related service requests, including dot1x, etc.
start-stop Send accounting messages at both the start time and the end time of access. Users are allowed to access the network, no matter whether the start accounting message enables the accounting successfully.
method Syntax "{none | group {radius | group_name}}".
Up to four methods supported:
none - Specifies not to perform authorization.
group - Specifies to be followed by radius or a group name.
"group radius" means to use all RADIUS servers group.
“group group_name” means to use a specific RADIUS group, created by means of the aaa group server radius global configuration command.
radius Specifies to use the RADIUS group for accounting.
Default
By default, this feature is disabled.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 15
Usage Guideline
It performs accounting of user activities by sending record attributes to the security server. Use the keyword start-stop to set the user accounting option.
Example
This example shows how to perform the accounting of a network service request from users, using RADIUS, sending accounting messages at the start and the end time of access.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#aaa accounting network default start-stop group radius
DXS-3600-32S(config)#

6-16 aaa group server

This command is used to configure the AAA server group. The no form of this command is used to delete the server group.
aaa group server {radius | tacacs+} name
no aaa group server {radius | tacacs+} name
Parameters
name Enter the name of the server group. It cannot be the keywords "radius" and "tacacs+".
Default
None.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 15
Usage Guideline
This command is used to configure the AAA server group. Currently, the RADIUS and TACACS+ server groups are supported.
Example
This example shows how to configure an AAA server group named ‘group-1’.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#aaa group server radius group-1
DXS-3600-32S(config-sg-radius)#

6-17 server

This command is used to add a server to the AAA server group. The no form is used to delete a server.
server ip-addr
no server ip-addr
Parameters
ip-addr Enter the IP address of the server. The host can be created via the radius-server host or tacacs-server host global configuration command.
Default
By default, no server is configured.
Command Mode
Server Group Configuration Mode.
Command Default Level
Level: 15
Usage Guideline
Add a server to the specified server group. The default value is used if no port is specified.
Example
This example shows how to add a server IP address to the server group called ‘group-1’.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#aaa group server radius group-1
DXS-3600-32S(config-sg-radius)#server 192.168.4.12
Warning: Server 192.168.4.12 is not defended
DXS-3600-32S(config-sg-radius)#

6-18 show aaa

To display the AAA security service global configuration, use the ‘show aaa’ command in EXEC mode.
show aaa
Parameters
None.
Default
None.
Command Mode
Privileged EXEC Mode.
Command Default Level
Level: 15
Usage Guideline
Use this command to show AAA security service global configuration.
Example
This example shows how to display the global configuration of the AAA security service.
DXS-3600-32S#show aaa

AAA State: Enabled
Console Authorization State: Disabled
Authentication Attempts: 3
Authentication Lockout-Time: 60 second(s)

DXS-3600-32S#
Display Parameters Description
AAA State AAA security service global state.
Console Authorization State Console authorization state for users who have logged in the console.
Authentication attempts Login attempt times.
Authentication lockout-time Lockout-time when the login user has attempted for more than the limited times.

6-19 show aaa server group

To display the AAA server group configuration, use the ‘show aaa server group’ command in EXEC mode.
show aaa server group
Parameters
None.
Default
None.
Command Mode
Privileged EXEC Mode.
Command Default Level
Level: 15
Usage Guideline
Use this command to show AAA server group configuration.
Example
This example shows how to display the AAA server group configuration.
DXS-3600-32S#show aaa server group

Group Name    Type     IP Address
----------------------------------------
Authen_R      RADIUS   10.10.10.1
                       10.10.10.2
Author_T      TACACS   10.10.10.20
                       10.10.10.25
Authen_1X     RADIUS   10.90.90.100

3 total server group(s)

DXS-3600-32S#
Display Parameters Description
Group Name Name of AAA server group.
Type Type of Server group, RADIUS or TACACS+.
IP Address RADIUS server IP address.

6-20 show aaa authentication

This command is used to display the AAA authentication method list. Use the show aaa authentication command in EXEC mode.
show aaa authentication {login | enable | network}
Parameters
login Display the login authentication method list.
enable Display the enable authentication method list.
network Display the network authentication method list.
Default
None.
Command Mode
Privileged EXEC Mode.
Command Default Level
Level: 15
Usage Guideline
Use this command to show AAA authentication method list.
Example
This example shows how to display the AAA login authentication method list.
DXS-3600-32S#show aaa authentication login

Method List   Priority  Method Name
------------------------------------------
default       1         RADIUS
              2         Authen_R
              3         Local
auth_test     1         RADIUS
              2         Authen_R
              3         Local

DXS-3600-32S#
Display Parameters Description
Method List Authentication method list name.
Priority Priority of authentication method.
Method Name Name of authentication method.

6-21 show aaa authorization

This command is used to display the AAA authorization method list. Use the show aaa authorization command in EXEC mode.
show aaa authorization {exec | network}
Parameters
exec Display the Exec authorization method list.
network Display the Network authorization method list.
Default
None.
Command Mode
Privileged EXEC Mode.
Command Default Level
Level: 15
Usage Guideline
Use this command to display the AAA authorization method list.
Example
This example shows how to display the AAA EXEC authorization method list.
DXS-3600-32S#show aaa authorization exec

Method List   Priority  Method Name
------------------------------------
default       1         RADIUS
              2         Author_R
              3         Local
author        1         RADIUS
              2         Author_R
              3         Local

DXS-3600-32S#
Display Parameters Description
Method List Authorization method list name.
Priority Priority of authorization method.
Method Name Name of authorization method.

6-22 show aaa accounting

This command is used to display the AAA accounting method list. Use the show aaa accounting command in EXEC mode.
show aaa accounting {exec | network}
Parameters
exec Display the Exec accounting method list.
network Display the Network accounting method list.
Default
None.
Command Mode
Privileged EXEC Mode.
Command Default Level
Level: 15
Usage Guideline
Use this command to display the AAA accounting method list.
Example
This example shows how to display the AAA EXEC accounting method list.
DXS-3600-32S#show aaa accounting exec

Method List   Priority  Method Name
------------------------------------
default       1         RADIUS
acct_ssh      1         Acct_R

DXS-3600-32S#
Display Parameters Description
Method List Accounting method list name.
Priority Priority of accounting method.
Method Name Name of accounting method.

6-23 show aaa application

This command is used to display the AAA application information. Use the show aaa application command in EXEC mode.
show aaa application [{line | http | network}]
Parameters
line Display the Line application information.
http Display the HTTP application information.
network Display the Network-Access application information.
If the parameter is not specified, display all applications information.
Default
None.
Command Mode
Privileged EXEC Mode.
Command Default Level
Level: 15
Usage Guideline
Use this command to display AAA application information.
Example
This example shows how to display AAA application LINE information.
DXS-3600-32S#show aaa application line

Console:
Login Method List: default
Enable Method List: default
Authorization Method List: default
Accounting Method List: default

Telnet:
Login Method List: login_list_1
Enable Method List: default
Authorization Method List: author_list_1
Accounting Method List:

SSH:
Login Method List: login_list_2
Enable Method List: default
Authorization Method List: default
Accounting Method List: acct_list_1

DXS-3600-32S#
Example
This example shows how to display all AAA application information.
DXS-3600-32S#show aaa application

Console:
Login Method List: default
Enable Method List: default
Authorization Method List: default
Accounting Method List: default

Telnet:
Login Method List: login_list_1
Enable Method List: default
Authorization Method List: author_list_1
Accounting Method List:

SSH:
Login Method List: login_list_2
Enable Method List: default
Authorization Method List:
Accounting Method List: acct_list_1

HTTP:
Login Method List: login_list_1
Authorization Method List: author_list_1

Network-Access:
Authentication Method List: default
Authorization Method List: default
Accounting Method List: default

DXS-3600-32S#
Display Parameters Description
Login Method List Login authentication method list for EXEC login.
Enable Method List Enable authentication method list for enable EXEC privilege.
Authentication Method List Authentication method list for network-access user authentication.
Authorization Method List Authorization method list for EXEC or network-access user.
Accounting Method List Accounting method list for EXEC or network-access user.
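When reviewing this output, the fields of interest are the ones left blank and the method list each management path actually uses. The Python script below is an added example, not D-Link code; it assumes a blank field means no method list is applied to that application, and its function names and the one-field-per-line sample layout are constructed for illustration.

```python
import re

# Constructed input: the 'show aaa application' output from the example above,
# laid out one field per line (assumed layout).
SAMPLE_OUTPUT = """\
DXS-3600-32S#show aaa application

Console:
Login Method List: default
Enable Method List: default
Authorization Method List: default
Accounting Method List: default

Telnet:
Login Method List: login_list_1
Enable Method List: default
Authorization Method List: author_list_1
Accounting Method List:

SSH:
Login Method List: login_list_2
Enable Method List: default
Authorization Method List:
Accounting Method List: acct_list_1

HTTP:
Login Method List: login_list_1
Authorization Method List: author_list_1

Network-Access:
Authentication Method List: default
Authorization Method List: default
Accounting Method List: default

DXS-3600-32S#
"""

# Either an application header or a field label. Splitting on labels rather
# than on line breaks means wrapped or flattened captures parse the same way.
LABEL = re.compile(
    r"(?P<app>Console|Telnet|SSH|HTTP|Network-Access):"
    r"|(?P<field>(?:Login|Enable|Authentication|Authorization|Accounting)"
    r" Method List):"
)


def parse_applications(text):
    """Return {application: {field label: method list name or ''}}."""
    apps, current = {}, None
    marks = list(LABEL.finditer(text))
    for idx, mark in enumerate(marks):
        if mark.group("app"):
            current = apps.setdefault(mark.group("app"), {})
            continue
        if current is None:
            continue  # field label seen before any application header
        end = marks[idx + 1].start() if idx + 1 < len(marks) else len(text)
        tokens = text[mark.end():end].split()
        # A trailing CLI prompt (contains '#') is not a method list name.
        value = tokens[0] if tokens and "#" not in tokens[0] else ""
        current[mark.group("field")] = value
    return apps


def unprotected(apps):
    """Map each application to the fields that have no method list applied."""
    gaps = {}
    for app, fields in apps.items():
        empty = [name for name, value in fields.items() if not value]
        if empty:
            gaps[app] = empty
    return gaps


def usage_by_list(apps, field):
    """Map each method list name to the applications using it for `field`."""
    usage = {}
    for app, fields in apps.items():
        if fields.get(field):
            usage.setdefault(fields[field], []).append(app)
    return usage


if __name__ == "__main__":
    parsed = parse_applications(SAMPLE_OUTPUT)
    for app, fields in unprotected(parsed).items():
        print(f"{app}: no list applied for {', '.join(fields)}")
    for name, users in usage_by_list(parsed, "Login Method List").items():
        print(f"login list {name}: {', '.join(users)}")
```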

6-24 ip vrf forwarding

This command is used to configure the Virtual Private Network (VPN) routing and forwarding (VRF) reference of an authentication, authorization, and accounting (AAA) RADIUS or TACACS+ server group. Use this command in the server-group configuration mode. To enable server groups to use the global (default) routing table, use the no form of this command.
ip vrf forwarding vrf-name
no ip vrf forwarding
Parameters
vrf-name Specifies the name assigned to a VRF.
Default
No server is configured.
Command Mode
Server Group Configuration Mode.
Command Default Level
Level: 15
Usage Guideline
Use this command to specify a VRF for an AAA RADIUS or TACACS+ server group. This command enables dial access users to utilize AAA servers in different routing domains.
Example
The following example shows how to configure the VRF user to reference the RADIUS server in a different VRF server group:
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#aaa group server radius sg_global
DXS-3600-32S(config-aaa-groug-server)#server-private 172.16.010.0254 timeout 5 retransmit 3
DXS-3600-32S(config-aaa-groug-server)#exit
DXS-3600-32S(config)#
DXS-3600-32S(config)#aaa group server radius sg_water
DXS-3600-32S(config-aaa-group-server)#server-private 10.10.0.01 timeout 5 retransmit 3 key water
DXS-3600-32S(config-aaa-group-server)#ip vrf forwarding water
DXS-3600-32S(config-aaa-group-server)#end
DXS-3600-32S(config)#

Border Gateway Protocol (BGP) Commands

7-1 address-family ipv4

This command is used to enter the IPv4 address family mode. Use the no form of this command to delete the configuration of an address family.
address-family ipv4 [{unicast | vrf VRF-NAME}]
no address-family ipv4 [{unicast | vrf VRF-NAME}]
Parameters
unicast Specifies to enter the IPv4 unicast address family configuration mode.
vrf VRF-NAME Specifies the name of the VRF instance to enter IPv4 VRF address family configuration mode.
Default
None.
Command Mode
Router Configuration.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
This command is used to enter the IPv4 address family mode. Different configuration parameters can be set in different address family modes. The IPv4 VRF address family mode is used to configure the BGP instance relation to every VRF instance. If no parameters are specified, it will enter the IPv4 unicast address family mode. Please note that only eBGP peers are supported in the IPv4 VRF address family.
To exit from the address-family configuration mode, use the exit-address-family command.
Example
This example shows how to enter the IPv4 unicast address family and activate a peer session.
DXS-3600-32S# configure terminal
DXS-3600-32S(config)# router bgp 10
DXS-3600-32S(config-router)# address-family ipv4 unicast
DXS-3600-32S(config-router-af)# neighbor 5.5.5.5 activate
DXS-3600-32S(config-router-af)# exit-address-family
DXS-3600-32S(config-router)#
Example
This example shows how to enter the VRF address family and create a BGP peer.
DXS-3600-32S# configure terminal
DXS-3600-32S(config)# router bgp 10
DXS-3600-32S(config-router)# address-family ipv4 vrf VPN-A
DXS-3600-32S(config-router-af)# neighbor 5.5.5.5 remote-as 20
DXS-3600-32S(config-router-af)# exit-address-family
DXS-3600-32S(config-router)#

7-2 address-family vpnv4

This command is used to enter the IPv4 VPN address family mode. Use the no form of this command to delete the configuration of the VPNv4 address family.
address-family vpnv4
no address-family vpnv4
Parameters
None.
Default
None.
Command Mode
Router Configuration.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
This command is used to enter the IPv4 VPN address family mode. The BGP peers activated in this mode are used to exchange VPN IPv4 routing information. Please note that only iBGP peers are supported in this address family now.
To exit from this address-family configuration mode, use the exit-address-family command.
Example
This example shows how to enter the VPNv4 address family and activate a BGP peer.
DXS-3600-32S# configure terminal
DXS-3600-32S(config)# router bgp 120
DXS-3600-32S(config-router)# address-family vpnv4
DXS-3600-32S(config-router-af)# neighbor 10.2.2.5 activate
DXS-3600-32S(config-router-af)# neighbor 10.2.2.5 send-community extended
DXS-3600-32S(config-router-af)# exit-address-family
DXS-3600-32S(config-router)#

7-3 aggregate-address

This command is used to configure BGP aggregate entries. Use the no form of this command to delete the entry.
aggregate-address NETWORK-ADDRESS [summary-only] [as-set]
no aggregate-address NETWORK-ADDRESS
Parameters
NETWORK-ADDRESS Specifies the network address and the sub-network mask that BGP will aggregate. For example, the format of NETWORK-ADDRESS can be 10.9.18.2/8.
summary-only (Optional) Filters all more-specific routes from updates.
as-set (Optional) Generates autonomous system set path information.
Default
None.
Command Mode
Router Configuration.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
Aggregates are used to minimize the size of routing tables. Aggregation combines the characteristics of several different routes and advertises a single route. The aggregate-address command creates an aggregate entry in the BGP routing table if any more-specific BGP routes are available in the specified range. Using the summary-only parameter advertises the prefix only, suppressing the more-specific routes to all neighbors.
Use the as-set parameter to reduce the size of path information by listing each AS number only once, even if it was included in multiple paths that were aggregated. The as-set parameter is useful when aggregation of information results in incomplete path information.
You can verify your settings by entering the show ip bgp aggregate command.
Example
This example shows how to propagate the network 172.0.0.0 and suppress a more specific route called 172.10.0.0.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#router bgp 65534
DXS-3600-32S(config-router)#aggregate-address 172.0.0.0/8 summary-only
DXS-3600-32S(config-router)#

7-4 bgp router-id

This command is used to configure a fixed router ID for the local Border Gateway Protocol (BGP) routing process. Use the no form of this command to remove the fixed router ID from the running configuration file and restore the default router ID selection.
bgp router-id IP-ADDRESS
no bgp router-id
Parameters
IP-ADDRESS Configures the router ID in IPv4 address format as the identifier of the local router running BGP.
Default
The local router ID is selected by the following rules when this command is disabled:
If a loopback interface is configured, the router ID is set to the IP address of the loopback. If multiple loopback interfaces are configured, the loopback with the highest IP address is used.
If no loopback interface is configured, the router ID is set to the highest IP address on a physical interface.
Command Mode
Router Configuration.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
The bgp router-id command is used to configure a fixed router ID for a local BGP routing process. The address of a loopback interface is preferred to an IP address on a physical interface because the loopback interface is more effective than a fixed interface as an identifier because there is no physical link to go down.
You must specify a unique router ID within the network. This command will reset all active BGP peering sessions. It is recommended to configure a loopback interface, since the physical interface link may be up/down/removed for some reason.
You can verify your settings by entering the show ip bgp parameters command.
Example
This example shows how to change the router ID to 192.168.1.1.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#router bgp 65100
DXS-3600-32S(config-router)#bgp router-id 192.168.1.1
DXS-3600-32S(config-router)#

7-5 bgp aggregate-next-hop-check

This command is used to enable checking of the next hop of BGP aggregated routes. Only routes with the same next hop attribute can be aggregated if the BGP aggregate next hop check is enabled. Use the no form of this command to disable the BGP aggregate next hop check.
bgp aggregate-next-hop-check
no bgp aggregate-next-hop-check
Parameters
None.
Default
The default option is disabled.
Command Mode
Router Configuration.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
This command is used to enable checking of the next hop of BGP aggregated routes. Only routes with the same next hop attribute can be aggregated if the BGP aggregate next hop check is enabled. Use the no form of this command to disable the BGP aggregate next hop check.
You can verify your settings by entering the show ip bgp parameters command.
Example
This example shows how to configure the BGP aggregate-next-hop-checking state.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#router bgp 65534
DXS-3600-32S(config-router)#bgp aggregate-next-hop-check
DXS-3600-32S(config-router)#

7-6 bgp always-compare-med

This command is used to enable the comparison of the Multi Exit Discriminator (MED) for paths from neighbors in different autonomous systems. Use the no form of this command to disallow the comparison.
bgp always-compare-med
no bgp always-compare-med
Parameters
None.
Default
The default option is disabled.
Command Mode
Router Configuration.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
The MED, as stated in RFC 1771, is an optional non-transitive attribute that is a four octet non-negative integer. The value of this attribute may be used by the BGP best path selection process to discriminate among multiple exit points to a neighboring autonomous system.
The MED is one of the parameters that are considered when selecting the best path among many alternative paths. The path with a lower MED is preferred over a path with a higher MED. During the best-path selection process, MED comparison is done only among paths from the same autonomous system. The bgp always-compare-med command is used to change this behavior by enforcing MED comparison between all paths, regardless of the autonomous system from which the paths are received. The bgp deterministic-med command can be configured to enforce deterministic comparison of the MED value between all paths received from within the same autonomous system.
You can verify your settings by entering the show ip bgp parameters command.
Example
This example shows how to configure the switch to compare the MED from alternative paths, regardless of the autonomous system from which the paths are received.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#router bgp 65534
DXS-3600-32S(config-router)#bgp always-compare-med
DXS-3600-32S(config-router)#

7-7 bgp bestpath as-path ignore

This command is used to exclude the AS-path factor from the selection of the best path. Use the no form of this command to restore default behavior and configure BGP to consider the AS-path during route selection.
bgp bestpath as-path ignore
no bgp bestpath as-path ignore
Parameters
None.
Default
The AS path is considered when the best path is selected.
Command Mode
Router Configuration.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
The following are the best path selection rules.
• If the next hop associated with the route is unreachable, then the route is dropped.
• Then the route with the largest weight is selected.
• If weight cannot determine the preferred route, then the largest LOCAL-PREF is used to determine the preferred route.
• If the preferred route still cannot be determined, then the route with the shortest AS-PATH list is preferred.
• If the preferred route still cannot be determined, then the lowest origin type is preferred.
• If the preferred route still cannot be determined, then the lowest MED is preferred.
• If the preferred route still cannot be determined, eBGP is preferred over iBGP paths.
• Prefer the path with the lowest IGP metric to the BGP next hop.
• Determine if multiple paths require installation in the routing table for BGP Multipath.
• When both paths are external, prefer the path that was received first (the oldest one).
• Prefer the route that comes from the BGP router with the lowest router ID.
• If the originator or router ID is the same for multiple paths, prefer the path with the minimum cluster list length.
• Prefer the path that comes from the lowest neighbor address.
You can use the commands bgp bestpath as-path ignore, bgp bestpath compare-routerid or bgp default local-preference to customize the path selection process.
You can verify your settings by entering the show ip bgp parameters command.
Example
This example shows how to configure the switch to ignore the AS-PATH for the best path for the autonomous system 65534.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#router bgp 65534
DXS-3600-32S(config-router)#bgp bestpath as-path ignore
DXS-3600-32S(config-router)#
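The selection order listed in this section, combined with the options described in sections 7-6, 7-7, 7-9 and 7-11, is modelled below as an added Python example (not D-Link code and not part of the original manual). The Path fields, the select_best function and the sample paths are constructed for illustration, and the BGP Multipath step is omitted because it does not choose a winner.

```python
# Added illustration of the best path rules listed in this section.
# Not switch firmware: all names and the sample paths are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

INFINITE_MED = 2**32 - 1  # stand-in for "infinity"; MED is a four-octet integer


@dataclass(frozen=True)
class Path:
    name: str
    as_path: Tuple[int, ...]      # neighboring AS first
    neighbor: str                 # peer address
    router_id: str
    ebgp: bool = True
    next_hop_reachable: bool = True
    weight: int = 0
    local_pref: int = 100
    origin: int = 0               # 0 = IGP, 1 = EGP, 2 = incomplete
    med: Optional[int] = None     # None means the MED attribute is missing
    igp_metric: int = 0
    received_order: int = 0       # lower value = received earlier
    cluster_list_len: int = 0


def _lowest(paths, key):
    """Keep only the paths that tie for the lowest key value."""
    best = min(key(p) for p in paths)
    return [p for p in paths if key(p) == best]


def select_best(paths, *, as_path_ignore=False, always_compare_med=False,
                med_missing_as_worst=False, compare_routerid=False):
    def med(p):
        if p.med is None:
            return INFINITE_MED if med_missing_as_worst else 0
        return p.med

    def neighbor_as(p):
        return p.as_path[0] if p.as_path else 0

    c = [p for p in paths if p.next_hop_reachable]    # unreachable next hop: dropped
    if not c:
        return None
    c = _lowest(c, lambda p: -p.weight)               # largest weight
    c = _lowest(c, lambda p: -p.local_pref)           # largest LOCAL-PREF
    if not as_path_ignore:                            # bgp bestpath as-path ignore
        c = _lowest(c, lambda p: len(p.as_path))      # shortest AS-PATH
    c = _lowest(c, lambda p: p.origin)                # lowest origin type
    if always_compare_med:                            # bgp always-compare-med
        c = _lowest(c, med)
    else:                                             # MED only within one neighboring AS
        floor = {}
        for p in c:
            floor[neighbor_as(p)] = min(floor.get(neighbor_as(p), med(p)), med(p))
        c = [p for p in c if med(p) == floor[neighbor_as(p)]]
    c = _lowest(c, lambda p: not p.ebgp)              # eBGP over iBGP
    c = _lowest(c, lambda p: p.igp_metric)            # lowest IGP metric to next hop
    if not compare_routerid and all(p.ebgp for p in c):
        c = _lowest(c, lambda p: p.received_order)    # oldest external path
    c = _lowest(c, lambda p: int(IPv4Address(p.router_id)))
    c = _lowest(c, lambda p: p.cluster_list_len)
    c = _lowest(c, lambda p: int(IPv4Address(p.neighbor)))
    return c[0]


# Constructed sample paths for one prefix.
PATHS = [
    Path("A", (65010, 65100), "10.0.0.1", "9.9.9.1", med=50, received_order=1),
    Path("B", (65020, 65100), "10.0.0.2", "1.1.1.2", med=10, received_order=2),
    Path("C", (65030, 65040, 65100), "10.0.0.3", "5.5.5.3", med=None, received_order=0),
    Path("D", (65050,), "10.0.0.4", "7.7.7.4", weight=500, next_hop_reachable=False),
]

if __name__ == "__main__":
    for opts in ({}, {"always_compare_med": True}, {"compare_routerid": True},
                 {"as_path_ignore": True},
                 {"as_path_ignore": True, "always_compare_med": True,
                  "med_missing_as_worst": True}):
        print(opts or "defaults", "->", select_best(PATHS, **opts).name)
```

With as-path ignore and always-compare-med both set, path C wins only because its missing MED counts as 0; adding med missing-as-worst moves the choice to B.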

7-8 bgp bestpath compare-confed-aspath

This command is used to configure a BGP routing process to compare the confederation AS path length of the routes received. To return the BGP routing process to the default operation, use the no form of this command.
bgp bestpath compare-confed-aspath
no bgp bestpath compare-confed-aspath
Parameters
None.
Default
By default, this option is disabled.
Command Mode
Router Configuration.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
If enabled, the BGP process will compare the confederation AS path length of the routes received. The shorter the confederation AS path length, the better the route is.
You can verify your settings by entering the show ip bgp parameters command.
Example
This example shows how to enable the BGP process to compare the AS path that contains some confederation AS numbers.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#router bgp 65534
DXS-3600-32S(config-router)#bgp bestpath compare-confed-aspath
DXS-3600-32S(config-router)#

7-9 bgp bestpath compare-routerid

This command is used to compare the router ID for identical eBGP paths. Use the no form of this command to disable this function.
bgp bestpath compare-routerid
no bgp bestpath compare-routerid
Parameters
None.
Default
BGP receives routes with identical eBGP paths from eBGP peers and selects the first route received as the best path.
Command Mode
Router Configuration.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
When comparing similar routes from peers, the BGP router does not consider the router ID of the routes. By default, it selects the first received route. Use this command to include the router ID in the selection process; similar routes are compared and the route with the lowest router ID is selected. The router ID is the highest IP address on the router, with preference given to loopback addresses. The router ID can be manually set by using the bgp router-id command.
You can verify your settings by entering the show ip bgp parameters command.
Example
This example shows how to configure the switch to compare the router ID for identical eBGP paths for the autonomous system 65534.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#router bgp 65534
DXS-3600-32S(config-router)#bgp bestpath compare-routerid
DXS-3600-32S(config-router)#

7-10 bgp bestpath med confed

This command is used to configure a BGP routing process to compare the Multi Exit Discriminator (MED) between paths learned from confederation peers. To disable MED comparison of paths received from confederation peers, use the no form of this command.
bgp bestpath med confed
no bgp bestpath med confed
Parameters
None.
Default
By default, this option is disabled.
Command Mode
Router Configuration.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
If enabled, the BGP process will compare the MED for the routes that are received from confederation peers. For routes that have an external AS in the path, the comparison does not occur.
You can verify your settings by entering the show ip bgp parameters command.
Example
This example shows how the BGP routing process is configured to compare MED values for paths learned from confederation peers.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#router bgp 65534
DXS-3600-32S(config-router)#bgp bestpath med confed
DXS-3600-32S(config-router)#

7-11 bgp bestpath med missing-as-worst

This command is used to configure the BGP routing process to assign a value of infinity to routes that are missing the Multi Exit Discriminator (MED) attribute (making the path, without an MED value, the least desirable path). To return the router to the default behavior (assigning a value of 0 to the missing MED), causing this path, as the best path, to be chosen, use the no form of this command.
bgp bestpath med missing-as-worst
no bgp bestpath med missing-as-worst
Parameters
None.
Default
By default, this option is disabled.
Command Mode
Router Configuration Mode.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
If enabled, the BGP process will assign a value of infinity to routes that are missing the Multi Exit Discriminator (MED) attribute. If disabled, the BGP process will assign a value of zero to routes that are missing the Multi Exit Discriminator (MED) attribute, causing this route to be chosen as the best path.
You can verify your settings by entering the show ip bgp parameters command.
Example
This example shows how to enable the BGP router process to consider a route with a missing MED attribute as having a value of infinity, making this path the least desirable path.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#router bgp 100
DXS-3600-32S(config-router)#bgp bestpath med missing-as-worst
DXS-3600-32S(config-router)#

7-12 bgp client-to-client reflection

This command is used to enable the local BGP router to be a route reflector. To disable client-to-client route reflection, use the no form of this command.
bgp client-to-client reflection
no bgp client-to-client reflection
Parameters
None.
Default
By default, this option is enabled.
Command Mode
Router Configuration Mode.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
By default, the clients of a route reflector are not required to be fully meshed and the routes from a client are reflected to other clients. However, if the clients are fully meshed, route reflection is not required. In this case, use the no bgp client-to-client reflection command to disable client-to-client reflection.
Use the show ip bgp reflection command to verify your settings.
Example
This example shows how to enable the route reflector function of the local router.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#router bgp 100
DXS-3600-32S(config-router)#bgp client-to-client reflection
DXS-3600-32S(config-router)#

7-13 bgp cluster-id

This command is used to configure the cluster ID of the route reflector. To remove the cluster ID, use the no form of this command.
bgp cluster-id CLUSTER-ID
no bgp cluster-id
Parameters
CLUSTER-ID Specifies the cluster ID, in the IPv4 address format, for the route reflector.
Default
By default, this value is the local router’s ID.
Command Mode
Router Configuration Mode.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
When a single route reflector is deployed in a cluster and the cluster ID of the route reflector is 0.0.0.0, the cluster is identified by the router ID of the route reflector. Otherwise, the cluster is identified by the cluster ID.
This command is used to assign a cluster ID to a route reflector. Multiple route reflectors are deployed in a cluster to increase redundancy and to avoid a single point of failure. When multiple route reflectors are configured in a cluster, they must be configured with the same cluster ID. This allows all route reflectors in the cluster to recognize updates from the peers in the same cluster and reduces the number of updates that need to be stored in BGP routing tables.
This command is only required for the reflector and not for the client. Use the show ip bgp reflection command to verify your settings.
Example
In the following example, the local router is one of the route reflectors serving the cluster. It is configured with a cluster ID to identify the cluster.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#router bgp 100
DXS-3600-32S(config-router)#neighbor 172.18.0.16 route-reflector-client
DXS-3600-32S(config-router)#bgp cluster-id 10.0.0.2
DXS-3600-32S(config-router)#

7-14 bgp confederation identifier

This command is used to specify the BGP confederation identifier. Use the no form of this command to remove the confederation identifier.
bgp confederation identifier AS-NUMBER
no bgp confederation identifier
Parameters
AS-NUMBER Specifies the Autonomous System number, used to specify the BGP confederation. This value must be between 1 and 4294967295. The AS TRANS value is 23456.
Default
None.
Command Mode
Router Configuration Mode.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
A confederation can be used to reduce the internal BGP (iBGP) mesh by dividing a large single AS into multiple sub-ASs. External peers interact with the confederation as if it is a single AS.
Each sub-AS is fully meshed within itself and it has connections to other sub-ASs within the confederation. The next-hop, Multi Exit Discriminator (MED), and local preference information is preserved throughout the confederation, allowing users to retain a single Interior Gateway Protocol (IGP) for all the autonomous systems.
Use the show ip bgp confederation command to verify your settings.
Example
This example shows how to create a confederation in which the AS number is 20.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#router bgp 100
DXS-3600-32S(config-router)#bgp confederation identifier 20
DXS-3600-32S(config-router)#

7-15 bgp confederation peers

This command is used to add BGP confederation peers. Use the no form of this command to delete the confederation peers.
bgp confederation peers ASPATH-LIST
no bgp confederation peers ASPATH-LIST
Parameters
ASPATH-LIST Specifies one or multiple AS number partitions, separated by a comma. This value must be between 1 and 4294967295, however, for the AS TRANS, this value must be 23456. This parameter specifies Autonomous System numbers for BGP peers that will belong to the confederation.
Default
None.
Command Mode
Router Configuration Mode.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
The command is used to configure multiple adjacent Autonomous Systems in a confederation. The Autonomous Systems specified in this command are visible internally to the confederation. Each Autonomous System is fully meshed within itself or configures a route reflector.
Use the no bgp confederation peers command to delete all or part of the AS numbers configured earlier.
Use the show ip bgp confederation command to verify your settings.
Example
In the following example, Autonomous Systems 21, 22, 23, 24, and 25 are configured to belong to a single confederation using the identifier 10.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#router bgp 100
DXS-3600-32S(config-router)#bgp confederation identifier 10
DXS-3600-32S(config-router)#bgp confederation peers 21,22,23,24,25
DXS-3600-32S(config-router)#
Example
This example shows how to delete part of the AS numbers configured earlier.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#router bgp 100
DXS-3600-32S(config-router)#no bgp confederation peers 21,22
DXS-3600-32S(config-router)#

7-16 bgp dampening

This command is used to enable BGP route dampening or to change the BGP route dampening parameters. To disable BGP dampening, use the no form of this command.
bgp dampening [[HALF-LIFE REUSE SUPPRESS MAX-SUPPRESS-TIME UN-REACHABILITY-HALF-LIFE] | [route-map MAP-NAME]]
no bgp dampening [route-map]
Parameters
HALF-LIFE Specifies the time, in minutes, after which the penalty of a reachable route is reduced by half.
REUSE If the penalty for a flapping route decreases enough to fall below this value, the route is unsuppressed.
SUPPRESS A route is suppressed when its penalty exceeds this limit.
MAX-SUPPRESS-TIME Specifies the maximum time, in minutes, that a route can be suppressed.
UN-REACHABILITY-HALF-LIFE Specifies the time, in minutes, after which the penalty of an unreachable route is reduced by half.
MAP-NAME Specifies the route map name for configuring the dampening running configuration. The maximum length is 16 characters.
Default
BGP dampening is disabled by default. The following values are used when this command is enabled, without configuring any optional arguments:
Half-life: 15 minutes.
Reuse: 750.
Suppress: 2000.
Max-suppress-time: 60 minutes.
Un-reachability-half-life: 15 minutes.
Command Mode
Router Configuration Mode.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
The purpose of this command is to eliminate the dampening of routes and thus to avoid unstable networks caused by flapping routes.
The following describes the way it is achieved. When a route flaps (from up to down), it will add a penalty value, of 1000, to the frame. Since the penalty is smaller than the suppress value, BGP will function normally. It will send a withdraw message (an update message) to the neighbors. The penalty of the route will decrease as time elapses.
Here we assume that if it passes 7.5 minutes, then the penalty of the route is 1000-500*7.5/15=750. If another flap occurs (the route changes from down to up) then the penalty of the route will be 1750, which is larger than the suppress value, and the route will be dampened. BGP will not send an update message for this status change.
When the penalty of the route decreases and becomes smaller than the reuse value (800), the route will not be dampened and the update message will be sent again.
Lastly, the ‘max-suppress-time’ is the longest time the route may be suppressed. So, it decides the maximum penalty a route may suffer, regardless of the number of times that the prefix is dampened. Here is the formula:
$$\text{Maximum-Penalty} = \text{Reuse-Value} \times 2^{\,\text{Max-suppress-time} / \text{Half-life}}$$
You can verify your settings by entering the show ip bgp dampening parameters command.
Note: If the dampening ability is enabled and there are one or more dampened routes, the dampened routes will be released to function in the normal state immediately after we disabled the dampening function.
Example
This example shows how to enable BGP dampening, set the half-life value to 20 minutes, the reuse value to 100, the suppress value to 6000, the maximum suppress time to 120 minutes, and the un-reachability-half-life value to 20 minutes.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#router bgp 100
DXS-3600-32S(config-router)#bgp dampening 20 100 6000 120 20
DXS-3600-32S(config-router)#
Example
This example shows how to apply BGP damping to prefixes, filtered by the route-map called ‘mymap1’.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#ip prefix-list pp1 permit 100.2.0.0/16
DXS-3600-32S(config)#route-map mymap1
DXS-3600-32S(config-route-map)#match ip address prefix-list pp1
DXS-3600-32S(config-route-map)#exit
DXS-3600-32S(config)#router bgp 100
DXS-3600-32S(config-router)#bgp dampening route-map mymap1
DXS-3600-32S(config-router)#
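The penalty, suppress, reuse and maximum-penalty behaviour described in the usage guideline above can be replayed offline with the added Python example below (not D-Link code and not part of the original manual). It assumes exponential half-life decay, as the maximum-penalty formula implies, so its intermediate values differ slightly from the manual's 7.5-minute figure; the Dampening class, the replay function and the flap times are constructed for illustration.

```python
# Added illustration of BGP route flap dampening with this section's parameters.
# Assumption: penalty decays exponentially (halves every half-life minutes).
import math
from dataclasses import dataclass

FLAP_PENALTY = 1000  # penalty added per flap, as stated in the usage guideline


@dataclass(frozen=True)
class Dampening:
    # Defaults are the values this section lists for "bgp dampening" with no arguments.
    half_life: float = 15.0          # minutes
    reuse: float = 750.0
    suppress: float = 2000.0
    max_suppress_time: float = 60.0  # minutes

    @property
    def max_penalty(self):
        # Maximum-Penalty = Reuse-Value * 2 ^ (Max-suppress-time / Half-life)
        return self.reuse * 2 ** (self.max_suppress_time / self.half_life)

    def decay(self, penalty, minutes):
        return penalty * 0.5 ** (minutes / self.half_life)

    def minutes_until_reuse(self, penalty):
        """Minutes of quiet needed before the penalty falls to the reuse value."""
        if penalty <= self.reuse:
            return 0.0
        return self.half_life * math.log2(penalty / self.reuse)


def replay(flap_minutes, cfg):
    """Replay flaps; return ([(minute, penalty, suppressed)], release_minute)."""
    penalty, last, suppressed = 0.0, 0.0, False
    timeline = []
    for t in sorted(flap_minutes):
        penalty = cfg.decay(penalty, t - last)
        if suppressed and penalty < cfg.reuse:
            suppressed = False                       # decayed below reuse: released
        penalty = min(penalty + FLAP_PENALTY, cfg.max_penalty)
        if penalty > cfg.suppress:
            suppressed = True                        # exceeds suppress: dampened
        timeline.append((t, round(penalty, 1), suppressed))
        last = t
    release = last + cfg.minutes_until_reuse(penalty) if suppressed else None
    return timeline, release


if __name__ == "__main__":
    defaults = Dampening()
    print("max penalty (defaults):", defaults.max_penalty)
    print("max penalty (20 100 6000 120):", Dampening(20, 100, 6000, 120).max_penalty)
    # Constructed input: one prefix flapping at minutes 0, 5 and 10.
    timeline, release = replay([0, 5, 10], defaults)
    for minute, penalty, suppressed in timeline:
        print(f"t={minute:>2} min penalty={penalty:>7} suppressed={suppressed}")
    print(f"route usable again at about t={release:.1f} min")
    # A prefix flapping every minute for 30 minutes hits the penalty ceiling,
    # so it is released max-suppress-time minutes after the last flap.
    timeline, release = replay(range(30), defaults)
    print("sustained flapping: penalty", timeline[-1][1], "release at", release)
```

Because the penalty is capped at the maximum penalty, a route is never held longer than the max-suppress-time after its last flap, however many times it flapped before.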

7-17 bgp default ipv4-unicast

This command is used to enable the IPv4 unicast address family as the default address family for BGP peer session establishment. The no form of this command disables the default IPv4 unicast address family for BGP peer session establishment.
bgp default ipv4-unicast
no bgp default ipv4-unicast
Parameters
None.
Default
None.
Command Mode
Router Configuration.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
This command is used to enable the automatic establishment of BGP peer connections and the exchange of IPv4 unicast address family prefixes. If the no bgp default ipv4-unicast command is executed, the neighbor activate address family configuration command must be executed in each IPv4 address family session before prefix exchange will occur. The no bgp default ipv4-unicast command is often executed in PE routers when exchanging VPN IPv4 routes. You can verify your settings by entering the show ip bgp parameters command.
Example
This example shows how to disable the default IPv4 unicast address family for BGP peer session establishment.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)# router bgp 10
DXS-3600-32S(config-router)# no bgp default ipv4-unicast
DXS-3600-32S(config-router)# exit
DXS-3600-32S(config)#

7-18 bgp default local-preference

This command is used to change the default local preference value. To return the local preference value to the default setting, use the no form of this command.
bgp default local-preference NUMBER
no bgp default local-preference
Parameters
NUMBER Specifies the range of the local preference. This value must be between 0 and 4294967295.
Default
By default, this option is disabled. BGP sets the default local preference value to 100.
Command Mode
Router Configuration Mode.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
The local preference attribute is a discretionary attribute that is used to apply the degree of preference to a route during the BGP best path selection process. This attribute is exchanged only between iBGP peers and is used to determine the local policy. The route with the highest local preference is preferred.
You can verify your settings by entering the show ip bgp parameters command.
Example
This example shows how to configure the default value of the local preference to 200 for the autonomous system 65534.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#router bgp 65534
DXS-3600-32S(config-router)#bgp default local-preference 200
DXS-3600-32S(config-router)#

7-19 bgp deterministic-med

This command is used to include the Multi Exit Discriminator (MED) value between all paths received from within the same autonomous system in the process of the best route selection. Use the no command to prevent BGP from considering the MED attribute in comparing paths.
bgp deterministic-med
no bgp deterministic-med
Parameters
None.
Default
By default, this option is disabled.
Command Mode
Router Configuration Mode.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
This command is used to enable the comparison of the Multi Exit Discriminator (MED) for paths from neighbors in different autonomous systems. After this command is configured, all paths for the same prefix, that are received from different neighbors, which are in the same autonomous system, will be grouped together and sorted by the ascending MED value (received-only paths are ignored and not grouped or sorted).
The best path selection algorithm will then pick the best paths using the existing rules. The comparison is made on a peer neighbor autonomous system basis and then the global basis. The grouping and sorting of paths occurs immediately after this command is entered. For the correct results, all routers in the local autonomous system must have this command enabled (or disabled).
This command can also be configured to enforce a deterministic comparison of the MED values between all paths received from within the same autonomous system.
You can verify your settings by entering the show ip bgp parameters command.
Example
This example shows how to configure the switch to compare the MED value for autonomous system 65534.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#router bgp 65534
DXS-3600-32S(config-router)#bgp deterministic-med
DXS-3600-32S(config-router)#

7-20 bgp enforce-first-as

This command is used to enforce the first AS for eBGP routes. To disable this feature, use the no form of this command.
bgp enforce-first-as
no bgp enforce-first-as
Parameters
None.
Default
By default, this option is disabled.
Command Mode
Router Configuration Mode.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
This command specifies that any update received from an external neighbor that does not have the neighbor’s configured Autonomous System at the beginning of the AS-PATH attribute in the received update must be denied. Enabling this feature adds to the security of the BGP network by not allowing traffic from unauthorized systems.
You can verify your settings by entering the show ip bgp parameters command.
Example
This example shows how to enable the security of the BGP network for the autonomous system 65534. All incoming updates from eBGP peers are examined to ensure that the first AS number in the AS-PATH attribute is the local AS number of the transmitting peer.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#router bgp 65534
DXS-3600-32S(config-router)#bgp enforce-first-as
DXS-3600-32S(config-router)#

7-21 bgp fast-external-fallover

This command is used to configure the Border Gateway Protocol (BGP) routing process to immediately reset external BGP peering sessions if the link used to reach these peers goes down. To disable the BGP fast external fallover option, use the no form of this command.
bgp fast-external-fallover
no bgp fast-external-fallover
Parameters
None.
Default
By default, this option is enabled.
Command Mode
Router Configuration Mode.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
This command is used to disable or enable the fast external fallover for BGP peering sessions with directly connected external peers. The session will immediately reset if a link goes down. Only directly connected peering sessions are supported.
If the BGP fast external fallover is disabled, the BGP routing process will wait until the default hold timer expires (3 keepalives) to reset the peering session.
You can verify your settings by entering the show ip bgp parameters command.
Example
In the following example, the BGP fast external fallover feature is disabled. If the link through which this session is carried flaps, then the connection will not reset.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#router bgp 65534
DXS-3600-32S(config-router)#no bgp fast-external-fallover
DXS-3600-32S(config-router)#

7-22 clear ip bgp

This command is used to reset Border Gateway Protocol (BGP) connections using a hard or soft reconfiguration.
clear ip bgp {all | AS-NUMBER | IP-ADDRESS} [soft [{in [prefix-filter] | out}]]
Parameters
all (Optional) Specifies the reset of all sessions except those in the VRF address family.
AS-NUMBER Specifies that sessions with BGP peers in the specified autonomous system will be reset. The range for 2-byte numbers is from 1 to 65535. The range for 4-byte numbers is from 1 to 4294967295.
IP-ADDRESS Specifies that only the identified BGP neighbor will reset. The value for this argument is an IPv4 address.
in (Optional) Specifies to initiate an inbound reconfiguration. If neither the in nor the out keywords are specified, both inbound and outbound sessions will reset.
prefix-filter (Optional) Specifies to clear the existing outbound route filter (ORF) prefix list to trigger a new route refresh or soft reconfiguration, which updates the ORF prefix list.
out (Optional) Specifies to initiate inbound or outbound reconfiguration. If neither the in nor the out keywords are specified, both inbound and outbound sessions will reset.
soft (Optional) Specifies to initiate a soft reset. Does not tear down the session.
Default
None.
Command Mode
Privileged Mode.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
This command can be used to initiate a hard reset or soft reconfiguration of BGP neighbor sessions.
If a hard reset is applied to the inbound session, the inbound session will be torn down and the local inbound routing table and the remote outbound routing table will be cleared.
If a soft reset is applied to the inbound session, the session will not be rebuilt but the local inbound routing table will be cleared and needs to be rebuilt.
If a soft reconfiguration inbound is enabled, then the routing table can be rebuilt based on the stored route update information. If a soft reconfiguration inbound is disabled, then the local router will send a route refresh request to the neighbor to ask for the route refresh.
When the inbound session undergoes a soft reset with the prefix filter option, and the capability of the prefix-list is enabled, in the sending direction, then the local BGP will send a ‘clear the routing table’ request, and notify the remote neighbor for the prefix filter.
This is a way to notify the neighbor of the prefix filter whenever a change is made to the prefix filter.
Example
In the following example, a soft reconfiguration is initiated for the inbound session with the neighbor 10.100.0.1, and the outbound session is unaffected.
DXS-3600-32S#clear ip bgp 10.100.0.1 soft in
DXS-3600-32S#
Example
In the following example, the route refresh capability is enabled on BGP neighbor routers. The existing outbound route filter (ORF) prefix list from the peer 172.16.10.2 is cleared. The new route refresh, which updates the ORF prefix list, is triggered.
DXS-3600-32S#clear ip bgp 172.16.10.2 soft in prefix-filter
DXS-3600-32S#
Example
In the following example, a hard reset is initiated for sessions with all routers in the autonomous system numbered 35700.
DXS-3600-32S#clear ip bgp 35700
DXS-3600-32S#

7-23 clear ip bgp vrf

This command is used to reset BGP connections using hard or soft reset for IPv4 VRF address family sessions.
clear ip bgp vrf VRF-NAME {all | IP-ADDRESS | AS-NUMBER} [soft [{in [prefix-filter] | out}]]
Parameters
vrf VRF-NAME Specifies the VRF name.
all Specifies to reset all BGP sessions in the IPv4 VRF address family.
IP-ADDRESS Specifies to only reset the BGP neighbor with the IP address in the VRF address family.
AS-NUMBER Specifies to only reset the BGP neighbor with the AS number in the VRF address family.
soft (Optional) Specifies a soft reset. The session is not torn down.
in (Optional) Specifies an inbound reset. If neither the in nor out parameter is specified, both the inbound and outbound sessions are reset.
prefix-filter (Optional) Clears the existing outbound route filter (ORF) prefix list to trigger a new route refresh or soft reconfiguration, which updates the ORF prefix list.
out (Optional) Specifies an outbound reset. If neither the in nor out parameter is specified, both inbound and outbound sessions are reset.
Default
None.
Command Mode
Privileged Mode.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
This command can be used to initiate a hard reset or soft reset of BGP neighbor sessions. If a hard reset is applied to the inbound session, the inbound session will be torn down and the local inbound routing table and the remote outbound routing table will be cleared.
If a soft reset is applied to the inbound session, the session will not be rebuilt but the local inbound routing table will be cleared and needs to be rebuilt.
If soft reset inbound is enabled, the routing table can be rebuilt based on the stored route update information. If soft reset inbound is disabled, the local router will send a route refresh request to the neighbor to ask for the route refresh.
When the inbound session is soft reset with the prefix filter option, and the capability orf prefix-list is enabled in the send direction, the local BGP will send ‘clear the routing table’ and notify the remote neighbor of the prefix filter.
This command only takes effect for sessions in the VRF address family.
Example
In the following example, a soft reset is initiated for the inbound session for all neighbors that have been created in the view of the VRF, and the outbound session is unaffected.
DXS-3600-32S#clear ip bgp vrf VPN-A all soft in
DXS-3600-32S#

7-24 clear ip bgp vpnv4

This command is used to reset BGP connections using a soft reset for IPv4 VPN address family sessions.
clear ip bgp vpnv4 unicast {all | IP-ADDRESS} [soft [{in [prefix-filter] | out}]]
Parameters
all Specifies to reset all BGP sessions in VPN address family.
IP-ADDRESS Specifies to only reset the BGP neighbor with the IP address.
soft Specifies a soft reset. The session is not torn down.
in (Optional) Specifies an inbound reset. If neither the in nor out parameter is specified, both inbound and outbound sessions are reset.
prefix-filter (Optional) Clears the existing outbound route filter (ORF) prefix list to trigger a new route refresh or soft reconfiguration, which updates the ORF prefix list.
out (Optional) Specifies an outbound reset. If neither the in nor out parameter is specified, both inbound and outbound sessions are reset.
Default
None.
Command Mode
Privileged Mode.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
This command can only be used to initiate a soft reset of BGP neighbor sessions for the VPNv4 address family. If a soft reset is applied to the inbound session, the session will not be rebuilt but the local inbound routing table will be cleared and needs to be rebuilt.
If soft reset inbound is enabled, the routing table can be rebuilt based on the stored route update information. If soft reset inbound is disabled, the local router will send a route refresh request to the neighbor to ask for the route refresh.
When the inbound session is soft reset with the prefix filter option, and the capability orf prefix-list is enabled in the send direction, the local BGP will send ‘clear the routing table’ and notify the remote neighbor of the prefix filter.
Example
In the following example, a soft reconfiguration for the VPNv4 address family is initiated for the inbound session for all neighbors which have been created outside the VRF address family, and the outbound session is unaffected.
DXS-3600-32S#clear ip bgp vpnv4 unicast all soft in
DXS-3600-32S#

7-25 clear ip bgp dampening

This command is used to clear BGP route dampening information for the IPv4 unicast address family and to restore suppressed routes.
clear ip bgp dampening [{NETWORK-ADDRESS | IP-ADDRESS}]
Parameters
NETWORK-ADDRESS (Optional) Specifies the IPv4 address of the network or neighbor to clear dampening information.
IP-ADDRESS (Optional) Specifies the IPv4 address.
Default
None.
Command Mode
Privileged Mode.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
This command is used to clear stored route dampening information for the IPv4 unicast address family. If no keywords or arguments are entered, the route dampening information for the entire routing table of the IPv4 unicast address family will be cleared.
Example
This example shows how to clear the route dampening information of 192.168.10.0/24 and restore suppressed routes.
DXS-3600-32S#clear ip bgp dampening 192.168.10.0/24
DXS-3600-32S#

7-26 clear ip bgp dampening vrf

This command is used to clear BGP route dampening information of a VRF instance and to restore suppressed routes.
clear ip bgp dampening vrf VRF-NAME [{NETWORK-ADDRESS | IP-ADDRESS}]
Parameters
vrf VRF-NAME (Optional) Specifies a VRF name. The length of VRF-NAME is 12 characters.
NETWORK-ADDRESS (Optional) Specifies to only clear dampening information of the route matching the network address.
IP-ADDRESS (Optional) Specifies to only clear dampening information of the route matching the IP address.
Default
None.
Command Mode
Privileged Mode.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
This command is used to clear stored route dampening information for the specified VRF. If no keyword is specified, the dampening information of all routes in the VRF instance will be cleared.
Example
The following example clears route dampening information of 192.168.10.0/24 and restores suppressed routes in VRF VPN-A.
DXS-3600-32S# clear ip bgp dampening vrf VPN-A 192.168.10.0/24
DXS-3600-32S#

7-27 clear ip bgp external

This command is used to reset external Border Gateway Protocol (eBGP) peering sessions using hard or soft reconfiguration.
clear ip bgp external [soft [{in [prefix-filter] | out}]]
Parameters
in (Optional) Specifies to initiate an inbound reconfiguration. If neither the in nor the out keywords are specified, both inbound and outbound sessions will reset.
prefix-filter (Optional) Specifies to clear the existing outbound route filter (ORF) prefix list to trigger a new route refresh or soft reconfiguration, which updates the ORF prefix list.
out (Optional) Specifies to initiate an inbound or outbound reconfiguration. If neither the in nor the out keywords are specified, both inbound and outbound sessions will reset.
soft (Optional) Specifies to initiate a soft reset. Does not tear down the session.
Default
None.
Command Mode
Privileged Mode.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
This command can be used to initiate a hard reset or soft reconfiguration of eBGP neighbor sessions. If a hard reset is applied to the inbound session, the inbound session will be torn down and the local inbound routing table and the remote outbound routing table will be cleared.
If a soft reset is applied to the inbound session, the session will not be rebuilt but the local inbound routing table will be cleared and needs to be rebuilt.
If soft reconfiguration inbound is enabled, the routing table can be rebuilt based on the stored route update information. If soft reconfiguration inbound is disabled, the local router will send a route refresh request to the neighbor to ask for the route refresh.
When the inbound session undergoes a soft reset with the prefix filter option, and the ‘capability_orf_prefix_list’ parameter is enabled in the sending direction, the local BGP will send a ‘clear the routing table’ message and notify the remote neighbor of the prefix filter.
This is a way to notify the neighbor of the prefix filter whenever a change is made to the prefix filter.
Example
In the following example, a soft reconfiguration is configured for all inbound eBGP peering sessions.
DXS-3600-32S#clear ip bgp external soft in
DXS-3600-32S#
Example
This example shows how to send a prefix filter to a neighbor and let the neighbor re-advertise BGP routes based on the new prefix filter. The neighbor capability of the prefix-list in the sending direction needs to be configured, and the local filter list in the inbound direction for the peer needs to be set.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#router bgp 100
DXS-3600-32S(config-router)#neighbor 172.16.10.1 remote-as 200
DXS-3600-32S(config-router)#neighbor 172.16.10.1 capability orf prefix-list send
DXS-3600-32S(config-router)#neighbor 172.16.10.1 filter-list myacl in
DXS-3600-32S(config-router)#end
DXS-3600-32S#clear ip bgp external soft in prefix-filter
DXS-3600-32S#

7-28 clear ip bgp flap-statistics

This command is used to clear the BGP route dampening flap statistics.
clear ip bgp flap-statistics [{IP-ADDRESS | NETWORK-ADDRESS}]
Parameters
IP-ADDRESS Specifies an IPv4 address to clear the dampening flap statistics.
NETWORK-ADDRESS Specifies an IPv4 network to clear the dampening flap statistics.
Default
None.
Command Mode
Privileged Mode.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
This command is used to clear the accumulated penalties for routes that have been received on a router which has BGP dampening enabled. If no arguments or keywords are specified, the flap statistics are cleared for all routes.
Example
This example shows how to clear the route dampening flap statistics of network 192.168.1.0/24.
DXS-3600-32S#clear ip bgp flap-statistics 192.168.1.0/24
DXS-3600-32S#

7-29 clear ip bgp flap-statistics vrf

This command is used to clear BGP route dampening flap statistics of IPv4 VRF address family sessions.
clear ip bgp flap-statistics vrf VRF-NAME [{IP-ADDRESS | NETWORK-ADDRESS}]
Parameters
vrf VRF-NAME Specifies the VRF name.
IP-ADDRESS (Optional) Specifies to only clear dampening flap statistics of the route matching the IP address.
NETWORK-ADDRESS (Optional) Specifies to only clear dampening flap statistics of the route matching the network address.
N/A Specifies to clear dampening flap statistics of all routes.
Default
None.
Command Mode
Privileged Mode.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
This command is used to clear the accumulated penalties for routes of IPv4 VRF address family sessions that have been received on a router which has BGP dampening enabled. If no keyword is specified, flap statistics of all routes in the IPv4 VRF address family will be cleared.
Example
This example shows how to clear the route dampening flap statistics of network 192.168.1.0/24, which is in the IPv4 VRF address family.
DXS-3600-32S#clear ip bgp flap-statistics vrf VPN-A 192.168.1.0/24
DXS-3600-32S#

7-30 clear ip bgp peer-group

This command is used to reset Border Gateway Protocol (BGP) connections using hard or soft reconfiguration for all the members of the BGP peer group.
clear ip bgp peer-group [{vrf VRF-NAME | vpnv4}] PEER-GROUP-NAME [soft [{in [prefix-filter] | out}]]
Parameters
vrf VRF-NAME (Optional) Specifies a VRF name. The length of VRF-NAME is 12 characters.
vpnv4 (Optional) Specifies to reset the sessions of the VPNv4 address family.
PEER-GROUP-NAME Specifies the peer group name. The maximum length is 16 characters.
soft (Optional) Specifies to initiate a soft reset. This function does not tear down the session. If the soft keyword is not specified, all the sessions of the members of the peer group will reset.
in (Optional) Specifies to initiate a soft reset for inbound routing information.
prefix-filter (Optional) Specifies to clear the existing outbound route filter (ORF) prefix list to trigger a new route refresh or soft reconfiguration, which updates the ORF prefix list.
out (Optional) Specifies to initiate a soft reset for outbound routing information.
Default
None.
Command Mode
Privileged Mode.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
This command is used to initiate a hard reset or a soft reset for a set of connections. A hard reset tears down and rebuilds all the sessions for the members of the specified peer group and clears and rebuilds the local routing table. A soft reset only clears and rebuilds the local routing table.
For a soft reset, if neighbor soft-reconfiguration inbound is configured, the routing table can be rebuilt based on the stored route update information; if it is not, the local router will send a route refresh message to the neighbors to ask for the routes.
When the inbound session is soft reset with the prefix-filter option, and the neighbor capability orf prefix-list in the send direction is configured, the local BGP will send “clear the routing table” and notify the remote neighbor of the prefix filter.
This is a way to notify the neighbor of the prefix filter whenever a change is made to the prefix filter.
When using the clear ip bgp peer-group PEER-GROUP-NAME command without the soft parameter, the BGP connection will be torn down, so the following log message will be generated.
[BGP(2):] BGP connection is normally closed (Peer:<ipaddress>)
Where the <ipaddress> is the address of the peer. After a while, the connection will be rebuilt, and the following log message will be generated.
[BGP(1):] BGP connection is successfully established Peer:<ipaddress>
Where the <ipaddress> is the address of the peer.
Example
In the following example, all members of the BGP peer group named ‘INTERNAL’ will reset.
DXS-3600-32S#clear ip bgp peer-group INTERNAL
DXS-3600-32S#
Example
In the following example, a soft reconfiguration is initiated for both the inbound and outbound session with members of the peer group INTERNAL. When using the parameter soft with either in or out, the soft reconfiguration is only initiated for the inbound or outbound session.
DXS-3600-32S#clear ip bgp peer-group INTERNAL soft
DXS-3600-32S#
Example
Assume that the neighbor capability of the ‘prefix-list’ in the send direction is configured, and that the local filter list in the inbound direction for the peer group is changed. Use this command with the parameters soft in prefix-filter to notify all the neighbors in the peer group.
DXS-3600-32S#clear ip bgp peer-group INTERNAL soft in prefix-filter
DXS-3600-32S#

7-31 exit-address-family

This command is used to exit from the address family configuration mode and enter the router configuration mode.
exit-address-family
Parameters
None.
Default
None.
Command Mode
Address Family Configuration (IPv4 Unicast, VPNv4 and VRF).
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
None.
Example
The following example shows how to exit from the VPNv4 address family mode and enter the router configuration mode.
DXS-3600-32S(config-router)# address-family vpnv4
DXS-3600-32S(config-router-af)# neighbor 172.18.1.1 activate
DXS-3600-32S(config-router-af)# exit-address-family
DXS-3600-32S(config-router)#

7-32 ip as-path access-list

This command is used to define a BGP Autonomous System (AS) path access list or add an AS path access list entry to an existing AS path access list. Use the no form of this command to delete the access list or an entry of the AS path access list.
ip as-path access-list ACCESS-LIST-NAME [{permit | deny} REGEXP]
no ip as-path access-list ACCESS-LIST-NAME [{permit | deny} REGEXP]
Parameters
ACCESS-LIST-NAME Specifies the name of the access list. The maximum length is 16 characters.
permit Specifies to permit access to the matching conditions.
deny Specifies to deny access to the matching conditions.
REGEXP Specifies a regular expression to match the BGP AS paths. The maximum length is 80 characters.
Default
None.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
Use this command to configure an Autonomous System path access list. An Autonomous System path access list can be applied to inbound, outbound or both routes exchanged in a BGP peer session. If the regular expression matches the string representing the AS path of the route, the permit or deny condition applies. Multiple entries can be applied to a list name.
Use the show ip as-path access-list command to verify your settings.
Example
This example shows how to define an AS path access list named ‘mylist’, to deny routes with only the AS number 65535.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#ip as-path access-list mylist deny ^65535$
DXS-3600-32S(config)#
Example
This example shows how to delete an entry in an AS path access list configured earlier. After that, the AS path access list called ‘mylist’ has no entry, but it still exists.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#no ip as-path access-list mylist deny ^65535$
DXS-3600-32S(config)#
Example
The following example shows how to delete an AS path access list, no matter whether it has entries or not.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#no ip as-path access-list mylist
DXS-3600-32S(config)#

7-33 ip community-list

This command is used to create a community list or add a community list entry to an existing community list. Use the no form of this command to delete the community list or one of its entries.
Standard Community Lists:
ip community-list standard COMMUNITY-LIST-NAME [{permit | deny} COMMUNITY]
no ip community-list standard COMMUNITY-LIST-NAME [{permit | deny} COMMUNITY]
Expanded Community Lists:
ip community-list expanded COMMUNITY-LIST-NAME [{permit | deny} REGEXP]
no ip community-list expanded COMMUNITY-LIST-NAME [{permit | deny} REGEXP]
Parameters
COMMUNITY-LIST-NAME Specifies the community list name. It can accept up to 16 characters. The syntax is a general string that does not allow spaces.
permit Specifies the community to accept.
deny Specifies the community to reject.
COMMUNITY Specifies the community value, which is a 32-bit integer. It can be a user-specified number represented by AA:NN, where AA (AS number) is the upper part of the word and NN (community number, user-specified) is the lower part of the word. It can also be one of the following reserved community values:
internet - Specifies that routes are advertised to all peers (internal and external).
local-AS - Specifies that routes are not to be advertised to external BGP peers.
no-advertise - Specifies that routes are not to be advertised to other BGP peers.
no-export - Specifies that routes are not to be advertised outside of the Autonomous System boundary.
REGEXP Specifies a regular expression that is used to specify a pattern to match against an input string. Regular expressions can be used only with expanded community lists. The maximum length is 80 characters.
Default
The BGP community exchange is disabled by default. It is enabled on a per-neighbor basis with the neighbor send-community command.
The Internet community is applied to all routes or prefixes by default, until any other community value is configured with this command or the set community command.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
Use community lists to specify BGP community attributes. The community attribute is used for implementing policy routing. It is an optional, transitive attribute and facilitates transfer of local policies through different autonomous systems. It includes community values that are 32 bits long. A standard community list and an expanded community list must not share the same name.
This command can be applied multiple times. BGP community attributes exchanged between BGP peers are controlled by the neighbor send-community command.
If permit rules exist in a community list, routes with a community that does not match any rule in the list will be denied. If there are no rules, or only deny rules, configured in the community list, all routes will be denied.
Use the show ip community-list command to verify your settings.
Example
This example shows how to define a standard community list named ‘mycom’ with an entry.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#ip community-list standard mycom deny no-export 20:30
DXS-3600-32S(config)#
Example
This example shows how to delete an entry in a community list configured earlier. After that, the community list ‘mycom’ will have no entry, but it still exists.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#no ip community-list standard mycom deny no-export 20:30
DXS-3600-32S(config)#
Example
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#no ip community-list standard mycom
DXS-3600-32S(config)#
Example
This example shows how to create an expanded community list named ‘myexpcom’ with an entry.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#ip community-list expanded myexpcom permit _20[0-9]
DXS-3600-32S(config)#
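The implicit-deny behaviour of standard community lists described in the Usage Guideline of this command, modeled as an added Python example (not code from the switch or from D-Link). Assumptions: entries are checked in order with the first match deciding, an entry matches when the route carries every community listed in it, the reserved names map to the RFC 1997 well-known values, and the internet keyword is left out of the model; the routes are constructed.

```python
"""Model of 'ip community-list standard' matching (added example, not switch code)."""

# Reserved names and their RFC 1997 well-known values. Mapping local-AS to
# NO_EXPORT_SUBCONFED follows common router convention (assumption).
WELL_KNOWN = {
    "no-export": 0xFFFFFF01,
    "no-advertise": 0xFFFFFF02,
    "local-as": 0xFFFFFF03,
}


def parse_community(text):
    """Return the 32-bit value for 'AA:NN' or a reserved community name."""
    key = text.strip().lower()
    if key in WELL_KNOWN:
        return WELL_KNOWN[key]
    aa, sep, nn = key.partition(":")
    if not (sep and aa.isdigit() and nn.isdigit()):
        raise ValueError(f"not a community value: {text!r}")
    aa, nn = int(aa), int(nn)
    if aa > 0xFFFF or nn > 0xFFFF:
        raise ValueError(f"AA and NN must each fit in 16 bits: {text!r}")
    return (aa << 16) | nn  # AA is the upper half, NN the lower half


def format_community(value):
    """Inverse of parse_community, for readable reports."""
    for name, known in WELL_KNOWN.items():
        if known == value:
            return name
    return f"{value >> 16}:{value & 0xFFFF}"


class StandardCommunityList:
    """Ordered permit/deny entries with the implicit deny the manual describes."""

    def __init__(self, name):
        if not name or len(name) > 16 or " " in name:
            raise ValueError("name must be 1-16 characters without spaces")
        self.name = name
        self.entries = []  # list of (action, frozenset of 32-bit values)

    def add(self, action, *communities):
        if action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        if not communities:
            raise ValueError("an entry needs at least one community")
        values = frozenset(parse_community(c) for c in communities)
        self.entries.append((action, values))

    def denies_everything(self):
        """True for an empty list or one with only deny rules: nothing can pass."""
        return not any(action == "permit" for action, _ in self.entries)

    def evaluate(self, route_communities):
        """Return 'permit' or 'deny' for a route carrying the given communities."""
        carried = {parse_community(c) for c in route_communities}
        for action, wanted in self.entries:
            if wanted <= carried:  # assumption: all listed values must be present
                return action
        return "deny"  # no rule matched


def demo():
    """Replay the 'mycom' entry from the manual against constructed routes."""
    mycom = StandardCommunityList("mycom")
    mycom.add("deny", "no-export", "20:30")
    result = {
        "only_deny_rules": mycom.denies_everything(),
        "plain_route_before": mycom.evaluate(["20:30"]),
    }
    mycom.add("permit", "20:30")  # constructed second entry
    result.update({
        "only_deny_rules_after": mycom.denies_everything(),
        "plain_route_after": mycom.evaluate(["20:30"]),
        "no_export_route": mycom.evaluate(["20:30", "no-export"]),
        "unrelated_route": mycom.evaluate(["65000:1"]),
    })
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A list for which denies_everything() is true blocks every route wherever it is applied, which is worth checking before attaching a new list to a neighbor.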

7-34 ip extcommunity-list

This command is used to create an extended community list or add an extended community entry to an existing extended community list for VPN route filtering. Use the no form of this command to delete the extended community list or remove one of its entries.
Standard IP Extended Community Lists:
ip extcommunity-list standard EXTCOMMUNITY-LIST-NAME [{permit | deny} EXTCOMMUNITY]
no ip extcommunity-list standard EXTCOMMUNITY-LIST-NAME [{permit | deny} EXTCOMMUNITY]
Expanded IP Extended Community Lists:
ip extcommunity-list expanded EXTCOMMUNITY-LIST-NAME [{permit | deny} REGEXP]
no ip extcommunity-list expanded EXTCOMMUNITY-LIST-NAME [{permit | deny} REGEXP]
Parameters
EXTCOMMUNITY-LIST-NAME Specifies the extended community list name. It can accept up to 16 characters. The syntax is a general string that does not allow spaces.
permit (Optional) Specifies the extended community to accept.
deny (Optional) Specifies the extended community to reject.
EXTCOMMUNITY (Optional) Consists of a set of rt VALUE or soo VALUE items. It can accept 12 VALUEs in total for one entry.
There are two different types for the rt values or soo values:
IP address:number: The IP address should be a global IP address that is assigned to the user and the number is assigned from a numbering space that is administered by the user. The number can be 1-65535.
AS number:number: The AS Number should be a public AS Number (both 2-byte and 4-byte AS numbers work) that is assigned to the user and the number is assigned from a numbering space that is administered by the user. The number can be 1-4294967295 for 2-bytes AS number and 1-65535 for 4-bytes AS number.
REGEXP (Optional) Configures a regular expression that is used to specify a pattern to match against an input string. Regular expressions can be used only with expanded community lists. The maximum length is 80 characters.
Default
BGP extended community exchange is disabled by default. It is enabled on a per-neighbor basis with the neighbor send-community command.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
The extended community attribute is used for implementing policy routing. It is an optional, transitive attribute and facilitates transfer of local policies through different autonomous systems. A standard extcommunity list and an expanded extcommunity list must not share the same name.
This command can be applied multiple times. BGP extended community attributes exchanged between BGP peers are controlled by the neighbor send-community command.
If permit rules exist in an extended community list, routes with an extended community that does not match any rule in the list will be denied. If there are no rules, or only deny rules, configured in the extended community list, all routes will be denied.
Use the show ip extcommunity-list command to verify your settings.
Example
The following example defines a standard extended community list named myecom with an entry.
DXS-3600-32S(config)# ip extcommunity-list standard myecom permit rt 1:1 soo 1.1.1.1:1
DXS-3600-32S(config)#
Example
The following example shows how to delete an entry in an extended community list configured earlier. After that, the community list myecom has no entry, but it still exists.
DXS-3600-32S(config)#no ip extcommunity-list standard myecom permit rt 1:1 soo 1.1.1.1:1
DXS-3600-32S(config)#
Example
The following example shows how to delete an extended community list, no matter whether it has entries or not.
DXS-3600-32S(config)# no ip extcommunity-list standard myecom
DXS-3600-32S(config)#
Example
The following example creates an expanded extended community list named myexpcom with an entry.
DXS-3600-32S(config)# ip extcommunity-list expanded myexpcom permit _20[0-9]
DXS-3600-32S(config)#

7-35 neighbor activate

This command is used to enable the exchange of information with a Border Gateway Protocol (BGP) neighbor. Use the no form of this command to disable the exchange of information with a BGP neighbor.
neighbor {IP-ADDRESS | PEER-GROUP-NAME} activate
no neighbor {IP-ADDRESS | PEER-GROUP-NAME} activate
Parameters
IP-ADDRESS Specifies the IP address of the BGP peer.
PEER-GROUP-NAME Specifies the name of a Border Gateway Protocol (BGP) peer group. The maximum length is 16 characters.
Default
The exchange of addresses with BGP neighbors is enabled for the IPv4 unicast address family and is disabled for the VPNv4 address family if the default IPv4 unicast is enabled.
Command Mode
Router Configuration Mode.
Address Family Configuration Mode (IPv4 Unicast, VPNv4 and VRF).
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
If you specify a BGP peer group by using the PEER-GROUP-NAME argument, all the members of the peer group will inherit the characteristic configured with this command. It is not allowed to disable an active peer group.
When using the no form of this command, the exchange of addresses with a BGP neighbor is disabled for the IPv4 address family, and the connection will be torn down, so the following log message will be generated:
[BGP(2):] BGP connection is normally closed (Peer:<ipaddress>)
where the <ipaddress> is the address of the peer.
Use the show ip bgp neighbors or show ip bgp peer-group command to verify your settings.
Example
This example shows how to disable address exchange for neighbor 10.4.4.4.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#router bgp 100
DXS-3600-32S(config-router)#neighbor 10.4.4.4 remote-as 65101
DXS-3600-32S(config-router)#no neighbor 10.4.4.4 activate
DXS-3600-32S(config-router)#

7-36 neighbor advertisement-interval

This command is used to set the minimum interval between sending Border Gateway Protocol (BGP) routing updates. Use the no command to return to the default configuration.
neighbor {IP-ADDRESS | PEER-GROUP-NAME} advertisement-interval SECONDS
no neighbor {IP-ADDRESS | PEER-GROUP-NAME} advertisement-interval
Parameters
IP-ADDRESS Specifies the IP address of the BGP peer.
PEER-GROUP-NAME Specifies the name of a Border Gateway Protocol (BGP) peer group. The maximum length is 16 characters.
SECONDS Specifies the interval, in seconds, between the sending of UPDATE messages. The range is from 0 to 600. If this value is set to zero, the update or withdrawn message will be sent immediately.
Default
By default, it is 30 seconds for external peers and 5 seconds for internal peers.
Command Mode
Router Configuration Mode.
Address Family Configuration Mode (VRF).
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
If you specify a BGP peer group, by using the PEER-GROUP-NAME argument, all the members of the peer group will inherit the characteristic configured with this command.
Use the show ip bgp neighbors or show ip bgp peer-group command to verify your settings.
Example
This example shows how to set the minimum time interval between sending BGP routing updates to 15 seconds.
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#router bgp 100
DXS-3600-32S(config-router)#neighbor 10.4.4.4 remote-as 65101
DXS-3600-32S(config-router)#neighbor 10.4.4.4 advertisement-interval 15
DXS-3600-32S(config-router)#

7-37 neighbor allowas-in

This command is used to enable a router to accept its own AS appearing in received BGP update packets. To disable the duplicate AS number, use the no form of this command.
neighbor {IP-ADDRESS | PEER-GROUP-NAME} allowas-in [NUMBER]
no neighbor {IP-ADDRESS | PEER-GROUP-NAME} allowas-in
Parameters
IP-ADDRESS Specifies the IP address of the BGP peer.
PEER-GROUP-NAME Specifies the name of a Border Gateway Protocol (BGP) peer group. The maximum length is 16 characters.
NUMBER (Optional) Specifies the maximum number of times the local AS is allowed to appear in the AS-path attribute of the update packets. The value is from 1 to 10. If no number is supplied, the default value of 3 times is used.
Default Command Mode
Command Default Level Usage Guideline
By default, this option is disabled. Router Configuration Mode.
Address Family Configuration Mode (IPv4 Unicast, VPNv4 and VRF). Level: 8. (EI Mode Only Command) The BGP router will do AS path loop checks for the received BGP update packets. If
the BGP router’s own AS appears in the AS path list, it is identified as a loop and the packets will be discarded. If the allowas-in setting is enabled, the BGP router’s own AS is allowed in the AS path list.
Use the show ip bgp neighbors or show ip bgp peer-group command to verify your settings.
Example
DXS-3600-32S#configure terminal DXS-3600-32S(config)#router bgp 100 DXS-3600-32S(config-router)#neighbor 100.16.5.4 remote-as 65101 DXS-3600-32S(config-router)#neighbor 100.16.5.4 allowas-in 5 DXS-3600-32S(config-router)#
This example shows how to set the number of times of the local router’s own AS to allow appearing in the update packets received from the neighbor 10 0. 16 .5 .4 to 5.
Example
DXS-3600-32S#configure terminal
DXS-3600-32S(config)#router bgp 100
DXS-3600-32S(config-router)#neighbor 100.16.5.4 remote-as 65101
DXS-3600-32S(config-router)#neighbor 100.16.5.4 allowas-in
DXS-3600-32S(config-router)#
This example shows how to set the ‘allowas-in’ value to 3 without the NUMBER parameter.

7-38 neighbor as-override

This command is used to override the AS number of a site with the provider’s AS number on a PE router. Use the no form of the command to disable this function.
neighbor {IP-ADDRESS | PEER-GROUP-NAME} as-override
no neighbor {IP-ADDRESS | PEER-GROUP-NAME} as-override
Parameters
IP-ADDRESS: Specifies the address of the peer.
PEER-GROUP-NAME: Specifies the name of the peer group.
Default
Disabled.
Command Mode
Address Family Configuration (VRF).
Command Default Level
Level: 8. (EI Mode Only Command)
Usage Guideline
This command is used to prevent routing loops between routers within a VPN.
In a VPN, the most typical application is when the two CE ends have the same AS number. Normally, these two CE routers cannot receive route information from each other, because BGP will not accept route information whose AS path attribute contains the same AS number as the BGP instance itself. After this command is configured on the PE router, the PE replaces the AS number of the CE with its own AS number, so that the CE at the other end can receive the route information. Only set this function for an EBGP peer.
Use the show ip bgp neighbors or show ip bgp peer-group command to verify your settings.
Example
DXS-3600-32S#configure terminal
DXS-3600-32S(config)# router bgp 10
DXS-3600-32S(config-router)# address-family ipv4 vrf vpn1
DXS-3600-32S(config-router-af)# neighbor 3.3.3.3 remote-as 20
DXS-3600-32S(config-router-af)# neighbor 3.3.3.3 as-override
This example shows how to enable the AS override flag of BGP peer 3.3.3.3 in VRF vpn1.
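
The following Python sketch is an added example, not part of the D-Link manual or the switch firmware. It models the AS path loop check that allowas-in relaxes and the AS rewrite that as-override performs, using the AS numbers from the two command examples above; the function names are hypothetical, and treating NUMBER as an inclusive maximum count is an assumption.

```python
# Added illustration (not D-Link code): models the receive-side AS path loop
# check that allowas-in relaxes and the PE-side rewrite done by as-override.
# Function names and sample AS paths are constructed for this example.

def accept_update(local_as, as_path, allowas_in=0):
    """Return True if a received update passes the AS path loop check.

    allowas_in=0 models the default (option disabled): any occurrence of the
    local AS counts as a loop. allowas_in=N (1 to 10) tolerates up to N
    occurrences (assumption: NUMBER is an inclusive maximum).
    """
    if not 0 <= allowas_in <= 10:
        raise ValueError("allowas-in NUMBER must be 1 to 10 (0 = disabled)")
    return as_path.count(local_as) <= allowas_in


def pe_advertise(pe_as, ce_as, as_path, as_override=False):
    """AS path a PE sends to its EBGP CE neighbor for a VPN route.

    With as_override, every occurrence of the CE's AS is replaced by the
    PE's AS before the PE prepends its own AS, as EBGP speakers do.
    """
    if as_override:
        as_path = [pe_as if asn == ce_as else asn for asn in as_path]
    return [pe_as] + as_path


if __name__ == "__main__":
    # Manual's as-override example: PE in AS 10, CE neighbor 3.3.3.3 in AS 20.
    # The route originates at another site that also uses AS 20.
    site_route = [20]
    plain = pe_advertise(10, 20, site_route)
    rewritten = pe_advertise(10, 20, site_route, as_override=True)
    print(plain, accept_update(20, plain))                # loop: discarded
    print(rewritten, accept_update(20, rewritten))        # accepted
    print(plain, accept_update(20, plain, allowas_in=1))  # accepted via allowas-in
    # Manual's allowas-in example: router in AS 100 with "allowas-in 5".
    six = [65101] + [100] * 6
    print(accept_update(100, six, allowas_in=5))          # six occurrences: discarded
```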

7-39 neighbor capability orf prefix-list

This command is used to advertise outbound route filter (ORF) capabilities to a peer or a peer group. Use the no form of this command to disable ORF capabilities.
neighbor {IP-ADDRESS | PEER-GROUP-NAME} capability orf prefix-list {receive | send | both}
no neighbor {IP-ADDRESS | PEER-GROUP-NAME} capability orf prefix-list {receive | send | both}