NETGEAR M4100 ProSAFE Reference Manual

M4100 Series
Managed Switches
ProSAFE
Software Version 10.0.2
April 2015 202-11166-04
350 East Plumeria Drive San Jose, CA 95134 USA
M4100 Series ProSAFE Managed Switches
Support
Thank you for selecting NETGEAR products.
After installing your device, locate the serial number on the label of your product and use it to register your product at
https://my.netgear.com. You must register your product before you can use NETGEAR telephone support. NETGEAR
recommends registering your product through the NETGEAR website.
For product updates and web support, visit http://support.netgear.com.
Phone (US & Canada only): 1-888-NETGEAR.
Phone (Other Countries): Check the list of phone numbers at http://support.netgear.com/general/contact/default.aspx.
Compliance
For regulatory compliance information, visit http://www.netgear.com/about/regulatory.
See the regulatory compliance document before connecting the power supply.
Trademarks
© NETGEAR, Inc. NETGEAR and the NETGEAR Logo are trademarks of NETGEAR, Inc. Any non-NETGEAR trademarks are used for reference purposes only.
Revision History
Publication Part Number   Publish Date   Comments
202-11166-03              March 2015     First publication.
Contents
Chapter 1 Using the Command-Line Interface
  Command Syntax
  Command Conventions
  Common Parameter Values
  Slot/Port Naming Convention
  Using a Command’s “No” Form
  Managed Switch Modules
  Command Modes
  Command Completion and Abbreviation
  CLI Error Messages
  CLI Line-Editing Conventions
  Using CLI Help
  Accessing the CLI
Chapter 2 Switching Commands
  Port Configuration Commands
  Loopback Interface Commands
  Spanning Tree Protocol (STP) Commands
  VLAN Commands
  Switch Port Commands
  Double VLAN Commands
  Voice VLAN Commands
  Provisioning (IEEE 802.1p) Commands
  Protected Ports Commands
  Private VLAN Commands
  GARP Commands
  GVRP Commands
  GMRP Commands
  Port-Based Network Access Control Commands
  802.1X Supplicant Commands
  Storm-Control Commands
  Flow Control Commands
  Port-Channel/LAG (802.3ad) Commands
  Port Mirroring Commands
  Static MAC Filtering Commands
  DHCP L2 Relay Agent Commands
  DHCP Client Commands
  DHCP Snooping Configuration Commands
  Dynamic ARP Inspection Commands
  IGMP Snooping Configuration Commands
  IGMP Snooping Querier Commands
  MLD Snooping Commands
  MLD Snooping Querier Commands
  Port Security Commands
  LLDP (802.1AB) Commands
  LLDP-MED Commands
  Denial of Service Commands
  MAC Database Commands
  ISDP Commands
Chapter 3 Multicast VLAN Registration Commands
  About MVR
  MVR Commands
Chapter 4 Routing Commands
  Address Resolution Protocol (ARP) Commands
  IP Routing Commands
  Virtual LAN Routing Commands
  DHCP and BOOTP Relay Commands
  IP Helper Commands
  ICMP Throttling Commands
Chapter 5 Quality of Service Commands
  Class of Service (CoS) Commands
  Differentiated Services (DiffServ) Commands
  DiffServ Class Commands
  DiffServ Policy Commands
  DiffServ Service Commands
  DiffServ Show Commands
  MAC Access Control List (ACL) Commands
  IP Access Control List (ACL) Commands
  IPv6 Access Control List (ACL) Commands
  Time Range Commands for Time-Based ACLs
  AutoVoIP Commands
Chapter 6 Power over Ethernet Commands
  About PoE
  PoE Commands
Chapter 7 Utility Commands
  Auto Install Commands
  Dual Image Commands
  System Information and Statistics Commands
  Logging Commands
  Email Alerting and Mail Server Commands
  System Utility and Clear Commands
  Simple Network Time Protocol (SNTP) Commands
  DHCP Server Commands
  DNS Client Commands
  Packet Capture Commands
  Serviceability Packet Tracing Commands
  Cable Test Command
  sFlow Commands
  IP Address Conflict Commands
  RMON Stats and History Commands
  UniDirectional Link Detection Commands
  USB Commands
Chapter 8 Management Commands
  Switch Management CPU Commands
  Management Interface Commands
  Console Port Access Commands
  Telnet Commands
  Secure Shell (SSH) Commands
  Management Security Commands
  Hypertext Transfer Protocol (HTTP) Commands
  Access Commands
  User Account Commands
  SNMP Commands
  RADIUS Commands
  TACACS+ Commands
  Configuration Scripting Commands
  Pre-Login Banner and System Prompt Commands
Chapter 9 Green Ethernet Commands
  Green Feature Support
  Energy-Detect Mode
  Energy Efficient Ethernet (EEE)
  Green Ethernet Commands
Chapter 10 Log Messages
  Core
  Utilities
  Management
  Switching
  QoS
  Routing/IPv6 Routing
  Multicast
  Stacking
  Technologies
  O/S Support
Command List
1. Using the Command-Line Interface
The command-line interface (CLI) is a text-based way to manage and monitor the system. You
can access the CLI by using a direct serial connection or by using a remote logical connection with telnet or SSH.
This chapter describes the CLI syntax, conventions, and modes. It contains the following sections:
Command Syntax
Command Conventions
Common Parameter Values
Slot/Port Naming Convention
Using a Command’s “No” Form
Managed Switch Modules
Command Modes
Command Completion and Abbreviation
CLI Error Messages
CLI Line-Editing Conventions
Using CLI Help
Accessing the CLI
Note: For more information about the topics covered in this manual, visit the
support website at support.netgear.com.
Note: Firmware updates with new features and bug fixes are made available from time to time at downloadcenter.netgear.com. Some products can regularly check the site and download new firmware, or you can check for and download new firmware manually. If the features or behavior of your product does not match what is described in this guide, you might need to update your firmware.
Command Syntax
A command is one or more words that might be followed by one or more parameters.
Parameters can be required or optional values. Some commands, such as show network and clear vlan, do not require parameters.
Other commands, such as network parms, require that you supply a value after the command. You must type the parameter values in a specific order, and optional parameters follow required parameters. The following example describes the network parms command syntax:
Format network parms <ipaddr> <netmask> [gateway]
network parms is the command name.
<ipaddr> and <netmask> are parameters and represent required values that you must enter after you type the command keywords.
[gateway] is an optional keyword, so you are not required to enter a value in place of the keyword.
This command line reference manual lists each command by the command name and provides a brief description of the command. Each command reference also contains the following information:
Format shows the command keywords and the required and optional parameters.
Mode identifies the command mode you must be in to access the command.
Default shows the default value, if any, of a configurable setting on the device.
The show commands also contain a description of the information that the command shows.
Command Conventions
In this document, the command name is in bold font. Parameters are in <italic font> between angle brackets. You must replace the parameter name with an appropriate value, which might be a name or number. Parameters are order-dependent. Keyword choices are in bold font.
The parameters for a command might include mandatory values, optional values, or keyword choices. The following table describes the conventions this document uses to distinguish between value types.
Table 1. Parameter Conventions
Symbol                                Example                  Description
italic font in angle brackets         <value> or [<value>]     Indicates a variable value. You must replace the italicized text within angle brackets with a name or number.
[ ] square brackets                   [keyword]                Indicates an optional parameter.
{ } curly braces                      {choice1 | choice2}      Indicates that you must select a parameter from the list of choices.
| Vertical bars                       choice1 | choice2        Separates the mutually exclusive choices.
[{ }] Braces within square brackets   [{choice1 | choice2}]    Indicates a choice within an optional element. This format is used mainly for complicated commands.
Common Parameter Values
Parameter values might be names (strings) or numbers. To use spaces as part of a name parameter, enclose the name value in double quotes. For example, the expression “System Name with Spaces” forces the system to accept the spaces. Empty strings (“”) are not valid user-defined strings. The following table describes common parameter values and value formatting.
Table 2. Parameter Descriptions
Parameter: ipaddr
    This parameter is a valid IPv4 address. You can enter the IP address in the following formats:
        a (32 bits)
        a.b (8.24 bits)
        a.b.c (8.8.16 bits)
        a.b.c.d (8.8.8.8)
    In addition to these formats, the CLI accepts decimal, hexadecimal and octal formats through the following input formats (where n is any valid hexadecimal, octal or decimal number):
        0xn (CLI assumes hexadecimal format.)
        0n (CLI assumes octal format with leading zeros.)
        n (CLI assumes decimal format.)
Parameter: ipv6-address
    This parameter is a valid IPv6 address. You can enter the IP address in the following formats:
        FE80:0000:0000:0000:020F:24FF:FEBF:DBCB
        FE80:0:0:0:20F:24FF:FEBF:DBCB
        FE80::20F:24FF:FEBF:DBCB
        FE80:0:0:0:20F:24FF:128.141.49.32
    For additional information, refer to RFC 3513.
Parameter: Interface or slot/port
    Valid slot and port number separated by forward slashes. For example, 0/1 represents slot number 0 and port number 1.
Parameter: Logical Interface
    Represents a logical slot and port number. This is applicable in the case of a port-channel (LAG). You can use the logical slot/port to configure the port-channel.
Parameter: Character strings
    Use double quotation marks to identify character strings, for example, “System Name with Spaces”. An empty string (“”) is not valid.
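The short forms and base prefixes listed for ipaddr mean that one address can be written in many ways, which matters when a saved configuration is reviewed by string matching. The following added example (not NETGEAR code) normalizes those forms to dotted decimal; it assumes the CLI combines them the way the classic inet_aton parser does (base chosen per component, last component filling the remaining bits), and normalize_ipaddr, review_network_parms and the sample lines are constructed for illustration.

```python
import ipaddress


def parse_component(text):
    """Parse one component: 0xn is hexadecimal, 0n is octal, n is decimal."""
    lower = text.lower()
    if lower.startswith("0x"):
        digits, base = lower[2:], 16
    elif len(lower) > 1 and lower.startswith("0"):
        digits, base = lower[1:], 8
    else:
        digits, base = lower, 10
    allowed = "0123456789abcdef"[:base]
    if not digits or any(ch not in allowed for ch in digits):
        raise ValueError(f"not a valid base-{base} number: {text!r}")
    return int(digits, base)


def normalize_ipaddr(text):
    """Return the dotted-decimal form of an address written as a, a.b, a.b.c or a.b.c.d.

    Assumption: leading components are 8 bits each and the last component
    fills whatever is left of the 32 bits (8.24, 8.8.16, 8.8.8.8).
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"expected 1 to 4 components: {text!r}")
    values = [parse_component(p) for p in parts]
    tail_bits = 32 - 8 * (len(values) - 1)
    if any(v > 0xFF for v in values[:-1]) or values[-1] >= 1 << tail_bits:
        raise ValueError(f"component out of range: {text!r}")
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << tail_bits) | values[-1]
    return str(ipaddress.IPv4Address(addr))


def review_network_parms(lines, mgmt_net):
    """Normalize the <ipaddr> of each 'network parms' line and compare it
    with the management subnet the reviewer expects."""
    net = ipaddress.ip_network(mgmt_net)
    findings = []
    for line in lines:
        words = line.split()
        if words[:2] != ["network", "parms"] or len(words) < 4:
            continue
        written = words[2]
        canonical = normalize_ipaddr(written)
        findings.append({
            "written": written,
            "canonical": canonical,
            "rewritten": written != canonical,
            "in_mgmt_net": ipaddress.ip_address(canonical) in net,
        })
    return findings


# Constructed sample lines, not taken from a real switch.
SAMPLE_CONFIG = [
    "network parms 10.0.0.5 255.255.255.0 10.0.0.1",
    "network parms 010.0.0.5 255.255.255.0",   # leading zero: octal 010 is 8
    "network parms 0x0A000005 255.255.255.0",  # one 32-bit hexadecimal value
    "network parms 10.5 255.255.255.0",        # a.b form (8.24 bits)
    "network protocol none",
]

if __name__ == "__main__":
    for finding in review_network_parms(SAMPLE_CONFIG, "10.0.0.0/24"):
        print(finding)
```

The second sample line looks like a 10.x address to a text search but normalizes to 8.0.0.5, outside the expected management subnet.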
Slot/Port Naming Convention
Managed switch software references physical entities such as cards and ports by using a slot/port naming convention. The software also uses this convention to identify certain logical entities, such as port-channel interfaces.
The slot number has two uses. In the case of physical ports, it identifies the card containing the ports. In the case of logical and CPU ports it also identifies the type of interface or port.
Table 3. Type of slots
Slot Type               Description
Physical slot numbers   Physical slot numbers begin with zero, and are allocated up to the maximum number of physical slots.
Logical slot numbers    Logical slots immediately follow physical slots and identify port-channel (LAG) or router interfaces.
CPU slot numbers        The CPU slots immediately follow the logical slots.
The port identifies the specific physical port or logical interface being managed on a slot.
Table 4. Type of ports
Port Type            Description
Physical Ports       The physical ports for each slot are numbered sequentially starting from zero.
Logical Interfaces   Port-channel or link aggregation group (LAG) interfaces are logical interfaces that are only used for bridging functions. VLAN routing interfaces are only used for routing functions. Loopback interfaces are logical interfaces that are always up. Tunnel interfaces are logical point-to-point links that carry encapsulated packets.
CPU ports            CPU ports are handled by the driver as one or more physical entities located on physical slots.
Note: In the CLI, loopback and tunnel interfaces do not use the slot/port
format. To specify a loopback interface, you use the loopback ID. To specify a tunnel interface, you use the tunnel ID.
Using a Command’s “No” Form
The no keyword is a specific form of an existing command and does not represent a new or distinct command. Almost every configuration command has a no form. In general, use the no form to reverse the action of a command or reset a value back to the default. For example, the no shutdown configuration command reverses the shutdown of an interface. Use the command without the keyword no to reenable a disabled feature or to enable a feature that is disabled by default. Only the configuration commands are available in the no form.
Managed Switch Modules
Managed switch software consists of flexible modules that can be applied in various combinations to develop advanced Layer 2/3/4+ products. The commands and command modes available on your switch depend on the installed modules. Additionally, for some show commands, the output fields might change based on the modules included in the software.
The software suite includes the following modules:
Switching (Layer 2)
Routing (Layer 3)
Quality of Service
Management (CLI, web UI, and SNMP)
Command Modes
The CLI groups commands into modes according to the command function. Each of the command modes supports specific software commands. The commands in one mode are not available until you switch to that particular mode, except for the User EXEC mode commands. You can execute the User EXEC mode commands in the Privileged EXEC mode.
The command prompt changes in each command mode to help you identify the current mode. The following table describes the command modes and the prompts visible in that mode.
Note: The command modes available on your switch depend on the software
modules that are installed. For example, a switch that does not support BGPv4 does not provide the Router BGPv4 Command Mode.
Table 5. CLI Command Modes
Command Mode                  Prompt                               Mode Description
User EXEC                     Switch>                              Contains a limited set of commands to view basic system information.
Privileged EXEC               Switch#                              Allows you to issue any EXEC command, enter the VLAN mode, or enter the Global Configuration mode.
Global Config                 Switch (Config)#                     Groups general setup commands and permits you to make modifications to the running configuration.
VLAN Config                   Switch (Vlan)#                       Groups all the VLAN commands.
Interface Config              Switch (Interface <slot/port>)#      Manages the operation of an interface and provides access to the router interface configuration commands. Use this mode to set up a physical port for a specific logical connection operation.
                              Switch (Interface Loopback <id>)#
                              Switch (Interface Tunnel <id>)#
Line Config                   Switch (line)#                       Contains commands to configure outbound telnet settings and console interface settings.
Policy Map Config             Switch (Config-policy-map)#          Contains the QoS Policy-Map configuration commands.
Policy Class Config           Switch (Config-policy-class-map)#    Consists of class creation, deletion, and matching commands. The class match commands specify Layer 2, Layer 3, and general match criteria.
Class Map Config              Switch (Config-class-map)#           Contains the QoS class map configuration commands for IPv4.
Ipv6_Class-Map Config         Switch (Config-class-map)#           Contains the QoS class map configuration commands for IPv6.
MAC Access-list Config        Switch (Config-mac-access-list)#     Allows you to create a MAC Access-List and to enter the mode containing MAC Access-List configuration commands.
TACACS Config                 Switch (Tacacs)#                     Contains commands to configure properties for the TACACS servers.
DHCP Pool Config              Switch (Config dhcp-pool)#           Contains the DHCP server IP address pool configuration commands.
ARP Access-List Config Mode   Switch (Config-arp-access-list)#     Contains commands to add ARP ACL rules in an ARP Access List.
The following table explains how to enter or exit each mode.
Table 6. CLI Mode Access and Exit
Command Mode: User EXEC
    Access Method: This is the first level of access.
    Exit or Access Previous Mode: To exit, enter logout.
Command Mode: Privileged EXEC
    Access Method: From the User EXEC mode, enter enable.
    Exit or Access Previous Mode: To exit to the User EXEC mode, enter exit or press Ctrl-Z.
Command Mode: Global Config
    Access Method: From the Privileged EXEC mode, enter configure.
    Exit or Access Previous Mode: To exit to the Privileged EXEC mode, enter exit, or press Ctrl-Z.
Command Mode: VLAN Config
    Access Method: From the Privileged EXEC mode, enter vlan database.
    Exit or Access Previous Mode: To exit to the Privileged EXEC mode, enter exit, or press Ctrl-Z.
Command Mode: Interface Config
    Access Method: From the Global Config mode, enter interface <slot/port> or interface loopback <id> or interface tunnel <id>
    Exit or Access Previous Mode: To exit to the Global Config mode, enter exit. To return to the Privileged EXEC mode, enter Ctrl-Z.
Command Mode: Line Config
    Access Method: From the Global Config mode, enter lineconfig.
    Exit or Access Previous Mode: To exit to the Global Config mode, enter exit. To return to the Privileged EXEC mode, enter Ctrl-Z.
Command Mode: Policy-Map Config
    Access Method: From the Global Config mode, enter policy-map <name>.
    Exit or Access Previous Mode: To exit to the Global Config mode, enter exit. To return to the Privileged EXEC mode, enter Ctrl-Z.
Command Mode: Policy-Class-Map Config
    Access Method: From the Policy Map mode enter class.
    Exit or Access Previous Mode: To exit to the Global Config mode, enter exit. To return to the Privileged EXEC mode, enter Ctrl-Z.
Command Mode: Class-Map Config
    Access Method: From the Global Config mode, enter class-map, and specify the optional keyword ipv4 to specify the Layer 3 protocol for this class. See class-map on page 272 for more information.
    Exit or Access Previous Mode: To exit to the Global Config mode, enter exit. To return to the Privileged EXEC mode, enter Ctrl-Z.
Command Mode: Ipv6-Class-Map Config
    Access Method: From the Global Config mode, enter class-map and specify the optional keyword ipv6 to specify the Layer 3 protocol for this class. See class-map on page 272 for more information.
    Exit or Access Previous Mode: To exit to the Global Config mode, enter exit. To return to the Privileged EXEC mode, enter Ctrl-Z.
Command Mode: MAC Access-list Config
    Access Method: From the Global Config mode, enter mac access-list extended <name>.
    Exit or Access Previous Mode: To exit to the Global Config mode, enter exit. To return to the Privileged EXEC mode, enter Ctrl-Z.
Command Mode: TACACS Config
    Access Method: From the Global Config mode, enter tacacs-server host <ip-addr>, in which <ip-addr> is the IP address of the TACACS server on your network.
    Exit or Access Previous Mode: To exit to the Global Config mode, enter exit. To return to the Privileged EXEC mode, enter Ctrl-Z.
Command Mode: DHCP Pool Config
    Access Method: From the Global Config mode, enter ip dhcp pool <pool-name>.
    Exit or Access Previous Mode: To exit to the Global Config mode, enter exit. To return to the Privileged EXEC mode, enter Ctrl-Z.
Command Mode: ARP Access-List Config Mode
    Access Method: From the Global Config mode, enter arp access-list.
    Exit or Access Previous Mode: To exit to the Global Config mode, enter exit. To return to the Privileged EXEC mode, enter Ctrl-Z.
Command Completion and Abbreviation
Command completion finishes spelling the command when you type enough letters of a command to uniquely identify the command keyword. Once you have entered enough letters, press the SPACEBAR or TAB key to complete the word.
Command abbreviation allows you to execute a command when you have entered enough letters to uniquely identify the command.
You must enter all of the required keywords and parameters before you enter the command.
CLI Error Messages
If you enter a command and the system is unable to execute it, an error message appears. The following table describes the most common CLI error messages.
Table 7. CLI Error Messages
Message Text: % Invalid input detected at '^' marker.
    Description: Indicates that you entered an incorrect or unavailable command. The caret (^) shows where the invalid text is detected. This message also appears if any of the parameters or values are not recognized.
Message Text: Command not found / Incomplete command. Use a question mark (?) to list commands.
    Description: Indicates that you did not enter the required keywords or values.
Message Text: Ambiguous command
    Description: Indicates that you did not enter enough letters to uniquely identify the command.
CLI Line-Editing Conventions
The following table describes the key combinations you can use to edit commands or increase the speed of command entry. You can access this list from the CLI by entering help from the User or Privileged EXEC modes.
Table 8. CLI Editing Conventions
Key Sequence       Description
DEL or Backspace   Delete previous character
Ctrl-A             Go to beginning of line
Ctrl-E             Go to end of line
Ctrl-F             Go forward one character
Ctrl-B             Go backward one character
Ctrl-D             Delete current character
Ctrl-U, X          Delete to beginning of line
Ctrl-K             Delete to end of line
Ctrl-W             Delete previous word
Ctrl-T             Transpose previous character
Ctrl-P             Go to previous line in history buffer
Ctrl-R             Rewrites or pastes the line
Ctrl-N             Go to next line in history buffer
Ctrl-Y             Prints last deleted character
Ctrl-Q             Enables serial flow
Ctrl-S             Disables serial flow
Ctrl-Z             Return to root command prompt
Tab, <SPACE>       Command-line completion
Exit               Go to next lower command prompt
?                  List available commands, keywords, or parameters
Using CLI Help
Enter a question mark (?) at the command prompt to display the commands available in the current mode.
(NETGEAR Switch) >?
enable          Enter into user privilege mode.
help            Display help for various special keys.
logout          Exit this session. Any unsaved changes are lost.
ping            Send ICMP echo packets to a specified IP address.
quit            Exit this session. Any unsaved changes are lost.
show            Display Switch Options and Settings.
telnet          Telnet to a remote host.
Enter a question mark (?) after each word you enter to display available command keywords or parameters.
(NETGEAR Switch) #network ?
javamode        Enable/Disable.
mgmt_vlan       Configure the Management VLAN ID of the switch.
parms           Configure Network Parameters of the router.
protocol        Select DHCP, BootP, or None as the network config protocol.
If the help output shows a parameter in angle brackets, you must replace the parameter with a value.
(NETGEAR Switch) #network parms ?
<ipaddr> Enter the IP address.
If there are no additional command keywords or parameters, or if more parameters are optional, the following message appears in the output:
<cr> Press Enter to execute the command
You can also enter a question mark (?) after typing one or more characters of a word to list the available command or parameters that begin with the letters, as shown in the following example:
(NETGEAR Switch) #show m?
mac-addr-table mac-address-table monitor
Accessing the CLI
You can access the CLI by using a direct console connection or by using a telnet or SSH connection from a remote management host.
For the initial connection, you must use a direct connection to the console port. You cannot access the system remotely until the system has an IP address, subnet mask, and default gateway. You can set the network configuration information manually, or you can configure the system to accept these settings from a BOOTP or DHCP server on your network. For more information, see Management Interface Commands on page 446.
2. Switching Commands
This chapter describes the switching commands available in the managed switch CLI. The chapter contains the following sections:
Port Configuration Commands
Loopback Interface Commands
Spanning Tree Protocol (STP) Commands
VLAN Commands
Switch Port Commands
Double VLAN Commands
Voice VLAN Commands
Provisioning (IEEE 802.1p) Commands
Protected Ports Commands
Private VLAN Commands
GARP Commands
GVRP Commands
GMRP Commands
Port-Based Network Access Control Commands
802.1X Supplicant Commands
Storm-Control Commands
Flow Control Commands
Port Mirroring Commands
Static MAC Filtering Commands
DHCP L2 Relay Agent Commands
DHCP Client Commands
DHCP Snooping Configuration Commands
Dynamic ARP Inspection Commands
IGMP Snooping Configuration Commands
IGMP Snooping Querier Commands
MLD Snooping Commands
MLD Snooping Querier Commands
Port Security Commands
LLDP (802.1AB) Commands
LLDP-MED Commands
Denial of Service Commands
MAC Database Commands
ISDP Commands
The commands in this chapter are in three functional groups:
Show commands display switch settings, statistics, and other information.
Configuration commands configure features and options of the switch. Every switch command has a show command that displays the configuration setting.
Clear commands clear some or all of the settings to factory defaults.
Port Configuration Commands
This section describes the commands you use to view and configure port settings.
interface
This command gives you access to the Interface Config mode, which allows you to enable or modify the operation of an interface (port).
Format   interface <slot/port>
Mode     Global Config
interface vlan
This command gives you access to the vlan virtual interface mode, which allows certain port configurations (for example, the IP address) to be applied to the VLAN interface. Type a question mark (?) after entering the interface configuration mode to see the available options.
Format   interface vlan <vlan id>
Mode     Global Config
interface lag
This command gives you access to the LAG (link aggregation, or port channel) virtual interface, which allows certain port configurations to be applied to the LAG interface. Type a question mark (?) after entering the interface configuration mode to see the available options.
Note: The IP address cannot be assigned to a LAG virtual interface. The interface must be put under a VLAN group and an IP address assigned to the VLAN group.
Format   interface lag <lag id>
Mode     Global Config
auto-negotiate
This command enables automatic negotiation on a port.
Default  enabled
Format   auto-negotiate
Mode     Interface Config
no auto-negotiate
This command disables automatic negotiation on a port.
Note: Automatic sensing is disabled when automatic negotiation is disabled.
auto-negotiate all
This command enables automatic negotiation on all ports.
Default  enabled
Format   auto-negotiate all
Mode     Global Config
no auto-negotiate all
This command disables automatic negotiation on all ports.
Format   no auto-negotiate all
Mode     Global Config
description
Use this command to create an alpha-numeric description of the port.
Format   description <description>
Mode     Interface Config
mtu
Use the mtu command to set the maximum transmission unit (MTU) size, in bytes, for frames that ingress or egress the interface. You can use the mtu command to configure jumbo frame support for physical and port-channel (LAG) interfaces. The MTU size is a valid integer between 1522–9216 for tagged packets and a valid integer between 1518–9216 for untagged packets.
Note: To receive and process packets, the Ethernet MTU must include any extra bytes that Layer-2 headers might require. To configure the IP MTU size, which is the maximum size of the IP packet (IP Header + IP payload), see ip mtu on page 239.
Default  1518 (untagged)
Format   mtu <1518-9216>
Mode     Interface Config
no mtu
This command sets the default MTU size (in bytes) for the interface.
Format   no mtu
Mode     Interface Config
shutdown
This command disables a port.
Note: You can use the shutdown command on physical and port-channel (LAG) interfaces, but not on VLAN routing interfaces.
Format   shutdown
Mode     Interface Config
no shutdown
This command enables a port.
Format   no shutdown
Mode     Interface Config
shutdown all
This command disables all ports.
Note: You can use the shutdown all command on physical and port-channel (LAG) interfaces, but not on VLAN routing interfaces.
Format   shutdown all
Mode     Global Config
no shutdown all
This command enables all ports.
Format   no shutdown all
Mode     Global Config
speed
This command sets the speed and duplex setting for the interface.
Format   speed [auto] [{<100 | 10 | 10G> {<half-duplex | full-duplex>}}]
Mode     Interface Config
Acceptable Values  Definition
100h               100BASE-T half duplex
100f               100BASE-T full duplex
10h                10BASE-T half duplex
10f                10BASE-T full duplex
10Gh               10GBase-T full duplex
10Gf               10Gbase-T half duplex
speed all
This command sets the speed and duplex setting for all interfaces.
Format   speed all [auto] [{<100 | 10> {<half-duplex | full-duplex>}}]
Mode     Global Config
Acceptable Values  Definition
100h               100BASE-T half duplex
100f               100BASE-T full duplex
10h                10BASE-T half duplex
10f                10BASE-T full duplex
10Gh               10GBase-T full duplex
10Gf               10Gbase-T half duplex
show port advertise
Use this command to display the local administrative link advertisement configuration, local operational link advertisement, and the link partner advertisement for an interface. It also displays priority Resolution for speed and duplex as per 802.3 Annex 28B.3. It displays the autonegotiation state, Phy Master/Slave Clock configuration, and Link state of the port.
If the link is down, the Clock is displayed as No Link, and a dash is displayed against the Oper Peer advertisement, and Priority Resolution. If autonegotiation is disabled, the admin Local Link advertisement, operational local link advertisement, operational peer advertisement, and Priority resolution fields are not displayed.
If this command is executed without the optional slot/port parameter, it displays the autonegotiation state and operational Local link advertisement for all the ports. Operational link advertisement will display speed only if it is supported by both local as well as link partner. If autonegotiation is disabled, operational local link advertisement is not displayed.
Format   show port advertise [slot/port]
Mode     Privileged EXEC
Command example:
The following commands show the command output with and without the optional parameter:
(NETGEAR Switch)#show port advertise 0/1
Port: 0/1
Type: Gigabit - Level
Link State: Down
Auto Negotiation: Enabled
Clock: Auto
                                1000f 1000h 100f 100h 10f 10h
                                ----- ----- ---- ---- --- ---
Admin Local Link Advertisement  no    no    yes  no   yes no
Oper Local Link Advertisement   no    no    yes  no   yes no
Oper Peer Advertisement         no    no    yes  yes  yes yes
Priority Resolution             -     -     yes  -    -   -
(NETGEAR Switch)#show port advertise
Port      Type                           Neg         Operational Link Advertisement
--------- ------------------------------ ----------- ------------------------------
0/1       Gigabit - Level                Enabled     1000f, 100f, 100h, 10f, 10h
0/2       Gigabit - Level                Enabled     1000f, 100f, 100h, 10f, 10h
0/3       Gigabit - Level                Enabled     1000f, 100f, 100h, 10f, 10h
show port
This command displays port information.
Format   show port {<slot/port> | all}
Mode     Privileged EXEC
Term             Definition
Interface        Valid slot and port number separated by forward slashes.
Type             If not blank, this field indicates that this port is a special type of port. The possible values are:
                 Mirror. This port is a monitoring port. For more information, see Port Mirroring Commands on page 125.
                 PC Mbr. This port is a member of a port-channel (LAG).
                 Probe. This port is a probe port.
Admin Mode       The Port control administration state. The port must be enabled in order for it to be allowed into the network. May be enabled or disabled. The factory default is enabled.
Physical Mode    The desired port speed and duplex mode. If autonegotiation support is selected, the duplex mode and speed is set from the auto-negotiation process. Note that the maximum capability of the port (full-duplex -100M) is advertised. Otherwise, this object determines the port's duplex mode and transmission rate. The factory default is Auto.
Physical Status  The port speed and duplex mode.
Link Status      The Link is up or down.
Link Trap        This object determines whether to send a trap when link status changes. The factory default is enabled.
LACP Mode        LACP is enabled or disabled on this port.
show port protocol
This command displays the Protocol-Based VLAN information for either the entire system, or for the indicated group.
Format   show port protocol {<groupid> | all}
Mode     Privileged EXEC
Term          Definition
Group Name    The group name of an entry in the Protocol-based VLAN table.
Group ID      The group identifier of the protocol group.
Protocol(s)   The type of protocol(s) for this group.
VLAN          The VLAN associated with this Protocol Group.
Interface(s)  Lists the slot/port interface(s) that are associated with this Protocol Group.
show port description
This command displays the port description for every port.
Format   show port description <slot/port>
Mode     Privileged EXEC
Term         Definition
Interface    Valid slot and port number separated by forward slashes
Description  Shows the port description configured via the “description” command
show port status
This command displays the Protocol-Based VLAN information for either the entire system, or for the indicated group.
Format   show port status {<slot/port> | all}
Mode     Privileged EXEC
Term                  Definition
Interface             Valid slot and port number separated by forward slashes.
Media Type            “Copper” or “Fiber” for combo port.
STP Mode              Indicate the spanning tree mode of the port.
Physical Mode         Either “Auto” or fixed speed and duplex mode.
Physical Status       The actual speed and duplex mode.
Link Status           Whether the link is Up or Down.
Loop Status           Whether the port is in loop state or not.
Partner Flow Control  Whether the remote side is using flow control or not.
Loopback Interface Commands
The commands in this section describe how to create, delete, and manage loopback interfaces. A loopback interface is always expected to be up. This interface can provide the source address for sent packets and can receive both local and remote packets. The loopback interface is typically used by routing protocols.
To assign an IP address to the loopback interface, see ip address on page 234.
interface loopback
Use this command to enter the Interface Config mode for a loopback interface. The range of the loopback ID is 0–7.
Format   interface loopback <loopback-id>
Mode     Global Config
no interface loopback
This command removes the loopback interface and associated configuration parameters for the specified loopback interface.
Format   no interface loopback <loopback-id>
Mode     Global Config
show interface loopback
This command displays information about configured loopback interfaces.
Format   show interface loopback [<loopback-id>]
Mode     Privileged EXEC
If you do not specify a loopback ID, the following information appears for each loopback interface on the system:
Term              Definition
Loopback ID       The loopback ID associated with the rest of the information in the row.
Interface         The interface name.
IP Address        The IPv4 address of the interface.
Received Packets  The number of packets received on this interface.
Sent Packets      The number of packets transmitted from this interface.
IPv6 Address      The IPv6 address of this interface.
If you specify a loopback ID, the following information appears:
Term                        Definition
Interface Link Status       Shows whether the link is up or down.
IP Address                  The IPv4 address of the interface.
IPv6 is enabled (disabled)  Shows whether IPv6 is enabled on the interface.
IPv6 Prefix is              The IPv6 address of the interface.
MTU size                    The maximum transmission size for packets on this interface, in bytes.
Spanning Tree Protocol (STP) Commands
This section describes the commands you use to configure Spanning Tree Protocol (STP). STP helps prevent network loops, duplicate messages, and network instability.
spanning-tree
This command sets the spanning-tree operational mode to enabled.
Default  enabled
Format   spanning-tree
Mode     Global Config
no spanning-tree
This command sets the spanning-tree operational mode to disabled. While disabled, the spanning-tree configuration is retained and can be changed, but is not activated.
Format   no spanning-tree
Mode     Global Config
spanning-tree auto-edge
This command enables auto-edge on the interface or range of interfaces. When enabled, the interface becomes an edge port if it does not see BPDUs for edge delay time.
Default  enabled
Format   spanning-tree auto-edge
Mode     Interface Config
no spanning-tree auto-edge
This command disables auto-edge on the interface or range of interfaces.
Format   no spanning-tree auto-edge
Mode     Interface Config
spanning-tree bpdufilter
Use this command to enable BPDU Filter on an interface or range of interfaces.
Default  disabled
Format   spanning-tree bpdufilter
Mode     Interface Config
no spanning-tree bpdufilter
Use this command to disable BPDU Filter on the interface or range of interfaces.
Default  disabled
Format   no spanning-tree bpdufilter
Mode     Interface Config
spanning-tree bpdufilter default
Use this command to enable BPDU Filter on all the edge port interfaces.
Default  disabled
Format   spanning-tree bpdufilter
Mode     Global Config
no spanning-tree bpdufilter default
Use this command to disable BPDU Filter on all the edge port interfaces.
Default  enabled
Format   no spanning-tree bpdufilter default
Mode     Global Config
spanning-tree bpduflood
Use this command to enable BPDU Flood on the interface.
Default  disabled
Format   spanning-tree bpduflood
Mode     Interface Config
no spanning-tree bpduflood
Use this command to disable BPDU Flood on the interface.
Format   no spanning-tree bpduflood
Mode     Interface Config
spanning-tree bpduguard
Use this command to enable BPDU Guard on the switch.
Default  disabled
Format   spanning-tree bpduguard
Mode     Global Config
no spanning-tree bpduguard
Use this command to disable BPDU Guard on the switch.
Format   no spanning-tree bpduguard
Mode     Global Config
spanning-tree bpdumigrationcheck
Use this command to force a transmission of rapid spanning tree (RSTP) and multiple spanning tree (MSTP) BPDUs. Use the <slot/port> parameter to transmit a BPDU from a specified interface, or use the all keyword to transmit BPDUs from all interfaces. This command forces the BPDU transmission when you execute it, so the command does not change the system configuration or have a “no” version.
Format   spanning-tree bpdumigrationcheck {<slot/port> | all}
Mode     Global Config
spanning-tree configuration name
This command sets the Configuration Identifier Name for use in identifying the configuration that this switch is currently using. The <name> is a string of up to 32 characters.
Default  base MAC address in hexadecimal notation
Format   spanning-tree configuration name <name>
Mode     Global Config
no spanning-tree configuration name
This command resets the Configuration Identifier Name to its default.
Format   no spanning-tree configuration name
Mode     Global Config
spanning-tree configuration revision
This command sets the Configuration Identifier Revision Level for use in identifying the configuration that this switch is currently using. The Configuration Identifier Revision Level is a number in the range of 0–65535.
Default  0
Format   spanning-tree configuration revision <0-65535>
Mode     Global Config
no spanning-tree configuration revision
This command resets the Configuration Identifier Revision Level, which identifies the configuration that this switch is currently using, to the default value.
Format   no spanning-tree configuration revision
Mode     Global Config
spanning-tree edgeport
This command specifies that this port is an Edge Port within the Common and Internal Spanning Tree. This allows this port to transition to Forwarding State without delay.
Default  Enabled
Format   spanning-tree edgeport
Mode     Interface Config
no spanning-tree edgeport
This command specifies that this port is not an Edge Port within the Common and Internal Spanning Tree.
Format   no spanning-tree edgeport
Mode     Interface Config
spanning-tree forceversion
This command sets the Force Protocol Version parameter to a new value.
Default  802.1s
Format   spanning-tree forceversion {802.1d | 802.1s | 802.1w}
Mode     Global Config
Use 802.1d to specify that the switch transmits ST BPDUs rather than MST BPDUs (IEEE 802.1d functionality supported).
Use 802.1s to specify that the switch transmits MST BPDUs (IEEE 802.1s functionality supported).
Use 802.1w to specify that the switch transmits RST BPDUs rather than MST BPDUs (IEEE 802.1w functionality supported).
no spanning-tree forceversion
This command sets the Force Protocol Version parameter to the default value.
Format   no spanning-tree forceversion
Mode     Global Config
spanning-tree forward-time
This command sets the Bridge Forward Delay parameter to a new value for the Common and Internal Spanning Tree. The forward-time value is in seconds within a range of 4–30, with the value being greater than or equal to “(Bridge Max Age / 2) + 1”.
Default  15
Format   spanning-tree forward-time <4-30>
Mode     Global Config
no spanning-tree forward-time
This command sets the Bridge Forward Delay parameter for the Common and Internal Spanning Tree to the default value.
Format   no spanning-tree forward-time
Mode     Global Config
spanning-tree guard
This command selects whether loop guard or root guard is enabled on an interface. If neither is enabled, the port operates in accordance with the multiple spanning tree protocol.
Default  none
Format   spanning-tree guard {none | root | loop}
Mode     Interface Config
no spanning-tree guard
This command disables loop guard or root guard on the interface.
Format   no spanning-tree guard
Mode     Interface Config
spanning-tree tcnguard
This command enables the propagation of received topology change notifications and topology changes to other ports.
Default  disable
Format   spanning-tree tcnguard
Mode     Interface Config
no spanning-tree tcnguard
This command disables the propagation of received topology change notifications and topology changes to other ports.
Format   no spanning-tree tcnguard
Mode     Interface Config
spanning-tree max-age
This command sets the Bridge Max Age parameter to a new value for the Common and Internal Spanning Tree. The max-age value is in seconds within a range of 6–40, with the value being less than or equal to 2 x (Bridge Forward Delay - 1).
Default  20
Format   spanning-tree max-age <6-40>
Mode     Global Config
no spanning-tree max-age
This command sets the Bridge Max Age parameter for the Common and Internal Spanning Tree to the default value.
Format   no spanning-tree max-age
Mode     Global Config
spanning-tree max-hops
This command sets the MSTP Max Hops parameter to a new value for the Common and Internal Spanning Tree. The max-hops value is a range from 6 to 40.
Default  20
Format   spanning-tree max-hops <1-127>
Mode     Global Config
no spanning-tree max-hops
This command sets the Bridge Max Hops parameter for the Common and Internal Spanning Tree to the default value.
Format   no spanning-tree max-hops
Mode     Global Config
spanning-tree mst
This command sets the Path Cost or Port Priority for this port within the multiple spanning tree instance or in the Common and Internal Spanning Tree. If you specify an <mstid> parameter that corresponds to an existing multiple spanning tree instance, the configurations are done for that multiple spanning tree instance. If you specify 0 (defined as the default CIST ID) as the <mstid>, the configurations are done for the Common and Internal Spanning Tree instance.
If you specify the cost option, the command sets the path cost for this port within a multiple spanning tree instance or the Common and Internal Spanning Tree instance, depending on the <mstid> parameter. You can set the path cost as a number in the range of 1–200000000 or auto. If you select auto, the path cost value is set based on Link Speed.
If you specify the external-cost option, this command sets the external-path cost for MST instance 0, that is, the CIST instance. You can set the external cost as a number in the range of 1–200000000 or auto. If you specify auto, the external path cost value is set based on Link Speed.
If you specify the port-priority option, this command sets the priority for this port within a specific multiple spanning tree instance or the Common and Internal Spanning Tree instance, depending on the <mstid> parameter. The port-priority value is a number in the range of 0–240 in increments of 16.
Default  cost—auto
         external-cost—auto
         port-priority—128
Format   spanning-tree mst <mstid> {{cost <1-200000000> | auto} | {external-cost <1-200000000> | auto} | port-priority <0-240>}
Mode     Interface Config
no spanning-tree mst
This command sets the Path Cost or Port Priority for this port within the multiple spanning tree instance, or in the Common and Internal Spanning Tree to the respective default values. If you specify an <mstid> parameter that corresponds to an existing multiple spanning tree instance, you are configuring that multiple spanning tree instance. If you specify 0 (defined as the default CIST ID) as the <mstid>, you are configuring the Common and Internal Spanning Tree instance.
If you specify cost, this command sets the path cost for this port within a multiple spanning tree instance or the Common and Internal Spanning Tree instance, depending on the <mstid> parameter, to the default value, that is, a path cost value based on the Link Speed.
If you specify external-cost, this command sets the external path cost for this port for mst ‘0’ instance, to the default value, that is, a path cost value based on the Link Speed.
If you specify port-priority, this command sets the priority for this port within a specific multiple spanning tree instance or the Common and Internal Spanning Tree instance, depending on the <mstid> parameter, to the default value.
Format   no spanning-tree mst <mstid> [cost | external-cost | port-priority]
Mode     Interface Config
spanning-tree mst instance
This command adds a multiple spanning tree instance to the switch. The parameter <mstid> is a number within a range of 1–4094, that corresponds to the new instance ID to be added. The maximum number of multiple instances supported by the switch is 4.
Default  none
Format   spanning-tree mst instance <mstid>
Mode     Global Config
no spanning-tree mst instance
This command removes a multiple spanning tree instance from the switch and reallocates all VLANs allocated to the deleted instance to the Common and Internal Spanning Tree. The parameter <mstid> is a number that corresponds to the desired existing multiple spanning tree instance to be removed.
Format   no spanning-tree mst instance <mstid>
Mode     Global Config
spanning-tree mst priority
This command sets the bridge priority for a specific multiple spanning tree instance. The parameter <mstid> is a number that corresponds to the desired existing multiple spanning tree instance. The priority value is a number within a range of 0–61440 in increments of 4096.
If you specify 0 (defined as the default CIST ID) as the <mstid>, this command sets the Bridge Priority parameter to a new value for the Common and Internal Spanning Tree. The bridge priority value is a number within a range of 0–61440. The twelve least significant bits are masked according to the 802.1s specification. This causes the priority to be rounded down to the next lower valid priority.
Default  32768
Format   spanning-tree mst priority <mstid> <0-61440>
Mode     Global Config
no spanning-tree mst priority
This command sets the bridge priority for a specific multiple spanning tree instance to the default value. The parameter <mstid> is a number that corresponds to the desired existing multiple spanning tree instance.
If 0 (defined as the default CIST ID) is passed as the <mstid>, this command sets the Bridge Priority parameter for the Common and Internal Spanning Tree to the default value.
Format   no spanning-tree mst priority <mstid>
Mode     Global Config
spanning-tree mst vlan
This command adds an association between a multiple spanning tree instance and one or more VLANs so that the VLAN(s) are no longer associated with the Common and Internal Spanning Tree. The parameter <mstid> is a number that corresponds to the desired existing multiple spanning tree instance. The vlan range can be specified as a list or as a range of values. To specify a list of VLANs, enter a list of VLAN IDs, each separated by a comma with no spaces in between. To specify a range of VLANs, separate the beginning and ending VLAN ID with a dash ("-").
Format   spanning-tree mst vlan <mstid> <vlanid>
Mode     Global Config
no spanning-tree mst vlan
This command removes an association between a multiple spanning tree instance and one or more VLANs so that the VLAN(s) are again associated with the Common and Internal Spanning Tree.
Format   no spanning-tree mst vlan <mstid> <vlanid>
Mode     Global Config
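The argument rules stated for spanning-tree forward-time, max-age, mst priority, mst port-priority and mst vlan can be checked before a change is pushed to the switch. The following is an added example, not NETGEAR code: all function names are hypothetical, the 4094 VLAN upper bound is the 802.1Q limit rather than a value from this manual, combining lists and ranges in one VLAN argument is a generalization, and the timer ordering assumes the switch validates each command against the other timer's current value.

```python
"""Pre-flight checks for spanning-tree arguments (added example, hypothetical names)."""


def timers_valid(forward_time: int, max_age: int) -> bool:
    """True if the pair satisfies the documented ranges and relation.

    forward-time >= (max-age / 2) + 1 and max-age <= 2 x (forward-time - 1)
    are the same inequality, so one comparison covers both commands.
    """
    return (4 <= forward_time <= 30
            and 6 <= max_age <= 40
            and max_age <= 2 * (forward_time - 1))


def plan_timer_change(cur_fwd: int, cur_age: int, new_fwd: int, new_age: int) -> list:
    """Order the two commands so that the intermediate state is valid too.

    Assumption: each command is checked against the other timer's currently
    configured value. When the current pair is valid, one order always works:
    raise forward-time first, or lower max-age first.
    """
    if not timers_valid(new_fwd, new_age):
        raise ValueError(f"target forward-time {new_fwd} / max-age {new_age} is invalid")
    set_age = f"spanning-tree max-age {new_age}"
    set_fwd = f"spanning-tree forward-time {new_fwd}"
    if timers_valid(cur_fwd, new_age):
        return [set_age, set_fwd]
    if timers_valid(new_fwd, cur_age):
        return [set_fwd, set_age]
    raise ValueError("current timers are themselves invalid")


def effective_bridge_priority(value: int) -> int:
    """Priority the bridge ends up with after the twelve low bits are masked."""
    if not 0 <= value <= 61440:
        raise ValueError("bridge priority must be in 0-61440")
    return value & ~0xFFF


def check_port_priority(value: int) -> int:
    """Port priority is 0-240 in increments of 16."""
    if not 0 <= value <= 240 or value % 16:
        raise ValueError("port priority must be 0-240 in increments of 16")
    return value


def parse_vlan_arg(arg: str, max_vid: int = 4094) -> list:
    """Expand a <vlanid> argument: comma-separated IDs, no spaces, dash ranges."""
    if not arg or any(ch.isspace() for ch in arg):
        raise ValueError("VLAN list must be non-empty and contain no spaces")
    vids = set()
    for part in arg.split(","):
        lo, dash, hi = part.partition("-")
        if not lo.isdigit() or (dash and not hi.isdigit()):
            raise ValueError(f"malformed VLAN item {part!r}")
        first = int(lo)
        last = int(hi) if dash else first
        if not 1 <= first <= last <= max_vid:
            raise ValueError(f"VLAN item {part!r} out of range or reversed")
        vids.update(range(first, last + 1))
    return sorted(vids)


if __name__ == "__main__":
    # Moving from the defaults (15 / 20) to the minimum timers.
    for command in plan_timer_change(15, 20, 4, 6):
        print(command)
    print(effective_bridge_priority(40000))
    print(parse_vlan_arg("10,20-22,30"))
```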
spanning-tree port mode
This command sets the Administrative Switch Port State for this port to enabled.
Default  enabled
Format   spanning-tree port mode
Mode     Interface Config
no spanning-tree port mode
This command sets the Administrative Switch Port State for this port to disabled.
Format   no spanning-tree port mode
Mode     Interface Config
spanning-tree port mode all
This command sets the Administrative Switch Port State for all ports to enabled.
Default  enabled
Format   spanning-tree port mode all
Mode     Global Config
no spanning-tree port mode all
This command sets the Administrative Switch Port State for all ports to disabled.
Format   no spanning-tree port mode all
Mode     Global Config
spanning-tree edgeport all
This command specifies that every port is an Edge Port within the Common and Internal Spanning Tree. This allows all ports to transition to Forwarding State without delay.
Format   spanning-tree edgeport all
Mode     Global Config
no spanning-tree edgeport all
This command disables Edge Port mode for all ports within the Common and Internal Spanning Tree.
Format   no spanning-tree edgeport all
Mode     Global Config
spanning-tree bpduforwarding
Normally a switch does not forward Spanning Tree Protocol (STP) BPDU packets if STP is disabled. However, if in some network setups you want the switch to forward BPDU packets received from other network devices, use this command to enable the forwarding.
Default  disabled
Format   spanning-tree bpduforwarding
Mode     Global Config
no spanning-tree bpduforwarding
This command will cause the STP BPDU packets received from the network to be dropped if STP is disabled.
Format   no spanning-tree bpduforwarding
Mode     Global Config
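The BPDU handling commands above (bpduguard, bpdufilter, guard, edgeport, port mode, bpduforwarding) interact, so a configuration review is easier with a small audit over a saved configuration listing. The following is an added example, not NETGEAR code: the listing layout (interface <slot/port> blocks closed by exit, non-default settings only, per-port rather than "all" command forms), the rule set and every Python name are assumptions, SAMPLE_CONFIG is constructed, and the defaults are the ones this chapter states.

```python
"""Audit a configuration listing for the spanning-tree protections in this chapter."""
import re

# Defaults as stated in this chapter.
GLOBAL_DEFAULTS = {"stp": True, "bpduguard": False,
                   "bpdufilter_default": False, "bpduforwarding": False}
PORT_DEFAULTS = {"port_mode": True, "edgeport": True,
                 "bpdufilter": False, "guard": "none"}

GLOBAL_CMDS = {"spanning-tree": "stp",
               "spanning-tree bpduguard": "bpduguard",
               "spanning-tree bpdufilter default": "bpdufilter_default",
               "spanning-tree bpduforwarding": "bpduforwarding"}
PORT_CMDS = {"spanning-tree port mode": "port_mode",
             "spanning-tree edgeport": "edgeport",
             "spanning-tree bpdufilter": "bpdufilter"}

# Constructed sample listing (not captured from a device).
SAMPLE_CONFIG = """\
configure
interface 0/1
description 'user access'
exit
interface 0/2
spanning-tree bpdufilter
spanning-tree guard root
exit
interface 0/3
no spanning-tree port mode
no spanning-tree edgeport
exit
interface 0/24
description 'uplink'
no spanning-tree edgeport
spanning-tree guard loop
exit
exit
"""


def parse_config(text):
    """Return (global_settings, {port: settings}) with defaults filled in."""
    glob, ports, current = dict(GLOBAL_DEFAULTS), {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if line.startswith("interface "):
            name = line.split(" ", 1)[1]
            # Only physical slot/port blocks are audited; VLAN, LAG and
            # loopback blocks are parsed into a scratch dict and dropped.
            physical = re.fullmatch(r"\d+/\d+", name)
            current = ports.setdefault(name, dict(PORT_DEFAULTS)) if physical else {}
            continue
        if line == "exit":
            current = None
            continue
        negated = line.startswith("no ")
        cmd = line[3:] if negated else line
        if current is None:
            if cmd in GLOBAL_CMDS:
                glob[GLOBAL_CMDS[cmd]] = not negated
        elif cmd.startswith("spanning-tree guard"):
            arg = cmd[len("spanning-tree guard"):].strip()
            current["guard"] = "none" if negated else arg
        elif cmd in PORT_CMDS:
            current[PORT_CMDS[cmd]] = not negated
    return glob, ports


def audit(text, expected_ports=()):
    """Return a list of (scope, message) findings, global scope first."""
    glob, ports = parse_config(text)
    for name in expected_ports:  # ports absent from the listing run on defaults
        ports.setdefault(name, dict(PORT_DEFAULTS))
    findings = []
    if not glob["stp"]:
        findings.append(("global", "spanning tree is disabled"))
        if glob["bpduforwarding"]:
            findings.append(("global", "received BPDUs are forwarded while spanning tree is disabled"))
    if glob["bpdufilter_default"]:
        findings.append(("global", "BPDU Filter is enabled on all edge ports"))
    for name in sorted(ports, key=lambda n: tuple(int(x) for x in n.split("/"))):
        port = ports[name]
        if not port["port_mode"]:
            findings.append((name, "spanning tree port mode is disabled"))
        if port["bpdufilter"]:
            findings.append((name, "BPDU Filter is enabled"))
        if port["edgeport"] and not glob["bpduguard"] and port["guard"] != "root":
            findings.append((name, "edge port with neither BPDU Guard nor Root Guard"))
    return findings


if __name__ == "__main__":
    for scope, message in audit(SAMPLE_CONFIG):
        print(f"{scope}: {message}")
```

Pass the full port inventory as expected_ports so that ports missing from the listing, which run on the chapter's defaults (edge port enabled, BPDU Guard disabled), are reported as well.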
show spanning-tree
This command displays spanning tree settings for the Common and Internal Spanning Tree. The following details are displayed.
Format   show spanning-tree
Mode     Privileged EXEC
         User EXEC
Term                            Definition
Bridge Priority                 Specifies the bridge priority for the Common and Internal Spanning Tree (CST). The value lies between 0 and 61440. It is displayed in multiples of 4096.
Bridge Identifier               The bridge identifier for the CST. It is made up using the bridge priority and the base MAC address of the bridge.
Time Since Topology Change      Time in seconds.
Topology Change Count           Number of times changed.
Topology Change                 Boolean value of the Topology Change parameter for the switch indicating if a topology change is in progress on any port assigned to the Common and Internal Spanning Tree.
Designated Root                 The bridge identifier of the root bridge. It is made up from the bridge priority and the base MAC address of the bridge.
Root Path Cost                  Value of the Root Path Cost parameter for the Common and Internal Spanning Tree.
Root Port Identifier            Identifier of the port to access the Designated Root for the CST
Root Port Max Age               Derived value.
Root Port Bridge Forward Delay  Derived value.
Hello Time                      Configured value of the parameter for the CST.
Term                     Definition
Bridge Hold Time         Minimum time between transmission of Configuration Bridge Protocol Data Units (BPDUs).
Bridge Max Hops          Bridge max-hops count for the device.
CST Regional Root        Bridge Identifier of the CST Regional Root. It is made up using the bridge priority and the base MAC address of the bridge.
Regional Root Path Cost  Path Cost to the CST Regional Root.
Associated FIDs          List of forwarding database identifiers currently associated with this instance.
Associated VLANs         List of VLAN IDs currently associated with this instance.
show spanning-tree brief
This command displays spanning tree settings for the bridge. The following information appears.
Format   show spanning-tree brief
Mode     Privileged EXEC
         User EXEC
Term                  Definition
Bridge Priority       Configured value.
Bridge Identifier     The bridge identifier for the selected MST instance. It is made up using the bridge priority and the base MAC address of the bridge.
Bridge Max Age        Configured value.
Bridge Max Hops       Bridge max-hops count for the device.
Bridge Hello Time     Configured value.
Bridge Forward Delay  Configured value.
Bridge Hold Time      Minimum time between transmission of Configuration Bridge Protocol Data Units (BPDUs).
show spanning-tree interface
This command displays the settings and parameters for a specific switch port within the Common and Internal Spanning Tree. The <slot/port> is the desired switch port. The following details are displayed on execution of the command.
Format   show spanning-tree interface <slot/port>
Mode     Privileged EXEC
         User EXEC
Term                                      Definition
Hello Time                                Admin hello time for this port.
Port Mode                                 Enabled or disabled.
BPDU Guard Effect                         Enabled or disabled.
Root Guard                                Enabled or disabled.
Loop Guard                                Enabled or disabled.
TCN Guard                                 Enable or disable the propagation of received topology change notifications and topology changes to other ports.
BPDU Filter Mode                          Enabled or disabled.
BPDU Flood Mode                           Enabled or disabled.
Auto Edge                                 To enable or disable the feature that causes a port that has not seen a BPDU for ‘edge delay’ time, to become an edge port and transition to forwarding faster.
Port Up Time Since Counters Last Cleared  Time since port was reset, displayed in days, hours, minutes, and seconds.
STP BPDUs Transmitted                     Spanning Tree Protocol Bridge Protocol Data Units sent.
STP BPDUs Received                        Spanning Tree Protocol Bridge Protocol Data Units received.
RSTP BPDUs Transmitted                    Rapid Spanning Tree Protocol Bridge Protocol Data Units sent.
RSTP BPDUs Received                       Rapid Spanning Tree Protocol Bridge Protocol Data Units received.
MSTP BPDUs Transmitted                    Multiple Spanning Tree Protocol Bridge Protocol Data Units sent.
MSTP BPDUs Received                       Multiple Spanning Tree Protocol Bridge Protocol Data Units received.
show spanning-tree mst port detailed
This command displays the detailed settings and parameters for a specific switch port within a particular multiple spanning tree instance. The parameter <mstid> is a number that corresponds to the desired existing multiple spanning tree instance. The <slot/port> is the desired switch port.
Format show spanning-tree mst port detailed <mstid> <slot/port>
Mode Privileged EXEC, User EXEC
Term Definition
MST Instance ID: The ID of the existing MST instance.
Port Identifier: The port identifier for the specified port within the selected MST instance. It is made up from the port priority and the interface number of the port.
Port Priority: The priority for a particular port within the selected MST instance. The port priority is displayed in multiples of 16.
Port Forwarding State: Current spanning tree state of this port.
Port Role: Each enabled MST Bridge Port receives a Port Role for each spanning tree. The port role is one of the following values: Root Port, Designated Port, Alternate Port, Backup Port, Master Port, or Disabled Port.
Auto-Calculate Port Path Cost: Indicates whether auto calculation for port path cost is enabled.
Port Path Cost: Configured value of the Internal Port Path Cost parameter.
Designated Root: The Identifier of the designated root for this port.
Root Path Cost: The path cost to get to the root bridge for this instance. The root path cost is zero if the bridge is the root bridge for that instance.
Designated Bridge: Bridge Identifier of the bridge with the Designated Port.
Designated Port Identifier: Port on the Designated Bridge that offers the lowest cost to the LAN.
Loop Inconsistent State: The current loop inconsistent state of this port in this MST instance. When in loop inconsistent state, the port has failed to receive BPDUs while configured with loop guard enabled. Loop inconsistent state maintains the port in a "blocking" state until a subsequent BPDU is received.
Transitions Into Loop Inconsistent State: The number of times this interface has transitioned into loop inconsistent state.
Transitions Out of Loop Inconsistent State: The number of times this interface has transitioned out of loop inconsistent state.
If you specify 0 (defined as the default CIST ID) as the <mstid>, this command displays the settings and parameters for a specific switch port within the Common and Internal Spanning Tree. The <slot/port> is the desired switch port. In this case, the following are displayed.
Term Definition
Port Identifier: The port identifier for this port within the CST.
Port Priority: The priority of the port within the CST.
Port Forwarding State: The forwarding state of the port within the CST.
Port Role: The role of the specified interface within the CST.
Auto-Calculate Port Path Cost: Indicates whether auto calculation for port path cost is enabled or not (disabled).
Port Path Cost: The configured path cost for the specified interface.
Auto-Calculate External Port Path Cost: Indicates whether auto calculation for external port path cost is enabled.
External Port Path Cost: The cost to get to the root bridge of the CIST across the boundary of the region. This means that if the port is a boundary port for an MSTP region, the external path cost is used.
Designated Root: Identifier of the designated root for this port within the CST.
Root Path Cost: The root path cost to the LAN by the port.
Designated Bridge: The bridge containing the designated port.
Designated Port Identifier: Port on the Designated Bridge that offers the lowest cost to the LAN.
Topology Change Acknowledgement: Value of flag in next Configuration Bridge Protocol Data Unit (BPDU) transmission indicating if a topology change is in progress for this port.
Hello Time: The hello time in use for this port.
Edge Port: The configured value indicating if this port is an edge port.
Edge Port Status: The derived value of the edge port status. True if operating as an edge port; false otherwise.
Point To Point MAC Status: Derived value indicating if this port is part of a point to point link.
CST Regional Root: The regional root identifier in use for this port.
CST Internal Root Path Cost: The internal root path cost to the LAN by the designated external port.
Loop Inconsistent State: The current loop inconsistent state of this port in this MST instance. When in loop inconsistent state, the port has failed to receive BPDUs while configured with loop guard enabled. Loop inconsistent state maintains the port in a "blocking" state until a subsequent BPDU is received.
Transitions Into Loop Inconsistent State: The number of times this interface has transitioned into loop inconsistent state.
Transitions Out of Loop Inconsistent State: The number of times this interface has transitioned out of loop inconsistent state.
show spanning-tree mst port summary
This command displays the settings of one or all ports within the specified multiple spanning tree instance. The parameter <mstid> indicates a particular MST instance. The parameter {<slot/port> | all} indicates the desired switch port or all ports.
If you specify 0 (defined as the default CIST ID) as the <mstid>, the status summary displays for one or all ports within the Common and Internal Spanning Tree.
Format show spanning-tree mst port summary <mstid> {<slot/port> | all}
Mode Privileged EXEC, User EXEC
Term Definition
MST Instance ID: The MST instance associated with this port.
Interface: Valid slot and port number separated by forward slashes.
STP Mode: Indicates whether spanning tree is enabled or disabled on the port.
Type: Currently not used.
STP State: The forwarding state of the port in the specified spanning tree instance.
Port Role: The role of the specified port within the spanning tree.
Desc: Indicates whether the port is in loop inconsistent state or not. This field is blank if the loop guard feature is not available.
show spanning-tree mst port summary active
This command displays settings for the ports within the specified multiple spanning tree instance that are active links.
Format show spanning-tree mst port summary <mstid> active
Mode Privileged EXEC, User EXEC
Term Definition
mstid: The ID of the existing MST instance.
Interface: slot/port
STP Mode: Indicates whether spanning tree is enabled or disabled on the port.
Type: Currently not used.
STP State: The forwarding state of the port in the specified spanning tree instance.
Port Role: The role of the specified port within the spanning tree.
Desc: Indicates whether the port is in loop inconsistent state or not. This field is blank if the loop guard feature is not available.
show spanning-tree mst summary
This command displays summary information about all multiple spanning tree instances in the switch. On execution, the following details are displayed.
Format show spanning-tree mst summary
Mode Privileged EXEC, User EXEC
Term Definition
MST Instance ID List: List of multiple spanning trees IDs currently configured.
For each MSTID:
Associated FIDs: List of forwarding database identifiers associated with this instance.
Associated VLANs: List of VLAN IDs associated with this instance.
show spanning-tree summary
This command displays spanning tree settings and parameters for the switch. The following details are displayed on execution of the command.
Format show spanning-tree summary
Mode Privileged EXEC, User EXEC
Term Definition
Spanning Tree Adminmode: Enabled or disabled.
Spanning Tree Version: Version of 802.1 currently supported (IEEE 802.1s, IEEE 802.1w, or IEEE 802.1d) based upon the Force Protocol Version parameter.
BPDU Guard Mode: Enabled or disabled.
BPDU Filter Mode: Enabled or disabled.
Configuration Name: Identifier used to identify the configuration currently being used.
Configuration Revision Level: Identifier used to identify the configuration currently being used.
Configuration Digest Key: A generated Key used in the exchange of the BPDUs.
Configuration Format Selector: Specifies the version of the configuration format being used in the exchange of BPDUs. The default value is zero.
MST Instances: List of all multiple spanning tree instances configured on the switch.
show spanning-tree vlan
This command displays the association between a VLAN and a multiple spanning tree instance. The <vlanid> corresponds to an existing VLAN ID.
Format show spanning-tree vlan <vlanid>
Mode Privileged EXEC, User EXEC
Term Definition
VLAN Identifier: The VLANs associated with the selected MST instance.
Associated Instance: Identifier for the associated multiple spanning tree instance or “CST” if associated with the Common and Internal Spanning Tree.
VLAN Commands
This section describes the commands you use to configure VLAN settings.
vlan database
This command gives you access to the VLAN Config mode, which allows you to configure VLAN characteristics.
Format vlan database
Mode Privileged EXEC
network mgmt_vlan
This command configures the Management VLAN ID.
Default 1
Format network mgmt_vlan <1-4093>
Mode Privileged EXEC
no network mgmt_vlan
This command sets the Management VLAN ID to the default.
Format no network mgmt_vlan
Mode Privileged EXEC
vlan
This command creates a new VLAN and assigns it an ID. The ID is a valid VLAN identification number (ID 1 is reserved for the default VLAN). The vlan-list contains VLAN IDs in the range <1-4093>. Separate non-consecutive IDs with ',' and no spaces and no zeros in between the range; use '-' for a range.
Format vlan <vlan-list>
Mode VLAN Config
no vlan
This command deletes an existing VLAN. The ID is a valid VLAN identification number (ID 1 is reserved for the default VLAN). The vlan-list contains VLAN IDs in the range <1-4093>. Separate non-consecutive IDs with ',' and no spaces and no zeros in between the range; use '-' for a range.
Format no vlan <vlan-list>
Mode VLAN Config
vlan acceptframe
This command sets the frame acceptance mode per interface. For VLAN Only mode, untagged frames or priority frames received on this interface are discarded. For Admit All mode, untagged frames or priority frames received on this interface are accepted and assigned the value of the interface VLAN ID for this port. With either option, VLAN tagged frames are forwarded in accordance with the IEEE 802.1Q VLAN Specification.
Default all
Format vlan acceptframe {untaggedonly | vlanonly | all}
Mode Interface Config
no vlan acceptframe
This command resets the frame acceptance mode for the interface to the default value.
Format no vlan acceptframe
Mode Interface Config
vlan ingressfilter
This command enables ingress filtering. If ingress filtering is disabled, frames received with VLAN IDs that do not match the VLAN membership of the receiving interface are admitted and forwarded to ports that are members of that VLAN.
Default disabled
Format vlan ingressfilter
Mode Interface Config
no vlan ingressfilter
This command disables ingress filtering. If ingress filtering is disabled, frames received with VLAN IDs that do not match the VLAN membership of the receiving interface are admitted and forwarded to ports that are members of that VLAN.
Format no vlan ingressfilter
Mode Interface Config
vlan makestatic
This command changes a dynamically created VLAN (one that is created by GVRP registration) to a static VLAN (one that is permanently configured and defined). The ID is a valid VLAN identification number. VLAN range is 2-4093.
Format vlan makestatic <2-4093>
Mode VLAN Config
vlan name
This command changes the name of a VLAN. The name is an alphanumeric string of up to 32 characters, and the ID is a valid VLAN identification number. ID range is 1-4093.
Default VLAN ID 1 - default; other VLANs - blank string
Format vlan name <1-4093> <name>
Mode VLAN Config
no vlan name
This command sets the name of a VLAN to a blank string.
Format no vlan name <1-4093>
Mode VLAN Config
vlan participation
This command configures the degree of participation for a specific interface in a VLAN. The ID is a valid VLAN identification number, and the interface is a valid interface number.
Format vlan participation {exclude | include | auto} <1-4093>
Mode Interface Config
Participation options are:
Participation Options Definition
include: The interface is always a member of this VLAN. This is equivalent to registration fixed.
exclude: The interface is never a member of this VLAN. This is equivalent to registration forbidden.
auto: The interface is dynamically registered in this VLAN by GVRP. The interface will not participate in this VLAN unless a join request is received on this interface. This is equivalent to registration normal.
vlan participation all
This command configures the degree of participation for all interfaces in a VLAN. The ID is a valid VLAN identification number.
Format vlan participation all {exclude | include | auto} <1-4093>
Mode Global Config
You can use the following participation options:
Participation Options Definition
include: The interface is always a member of this VLAN. This is equivalent to registration fixed.
exclude: The interface is never a member of this VLAN. This is equivalent to registration forbidden.
auto: The interface is dynamically registered in this VLAN by GVRP. The interface will not participate in this VLAN unless a join request is received on this interface. This is equivalent to registration normal.
vlan port acceptframe all
This command sets the frame acceptance mode for all interfaces.
Default all
Format vlan port acceptframe all {vlanonly | all}
Mode Global Config
The modes are defined as follows:
Mode Definition
VLAN Only mode: Untagged frames or priority frames received on this interface are discarded.
Admit All mode: Untagged frames or priority frames received on this interface are accepted and assigned the value of the interface VLAN ID for this port.
With either option, VLAN tagged frames are forwarded in accordance with the IEEE 802.1Q VLAN Specification.
no vlan port acceptframe all
This command sets the frame acceptance mode for all interfaces to Admit All. For Admit All mode, untagged frames or priority frames received on this interface are accepted and assigned the value of the interface VLAN ID for this port. With either option, VLAN tagged frames are forwarded in accordance with the IEEE 802.1Q VLAN Specification.
Format no vlan port acceptframe all
Mode Global Config
vlan port ingressfilter all
This command enables ingress filtering for all ports. If ingress filtering is disabled, frames received with VLAN IDs that do not match the VLAN membership of the receiving interface are admitted and forwarded to ports that are members of that VLAN.
Default disabled
Format vlan port ingressfilter all
Mode Global Config
no vlan port ingressfilter all
This command disables ingress filtering for all ports. If ingress filtering is disabled, frames received with VLAN IDs that do not match the VLAN membership of the receiving interface are admitted and forwarded to ports that are members of that VLAN.
Format no vlan port ingressfilter all
Mode Global Config
vlan port pvid all
This command changes the VLAN ID for all interfaces.
Default 1
Format vlan port pvid all <1-4093>
Mode Global Config
no vlan port pvid all
This command sets the VLAN ID for all interfaces to 1.
Format no vlan port pvid all
Mode Global Config
vlan port tagging all
This command configures the tagging behavior for all interfaces in a VLAN to enabled. If tagging is enabled, traffic is transmitted as tagged frames. If tagging is disabled, traffic is transmitted as untagged frames. The ID is a valid VLAN identification number.
Format vlan port tagging all <1-4093>
Mode Global Config
no vlan port tagging all
This command configures the tagging behavior for all interfaces in a VLAN to disabled. If tagging is disabled, traffic is transmitted as untagged frames. The ID is a valid VLAN identification number.
Format no vlan port tagging all
Mode Global Config
vlan protocol group
This command adds protocol-based VLAN groups to the system. When it is created, the protocol group will be assigned a unique number (1-128) that will be used to identify the group in subsequent commands.
Format vlan protocol group <1-128>
Mode Global Config
no vlan protocol group
This command removes a protocol group.
Format no vlan protocol group <1-128>
Mode Global Config
vlan protocol group name
This command assigns a name to a protocol-based VLAN group. The groupname variable can be a character string of 0–16 characters.
Format vlan protocol group name <1-128> <groupname>
Mode Global Config
no vlan protocol group name
This command removes the name from a protocol-based VLAN group.
Format no vlan protocol group name <1-128>
Mode Global Config
vlan protocol group add protocol
This command adds the protocol to the protocol-based VLAN identified by groupid. A group may have more than one protocol associated with it. Each interface and protocol combination can only be associated with one group. If adding a protocol to a group causes any conflicts with interfaces currently associated with the group, this command fails and the protocol is not added to the group. The possible values for protocol-list include the keywords ip, arp, and ipx and hexadecimal or decimal values ranging from 0x0600 (1536) to 0xFFFF (65535). The protocol list can accept up to 16 protocols separated by a comma.
Default none
Format vlan protocol group add protocol <groupid> <ethertype> {<protocol-list> | arp | ip | ipx}
Mode Global Config
no vlan protocol group add protocol
This command removes the <protocol> from this protocol-based VLAN group that is identified by this <groupid>. The possible values for protocol are ip, arp, and ipx.
Format no vlan protocol group add protocol <groupid> <ethertype> {<protocol-list> | arp | ip | ipx}
Mode Global Config
protocol group
This command attaches a <vlanid> to the protocol-based VLAN identified by <groupid>. A group may only be associated with one VLAN at a time; however, the VLAN association can be changed.
Default none
Format protocol group <groupid> <vlanid>
Mode VLAN Config
no protocol group
This command removes the <vlanid> from this protocol-based VLAN group that is identified by this <groupid>.
Format no protocol group <groupid> <vlanid>
Mode VLAN Config
protocol vlan group
This command adds the physical interface to the protocol-based VLAN identified by <groupid>. You can associate multiple interfaces with a group, but you can only associate each interface and protocol combination with one group. If adding an interface to a group causes any conflicts with protocols currently associated with the group, this command fails and the interface(s) are not added to the group.
Default none
Format protocol vlan group <groupid>
Mode Interface Config
no protocol vlan group
This command removes the interface from this protocol-based VLAN group that is identified by this <groupid>.
Format no protocol vlan group <groupid>
Mode Interface Config
protocol vlan group all
This command adds all physical interfaces to the protocol-based VLAN identified by <groupid>. You can associate multiple interfaces with a group, but you can only associate each interface and protocol combination with one group. If adding an interface to a group causes any conflicts with protocols currently associated with the group, this command will fail and the interface(s) will not be added to the group.
Default none
Format protocol vlan group all <groupid>
Mode Global Config
no protocol vlan group all
This command removes all interfaces from this protocol-based VLAN group that is identified by this <groupid>.
Format no protocol vlan group all <groupid>
Mode Global Config
vlan pvid
This command changes the VLAN ID per interface.
Default 1
Format vlan pvid <1-4093>
Mode Interface Config
no vlan pvid
This command sets the VLAN ID per interface to 1.
Format no vlan pvid
Mode Interface Config
vlan tagging
This command configures the tagging behavior for a specific interface in a VLAN to enabled. If tagging is enabled, traffic is transmitted as tagged frames. If tagging is disabled, traffic is transmitted as untagged frames. The vlan-list contains VLAN IDs in the range <1-4093>. Separate non-consecutive IDs with ',' and no spaces and no zeros in between the range; use '-' for a range.
Format vlan tagging <vlan-list>
Mode Interface Config
no vlan tagging
This command configures the tagging behavior for a specific interface in a VLAN to disabled. If tagging is disabled, traffic is transmitted as untagged frames. The vlan-list contains VLAN IDs in the range <1-4093>. Separate non-consecutive IDs with ',' and no spaces and no zeros in between the range; use '-' for a range.
Format no vlan tagging <vlan-list>
Mode Interface Config
vlan association subnet
This command associates a VLAN to a specific IP-subnet.
Format vlan association subnet <ipaddr> <netmask> <1-4093>
Mode VLAN Config
no vlan association subnet
This command removes association of a specific IP-subnet to a VLAN.
Format no vlan association subnet <ipaddr> <netmask>
Mode VLAN Config
vlan association mac
This command associates a MAC address to a VLAN.
Format vlan association mac <macaddr> <1-4093>
Mode VLAN database
no vlan association mac
This command removes the association of a MAC address to a VLAN.
Format no vlan association mac <macaddr>
Mode VLAN database
remote-span
This command identifies the VLAN as the RSPAN VLAN.
Format remote-span
Mode VLAN configuration
show vlan
This command displays a list of all configured VLANs or detailed information for a specific VLAN.
Format show vlan [<vlanid>]
Mode Privileged EXEC, User EXEC
Term Definition
VLAN ID: A VLAN Identifier (VID) is associated with each VLAN. The range of the VLAN ID is 1–4093.
VLAN Name: A string associated with this VLAN as a convenience. It can be up to 32 alphanumeric characters long, including blanks. The default is blank. VLAN ID 1 always has a name of “Default.” This field is optional.
VLAN Type: Type of VLAN, which can be Default (VLAN ID = 1) or static (one that is configured and permanently defined), or Dynamic (one that is created by GVRP registration).
If you enter the optional <vlanid> parameter, the command output also displays detailed information, including interface information, for a specific VLAN. The ID is a valid VLAN identification number.
Term Definition
Interface: Valid slot and port number separated by forward slashes. It is possible to set the parameters for all ports by using the selectors on the top line.
Current: The degree of participation of this port in this VLAN. The permissible values are:
Include - This port is always a member of this VLAN. This is equivalent to registration fixed in the IEEE 802.1Q standard.
Exclude - This port is never a member of this VLAN. This is equivalent to registration forbidden in the IEEE 802.1Q standard.
Autodetect - To allow the port to be dynamically registered in this VLAN via GVRP. The port will not participate in this VLAN unless a join request is received on this port. This is equivalent to registration normal in the IEEE 802.1Q standard.
Configured: The configured degree of participation of this port in this VLAN. The permissible values are:
Include - This port is always a member of this VLAN. This is equivalent to registration fixed in the IEEE 802.1Q standard.
Exclude - This port is never a member of this VLAN. This is equivalent to registration forbidden in the IEEE 802.1Q standard.
Autodetect - To allow the port to be dynamically registered in this VLAN via GVRP. The port will not participate in this VLAN unless a join request is received on this port. This is equivalent to registration normal in the IEEE 802.1Q standard.
Tagging: The tagging behavior for this port in this VLAN.
Tagged - Transmit traffic for this VLAN as tagged frames.
Untagged - Transmit traffic for this VLAN as untagged frames.
show vlan brief
This command displays a list of all configured VLANs.
Format show vlan brief
Mode Privileged EXEC, User EXEC
show vlan port
This command displays VLAN port information.
Format show vlan port {<slot/port> | all}
Mode Privileged EXEC, User EXEC
Term Definition
Interface: Valid slot and port number separated by forward slashes. It is possible to set the parameters for all ports by using the selectors on the top line.
Port VLAN ID: The VLAN ID that this port will assign to untagged frames or priority tagged frames received on this port. The value must be for an existing VLAN. The factory default is 1.
Acceptable Frame Types: The types of frames that may be received on this port. The options are 'VLAN only' and 'Admit All'. When set to 'VLAN only', untagged frames or priority tagged frames received on this port are discarded. When set to 'Admit All', untagged frames or priority tagged frames received on this port are accepted and assigned the value of the Port VLAN ID for this port. With either option, VLAN tagged frames are forwarded in accordance with the 802.1Q VLAN specification.
Ingress Filtering: May be enabled or disabled. When enabled, the frame is discarded if this port is not a member of the VLAN with which this frame is associated. In a tagged frame, the VLAN is identified by the VLAN ID in the tag. In an untagged frame, the VLAN is the Port VLAN ID specified for the port that received this frame. When disabled, all frames are forwarded in accordance with the 802.1Q VLAN bridge specification. The factory default is disabled.
GVRP: May be enabled or disabled.
Default Priority: The 802.1p priority assigned to tagged packets arriving on the port.
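The following added example (not NETGEAR code) models the per-port ingress decision that the Port VLAN ID, Acceptable Frame Types, and Ingress Filtering fields describe, and lists which VLANs a port exposes with ingress filtering disabled and enabled. The Port class, the function names, and the sample port are constructed for illustration; the untaggedonly keyword is not modeled because this section does not define it.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

ADMIT_ALL = "all"        # keyword of 'vlan acceptframe'
VLAN_ONLY = "vlanonly"   # keyword of 'vlan acceptframe'


@dataclass
class Port:
    """Per-interface settings as reported by 'show vlan port' (hypothetical model)."""
    name: str
    pvid: int = 1                    # factory default Port VLAN ID
    accept_frame: str = ADMIT_ALL    # default acceptable frame type
    ingress_filter: bool = False     # factory default is disabled
    member_vlans: Set[int] = field(default_factory=lambda: {1})


def classify(port: Port, tag_vid: Optional[int]) -> Tuple[str, Optional[int], str]:
    """Decide what happens to one received frame.

    tag_vid is None for an untagged frame, 0 for a priority-tagged frame,
    or 1-4093 for a VLAN-tagged frame. Returns (verdict, vlan, reason).
    """
    if tag_vid is not None and not 0 <= tag_vid <= 4093:
        raise ValueError(f"VLAN ID out of range: {tag_vid}")

    if tag_vid in (None, 0):
        # Untagged and priority frames are governed by the acceptable frame type.
        if port.accept_frame == VLAN_ONLY:
            return ("discard", None, "VLAN Only mode drops untagged/priority frames")
        vlan = port.pvid             # Admit All: the frame is assigned the PVID
    else:
        vlan = tag_vid               # tagged frame: the VLAN comes from the tag

    if port.ingress_filter and vlan not in port.member_vlans:
        return ("discard", vlan, "ingress filtering: port is not a member")
    if vlan not in port.member_vlans:
        return ("admit", vlan, "non-member VLAN admitted (ingress filtering disabled)")
    return ("admit", vlan, "port is a member")


def reachable_vlans(port: Port, configured_vlans: Set[int]) -> Set[int]:
    """VLANs into which a device attached to this port can get frames admitted."""
    reached = set()
    for tag in [None, *sorted(configured_vlans)]:
        verdict, vlan, _ = classify(port, tag)
        if verdict == "admit" and vlan in configured_vlans:
            reached.add(vlan)
    return reached


# Constructed sample: a switch with three VLANs and one user-facing port in VLAN 10.
CONFIGURED = {1, 10, 20}
default_port = Port("0/5", pvid=10, member_vlans={10})
hardened_port = Port("0/5", pvid=10, member_vlans={10}, ingress_filter=True)

if __name__ == "__main__":
    for label, port in (("ingress filtering disabled", default_port),
                        ("ingress filtering enabled", hardened_port)):
        print(label, "-> reachable VLANs:", sorted(reachable_vlans(port, CONFIGURED)))
        for tag in (None, 0, 10, 20):
            print("   tag", tag, "->", classify(port, tag))
```

With the factory default (ingress filtering disabled), the membership list alone does not limit which VLANs a port can send into; enabling `vlan ingressfilter` narrows the result to the port's own VLANs.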
show vlan association subnet
This command displays the VLAN associated with a specific configured IP-Address and net mask. If no IP address and net mask are specified, the VLAN associations of all the configured IP-subnets are displayed.
Format show vlan association subnet [<ipaddr> <netmask>]
Mode Privileged EXEC
Term Definition
IP Subnet: The IP address assigned to each interface.
IP Mask: The subnet mask.
VLAN ID: A VLAN Identifier (VID) is associated with each VLAN.
show vlan association mac
This command displays the VLAN associated with a specific configured MAC address. If no MAC address is specified, the VLAN associations of all the configured MAC addresses are displayed.
Format show vlan association mac [<macaddr>]
Mode Privileged EXEC
Term Definition
MAC Address: A MAC address for which the switch has forwarding and/or filtering information. The format is 6 or 8 two-digit hexadecimal numbers that are separated by colons, for example 01:23:45:67:89:AB. In an IVL system the MAC address will be displayed as 8 bytes.
VLAN ID: A VLAN Identifier (VID) is associated with each VLAN.
Switch Port Commands
This section describes the commands used for switch port mode.
switchport mode
Use this command to configure the mode of a switch port as access, trunk, or general:
Trunk mode. In trunk mode, the port becomes a member of all VLANs on the switch unless specified in the allowed list in the switchport trunk allowed vlan command. The PVID of the port is set to the native VLAN as specified in the switchport trunk native vlan command. This means that trunk ports accept both tagged and untagged packets. Untagged packets are processed on the native VLAN and tagged packets are processed on the VLAN for which the ID is contained in the packet. MAC learning is performed on both tagged and untagged packets. Tagged packets that are received with a VLAN ID of which the port is not a member are discarded and MAC learning is not performed. The trunk ports always transmit packets untagged on a native VLAN.
Access mode. In access mode, the port becomes a member of only one VLAN. The port sends and receives untagged traffic. The port can also receive tagged traffic. Ingress filtering is enabled on the port. This means that when the VLAN ID of a received packet is not identical to the access VLAN ID, the packet is discarded.
General mode. In general mode, you can perform custom configuration of the VLAN membership, PVID, tagging, ingress filtering, and so on. The general mode is legacy behavior of the switch port configuration and you use legacy CLI commands to configure the port in general mode.
Default General mode
Format switchport mode {access | trunk | general}
Mode Interface Config
no switchport mode
This command resets the switch port mode to its default value.
Format no switchport mode
Mode Interface Config
switchport trunk allowed vlan
Use this command to configure the list of allowed VLANs that can receive and send traffic on this interface in tagged format when in trunking mode. The default is all.
You can modify the VLAN list by using the add and remove options and replace the VLAN list with another list by using the all or except options. If you use the all option, all VLANs are added to the list of allowed VLANs. The except option provides an exclusion list.
Default all
Format switchport trunk allowed vlan {<vlan-list> | all | {add <vlan-list>} | {remove <vlan-list>} | {except <vlan-list>}}
Mode Interface Config
Parameter Description
all: Specifies all VLANs from 1 to 4093. This keyword is not allowed for commands that do not permit all VLANs in the list to be set at the same time.
add: Adds the defined list of VLANs to those currently set instead of replacing the list.
remove: Removes the defined list of VLANs from those currently set instead of replacing the list. Valid IDs are from 1 to 4093. Extended-range VLAN IDs of the form X-Y or X,Y,Z are valid in this command.
except: Lists the VLANs that must be calculated by inverting the defined list of VLANs. (VLANs are added except the ones specified.)
<vlan-list>: Either a single VLAN number from 1 to 4093 or a continuous range of VLANs described by two VLAN numbers, the lesser one first, separated by a hyphen.
no switchport trunk allowed vlan
This command resets the list of allowed VLANs on the trunk port to its default value.
Format no switchport trunk allowed vlan
Mode Interface Config
switchport trunk native vlan
Use this command to configure the trunk port native VLAN (PVID) parameter of the switch port. Any ingress untagged packets on the port are tagged with the value of the native VLAN.
The native VLAN must be in the allowed VLAN list for tagging of received untagged packets. Otherwise, untagged packets are discarded. Packets marked with the native VLAN are transmitted untagged from the trunk port. The default ID is 1, the default VLAN.
Default 1 (default VLAN)
Format switchport trunk native vlan <vlan-id>
Mode Interface Config
no switchport trunk native vlan
Use this command to reset the trunk mode native VLAN of the switch port to its default value.
Format no switchport trunk native vlan
Mode Interface Config
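The following added example (not taken from the manual and not NETGEAR code) models how the all, add, remove, and except options of switchport trunk allowed vlan change the allowed list, and what the native VLAN rule then does to untagged ingress frames. All function names are hypothetical, and the command sequence in the demo is constructed.

```python
"""Trunk allowed-VLAN list and native-VLAN rule, modelled from the text above.

Added illustration, not NETGEAR code. All function names are hypothetical.
"""

VLAN_MIN, VLAN_MAX = 1, 4093            # "all" means VLANs 1 to 4093
ALL_VLANS = frozenset(range(VLAN_MIN, VLAN_MAX + 1))


def parse_vlan_list(text):
    """Parse '10', '10-20' or '1,5,10-20' into a set of VLAN IDs."""
    vlans = set()
    for part in text.split(","):
        lo, sep, hi = part.strip().partition("-")
        first = int(lo)                      # ValueError on junk or empty parts
        last = int(hi) if sep else first
        if first > last:
            raise ValueError(f"range {part!r}: the lesser VLAN must come first")
        if first < VLAN_MIN or last > VLAN_MAX:
            raise ValueError(f"{part!r} is outside {VLAN_MIN}-{VLAN_MAX}")
        vlans.update(range(first, last + 1))
    return vlans


def apply_allowed_vlan(current, args):
    """Return the allowed set after 'switchport trunk allowed vlan <args>'."""
    words = args.split()
    if words == ["all"]:
        return set(ALL_VLANS)
    if len(words) == 1:                      # bare list replaces the old list
        return parse_vlan_list(words[0])
    if len(words) == 2:
        option, listed = words[0], parse_vlan_list(words[1])
        if option == "add":
            return set(current) | listed
        if option == "remove":
            return set(current) - listed
        if option == "except":               # everything but the listed VLANs
            return set(ALL_VLANS) - listed
    raise ValueError(f"unsupported arguments: {args!r}")


def untagged_ingress(native_vlan, allowed):
    """VLAN an untagged ingress frame is tagged with, or None if discarded."""
    return native_vlan if native_vlan in allowed else None


def egress_tagging(vlan, native_vlan, allowed):
    """'untagged' for the native VLAN, 'tagged' otherwise, None if not carried."""
    if vlan not in allowed:
        return None
    return "untagged" if vlan == native_vlan else "tagged"


def replay(commands, native_vlan=1):
    """Replay allowed-vlan argument strings starting from the defaults."""
    allowed = set(ALL_VLANS)                 # default allowed list is "all"
    for args in commands:
        allowed = apply_allowed_vlan(allowed, args)
    return allowed, untagged_ingress(native_vlan, allowed)


if __name__ == "__main__":
    # Constructed session: the trunk is pruned but the native VLAN stays at 1.
    allowed, result = replay(["10-20", "add 30", "remove 15"])
    print("allowed VLANs:", sorted(allowed))
    if result is None:
        print("native VLAN 1 is not allowed: untagged ingress is discarded")
    print("after native VLAN 10:", untagged_ingress(10, allowed))
```

Pruning a trunk without moving the native VLAN into the allowed list leaves the port silently dropping untagged frames, which is the case the demo prints.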
switchport access vlan
Use this command to configure the VLAN on the access port. You can assign one VLAN only to the access port. The access port is a member of VLAN 1 by default. You can assign the access port to a VLAN other than VLAN 1. If you remove the access VLAN on the switch, the access port becomes a member of VLAN 1. If you configure the access port as a member of a VLAN that does not exist, an error occurs and the configuration does not change.
Default 1 (default VLAN)
Format switchport access vlan <vlan-id>
Mode Interface Config
no switchport access vlan
This command resets the switch port access mode VLAN to its default value.
Format no switchport access vlan
Mode Interface Config
show interfaces switchport
Use this command to either display the switch port status for all interfaces, for a specific interface, or for a specific mode (access, trunk, or general). If you select a mode but do not specify the interface for the mode, the selected mode is displayed for all interfaces.
Format show interfaces switchport {[<slot/port>] | {access | trunk | general} [<slot/port>]}
Mode Privileged EXEC
Command example:
(NETGEAR Switch) #show interfaces switchport 1/0
Port: 1/0
VLAN Membership Mode: General
Access Mode VLAN: 1 (default)
General Mode PVID: 1 (default)
General Mode Ingress Filtering: Disabled
General Mode Acceptable Frame Type: Admit all
General Mode Dynamically Added VLANs:
General Mode Untagged VLANs: 1
General Mode Tagged VLANs:
General Mode Forbidden VLANs:
Trunking Mode Native VLAN: 1 (default)
Trunking Mode Native VLAN tagging: Disable
Trunking Mode VLANs Enabled: All
Protected Port: False
Command example:
(NETGEAR Switch) #show interfaces switchport access 1/0
Intf      PVID
--------- ----
1/0       1
Command example:
(NETGEAR Switch) #show interfaces switchport trunk 1/6
Intf      PVID  Allowed Vlans List
--------- ----- ------------------
1/6       1     All
Command example:
(NETGEAR Switch) #show interfaces switchport general 1/5
Intf      PVID  Ingress    Acceptable  Untagged  Tagged    Forbidden Dynamic
                Filtering  Frame Type  Vlans     Vlans     Vlans     Vlans
--------- ----- ---------- ----------- --------- --------- --------- ---------
1/5       1     Enabled    Admit All   7         10-50,55  9,100-200 88,96
Command example:
(NETGEAR Switch) #show interfaces switchport general
Intf      PVID  Ingress    Acceptable  Untagged  Tagged    Forbidden Dynamic
                Filtering  Frame Type  Vlans     Vlans     Vlans     Vlans
--------- ----- ---------- ----------- --------- --------- --------- ---------
1/0/1     1     Enabled    Admit All   1,4-7     30-40,55  3,100-200 88,96
1/0/2     1     Disabled   Admit All   1         30-40,55  none      none
Double VLAN Commands
This section describes the commands you use to configure double VLAN (DVLAN). Double VLAN tagging is a way to pass VLAN traffic from one customer domain to another through a Metro Core in a simple and cost effective manner. The additional tag on the traffic helps differentiate between customers in the MAN while preserving the VLAN identification of the individual customers when they enter their own 802.1Q domain.
dvlan-tunnel ethertype
This command configures the ether-type for all interfaces. The ether-type may have the values of 802.1Q, vman, or custom. If the ether-type has a value of custom, the optional value of the custom ether type must be set to a value from 0 to 65535.
Default vman
Format dvlan-tunnel ethertype {802.1Q | vman | custom} [<0-65535>]
Mode Global Config
mode dot1q-tunnel
This command is used to enable Double VLAN Tunneling on the specified interface.
Default disabled
Format mode dot1q-tunnel
Mode Interface Config
no mode dot1q-tunnel
This command is used to disable Double VLAN Tunneling on the specified interface. By default, Double VLAN Tunneling is disabled.
Format no mode dot1q-tunnel
Mode Interface Config
mode dvlan-tunnel
Use this command to enable Double VLAN Tunneling on the specified interface.
Note: When you use the mode dvlan-tunnel command on an interface, it becomes a service provider port. Ports that do not have double VLAN tunneling enabled are customer ports.
Default disabled
Format mode dvlan-tunnel
Mode Interface Config
no mode dvlan-tunnel
This command is used to disable Double VLAN Tunneling on the specified interface. By default, Double VLAN Tunneling is disabled.
Format no mode dvlan-tunnel
Mode Interface Config
show dot1q-tunnel
Use this command without the optional parameters to display all interfaces enabled for Double VLAN Tunneling. Use the optional parameters to display detailed information about Double VLAN Tunneling for the specified interface or all interfaces.
Format show dot1q-tunnel [interface {<slot/port> | all}]
Mode Privileged EXEC
User EXEC
Term Definition
Interface Valid slot and port number separated by forward slashes.
Mode The administrative mode through which Double VLAN Tunneling can be enabled or disabled. The default value for this field is disabled.
EtherType A 2-byte hex EtherType to be used as the first 16 bits of the DVLAN tunnel. There are three different EtherType tags. The first is 802.1Q, which represents the commonly used value of 0x8100. The second is vMAN, which represents the commonly used value of 0x88A8. If EtherType is not one of these two values, it is a custom tunnel value, representing any value in the range of 0–65535.
show dvlan-tunnel
Use this command without the optional parameters to display all interfaces enabled for Double VLAN Tunneling. Use the optional parameters to display detailed information about Double VLAN Tunneling for the specified interface or all interfaces.
Format show dvlan-tunnel [interface {<slot/port> | all}]
Mode Privileged EXEC
User EXEC
Term Definition
Interface Valid slot and port number separated by forward slashes.
Mode The administrative mode through which Double VLAN Tunneling can be enabled or disabled. The default value for this field is disabled.
EtherType A 2-byte hex EtherType to be used as the first 16 bits of the DVLAN tunnel. There are three different EtherType tags. The first is 802.1Q, which represents the commonly used value of 0x8100. The second is vMAN, which represents the commonly used value of 0x88A8. If EtherType is not one of these two values, it is a custom tunnel value, representing any value in the range of 0–65535.
Voice VLAN Commands
This section describes the commands you use for Voice VLAN. Voice VLAN enables switch ports to carry voice traffic with defined priority to enable separation of voice and data traffic coming onto the port. The benefit of using Voice VLAN is that the sound quality of an IP phone is safeguarded from deteriorating when the data traffic on the port is high.
Also, the inherent isolation provided by VLANs ensures that inter-VLAN traffic is under management control and that network-attached clients cannot initiate a direct attack on voice components. QoS based on IEEE 802.1P Class of Service (CoS) uses classification and scheduling to send network traffic from the switch in a predictable manner. The system uses the source MAC of the traffic traveling through the port to identify the IP phone data flow.
voice vlan (Global Config)
Use this command to enable the Voice VLAN capability on the switch.
Default disabled
Format voice vlan
Mode Global Config
no voice vlan (Global Config)
Use this command to disable the Voice VLAN capability on the switch.
Format no voice vlan
Mode Global Config
voice vlan (Interface Config)
Use this command to enable the Voice VLAN capability on the interface.
Default disabled
Format voice vlan {<id> | dot1p <priority> | none | untagged}
Mode Interface Config
You can configure Voice VLAN in any of the following ways:
Parameter Description
vlan-id Configure the IP phone to forward all voice traffic through the specified VLAN. Valid VLAN IDs are from 1 to 4093 (the maximum supported by the platform).
dot1p Configure the IP phone to use 802.1p priority tagging for voice traffic and to use the default native VLAN (VLAN 0) to carry all traffic. Valid <priority> range is 0–7.
none Allow the IP phone to use its own configuration to send untagged voice traffic.
untagged Configure the phone to send untagged voice traffic.
no voice vlan (Interface Config)
Use this command to disable the Voice VLAN capability on the interface.
Format no voice vlan
Mode Interface Config
voice vlan data priority
Use this command to either trust or untrust the data traffic arriving on the Voice VLAN port.
Default trust
Format voice vlan data priority {untrust | trust}
Mode Interface Config
show voice vlan
Format show voice vlan [interface {<slot/port> | all}]
Mode Privileged EXEC
When the interface parameter is not specified, only the global mode of the Voice VLAN is displayed.
Term Definition
Administrative Mode The Global Voice VLAN mode.
When the interface is specified:
Term Definition
Voice VLAN Interface Mode The admin mode of the Voice VLAN on the interface.
Voice VLAN ID The Voice VLAN ID.
Voice VLAN Priority The dot1p priority for the Voice VLAN on the port.
Voice VLAN Untagged The tagging option for the Voice VLAN traffic.
Voice VLAN CoS Override The Override option for the voice traffic arriving on the port.
Voice VLAN Status The operational status of Voice VLAN on the port.
Provisioning (IEEE 802.1p) Commands
This section describes the commands you use to configure provisioning, which allows you to prioritize ports.
vlan port priority all
This command configures the port priority assigned for untagged packets for all ports presently plugged into the device. The range for the priority is 0-7. Any subsequent per port configuration will override this configuration setting.
Format vlan port priority all <priority>
Mode Global Config
vlan priority
This command configures the default 802.1p port priority assigned for untagged packets for a specific interface. The range for the priority is 0–7.
Default 0
Format vlan priority <priority>
Mode Interface Config
Protected Ports Commands
This section describes commands you use to configure and view protected ports on a switch. Protected ports do not forward traffic to each other, even if they are on the same VLAN. However, protected ports can forward traffic to all unprotected ports in their group. Unprotected ports can forward traffic to both protected and unprotected ports. Ports are unprotected by default.
If an interface is configured as a protected port, and you add that interface to a Port Channel or link aggregation group (LAG), the protected port status becomes operationally disabled on the interface, and the interface follows the configuration of the LAG port. However, the protected port configuration for the interface remains unchanged. Once the interface is no longer a member of a LAG, the current configuration for that interface automatically becomes effective.
switchport protected (Global Config)
Use this command to create a protected port group. The <groupid> parameter identifies the set of protected ports. Use the name <name> pair to assign a name to the protected port group. The name can be up to 32 alphanumeric characters long, including blanks. The default is blank.
Note: Port protection occurs within a single switch. Protected port configuration does not affect traffic between ports on two different switches. No traffic forwarding is possible between two protected ports.
Format switchport protected <groupid> name <name>
Mode Global Config
no switchport protected (Global Config)
Use this command to remove a protected port group. The <groupid> parameter identifies the set of protected ports. Use the name keyword to remove the name from the group.
Format no switchport protected <groupid> name
Mode Global Config
switchport protected (Interface Config)
Use this command to add an interface to a protected port group. The <groupid> parameter identifies the set of protected ports to which this interface is assigned. You can only configure an interface as protected in one group.
Note: Port protection occurs within a single switch. Protected port configuration does not affect traffic between ports on two different switches. No traffic forwarding is possible between two protected ports.
Default unprotected
Format switchport protected <groupid>
Mode Interface Config
no switchport protected (Interface Config)
Use this command to configure a port as unprotected. The <groupid> parameter identifies the set of protected ports to which this interface is assigned.
Format no switchport protected <groupid>
Mode Interface Config
show switchport protected
This command displays the status of all the interfaces, including protected and unprotected interfaces.
Format show switchport protected <groupid>
Mode Privileged EXEC
User EXEC
Term Definition
Group ID The number that identifies the protected port group.
Name An optional name of the protected port group. The name can be up to 32 alphanumeric characters long, including blanks. The default is blank.
List of Physical Ports List of ports, which are configured as protected for the group identified with <groupid>. If no port is configured as protected for this group, this field is blank.
show interfaces switchport (for a group ID)
This command displays the status of the interface (protected/unprotected) under the groupid.
Format show interfaces switchport <slot/port> <groupid>
Mode Privileged EXEC
User EXEC
Term Definition
Name A string associated with this group as a convenience. It can be up to 32 alphanumeric characters long, including blanks. The default is blank. This field is optional.
Protected port Indicates whether the interface is protected or not. It shows TRUE or FALSE. If the group is a multiple groups then, it shows TRUE in Group <groupid>.
Private VLAN Commands
The Private VLANs feature separates a regular VLAN domain into two or more subdomains. Each subdomain is defined (represented) by a primary VLAN and a secondary VLAN. The primary VLAN ID is the same for all subdomains that belong to a private VLAN. The secondary VLAN ID differentiates subdomains from each other and provides Layer 2 isolation between ports of the same private VLAN. The types of VLANs within a private VLAN are as follows:
Primary VLAN—Forwards the traffic from the promiscuous ports to isolated ports, community ports, and other promiscuous ports in the same private VLAN. Only one primary VLAN can be configured per private VLAN. All ports within a private VLAN share the primary VLAN.
Isolated VLAN—A secondary VLAN that carries traffic from isolated ports to promiscuous ports. Only one isolated VLAN can be configured per private VLAN.
Community VLAN—A secondary VLAN that forwards traffic between ports that belong to the same community and the promiscuous ports. There can be multiple community VLANs per private VLAN.
Three types of port designations exist within a private VLAN:
Promiscuous Ports—An endpoint connected to a promiscuous port is allowed to communicate with any endpoint within the private VLAN. Multiple promiscuous ports can be defined for a single private VLAN domain.
Isolated Ports—An endpoint connected to an isolated port is allowed to communicate with endpoints connected to promiscuous ports only. Endpoints connected to adjacent isolated ports cannot communicate with each other.
Community Ports—An endpoint connected to a community port is allowed to communicate with the endpoints within a community and with any configured promiscuous port. The endpoints that belong to one community cannot communicate with endpoints that belong to a different community or with endpoints connected to isolated ports.
The Private VLANs can be extended across multiple switches through inter-switch/stack links that transport primary, community, and isolated VLANs between devices.
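The following added example (not taken from the manual and not NETGEAR code) encodes the VLAN types and port designations described above, so that an intended layout can be checked and observed flows can be compared against the isolation rules. Class, method, and port names are hypothetical, and the topology and the flow list are constructed.

```python
"""Private-VLAN forwarding rules, modelled from the description above.

Added illustration, not NETGEAR code. Class, method and port names are
hypothetical; the topology in build_example() is constructed.
"""

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"


class PrivateVlan:
    def __init__(self, primary_id):
        self.primary_id = primary_id   # one primary VLAN per private VLAN
        self.secondaries = {}          # secondary VLAN ID -> ISOLATED | COMMUNITY
        self.promiscuous = set()       # promiscuous port names
        self.hosts = {}                # host port name -> secondary VLAN ID

    def add_secondary(self, vlan_id, kind):
        if kind not in (ISOLATED, COMMUNITY):
            raise ValueError(f"unknown secondary VLAN type {kind!r}")
        if vlan_id == self.primary_id or vlan_id in self.secondaries:
            raise ValueError(f"VLAN {vlan_id} is already in this private VLAN")
        if kind == ISOLATED and ISOLATED in self.secondaries.values():
            raise ValueError("only one isolated VLAN per private VLAN")
        self.secondaries[vlan_id] = kind

    def check_free(self, port):
        if port in self.promiscuous or port in self.hosts:
            raise ValueError(f"port {port} already has a private-VLAN role")

    def add_promiscuous(self, port):
        self.check_free(port)
        self.promiscuous.add(port)

    def add_host(self, port, secondary_id):
        if secondary_id not in self.secondaries:
            raise ValueError(f"VLAN {secondary_id} is not a secondary VLAN here")
        self.check_free(port)
        self.hosts[port] = secondary_id

    def designation(self, port):
        """A host port is isolated or community depending on its secondary VLAN."""
        if port in self.promiscuous:
            return PROMISCUOUS
        if port not in self.hosts:
            raise KeyError(f"port {port} is not part of this private VLAN")
        return self.secondaries[self.hosts[port]]

    def can_communicate(self, a, b):
        kinds = (self.designation(a), self.designation(b))
        if PROMISCUOUS in kinds:       # promiscuous ports reach every endpoint
            return True
        if ISOLATED in kinds:          # isolated ports reach promiscuous ports only
            return False
        return self.hosts[a] == self.hosts[b]   # same community VLAN only

    def forbidden_flows(self, observed):
        """Observed (src, dst) port pairs that the isolation rules do not allow."""
        return [(a, b) for a, b in observed if not self.can_communicate(a, b)]


def build_example():
    """Constructed layout: one uplink, two isolated hosts, two communities."""
    pv = PrivateVlan(primary_id=100)
    pv.add_secondary(101, ISOLATED)
    pv.add_secondary(102, COMMUNITY)
    pv.add_secondary(103, COMMUNITY)
    pv.add_promiscuous("0/1")
    for port, vlan in [("0/2", 101), ("0/3", 101), ("0/4", 102),
                       ("0/5", 102), ("0/6", 103)]:
        pv.add_host(port, vlan)
    return pv


if __name__ == "__main__":
    pv = build_example()
    ports = sorted(pv.promiscuous | set(pv.hosts))
    for a in ports:
        row = " ".join("Y" if a != b and pv.can_communicate(a, b) else "."
                       for b in ports)
        print(f"{a} {pv.designation(a):<11} {row}")
    # Constructed flow records, for example taken from a port mirror.
    seen = [("0/2", "0/3"), ("0/4", "0/5"), ("0/6", "0/1"), ("0/4", "0/6")]
    print("flows that break isolation:", pv.forbidden_flows(seen))
```

A non-empty result from forbidden_flows means traffic was seen between ports that the configured designations should keep apart, which points to a misassigned secondary VLAN or a port left outside the private VLAN.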
switchport private-vlan
This command is used to define a private-VLAN association for an isolated or community port or a mapping for a promiscuous port.
Format switchport private-vlan {host-association <primary-vlan-id> <secondary-vlan-id> | mapping <primary-vlan-id> {add | remove} <secondary-vlan-list>}
Mode Interface Config
Parameter Definition
host-association Defines VLAN association for community or host ports.
<primary-vlan-id> Primary VLAN ID of a private VLAN.
<secondary-vlan-id> Secondary (isolated or community) VLAN ID of a private VLAN.
mapping Defines the private VLAN mapping for promiscuous ports.
add Associates the secondary VLAN with the primary one.
remove Deletes the secondary VLANs from the primary VLAN association.
<secondary-vlan-list> A list of secondary VLANs to be mapped to a primary VLAN.
no switchport private-vlan
This command is used to remove the private-VLAN association or mapping from the port.
Format no switchport private-vlan {host-association | mapping}
Mode Interface Config
switchport mode private-vlan
This command is used to configure a port as a promiscuous or host private VLAN port. Note that the properties of each mode can be configured even when the switch is not in that mode. However, they will only be applicable once the switch is in that particular mode.
Format switchport mode private-vlan {host | promiscuous}
Mode Interface Config
Default General
Parameter Definition
host Configures an interface as a private VLAN host port. It can be either isolated or community port depending on the secondary VLAN it is associated with.
promiscuous Configures an interface as a private VLAN promiscuous port. The promiscuous ports are members of the primary VLAN.
no switchport mode
This command is used to remove the private-VLAN association or mapping from the port.
Format no switchport mode private-vlan
Mode Interface Config
private-vlan
This command is used to configure the private VLANs and to configure the association between the primary private VLAN and secondary VLANs.
Format private-vlan {association [add | remove] <secondary-vlan-list> | community | isolated | primary}
Mode VLAN Config
Parameter Definition
association Associates the primary and secondary VLAN.
<secondary-vlan-list> A list of secondary VLANs to be mapped to a primary VLAN.
community Designates a VLAN as a community VLAN.
isolated Designates a VLAN as the isolated VLAN.
primary Designates a VLAN as the primary VLAN.
no private-vlan
This command is used to restore normal VLAN configuration.
Format no private-vlan {association}
Mode VLAN Config
vlan (Private VLAN)
Use this command to enter the private vlan configuration. The VLAN range is 1-4094.
Format vlan <vlan-list>
Mode Global Config
show vlan private-vlan
This command displays information about the configured private VLANs including primary and secondary VLAN IDs, type (community, isolated, or primary) and the ports that belong to a private VLAN.
Format show vlan private-vlan [type]
Mode Privileged EXEC
User EXEC
Term Definition
Private-vlan Displays information about the configured private VLANs.
type Displays only private VLAN ID and its type.
Primary Displays primary VLAN ID.
Secondary Displays secondary VLAN ID.
Type Displays secondary VLAN type.
Ports Displays ports which are associated with a private VLAN.
show interface ethernet switchport
This command displays the private VLAN mapping information for the switch interfaces.
Format show interface ethernet <slot/port> switchport
Mode Privileged EXEC
User EXEC
Term Definition
Private-vlan host-association Displays VLAN association for the private-VLAN host ports.
Private-vlan mapping Displays VLAN mapping for the private-VLAN promiscuous ports.
GARP Commands
This section describes the commands you use to configure Generic Attribute Registration Protocol (GARP) and view GARP status. The commands in this section affect both GARP VLAN Registration Protocol (GVRP) and GARP Multicast Registration Protocol (GMRP). GARP is a protocol that allows client stations to register with the switch for membership in VLANs (by using GVRP) or multicast groups (by using GMRP).
set garp timer join
This command sets the GVRP join time for one port (Interface Config mode) or all ports (Global Config mode) and per GARP. Join time is the interval between the transmission of GARP Protocol Data Units (PDUs) registering (or re-registering) membership for a VLAN or multicast group. This command has an effect only when GVRP is enabled. The time is from 10 to 100 (centiseconds). The value 20 centiseconds is 0.2 seconds.
Default 20
Format set garp timer join <10-100>
Mode Interface Config
Global Config
no set garp timer join
This command sets the GVRP join time (for one or all ports and per GARP) to the default and only has an effect when GVRP is enabled.
Format no set garp timer join
Mode Interface Config
Global Config
set garp timer leave
This command sets the GVRP leave time for one port (Interface Config mode) or all ports (Global Config mode) and only has an effect when GVRP is enabled. Leave time is the time to wait after receiving an unregister request for a VLAN or a multicast group before deleting the VLAN entry. This can be considered a buffer time for another station to assert registration for the same attribute in order to maintain uninterrupted service. The leave time is 20–600 (centiseconds). The value 60 centiseconds is 0.6 seconds.
Default 60
Format set garp timer leave <20-600>
Mode Interface Config
Global Config
no set garp timer leave
This command sets the GVRP leave time on all ports or a single port to the default and only has an effect when GVRP is enabled.
Format no set garp timer leave
Mode Interface Config
Global Config
set garp timer leaveall
This command sets how frequently Leave All PDUs are generated. A Leave All PDU indicates that all registrations will be unregistered. Participants would need to rejoin in order to maintain registration. The value applies per port and per GARP participation. The time may range from 200 to 6000 (centiseconds). The value 1000 centiseconds is 10 seconds. You can use this command on all ports (Global Config mode) or a single port (Interface Config mode), and it has an effect only when GVRP is enabled.
Default 1000
Format set garp timer leaveall <200-6000>
Mode Interface Config
Global Config
no set garp timer leaveall
This command sets how frequently Leave All PDUs are generated to the default and only has an effect when GVRP is enabled.
Format no set garp timer leaveall
Mode Interface Config
Global Config
show garp
This command displays GARP information.
Format show garp
Mode Privileged EXEC
User EXEC
Term Definition
GMRP Admin Mode The administrative mode of GARP Multicast Registration Protocol (GMRP) for the system.
GVRP Admin Mode The administrative mode of GARP VLAN Registration Protocol (GVRP) for the system.
GVRP Commands
This section describes the commands you use to configure and view GARP VLAN Registration Protocol (GVRP) information. GVRP-enabled switches exchange VLAN configuration information, which allows GVRP to provide dynamic VLAN creation on trunk ports and automatic VLAN pruning.
Note: If GVRP is disabled, the system does not forward GVRP messages.
set gvrp adminmode
This command enables GVRP on the system.
Default disabled
Format set gvrp adminmode
Mode Privileged EXEC
no set gvrp adminmode
This command disables GVRP.
Format no set gvrp adminmode
Mode Privileged EXEC
set gvrp interfacemode
This command enables GVRP on a single port (Interface Config mode) or all ports (Global Config mode).
Default disabled
Format set gvrp interfacemode
Mode Interface Config
Global Config
no set gvrp interfacemode
This command disables GVRP on a single port (Interface Config mode) or all ports (Global Config mode). If GVRP is disabled, Join Time, Leave Time, and Leave All Time have no effect.
Format no set gvrp interfacemode
Mode Interface Config
Global Config
show gvrp configuration
This command displays Generic Attributes Registration Protocol (GARP) information for one or all interfaces.
Format show gvrp configuration {<slot/port> | all}
Mode Privileged EXEC
User EXEC
Term Definition
Interface Valid slot and port number separated by forward slashes.
Join Timer The interval between the transmission of GARP PDUs registering (or re-registering) membership for an attribute. Current attributes are a VLAN or multicast group. There is an instance of this timer on a per-Port, per-GARP participant basis. Permissible values are 10–100 centiseconds (0.1 to 1.0 seconds). The factory default is 20 centiseconds (0.2 seconds). The finest granularity of specification is one centisecond (0.01 seconds).
Leave Timer The period of time to wait after receiving an unregister request for an attribute before deleting the attribute. Current attributes are a VLAN or multicast group. This may be considered a buffer time for another station to assert registration for the same attribute in order to maintain uninterrupted service. There is an instance of this timer on a per-Port, per-GARP participant basis. Permissible values are 20–600 centiseconds (0.2 to 6.0 seconds). The factory default is 60 centiseconds (0.6 seconds).
LeaveAll Timer This Leave All Time controls how frequently LeaveAll PDUs are generated. A LeaveAll PDU indicates that all registrations will shortly be deregistered. Participants will need to rejoin in order to maintain registration. There is an instance of this timer on a per-Port, per-GARP participant basis. The Leave All Period Timer is set to a random value in the range of LeaveAllTime to 1.5*LeaveAllTime. Permissible values are 200–6000 centiseconds (2–60 seconds). The factory default is 1000 centiseconds (10 seconds).
Port GVMRP Mode The GVRP administrative mode for the port, which is enabled or disabled (default). If this parameter is disabled, Join Time, Leave Time, and Leave All Time have no effect.
GMRP Commands
This section describes the commands you use to configure and view GARP Multicast Registration Protocol (GMRP) information. Like IGMP snooping, GMRP helps control the flooding of multicast packets. GMRP-enabled switches dynamically register and deregister group membership information with the MAC networking devices attached to the same segment. GMRP also allows group membership information to propagate across all networking devices in the bridged LAN that support Extended Filtering Services.
Note: If GMRP is disabled, the system does not forward GMRP messages.
set gmrp adminmode
This command enables GARP Multicast Registration Protocol (GMRP) on the system.
Default disabled
Format set gmrp adminmode
Mode Privileged EXEC
no set gmrp adminmode
This command disables GARP Multicast Registration Protocol (GMRP) on the system.
Format no set gmrp adminmode
Mode Privileged EXEC
set gmrp interfacemode
This command enables GARP Multicast Registration Protocol on a single interface (Interface Config mode) or all interfaces (Global Config mode). If an interface which has GARP enabled is enabled for routing or is enlisted as a member of a port-channel (LAG), GARP functionality is disabled on that interface. GARP functionality is subsequently re-enabled if routing is disabled and port-channel (LAG) membership is removed from an interface that has GARP enabled.
Default disabled
Format set gmrp interfacemode
Mode Interface Config
Global Config
no set gmrp interfacemode
This command disables GARP Multicast Registration Protocol on a single interface or all interfaces. If an interface which has GARP enabled is enabled for routing or is enlisted as a member of a port-channel (LAG), GARP functionality is disabled. GARP functionality is subsequently re-enabled if routing is disabled and port-channel (LAG) membership is removed from an interface that has GARP enabled.
Format no set gmrp interfacemode
Mode Interface Config
Global Config
show gmrp configuration
This command displays Generic Attributes Registration Protocol (GARP) information for one or all interfaces.
Format show gmrp configuration {<slot/port> | all}
Mode Privileged EXEC
User EXEC
Term Definition
Interface The slot/port of the interface that this row in the table describes.
Join Timer The interval between the transmission of GARP PDUs registering (or re-registering) membership for an attribute. Current attributes are a VLAN or multicast group. There is an instance of this timer on a per-Port, per-GARP participant basis. Permissible values are 10–100 centiseconds (0.1 to 1.0 seconds). The factory default is 20 centiseconds (0.2 seconds). The finest granularity of specification is 1 centisecond (0.01 seconds).
Leave Timer The period of time to wait after receiving an unregister request for an attribute before deleting the attribute. Current attributes are a VLAN or multicast group. This may be considered a buffer time for another station to assert registration for the same attribute in order to maintain uninterrupted service. There is an instance of this timer on a per-Port, per-GARP participant basis. Permissible values are 20–600 centiseconds (0.2 to 6.0 seconds). The factory default is 60 centiseconds (0.6 seconds).
LeaveAll Timer This Leave All Time controls how frequently LeaveAll PDUs are generated. A LeaveAll PDU indicates that all registrations will shortly be deregistered. Participants will need to rejoin in order to maintain registration. There is an instance of this timer on a per-Port, per-GARP participant basis. The Leave All Period Timer is set to a random value in the range of LeaveAllTime to 1.5*LeaveAllTime. Permissible values are 200–6000 centiseconds (2–60 seconds). The factory default is 1000 centiseconds (10 seconds).
Port GMRP Mode The GMRP administrative mode for the port. It may be enabled or disabled. If this parameter is disabled, Join Time, Leave Time, and Leave All Time have no effect.
show mac-address-table gmrp
This command displays the GMRP entries in the Multicast Forwarding Database (MFDB) table.
Format show mac-address-table gmrp
Mode Privileged EXEC
Term Definition
Mac Address A unicast MAC address for which the switch has forwarding and/or filtering information. The format is 6 or 8 two-digit hexadecimal numbers that are separated by colons, for example 01:23:45:67:89:AB. In an IVL system the MAC address is displayed as 8 bytes.
Type The type of the entry. Static entries are those that are configured by the end user. Dynamic entries are added to the table as a result of a learning process or protocol.
Description The text description of this multicast table entry.
Interfaces The list of interfaces that are designated for forwarding (Fwd:) and filtering (Flt:).
Port-Based Network Access Control Commands
This section describes the commands you use to configure port-based network access control (802.1x). Port-based network access control allows you to permit access to network services only to devices that are authorized and authenticated.
clear dot1x statistics
This command resets the 802.1x statistics for the specified port or for all ports.
Format clear dot1x statistics {<slot/port> | all}
Mode Privileged EXEC
clear radius statistics
This command is used to clear all RADIUS statistics.
Format clear radius statistics
Mode Privileged EXEC
dot1x eapolflood
Use this command to enable EAPOL flood support on the switch.
Default Disabled
Format dot1x eapolflood
Mode Global Config
no dot1x eapolflood
This command disables EAPOL flooding on the switch.
Format no dot1x eapolflood
Mode Global Config
dot1x guest-vlan
This command configures a VLAN as the guest VLAN on a per-port basis. The command specifies an active VLAN as an IEEE 802.1x guest VLAN. The range is 1 to the maximum VLAN ID supported by the platform.
Default disabled
Format dot1x guest-vlan <vlan-id>
Mode Interface Config
no dot1x guest-vlan
This command disables Guest VLAN on the interface.
Default disabled
Format no dot1x guest-vlan
Mode Interface Config
dot1x initialize
This command begins the initialization sequence on the specified port. This command is only valid if the control mode for the specified port is “auto” or “mac-based”. If the control mode is not “auto” or “mac-based,” an error is returned.
Format dot1x initialize <slot/port>
Mode Privileged EXEC
dot1x mac-auth-bypass
This command enables MAC-Based Authentication Bypass (MAB) for 802.1x-unaware clients. MAB provides 802.1x-unaware clients controlled access to the network using the devices’ MAC address as an identifier. This requires that the known and allowable MAC address and corresponding access rights be pre-populated in the authentication server. MAB works only when the port control mode of the port is MAC-based.
Format dot1x mac-auth-bypass
Mode Interface Config
no dot1x mac-auth-bypass
This command disables MAB for 802.1x-unaware clients.
Format no dot1x mac-auth-bypass
Mode Interface Config
dot1x max-req
This command sets the maximum number of times the authenticator state machine on this port will transmit an EAPOL EAP Request/Identity frame before timing out the supplicant. The <count> value must be in the range 1 - 10.
Default 2
Format dot1x max-req <count>
Mode Interface Config
no dot1x max-req
This command sets the maximum number of times the authenticator state machine on this port will transmit an EAPOL EAP Request/Identity frame before timing out the supplicant to the default value.
Format no dot1x max-req
Mode Interface Config
dot1x max-users
Use this command to set the maximum number of clients supported on the port when MAC-based dot1x authentication is enabled on the port. The maximum users supported per port is dependent on the product. The <count> value is in the range 1 - 48.
Default 48
Format dot1x max-users <count>
Mode Interface Config
no dot1x max-users
This command resets the maximum number of clients allowed per port to its default value.
Format no dot1x max-users
Mode Interface Config
dot1x port-control
This command sets the authentication mode to use on the specified port. Select force-unauthorized to specify that the authenticator PAE unconditionally sets the controlled port to unauthorized. Select force-authorized to specify that the authenticator PAE unconditionally sets the controlled port to authorized. Select auto to specify that the authenticator PAE sets the controlled port mode to reflect the outcome of the authentication exchanges between the supplicant, authenticator, and the authentication server. If the mac-based option is specified, MAC-based dot1x authentication is enabled on the port.
Default auto
Format dot1x port-control {force-unauthorized | force-authorized | auto | mac-based}
Mode Interface Config
no dot1x port-control
This command sets the 802.1x port control mode on the specified port to the default value.
Format no dot1x port-control
Mode Interface Config
dot1x port-control all
This command sets the authentication mode to use on all ports. Select force-unauthorized to specify that the authenticator PAE unconditionally sets the controlled port to unauthorized. Select force-authorized to specify that the authenticator PAE unconditionally sets the controlled port to authorized. Select auto to specify that the
authenticator PAE sets the controlled port mode to reflect the outcome of the authentication exchanges between the supplicant, authenticator, and the authentication server. If the mac-based option is specified, MAC-based dot1x authentication is enabled on the port.
Default auto
Format dot1x port-control all {force-unauthorized | force-authorized | auto | mac-based}
Mode Global Config
no dot1x port-control all
This command sets the authentication mode on all ports to the default value.
Format no dot1x port-control all
Mode Global Config
dot1x re-authenticate
This command begins the re-authentication sequence on the specified port. This command is only valid if the control mode for the specified port is “auto” or “mac-based”. If the control mode is not “auto” or “mac-based”, an error will be returned.
Format dot1x re-authenticate <slot/port>
Mode Privileged EXEC
dot1x re-authentication
This command enables re-authentication of the supplicant for the specified port.
Default disabled
Format dot1x re-authentication
Mode Interface Config
no dot1x re-authentication
This command disables re-authentication of the supplicant for the specified port.
Format no dot1x re-authentication
Mode Interface Config
dot1x system-auth-control
Use this command to enable the dot1x authentication support on the switch. While disabled, the dot1x configuration is retained and can be changed, but is not activated.
Default disabled
Format dot1x system-auth-control
Mode Global Config
no dot1x system-auth-control
This command is used to disable the dot1x authentication support on the switch.
Format no dot1x system-auth-control
Mode Global Config
dot1x timeout
This command sets the value, in seconds, of the timer used by the authenticator state machine on this port. Depending on the token used and the value (in seconds) passed, various time-out configurable parameters are set.
Default guest-vlan-period: 90 seconds
reauth-period: 3600 seconds
quiet-period: 60 seconds
tx-period: 30 seconds
supp-timeout: 30 seconds
server-timeout: 30 seconds
Format dot1x timeout {{guest-vlan-period <seconds>} | {reauth-period <seconds>} | {quiet-period <seconds>} | {tx-period <seconds>} | {supp-timeout <seconds>} | {server-timeout <seconds>}}
Mode Interface Config
The following table describes the tokens that are supported.
Tokens Definition
guest-vlan-period The time, in seconds, for which the authenticator waits to see if any EAPOL packets are received on a port before authorizing the port and placing the port in the guest VLAN (if configured). The guest VLAN timer is only relevant when a guest VLAN has been configured on that specific port.
reauth-period The value, in seconds, of the timer used by the authenticator state machine on this port to determine when re-authentication of the supplicant takes place. The reauth-period must be a value in the range 1 - 65535.
quiet-period The value, in seconds, of the timer used by the authenticator state machine on this port to define periods of time in which it will not attempt to acquire a supplicant. The quiet-period must be a value in the range 0 - 65535.
tx-period The value, in seconds, of the timer used by the authenticator state machine on this port to determine when to send an EAPOL EAP Request/Identity frame to the supplicant. The tx-period must be a value in the range 1 - 65535.
supp-timeout The value, in seconds, of the timer used by the authenticator state machine on this port to time out the supplicant. The supp-timeout must be a value in the range 1 - 65535.
server-timeout The value, in seconds, of the timer used by the authenticator state machine on this port to time out the authentication server. The server-timeout must be a value in the range 1 - 65535.
no dot1x timeout
This command sets the value, in seconds, of the timer used by the authenticator state machine on this port to the default values. Depending on the token used, the corresponding default values are set.
Format no dot1x timeout {guest-vlan-period | reauth-period | quiet-period |
tx-period | supp-timeout | server-timeout}
Mode Interface Config
dot1x unauthenticated-vlan
Use this command to configure the unauthenticated VLAN associated with that port. The unauthenticated VLAN ID can be a valid VLAN ID from 0-Maximum supported VLAN ID. The unauthenticated VLAN must be statically configured in the VLAN database to be operational. By default, the unauthenticated VLAN is 0, that is, invalid and not operational.
Default 0
Format dot1x unauthenticated-vlan <vlan id>
Mode Interface Config
no dot1x unauthenticated-vlan
This command resets the unauthenticated-vlan associated with the port to its default value.
Format no dot1x unauthenticated-vlan
Mode Interface Config
dot1x user
This command adds the specified user to the list of users with access to the specified port or all ports. The <user> parameter must be a configured user.
Format dot1x user <user> {<slot/port> | all}
Mode Global Config
no dot1x user
This command removes the user from the list of users with access to the specified port or all ports.
Format no dot1x user <user> {<slot/port> | all}
Mode Global Config
clear dot1x authentication-history
This command clears the authentication history table captured during successful and unsuccessful authentication on all interfaces or the specified interface.
Format clear dot1x authentication-history [slot/port]
Mode Global Config
dot1x dynamic-vlan enable
Use this command to enable the switch to create VLANs dynamically when a RADIUS assigned VLAN does not exist in the switch.
Default Disabled
Format dot1x dynamic-vlan enable
Mode Global Config
no dot1x dynamic-vlan enable
Use this command to disable the switch from creating VLANs dynamically when a RADIUS assigned VLAN does not exist in the switch.
Format no dot1x dynamic-vlan enable
Mode Global Config
dot1x system-auth-control monitor
Use this command to enable the 802.1X monitor mode on the switch. The purpose of Monitor mode is to help troubleshoot port-based authentication configuration issues without disrupting network access for hosts connected to the switch. In Monitor mode, a host is granted network access to an 802.1X-enabled port even if it fails the authentication process. The results of the process are logged for diagnostic purposes.
Default Disabled
Format dot1x system-auth-control monitor
Mode Global Config
no dot1x system-auth-control monitor
Use this command to disable the 802.1X monitor on the switch.
Format no dot1x system-auth-control monitor
Mode Global Config
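The following added example (not NETGEAR code) audits a saved configuration for the dot1x settings described above that relax port access control: monitor mode, force-authorized ports, MAB, guest VLANs, and ports left without re-authentication. The sample configuration is constructed, and its layout (interface <slot/port> ... exit blocks, "!" comment lines) is an assumption about how the configuration text is exported.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    scope: str    # "global" or the slot/port of the interface
    command: str  # configuration line (or missing line) behind the finding
    reason: str


# Constructed sample configuration, not captured from a real switch.
SAMPLE_CONFIG = """\
dot1x system-auth-control
dot1x system-auth-control monitor
interface 0/1
dot1x port-control force-authorized
exit
interface 0/2
dot1x port-control mac-based
dot1x mac-auth-bypass
exit
interface 0/3
dot1x guest-vlan 20
exit
interface 0/4
dot1x re-authentication
dot1x unauthenticated-vlan 30
exit
"""


def split_scopes(config_text):
    """Group configuration lines under "global" or their interface."""
    scopes = {"global": []}
    current = "global"
    for raw in config_text.splitlines():
        line = " ".join(raw.split())          # normalise whitespace
        if not line or line.startswith("!"):  # "!" comments are an assumption
            continue
        match = re.fullmatch(r"interface (\S+)", line)
        if match:
            current = match.group(1)
            scopes.setdefault(current, [])
        elif line == "exit":
            current = "global"
        else:
            scopes[current].append(line)
    return scopes


def audit(config_text):
    """Return findings for dot1x settings that relax port access control."""
    scopes = split_scopes(config_text)
    global_lines = scopes.pop("global")
    findings = []

    if "dot1x system-auth-control" not in global_lines:
        findings.append(Finding("global", "no dot1x system-auth-control",
                                "dot1x support is disabled by default; port "
                                "settings are retained but not activated"))
    if "dot1x system-auth-control monitor" in global_lines:
        findings.append(Finding("global", "dot1x system-auth-control monitor",
                                "monitor mode grants access even when a host "
                                "fails authentication"))
    if "dot1x port-control all force-authorized" in global_lines:
        findings.append(Finding("global", "dot1x port-control all force-authorized",
                                "all ports are unconditionally authorized"))

    for port, lines in scopes.items():
        mode = "auto"  # documented default control mode
        for line in lines:
            match = re.fullmatch(r"dot1x port-control (\S+)", line)
            if match:
                mode = match.group(1)
        if mode == "force-authorized":
            findings.append(Finding(port, "dot1x port-control force-authorized",
                                    "port is unconditionally authorized"))
        if "dot1x mac-auth-bypass" in lines:
            reason = ("client is identified by MAC address only; review the "
                      "MAC list on the authentication server"
                      if mode == "mac-based" else
                      "MAB works only when the port control mode is mac-based")
            findings.append(Finding(port, "dot1x mac-auth-bypass", reason))
        for line in lines:
            if re.fullmatch(r"dot1x guest-vlan \d+", line):
                findings.append(Finding(port, line,
                                        "port is authorized into the guest VLAN "
                                        "when no EAPOL packets are received; "
                                        "confirm that VLAN is isolated"))
        if mode in ("auto", "mac-based") and "dot1x re-authentication" not in lines:
            findings.append(Finding(port, "no dot1x re-authentication",
                                    "re-authentication of the supplicant is "
                                    "disabled by default"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(f"{finding.scope:7} {finding.command:40} {finding.reason}")
```
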
show dot1x authentication-history
This command displays 802.1X authentication events and information for successful and unsuccessful Dot1x authentication processes on all interfaces or the specified interface. Use the optional keywords to display only failed authentication events, in summary or in detail.
Format show dot1x authentication-history {slot/port | all}
[failedauth-only] [detail]
Mode Privileged EXEC
Term Definition
Time Stamp The exact time at which the event occurs.
Interface Physical Port on which the event occurs.
Mac-Address The supplicant/client MAC address.
VLAN assigned The VLAN assigned to the client/port on authentication.
VLAN assigned Reason The type of VLAN ID assigned, which can be Guest VLAN, Unauth, Default, RADIUS Assigned, or Monitor Mode VLAN ID.
Auth Status The authentication status.
Reason The actual reason behind the successful or failed authentication.
show authentication methods
This command displays information about the authentication methods.
Format show authentication methods
Mode Privileged EXEC
Command example:
Login Authentication Method Lists
________________________________
Console_Default: None
Network_Default:Local

Enable Authentication Lists
_____________________
Console_Default: Enable None
Network_Default:Enable

Line Login Method List Enable Method Lists
_____________________
Console Console_Default Console_Default
Telnet Network_Default Network_Default
SSH Network_Default Network_Default

http : Local
https : Local
dot1x :
show dot1x
This command is used to show a summary of the global dot1x configuration, summary information of the dot1x configuration for a specified port or all ports, the detailed dot1x configuration for a specified port and the dot1x statistics for a specified port - depending on the tokens used.
Format show dot1x [{summary {<slot/port> | all} | detail <slot/port> | statistics <slot/port>}]
Mode Privileged EXEC
If you do not use the optional <slot/port> parameters, the command displays the global dot1x mode, the VLAN Assignment mode, and the Dynamic VLAN Creation mode.
Term Definition
Administrative Mode Indicates whether authentication control on the switch is enabled or disabled.
VLAN Assignment Mode Indicates whether assignment of an authorized port to a RADIUS assigned VLAN is allowed (enabled) or not (disabled).
Dynamic VLAN Creation Mode Indicates whether the switch can dynamically create a RADIUS-assigned VLAN if it does not currently exist on the switch.
Monitor Mode Indicates whether the Dot1x Monitor mode on the switch is enabled or disabled.
If you use the optional parameter summary {<slot/port> | all}, the dot1x configuration for the specified port or all ports is displayed.
Term Definition
Interface The interface whose configuration is displayed.
Control Mode The configured control mode for this port. Possible values are force-unauthorized | force-authorized | auto | mac-based | authorized | unauthorized.
Operating Control Mode The control mode under which this port is operating. Possible values are authorized | unauthorized.
Reauthentication Enabled Indicates whether re-authentication is enabled on this port.
Port Status Indicates whether the port is authorized or unauthorized. Possible values are authorized | unauthorized.
If you use the optional parameter detail <slot/port>, the detailed dot1x configuration for the specified port is displayed.
Term Definition
Port The interface whose configuration is displayed.
Protocol Version The protocol version associated with this port. The only possible value is 1, corresponding to the first version of the dot1x specification.
PAE Capabilities The port access entity (PAE) functionality of this port. Possible values are Authenticator or Supplicant.
Control Mode The configured control mode for this port. Possible values are force-unauthorized | force-authorized | auto | mac-based.
Authenticator PAE State Current state of the authenticator PAE state machine. Possible values are Initialize, Disconnected, Connecting, Authenticating, Authenticated, Aborting, Held, ForceAuthorized, and ForceUnauthorized. When MAC-based authentication is enabled on the port, this parameter is deprecated.
Backend Authentication State Current state of the backend authentication state machine. Possible values are Request, Response, Success, Fail, Timeout, Idle, and Initialize. When MAC-based authentication is enabled on the port, this parameter is deprecated.
Quiet Period The timer used by the authenticator state machine on this port to define periods of time in which it will not attempt to acquire a supplicant. The value is expressed in seconds and will be in the range 0 and 65535.
Transmit Period The timer used by the authenticator state machine on the specified port to determine when to send an EAPOL EAP Request/Identity frame to the supplicant. The value is expressed in seconds and will be in the range of 1 and 65535.
Guest-VLAN ID The guest VLAN identifier configured on the interface.
Guest VLAN Period The time in seconds for which the authenticator waits before authorizing and placing the port in the Guest VLAN, if no EAPOL packets are detected on that port.
Supplicant Timeout The timer used by the authenticator state machine on this port to time out the supplicant. The value is expressed in seconds and will be in the range of 1 and 65535.
Server Timeout The timer used by the authenticator on this port to time out the authentication server. The value is expressed in seconds and will be in the range of 1 and 65535.
Maximum Requests The maximum number of times the authenticator state machine on this port will retransmit an EAPOL EAP Request/Identity before timing out the supplicant. The value will be in the range of 1 and 10.
VLAN Id The VLAN assigned to the port by the RADIUS server. This is only valid when the port control mode is not MAC-based.
VLAN Assigned Reason The reason the VLAN identified in the VLAN Id field has been assigned to the port. Possible values are RADIUS, Unauthenticated VLAN, Guest VLAN, default, and Not Assigned. When the VLAN Assigned Reason is Not Assigned, it means that the port has not been assigned to any VLAN by dot1x. This is only valid when the port control mode is not MAC-based.
Reauthentication Period The timer used by the authenticator state machine on this port to determine when reauthentication of the supplicant takes place. The value is expressed in seconds and will be in the range of 1 and 65535.
Reauthentication Enabled Indicates if reauthentication is enabled on this port. Possible values are True or False.
Key Transmission Enabled Indicates if the key is transmitted to the supplicant for the specified port. Possible values are True or False.
Control Direction The control direction for the specified port or ports. Possible values are both or in.
Maximum Users The maximum number of clients that can get authenticated on the port in the MAC-based dot1x authentication mode. This value is used only when the port control mode is not MAC-based.
Unauthenticated VLAN ID Indicates the unauthenticated VLAN configured for this port. This value is valid for the port only when the port control mode is not MAC-based.
Session Timeout Indicates the time for which the session is valid. The time period in seconds is returned by the RADIUS server on authentication of the port. This value is valid for the port only when the port control mode is not MAC-based.
Session Termination Action This value indicates the action to be taken once the session timeout expires. Possible values are Default and Radius-Request. If the value is Default, the session is terminated and the port goes into unauthorized state. If the value is Radius-Request, a reauthentication of the client authenticated on the port is performed. This value is valid for the port only when the port control mode is not MAC-based.
If the port-control mode for the specified port is MAC-based, the show dot1x detail <slot/port> command displays the following MAC-based dot1x parameters for each client authenticated on the port.
Term Definition
Supplicant MAC-Address The MAC-address of the supplicant.
Authenticator PAE State Current state of the authenticator PAE state machine. Possible values are Initialize, Disconnected, Connecting, Authenticating, Authenticated, Aborting, Held, ForceAuthorized, and ForceUnauthorized.
Backend Authentication State Current state of the backend authentication state machine. Possible values are Request, Response, Success, Fail, Timeout, Idle, and Initialize.
VLAN-Assigned The VLAN assigned to the client by the RADIUS server.
Logical Port The logical port number associated with the client.
If you use the optional parameter statistics <slot/port>, the following dot1x statistics for the specified port appear.
Term Definition
Port The interface whose statistics are displayed.
EAPOL Frames Received The number of valid EAPOL frames of any type that have been received by this authenticator.
EAPOL Frames Transmitted The number of EAPOL frames of any type that have been transmitted by this authenticator.
EAPOL Start Frames Received The number of EAPOL start frames that have been received by this authenticator.
EAPOL Logoff Frames Received The number of EAPOL logoff frames that have been received by this authenticator.
Last EAPOL Frame Version The protocol version number carried in the most recently received EAPOL frame.
Last EAPOL Frame Source The source MAC address carried in the most recently received EAPOL frame.
EAP Response/Id Frames Received The number of EAP response/identity frames that have been received by this authenticator.
EAP Response Frames Received The number of valid EAP response frames (other than resp/id frames) that have been received by this authenticator.
EAP Request/Id Frames Transmitted The number of EAP request/identity frames that have been transmitted by this authenticator.
EAP Request Frames Transmitted The number of EAP request frames (other than request/identity frames) that have been transmitted by this authenticator.
Invalid EAPOL Frames Received The number of EAPOL frames that have been received by this authenticator in which the frame type is not recognized.
EAP Length Error Frames Received The number of EAPOL frames that have been received by this authenticator in which the frame type is not recognized.
show dot1x clients
This command displays 802.1x client information. This command also displays information about the number of clients that are authenticated using Monitor mode and using 802.1x.
Format show dot1x clients {<slot/port> | all}
Mode Privileged EXEC
Term Definition
Clients Authenticated using Monitor Mode Indicates the number of the Dot1x clients authenticated using Monitor mode.
Clients Authenticated using Dot1x Indicates the number of Dot1x clients authenticated using 802.1x authentication process.
Logical Interface The logical port number associated with a client.
Interface The physical port to which the supplicant is associated.
User Name The user name used by the client to authenticate to the server.
Supplicant MAC Address The supplicant device MAC address.
Session Time The time since the supplicant is logged on.
Filter ID Identifies the Filter ID returned by the RADIUS server when the client was authenticated. This is a configured DiffServ policy name on the switch.
VLAN ID The VLAN assigned to the port.
VLAN Assigned The reason the VLAN identified in the VLAN ID field has been assigned to the port. Possible values are RADIUS, Unauthenticated VLAN, or Default. When the VLAN Assigned reason is Default, it means that the VLAN was assigned to the port because the PVID of the port was that VLAN ID.
Session Timeout This value indicates the time for which the session is valid. The time period in seconds is returned by the RADIUS server on authentication of the port. This value is valid for the port only when the port-control mode is not MAC-based.
Session Termination Action This value indicates the action to be taken once the session timeout expires. Possible values are Default and Radius-Request. If the value is Default, the session is terminated and client details are cleared. If the value is Radius-Request, a reauthentication of the client is performed.
show dot1x users
This command displays 802.1x port security user information for locally configured users.
Format show dot1x users <slot/port>
Mode Privileged EXEC
Term Definition
Users Users configured locally to have access to the specified port.
802.1X Supplicant Commands
802.1X (“dot1x”) supplicant functionality is available on point-to-point ports. The administrator can configure the user name and password used in authentication and the capabilities of the supplicant port.
dot1x pae
Use this command to set the port’s dot1x role. The port can serve as either a supplicant or an authenticator.
Format dot1x pae {supplicant | authenticator}
Mode Interface Config
dot1x supplicant port-control
Use this command to set the port’s authorization state (Authorized or Unauthorized) either manually or by setting the port to auto-authorize upon startup. By default all the ports are authenticators. If the port’s attribute must be moved from authenticator to supplicant or supplicant to authenticator, use this command.
Format dot1x supplicant port-control {auto | force-authorized |
force_unauthorized}
Mode Interface Config
Parameter Description
auto The port is in the Unauthorized state until it presents its user name and password credentials to an authenticator. If the authenticator authorizes the port, then it is placed in the Authorized state.
force-authorized Sets the authorization state of the port to Authorized, bypassing the authentication process.
force-unauthorized Sets the authorization state of the port to Unauthorized, bypassing the authentication process.
no dot1x supplicant port-control
Use this command to set the port-control mode to the default, auto.
Default Auto
Format no dot1x supplicant port-control
Mode Interface Config
dot1x supplicant max-start
Use this command to configure the number of attempts that the supplicant makes to find the authenticator before the supplicant assumes that there is no authenticator.
Default 3
Format dot1x supplicant max-start <1-10>
Mode Interface Config
no dot1x supplicant max-start
Use this command to set the max-start value to the default.
Format no dot1x supplicant max-start
Mode Interface Config
dot1x supplicant timeout start-period
Use this command to configure the start period timer interval in seconds to wait for the EAP identity request from the authenticator.
Default 30 seconds
Format dot1x supplicant timeout start-period <1-65535>
Mode Interface Config
no dot1x supplicant timeout start-period
Use this command to set the start-period value to the default.
Format no dot1x supplicant timeout start-period
Mode Interface Config
dot1x supplicant timeout held-period
Use this command to configure the held period timer interval, in seconds, to wait before the next authentication attempt after a previous authentication failure.
Default 30 seconds
Format dot1x supplicant timeout held-period <1-65535>
Mode Interface Config
no dot1x supplicant timeout held-period
Use this command to set the held-period value to the default value.
Format no dot1x supplicant timeout held-period
Mode Interface Config
dot1x supplicant timeout auth-period
Use this command to configure the authentication period timer interval in seconds to wait for the next EAP request challenge from the authenticator.
Default 30 seconds
Format dot1x supplicant timeout auth-period <1-65535>
Mode Interface Config
no dot1x supplicant timeout auth-period
Use this command to set the auth-period value to the default value.
Format no dot1x supplicant timeout auth-period
Mode Interface Config
dot1x supplicant user
Use this command to map the user to the port.
Format dot1x supplicant user
Mode Interface Config
Storm-Control Commands
This section describes commands you use to configure storm control and view storm control configuration information. A traffic storm is a condition that occurs when incoming packets flood the LAN, which creates performance degradation in the network. The storm control feature protects against this condition.
The switch provides broadcast, multicast, and unicast storm recovery for individual interfaces. Unicast storm control protects against traffic whose MAC addresses are not known by the system. For broadcast, multicast, and unicast storm control, if the rate of traffic ingressing on an interface increases beyond the configured threshold for that type, the traffic is dropped.
To configure storm control, you can enable the feature for all interfaces or for individual interfaces, and you can set the threshold (storm-control level), beyond which the broadcast, multicast, or unicast traffic is dropped. The storm control feature allows you to limit the rate of specific types of packets through the switch on a per-port, per-type, basis.
Configuring a storm-control level also enables that form of storm control. Disabling a storm-control level (using the no version of the command) sets the storm control level back to the default value and disables that form of storm control. Using the no version of the storm-control command (without stating a level) disables that form of storm control but maintains the configured level (to be active the next time that form of storm control is enabled).
Note: The actual rate of ingress traffic required to activate storm control is based on the size of incoming packets and the hard-coded average packet size of 512 bytes, which is used to calculate a packet-per-second (pps) rate, because the forwarding plane requires a pps rate rather than an absolute rate in kbps. For example, if the configured limit is 10 percent, this is converted to ~25000 pps, and this pps limit is set in the forwarding plane (hardware). You get the approximate desired output when 512-byte packets are used.
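The following added example (not NETGEAR code) works through the conversion in the note and shows how far the enforced bandwidth drifts from the configured percentage when frames are not 512 bytes. The 1 Gbps link speed and the omission of preamble and inter-frame gap are assumptions chosen to match the note's ~25000 pps figure; the function names are hypothetical.

```python
AVG_PACKET_BYTES = 512        # hard-coded average packet size stated in the note
MAX_RATE_PPS = 14_880_000     # upper bound of storm-control broadcast rate
GIGABIT = 1_000_000_000       # assumed link speed in bits per second


def level_to_pps(level_percent, link_bps=GIGABIT):
    """pps limit derived from a storm-control level (percent of link speed)."""
    if not 0 <= level_percent <= 100:
        raise ValueError("level must be in the range 0-100")
    return (link_bps * level_percent) // (100 * AVG_PACKET_BYTES * 8)


def effective_percent(pps_limit, frame_bytes, link_bps=GIGABIT):
    """Share of link speed that pps_limit frames of frame_bytes occupy."""
    return round(pps_limit * frame_bytes * 8 * 100 / link_bps, 2)


def drift_table(level_percent, frame_sizes=(64, 512, 1518), link_bps=GIGABIT):
    """Bandwidth actually admitted per frame size for one configured level."""
    pps = level_to_pps(level_percent, link_bps)
    return {size: effective_percent(pps, size, link_bps) for size in frame_sizes}


def rate_for_target(target_percent, frame_bytes, link_bps=GIGABIT):
    """pps value for `storm-control broadcast rate` that caps frames of
    frame_bytes at target_percent of link speed."""
    pps = (link_bps * target_percent) // (100 * frame_bytes * 8)
    if pps > MAX_RATE_PPS:
        raise ValueError("result exceeds the documented rate range")
    return pps


if __name__ == "__main__":
    print("level 10 ->", level_to_pps(10), "pps")
    for size, percent in drift_table(10).items():
        print(f"{size:>5}-byte frames: {percent}% of link speed admitted")
    print("rate for 10% at 64-byte frames:", rate_for_target(10, 64), "pps")
```

With a level of 10, a storm of 1518-byte frames is admitted at close to 30 percent of the link, while 64-byte frames are held to about 1.25 percent; use the rate form of the command when the expected frame size is known.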
storm-control broadcast (Interface Config)
Use this command to enable broadcast storm recovery mode for a specific interface. If the mode is enabled, broadcast storm recovery is active and, if the rate of L2 broadcast traffic ingressing on an interface increases beyond the configured threshold, the traffic is dropped. Therefore, the rate of broadcast traffic will be limited to the configured threshold.
Default enabled
Format storm-control broadcast
Mode Interface Config
no storm-control broadcast
Use this command to disable broadcast storm recovery mode for a specific interface.
Format no storm-control broadcast
Mode Interface Config
storm-control broadcast level (Interface Config)
Use this command to configure the broadcast storm recovery threshold for an interface as a percentage of link speed and enable broadcast storm recovery. If the mode is enabled, broadcast storm recovery is active, and if the rate of L2 broadcast traffic ingressing on an interface increases beyond the configured threshold, the traffic is dropped. Therefore, the rate of broadcast traffic is limited to the configured threshold.
If the shutdown option is selected, and the broadcast traffic increases beyond the threshold, the interface shuts down instead of dropping packets. To recover the port, issue the no shutdown command under the port manually.
Default 5
Format storm-control broadcast level <0-100> {action [ratelimit |
shutdown]}
Mode Interface Config
no storm-control broadcast level
This command sets the broadcast storm recovery threshold to the default value for an interface and disables broadcast storm recovery.
Format no storm-control broadcast level
Mode Interface Config
storm-control broadcast rate (Interface Config)
Use this command to configure the broadcast storm recovery threshold for an interface in packets per second. If the mode is enabled, broadcast storm recovery is active, and if the rate of L2 broadcast traffic ingressing on an interface increases beyond the configured threshold, the traffic is dropped. Therefore, the rate of broadcast traffic is limited to the configured threshold.
Default 0
Format storm-control broadcast rate <0-14880000>
Mode Interface Config
no storm-control broadcast rate
This command sets the broadcast storm recovery threshold to the default value for an interface and disables broadcast storm recovery.
Format no storm-control broadcast rate
Mode Interface Config
storm-control broadcast (Global Config)
This command enables broadcast storm recovery mode for all interfaces. If the mode is enabled, broadcast storm recovery is active, and if the rate of L2 broadcast traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped. Therefore, the rate of broadcast traffic will be limited to the configured threshold.
Default disabled
Format storm-control broadcast
Mode Global Config
no storm-control broadcast
This command disables broadcast storm recovery mode for all interfaces.
Format no storm-control broadcast
Mode Global Config
storm-control broadcast level (Global Config)
This command configures the broadcast storm recovery threshold for all interfaces as a percentage of link speed and enables broadcast storm recovery. If the mode is enabled, broadcast storm recovery is active, and if the rate of L2 broadcast traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped. Therefore, the rate of broadcast traffic will be limited to the configured threshold. This command also enables broadcast storm recovery mode for all interfaces.
If the ‘shutdown’ option is selected, and the broadcast traffic increases beyond the threshold, the interface shuts down instead of dropping packets. To recover the port, issue ‘no shutdown’ under the port manually.
Default 5
Format storm-control broadcast level <0-100>
Mode Global Config
no storm-control broadcast level
This command sets the broadcast storm recovery threshold to the default value for all interfaces and disables broadcast storm recovery.
Format no storm-control broadcast level
Mode Global Config
storm-control broadcast rate (Global Config)
Use this command to configure the broadcast storm recovery threshold for all interfaces in packets per second. If the mode is enabled, broadcast storm recovery is active, and if the rate of L2 broadcast traffic ingressing on an interface increases beyond the configured threshold, the traffic is dropped. Therefore, the rate of broadcast traffic is limited to the configured threshold.
Default 0
Format storm-control broadcast rate <0-14880000>
Mode Global Config
no storm-control broadcast rate
This command sets the broadcast storm recovery threshold to the default value for all interfaces and disables broadcast storm recovery.
Format no storm-control broadcast rate
Mode Global Config
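The following is an added example, not part of the NETGEAR manual: a small Python check that reads a saved configuration and reports, per scope, the explicit broadcast storm-control level, rate, and no forms documented above. The sample text, the "interface <slot/port> ... exit" block layout, and the function names are assumptions made for illustration.

```python
import re

# Constructed sample. The "interface <slot/port> ... exit" layout is an assumption.
SAMPLE_CONFIG = """\
storm-control broadcast level 5
interface 0/1
storm-control broadcast level 10 action shutdown
exit
interface 0/2
no storm-control broadcast
exit
interface 0/3
storm-control broadcast rate 2000
exit
"""

SET = re.compile(r"storm-control broadcast (level|rate) (\d+)(?: action (ratelimit|shutdown))?")
DISABLE = re.compile(r"no storm-control broadcast(?: (?:level|rate))?")
LIMIT = {"level": 100, "rate": 14880000}  # upper bounds from the Format lines

def parse_storm_control(text):
    """Map each scope ('global' or a slot/port) to its explicit broadcast settings."""
    settings, scope = {}, "global"
    for raw in text.splitlines():
        line = " ".join(raw.split())  # normalize whitespace
        if line.startswith("interface "):
            scope = line.split(" ", 1)[1]
        elif line == "exit":
            scope = "global"
        elif m := SET.fullmatch(line):
            kind, value, action = m[1], int(m[2]), m[3]
            if value > LIMIT[kind] or (kind == "rate" and action):
                raise ValueError(f"not a documented form: {line}")
            settings[scope] = {"enabled": True, "kind": kind, "threshold": value,
                               "action": action or "ratelimit"}  # no keyword: drop
        elif DISABLE.fullmatch(line):
            settings[scope] = {"enabled": False}  # every "no" form disables recovery
    return settings

def review(settings):
    """Return (scope, note) pairs for settings an operator should look at."""
    notes = []
    for scope, s in settings.items():
        if not s["enabled"]:
            notes.append((scope, "broadcast storm recovery disabled"))
        elif s["action"] == "shutdown":
            notes.append((scope, "shuts down above threshold; recover with no shutdown"))
    return notes
```

Scopes that appear in neither the parsed settings nor the review output keep whatever default or inherited behavior the switch applies; the check reports only what the text sets explicitly.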