Zyxel GS2220-28, GS2220-50, GS2220-10HP, GS2220-50HP, GS2220-10 CLI Reference Guide

...
Default Login Details
3'ŻMÍºŻGuide

Ethernet Switch Series

Managed Ethernet Switches
Out-of-Band MGMT Port
In-Band Ports http://setup.zyxel
User Name admin
Password 1234
http://DHCP-assigned IP
or
http://192.168.1.1
Version 4.80 Edition 3, 01/2023
Copyright © 2023 Zyxel and/or its affiliates. All Rights Reserved.
IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE.
This is a Reference Guide for a series of products intended for people who want to configure the Switch through Command Line Interface (CLI).
Note: Some commands or command options in this guide may not be available in your product. See your product's User’s Guide for a list of supported features.
Every effort has been made to ensure that the information in this guide is accurate.
How To Use This Guide
1 Read Chapter 1 on page 10 for how to access and use the CLI (Command Line Interface).
2 Read Chapter 3 on page 17 to learn about the CLI user and privilege modes.
Do not use commands not documented in this guide.
Related Documentation
• Quick Start Guide: The Quick Start Guide shows how to connect the Switch and access the Web Configurator.
• User’s Guide: The User’s Guide explains how to use the Web Configurator to configure the Switch.
Note: It is recommended you use the Web Configurator to configure the Switch.
• Nebula Control Center (NCC) Online Help: Go to https://nebula.zyxel.com/cc/ui/index.html#/help to see how to manage the Switch remotely through Nebula Control Center.
• More Information: Go to support.zyxel.com to find other information on the Switch.
Ethernet Switch CLI Reference Guide

About This CLI Reference Guide

Intended Audience
This manual is intended for people who want to configure Zyxel Switches through Command Line Interface (CLI).
The version number on the cover page refers to the latest firmware version supported by the Zyxel Switches. This guide applies to ZyNOS 4.80 at the time of writing.
Note: This guide is intended as a command reference for a series of products. Therefore many commands in this guide may not be available in your product. See your User’s Guide for a list of supported features and details about feature implementation.
Please refer to www.zyxel.com for product specific User Guides and product certifications.
How To Use This Guide
• Read the How to Access the CLI chapter for an overview of various ways you can get to the command interface on your Switch.
• Use the Reference section in this guide for command syntax, description and examples. Each chapter describes commands related to a feature.
• To find specific information in this guide, use the Contents Overview, the Index of Commands, or search the PDF file.

Document Conventions

Warnings and Notes
These are how warnings and notes are shown in this CLI Reference Guide.
Warnings tell you about things that could harm you or your device. See your User’s Guide for product specific warnings.
Note: Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
Syntax Conventions
This manual follows these general conventions:
• Zyxel’s switches may be referred to as the “Switch”, the “device”, the “system” or the “product” in this Reference Guide.
• Units of measurement may denote the “metric” value or the “scientific” value. For example, “k” for kilo may denote “1000” or “1024”, “M” for mega may denote “1000000” or “1048576” and so on.
Command descriptions follow these conventions:
• Commands are in courier new font.
• Required input values are in angle brackets <>; for example, ping <ip> means that you must specify an IP address for this command.
• Optional fields are in square brackets []; for instance show logins [name], the name field is optional. The following is an example of a required field within an optional field: snmp-server [contact <system contact>], the contact field is optional. However, if you use contact, then you must provide the system contact information.
• In some commands you specify slots or interfaces by the Access ID <aid>, use “?” to show which types of interfaces you can specify. For example, you might be able to use: slot-<slot> | <ge|msc>-<slot>-<port> | <ge|msc>-<slot>-<port>&&-<port>.
• Use “msc-<slot>-<port>” for an uplink slot on the management switch card.
• Use “ge-<slot>-<port>” for a Gigabit Ethernet port or switch settings on a PON interface.
• Use “pon-<slot>-<port>” to configure PON interface settings.
• A “slot” is a chassis slot.
• The “port” is 1-N where N is the number of ports on the card.
• Use && to specify a range of ports.
• Lists (such as <port-list>) consist of one or more elements separated by commas. Each element might be a single value (1, 2, 3, ...) or a range of values (1–2, 3–5, ...) separated by a dash.
• The | (bar) symbol means “or”.
• italic terms represent user-defined input values; for example, in snmp-server [contact <system contact>], system contact can be replaced by the administrator’s name.
• A key stroke is denoted by square brackets and uppercase text, for example, [ENTER] means the “Enter” or “Return” key on your keyboard.
• <cr> means press the [ENTER] key.
• An arrow (-->) indicates that this line is a continuation of the previous line.
Command summary tables are organized as follows:
Table 1 Example: Command Summary Table
COMMAND | DESCRIPTION | M | P
show vlan | Displays the status of all VLANs. | E | 3
vlan <1-4094> | Enters config-vlan mode for the specified VLAN. Creates the VLAN, if necessary. | C | 13
  inactive | Disables the specified VLAN. | C | 13
  no inactive | Enables the specified VLAN. | C | 13
no vlan <1-4094> | Deletes a VLAN. | C | 13
The Table title identifies commands or the specific feature that the commands configure.
The COMMAND column shows the syntax of the command.
• If a command is not indented, you run it in the enable or config mode. See Chapter 3 on page 17 for more information on command modes.
• If a command is indented, you run it in a sub-command mode.
The DESCRIPTION column explains what the command does. It also identifies legal input values, if necessary.
The M column identifies the mode in which you run the command.
E: The command is available in enable mode. It is also available in user mode if the privilege level (P) is less than 13.
C: The command is available in config (not indented) or one of the sub-command modes (indented).
The P column identifies the privilege level of the command. If you do not have a high enough privilege level you may not be able to view or execute some of the commands. See Chapter 3 on page 17 for more information on privilege levels.

Contents Overview

Introduction
  Introduction
  Command Line Interface
  Privilege Level and Command Mode
  Initial Setup
Reference A-G
  AAA Commands
  Anti-Arpscan
  ARP Commands
  ARP Inspection Commands
  ARP Learning Commands
  Auto Configuration Commands
  Bandwidth Control Commands
  BPDU Guard
  Broadcast Storm Commands
  Certificates Commands
  Classifier Commands
  Cluster Commands
  CLV Commands
  Custom Default Commands
  Date and Time Commands
  DHCP Commands
  DHCP Snooping and DHCP VLAN Commands
  DiffServ Commands
  Display Commands
  DVMRP Commands
  Error Disable and Recovery Commands
  Ethernet OAM Commands
  External Alarm Commands
  Flex Link Commands
  GARP Commands
  Green Ethernet Commands
  GVRP Commands
Reference H-M
  HTTPS Server Commands
  Hardware Monitor Commands
  IGMP and Multicasting Commands
  IGMP Snooping Commands
  Interface Commands
  Interface Loopback Mode
  Interface Route-domain Mode
  IP Commands
  IP Source Binding Commands
  IP Source Guard
  IPv6 Commands
  Layer 2 Protocol Tunnel (L2PT) Commands
  Link Layer Discovery Protocol (LLDP) Commands
  Load Sharing Commands
  Logging Commands
  Login Account Commands
  Loopguard Commands
  MAC Address Commands
  MAC-based VLAN
  MAC Filter Commands
  MAC Forwarding Commands
  MAC Pinning Commands
  Mirroring Commands
  MRSTP Commands
  MSTP Commands
  Multiple Login Commands
  MVR Commands
Reference N-S
  NLB Commands
  ONVIF Commands
  OSPF Commands
  Password Commands
  PoE Commands
  Policy Commands
  Policy Route Commands
  Port Authentication Commands
  Port Security Commands
  Port-based VLAN Commands
  PPPoE IA Commands
  Private VLAN Commands
  Protocol-based VLAN Commands
  Proxy Server and NCC Discovery Commands
  Queuing Commands
  RADIUS Commands
  Remote Management Commands
  RIP Commands
  RMON
  Running Configuration Commands
  Service Register
  sFlow
  SNMP Server Commands
  Stacking Commands
  STP and RSTP Commands
  SSH Commands
  Static Multicast Commands
  Static Route Commands
  Subnet-based VLAN Commands
  Syslog Commands
Reference T-Z
  TACACS+ Commands
  Tech Support Commands
  TFTP Commands
  Time Range Commands
  Traceroute Commands
  Trunk Commands
  Vendor ID-based VLAN
  VLAN Commands
  VLAN IP Commands
  VLAN Isolation Commands
  VLAN Mapping Commands
  VLAN Port Isolation Commands
  VLAN Stacking Commands
  VLAN Trunking Commands
  Voice VLAN Commands
  VRRP Commands
  WoL Relay Commands
  ZULD Commands
  Miscellaneous Commands
Appendices and Index of Commands
PART I

Introduction

Introduction
Privilege Level and Command Mode
Initial Setup

CHAPTER 1
Introduction

1.1 Overview

This command line interface (CLI) Reference Guide introduces the command line interface of the Switch. Use the listed commands in this Guide to check the Switch status and/or configure the Switch.
At the time of writing, this Guide contains the following ZyNOS 4.80 Switches.
Some Switches require licenses to unlock additional licensed services. See Section 1.1.1 on page 10 for more information.
Table 2 ZyNOS 4.80 Switches
SERIES | MODELS | ADDITIONAL LICENSE | SWITCH TYPE | CLI SUPPORT
GS2220 Series | GS2220-10/10HP/28/28HP/50/50HP | No available license | Layer-2 | CLI full configuration in Standalone mode and Cloud mode.
XGS2220 Series | XGS2220-30/30HP/30F/54/54HP/54FP | No available license | Layer-3 | CLI full configuration in Standalone mode and Cloud mode.
XMG1930 Series | XMG1930-30/HP | Access L3 License | Layer-2 | CLI basic status checking. Requires licenses to unlock CLI full configuration in standalone mode.
XS1930 Series | XS1930-12/12HP/12F | Access L3 License | Layer-2 | CLI basic status checking. Requires licenses to unlock CLI full configuration in standalone mode.
XS3800-28 | XS3800-28 | Basic Routing License | Layer-3 | CLI full configuration in Standalone mode and Cloud mode.
1.1.1 License Option
At the time of writing, the following Switch licenses unlock the below services as shown in the table. The licenses are valid for the lifetime of the Switch.
You can register your Switch and manage the Switch licenses at www.myzyxel.com. See Section 79.1 on page 310 for the license registration information.
Note: You cannot use the unlocked services in Stacking mode and Cloud mode.
Note: See your Switch’s datasheet for the default feature specification.
Table 3 Switch License Comparison
LICENSE NAME: Basic Routing License
MODEL/SERIES: XS3800-28
LICENSED SERVICES:
• RIPv1,v2
• OSPF v2
• DVMRP
• IGMP
• L3 Loopback Interface
Note: XS3800-28 supports all Access L3 License features by default.
LICENSE NAME: Access L3 License
MODEL/SERIES: XMG1930 Series, XS1930 Series
LICENSED SERVICES:
• CLI (Command Line Interface) configuration
Note: This management method is supported using the console port (XMG1930 only), telnet or SSH.
• IP Address table (up to 1,024 entries)
• MAC Address table (up to 32,000 entries)
• SNMP (Simple Network Management Protocol) Trap
• Private MIB (Management Information Base)
• Auto PD (powered device) Recovery
• Flex Link (primary/backup link)
• OAM (Operations, Administration and Maintenance)
• Asymmetric Flow Control
• BPDU (Bridge Protocol Data Units) Control
• ZULD (Zyxel Unidirectional Link Detection)
• MAC Pinning
• IGMP Snooping Smart Forward
• IPv6 Multicast
• MLD Snooping Proxy
• MVR (Multicast VLAN Registration) configuration
• Diffserv (Differentiated Services)
• sFlow (sampled Flow) agent
• MRSTP (Multiple Rapid Spanning Tree Protocol)
• Subnet / Protocol / MAC Based VLANs
• 802.1Q Static VLANs (up to 4,094 entries)
• VLAN Isolation / Mapping / Stacking
• Selective QinQ
• DHCP Server Guard
• IPv4 Static Route (up to 64 entries)
• IPv6 Static Route (up to 64 entries)
• Multiple TACACS+ (Terminal Access Controller Access Control System) Server
• TACACS+ Authentication
• TACACS+ Accounting
• IPv4 Classifier (up to 256 entries)
• Policy Rule (up to 384 entries)
• Anti-Arpscan (Address Resolution Protocol scan)
• BPDU (Bridge Protocol Data Units) Guard
• Errdisable (Error-Disable)
• IPv4 / IPv6 Source Guard
• ARP (Address Resolution Protocol) Freeze
• ARP Inspection
• MAC Authentication per VLAN
• Compound Authentication
• MAC Freeze
• Auto Configuration file download
• DHCP Client Option 60
• Networked AV Mode
• IPv6 NS (Neighbor Solicitation) Tracking
• CLV Mode
Table 4 Services With Access L3 License Comparison
SERVICES | WITHOUT ACCESS L3 LICENSE | WITH ACCESS L3 LICENSE
IP Address table | up to 512 entries | up to 1,024 entries
MAC Address table | up to 16,000 entries | up to 32,000 entries
802.1Q Static VLANs | up to 1,024 entries | up to 4,094 entries
IPv4 Static Route | up to 32 entries | up to 64 entries
IPv6 Static Route | up to 32 entries | up to 64 entries
IPv4 Classifier | up to 128 entries | up to 256 entries
Policy Rule | up to 256 entries | up to 384 entries
If your Switch needs to be replaced due to certain causes, contact our support team for the license transfer process.

1.2 Stacking Mode

The Switch can work in Stacking mode and directly connect to other switches. The switches then operate together and act as a single switch or a virtual chassis. The stackable switches can be managed from a master switch in the stack. See Section 82.1 on page 320 for more information about stacking and the stacking commands.
Figure 1 Stacking Example
The following Switches support stacking at the time of writing.
Table 5 Switch Models that Support Stacking
SERIES/MODELS | MAXIMUM SWITCHES ALLOWED PER STACK
XS3800-28 | 4

1.3 Switch-specific Features

The following features and commands are only supported by certain Switches.
Table 6 Switch-specific Features
FEATURE/COMMAND | SUPPORTED MODEL/SERIES | QUICK LINKS
Fiber Module Rescue | XGS2220/XMG1930/XS1930 Series | reset sfp <port-list>
Green Ethernet – EEE | GS2220/XGS2220/XMG1930/XS1930 Series, XS3800-28 | green-ethernet eee
Green Ethernet – Auto Power Down | GS2220/XGS2220/XMG1930/XS1930 Series, XS3800-28 | green-ethernet auto-power-down
Green Ethernet – Short Reach | GS2220/XGS2220/XMG1930/XS1930 Series, XS3800-28 | green-ethernet short-reach
Trunk Non-unicast Traffic Criteria Settings | XS3800-28 | trunk non-unicast criteria <src|dst|port|src-mac|dst-mac|src-ip|dst-ip>
Hardware Monitor Commands | GS2220/XGS2220/XMG1930/XS1930 Series, XS3800-28 | Hardware Monitor Commands Overview
CHAPTER 2
Command Line Interface

2.1 CLI Overview

The command line interface provides a management interface where you can check the Switch status, interface statistics, and configure the Switch settings. The CLI is also helpful when you want to troubleshoot your configuration on the Switch.

2.2 Accessing the CLI

Use any of the following methods to access the CLI.
2.2.1 Console Port
1 Connect your computer to the console port on the Switch using the appropriate cable.
2 Use terminal emulation software with the following settings:
Table 7 Default Settings for the Console Port
SETTING | DEFAULT VALUE
Terminal Emulation | VT100
Baud Rate | 115200 bps
Parity | None
Number of Data Bits | 8
Number of Stop Bits | 1
Flow Control | None
3 Press [ENTER] to open the login screen.
2.2.2 Telnet
1 Connect your computer to one of the Ethernet ports.
2 Open a Telnet session to the Switch’s IP address. If this is your first login, use the default values.
Table 8 Default Management IP Address
SETTING | DEFAULT VALUE
IP Address | 192.168.1.1
Subnet Mask | 255.255.255.0
Make sure your computer IP address is in the same subnet, unless you are accessing the Switch through one or more routers.
2.2.3 SSH
1 Connect your computer to one of the Ethernet ports.
2 Use an SSH client program to access the Switch. If this is your first login, use the default values in Table 8 on page 15 and Table 9 on page 15. Make sure your computer IP address is in the same subnet, unless you are accessing the Switch through one or more routers.

2.3 Logging in

Use the administrator username and password. If this is your first login, use the default values.
Table 9 Default User Name and Password
SETTING | DEFAULT VALUE
User Name | admin
Password | 1234
Note: The Switch automatically logs you out of the management interface after 5 minutes of inactivity. If this happens to you, simply log back in again.

2.4 Using Shortcuts and Getting Help

This table identifies some shortcuts in the CLI, as well as how to get help.
Table 10 CLI Shortcuts and Help
COMMAND / KEYS | DESCRIPTION
history | Displays a list of recently-used commands.
(up/down arrow keys) | Scrolls through the list of recently-used commands. You can edit any command or press [ENTER] to run it again.
[CTRL]+U | Clears the current command.
[TAB] | Auto-completes the keyword you are typing if possible. For example, type config, and press [TAB]. The Switch finishes the word configure.
? | Displays the keywords and/or input values that are allowed in place of the ?.
help | Displays the (full) commands that are allowed in place of help.

2.5 Saving Your Configuration

When you run a command, the Switch saves any changes to its run-time memory. The Switch loses these changes if it is turned off or loses power. Use the write memory command in enable mode to save the current configuration permanently to non-volatile memory.
sysname# write memory
Note: You should save your changes after each CLI session. All unsaved configuration changes are lost once you restart the Switch.

2.6 Logging Out

Enter logout to log out of the CLI. You have to be in user, enable, or config mode. See Chapter 3 on page 17 for more information about modes.
CHAPTER 3

Privilege Level and Command Mode

3.1 Privilege Level and Command Mode Overview

This chapter introduces the CLI privilege levels and command modes.
• The privilege level determines whether or not a user can run a particular command.
• If a user can run a particular command, the user has to run it in the correct mode.

3.2 Privilege Levels

Every command has a privilege level (0 – 14). Users can run a command if the session’s privilege level is greater than or equal to the command’s privilege level. The session’s privilege level initially comes from the login account’s privilege level, though it is possible to change the session’s privilege level after logging in.
3.2.1 Privilege Levels for Commands
The privilege level of each command is listed in the Reference A-G chapters on page 29.
At the time of writing, commands have a privilege level of 0, 3, 13, or 14. The following table summarizes the types of commands at each of these privilege levels.
Table 11 Types of Commands at Different Privilege Levels
PRIVILEGE LEVEL | TYPES OF COMMANDS AT THIS PRIVILEGE LEVEL
0 | Display basic system information.
3 | Display configuration or status.
13 | Configure features except for login accounts, SNMP user accounts, the authentication method sequence and authorization settings, multiple logins, administrator and enable passwords, and configuration information display.
14 | Configure login accounts, SNMP user accounts, the authentication method sequence and authorization settings, multiple logins, and administrator and enable passwords, and display configuration information.
3.2.2 Privilege Levels for Login Accounts
You can manage the privilege levels for login accounts in the following ways:
• Using commands. Login accounts can be configured by the admin account or any login account with a privilege level of 14. See Chapter 47 on page 194.
• Using vendor-specific attributes in an external authentication server. See the User’s Guide for more information.
The admin account has a privilege level of 14, so the administrator can run every command. You cannot change the privilege level of the admin account.
3.2.3 Privilege Levels for Sessions
The session’s privilege level initially comes from the privilege level of the login account the user used to log in to the Switch. After logging in, the user can use the following commands to change the session’s privilege level.
3.2.3.1 enable Command
This command raises the session’s privilege level to 14. It also changes the session to enable mode (if not already in enable mode). This command is available in user mode or enable mode, and users have to know the enable password.
In the following example, the login account user0 has a privilege level of 0 but knows that the enable password is 123456. Afterwards, the session’s privilege level is 14, instead of 0, and the session changes to enable mode.
sysname> enable
Password: 123456
sysname#
The default enable password is 1234. Use this command to set the enable password.
password <password>
<password> consists of 1 – 32 alphanumeric characters. For example, the following command sets the enable password to 123456. See Section 62.2 on page 246 for more information about this command.
sysname(config)# password 123456
The password is sent in plain text and stored in the Switch’s buffers. Use this command to set the cipher password for password encryption.
password cipher <password>
<password> consists of 32 alphanumeric characters. For example, the following command encrypts the enable password with a 32-character cipher password. See Section 62.2 on page 246 for more information about this command.
sysname(config)# password cipher qwertyuiopasdfghjklzxcvbnm123456
3.2.3.2 enable <0–14> Command
This command raises the session’s privilege level to the specified level. It also changes the session to enable mode, if the specified level is 13 or 14. This command is available in user mode or enable mode, and users have to know the password for the specified privilege level.
In the following example, the login account user0 has a privilege level of 0 but knows that the password for privilege level 13 is pswd13. Afterwards, the session’s privilege level is 13, instead of 0, and the session changes to enable mode.
sysname> enable 13
Password: pswd13
sysname#
Users cannot use this command until you create passwords for specific privilege levels. Use the following command to create passwords for specific privilege levels.
password <password> privilege <0–14>
<password> consists of 1 – 32 alphanumeric characters. For example, the following command sets the password for privilege level 13 to pswd13. See Section 62.2 on page 246 for more information about this command.
sysname(config)# password pswd13 privilege 13
3.2.3.3 disable Command
This command reduces the session’s privilege level to 0. It also changes the session to user mode. This command is available in enable mode.
3.2.3.4 show privilege command
This command displays the session’s current privilege level. This command is available in user mode or enable mode.
sysname# show privilege
Current privilege level : 14

3.3 Command Modes

The CLI is divided into several modes. If a user has enough privilege to run a particular command, the user has to run the command in the correct mode. The modes that are available depend on the session’s privilege level.
3.3.1 Command Modes for Privilege Levels 0 – 12
If the session’s privilege level is 0 – 12, the user and all of the allowed commands are in user mode. Users do not have to change modes to run any allowed commands.
3.3.2 Command Modes for Privilege Levels 13 – 14
If the session’s privilege level is 13 – 14, the allowed commands are in one of several modes.
Table 12 Command Modes for Privilege Levels 13-14 and the Types of Commands in Each One
MODE | PROMPT | COMMAND FUNCTIONS IN THIS MODE
enable | sysname# | Display current configuration, diagnostics, maintenance.
config | sysname(config)# | Configure features other than those below.
config-interface | sysname(config-interface)# | Configure ports.
config-mvr | sysname(config-mvr)# | Configure multicast VLAN.
config-route-domain | sysname(config-if)# | Enable and enter configuration mode for an IPv4 or IPv6 routing domain.
config-dvmrp | sysname(config-dvmrp)# | Configure Distance Vector Multicast Routing Protocol (DVMRP).
config-igmp | sysname(config-igmp)# | Configure Internet Group Management Protocol (IGMP).
config-ma | sysname(config-ma)# | Configure a Maintenance Association (MA) in Connectivity Fault Management (CFM).
config-ospf | sysname(config-ospf)# | Configure Open Shortest Path First (OSPF) protocol.
config-rip | sysname(config-rip)# | Configure Routing Information Protocol (RIP).
config-vrrp | sysname(config-vrrp)# | Configure Virtual Router Redundancy Protocol (VRRP).
Each command is usually in one and only one mode. If a user wants to run a particular command, the user has to change to the appropriate mode. The command modes are organized like a tree, and users start in enable mode. The following table explains how to change from one mode to another.
Table 13 Changing Between Command Modes for Privilege Levels 13 – 14
MODE | ENTER MODE | LEAVE MODE
enable | – | -
config | configure | exit
config-interface | interface port-channel <port-list> | exit
config-mvr | mvr <1-4094> | exit
config-vlan | vlan <1-4094> | exit
config-route-domain | interface route-domain <ip-address>/<mask-bits> | exit
config-dvmrp | router dvmrp | exit
config-igmp | router igmp | exit
config-ospf | router ospf <router-id> | exit
config-rip | router rip | exit
config-vrrp | router vrrp network <ip-address>/<mask-bits> vr-id <1–7> uplink-gateway <ip-address> | exit

3.4 Listing Available Commands

Use the help command to view the executable commands on the Switch. You must have the highest privilege level in order to view all the commands. Follow these steps to create a list of supported commands:
1 Log into the CLI. This takes you to the enable mode.
2 Type help and press [ENTER]. A list comes up which shows all the commands available in enable mode.
The example shown next has been edited for brevity’s sake.
sysname# help
Commands available:
help
logout
exit
history
enable <0-14>
enable <cr>
.
.
traceroute <ip|host-name> [vlan <vlan-id>][..]
traceroute help
ssh <1|2> <[user@]dest-ip> <cr>
ssh <1|2> <[user@]dest-ip> [command </>]
sysname#
3 Copy and paste the results into a text editor of your choice. This creates a list of all the executable commands in the user and enable modes.
4 Type configure and press [ENTER]. This takes you to the config mode.
5 Type help and press [ENTER]. A list is displayed which shows all the commands available in config mode and all the sub-commands. The sub-commands are preceded by the command necessary to enter that sub-command mode. For example, the command name <name-str> as shown next, is preceded by the command used to enter the config-vlan sub-mode: vlan <1-4094>.
sysname# help
.
.
no arp inspection log-buffer logs
no arp inspection filter-aging-time
no arp inspection <cr>
vlan <1-4094>
vlan <1-4094> name <name-str>
vlan <1-4094> normal <port-list>
vlan <1-4094> fixed <port-list>
6 Copy and paste the results into a text editor of your choice. This creates a list of all the executable commands in config and the other submodes, for example, the config-vlan mode.
CHAPTER 4

Initial Setup

4.1 Initial Setup Overview

This chapter identifies tasks you might want to do when you first configure the Switch.

4.2 Changing the Administrator Password

Note: It is recommended you change the default administrator password. You can encrypt the password using the password encryption command. See Chapter 62 on page 246 for more information.
Use this command to change the administrator password.
admin-password <pw-string> <Confirm-string>
Up to 32 characters are allowed for the new password except [ ? ], [ | ], [ ' ], [ " ], [ space ], or [ , ].
sysname# configure
sysname(config)# admin-password t1g2y7i9 t1g2y7i9

4.3 Changing the Enable Password

Note: It is recommended you change the default enable password. You can encrypt the password using the password encryption command. See Chapter 62 on page 246 for more information.
Use this command to change the enable password.
password <password>
Up to 32 characters are allowed for the new password except [ ? ], [ | ], [ ' ], [ " ], [ space ], or [ , ].
sysname# configure
sysname(config)# password k8s8s3dl0

4.4 Prohibiting Concurrent Logins

By default, multiple CLI sessions are allowed through the console port or Telnet. See the User’s Guide for the maximum number of concurrent sessions for your Switch. Use this command to prohibit concurrent logins.
no multi-login
Console port has higher priority than Telnet. See Chapter 57 on page 221 for more multi-login commands.
sysname# configure
sysname(config)# no multi-login

4.5 Changing the Management IP Address

The Switch has a different IP address in each VLAN. By default, the Switch has VLAN 1 with IP address 192.168.1.1 and subnet mask 255.255.255.0. Use this command in config-vlan mode to change the management IP address in a specific VLAN.
ip address <ip> <mask>
This example shows you how to change the management IP address in VLAN 1 to 172.16.0.1 with subnet mask 255.255.255.0.
sysname# configure
sysname(config)# vlan 1
sysname(config-vlan)# ip address default-management 172.16.0.1 255.255.255.0
Note: Afterwards, you have to use the new IP address to access the Switch.

4.6 Changing the Out-of-band Management IP Address

If your Switch has a MGMT port (also referred to as the out-of-band management port), then the Switch can also be managed through this interface. By default, the MGMT port IP address is 192.168.0.1 and the subnet mask is 255.255.255.0. Use this command in config mode to change the out-of-band management IP address.
ip address <ip> <mask>
This example shows you how to change the out-of-band management IP address to 10.10.10.1 with subnet mask 255.255.255.0 and the default gateway 10.10.10.254.
sysname# configure
sysname(config)# ip address 10.10.10.1 255.255.255.0
sysname(config)# ip address default-gateway 10.10.10.254

4.7 Using Auto Configuration

Follow the steps below to set up configurations on the Switch, so you can load an auto configuration file automatically from a TFTP server when you reboot the Switch.
Note: You need to set up configurations on a DHCP server and TFTP server first to use auto configuration.
1 Use this command to enable auto configuration on the Switch.
auto-config
sysname# config
sysname(config)# auto-config
2 Use this command to enable the DHCP mode for auto configuration.
auto-config dhcp
sysname# config
sysname(config)# auto-config dhcp
3 Use this command to configure the Switch as a DHCP client.
ip address default-management dhcp-bootp
sysname# config
sysname(config)# vlan 1
sysname(config-vlan)# ip address default-management dhcp-bootp
4 Use this command to enable DHCP option 60.
ip address default-management dhcp-bootp option-60
When you enable DHCP option 60, make sure you set up a Vendor Class Identifier. The Vendor Class Identifier specifies the Zyxel Switch that should receive the auto configuration file. Skip this step if you are not enabling DHCP option 60.
sysname# config
sysname(config)# vlan 1
sysname(config-vlan)# ip address default-management dhcp-bootp option-60
5 Use this command to define a Vendor Class Identifier for DHCP option 60.
ip address default-management dhcp-bootp option-60 class-id <class-id>
In this example, we use “ZyxelCorp”. Skip this step if you don’t need to define a Vendor Class Identifier.
sysname# config
sysname(config)# vlan 1
sysname(config-vlan)# ip address default-management dhcp-bootp option-60 class-id ZyxelCorp
6 Use this command to check the settings for auto configuration.
show running-config
XGS2220# show running-config
Building configuration...

Current configuration:

vlan 1
  name 1
  normal ""
  fixed 1-50
  forbidden ""
  untagged 1-50
  ip address default-management dhcp-bootp
  ip address default-management dhcp-bootp option-60 class-id ZyxelCorp
exit
pwr mode consumption
auto-config
7 You need to save the current configuration in a configuration file, so the Switch will load the auto configuration files from the TFTP server automatically when rebooting. Use this command to save the current configuration in a configuration file.
write memory [<index>]
For [<index>], you can enter a value to save the current configuration to a specified configuration file. 1 is for Config 1, and 2 is for Config 2.
In this example, we save the current configuration to Config 1.
sysname# write memory 1
........................................................................
............................
8 Use this command to reboot the Switch.
reload config [1|2]
For [1|2], 1 is for Config 1, and 2 is for Config 2.
In this example, we load Config 1 to reboot the Switch.
sysname# reload config 1
Do you really want to reboot system with configuration file 1? [y/N]y
Bootbase Version: V1.00 | 06/13/2022
DRAM calibration...PASSED
RAM: Size = 131072 Kbytes
ZyNOS version : V4.80(ACCE.0) | 08/03/2022
Press any key to enter debug mode within 1 second.
....................
(Compressed)
Version: XGS2220, start: b4962430
Length: 16F0668, Checksum: 03AA
Compressed Length: 2EE424, Checksum: 87A5
Copyright (c) 1994 - 2017 Zyxel Communications Corp.
initialize mgmt, initialize switch, ethernet address: 00:19:cb:00:00:01
Initializing MSTP.............
Initializing VLAN Database...
Initializing IP Interface...
Initializing Advanced Applications...
Initializing Command Line Interface...
Initializing Web Interface...
Restore System Configuration...
Start Auto Configuration...
..............
Try to download and restore configuration file from TFTP://10.90.90.11/TestConf2
Downloading....
Get the file TestConf2, length 289 bytes.
Restoring......
Auto-config processes successfully.
Press ENTER to continue...
9 Use this command to check whether the auto configuration file was loaded successfully.
show auto-config
Mode: DHCP
State: Success
Filename: TFTP://10.90.90.11/TestConf2

4.8 Using Custom Default

Follow the steps below to set up configurations on the Switch, so you can load a customized default file when you reboot the Switch.
1 Use this command to enable custom default on the Switch.
custom-default
sysname# config
sysname(config)# custom-default
2 Use this command to save the current configuration settings permanently to a customized default file on the Switch.
copy running-config custom-default
sysname# copy running-config custom-default
........................................................................
............................
3 Use this command to reboot the system and load a saved customized default file on the Switch.
reload custom-default
sysname# reload custom-default
Do you really want to restore system to custom default settings and reboot?[y/N]y
.......
Bootbase Version: V1.00 | 06/13/2022
DRAM calibration...PASSED
RAM: Size = 131072 Kbytes
ZyNOS Version: V4.80(ACCE.0) | 08/03/2022
Press any key to enter debug mode within 1 second.
....................
(Compressed)
Version: XGS2220, start: b4962430
Length: 16F0668, Checksum: 03AA
Compressed Length: 2EE424, Checksum: 87A5
Copyright (c) 1994 - 2017 Zyxel Communications Corp.
initialize mgmt, initialize switch, ethernet address: 00:19:cb:00:00:01
Initializing MSTP.............
Initializing VLAN Database...
Initializing IP Interface...
Initializing Advanced Applications...
Initializing Command Line Interface...
Initializing Web Interface...
Restore System Configuration...
Press ENTER to continue...

4.9 Looking at Basic System Information

Use this command to look at general system information about the Switch.
show system-information
This is illustrated in the following example.
sysname# show system-information

Product Model : XGS2220-54FP
System Name : XGS2220
System Mode : Standalone
System Contact :
System Location :
System up Time : 1011:30:18 (d90bb588 ticks)
Ethernet Address : b8:ec:a3:ff:f2:a2
Bootbase Version : V1.00 | 06/13/2022
ZyNOS F/W Version : V4.80(ACCE.0) | 08/03/2022
Hardware Version : V1.0
Config Boot Image : 1
Current Boot Image : 1
Current Configuration : 1
RomRasSize : 6440206
Serial Number : S222L18090003
Register MAC Address : b8:ec:a3:ff:f2:a2
sysname#
See Table 278 on page 396 for more information about these attributes.

4.10 Looking at the Operating Configuration

Use this command to look at the current operating configuration.
show running-config
This is illustrated in the following example.
sysname# show running-config
Building configuration...

Current configuration:

vlan 1
  name 1
  normal ""
  fixed 1-52
  forbidden ""
  untagged 1-52
  ip address 192.168.1.1 255.255.255.0
exit
interface route-domain 192.168.1.1/24
exit
pwr mode consumption
PART II

Reference A-G

AAA Commands
ARP Commands
ARP Inspection Commands
ARP Learning Commands
Auto Configuration Commands
Bandwidth Control Commands
Broadcast Storm Commands
Certificates Commands
Classifier Commands
Cluster Commands
CLV Commands
Custom Default Commands
Date and Time Commands
DHCP Commands
DHCP Snooping and DHCP VLAN Commands
DiffServ Commands
Display Commands
DVMRP Commands
Error Disable and Recovery Commands
Ethernet OAM Commands
External Alarm Commands
GARP Commands
Green Ethernet Commands
GVRP Commands

CHAPTER 5

AAA Commands

5.1 Command Summary

Use these commands to configure authentication, authorization and accounting on the Switch.
The following section lists the commands for this feature.
Table 14 aaa authentication Command Summary
COMMAND | DESCRIPTION | M | P
show aaa authentication | Displays what methods are used for authentication. | E | 3
show aaa authentication enable | Displays the authentication methods for checking privilege level of administrators. | E | 3
aaa authentication enable <method1> [<method2> ...] | Specifies the first, second, and third method used for checking privileges. method: local, radius, or tacacs+. | C | 14
no aaa authentication enable | Resets the method list for checking privileges to its default value. | C | 14
show aaa authentication login | Displays the authentication methods for administrator login accounts. | E | 3
aaa authentication login <method1> [<method2> ...] | Specifies which method should be used first, second, and third for the authentication of login accounts. method: local, radius, or tacacs+. | C | 14
no aaa authentication login | Resets the method list for the authentication of login accounts to its default value. | C | 14
Table 15 aaa accounting Command Summary
COMMAND | DESCRIPTION | M | P
show aaa accounting | Displays accounting settings configured on the Switch. | E | 3
show aaa accounting update | Display the update period setting on the Switch for accounting sessions. | E | 3
aaa accounting update periodic <1-2147483647> | Sets the update period (in minutes) for accounting sessions. This is the time the Switch waits to send an update to an accounting server after a session starts. | C | 13
no aaa accounting update | Resets the accounting update interval to the default value. | C | 13
show aaa accounting commands | Displays accounting settings for recording command events. | E | 3
aaa accounting commands <privilege> stop-only tacacs+ [broadcast] | Enables accounting of command sessions and specifies the minimum privilege level (0 – 14) for the command sessions that should be recorded. Optionally, sends accounting information for command sessions to all configured accounting servers at the same time. | C | 13
no aaa accounting commands | Disables accounting of command sessions on the Switch. | C | 13
show aaa accounting dot1x | Displays accounting settings for recording IEEE 802.1x session events. | E | 3
aaa accounting dot1x <start-stop|stop-only> <radius|tacacs+> [broadcast] | Enables accounting of IEEE 802.1x authentication sessions and specifies the mode and protocol method. Optionally, sends accounting information for IEEE 802.1x authentication sessions to all configured accounting servers at the same time. | C | 13
no aaa accounting dot1x | Disables accounting of IEEE 802.1x authentication sessions on the Switch. | C | 13
show aaa accounting exec | Displays accounting settings for recording administrative sessions through SSH, Telnet or the console port. | E | 3
aaa accounting exec <start-stop|stop-only> <radius|tacacs+> [broadcast] | Enables accounting of administrative sessions through SSH, Telnet and console port and specifies the mode and protocol method. Optionally, sends accounting information for administrative sessions through SSH, Telnet and console port to all configured accounting servers at the same time. | C | 13
no aaa accounting exec | Disables accounting of administrative sessions through SSH, Telnet or console on the Switch. | C | 13
show aaa accounting system | Displays accounting settings for recording system events, for example system shut down, start up, accounting enabled or accounting disabled. | E | 3
aaa accounting system <radius|tacacs+> [broadcast] | Enables accounting of system events and specifies the protocol method. Optionally, sends accounting information for system events to all configured accounting servers at the same time. | C | 13
no aaa accounting system | Disables accounting of system events on the Switch. | C | 13
Table 16 aaa authorization Command Summary
COMMAND | DESCRIPTION | M | P
show aaa authorization | Displays authorization settings configured on the Switch. | E | 3
show aaa authorization dot1x | Displays the authorization method used to allow an IEEE 802.1x client to have different bandwidth limit or VLAN ID assigned through the external server. | E | 3
show aaa authorization exec | Displays the authorization method used to allow an administrator which logs in the Switch through Telnet or SSH to have different access privilege level assigned through the external server. | E | 3
aaa authorization console | Enables authorization of allowing an administrator which logs in the Switch through the console port to have different access privilege level assigned through the external server. | C | 14
aaa authorization dot1x radius | Enables authorization for IEEE 802.1x clients using RADIUS. | C | 14
aaa authorization exec <radius|tacacs+> | Specifies which method (radius or tacacs+) should be used for administrator authorization. | C | 14
no aaa authorization console | Disables authorization of allowing an administrator which logs in the Switch through the console port to have different access privilege level assigned through the external server. | C | 14
no aaa authorization dot1x | Disables authorization for IEEE 802.1x clients using RADIUS. | C | 14
no aaa authorization exec | Disables authorization of allowing an administrator which logs in the Switch through Telnet or SSH to have different access privilege level assigned through the external server. | C | 14
Table 17 aaa encryption Command Summary
COMMAND | DESCRIPTION | M | P
aaa server key encryption | Enables AAA server key encryption. The Switch will store server (RADIUS, TACACS+) keys you set in an encrypted format instead of plain text to enhance key security. The encrypted secret (key) will be preceded by the word "key-cipher" in the configuration file (called running-config). Note: If a key is encrypted, it will remain in the encrypted format even if you later disable server key encryption. | C | 14
no aaa server key encryption | Disables AAA server key encryption. The encrypted server key will not be changed back to plain text. | C | 14

5.2 Command Example

This example enables AAA server key encryption, and sets the RADIUS server 1 (192.168.1.15) key.
sysname# config
sysname(config)# aaa server key encryption
sysname(config)# radius-server host 1 192.168.1.15 key 12345678
sysname(config)# exit
sysname#
Note: Be careful who can access configuration files with plain text keys!
Use the following command to display the current config. You can see the displayed server key is now encrypted.
sysname# show run
Building configuration...

Current configuration:

; Product Name = XS3800-28
; Firmware Version = V4.80(ABML.0)b7 | 04/07/2022
.
.
radius-server host 1 192.168.1.10 key-cipher ZJP4wRc/ 1eTprnqmowZWs7HDejwjanEb29g24zMH8XSEiKe5kN2b3Hhq7v7kTeXozkJc4dfP2BW hoKqLB
.
.
password encryption
aaa server key encryption
display aaa authentication authorization server
sysname#
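The warning about configuration files that hold plain-text keys can be checked mechanically. The following Python script is an added example, not part of the Zyxel guide: it scans a saved copy of the running configuration for radius-server keys stored with key instead of key-cipher, and for missing password encryption and aaa server key encryption statements. The sample configuration is constructed, and it is an assumption that each enabled feature appears as its own line, as in the show run output in this section.

```python
"""Audit a saved running-config for plain-text server keys (added example)."""

# Constructed sample in the style of the "show running-config" excerpts in
# this guide; the key values are made up.
SAMPLE_CONFIG = """\
; Product Name = EXAMPLE
vlan 1
  name 1
  ip address default-management dhcp-bootp
exit
radius-server host 1 192.168.1.15 key 12345678
radius-server host 2 192.168.1.16 key-cipher EXAMPLEonlyNOTaREALcipher
auto-config
"""


def server_key_form(line):
    """Return (index, ip, 'key' | 'key-cipher') for a radius-server host line.

    Returns None for any other line or when no key is configured on it.
    """
    tokens = line.split()
    if tokens[:2] != ["radius-server", "host"] or len(tokens) < 4:
        return None
    # The keyword must be followed by a value, hence the [4:-1] slice.
    for keyword in ("key-cipher", "key"):
        if keyword in tokens[4:-1]:
            return tokens[2], tokens[3], keyword
    return None


def audit_running_config(text):
    """Return findings as (line_number, code, message); line 0 = whole file.

    Secrets are never copied into the messages.
    """
    findings = []
    statements = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or header comment
            continue
        statements.add(line)
        parsed = server_key_form(line)
        # Checked per line: a key encrypted earlier stays key-cipher even if
        # encryption is disabled later, so the global flag alone proves nothing.
        if parsed and parsed[2] == "key":
            index, ip, _ = parsed
            findings.append((lineno, "plaintext-server-key",
                             f"radius-server host {index} ({ip}) key is stored in plain text"))
    # Assumption: an enabled feature shows up as its own statement.
    for required in ("aaa server key encryption", "password encryption"):
        if required not in statements:
            findings.append((0, "encryption-not-enabled",
                             f"'{required}' is not present"))
    if "auto-config" in statements:
        findings.append((0, "auto-config-enabled",
                         "the Switch loads a configuration file from a TFTP server at reboot"))
    return findings


if __name__ == "__main__":
    for lineno, code, message in audit_running_config(SAMPLE_CONFIG):
        print(f"line {lineno}: [{code}] {message}")
```

Run it against every archived configuration file, not only the live one, since older backups may predate the aaa server key encryption setting.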
CHAPTER 6

Anti-Arpscan

6.1 Anti-Arpscan Overview

Address Resolution Protocol (ARP), RFC 826, is a protocol used to convert a network-layer IP address to a link-layer MAC address. ARP scan is used to scan the network of a certain interface for live hosts. It shows the IP and MAC addresses of all hosts found. Hackers could use ARP scan to find targets in your network. Anti-arpscan is used to detect unusual ARP scan activity and block suspicious hosts or ports.
Unusual ARP scan activity is determined by port and host thresholds that you set. A port threshold is determined by the number of packets received per second on the port. If the received packet rate is over the threshold, then the port is put into an Err-Disable state. If this happens, you can manually return the port to its normal state after you identify the cause of the problem.
A host threshold is determined by the number of ARP-request packets received per second. There is a global threshold rate for all hosts. If the rate of a host is over the threshold, then that host is blocked by using a MAC address filter. A blocked host is released automatically after the MAC aging time expires.
Note: A port-based threshold must be larger than the host-based threshold or the host-based threshold will not work.
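The interaction between the two thresholds is easier to see on concrete traffic. The following Python model is an added example, not Zyxel code: it replays constructed ARP requests through per-second host and port counters and shows that a port threshold at or below the host threshold puts the whole port into Err-Disable before the scanning host is ever blocked. The counting order and the one-second buckets are assumptions of the model; the threshold ranges come from the anti arpscan commands in the Command Summary.

```python
"""Simplified model of anti-arpscan host and port thresholds (added example)."""
import ipaddress
from collections import Counter

HOST_RANGE = range(2, 101)   # anti arpscan host threshold <2-100>
PORT_RANGE = range(2, 256)   # anti arpscan port threshold <2-255>


def check_thresholds(host_threshold, port_threshold):
    """Return a list of problems with a host/port threshold pair."""
    problems = []
    if host_threshold not in HOST_RANGE:
        problems.append("host threshold outside 2-100")
    if port_threshold not in PORT_RANGE:
        problems.append("port threshold outside 2-255")
    if port_threshold <= host_threshold:
        problems.append("port threshold must be larger than host threshold")
    return problems


def simulate(packets, host_threshold, port_threshold,
             trusted_hosts=(), trusted_ports=()):
    """Replay ARP requests given as (second, port, source_ip) in arrival order.

    Simplified model (an assumption, not the Switch's implementation):
    counters are kept per one-second bucket, the port is checked before the
    host, and nothing more is counted for a blocked host or a disabled port.
    trusted_hosts is a list of (ip, mask) pairs, as in "anti arpscan trust host".
    """
    trusted_nets = [ipaddress.ip_network(f"{ip}/{mask}", strict=False)
                    for ip, mask in trusted_hosts]
    per_port, per_host = Counter(), Counter()
    blocked_hosts, disabled_ports = [], []
    for second, port, source_ip in packets:
        if port in disabled_ports or source_ip in blocked_hosts:
            continue
        address = ipaddress.ip_address(source_ip)
        if any(address in net for net in trusted_nets):
            continue                          # anti-arpscan skips trusted hosts
        if port not in trusted_ports:
            per_port[(second, port)] += 1
            if per_port[(second, port)] > port_threshold:
                disabled_ports.append(port)   # port goes into Err-Disable
                continue
        per_host[(second, source_ip)] += 1
        if per_host[(second, source_ip)] > host_threshold:
            blocked_hosts.append(source_ip)   # MAC address filter applied
    return {"blocked_hosts": blocked_hosts, "err_disabled_ports": disabled_ports}


def constructed_traffic():
    """One second of constructed traffic: a scanner and a quiet host on port 3."""
    packets = []
    for i in range(60):
        packets.append((0, 3, "192.168.1.50"))        # scanning host
        if i in (5, 40):
            packets.append((0, 3, "192.168.1.20"))    # normal host, same port
    packets += [(0, 5, "192.168.1.30")] * 3           # normal host, other port
    return packets


if __name__ == "__main__":
    for host_t, port_t in ((20, 50), (20, 10)):
        print(host_t, port_t, check_thresholds(host_t, port_t),
              simulate(constructed_traffic(), host_t, port_t))
```

With the thresholds 20 and 50 only the scanning host is blocked; with 20 and 10 the port is disabled instead, which also cuts off the normal host on the same port.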

6.2 Command Summary

The following table describes user-input values available in multiple commands for this feature.
Table 18 Interface Command Values
COMMAND | DESCRIPTION
port-list | A list of one or more ports, separated by commas with no spaces. The list may also contain ranges of ports signified by a hyphen. For example: 1,3,5–8,10.
The following section lists the commands for this feature.
Table 19 anti arpscan Command Summary
COMMAND | DESCRIPTION | M | P
anti arpscan | Enables Anti-arpscan on the Switch. | C | 13
anti arpscan host threshold <2-100> | Sets the maximum number of ARP-request packets allowed by a host before it is blocked. If the rate of a host is over the threshold, then that host is blocked by using a MAC address filter. A blocked host is released automatically after the MAC aging time expires. | C | 13
anti arpscan port threshold <2-255> | Sets the maximum number of packets per second allowed on the port before it is blocked. | C | 13
anti arpscan trust host <ip-address> <mask> [ name <name> ] | Creates a trusted host identified by IP address and subnet mask. Anti-arpscan is not performed on trusted hosts. | C | 13
clear anti arpscan host | Unblocks all hosts. | E | 13
clear anti arpscan host interface port-channel <port-list> | Unblocks all hosts connected to the specified ports. | E | 13
interface port-channel <port-list> | Enters config-interface mode for the specified ports. | C | 13
anti arpscan trust | Sets the port as a trusted port. This prevents the port from being shutdown due to receiving too many ARP messages. | C | 13
no anti arpscan | Disables Anti-arpscan on the Switch. | C | 13
no anti arpscan host threshold | Resets the host threshold to its default value. | C | 13
no anti arpscan port threshold | Resets the port threshold to its default value. | C | 13
no anti arpscan trust host <ip-address> <mask> | Removes a trusted host. | C | 13
show anti arpscan | Displays what ports are trusted and are forwarding traffic or are disabled. | E | 3
show anti arpscan host | Displays the host that has been blocked. | E | 3
CHAPTER 7

ARP Commands

7.1 Command Summary

Use these commands to view and configure the ARP table on the Switch. The ARP table contains IP-to-MAC address mappings for network devices connected to the Switch.
The following table describes user-input values available in multiple commands for this feature.
Table 20 Interface Command Values
COMMAND | DESCRIPTION
port-list | A list of one or more ports, separated by commas with no spaces. The list may also contain ranges of ports signified by a hyphen. For example: 1,3,5–8,10.
The following section lists the commands for this feature.

Table 21 arp Command Summary

| COMMAND | DESCRIPTION | M | P |
|---|---|---|---|
| arp aging-time <60-1000000> | Sets how long dynamically learned ARP entries remain in the ARP table before they age out (and must be relearned). | C | 13 |
| arp name <name> ip <ip-address> mac <mac-addr> vlan <vlan-id> interface port-channel <port-list> | Creates a static ARP entry which will not age out. | C | 13 |
| arp name <name> ip <ip-address> mac <mac-addr> vlan <vlan-id> interface port-channel <port-list> inactive | Creates a static ARP entry but disables it. | C | 13 |
| no arp ip <ip-address> mac <mac-addr> vlan <vlan-id> | Deletes a static ARP entry from the ARP table. | C | 13 |
| no arp ip <ip-address> mac <mac-addr> vlan <vlan-id> inactive | Enables the specified static ARP entry. | C | 13 |
| show ip arp | Displays the ARP table. | E | 3 |
| show ip arp count | Displays the number of ARP entries in the ARP table. | E | 3 |
| clear ip arp | Removes all of the dynamic entries from the ARP table. | E | 13 |
| clear ip arp interface port-channel <port-list> | Removes the dynamic entries learned on the specified port. | E | 13 |
| clear ip arp ip <ip-address> | Removes the dynamic entries learned with the specified IP address. | E | 13 |

7.2 Command Examples

This example creates a static ARP entry and shows the ARP table on the Switch.

    sysname# config
    sysname(config)# arp name test ip 192.168.1.99 mac 00:c5:d8:01:23:45 vlan 1 interface port-channel 3
    sysname(config)# exit
    sysname# show ip arp
    Index  IP             MAC                VLAN  Port  Age(s)  Type
    1      192.168.1.1    00:19:cb:37:00:49  1     CPU   0       static
    2      192.168.1.99   00:c5:d8:01:23:45  1     3     0       static
    3      192.168.2.1    00:19:cb:37:00:49  465   CPU   0       static
    sysname#

The following table describes the labels in this screen.

Table 22 show ip arp

| LABEL | DESCRIPTION |
|---|---|
| Index | This field displays the index number. |
| IP | This field displays the learned IP address of the device. |
| MAC | This field displays the MAC address of the device. |
| VLAN | This field displays the VLAN to which the device belongs. |
| Port | This field displays the number of the port from which the IP address was learned. CPU indicates this IP address is the Switch’s management IP address. |
| Age(s) | This field displays how long the entry remains valid. |
| Type | This field displays how the entry was learned. dynamic: The Switch learned this entry from ARP packets. |

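An added example, not part of the original guide: a Python parser for the `show ip arp` output above that compares the table with an expected IP-to-MAC inventory and flags one MAC address appearing for several IP addresses on a non-CPU port. Rows 4 and 5 of the sample and the inventory are constructed, and the parser assumes whitespace-separated columns as printed in the guide.

```python
from collections import defaultdict

# Rows 1-3 are the guide's sample output; rows 4-5 are constructed for this example.
SAMPLE = """\
sysname# show ip arp
Index  IP             MAC                VLAN  Port  Age(s)  Type
1      192.168.1.1    00:19:cb:37:00:49  1     CPU   0       static
2      192.168.1.99   00:c5:d8:01:23:45  1     3     0       static
3      192.168.2.1    00:19:cb:37:00:49  465   CPU   0       static
4      192.168.1.50   00:c5:d8:aa:bb:01  1     5     120     dynamic
5      192.168.1.51   00:c5:d8:aa:bb:01  1     5     95      dynamic
sysname#
"""

# Constructed inventory: (IP, VLAN) -> MAC address the operator expects to see.
EXPECTED = {
    ("192.168.1.99", 1): "00:c5:d8:01:23:45",
    ("192.168.1.50", 1): "00:c5:d8:aa:bb:02",
}

FIELDS = ("index", "ip", "mac", "vlan", "port", "age", "type")


def parse_show_ip_arp(text):
    """Return one dict per table row; prompts, the header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != len(FIELDS) or not cols[0].isdigit():
            continue
        row = dict(zip(FIELDS, cols))
        row["mac"] = row["mac"].lower()
        row["vlan"] = int(row["vlan"])
        entries.append(row)
    return entries


def audit(entries, expected):
    """Flag entries that contradict the inventory and MACs mapped to several IPs."""
    findings = []
    ips_by_mac = defaultdict(set)
    for e in entries:
        want = expected.get((e["ip"], e["vlan"]))
        if want is not None and want.lower() != e["mac"]:
            findings.append(("mac-mismatch", e["ip"], e["vlan"], e["mac"], want.lower()))
        # Port "CPU" marks the Switch's own management addresses, which
        # legitimately share one MAC address, so they are not counted here.
        if e["port"] != "CPU":
            ips_by_mac[(e["mac"], e["vlan"])].add(e["ip"])
    for (mac, vlan), ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            findings.append(("shared-mac", mac, vlan, sorted(ips)))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_ip_arp(SAMPLE), EXPECTED):
        print(finding)
```
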
Chapter 8 ARP Inspection Commands


8.1 ARP Inspection Overview

ARP (Address Resolution Protocol) allows network devices to discover each other’s MAC addresses in order to communicate. For example, when Device A wants to send data to Device B, Device A broadcasts an ARP request within its broadcast domain, requesting the MAC address of Device B. Device B replies with an ARP response packet containing its MAC address and IP address.
Malicious devices can take advantage of this process by intercepting ARP requests and broadcasting spoofed ARP responses. For example, malicious Device C receives the ARP request sent from Device A and responds with an ARP packet containing its own MAC address and Device B’s IP address. Now all traffic meant for Device B is sent to Device C, allowing Device C to perform a man-in-the-middle attack.
ARP Inspection prevents this type of attack by ensuring the Switch only relays non-malicious ARP responses.
8.1.1 ARP Inspection Process
When ARP Inspection is enabled, the Switch performs the following actions:
1 The Switch intercepts an ARP packet that is being sent through an untrusted port.
2 The Switch verifies that the ARP packet is valid, meaning that it contains correctly formatted data, and drops the packet if it is invalid.
3 The Switch compares the IP-to-MAC-address mapping in the ARP packet to a list of trusted mappings. The trusted list is created automatically by DHCP Snooping, and also contains all static IP Source Binding table entries. If the packet’s IP-to-MAC-address mapping is not on the trusted list, the Switch drops the packet and then creates a MAC address filter to block all traffic from the source MAC address and from the source VLAN ID of the ARP packet.
4 The Switch optionally logs the event.
Note: You can mark ports as trusted or untrusted. The Switch only inspects ARP packets from untrusted ports. Typically, you should only mark a port as trusted if the port is connected to another switch that also has ARP Inspection enabled.
Note: By default, the Switch performs ARP inspection on all VLANs. However, you can limit ARP inspection to specific VLANs in order to save CPU resources.
8.1.2 ARP Packet Rate Limiting
Inspecting ARP packets consumes the Switch CPU resources. This allows a malicious device to perform a denial-of-service (DoS) attack on the Switch by broadcasting a very high number of ARP packets.
ARP packet rate limiting prevents these types of attacks, by limiting the number of packets per second (PPS) that a port inspects. If this limit is exceeded, the port enters an error state and drops all ARP packets.
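
The decision flow in 8.1.1 and the rate limit in 8.1.2, modelled as an added Python example (not Zyxel code and not part of the original guide). The class and field names, the addresses and the one-second counting window are assumptions made for illustration; the 15 pps default and the 300-second filter aging value are the figures that appear in this guide.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

MAC_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}")


@dataclass(frozen=True)
class ArpPacket:
    port: int
    vlan: int
    sender_mac: str
    sender_ip: str


@dataclass
class ArpInspector:
    """Toy model of sections 8.1.1 and 8.1.2; not the Switch's firmware logic."""
    trusted_ports: set
    bindings: set                        # {(ip, mac, vlan)}: DHCP snooping + static bindings
    rate_limit_pps: Optional[int] = 15   # None models "no arp inspection limit"
    filter_aging: int = 300              # seconds a MAC address filter stays in place
    filters: dict = field(default_factory=dict)    # (mac, vlan) -> expiry time
    err_ports: set = field(default_factory=set)    # ports in the error state
    log: list = field(default_factory=list)
    _window: dict = field(default_factory=dict)    # port -> (second, packets seen)

    def _over_rate(self, port, now):
        if self.rate_limit_pps is None:
            return False
        second = int(now)
        start, count = self._window.get(port, (second, 0))
        if start != second:              # a new one-second window begins
            count = 0
        self._window[port] = (second, count + 1)
        return count + 1 > self.rate_limit_pps

    @staticmethod
    def _well_formed(pkt):
        if not MAC_RE.fullmatch(pkt.sender_mac.lower()):
            return False
        try:
            ipaddress.IPv4Address(pkt.sender_ip)
        except ValueError:
            return False
        return True

    def handle(self, pkt, now):
        """Return (verdict, reason) for one ARP packet seen at time `now` in seconds."""
        if pkt.port in self.trusted_ports:
            return ("forward", "trusted-port")       # trusted ports are not inspected
        if pkt.port in self.err_ports:
            return ("drop", "port-error-state")      # 8.1.2: all ARP packets dropped
        if self._over_rate(pkt.port, now):
            self.err_ports.add(pkt.port)
            return ("drop", "rate-exceeded")
        key = (pkt.sender_mac.lower(), pkt.vlan)
        expiry = self.filters.get(key)
        if expiry is not None:
            if now < expiry:
                return ("drop", "mac-filter")        # filter from an earlier violation
            del self.filters[key]                    # filter aged out
        if not self._well_formed(pkt):
            return ("drop", "invalid-format")        # step 2
        if (pkt.sender_ip, key[0], pkt.vlan) not in self.bindings:
            self.filters[key] = now + self.filter_aging                  # step 3
            self.log.append((now, pkt.port, pkt.vlan, key[0], pkt.sender_ip, "deny"))  # step 4
            return ("drop", "no-binding")
        return ("forward", "binding-match")


def demo():
    """Replay constructed traffic: a bound host, a spoofer, then a burst on port 3."""
    insp = ArpInspector(trusted_ports={24},
                        bindings={("192.168.1.10", "00:19:cb:00:00:0a", 1)},
                        rate_limit_pps=5)
    host = ArpPacket(1, 1, "00:19:cb:00:00:0a", "192.168.1.10")
    spoof = ArpPacket(2, 1, "00:c5:d8:01:23:45", "192.168.1.10")
    results = [insp.handle(host, 0), insp.handle(spoof, 0), insp.handle(spoof, 10)]
    burst = ArpPacket(3, 1, host.sender_mac, host.sender_ip)
    results += [insp.handle(burst, 50) for _ in range(7)]
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

In the replay, the spoofed mapping is dropped once for having no binding and then by the MAC address filter it triggered, while the seventh packet of the burst is dropped only because the port is already in the error state.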

8.2 Command Summary

The following table describes user-input values available in multiple commands for this feature.

Table 23 Interface Command Values

| COMMAND | DESCRIPTION |
|---|---|
| port-list | A list of one or more ports, separated by commas with no spaces. The list may also contain ranges of ports signified by a hyphen. For example: 1,3,5-8,10. |

The following section lists the commands for this feature.

Table 24 arp inspection Command Summary

| COMMAND | DESCRIPTION | M | P |
|---|---|---|---|
| arp inspection | Enables ARP inspection on the Switch. You still have to enable ARP inspection on specific VLAN and specify trusted ports. | C | 13 |
| no arp inspection | Disables ARP inspection on the Switch. | C | 13 |
| show arp inspection | Displays ARP inspection configuration details. | E | 3 |
| clear arp inspection statistics | Removes all ARP inspection statistics on the Switch. | E | 3 |
| clear arp inspection statistics vlan <vlan-list> | Removes ARP inspection statistics for the specified VLANs. | E | 3 |
| show arp inspection statistics | Displays all ARP inspection statistics on the Switch. | E | 3 |
| show arp inspection statistics vlan <vlan-list> | Displays ARP inspection statistics for the specified VLANs. | E | 3 |

Table 25 Command Summary: arp inspection filter

| COMMAND | DESCRIPTION | M | P |
|---|---|---|---|
| show arp inspection filter [<mac-addr>] [vlan <vlan-id>] | Displays the current list of MAC address filters that were created because the Switch identified an unauthorized ARP packet. Optionally, lists MAC address filters based on the MAC address or VLAN ID in the filter. | E | 3 |
| clear arp inspection filter | Deletes all ARP inspection filters from the Switch. | E | 13 |
| arp inspection filter-aging-time <1-2147483647> | Specifies how long (1 – 2147483647 seconds) MAC address filters remain in the Switch after the Switch identifies an unauthorized ARP packet. The Switch automatically deletes the MAC address filter afterwards. | C | 13 |
| arp inspection filter-aging-time none | Specifies the MAC address filter to be permanent. | C | 13 |
| no arp inspection filter-aging-time | Resets how long (1 – 2147483647 seconds) the MAC address filter remains in the Switch after the Switch identifies an unauthorized ARP packet to the default value. | C | 13 |

Table 26 Command Summary: arp inspection log

| COMMAND | DESCRIPTION | M | P |
|---|---|---|---|
| show arp inspection log | Displays the log settings configured on the Switch. It also displays the log entries recorded on the Switch. | E | 3 |
| clear arp inspection log | Delete all ARP inspection log entries from the Switch. | E | 13 |
| arp inspection log-buffer entries <0-1024> | Specifies the maximum number (1 – 1024) of log messages that can be generated by ARP packets and not sent to the syslog server. If the number of log messages in the Switch exceeds this number, the Switch stops recording log messages and simply starts counting the number of entries that were dropped due to unavailable buffer. | C | 13 |
| arp inspection log-buffer logs <0-1024> interval <0-86400> | Specifies the number of syslog messages that can be sent to the syslog server in one batch and how often (1 – 86400 seconds) the Switch sends a batch of syslog messages to the syslog server. | C | 13 |
| no arp inspection log-buffer entries | Resets the maximum number (1 – 1024) of log messages that can be generated by ARP packets and not sent to the syslog server to the default value. | C | 13 |
| no arp inspection log-buffer logs | Resets the maximum number of syslog messages the Switch can send to the syslog server in one batch to the default value. | C | 13 |

Table 27 Command Summary: interface arp inspection

| COMMAND | DESCRIPTION | M | P |
|---|---|---|---|
| show arp inspection interface port-channel <port-list> | Displays the ARP inspection settings for the specified ports. | E | 3 |
| interface port-channel <port-list> | Enters config-interface mode for the specified ports. | C | 13 |
| arp inspection trust | Sets the ports to be trusted. The Switch does not inspect or discard ARP packets passing through the ports. | C | 13 |
| no arp inspection trust | Sets the ports to be untrusted. The Switch inspects all ARP packets passing through the ports. | C | 13 |
| arp inspection limit rate <pps> | Limits the maximum number of ARP packets per second (pps) the ports accept. The Switch drops all packets that exceed the limit. The value must be in the range 0 – 2048. The default value is 15. | C | 13 |
| arp inspection limit rate <pps> burst interval <seconds> | Limits the maximum number of ARP packets per second (pps) the interface accepts within the specified time interval. After each burst interval, the pps count is reset. | C | 13 |
| no arp inspection limit | Sets no limit on the number of ARP packets per second (pps) the interface accepts. | C | 13 |

Table 28 Command Summary: arp inspection vlan

| COMMAND | DESCRIPTION | M | P |
|---|---|---|---|
| show arp inspection vlan <vlan-list> | Displays ARP inspection settings for the specified VLANs. | E | 3 |
| arp inspection vlan <vlan-list> | Enables ARP inspection on the specified VLANs. | C | 13 |
| no arp inspection vlan <vlan-list> | Disables ARP inspection on the specified VLANs. | C | 13 |
| arp inspection vlan <vlan-list> logging [all\|none\|permit\|deny] | Enables logging of ARP inspection events on the specified VLANs. Optionally specifies which types of events to log. | C | 13 |
| no arp inspection vlan <vlan-list> logging | Disables logging of messages generated by ARP inspection for the specified VLANs. | C | 13 |

8.3 Command Examples

This example enables ARP inspection on a range of ports, and limits the number of ARP packets per second to 5.

    sysname# configure
    sysname(config)# arp inspection
    sysname(config)# interface port-channel 1-3,8,10-100
    sysname(config)# no arp inspection trust
    sysname(config)# arp inspection limit rate 5

This example looks at the current list of MAC address filters that were created because the Switch identified an unauthorized ARP packet. When the Switch identifies an unauthorized ARP packet, it automatically creates a MAC address filter to block traffic from the source MAC address and source VLAN ID of the unauthorized ARP packet.

    sysname# show arp inspection filter
    Filtering aging timeout : 300
    MacAddress        VLAN Port  Expiry (sec) Reason
    ----------------- ---- ----- ------------ --------------
    Total number of bindings: 0

This example looks at log messages that were generated by ARP packets and that have not been sent to the syslog server yet.

    sysname# show arp inspection log
    Total Log Buffer Size : 32
    Syslog rate : 5 entries per 1 seconds
    Port Vlan Sender MAC        Sender IP       Pkts Reason     Time
    ---- ---- ----------------- --------------- ---- ---------- ------------------------
    Total number of logs: 0

This example displays whether ports are trusted or untrusted ports for ARP inspection.

    sysname# show arp inspection interface port-channel 1
    Interface Trusted State Rate (pps) Burst Interval
    --------- ------------- ---------- --------------
    1         Untrusted     15         1


Chapter 9 ARP Learning Commands

9.1 Command Summary

Use these commands to configure how the Switch updates the ARP table.
The following table describes user-input values available in multiple commands for this feature.

Table 29 Interface Command Values

| COMMAND | DESCRIPTION |
|---|---|
| port-list | A list of one or more ports, separated by commas with no spaces. The list may also contain ranges of ports signified by a hyphen. For example: 1,3,5-8,10. |

The following section lists the commands for this feature.

Table 30 arp-learning Command Summary

| COMMAND | DESCRIPTION | M | P |
|---|---|---|---|
| interface port-channel <port-list> | Enters config-interface mode for the specified ports. | C | 13 |
| arp-learning <arp-reply\|gratuitous-arp\|arp-request> | Sets the ARP learning mode the Switch uses on the port. arp-reply: the Switch updates the ARP table only with the ARP replies to the ARP requests sent by the Switch. gratuitous-arp: the Switch updates its ARP table with either an ARP reply or a gratuitous ARP request. A gratuitous ARP is an ARP request in which both the source and destination IP address fields are set to the IP address of the device that sends this request and the destination MAC address field is set to the broadcast address. arp-request: the Switch updates the ARP table with ARP replies, gratuitous ARP requests and ARP requests. | C | 13 |
| no arp-learning | Resets the ARP learning mode to its default setting (arp-reply). | C | 13 |

9.2 Command Examples

This example changes the ARP learning mode on port 8 from arp-reply to arp-request.

    sysname# configure
    sysname(config)# interface port-channel 8
    sysname(config-interface)# arp-learning arp-request

Chapter 10 Auto Configuration Commands

10.1 Auto Configuration Overview

The Switch can download a pre-saved auto configuration file automatically when you reboot the Switch using the DHCP or HTTPS mode. This will overwrite the running configuration stored in the Switch’s RAM instead of the startup configuration stored in the Switch’s flash memory.
You can use the DHCP mode to load an auto configuration file from a TFTP server automatically when you reboot the Switch. The Switch must have a dynamic IP address assigned by a DHCP server. Also, make sure the Switch can communicate with the TFTP server.
Note: You need to set up configurations on a DHCP server and TFTP server first to use auto configuration.

10.2 Command Summary

The following section lists the commands for this feature.

Table 31 auto-config Command Summary

| COMMAND | DESCRIPTION | M | P |
|---|---|---|---|
| auto-config | Enables auto configuration. When auto configuration is enabled, the Switch can receive an auto configuration file. | C | 14 |
| no auto-config | Disables auto configuration. | C | 14 |
| auto-config <dhcp \| https> | Selects the DHCP or HTTPS mode for auto configuration. dhcp: Enables the DHCP mode for auto configuration. When auto configuration DHCP is enabled, the Switch can receive an auto configuration file from a TFTP server. The location of the TFTP server is provided by a DHCP server. https: Enables the HTTPS mode for auto configuration. When auto configuration HTTPS is enabled, the Switch will use the URL you specified using the auto-config url command to access a web server and download the auto configuration file using HTTPS. | C | 14 |
| auto-config url <https://host/filename> | Types the URL that can be used to access and download the auto configuration file from a web server using HTTPS. For example, https://webserverIPaddressconfigfilename.cfg. | C | 14 |
| auto-config vlan <vlan-id> | Enters the VLAN ID of the DHCP server that assigns the TFTP server IP address and auto configuration file name to the Switch. | C | 14 |
| show auto-config | The following information is displayed: the mode that is used for auto configuration; the status to see whether an auto configuration file is successfully loaded to the Switch after you reboot the Switch; the name of the auto configuration file that is loaded after you reboot the Switch. | E | 3 |

See Chapter 97 on page 368 for the commands to enable and disable DHCP option 60.

10.3 Command Examples

See Section 4.7 on page 24 for an example of how to configure auto configuration using the DHCP mode on the Switch.

Chapter 11 Bandwidth Control Commands

11.1 Bandwidth Control Overview

Use these commands to configure the maximum allowable bandwidth for incoming or outgoing traffic flows on a port.
Note: Bandwidth management implementation differs across Switch models.
• Some models use a single command (bandwidth-limit ingress) to control the incoming rate of traffic on a port.
• Other models use two separate commands (bandwidth-limit cir and bandwidth-limit pir) to control the Committed Information Rate (CIR) and the Peak Information Rate (PIR) allowed on a port.
The CIR and PIR should be set for all ports that use the same uplink bandwidth. If the CIR is reached, packets are sent at the rate up to the PIR. When network congestion occurs, packets through the ingress port exceeding the CIR will be marked for drop.
Note: The CIR should be less than the PIR.
See Section 11.3 on page 48 and Section 11.4 on page 49 for examples.

11.2 Command Summary

The following table describes user-input values available in multiple commands for this feature.

Table 32 User-input Values: running-config

| COMMAND | DESCRIPTION |
|---|---|
| port-list | A list of one or more ports, separated by commas with no spaces. The list may also contain ranges of ports signified by a hyphen. For example: 1,3,5-8,10. |
| rate | The rate represents a bandwidth limit. Different models support different rate limiting incremental steps. See your User’s Guide for more information. |

The following section lists the commands for this feature.

Table 33 Command Summary: bandwidth-control & bandwidth-limit

| COMMAND | DESCRIPTION | M | P |
|---|---|---|---|
| show interfaces config <port-list> bandwidth-control | Displays the current settings for bandwidth control on the specified ports. | E | 3 |
| bandwidth-control | Enables bandwidth control on the Switch. | C | 13 |
| no bandwidth-control | Disables bandwidth control on the Switch. | C | 13 |
| interface port-channel <port-list> | Enters subcommand mode for configuring the specified ports. | C | 13 |
| bandwidth-limit ingress | Enables bandwidth limits for incoming traffic on the ports. | C | 13 |
| bandwidth-limit ingress <rate> | Sets the maximum bandwidth allowed for incoming traffic on the ports. | C | 13 |
| bandwidth-limit egress | Enables bandwidth limits for outgoing traffic on the ports. | C | 13 |
| bandwidth-limit egress <rate> | Sets the maximum bandwidth allowed for outgoing traffic on the ports. | C | 13 |
| no bandwidth-limit ingress | Disables ingress bandwidth limits on the specified ports. | C | 13 |
| no bandwidth-limit egress | Disables egress bandwidth limits on the specified ports. | C | 13 |
| bandwidth-limit cir | Enables commit rate limits on the specified ports. | C | 13 |
| bandwidth-limit cir <rate> | Sets the guaranteed bandwidth allowed for the incoming traffic flow on a port. The commit rate should be less than the peak rate. The sum of commit rates cannot be greater than or equal to the uplink bandwidth. Note: The sum of CIRs cannot be greater than or equal to the uplink bandwidth. | C | 13 |
| bandwidth-limit pir | Enables peak rate limits on the specified ports. | C | 13 |
| bandwidth-limit pir <rate> | Sets the maximum bandwidth allowed for the incoming traffic flow on the specified ports. | C | 13 |
| no bandwidth-limit cir | Disables commit rate limits on the specified ports. | C | 13 |
| no bandwidth-limit pir | Disables peak rate limits on the specified ports. | C | 13 |

11.3 Command Examples: ingress

This example sets the outgoing traffic bandwidth limit to 5000 Kbps and the incoming traffic bandwidth limit to 4000 Kbps for port 1.

    sysname# configure
    sysname(config)# bandwidth-control
    sysname(config)# interface port-channel 1
    sysname(config-interface)# bandwidth-limit egress 5000
    sysname(config-interface)# bandwidth-limit ingress 4000
    sysname(config-interface)# exit
    sysname(config)# exit

This example deactivates the outgoing bandwidth limit on port 1.

    sysname# configure
    sysname(config)# interface port-channel 1
    sysname(config-interface)# no bandwidth-limit egress
    sysname(config-interface)# exit
    sysname(config)# exit

11.4 Command Examples: cir & pir

This example sets the guaranteed traffic bandwidth limit on port 1 to 4000 Kbps and the maximum traffic bandwidth limit to 5000 Kbps for port 1.

    sysname# configure
    sysname(config)# bandwidth-control
    sysname(config)# interface port-channel 1
    sysname(config-interface)# bandwidth-limit cir
    sysname(config-interface)# bandwidth-limit cir 4000
    sysname(config-interface)# bandwidth-limit pir
    sysname(config-interface)# bandwidth-limit pir 5000
    sysname(config-interface)# exit
    sysname(config)# exit

This example displays the bandwidth limits configured on port 1.

    sysname# show running-config interface port-channel 1 bandwidth-limit
    Building configuration...
    Current configuration:
    interface port-channel 1
      bandwidth-limit cir 4000
      bandwidth-limit cir
      bandwidth-limit pir 5000
      bandwidth-limit pir

Chapter 12 BPDU Guard

12.1 BPDU Guard Overview

A BPDU (Bridge Protocol Data Unit) is a data frame that contains information about STP. STP-aware switches exchange BPDUs periodically.
The BPDU guard feature allows you to prevent any new STP-aware switch from connecting to an existing network and causing STP topology changes in the network. If there is any BPDU detected on the ports on which BPDU guard is enabled, the Switch disables the ports automatically. You can then enable the ports manually through the Web Configurator or the commands. With error-disable recovery, you can also have the ports become active after a certain time interval.

12.2 Command Summary

The following table describes user-input values available in multiple commands for this feature.

Table 34 Interface Command Values

| COMMAND | DESCRIPTION |
|---|---|
| port-list | A list of one or more ports, separated by commas with no spaces. The list may also contain ranges of ports signified by a hyphen. For example: 1,3,5-8,10. |

The following section lists the commands for this feature.

Table 35 bpduguard Command Summary

| COMMAND | DESCRIPTION | M | P |
|---|---|---|---|
| bpduguard | Enables BPDU guard on the Switch. | C | 13 |
| no bpduguard | Disables BPDU guard on the Switch. | C | 13 |
| interface port-channel <port-list> | Enters config-interface mode for the specified ports. | C | 13 |
| bpduguard | Enables BPDU guard on the ports. | C | 13 |
| no bpduguard | Disables BPDU guard on the ports. | C | 13 |
| show bpdupguard | Displays whether BPDU guard is enabled on the Switch and the port status. | E | 3 |

Chapter 13 Broadcast Storm Commands

Use these commands to limit the number of broadcast, multicast and destination lookup failure (DLF) packets the Switch receives per second on the ports.
Note: Broadcast storm control implementation differs across Switch models.
• Some models use a single command (bmstorm-limit) to control the combined rate of broadcast, multicast and DLF packets accepted on Switch ports.
• Other models use three separate commands (broadcast-limit, multicast-limit, dlf-limit) to control the number of individual types of packets accepted on Switch ports.
See Section 13.2 on page 52 and Section 13.3 on page 52 for examples.

13.1 Command Summary

The following table describes user-input values available in multiple commands for this feature.

Table 36 User-input Values: broadcast-limit, multicast-limit and dlf-limit

| COMMAND | DESCRIPTION |
|---|---|
| pkt/s | Specifies the maximum number of packets per second accepted by a Switch port. |
| port-list | A list of one or more ports, separated by commas with no spaces. The list may also contain ranges of ports signified by a hyphen. For example: 1,3,5-8,10. |

The following section lists the commands for this feature.

Table 37 Command Summary: storm-control, bmstorm-limit, and bstorm-control

| COMMAND | DESCRIPTION | M | P |
|---|---|---|---|
| show interfaces config <port-list> bstorm-control | Displays the current settings for broadcast storm control on the specified ports. | E | 3 |
| storm-control | Enables broadcast storm control on the Switch. | C | 13 |
| no storm-control | Disables broadcast storm control on the Switch. | C | 13 |
| interface port-channel <port-list> | Enters subcommand mode for configuring the specified ports. | C | 13 |
| bmstorm-limit | Enables broadcast storm control on the specified ports. | C | 13 |
| bmstorm-limit <rate> | Specifies the maximum rate at which the Switch receives broadcast, multicast, and destination lookup failure (DLF) packets on the specified ports. Different models support different rate limiting incremental steps. See your User’s Guide for more information. | C | 13 |
| no bmstorm-limit | Disables broadcast storm control on the specified ports. | C | 13 |
| broadcast-limit | Enables the broadcast packet limit on the specified ports. | C | 13 |
| broadcast-limit <pkt/s> | Specifies the maximum number of broadcast packets the Switch accepts per second on the specified ports. The Switch will generate a trap and/or log when the actual rate is higher than the specified threshold. | C | 13 |
| no broadcast-limit | Disables broadcast packet limit on the specified ports. | C | 13 |
| multicast-limit | Enables the multicast packet limit on the specified ports. | C | 13 |
| multicast-limit <pkt/s> | Specifies the maximum number of multicast packets the Switch accepts per second on the specified ports. The Switch will generate a trap and/or log when the actual rate is higher than the specified threshold. | C | 13 |
| no multicast-limit | Disables multicast packet limit on the specified ports. | C | 13 |
| dlf-limit | Enables the DLF packet limit on the specified ports. | C | 13 |
| dlf-limit <pkt/s> | Specifies the maximum number of DLF packets the Switch accepts per second on the specified ports. | C | 13 |
| no dlf-limit | Disables DLF packet limits on the specified ports. | C | 13 |

13.2 Command Example: bmstorm-limit

This example enables broadcast storm control on port 1 and limits the combined maximum rate of broadcast, multicast and DLF packets to 128 Kbps.

    sysname# configure
    sysname(config)# storm-control
    sysname(config)# interface port-channel 1
    sysname(config-interface)# bmstorm-limit
    sysname(config-interface)# bmstorm-limit 128
    sysname(config-interface)# exit
    sysname(config)# exit

13.3 Command Example: broadcast-limit, multicast-limit and dlf-limit

This example enables broadcast storm control on the Switch, and configures port 1 to accept up to:
128 broadcast packets per second,
256 multicast packets per second,
64 DLF packets per second.

    sysname# configure
    sysname(config)# storm-control
    sysname(config)# interface port-channel 1
    sysname(config-interface)# broadcast-limit
    sysname(config-interface)# broadcast-limit 128
    sysname(config-interface)# multicast-limit
    sysname(config-interface)# multicast-limit 256
    sysname(config-interface)# dlf-limit
    sysname(config-interface)# dlf-limit 64
    sysname(config)# exit
    sysname# show interfaces config 1 bstorm-control
    Broadcast Storm Control Enabled: Yes
    Port    Broadcast|Enabled    Multicast|Enabled    DLF-Limit|Enabled
    1       128 pkt/s|Yes        256 pkt/s|Yes        64 pkt/s|Yes

Chapter 14 Certificates Commands


14.1 Certificates Overview

The Switch can use HTTPS certificates that are verified by a third-party to create secure HTTPS connections between your computer and the Switch. This way, you may securely access the Switch using the Web Configurator. See Chapter 32 on page 113 for more information about HTTPS.
Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.
Use these commands to import an HTTPS certificate to the Switch. You can also clear or show the HTTPS certificate imported to the Switch.

14.2 Command Summary

The following section lists the commands for this feature.

Table 38 auto-config Command Summary

| COMMAND | DESCRIPTION | M | P |
|---|---|---|---|
| import certificate https | Imports the HTTPS certificate from the FTP server to the Switch. See Section 14.3 on page 55 for the example. Note: You need to upload an HTTPS certificate file to the FTP server first. The Switch is the FTP server. Note: In stacking mode, if synchronize certificates is enabled, then running this command on the Master Switch synchronizes the imported certificate to all stacking members (slave switches). | E | 13 |
| clear certificate https | Removes the HTTPS certificate uploaded to the Switch. | E | 13 |
| show https certificate | Displays the HTTPS certificates. | E | 3 |
| synchronize certificate | Allows the Master Switch in stacking mode to synchronize CA-signed certificates to stacking members (slave switches). The stacking members save the certificates to non-volatile memory. The Master Switch also deletes all CA-signed certificates on stacking members if the certificates do not exist on the Master Switch. | C | 13 |
| no synchronize certificate | Stops the Master Switch in stacking mode from synchronizing CA-signed certificates to all stacking members. | C | 13 |

In an IPv6 packet header, the "Next Header" field identifies the next level protocol. The following table shows some common IPv6 Next Header values.

Table 39 Common IPv6 Next Header Values

| PROTOCOL TYPE | VALUE |
|---|---|
| IPv6 Hop-by-Hop Option | 0 |
| IPv4 | 4 |
| TCP | 6 |
| UDP | 17 |
| IPv6 | 41 |
| Routing Header for IPv6 | 43 |
| Fragment Header for IPv6 | 44 |
| Encapsulation Security Payload | 50 |
| Authentication Header | 51 |
| ICMP for IPv6 | 58 |
| No Next Header for IPv6 | 59 |
| Destination Options for IPv6 | 60 |

14.3 Command Example

This example shows you how to import the HTTPS certificate to the Switch.
FTP Server
First, we need to upload an HTTPS certificate file to the FTP server. The Switch is the FTP server.
1 Select Start > All Programs > Accessories > Command Prompt.
2 Use the ftp <ip address> command and enter the Switch IP address to have your computer ping the Switch. In this example, we use the default out-of-band IP address (192.168.0.1) for the Switch IP address.
Use the default in-band management IP address (192.168.1.1), DHCP-assigned IP address, static IP address, or the default out-of-band IP address (192.168.0.1). It doesn’t matter which IP address you use as long as your computer can ping the Switch.
3 Enter the login username and password of the Switch. The default username is admin and associated default password is 1234.

    C:\Users>ftp 192.168.0.1
    Connected to 192.168.0.1
    220 XS3800 FTP version 1.0 ready at Fri Oct 19 05:14:22 2018
    User (192.168.0.1:(none)): admin
    331 Enter PASS command
    Password:
    230 Logged in
    ftp>

4 Enter the put <file name> https-cert command to upload an HTTPS certificate file to the Switch.

    ftp> put CAfile.pfx https-cert

The Switch
Access the CLI. See Chapter 1 on page 10 for more information about how to access the CLI.
1 Enter the import certificate https command to import the HTTPS certificate from the FTP server to the Switch.
2 Type the certificate file’s password that was created when the PKCS #12 file was exported.

    sysname# import certificate https
    Password:*****
    Import Successfully

Chapter 15 Classifier Commands


15.1 Classifier Overview

Use these commands to classify packets into traffic flows. After classifying traffic, policy commands (Chapter 64 on page 255) can be used to ensure that a traffic flow gets the requested treatment in the network.

15.2 Command Summary

The following section lists the commands for this feature.

Table 40 Command Summary: classifier

| COMMAND | DESCRIPTION | M | P |
|---|---|---|---|
| show classifier [<name>] | Displays classifier configuration details. | E | 3 |
| clear classifier match-count [<name>] | Removes the number of times all or the specified classifier rule is applied. | E | 3 |

classifier <name> < [weight <0-65535> ][packet- format <802.3untag|802.3tag| EtherIIuntag|EtherIItag>] [priority <0-7>] [ inner­priority <0-7> ] [vlan <vlan-id>] [ inner-vlan <vlan-id-list> ][ethernet- type <ether- num|ip|ipx|arp|rarp|appletal k|decnet|ipv6|IPv6>] [source-mac <src-mac-addr> [mask <mask>]] [source-port <port-list>] [ source-trunk <trunk-list> ] [ destination-port <port-list> ] [destination-mac <dest- mac-addr> [mask <mask>]] [ip-packet-length <0-65535> to <0-65525>] [dscp <0-63>] [precedence <0-7>] [tos <0- 255>] [ipv6-dscp <0-63>] [ipv6-dscp <0-63>] [ip­protocol <protocol- num|tcp|udp|icmp|egp| ospf|rsvp|igmp|igp|pim|ipsec > [establish-only]] [ipv6­next-header <protocol- num|tcp|udp|icmpv6> [establish-only]] [ipv6­next-header <protocol- num|tcp|udp|icmpv6> [establish-only]][source-ip <src-ip-addr> [mask-bits <mask-bits>]] [ipv6-source- ip <src-ipv6-addr> [prefix­length <prefix-length>] ] [ipv6-source-ip <src-ipv6- addr> [prefix-length <prefix-length>]] [source- socket <socket-num> [to <socket-num>] ]] [destination-ip <dest-ip- addr> [mask-bits <mask-
>]] [ipv6-destination-ip
bits
<dest-ipv6-addr> [prefix- length <prefix-length>] ] [ipv6-destination-ip <dest-
Configures a classifier. Specify the parameters to identify the traffic flow:
weight: Enter the weight the priority of the Classifier rule when the match order is in manual mode. A higher weight means a higher priority.
priority: Type 0 to classify traffic from any priority level or type a priority level with 1 being the highest priority.
• inner-priority: Type 0 to classify traffic from any inner priority level or type a priority level with 1 being the highest priority.
• vlan-id: Type 0 to classify traffic from any VLAN or type a specific VLAN ID number.
• inner-vlan-id: Type 0 to classify traffic from any inner VLAN or type a specific inner VLAN ID number.
• ethernet-type: Enter one of the Ethernet types or type the hexadecimal number that identifies an Ethernet type (see
Table 41 on page 59).
• source-mac: Enter the source MAC address of the packet.
• source-port: Enter any to classify traffic received on any port or type a specific port number.
source-trunk: Enter any to classify traffic from any trunk group or type a specific trunk group ID number.
destination-port: Enter any to classify traffic to any destination port or type a specific port number.
destination-mac: Enter the destination MAC address of the packet.
ip-protocol: Enter one of the protocols or type the port number that identifies the protocol (see Table 42 on page
59).
mask: type the mask for the specified MAC address to determine which bits a packet’s MAC address should match. Enter “f” for each bit of the specified MAC address that the traffic’s MAC address should match. Enter “0” for the bits of the matched traffic’s MAC address, which can be of any hexadecimal characters. For example, if you set the MAC address to 00:13:49:00:00:00 and the mask to ff:ff:ff:00:00:00, a packet with a MAC address of 00:13:49:12:34:56 matches this criteria.
tos: Enter any to classify traffic from any ToS, or set an IP Precedence (the first 3 bits of the 8-bit ToS field) value and a Type of Service (the last 5 bits of the 8-bit ToS field) value.
establish-only: Enter this to identify only TCP packets used to establish TCP connections.
source-ip: Enter the source IPv4 address of the packet.
ipv6-source-ip: Enter the source IPv6 address of the packet.
source-socket: (for UDP or TCP protocols only) Specify the protocol port number.
destination-ip: Enter the destination IPv4 address of the packet.
ipv6-destination-ip of the packet.
destination-socket: (for UDP or TCP protocols only) specify the protocol port number.
time-range: Enter the name of a pre-defined time-range rule.
inactive: Disables this classifier.
: Enter the destination IPv6 address
C13
ipv6-addr> [prefix-length <prefix-length>]] [destination-socket <socket- num> [to <socket-num>] ]] [time-range <name>] [log] [count] [inactive]>
Ethernet Switch CLI Reference Guide
58
Chapter 15 Classifier Commands
Table 40 Command Summary: classifier (continued)
COMMAND DESCRIPTION M P
no classifier <name>
no classifier <name>
Deletes the classifier. If you delete a classifier you cannot use policy rule related
information. Enables a classifier. C 13
C13
inactive classifier match-order
<auto|manual>
classifier logging
classifier logging interval <0-65535>
no classifier logging
Use manual to have classifier rules applied according to the weight of each rule you configured. Use auto to have classifier rules applied according to the layer of the item configured in the rule.
Creates a log when packets match a classifier rule during a defined time interval.
Enter the length of the time period (in seconds) to count matched packets for a classifier rule. Enter an integer from 0 –
65535. 0 means that no logging is done.
Disallows the Switch to create a log message when packets match a classifier rule during a defined time interval.
C13
C13
C13
C13
The following table shows some other common Ethernet types and the corresponding protocol number.
Table 41 Common Ethernet Types and Protocol Number
ETHERNET TYPE      PROTOCOL NUMBER
IP ETHII           0800
X.75 Internet      0801
NBS Internet       0802
ECMA Internet      0803
Chaosnet           0804
X.25 Level 3       0805
XNS Compat         0807
Banyan Systems     0BAD
BBN Simnet         5208
IBM SNA            80D5
AppleTalk AARP     80F3
In an IPv4 packet header, the “Protocol” field identifies the next level protocol. The following table shows some common IPv4 protocol types and the corresponding protocol number. Refer to http://www.iana.org/assignments/protocol-numbers for a complete list.
Table 42 Common IPv4 Protocol Types and Protocol Numbers
PROTOCOL TYPE      PROTOCOL NUMBER
ICMP               1
TCP                6
UDP                17
EGP                8
L2TP               115
In an IPv6 packet header, the "Next Header" field identifies the next level protocol. The following table shows some common IPv6 Next Header values.
Table 43 Common IPv6 Next Header Values
PROTOCOL TYPE                     VALUE
IPv6 Hop-by-Hop Option            0
IPv4                              4
TCP                               6
UDP                               17
IPv6                              41
Routing Header for IPv6           43
Fragment Header for IPv6          44
Encapsulation Security Payload    50
Authentication Header             51
ICMP for IPv6                     58
No Next Header for IPv6           59
Destination Options for IPv6      60

15.3 Command Examples

This example creates a classifier for packets with a VLAN ID of 3. The resulting traffic flow is identified by the name VLAN3. The policy command can use the name VLAN3 to apply policy rules to this traffic flow. See the policy example in Chapter 64 on page 255.
sysname# config
sysname(config)# classifier VLAN3 vlan 3
sysname(config)# exit
sysname# show classifier
Index Active Name  Rule
1     Yes    VLAN3 VLAN = 3;
This example creates a classifier (Class1) for packets which have a source MAC address of 11:22:33:45:67:89 and are received on port 1. You can then use the policy command and the name Class1 to apply policy rules to this traffic flow. See the policy example in Chapter 64 on page 255.
sysname# config
sysname(config)# classifier Class1 source-mac 11:22:33:45:67:89 source-port 1
sysname(config)# exit
sysname# show classifier
Index Active Name   Rule
1     Yes    Class1 SrcMac = 11:22:33:45:67:89; S...
The default value of match-order is auto. For weight to take effect, use the following commands to change match-order to manual and configure a classifier weight value. The higher the weight, the higher the priority.
sysname# config
sysname(config)# classifier match-order manual
sysname(config)# classifier 1 weight 12345 source-port 1/1
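The mask and weight rules described in this chapter, modeled in Python as an added example (not code from this guide or from ZyNOS). It assumes that in manual match-order the highest-weight matching rule wins, that ties go to the rule listed first, and that a rule without a mask compares the full address; the Classifier class, function names and rule set are constructed for illustration.

```python
"""Model of classifier source-mac masks and manual match-order (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple


def mac_to_int(mac: str) -> int:
    """Convert aa:bb:cc:dd:ee:ff to a 48-bit integer, rejecting other shapes."""
    parts = mac.split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int("".join(parts), 16)


@dataclass
class Classifier:
    name: str
    weight: int
    source_mac: Optional[str] = None   # None: no source-mac criterion
    mask: str = "ff:ff:ff:ff:ff:ff"    # assumed default: compare every bit
    source_port: Optional[int] = None  # None models "any"

    def mac_filter(self) -> Tuple[int, int]:
        """Return (mask, masked rule address); (0, 0) if source-mac is unset."""
        if self.source_mac is None:
            return 0, 0
        m = mac_to_int(self.mask)
        return m, mac_to_int(self.source_mac) & m

    def matches(self, src_mac: str, in_port: int) -> bool:
        """Only bits set in the mask ("f" digits) are compared."""
        if self.source_port is not None and self.source_port != in_port:
            return False
        m, value = self.mac_filter()
        return (mac_to_int(src_mac) & m) == value


def select_manual(rules, src_mac, in_port):
    """Manual match-order: of the matching rules, the highest weight wins.
    max() keeps the first of equal weights (tie handling is an assumption)."""
    hits = [r for r in rules if r.matches(src_mac, in_port)]
    return max(hits, key=lambda r: r.weight, default=None)


def covers(high: Classifier, low: Classifier) -> bool:
    """True when every frame that matches `low` also matches `high`."""
    if high.source_port is not None and high.source_port != low.source_port:
        return False
    hm, hv = high.mac_filter()
    lm, lv = low.mac_filter()
    # high may only test bits that low also pins, and must agree on them.
    return (hm & ~lm) == 0 and (lv & hm) == hv


def shadowed_rules(rules):
    """Names of rules that never win because a heavier rule covers them."""
    return [low.name for low in rules
            if any(h is not low and h.weight > low.weight and covers(h, low)
                   for h in rules)]


# Constructed rule set. Class1 reuses the addresses from the example above;
# the weights and the other two rules are made up for this illustration.
RULES = [
    Classifier("Class1", weight=100, source_mac="11:22:33:45:67:89", source_port=1),
    Classifier("OuiRule", weight=50, source_mac="00:13:49:00:00:00",
               mask="ff:ff:ff:00:00:00"),
    Classifier("OneHost", weight=10, source_mac="00:13:49:12:34:56"),
]

if __name__ == "__main__":
    winner = select_manual(RULES, "00:13:49:12:34:56", 2)
    print("winning rule:", winner.name if winner else None)
    print("shadowed rules:", shadowed_rules(RULES))
```

Running it reports that the host-specific rule is shadowed: the broader masked rule carries the higher weight, so the narrower rule is never the one applied.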
CHAPTER 16

Cluster Commands

16.1 Command Summary

The following section lists the commands for this feature.
Table 44 cluster Command Summary
COMMAND DESCRIPTION M P
show cluster
  Displays cluster management status.
  M: E  P: 3
cluster <vlan-id>
  Enables clustering in the specified VLAN group.
  M: C  P: 13
no cluster
  Disables cluster management on the Switch.
  M: C  P: 13
cluster name <cluster name>
  Sets a descriptive name for the cluster.
  <cluster name>: You may use up to 32 printable characters (spaces are allowed).
  M: C  P: 13
show cluster candidates
  Displays the switches that are potential cluster members. The switches must be directly connected.
  M: E  P: 3
cluster member <mac> password <password>
  Adds the specified device to the cluster. You have to specify the password of the device too.
  M: C  P: 13
show cluster member
  Displays the cluster members and their running status.
  M: E  P: 3
show cluster member config
  Displays the current cluster members.
  M: E  P: 3
show cluster member mac <mac>
  Displays the running status of the cluster members.
  M: E  P: 3
cluster rcommand <mac>
  Logs into the CLI of the specified cluster member.
  M: C  P: 13
no cluster member <mac>
  Removes the cluster member.
  M: C  P: 13

16.2 Command Examples

This example creates the cluster CManage in VLAN 1. Then, it looks at the current list of candidates for membership in this cluster and adds two switches to the cluster.
sysname# configure
sysname(config)# cluster 1
sysname(config)# cluster name CManage
sysname(config)# exit
sysname# show cluster candidates
Clustering Candidates:
Index Candidates(MAC/HostName/Model)
0     00:13:49:00:00:01/GS2220-10HP/GS2220-10HP
1     00:13:49:00:00:02/XS3800-28/XS3800-28
2     00:19:cb:00:00:02/GS2220-28HP/GS2220-28HP
sysname# configure
sysname(config)# cluster member 00:13:49:00:00:01 password 1234
sysname(config)# cluster member 00:13:49:00:00:02 password 1234
sysname(config)# exit
sysname# show cluster member
Clustering member status:
Index MACAddr           Name        Status
1     00:13:49:00:00:01 GS2220-10HP Online
2     00:13:49:00:00:02 XS3800-28   Online
The following table describes the labels in this screen.
Table 45 show cluster member
LABEL DESCRIPTION
Index
  This field displays an entry number for each member.
MACAddr
  This field displays the member’s MAC address.
Name
  This field displays the member’s system name.
Status
  This field displays the current status of the member in the cluster.
  Online: The member is accessible.
  Error: The member is connected but not accessible. For example, the member’s password has changed, or the member was set as the manager and so left the member list. This status also appears while the Switch finishes adding a new member to the cluster.
  Offline: The member is disconnected. It takes approximately 1.5 minutes after the link goes down for this status to appear.
This example logs in to the CLI of member 00:13:49:00:00:01, looks at the current firmware version on the member Switch, logs out of the member’s CLI, and returns to the CLI of the manager.
sysname# configure
sysname(config)# cluster rcommand 00:13:49:00:00:01
Connected to 127.0.0.2
Escape character is '^]'.
User name: admin
Password: ****
Copyright (c) 1994 - 2007 Zyxel Communications Corp.
XS3800-28# show version
Current ZyNOS version: V4.80(ABML.0)b7 | 04/07/2022
XS3800-28# exit
Telnet session with remote host terminated.
Closed
sysname(config)#
This example looks at the current status of the Switch’s cluster.
sysname# show cluster
Cluster Status: Manager
VID: 1
Manager: 00:13:49:ae:fb:7a
The following table describes the labels in this screen.
Table 46 show cluster
LABEL DESCRIPTION
Cluster Status
  This field displays the role of this Switch within the cluster.
  Manager: This Switch is the device through which you manage the cluster member switches.
  Member: This Switch is managed by the specified manager.
  None: This Switch is not in a cluster.
VID
  This field displays the VLAN ID used by the cluster.
Manager
  This field displays the cluster manager’s MAC address.
CHAPTER 17

CLV Commands

17.1 CLV Overview

Use these commands to configure VLAN settings on the Switch in clv mode. In Zyxel configuration mode, you need to use the VLAN commands to configure a VLAN first, then specify the ports which you want to configure and tag all outgoing frames with the specified VLAN ID. In clv mode, you need to specify the ports first, then configure frames which you want to tag with the specified VLAN ID.
Note: CLV mode is supported only in the Command Line Interface (CLI). If you have enabled CLV mode to configure the Switch's VLAN settings, further VLAN changes you make through the Web Configurator will not be saved and applied completely. You can still use the Web Configurator to view the VLAN status.
If you want to configure VLAN settings in both the Web Configurator and the CLI, just return to Zyxel configuration mode by turning off CLV mode.

17.2 Command Summary

The following section lists the commands for this feature. There are three different ways that you can configure ports on the Switch. Use Access mode to untag outgoing frames; usually connect a port in Access mode to a computer. Use Trunk mode to tag outgoing frames; usually connect a port in Trunk mode to another Switch. Use Hybrid mode to tag or untag outgoing frames; usually connect a port in Hybrid mode to another Switch or computer.
Suppose port 1 is configured as a native VLAN with VLAN ID 100. Then all untagged incoming traffic that goes out from port 1 will be tagged with VLAN ID 100.
Suppose port 2 is configured in Access mode. Then all outgoing traffic from port 2 will be untagged.
Suppose port 3 is configured in Trunk mode. Then all outgoing traffic from port 3 will be tagged with VLAN ID 100.
Figure 2 Trunk - Access Mode Example
Table 47 Interface Command Values
COMMAND DESCRIPTION
port-list
A list of one or more ports, separated by commas with no spaces. The list may also contain ranges of ports signified by a hyphen. For example: 1,3,5–8,10.
Table 48 vlan Command Summary
COMMAND DESCRIPTION M P
show vlan
  Displays the status of all VLANs.
  M: E  P: 3
show vlan <vlan-id>
  Displays the status of the specified VLAN.
  M: E  P: 3
Table 49 clv Command Summary
COMMAND DESCRIPTION M P
clv
  Enables clv mode.
  M: C  P: 13
no clv
  Disables clv mode.
  M: C  P: 13
Table 50 switchport mode Command Summary
COMMAND DESCRIPTION M P
interface port-channel <port-list>
  Enters config-interface mode for the specified ports.
  M: C  P: 13
switchport mode <access|trunk|hybrid>
  Specifies VLAN configuration mode on the specified ports.
  • Use Access to untag outgoing frames with a VLAN ID.
  • Use Trunk to tag outgoing frames with a VLAN ID.
  • Use Hybrid to tag or untag outgoing frames with a VLAN ID.
  M: C  P: 13
no switchport mode
  Resets VLAN configuration mode to the default switchport mode. The default switchport mode is hybrid mode.
  M: C  P: 13
Table 51 switchport access Command Summary
COMMAND DESCRIPTION M P
interface port-channel <port-list>
  Enters config-interface mode for the specified ports.
  M: C  P: 13
switchport mode access
  Sets the specified interface in access mode.
  M: C  P: 13
switchport access <vlan-id>
  Untags all outgoing frames with the specified VLAN ID.
  M: C  P: 13
no switchport access vlan
  Resets all outgoing frames to the default VLAN ID. The default VLAN ID is VLAN 1.
  M: C  P: 13
Table 52 switchport trunk Command Summary
COMMAND DESCRIPTION M P
interface port-channel <port-list>
  Enters config-interface mode for the specified ports.
  M: C  P: 13
switchport mode trunk
  Sets the specified interface in trunk mode.
  M: C  P: 13
switchport trunk allowed vlan <vlan-list>
  Tags all outgoing frames with the specified VLAN ID.
  M: C  P: 13
no switchport trunk allowed vlan <vlan-list>
  Disables the specified VLAN trunk on the ports.
  M: C  P: 13
switchport trunk allowed vlan all
  Tags all outgoing frames for all VLANs.
  M: C  P: 13
no switchport trunk allowed vlan all
  Disables all VLAN trunks on the ports.
  M: C  P: 13
switchport trunk native vlan <vlan-id>
  Tags all incoming untagged frames with the specified VLAN ID. The default VLAN ID is VLAN 1 for all ports. Sets a VLAN ID in the range 1 to 4094.
  M: C  P: 13
no switchport trunk native vlan
  Resets all incoming untagged frames to the default VLAN ID. The default VLAN ID is VLAN 1.
  M: C  P: 13
Table 53 switchport hybrid Command Summary
COMMAND DESCRIPTION M P
interface port-channel <port-list>
  Enters config-interface mode for the specified ports.
  M: C  P: 13
switchport mode hybrid
  Sets the specified interface in hybrid mode.
  M: C  P: 13
switchport hybrid allowed vlan <vlan-list> tagged
  Tags all outgoing frames with the specified VLAN ID.
  M: C  P: 13
switchport hybrid allowed vlan <vlan-list> untagged
  Untags all outgoing frames with the specified VLAN ID.
  M: C  P: 13
no switchport hybrid allowed vlan <vlan-list>
  Disables the specified VLAN ID on the ports.
  M: C  P: 13
Table 53 switchport hybrid Command Summary (continued)
COMMAND DESCRIPTION M P
switchport hybrid pvid <vlan-id>
  Tags all incoming untagged frames with the specified VLAN ID.
  M: C  P: 13
no switchport hybrid pvid <vlan-id>
  Resets all incoming untagged frames to the default VLAN ID. The default VLAN ID is VLAN 1.
  M: C  P: 13
Table 54 switchport forbidden Command Summary
COMMAND DESCRIPTION M P
interface port-channel <port-list>
  Enters config-interface mode for the specified ports.
  M: C  P: 13
switchport forbidden vlan add <vlan-list>
  Prohibits the specified ports from joining the specified VLAN group.
  M: C  P: 13
switchport forbidden vlan add all
  Prohibits the specified ports from joining all VLAN groups.
  M: C  P: 13
switchport forbidden vlan remove <vlan-list>
  Sets forbidden ports in the specified VLAN to normal ports.
  M: C  P: 13
switchport forbidden vlan remove all
  Sets all forbidden ports in the port list to normal ports.
  M: C  P: 13

17.3 Command Examples

This example configures clv mode.
sysname# config
sysname(config)# clv
Note: All of the following examples assume that clv mode is enabled.
This example configures clv for VLAN 20 on port 1.
sysname# config
sysname(config)# interface port-channel 1
sysname(config-interface)# switchport mode access
sysname(config-interface)# switchport access vlan 20
sysname(config-interface)# exit
This example activates clv for VLAN 100 and VLAN 20 on ports 1 to 3. This example prohibits ports 1 to 3 from joining VLAN 200.
sysname# config
sysname(config)# interface port-channel 1-3
sysname(config-interface)# switchport mode trunk
sysname(config-interface)# switchport trunk allowed vlan 100
sysname(config-interface)# switchport trunk native vlan 20
sysname(config-interface)# switchport forbidden vlan add 200
sysname(config-interface)# exit
This example configures port 4 as the tagged port in VLAN 20 and the untagged port in VLAN 100. This example also configures 200 as the PVID on port 4.
sysname# config
sysname(config)# interface port-channel 4
sysname(config-interface)# switchport mode hybrid
sysname(config-interface)# switchport hybrid allowed vlan 20 tagged
sysname(config-interface)# switchport hybrid allowed vlan 100 untagged
sysname(config-interface)# switchport hybrid pvid 200
sysname(config-interface)# exit
This example shows the VLAN table.
sysname# show vlan
  The Number of VLAN : 4
  Idx. VID  Status    Elap-Time   TagCtl
  ---- ---- --------- ----------- -------------------------------------
  1    1    Static    145:03:37   Access :1-3,6-52
                                  Trunk  :
  2    20   Static    1:47:09     Access :
                                  Trunk  :4
  3    100  Static    26:04:36    Access :4
                                  Trunk  :1-3
  4    200  Static    2:01:54     Access :
                                  Trunk  :
The following table describes the labels in this screen.
Table 55 show vlan
LABEL DESCRIPTION
The Number of VLAN
  This field displays the number of VLANs on the Switch.
Idx.
  This field displays an entry number for each VLAN.
VID
  This field displays the VLAN identification number.
Status
  This field displays how this VLAN was added to the Switch.
  Dynamic: The VLAN was added through GVRP.
  Static: The VLAN was added as a permanent entry.
  Other: The VLAN was added in another way, such as Multicast VLAN Registration (MVR).
Elap-Time
  This field displays how long it has been since a dynamic VLAN was registered or a static VLAN was set up.
TagCtl
  This field displays untagged and tagged ports.
  Access: These ports do not tag outgoing frames with the VLAN ID.
  Trunk: These ports tag outgoing frames with the VLAN ID.
This example shows the VLAN 100 status.
sysname# show vlan 100
  802.1Q VLAN ID : 100
  Name           :
  Status         : Static
  Elapsed Time   : 26:05:15

  Port Information Mode
  ---------------- ----
  1                Trunk
  2                Trunk
  3                Trunk
  4                Hybrid
CHAPTER 18

Custom Default Commands

18.1 Custom Default Overview

You can save the current configuration settings to a customized default file, so you can load it when you reboot the Switch.

18.2 Command Summary

The following section lists the commands for this feature.
Table 56 custom-default Command Summary
COMMAND DESCRIPTION M P
custom-default
  Enables custom default.
  M: C  P: 14
no custom-default
  Disables custom default.
  M: C  P: 14
See Chapter 78 on page 307 for the commands to save the current configuration settings permanently to a customized default file, and load it when rebooting the Switch.

18.3 Command Examples

See Section 4.8 on page 26 for an example of how to configure custom default on the Switch.
Chapter 19 Date and Time Commands

Date and Time Commands

19.1 Command Summary

Use these commands to configure the date and time on the Switch.
The following table describes user-input values available in multiple commands for this feature.
Table 57 time User-input Values
COMMAND DESCRIPTION
week
  Possible values (daylight-saving-time commands only): first, second, third, fourth, last.
day
  Possible values (daylight-saving-time commands only): Sunday, Monday, Tuesday, ....
month
  Possible values (daylight-saving-time commands only): January, February, March, ....
o’clock
  Possible values (daylight-saving-time commands only): 0 – 23
The following section lists the commands for this feature.
Table 58 time Command Summary
COMMAND DESCRIPTION M P
show time
  Displays current system time and date.
  M: E  P: 3
time <hour:min:sec>
  Sets the current time on the Switch.
  hour: 0 – 23
  min: 0 – 59
  sec: 0 – 59
  Note: If you configure Daylight Saving Time after you configure the time, the Switch will apply Daylight Saving Time.
  M: C  P: 13
time date <month/day/year>
  Sets the current date on the Switch.
  month: 1 – 12
  day: 1 – 31
  year: 1970 – 2037
  M: C  P: 13
time timezone <-1200|...|1200>
  Selects the time difference between UTC (formerly known as GMT) and your time zone.
  Note: You can configure a time zone with a 30-minute offset (for example, UTC –630).
  M: C  P: 13
time daylight-saving-time
  Enables daylight saving time. The current time is updated if daylight saving time has started.
  M: C  P: 13
time daylight-saving-time start-date <week> <day> <month> <o’clock>
  Sets the day and time when Daylight Saving Time starts.
  In most parts of the United States, Daylight Saving Time starts on the second Sunday of March at 2 A.M. local time. In the European Union, Daylight Saving Time starts on the last Sunday of March at 1 A.M. GMT or UTC, so the o’clock field depends on your time zone.
  M: C  P: 13
time daylight-saving-time end-date <week> <day> <month> <o’clock>
  Sets the day and time when Daylight Saving Time ends.
  In most parts of the United States, Daylight Saving Time ends on the first Sunday of November at 2 A.M. local time. In the European Union, Daylight Saving Time ends on the last Sunday of October at 1 A.M. GMT or UTC, so the o’clock field depends on your time zone.
  M: C  P: 13
no time daylight-saving-time
  Disables daylight saving on the Switch.
  M: C  P: 13
time daylight-saving-time help
  Provides more information about the specified command.
  M: C  P: 13
Table 59 timesync Command Summary
COMMAND DESCRIPTION M P
show timesync
  Displays time server information.
  M: E  P: 3
timesync server <ip|domain name>
  Sets the IP address or domain name of the timeserver. The Switch attempts to connect to the timeserver for up to 60 seconds.
  The Switch synchronizes with the time server in the following situations:
  • When the Switch starts up.
  • Every 24 hours after the Switch starts up.
  • When the time server IP address or protocol is updated.
  M: C  P: 13
timesync <daytime|time|ntp>
  Sets the time server protocol. You have to configure a time server before you can specify the protocol.
  M: C  P: 13
no timesync
  Disables timeserver settings.
  M: C  P: 13

19.2 Command Examples

This example sets the current date, current time, time zone, and daylight savings time.
sysname# configure
sysname(config)# time date 06/04/2007
sysname(config)# time timezone -600
sysname(config)# time daylight-saving-time
sysname(config)# time daylight-saving-time start-date second Sunday
--> March 2
sysname(config)# time daylight-saving-time end-date first Sunday
--> November 2
sysname(config)# time 13:24:00
sysname(config)# exit
sysname# show time
Current Time 13:24:03 (UTC-05:00 DST)
Current Date 2007-06-04
This example looks at the current time server settings.
sysname# show timesync

Time Configuration
-----------------------------
Time Zone :UTC -600
Time Sync Mode :USE_DAYTIME
Time Server IP Address :172.16.37.10
Time Server Sync Status:CONNECTING
The following table describes the labels in this screen.
Table 60 show timesync
LABEL DESCRIPTION
Time Zone
  This field displays the time zone.
Time Sync Mode
  This field displays the time server protocol the Switch uses. It displays NO_TIMESERVICE if the time server is disabled.
Time Server IP Address
  This field displays the IP address of the time server.
Time Server Sync Status
  This field displays the status of the connection with the time server.
  NONE: The time server is disabled.
  CONNECTING: The Switch is trying to connect with the specified time server.
  OK: Synchronization with the time server is done.
  FAIL: Synchronization with the time server failed.
CHAPTER 20

DHCP Commands

20.1 DHCP Overview

Use these commands to configure DHCP features on the Switch.
• Use the dhcp option commands to configure DHCP Option 82 profiles.
• Use the dhcp relay commands to configure DHCP relay for a specific VLAN.
• Use the dhcp smart-relay commands to configure DHCP relay for all broadcast domains.
• Use the dhcp server commands to configure the Switch as a DHCP server. (This command is available on a layer 3 Switch only.)

20.2 Command Summary

The following table describes user-input values available in multiple commands for this feature.
Table 61 Interface Command Values
COMMAND DESCRIPTION
port-list
  A list of one or more ports, separated by commas with no spaces. The list may also contain ranges of ports signified by a hyphen. For example: 1,3,5–8,10.
The following section lists the commands for this feature.
Table 62 dhcp option Command Summary
COMMAND DESCRIPTION M P
dhcp option profile <name> [ circuit-id [slot-port] [vlan] [hostname] [string <string>] ] [ remote-id [mac] [string <string>] ]
  Creates a DHCPv4 option 82 profile.
  M: C  P: 13
no dhcp option profile <name>
  Deletes the specified DHCPv4 option 82 profile.
  M: C  P: 13
show dhcp option profile
  Displays DHCP option 82 profile settings.
  M: E  P: 3
Table 63 dhcp relay Command Summary
COMMAND DESCRIPTION M P
show dhcp relay <vlan-id>
  Displays DHCP relay settings for the specified VLAN.
  M: E  P: 3
dhcp relay <vlan-id> helper-address <remote-dhcp-server1> [<remote-dhcp-server2>] [<remote-dhcp-server3>] [option] [information]
  Enables DHCP relay on the specified VLAN and sets the IP address of up to 3 DHCP servers. Optionally, sets the Switch to add relay agent information and system name.
  Note: You have to configure the VLAN before you configure a DHCP relay for the VLAN. You have to disable dhcp smart-relay before you can enable dhcp relay.
  M: C  P: 13
dhcp relay <vlan-id> helper-address <remote-dhcp-server1> [<remote-dhcp-server2>] [<remote-dhcp-server3>] [option profile <name>]
  Enables DHCP relay on the specified VLAN and sets the IP address of up to 3 DHCP servers. Optionally, specify a pre-defined DHCP option 82 profile that the Switch applies to all ports in this VLAN.
  Note: You have to configure the VLAN before you configure a DHCP relay for the VLAN. You have to disable dhcp smart-relay before you can enable dhcp relay.
  M: C  P: 13
dhcp relay <vlan-id> interface port-channel <port-list> option profile <name>
  Specifies a pre-defined DHCP option 82 profile that the Switch applies to the specified ports in this VLAN. The Switch adds the Circuit ID sub-option and/or Remote ID sub-option specified in the profile to DHCP requests that it relays to a DHCP server.
  M: C  P: 13
dhcp relay <vlan-id> source-address <ip-addr>
  Specifies the source IP address that the Switch adds to DHCP requests from clients in this VLAN before forwarding them.
  The source IP address helps DHCP clients obtain an appropriate IP address when you configure multiple routing domains on a VLAN.
  M: C  P: 13
no dhcp relay <vlan-id>
  Disables DHCP relay.
  M: C  P: 13
no dhcp relay <vlan-id> information
  System name is not appended to option 82 information field.
  M: C  P: 13
no dhcp relay <vlan-id> interface port-channel <port-list> option
  Sets the Switch to not apply a DHCP option 82 profile to the specified ports in this VLAN.
  M: C  P: 13
no dhcp relay <vlan-id> source-address
  Removes the source IP address setting and sets this field to 0.0.0.0. The Switch automatically sets the source IP address of the DHCP requests to the IP address of the interface on which the packet is received.
  M: C  P: 13
no dhcp relay <vlan-id> option
  Disables the relay agent information option 82.
  M: C  P: 13
Table 64 dhcp relay-broadcast Command Summary
COMMAND DESCRIPTION M P
dhcp relay-broadcast
  The broadcast behavior of DHCP packets (within the VLANs on which DHCP relay is enabled) will not be terminated by the Switch.
  M: C  P: 13
no dhcp relay-broadcast
  The Switch terminates the broadcast behavior of DHCP packets within the VLANs on which DHCP relay is enabled.
  M: C  P: 13
Table 65 dhcp smart-relay Command Summary
COMMAND DESCRIPTION M P
show dhcp smart-relay
  Displays global DHCP relay settings.
  M: E  P: 3
dhcp smart-relay
  Enables DHCP relay for all broadcast domains on the Switch.
  Note: You have to disable dhcp relay before you can enable dhcp smart-relay.
  M: C  P: 13
no dhcp smart-relay
  Disables global DHCP relay settings.
  M: C  P: 13
dhcp smart-relay helper-address <remote-dhcp-server1> [<remote-dhcp-server2>] [<remote-dhcp-server3>]
  Sets the IP addresses of up to 3 DHCP servers.
  M: C  P: 13
dhcp smart-relay interface port-channel <port-list> option profile <name>
  Specifies a pre-defined DHCP option 82 profile that the Switch applies to the specified ports.
  Note: The profile you specify here has priority over the one you set using the dhcp smart-relay option profile <name> command.
  M: C  P: 13
dhcp smart-relay option profile <name>
  Specifies a pre-defined DHCPv4 option 82 profile that the Switch applies to all ports. The Switch adds the Circuit ID sub-option and/or Remote ID sub-option specified in the profile to DHCP requests that it relays to a DHCP server.
  M: C  P: 13
no dhcp smart-relay interface port-channel <port-list>
  Sets the Switch to not apply a DHCP option 82 profile to the specified ports.
  M: C  P: 13
Table 66 dhcp server Command Summary
COMMAND | DESCRIPTION | M | P
dhcp server <vlan-id> starting-address <ip-addr> <subnet-mask> size-of-client-ip-pool <1-1024> | Enables DHCP server for the specified VLAN and specifies the TCP/IP configuration details to send to DHCP clients. | C | 13
dhcp server <vlan-id> starting-address <ip-addr> <subnet-mask> size-of-client-ip-pool <1-1024> [default-gateway <ip-addr>] [primary-dns <ip-addr>] [secondary-dns <ip-addr>] | Enables DHCP server for the specified VLAN and specifies the TCP/IP configuration details to send to DHCP clients, including the default gateway IP address and DNS server information. | C | 13
dhcp server guard | Enables DHCP Server Guard on the Switch. When enabled, the Switch only forwards DHCP packets received on trusted ports. DHCP packets received on untrusted ports are dropped. You can set ports as trusted or untrusted using the interface port-channel command. By default, all ports are untrusted. Note: DHCP Server Guard cannot be enabled if DHCP Snooping is enabled. | C | 13
no dhcp server guard | Disables DHCP Server Guard on the Switch. | C | 13
interface port-channel <port-list> | Enters config-interface mode for the specified ports. | C | 13
  dhcp server trust | Sets the specified ports as trusted for DHCP Server Guard. The Switch forwards DHCP packets received on the port. | C | 13
Table 66 dhcp server Command Summary (continued)
COMMAND | DESCRIPTION | M | P
  no dhcp server trust | Sets the specified ports as untrusted for DHCP Server Guard. If DHCP Server Guard is enabled, the Switch drops DHCP packets received on the port. | C | 13
no dhcp server <vlan-id> | Disables DHCP server for the specified VLAN. | C | 13
no dhcp server <vlan-id> default-gateway | Disables DHCP server default gateway settings. | C | 13
no dhcp server <vlan-id> primary-dns | Disables DHCP primary DNS server settings. | C | 13
no dhcp server <vlan-id> secondary-dns | Disables DHCP server secondary DNS settings. | C | 13
show dhcp server | Displays DHCP server settings. | E | 13
show dhcp server <vlan-id> | Displays DHCP server settings in a specified VLAN. | E | 13

20.3 Command Examples

In this example, the Switch relays DHCP requests for the VLAN1 and VLAN2 domains. There is only one DHCP server for DHCP clients in both domains.
Figure 3 Example: Global DHCP Relay
This example shows how to configure the Switch for this configuration. DHCP relay agent information option 82 is also enabled.
sysname# configure
sysname(config)# dhcp smart-relay
sysname(config)# dhcp smart-relay helper-address 192.168.1.100
sysname(config)# dhcp smart-relay option
sysname(config)# exit
sysname# show dhcp smart-relay
DHCP Relay Agent Configuration
Active: Yes
Remote DHCP Server 1:192.168.1.100
Remote DHCP Server 2: 0.0.0.0
Remote DHCP Server 3: 0.0.0.0
Option82: Enable
Option82Inf: Disable
In this example, there are two VLANs (VIDs 1 and 2) in a campus network. Two DHCP servers are installed to serve each VLAN. The Switch forwards DHCP requests from the dormitory rooms (VLAN 1) to the DHCP server with IP address 192.168.1.100. DHCP requests from the academic buildings (VLAN 2) are sent to the other DHCP server with IP address 172.16.10.100.
Figure 4 Example: DHCP Relay for Two VLANs
This example shows how to configure these DHCP servers. The VLANs are already configured.
sysname# configure
sysname(config)# dhcp relay 1 helper-address 192.168.1.100
sysname(config)# dhcp relay 2 helper-address 172.16.10.100
sysname(config)# exit
In this example, the Switch is a DHCP server for clients on VLAN 1 and VLAN 2. The DHCP clients in VLAN 1 are assigned IP addresses in the range 192.168.1.100 to 192.168.1.200 and clients on VLAN 2 are assigned IP addresses in the range 172.16.1.30 to 172.16.1.130.
Figure 5 Example: DHCP Relay for Two VLANs
This example shows how to configure the DHCP server for VLAN 1 with the configuration shown in Figure 5. It also provides the DHCP clients with the IP address of the default gateway and the DNS server.
sysname# configure
sysname(config)# dhcp server 1 starting-address 192.168.1.100 255.255.255.0 size-of-client-ip-pool 100 default-gateway 192.168.1.1 primary-dns 192.168.5.1
In this example, we enable DHCP Server Guard, set ports 5 and 6 as trusted (as they are connected to a DHCP server), and then verify the settings are active on the Switch.
sysname# configure
sysname(config)# dhcp server guard
sysname(config)# interface port-channel 5-6
sysname(config-interface)# dhcp server trust
sysname(config-interface)# exit
sysname# show running-config
interface port-channel 5
  dhcp server trust
interface port-channel 6
  dhcp server trust
dhcp server guard
CHAPTER 21

DHCP Snooping and DHCP VLAN Commands

21.1 DHCP Snooping and DHCP VLAN Overview

Use the dhcp snooping commands to configure the DHCP snooping on the Switch and the dhcp vlan commands to specify a DHCP VLAN on your network. DHCP snooping filters unauthorized DHCP server packets on the network and builds a binding table dynamically by snooping DHCP server packets. The Switch allows only the authorized DHCP server on a trusted port to assign IP addresses. Clients on your network will only receive DHCP packets from the authorized DHCP server.

21.2 Command Summary

The following section lists the commands for this feature.
Table 67 dhcp snooping Command Summary
COMMAND | DESCRIPTION | M | P
show dhcp snooping | Displays DHCP snooping configuration on the Switch. | E | 3
show dhcp snooping binding | Displays the DHCP binding table. | E | 3
show dhcp snooping database | Displays DHCP snooping database update statistics and settings. | E | 3
show dhcp snooping database detail | Displays DHCP snooping database update statistics in full detail form. | E | 3
show dhcp snooping option [vlan <vlan-list>] [interface <port-list>] | Displays the DHCP option 82 profile that the Switch applies to ports in the specified VLAN or to the specified ports. | E | 3
dhcp snooping | Enables DHCP Snooping on the Switch. Note: DHCP Snooping cannot be enabled if DHCP Server Guard is enabled. | C | 13
no dhcp snooping | Disables DHCP Snooping on the Switch. | C | 13
dhcp snooping database <tftp://host/filename> | Specifies the location of the DHCP snooping database. The location should be expressed like this: tftp://{domain name or IP address}/directory, if applicable/file name; for example, tftp://192.168.10.1/database.txt. | C | 13
no dhcp snooping database | Removes the location of the DHCP snooping database. | C | 13
dhcp snooping database timeout <seconds> | Specifies how long (10 – 65535 seconds) the Switch tries to complete a specific update in the DHCP snooping database before it gives up. | C | 13
Table 67 dhcp snooping Command Summary (continued)
COMMAND | DESCRIPTION | M | P
no dhcp snooping database timeout | Resets how long (10 – 65535 seconds) the Switch tries to complete a specific update in the DHCP snooping database before it gives up to the default value (300). | C | 13
dhcp snooping database write-delay <seconds> | Specifies how long (10 – 65535 seconds) the Switch waits to update the DHCP snooping database the first time the current bindings change after an update. | C | 13
no dhcp snooping database write-delay | Resets how long (10 – 65535 seconds) the Switch waits to update the DHCP snooping database the first time the current bindings change after an update to the default value (300). | C | 13
dhcp snooping vlan <vlan-list> | Specifies the VLAN IDs for VLANs you want to enable DHCP snooping on. | C | 13
no dhcp snooping vlan <vlan-list> | Specifies the VLAN IDs for VLANs you want to disable DHCP snooping on. Note: When DHCP Snooping is disabled on a VLAN, the Switch still uses CPU resources to examine packets from the VLAN. To prevent the Switch from processing packets from a VLAN at the hardware level, use the command dhcp snooping bypass-vlan. | C | 13
dhcp snooping vlan <vlan-list> interface port-channel <port-list> option profile <name> | Specifies a pre-defined DHCP option 82 profile that the Switch applies to the specified ports in the specified VLAN. | C | 13
no dhcp snooping vlan <vlan-list> interface port-channel <port-list> option | Sets the Switch to not apply a DHCP option 82 profile to the specified ports. | C | 13
dhcp snooping vlan <vlan-list> option profile <name> | Specifies a pre-defined DHCP option 82 profile that the Switch applies to all ports in the specified VLAN. | C | 13
clear dhcp snooping database statistics | Deletes all statistics records of DHCP requests going through the Switch. | E | 13
dhcp snooping bypass-vlan <vlan-list> | Sets the Switch to not process DHCP packets from the specified VLANs. When DHCP Snooping is disabled on a VLAN, the Switch still uses CPU resources to examine packets from the VLAN. This command prevents the Switch from processing packets from a VLAN at the hardware level. | C | 13
no dhcp snooping bypass-vlan <vlan-list> | Sets the Switch to process DHCP packets from the specified VLANs. | C | 13
renew dhcp snooping database | Loads dynamic bindings from the default DHCP snooping database. | E | 13
renew dhcp snooping database <tftp://host/filename> | Loads dynamic bindings from the specified DHCP snooping database. | E | 13
interface port-channel <port-list> | Enables a port or a list of ports for configuration. | C | 13
  dhcp snooping trust | Sets this port as a trusted DHCP snooping port. Trusted ports are connected to DHCP servers or other switches, and the Switch discards DHCP packets from trusted ports only if the rate at which DHCP packets arrive is too high. | C | 13
Table 67 dhcp snooping Command Summary (continued)
COMMAND | DESCRIPTION | M | P
  dhcp snooping limit rate <pps> | Sets the maximum rate in packets per second (pps) that DHCP packets are allowed to arrive at a trusted DHCP snooping port. | C | 13
  no dhcp snooping trust | Disables this port from being a trusted port for DHCP snooping. | C | 13
  no dhcp snooping limit rate | Resets the DHCP snooping rate to the default (0). | C | 13
The following table describes the dhcp-vlan commands.
Table 68 dhcp-vlan Command Summary
COMMAND | DESCRIPTION | M | P
dhcp dhcp-vlan <vlan-id> | Specifies the VLAN ID of the DHCP VLAN. | C | 13
no dhcp dhcp-vlan | Disables DHCP VLAN on the Switch. | C | 13

21.3 Command Examples

This example:
• Enables DHCP snooping on the Switch.
• Sets up an external DHCP snooping database on a network server with IP address 172.16.37.17.
• Enables DHCP snooping on VLANs 1,2,3,200 and 300.
• Sets the Switch to add the slot number, port number and VLAN ID to DHCP requests that it broadcasts to the DHCP VLAN.
• Sets the Switch to not process DHCP packets on VLAN 5.
• Sets ports 1 – 5 as DHCP snooping trusted ports.
• Sets the maximum number of DHCP packets that can be received on ports 1 – 5 to 100 packets per second.
• Configures a DHCP VLAN with a VLAN ID 300.
• Displays DHCP snooping configuration details.
sysname(config)# dhcp snooping
sysname(config)# dhcp snooping database tftp://172.16.37.17/snoopdata.txt
sysname(config)# dhcp snooping vlan 1,2,3,200,300
sysname(config)# dhcp snooping vlan 1,2,3,200,300 option
sysname(config)# dhcp snooping bypass-vlan 5
sysname(config)# interface port-channel 1-5
sysname(config-interface)# dhcp snooping trust
sysname(config-interface)# dhcp snooping limit rate 100
sysname(config-interface)# exit
sysname(config)# dhcp dhcp-vlan 300
sysname(config)# exit
sysname# show dhcp snooping
Switch DHCP snooping is enabled
DHCP Snooping is configured on the following VLANs:
    1-3,200,300
Option 82 is configured on the following VLANs:
    1-3,200,300
Appending system name is configured on the following VLANs:

DHCP VLAN is enabled on VLAN 300
Interface  Trusted  Rate Limit (pps)
---------  -------  ----------------
1          yes      100
2          yes      100
3          yes      100
4          yes      100
5          yes      100
6          no       unlimited
7          no       unlimited
8          no       unlimited
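The following Python script is an added example, not part of the Zyxel guide. It parses show dhcp snooping output in the layout shown above and reports where the Switch differs from an intended design: VLANs that are not snooped, trusted ports that were not approved as DHCP server or uplink ports, and trusted ports with no rate limit. The sample output is constructed, and the function names and the expected_vlans and approved_trusted_ports inputs are assumptions of this example.

```python
import re

# Constructed sample, laid out like the `show dhcp snooping` output in the
# example above (ports 3 and 7 are altered to give the audit something to find).
SAMPLE_OUTPUT = """\
Switch DHCP snooping is enabled
DHCP Snooping is configured on the following VLANs:
    1-3,200,300
Option 82 is configured on the following VLANs:
    1-3,200,300
Appending system name is configured on the following VLANs:

DHCP VLAN is enabled on VLAN 300
Interface  Trusted  Rate Limit (pps)
---------  -------  ----------------
1          yes      100
2          yes      100
3          yes      unlimited
6          no       unlimited
7          yes      50
"""

SNOOPED_VLANS_HEADER = "DHCP Snooping is configured on the following VLANs:"
PORT_ROW = re.compile(r"^(\d+)\s+(yes|no)\s+(\d+|unlimited)$")


def expand_list(spec):
    """Expand a switch-style list such as '1-3,200,300' into a set of ints."""
    values = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        low, _, high = part.partition("-")
        values.update(range(int(low), int(high or low) + 1))
    return values


def parse_show_dhcp_snooping(text):
    """Return global state, snooped VLANs and per-port trust/rate settings."""
    state = {"enabled": False, "vlans": set(), "ports": {}}
    lines = [line.strip() for line in text.splitlines()]
    for index, line in enumerate(lines):
        if line.startswith("Switch DHCP snooping is"):
            state["enabled"] = line.endswith(" enabled")
        elif line.startswith(SNOOPED_VLANS_HEADER):
            # The VLAN list may share the header line or follow on the next one.
            spec = line[len(SNOOPED_VLANS_HEADER):].strip()
            if not spec and index + 1 < len(lines):
                spec = lines[index + 1]
            if re.fullmatch(r"[\d,\- ]+", spec):
                state["vlans"] = expand_list(spec)
        else:
            row = PORT_ROW.match(line)
            if row:
                port, trusted, rate = row.groups()
                # "unlimited" (or the default 0) means no rate limit is set.
                limit = None if rate in ("unlimited", "0") else int(rate)
                state["ports"][int(port)] = (trusted == "yes", limit)
    return state


def audit(state, expected_vlans, approved_trusted_ports):
    """Compare the parsed state with the intended design; return findings."""
    findings = []
    if not state["enabled"]:
        findings.append(("snooping-disabled", None))
    for vlan in sorted(set(expected_vlans) - state["vlans"]):
        findings.append(("vlan-not-snooped", vlan))
    for port, (trusted, limit) in sorted(state["ports"].items()):
        if not trusted:
            continue
        if port not in approved_trusted_ports:
            # A trusted port may carry DHCP server replies into the network.
            findings.append(("unexpected-trusted-port", port))
        if limit is None:
            findings.append(("trusted-port-without-rate-limit", port))
    return findings


if __name__ == "__main__":
    parsed = parse_show_dhcp_snooping(SAMPLE_OUTPUT)
    # Assumed design: VLAN 400 should also be snooped; ports 1-3 are uplinks.
    for finding in audit(parsed, {1, 2, 3, 200, 300, 400}, {1, 2, 3}):
        print(finding)
```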
CHAPTER 22

DiffServ Commands

22.1 Command Summary

Use these commands to configure Differentiated Services (DiffServ) on the Switch.
The following section lists the commands for this feature.
Table 69 diffserv Command Summary
COMMAND | DESCRIPTION | M | P
show diffserv | Displays general DiffServ settings. | E | 3
diffserv | Enables DiffServ on the Switch. | C | 13
no diffserv | Disables DiffServ on the Switch. | C | 13
diffserv dscp <0-63> priority <0-7> | Sets the DSCP-to-IEEE 802.1q mappings. | C | 13
interface port-channel <port-list> | Enters config-interface mode for the specified ports. The list consists of one or more ports, separated by commas with no spaces. The list may also contain ranges of ports signified by a hyphen. For example: 1,3,5–8,10. | C | 13
  diffserv | Enables DiffServ on the ports. | C | 13
  no diffserv | Disables DiffServ on the ports. | C | 13
CHAPTER 23

Display Commands

23.1 Command Summary

Use these commands to display configuration information.
The following section lists the commands for this feature.
Table 70 display Command Summary
COMMAND | DESCRIPTION | M | P
display user <[system][snmp]> | Displays all or specific user account information in the configuration file. system: Displays system account information, such as admin, enable or login username and password. snmp: Displays SNMP user account information. | C | 14
no display user <[system][snmp]> | Hides all or specific user account information in the configuration file. | C | 14
display aaa <[authentication][authorization][server]> | Displays all or specific AAA information in the configuration file. authentication: Displays authentication information in the configuration file. authorization: Displays authorization information in the configuration file. server: Displays authentication server information in the configuration file. | C | 14
no display aaa <[authentication][authorization][server]> | Hides all or specific AAA information in the configuration file. | C | 14
CHAPTER 24

DVMRP Commands

24.1 DVMRP Overview

DVMRP (Distance Vector Multicast Routing Protocol) is a protocol used for routing multicast data. DVMRP is used when a router receives multicast traffic and it wants to find out if other multicast routers it is connected to need to receive the data. DVMRP sends the data to all attached routers and waits for a reply. Routers which do not need to receive the data (do not have multicast group member connected) return a “prune” message, which stops further multicast traffic for that group from reaching the router.

24.2 Command Summary

The following section lists the commands for this feature.
Table 71 Command Summary: DVMRP
COMMAND | DESCRIPTION | M | P
show ip dvmrp group | Displays DVMRP group information. | E | 3
show ip dvmrp interface | Displays DVMRP interface information. | E | 3
show ip dvmrp neighbor | Displays DVMRP neighbor information. | E | 3
show ip dvmrp prune | Displays the DVMRP prune information. | E | 3
show ip dvmrp route | Displays the DVMRP routes. | E | 3
show router dvmrp | Displays DVMRP settings. | E | 3
router dvmrp | Enables and enters the DVMRP configuration mode. | C | 13
  exit | Leaves the DVMRP configuration mode. | C | 13
  threshold <ttl-value> | Sets the DVMRP threshold value. Multicast packets with TTL (Time-To-Live) value lower than the threshold are not forwarded by the Switch. | C | 13
no router dvmrp | Disables DVMRP on the Switch. | C | 13
interface route-domain <ip-address>/<mask-bits> | Enters the configuration mode for this routing domain. | C | 13
  ip dvmrp | Activates this routing domain to participate in DVMRP. | C | 13
  no ip dvmrp | Disables this routing domain from participating in DVMRP. | C | 13

24.3 Command Examples

In this example, the Switch is configured to exchange DVMRP information with other DVMRP enabled routers as shown next. The Switch is a DVMRP router (C). DVMRP is activated on IP routing domains 10.10.10.1/24 and 172.16.1.1/24 so that it can exchange DVMRP information with routers A and B.
Figure 6 DVMRP Network Example
• Enables IGMP and DVMRP on the Switch.
• Enables DVMRP on the following routing domains: 10.10.10.1/24, 172.16.1.1/24.
• Displays DVMRP settings configured on the Switch.
sysname(config)# router igmp
sysname(config-igmp)# exit
sysname(config)# router dvmrp
sysname(config-dvmrp)# exit
sysname(config)# interface route-domain 10.10.10.1/24
sysname(config-if)# ip dvmrp
sysname(config-if)# exit
sysname(config)# interface route-domain 172.16.1.1/24
sysname(config-if)# ip dvmrp
sysname(config-if)# exit
sysname(config)# exit
sysname# show router dvmrp
TTL threshold: 50

IP Address     Subnet Mask      Active
----------------------------------------
10.10.10.1     255.255.255.0    Yes
172.16.1.1     255.255.255.0    Yes
192.168.1.1    255.255.255.0    No
CHAPTER 25

Error Disable and Recovery Commands

25.1 CPU Protection Overview

Switches exchange protocol control packets in a network to get the latest networking information. If a Switch receives large numbers of control packets, such as ARP, BPDU or IGMP packets, which are to be processed by the CPU, the CPU may become overloaded and be unable to handle regular tasks properly.
The CPU protection feature allows you to limit the rate of ARP, BPDU and IGMP packets to be delivered to the CPU on a port. This enhances the CPU efficiency and protects against potential DoS attacks or errors from other networks. You then can choose to drop control packets that exceed the specified rate limit or disable a port on which the packets are received.

25.2 Error-Disable Recovery Overview

Some features, such as loop guard or CPU protection, allow the Switch to shut down a port or discard specific packets on a port when an error is detected on the port. For example, if the Switch detects that packets sent out the ports loop back to the Switch, the Switch can shut down the ports automatically. After that, you need to enable the ports or allow the packets on a port manually through the Web Configurator or the commands. With error-disable recovery, you can set the disabled ports to become active or start receiving the packets again after the time interval you specify.
User Input Values
This section lists the common term definitions that appear in this chapter.
Table 72 error-disable recovery command user input values
USER INPUT | DESCRIPTION
port-list | A list of one or more ports, separated by commas with no spaces. The list may also contain ranges of ports signified by a hyphen. For example: 1,3,5–8,10.

25.3 Command Summary

The following table describes user-input values available in multiple commands for this feature.
Table 73 Interface Command Values
COMMAND | DESCRIPTION
port-list | A list of one or more ports, separated by commas with no spaces. The list may also contain ranges of ports signified by a hyphen. For example: 1,3,5–8,10.
The following section lists the commands for this feature.
Table 74 cpu-protection Command Summary
COMMAND | DESCRIPTION | M | P
interface port-channel <port-list> | Enables a port or a list of ports for configuration. | C | 13
  cpu-protection cause <ARP|BPDU|IGMP> rate-limit <0-256> | Sets the maximum number of ARP, BPDU or IGMP packets that the specified ports are allowed to receive or transmit per second. 0 means no rate limit. | C | 13
clear cpu-protection interface port-channel <port-list> cause <ARP|BPDU|IGMP> | Resets the “Total Drop” counters for the specified ports to zero (0). You can see the counter using the show cpu-protection command. The “Total Drops” means the number of ARP, BPDU or IGMP packets that have been dropped due to the Error Disable feature in rate-limitation mode. | E | 13
reset cpu-protection interface port-channel <port-list> cause <ARP|BPDU|IGMP> | Sets the specified ports to handle all ARP, BPDU or IGMP packets instead of ignoring them, if the ports are in inactive-reason mode (set by using the errdisable detect cause command). | E | 13
show cpu-protection interface port-channel <port-list> | Shows the CPU Protection settings and the number of ARP, BPDU and/or IGMP packets that have been dropped by the Error Disable feature for the specified ports. | E | 13
Table 75 errdisable recovery Command Summary
COMMAND | DESCRIPTION | M | P
errdisable detect cause <ARP|BPDU|IGMP> | Sets the Switch to detect if the number of ARP, BPDU or IGMP packets exceeds the rate limit on ports (set by using the cpu-protection cause command). | C | 13
errdisable detect cause <ARP|BPDU|IGMP> mode <inactive-port|inactive-reason|rate-limitation> | Sets the action that the Switch takes when the number of ARP, BPDU or IGMP packets exceeds the rate limit on ports. inactive-port: The Switch shuts down the port. inactive-reason: The Switch bypasses the processing of the specified control packets (such as ARP or IGMP packets), or drops all the specified control packets (such as BPDU) on the port. rate-limitation: The Switch drops the additional control packets the ports have to handle in every one second. | C | 13
errdisable recovery | Turns on the disabled port recovery function on the Switch. | C | 13
errdisable recovery cause <loopguard|ARP|BPDU|IGMP|anti-arpscan|bpduguard|zuld> | Enables the recovery timer for the specified feature that causes the Switch to shut down ports. | C | 13
Table 75 errdisable recovery Command Summary (continued)
COMMAND | DESCRIPTION | M | P
errdisable recovery cause <loopguard|ARP|BPDU|IGMP|anti-arpscan|bpduguard|zuld> interval <30-2592000> | Sets how many seconds the Switch waits before enabling the ports which were shut down. | C | 13
no errdisable detect cause <ARP|BPDU|IGMP> | Disables the rate limit for ARP, BPDU or IGMP packets on ports, set by using the cpu-protection cause command. | C | 13
no errdisable recovery | Turns off the disabled port recovery function on the Switch. | C | 13
no errdisable recovery cause <loopguard|ARP|BPDU|IGMP|anti-arpscan|bpduguard|zuld> | Disables the recovery timer for the specified feature that causes the Switch to shut down a port. | C | 13
show errdisable | Displays which ports are detected (by Error Disable), the mode of the ports, and which packets (ARP, BPDU, or IGMP) are being detected. | E | 13
show errdisable detect | Displays the Error Disable settings including the available protocol of packets (ARP, BPDU or IGMP), the current status (enabled or disabled), and the corresponding action the Switch takes when a detected port is handling packets over the limit. | E | 13
show errdisable recovery | Displays the disabled port recovery settings and after how many seconds which ports will be activated. | E | 13

25.4 Command Examples

This example shows you how to configure the following:
• limit the number of ARP packets that port 7 can handle to 100 packets per second.
• set to shut down port 7 when the number of ARP packets the port should handle exceeds the rate limit.
• display the CPU protection settings that you just set for port 7.
• display the Error Disable status and action mode for ARP packet handling.
sysname# config
sysname(config)# interface port-channel 7
sysname(config-interface)# cpu-protection cause ARP rate-limit 100
sysname(config-interface)# exit
sysname(config)# errdisable detect cause ARP
sysname(config)# errdisable detect cause ARP mode inactive-port
sysname(config)# exit
sysname# show cpu-protection interface port-channel 7
Port : 7

Reason  Rate     Mode             Total Drops
------  -------  ---------------  -----------
ARP     100      inactive-port    -
BPDU    0        inactive-port    -
IGMP    0        inactive-port    -
sysname# show errdisable detect

Reason  Status   Mode
------  -------  ---------------
ARP     enable   inactive-port
BPDU    enable   rate-limitation
IGMP    enable   inactive-port
sysname#
This example enables the disabled port recovery function and the recovery timer for the loopguard feature on the Switch. If a port is shut down due to the specified reason, the Switch activates the port 300 seconds (the default value) later. This example also shows the number of the disabled ports and the time left before the ports become active.
sysname# configure
sysname(config)# errdisable recovery
sysname(config)# errdisable recovery cause loopguard
sysname(config)# exit
sysname# show errdisable recovery
Errdisable Recovery Status:Enable

Reason        Timer Status  Time
----------    ------------  -------
loopguard     Enable        300
ARP           Disable       300
BPDU          Disable       300
IGMP          Disable       300
anti-arpscan  Disable       300
bpduguard     Disable       300
zuld          Disable       300

Interfaces that will be enabled at the next timeout:

Interface  Reason      Time left(sec)  Mode
---------  ----------  --------------  ---------------
sysname#
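The following Python script is an added example, not part of the Zyxel guide. It cross-checks the three show outputs used in this chapter and reports, per cause, a rate limit of 0 (no limit), a rate limit whose detection is disabled (so the limit is not applied), and an inactive-port action with no recovery timer (so a shut-down port stays down until it is re-enabled manually). The sample outputs are constructed, and the function names and finding labels are assumptions of this example.

```python
import re

# Constructed samples in the layout of the guide's example output; the values
# are altered so that each check below has something to report.
CPU_PROTECTION = """\
Port : 7
Reason  Rate     Mode             Total Drops
------  -------  ---------------  -----------
ARP     100      inactive-port    -
BPDU    0        inactive-port    -
IGMP    50       inactive-port    -
"""
DETECT = """\
Reason  Status   Mode
------  -------  ---------------
ARP     enable   inactive-port
BPDU    enable   rate-limitation
IGMP    disable  inactive-port
"""
RECOVERY = """\
Errdisable Recovery Status:Enable
Reason        Timer Status  Time
----------    ------------  -------
loopguard     Enable        300
ARP           Disable       300
BPDU          Disable       300
IGMP          Disable       300
"""


def rows(text, pattern):
    """Yield the regex groups of every CLI table line that matches."""
    for line in text.splitlines():
        match = re.match(pattern, line.strip())
        if match:
            yield match.groups()


def parse_rates(text):
    """Cause -> packets per second from show cpu-protection (0 = no limit)."""
    return {c: int(r) for c, r in rows(text, r"(ARP|BPDU|IGMP)\s+(\d+)\s")}


def parse_detect(text):
    """Cause -> (detection enabled, action mode) from show errdisable detect."""
    return {c: (s == "enable", m) for c, s, m in
            rows(text, r"(ARP|BPDU|IGMP)\s+(enable|disable)\s+(\S+)$")}


def parse_recovery(text):
    """Return (global recovery enabled, cause -> recovery timer enabled)."""
    status = re.search(r"Errdisable Recovery Status\s*:\s*(\w+)", text)
    timers = {c: s == "Enable" for c, s, _ in
              rows(text, r"(\S+)\s+(Enable|Disable)\s+(\d+)$")}
    return bool(status) and status.group(1) == "Enable", timers


def audit(rates, detect, recovery_on, timers):
    """Return (cause, finding) pairs for one port's CPU protection setup."""
    findings = []
    for cause in ("ARP", "BPDU", "IGMP"):
        rate = rates.get(cause, 0)
        detecting, mode = detect.get(cause, (False, None))
        if rate == 0:
            findings.append((cause, "no-rate-limit"))
        elif not detecting:
            # Without errdisable detect cause, the configured limit is disabled.
            findings.append((cause, "limit-not-enforced"))
        elif mode == "inactive-port" and not (recovery_on and timers.get(cause)):
            # The port stays shut down until someone re-enables it manually.
            findings.append((cause, "no-auto-recovery"))
    return findings


def run_sample():
    """Audit the constructed samples above."""
    recovery_on, timers = parse_recovery(RECOVERY)
    return audit(parse_rates(CPU_PROTECTION), parse_detect(DETECT),
                 recovery_on, timers)


if __name__ == "__main__":
    for cause, finding in run_sample():
        print(cause, finding)
```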
CHAPTER 26

Ethernet OAM Commands

26.1 IEEE 802.3ah Link Layer Ethernet OAM Overview

Link layer Ethernet OAM (Operations, Administration and Maintenance) as described in IEEE 802.3ah is a link monitoring protocol. It utilizes OAM Protocol Data Units (OAM PDUs) to transmit link status information between directly connected Ethernet devices. Both devices must support IEEE 802.3ah. Because link layer Ethernet OAM operates at layer two of the OSI (Open Systems Interconnection Basic Reference) model, neither IP nor SNMP is necessary to monitor or troubleshoot network connection problems.
The Switch supports the following IEEE 802.3ah features:
Discovery – this identifies the devices on each end of the Ethernet link and their OAM configuration.
Remote Loopback – this can initiate a loopback test between Ethernet devices.

26.2 Command Summary

The following table describes user-input values available in multiple commands for this feature.
Table 76 Interface Command Values
COMMAND | DESCRIPTION
port-list | A list of one or more ports, separated by commas with no spaces. The list may also contain ranges of ports signified by a hyphen. For example: 1,3,5–8,10.
The following section lists the commands for this feature.
Table 77 ethernet oam Command Summary
COMMAND | DESCRIPTION | M | P
show ethernet oam discovery <port-list> | Displays OAM configuration details and operational status of the specified ports. | E | 3
show ethernet oam statistics <port-list> | Displays the number of OAM packets transferred for the specified ports. | E | 3
show ethernet oam summary | Displays the configuration details of each OAM activated port. | E | 3
ethernet oam | Enables Ethernet OAM on the Switch. | C | 13
no ethernet oam | Disables Ethernet OAM on the Switch. | C | 13
ethernet oam remote-loopback start <port> | Initiates a remote-loopback test from the specified port by sending Enable Loopback Control PDUs to the remote device. | E | 13
Table 77 ethernet oam Command Summary (continued)
COMMAND | DESCRIPTION | M | P
ethernet oam remote-loopback stop <port> | Terminates a remote-loopback test from the specified port by sending Disable Loopback Control PDUs to the remote device. | E | 13
ethernet oam remote-loopback test <port> [<number-of-packets> [<packet-size>]] | Performs a remote-loopback test from the specified port. You can also define the allowable packet number and packet size of the loopback test frames. | E | 13
interface port-channel <port-list> | Enters config-interface mode for the specified ports. | C | 13
  ethernet oam | Enables Ethernet OAM on the ports. | C | 13
  no ethernet oam | Disables Ethernet OAM on the ports. | C | 13
  ethernet oam mode <active|passive> | Specifies the OAM mode on the ports. active: Allows the port to issue and respond to Ethernet OAM commands. passive: Allows the port to respond to Ethernet OAM commands. | C | 13
  ethernet oam remote-loopback ignore-rx | Sets the Switch to ignore loopback commands received on the ports. | C | 13
  ethernet oam remote-loopback supported | Enables the remote loopback feature on the ports. | C | 13
  no ethernet oam remote-loopback ignore-rx | Sets the Switch to process loopback commands received on the ports. | C | 13
  no ethernet oam remote-loopback supported | Disables the remote loopback feature on the ports. | C | 13
  no ethernet oam mode | Resets the OAM mode to the default value. | C | 13

26.3 Command Examples

This example enables Ethernet OAM on port 7 and sets the mode to active.
sysname# configure
sysname(config)# ethernet oam
sysname(config)# interface port-channel 7
sysname(config-interface)# ethernet oam
sysname(config-interface)# ethernet oam mode active
sysname(config-interface)# exit
sysname(config)# exit
This example performs Ethernet OAM discovery from port 7.
sysname# show ethernet oam discovery 7
Port 7
Local client
------------
OAM configurations:
  Mode : Active
  Unidirectional : Not supported
  Remote loopback : Not supported
  Link events : Not supported
  Variable retrieval: Not supported
  Max. OAMPDU size : 1518
Operational status:
  Link status : Down
  Info. revision : 3
  Parser state : Forward
  Discovery state : Active Send Local
The following table describes the labels in this screen.
Table 78 show ethernet oam discovery
LABEL | DESCRIPTION
OAM configurations | The remote device uses this information to determine what functions are supported.
Mode | This field displays the OAM mode. The device in active mode (typically the service provider's device) controls the device in passive mode (typically the subscriber's device). Active: The Switch initiates OAM discovery; sends information PDUs; and may send event notification PDUs, variable request/response PDUs, or loopback control PDUs. Passive: The Switch waits for the remote device to initiate OAM discovery; sends information PDUs; may send event notification PDUs; and may respond to variable request PDUs or loopback control PDUs. The Switch might not support some types of PDUs, as indicated in the fields below.
Unidirectional | This field indicates whether or not the Switch can send information PDUs to transmit fault information when the receive path is non-operational.
Remote loopback | This field indicates whether or not the Switch can use loopback control PDUs to put the remote device into loopback mode.
Link events | This field indicates whether or not the Switch can interpret link events, such as link fault and dying gasp. Link events are sent in event notification PDUs and indicate when the number of errors in a given interval (time, number of frames, number of symbols, or number of errored frame seconds) exceeds a specified threshold. Organizations may create organization-specific link event TLVs as well.
Variable retrieval | This field indicates whether or not the Switch can respond to requests for more information, such as requests for Ethernet counters and statistics, about link events.
Max. OAMPDU size | This field displays the maximum size of PDU for receipt and delivery.
Operational status |
Link status | This field indicates that the link is up or down.
Info. revision | This field displays the current version of local state and configuration. This two-octet value starts at zero and increments every time the local state or configuration changes.
Table 78 show ethernet oam discovery (continued)
LABEL | DESCRIPTION
Parser state | This field indicates the current state of the parser. Forward: The Switch is forwarding packets normally. Loopback: The Switch is in loopback mode. Discard: The Switch is discarding non-OAMPDUs because it is trying to or has put the remote device into loopback mode.
Discovery state | This field indicates the state in the OAM discovery process. OAM-enabled devices use this process to detect each other and to exchange information about their OAM configuration and capabilities. OAM discovery is a handshake protocol. Fault: One of the devices is transmitting OAM PDUs with link fault information, or the interface is not operational. Active Send Local: The Switch is in active mode and is trying to see if the remote device supports OAM. Passive Wait: The Switch is in passive mode and is waiting for the remote device to begin OAM discovery. Send Local Remote: This state occurs in the following circumstances. • The Switch has discovered the remote device but has not accepted or rejected the connection yet. • The Switch has discovered the remote device and rejected the connection. Send Local Remote OK: The Switch has discovered the remote device and has accepted the connection. In addition, the remote device has not accepted or rejected the connection yet, or the remote device has rejected the connection. Send Any: The Switch and the remote device have accepted the connection. This is the operating state for OAM links that are fully operational.
This example looks at the number of OAM packets transferred on port 1.
sysname# show ethernet oam statistics 1
Port 1
Statistics:
-----------
Information OAMPDU Tx : 0
Information OAMPDU Rx : 0
Event Notification OAMPDU Tx : 0
Event Notification OAMPDU Rx : 0
Loopback Control OAMPDU Tx : 0
Loopback Control OAMPDU Rx : 0
Variable Request OAMPDU Tx : 0
Variable Request OAMPDU Rx : 0
Variable Response OAMPDU Tx : 0
Variable Response OAMPDU Rx : 0
Unsupported OAMPDU Tx : 0
Unsupported OAMPDU Rx : 0
The following table describes the labels in this screen.
Table 79 show ethernet oam statistics
| LABEL | DESCRIPTION |
| --- | --- |
| Information OAMPDU Tx | This field displays the number of OAM PDUs sent on the port. |
| Information OAMPDU Rx | This field displays the number of OAM PDUs received on the port. |
| Event Notification OAMPDU Tx | This field displays the number of unique or duplicate OAM event notification PDUs sent on the port. |
| Event Notification OAMPDU Rx | This field displays the number of unique or duplicate OAM event notification PDUs received on the port. |
| Loopback Control OAMPDU Tx | This field displays the number of loopback control OAM PDUs sent on the port. |
| Loopback Control OAMPDU Rx | This field displays the number of loopback control OAM PDUs received on the port. |
| Variable Request OAMPDU Tx | This field displays the number of OAM PDUs sent to request MIB objects on the remote device. |
| Variable Request OAMPDU Rx | This field displays the number of OAM PDUs received requesting MIB objects on the Switch. |
| Variable Response OAMPDU Tx | This field displays the number of OAM PDUs sent by the Switch in response to requests. |
| Variable Response OAMPDU Rx | This field displays the number of OAM PDUs sent by the remote device in response to requests. |
| Unsupported OAMPDU Tx | This field displays the number of unsupported OAM PDUs sent on the port. |
| Unsupported OAMPDU Rx | This field displays the number of unsupported OAM PDUs received on the port. |
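The following Python script is an added example, not part of this guide or of the Switch firmware. It parses two captures of the show ethernet oam statistics output (one counter per line) and reports which receive counters changed between them; the choice of watched counters, the "reset" marker and the sample values are assumptions made for illustration.

```python
import re

PORT = re.compile(r"^\s*Port\s+(\d+)\b")
COUNTER = re.compile(r"^\s*(.+? OAMPDU [TR]x)\s*:\s*(\d+)\s*$")
# Assumption (not from the guide): these receive counters are driven by the
# remote device, so a change between two snapshots is worth reviewing.
WATCHED = ("Event Notification OAMPDU Rx", "Loopback Control OAMPDU Rx",
           "Variable Request OAMPDU Rx", "Unsupported OAMPDU Rx")

def parse_stats(text):
    """Return (port, {label: count}) parsed from the command output."""
    port, counters = None, {}
    for line in text.splitlines():
        if m := PORT.match(line):
            port = int(m.group(1))
        elif m := COUNTER.match(line):
            counters[m.group(1)] = int(m.group(2))
    if port is None or not counters:
        raise ValueError("not 'show ethernet oam statistics' output")
    return port, counters

def review(before, after):
    """Return (port, findings) for watched counters that changed."""
    (port_a, old), (port_b, new) = parse_stats(before), parse_stats(after)
    if port_a != port_b:
        raise ValueError("snapshots are from different ports")
    findings = []
    for label in WATCHED:
        delta = new.get(label, 0) - old.get(label, 0)
        if delta > 0:
            findings.append((label, delta))
        elif delta < 0:
            findings.append((label, "reset"))  # counter went backwards
    return port_a, findings

# Constructed snapshots in the layout shown above; values are made up and
# the rows that stay at 0 are left out to keep the sample short.
BEFORE = """sysname# show ethernet oam statistics 1
Port 1
Statistics:
-----------
Information OAMPDU Tx : 120
Information OAMPDU Rx : 118
Loopback Control OAMPDU Rx : 0
Unsupported OAMPDU Rx : 4
"""
AFTER = (BEFORE.replace("Control OAMPDU Rx : 0", "Control OAMPDU Rx : 2")
               .replace("Unsupported OAMPDU Rx : 4", "Unsupported OAMPDU Rx : 1"))

print(review(BEFORE, AFTER))
```

A counter that goes backwards is reported as "reset" rather than as a negative delta, since the two captures then do not cover one continuous counting period.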
This example looks at the configuration of ports on which OAM is enabled.
sysname# show ethernet oam summary
OAM Config: U : Unidirection, R : Remote Loopback
            L : Link Events , V : Variable Retrieval
    Local                      Remote
------------- -----------------------------------------
Port  Mode    MAC Addr          OUI    Mode    Config
----- ------- ----------------- ------ ------- --------
1     Active
The following table describes the labels in this screen.
Table 80 show ethernet oam summary
| LABEL | DESCRIPTION |
| --- | --- |
| Local | This section displays information about the ports on the Switch. |
| Port | This field displays the port number. |
| Mode | This field displays the operational state of the port. |
| Remote | This section displays information about the remote device. |
| MAC Addr | This field displays the MAC address of the remote device. |
| OUI | This field displays the OUI (first three bytes of the MAC address) of the remote device. |
| Mode | This field displays the operational state of the remote device. |
| Config | This field displays the capabilities of the Switch and remote device. The capabilities are identified in the OAM Config section. |

CHAPTER 27
External Alarm Commands

27.1 Command Summary

Use these commands to configure the external alarm features on the Switch.
The following section lists the commands for this feature.
Table 81 external-alarm Command Summary
| COMMAND | DESCRIPTION | M | P |
| --- | --- | --- | --- |
| external-alarm <index> name <name_string> | Sets the name of the specified external alarm. index: 1 – 4. name_string: Enter a name of up to 32 ASCII characters. | C | 13 |
| no external-alarm <index> | Removes the name of the specified external alarm. | C | 13 |
| no external-alarm all | Removes the name of all external alarms. | C | 13 |
| show external-alarm | Displays external alarm settings and status. | E | 13 |

27.2 Command Examples

This example configures and shows the name and status of the external alarms.
sysname# configure
sysname(config)# external-alarm 1 name dooropen
sysname(config)# exit
sysname# show external-alarm
External Alarm 1
  Status: Not asserted
  Name: dooropen
External Alarm 2
  Status: Not asserted
  Name:
External Alarm 3
  Status: Not asserted
  Name:
External Alarm 4
  Status: Not asserted
  Name:
sysname#

CHAPTER 28
Flex Link Commands

28.1 Flex Link Overview

Use these commands to set up a backup link for a primary link on the Switch.
A flex link pair consists of a primary link and a backup link on a layer-2 interface. A primary link runs on a primary port; a backup link runs on a backup port. The ports have two states: FORWARDING and BLOCKING. When one link is up and running (port state: FORWARDING), the other link is down or in standby mode (port state: BLOCKING). Only one port is forwarding traffic (FORWARDING) at a time. When the primary link goes down, the backup link automatically goes up and is able to forward traffic.
Preemption
Enable preemption to have the Switch automatically return the primary port to the FORWARDING state, and the backup port to the BLOCKING state, after the primary port recovers from an error state. The Switch waits for the specified preemption-delay time before changing the primary port state to FORWARDING and the backup port state to BLOCKING.
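The failover and preemption behavior described in the overview can be traced with a small model. This Python sketch is an added example, not Zyxel code: the class and function names are hypothetical, times are in arbitrary units, and it assumes that with preemption disabled the backup port keeps forwarding after the primary link recovers (the overview only describes the preemption-enabled case).

```python
FORWARDING, BLOCKING = "FORWARDING", "BLOCKING"

class FlexLinkPair:
    """Toy model of one primary/backup pair (illustration, not Switch code)."""

    def __init__(self, preemption=False, preemption_delay=0):
        self.preemption, self.delay = preemption, preemption_delay
        self.link_up = {"primary": True, "backup": True}
        self.active = "primary"    # the single port in FORWARDING, or None
        self.recovered_at = None   # time the primary link last came back up

    def states(self):
        return {p: FORWARDING if p == self.active else BLOCKING
                for p in self.link_up}

    def link_event(self, now, port, up):
        self.link_up[port] = up
        if port == "primary":
            self.recovered_at = now if up else None
        return self.tick(now)

    def tick(self, now):
        """Re-evaluate which port forwards at time `now`."""
        if self.active and not self.link_up[self.active]:
            self.active = None                      # forwarding link failed
        if self.active is None:
            # Fail over to a link that is up. Assumption: primary is tried first.
            self.active = next((p for p in ("primary", "backup")
                                if self.link_up[p]), None)
        elif (self.active == "backup" and self.preemption
              and self.link_up["primary"]
              and now - self.recovered_at >= self.delay):
            self.active = "primary"                 # preempt after the delay
        # Assumption: with preemption off, the backup keeps forwarding.
        return self.states()

def forwarding_timeline(preemption, delay=30):
    """Primary fails at t=5 and recovers at t=10; sample the pair afterwards."""
    pair = FlexLinkPair(preemption, delay)
    pair.link_event(5, "primary", False)
    pair.link_event(10, "primary", True)
    return [(t, pair.tick(t)["primary"]) for t in (10, 39, 40)]

print(forwarding_timeline(preemption=True))
print(forwarding_timeline(preemption=False))
```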

28.2 Command Summary

The following table describes user-input values available in multiple commands for this feature.
Table 82 Interface Command Values
| COMMAND | DESCRIPTION |
| --- | --- |
| port-id | A port number on the Switch. |