CLI Tesla SG350X SG350XG 2 2 5 PDF
3 ACL Commands
ip access-list (IP extended)
permit (IP)
deny (IP)
ipv6 access-list (IPv6 extended)
permit (IPv6)
1 SG350XG and Sx350X Ph. 2.2.5 Devices - Command Line Interface Reference Guide
deny (IPv6)
mac access-list
permit (MAC)
deny (MAC)
service-acl input
service-acl output
time-range
absolute
periodic
show time-range
show access-lists
show interfaces access-lists
clear access-lists counters
show interfaces access-lists trapped packets
ip access-list (IP standard)
ipv6 access-list (IP standard)
show bridge multicast address-table static
show bridge multicast filtering
show bridge multicast unregistered
show ports security
show ports security addresses
bridge multicast reserved-address
show bridge multicast reserved-addresses
cdp log mismatch duplex
cdp log mismatch native
cdp log mismatch voip
cdp mandatory-tlvs validation
cdp pdu
cdp run
cdp source-interface
cdp timer
clear cdp counters
clear cdp table
show cdp
show cdp entry
show cdp interface
show cdp neighbors
show cdp tlv
show cdp traffic
security-suite deny syn
security-suite deny syn-fin
security-suite dos protect
security-suite dos syn-attack
security-suite enable
security-suite syn protection mode
security-suite syn protection recovery
security-suite syn protection threshold
show security-suite configuration
show security-suite syn protection
show ip dhcp pool network
show ip dhcp pre-allocated
show ip dhcp server statistics
time-server
15 DNS Client Commands
clear host
ip domain lookup
ip domain name
ip domain polling-interval
ip domain retry
ip domain timeout
ip host
ip name-server
show hosts
18 File System Commands
File Specification
System Flash Files
Flash File System on Stack
boot config
boot localization
boot system
cd
copy
delete
dir
mkdir
more
pwd
reload
rename
rmdir
service mirror-configuration
show bootvar / show version
show mirror-configuration service
show reload
show running-config
show startup-config
write
ip igmp query-interval
ip igmp query-max-response-time
ip igmp robustness
ip igmp version
show ip igmp counters
show ip igmp groups
show ip igmp groups summary
show ip igmp interface
show arp
show arp configuration
interface ip
ip helper-address
show ip helper-address
show ip dhcp client interface
ipv6 nd ra suppress
ipv6 nd reachable-time
ipv6 nd router-preference
ipv6 neighbor
ipv6 policy route-map
ipv6 redirects
ipv6 route
ipv6 unicast-routing
ipv6 unreachables
show ipv6 interface
show ipv6 link-local default zone
show ipv6 nd prefix
show ipv6 neighbors
show ipv6 route
show ipv6 route summary
show ipv6 static
ipv6 nd raguard
ipv6 nd raguard attach-policy (port mode)
ipv6 nd raguard attach-policy (VLAN mode)
ipv6 nd raguard hop-limit
ipv6 nd raguard managed-config-flag
ipv6 nd raguard other-config-flag
ipv6 nd raguard policy
ipv6 nd raguard router-preference
ipv6 neighbor binding
ipv6 neighbor binding address-config
ipv6 neighbor binding address-prefix
ipv6 neighbor binding address-prefix-validation
ipv6 neighbor binding attach-policy (port mode)
ipv6 neighbor binding attach-policy (VLAN mode)
ipv6 neighbor binding lifetime
ipv6 neighbor binding logging
ipv6 neighbor binding max-entries
ipv6 neighbor binding policy
ipv6 neighbor binding static
ipv6 source guard
ipv6 source guard attach-policy (port mode)
ipv6 source guard policy
logging binding
logging packet drop
managed-config-flag
match ra address
match ra prefixes
match reply
match server address
max-entries
other-config-flag
preference
router-preference
sec-level minimum
show ipv6 dhcp guard
show ipv6 dhcp guard policy
show ipv6 first hop security
show ipv6 first hop security active policies
show ipv6 first hop security attached policies
show ipv6 first hop security counters
show ipv6 first hop security error counters
show ipv6 first hop security policy
show ipv6 nd inspection
show ipv6 nd inspection policy
show ipv6 nd raguard
show ipv6 nd raguard policy
show ipv6 neighbor binding
show ipv6 neighbor binding policy
show ipv6 neighbor binding prefix table
show ipv6 neighbor binding table
show ipv6 source guard
show ipv6 source guard policy
trusted-port (IPv6 Source Guard)
validate source-mac
36 Link Layer Discovery Protocol (LLDP) Commands
clear lldp table
lldp chassis-id
lldp hold-multiplier
lldp lldpdu
lldp management-address
lldp med
lldp med notifications topology-change
lldp med fast-start repeat-count
lldp med location
lldp med network-policy (global)
lldp med network-policy (interface)
lldp med network-policy voice auto
lldp notifications
lldp notifications interval
lldp optional-tlv
lldp optional-tlv 802.1
lldp run
lldp receive
lldp reinit
lldp timer
lldp transmit
lldp tx-delay
show lldp configuration
show lldp local
show lldp local tlvs-overloading
show lldp med configuration
show lldp neighbors
management access-class
show management access-list
show management access-class
show snmp views
show snmp groups
snmp-server user
show snmp users
snmp-server filter
show snmp filters
snmp-server host
snmp-server engineID local
snmp-server engineID remote
show snmp engineID
snmp-server enable traps
snmp-server trap authentication
snmp-server contact
snmp-server location
snmp-server set
snmp trap link-status
show snmp
qos advanced-mode trust
show qos
class-map
show class-map
match
policy-map
class
show policy-map
trust
set
redirect
mirror
police
service-policy
qos aggregate-policer
show qos aggregate-policer
police aggregate
wrr-queue cos-map
wrr-queue bandwidth
priority-queue out num-of-queues
traffic-shape
traffic-shape queue
qos wrr-queue wrtd
show qos wrr-queue wrtd
show qos interface
qos map policed-dscp
qos map dscp-queue
qos trust (Global)
qos trust (Interface)
qos cos
qos dscp-mutation
qos map dscp-mutation
show qos map
clear qos statistics
qos statistics policer
qos statistics aggregate-policer
qos statistics queues
show qos statistics
show radius-servers
show radius-servers key
52 Router Resources Commands
system router resources
show system router resources
sflow receiver source-interface-ipv6
ip ssh-client server fingerprint
ip ssh-client source-interface
ipv6 ssh-client source-interface
ip ssh-client username
show ip ssh-client
show ip ssh-client server
60 SSD Commands
ssd config
passphrase
ssd rule
show SSD
ssd session read
show ssd session
ssd file passphrase control
ssd file integrity control
resume
service cpu-utilization
show cpu input rate
show cpu utilization
show environment
show inventory
show reload
show sessions
show system
show system languages
show system tcam utilization
show services tcp-udp
show tech-support
show system fans
show system sensors
show system power-supply
show system id
show ports leds configuration
show users
show version
show hardware version
system recovery
64 TACACS+ Commands
tacacs-server host
tacacs-server host source-interface
tacacs-server host source-interface-ipv6
tacacs-server key
tacacs-server timeout
show tacacs
show tacacs key
66 UDLD Commands
show udld
udld
udld message time
udld port
show vlan protocols-groups
map mac macs-group
switchport general map macs-group vlan
show vlan macs-groups
map subnet subnets-group
switchport general map subnets-group vlan
show vlan subnets-groups
show interfaces switchport
private-vlan
private-vlan association
switchport private-vlan mapping
switchport private-vlan host-association
show vlan private-vlan
switchport access multicast-tv vlan
switchport customer multicast-tv vlan
show vlan multicast-tv
vlan prohibit-internal-usage
show vlan internal usage
Introduction
This section describes how to use the Command Line Interface (CLI). It contains
the following topics:
• Product Notes
• Overview
• Editing Features
• Loopback Interface
• PHY Diagnostics
Product Notes
This CLI guide provides CLI commands and guidelines for both the SG350XG
product line and the SG350X product line. Apart from a few CLI commands, which
are mentioned below, the CLI commands in this document apply to both product
lines. The following notes describe the differences in CLI command support
between these product lines:
CLI examples in this document use the XG port type, but the same commands
can be applied to the GE port type, unless there is a difference in feature
implementation between port types.
• Stacking:
• IPv6 tunnels—IPv6 Manual, 6to4 and ISATAP routing tunnels are supported
on the SG350XG, and are not supported on SG350X. Therefore commands
relevant for these tunnel types are supported only for the SG350XG and not
on the SG350X.
Overview
The CLI is divided into various command modes. Each mode includes a group of
commands. These modes are described in CLI Command Modes.
Users are assigned privilege levels. Each user privilege level can access specific
CLI modes. User levels are described in the section below.
• Level 1—Users with this level can only run User EXEC mode commands.
Users at this level cannot access the web GUI or commands in the
Privileged EXEC mode.
• Level 7—Users with this level can run commands in the User EXEC mode
and a subset of commands in the Privileged EXEC mode. Users at this level
cannot access the web GUI.
• Level 15—Users with this level can run all commands. Only users at this
level can access the web GUI.
A system administrator (user with level 15) can create passwords that allow a
lower level user to temporarily become a higher level user. For example, the user
may go from level 1 to level 7, level 1 to 15, or level 7 to level 15.
The passwords for each level are set (by an administrator) using the following
command:
Using these passwords, you can raise your user level by entering the command:
enable and the password for level 7 or 15. You can go from level 1 to level 7 or
directly to level 15. The higher level holds only for the current session.
To create a user and assign it a user level, use the username command. Only users
with command level 15 can create users at this level.
switchxxxxxx#configure
switchxxxxxx<conf>#
switchxxxxxx#configure
switchxxxxxx<conf> username john password john1234 privilege 1
switchxxxxxx<conf>
Example 2—Switch from Level 1 to Level 15. The user must know the
password:
switchxxxxxx#
switchxxxxxx# enable
• Global Configuration mode
Each command mode has its own unique console prompt and set of CLI
commands. Entering a question mark at the console prompt displays a list of
available commands for the current mode and for the level of the user. Specific
commands are used to switch from one mode to another.
Users are assigned privilege levels that determine the modes and commands
available to them. User levels are described in User (Privilege) Levels.
The user-level prompt consists of the switch host name followed by a #. The
default host name is switchxxxxxx where xxxxxx is the last six digits of the
device’s MAC address, as shown below:
switchxxxxxx#
The default host name can be changed via the hostname command in Global
Configuration mode.
Users with level 1 can enter Privileged EXEC mode by entering the enable
command, and when prompted, the password for level 15.
To return from the Privileged EXEC mode to the User EXEC mode, use the disable
command.
To access Global Configuration mode from Privileged EXEC mode, enter the
configure command at the Privileged EXEC mode prompt and press Enter. The
Global Configuration mode prompt, consisting of the device host name followed
by (config)#, is displayed:
switchxxxxxx(config)#
Use any of the following commands to return from Global Configuration mode to
the Privileged EXEC mode:
• exit
• end
• Ctrl+Z
The following example shows how to access Global Configuration mode and
return to Privileged EXEC mode:
switchxxxxxx#
switchxxxxxx# configure
switchxxxxxx(config)# exit
switchxxxxxx#
For instance, to perform several operations on a specific port or range of ports, you
can enter the Interface Configuration mode for that interface.
The following example enters Interface Configuration mode for vlan1 and then sets
their speed:
The exit command returns to Global Configuration mode.
switchxxxxxx#
switchxxxxxx# configure
switchxxxxxx(config-if)#speed 10
switchxxxxxx(config-if)#exit
switchxxxxxx(config)#
To return from any Interface Configuration mode to the Global Configuration mode,
use the exit command.
—or—
If access is via a Telnet or SSH connection, ensure that the following conditions are
met before using CLI commands:
• There is an IP path such that the computer and the switch can reach each
other.
Press Enter twice, so that the device sets the serial port speed to match the PC's
serial port speed.
When the CLI appears, enter cisco at the User Name prompt and then enter cisco
for the Password prompt.
The switchxxxxxx# prompt is displayed. You can now enter CLI commands to
manage the switch. For detailed information on CLI commands, refer to the
appropriate chapter(s) of this reference guide.
Using Telnet over an Ethernet Interface
Telnet provides a method of connecting to the CLI over an IP network.
To establish a telnet session from the command prompt, perform the following
steps:
STEP 1 Click Start, then select All Programs > Accessories > Command Prompt to open a
command prompt.
Figure 1 Start > All Programs > Accessories > Command Prompt
STEP 2 At the prompt, enter telnet <IP address of switch>, then press Enter.
Convention              Description
[ ]                     In a command line, square brackets indicate an optional entry.
{ }                     In a command line, curly brackets indicate a selection of compulsory parameters separated by the | character. One option must be selected. For example, flowcontrol {auto|on|off} means that for the flowcontrol command, either auto, on, or off must be selected.
"" (inverted commas)    When the input string contains a space and/or reserved words (i.e. VLAN), put the string in inverted commas.
Screen Display          Fixed-width font indicates CLI prompts, CLI commands entered by the user, and system messages displayed on the console.
text                    When free text can be entered as a parameter for a command (for example, in the command snmp-server contact), if the text consists of multiple words separated by blanks, the entire string must appear in double quotes. For example: snmp-server contact "QA on floor 8"
Editing Features
Entering Commands
A CLI command is a series of keywords and arguments. Keywords identify a
command, and arguments specify configuration parameters. For example, in the
command show interfaces status Gigabitethernet 1, show, interfaces and status
are keywords, Gigabitethernet is an argument that specifies the interface type,
and 1 specifies the port.
To enter commands that require parameters, enter the required parameters after
the command keyword. For example, to set a password for the administrator,
enter:
switchxxxxxx(config)# username admin password alansmith
When working with the CLI, the command options are not displayed. The standard
command to request help is ?.
To assist in using the CLI, there is an assortment of editing features. The following
features are described:
• Command Completion
• Keyboard Shortcuts
Keyword Description
By default, the history buffer system is enabled, but it can be disabled at any time.
For more information on enabling or disabling the history buffer, refer to the history
command.
There is a standard default number of commands that are stored in the buffer. The
standard number of 10 commands can be increased to 216. By configuring 0, the
effect is the same as disabling the history buffer system. For more information on
configuring the command history buffer, refer to the history size command.
Command Completion
If the command entered is incomplete, invalid or has missing or invalid parameters,
then the appropriate error message is displayed. This assists in entering the
correct command. By pressing Tab after an incomplete command is entered, the
system will attempt to identify and complete the command. If the characters
already entered are not enough for the system to identify a single matching
command, press ? to display the available commands matching the characters
already entered.
Keyboard Shortcuts
The CLI has a range of keyboard shortcuts to assist in editing the CLI commands.
The following table describes the CLI shortcuts.
NOTE It is the user’s responsibility to ensure that the text copied into the device consists
of legal commands only.
When copying and pasting commands from a configuration file, make sure that the
following conditions exist:
• VLAN—Written as VLAN
• Tunnel—Written as tunnel or tu
Within the CLI, interfaces are denoted by concatenating the following elements:
{<port-type>[ ][<unit-number>/]<slot-number>/<port-number>} |
{port-channel | po | }[ ]<port-channel-number> |
{tunnel | tu}[ ]<tunnel-number> | vlan[ ]<vlan-id>
switchxxxxxx(config)#interface te1/0/1
switchxxxxxx(config)#interface po1
Interface Range
Interfaces may be described on an individual basis or within a range. The interface
range command has the following syntax:
<interface-range> ::=
{<port-type>[ ][<unit-number>/]<slot-number>/<first-port-number>[ - <last-port-number>]} |
port-channel[ ]<first-port-channel-number>[ - <last-port-channel-number>] |
switchxxxxxx#configure
NOTE Range lists can contain either ports and port-channels or VLANs. Combinations of
port/port-channels and VLANs are not allowed.
When a range list is defined, a space after the first entry and before the comma (,)
must be entered.
switchxxxxxx#configure
switchxxxxxx(config)#interface range te1/0/1-5, vlan 1-2
where:
If the egress interface is not specified, the default interface is selected. Specifying
egress interface = 0 is equal to not defining an egress interface.
Loopback Interface
When an IP application on a router wants to communicate with a remote IP
application, it must select the local IP address to be used as its IP address. It can
use any IP address defined on the router, but if this link goes down, the
communication is aborted, even though there might well be another IP route
between these IP applications.
The loopback interface is a virtual interface whose operational state is always up.
If the IP address that is configured on this virtual interface is used as the local
address when communicating with remote IP applications, the communication will
not be aborted even if the actual route to the remote application was changed.
Layer 3 Specification
IP Interface
IPv4 and IPv6 addresses can be assigned to a loopback interface.
Routing Protocols
A routing protocol running on the switch supports the advertising of the IP prefixes
defined on the loopback interfaces via the routing protocol redistribution
mechanism.
If a layer 2 switch with one IPv4 address supports a loopback interface, the above
rules are replaced by the following ones:
This is the definition of the IP configuration when the device is in layer 2 mode:
• Two IPv4 interfaces can be configured: one on a VLAN and one on the
loopback interface.
• If the IPv4 address was configured on the default VLAN and the default
VLAN is changed, the switch moves the IPv4 address to the new default
VLAN.
Configuration Examples
Static Routing
The following example shows you how to configure IP on a switch with static
routing:
Switch(config-if)# exit
Switch(config-if)# exit
Switch(config)# interface loopback 1
The neighbor router 10.10.11.1 should be configured with the following static
route: ip route 172.25.13.2 /32 10.10.10.2.
The neighbor router 10.11.11.1 should be configured with the following static
route: ip route 172.25.13.2 /32 10.11.11.2.
The neighbor router 2001:DB8:2222:7270::1 connected to VLAN 1 should be
configured with the following static route:
If the switch supports more than one IP interface, when you specify a remote IP
address or a DNS name, you must also specify the IP stack that is being referred
to.
PHY Diagnostics
The following exceptions exist:
• 10G ports—TDR test is supported when the operational port speed is 10G.
Cable length resolution is 20 meters.
• begin: Start output from the first line that has a sequence of characters
matching the given regular expression pattern
• include: Includes only lines that have a sequence of characters matching the
given regular expression pattern.
• exclude: Excludes all lines that have a sequence of characters matching the
given regular expression pattern.
• count: Counts all lines that have a sequence of characters matching the
given regular expression pattern and displays the result (no other output is
displayed).
NOTE Only 1 output modifier can be used in each command. The remainder of the text
typed in is part of the regular expression pattern.
Single-Character Patterns
The simplest regular expression is a single character that matches the same single
character in the command output. You can use any letter (A-Z, a-z) or digit (0-9) as
a single-character pattern. You can also use other keyboard characters (such as !
or ~) as single-character patterns, but certain keyboard characters have special
meaning when used in regular expressions. Table lists the keyboard characters
that have special meanings.
Character Meaning
^ Matches the beginning of the string.
You can simplify ranges by entering only the endpoints of the range separated by
a dash (-). Simplify the previous range as follows:
[a-dA-D]
You can also include a right square bracket (]) as a single-character pattern in your
range, as shown here:
[a-dA-D\-\]]
The previous example matches any one of the first four letters of the lower- or
uppercase alphabet, a dash, or a right square bracket.
You can reverse the matching of the range by including a caret (^) at the start of
the range. The following example matches any letter except the ones listed:
[^a-dqsv]
The following example matches anything except a right square bracket (]) or the
letter d:
[^\]d]
Multiple-Character Patterns
When creating regular expressions, you can also specify a pattern containing
multiple characters. You create multiple-character regular expressions by joining
letters, digits, or keyboard characters that do not have special meaning. For
example, a4% is a multiple-character regular expression.
You can remove the special meaning of the period character by inserting a
backslash before it. For example, when the expression a\. is used in the command
syntax, only the string a. will be matched.
You can create a multiple-character regular expression containing all letters, all
digits, all keyboard characters, or a combination of letters, digits, and other
keyboard characters. For example, telebit 3107 v32bis is a valid regular
expression.
Multipliers
You can create more complex regular expressions that instruct the system to
match multiple occurrences of a specified regular expression. To do so, use some
special characters with your single-character and multiple-character patterns.
Table 1 lists the special characters that specify multiples of a regular expression.
Character Description
* Matches 0 or more single-character or
multiple-character patterns.
a*
The following pattern requires that at least one letter a be in the string to be
matched:
a+
The following pattern matches one or more instances of alphanumeric pairs, but
not none (that is, an empty string is not a match):
([A-Za-z][0-9])+
The order for matches using multipliers (*, +, or ?) is to put the longest construct
first. Nested constructs are matched from outside to inside. Concatenated
constructs are matched beginning at the left side of the construct. Thus, the
regular expression above matches A9b3, but not 9Ab3 because the letters are
specified before the numbers.
Alternation
Alternation allows you to specify alternative patterns to match against a string. You
separate the alternative patterns with a vertical bar (|). Only one of the alternatives
can match the string. For example, the regular expression codex|telebit either
matches the string codex or the string telebit, but not both codex and telebit.
Anchoring
You can instruct the system to match a regular expression pattern against the
beginning or the end of the string. You anchor these regular expressions to a
portion of the string using the special characters shown in Table 2.
Character Description
^ Matches the beginning of the string.
For example, the regular expression ^con matches any string that starts with con,
and sole$ matches any string that ends with sole.
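The output modifiers and pattern rules above can be tried offline on saved show output. The following is an added example, not code from the guide: Python's re module stands in for the switch's regular expression engine (an assumption), and the sample output is constructed.

```python
import re

MODIFIERS = ("begin", "include", "exclude", "count")

# Constructed sample of saved `show running-config` output (not from the guide).
SAVED_OUTPUT = """\
interface te1/0/1
 dot1x guest-vlan enable
 dot1x port-control auto
 dot1x reauthentication
interface te1/0/2
 authentication open
 dot1x port-control force-authorized"""


def apply_modifier(output, typed):
    """Emulate `<show command> | <typed>` over saved output.

    The first word selects the single allowed modifier. Everything after it,
    further `|` characters included, is the regular expression pattern.
    """
    modifier, _, pattern = typed.strip().partition(" ")
    if modifier not in MODIFIERS:
        raise ValueError("unknown output modifier: %r" % modifier)
    if not pattern:
        raise ValueError("missing regular expression pattern")
    rx = re.compile(pattern)  # assumption: Python `re` approximates the device
    lines = output.splitlines()
    # A line matches when any sequence of characters in it matches the pattern.
    hit = [rx.search(line) is not None for line in lines]
    if modifier == "include":
        return [l for l, h in zip(lines, hit) if h]
    if modifier == "exclude":
        return [l for l, h in zip(lines, hit) if not h]
    if modifier == "count":
        return [str(sum(hit))]
    # begin: output starts at the first matching line
    return lines[hit.index(True):] if True in hit else []


if __name__ == "__main__":
    # A second `|` does not chain a second modifier: it becomes alternation
    # inside the pattern, so the guest-vlan line is NOT filtered out here.
    for line in apply_modifier(SAVED_OUTPUT, "include dot1x | exclude guest"):
        print(line)
    # Unanchored patterns match substrings: 9Ab3 is included because of "b3".
    print(apply_modifier("A9b3\n9Ab3", "include ([A-Za-z][0-9])+"))
    # Anchoring both ends restricts the match to the whole line.
    print(apply_modifier("A9b3\n9Ab3", "include ^([A-Za-z][0-9])+$"))
```

When a filtered listing feeds a review or an audit, anchor the pattern and remember that only the first word after the pipe is treated as a modifier.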
2 802.1X Commands
Syntax
Parameters
Default Configuration
RADIUS server.
Command Mode
User Guidelines
Example
The following example sets the 802.1X authentication mode to RADIUS server
authentication. Even if no response was received, authentication succeeds.
Syntax
authentication open
no authentication open
Parameters
Default Configuration
Disabled.
Command Mode
Interface (Ethernet, OOB) Configuration mode
User Guidelines
Open Access or Monitoring mode allows clients or devices to gain network
access before authentication is performed. In this mode the switch treats
failure replies received from a RADIUS server as success.
Example
2.3 clear dot1x statistics
To clear 802.1X statistics, use the clear dot1x statistics command in Privileged
EXEC mode.
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
This command clears all the counters displayed in the show dot1x and show dot1x
statistics commands.
Example
2.4 data
To specify web-based page customizing, the data command is used in
Web-Based Page Customization Configuration mode.
Syntax
data value
Parameters
Default Configuration
No user customization.
Command Mode
User Guidelines
A user can only customize the web-based authentication pages by using the WEB
interface.
Examples
switchxxxxxx(config-web-page)# exit
Example 2—The following example shows how Web-Based Page customization is displayed when
running the show running-config command:
data ********
exit
Syntax
dot1x auth-not-req
no dot1x auth-not-req
Parameters
N/A
Default Configuration
Access is enabled.
Command Mode
User Guidelines
Example
Syntax
dot1x authentication [802.1x] [mac] [web]
no dot1x authentication
Parameters
Default Configuration
802.1X-Based authentication is enabled.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
Static MAC addresses cannot be authorized by the MAC-based method.
Example
The following example enables authentication based on 802.1x and the station’s
MAC address on port te1/0/1:
Syntax
dot1x guest-vlan
no dot1x guest-vlan
Parameters
N/A
Default Configuration
Command Mode
User Guidelines
Example
Syntax
dot1x guest-vlan enable
Parameters
N/A
Default Configuration
Command Mode
User Guidelines
If the port does not belong to the guest VLAN, it is added to the guest
VLAN as an egress untagged port.
If the authentication mode is single-host or multi-host, the value of PVID is set to
the guest VLAN_ID.
If the authentication mode is multi-sessions mode, the PVID is not changed and all
untagged traffic and tagged traffic not belonging to the unauthenticated VLANs
from unauthorized hosts are mapped to the guest VLAN.
See the User Guidelines of the dot1x host-mode command for more information.
Example
The following example enables unauthorized users on te1/0/1 to access the guest
VLAN.
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
This command is relevant if the guest VLAN is enabled on the port. Configuring the
timeout adds a delay from enabling 802.1X (or port up) to the time the device adds
the port to the guest VLAN.
Example
The following example sets the delay between enabling 802.1X and adding a port
to a guest VLAN to 60 seconds.
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Single-Host Mode
The single-host mode manages the authentication status of the port: the port is
authorized if there is an authorized host. In this mode, only a single host can be
authorized on the port.
When a port is unauthorized and the guest VLAN is enabled, untagged traffic is
remapped to the guest VLAN. Tagged traffic is dropped unless the VLAN tag is the
guest VLAN or the unauthenticated VLANs. If guest VLAN is not enabled on the
port, only tagged traffic belonging to the unauthenticated VLANs is bridged.
When a port is authorized, untagged and tagged traffic from the authorized host is
bridged based on the static vlan membership configured at the port. Traffic from
other hosts is dropped.
A user can specify that untagged traffic from the authorized host will be
remapped to a VLAN that is assigned by a RADIUS server during the
authentication process. In this case, tagged traffic is dropped unless the VLAN tag
is the RADIUS-assigned VLAN or the unauthenticated VLANs. See the dot1x
radius-attributes vlan command to enable RADIUS VLAN assignment at a port.
The switch removes from FDB all MAC addresses learned on a port when its
authentication status is changed from authorized to unauthorized.
Multi-Host Mode
The multi-host mode manages the authentication status of the port: the port is
authorized after at least one host is authorized.
When a port is unauthorized and the guest VLAN is enabled, untagged traffic is
remapped to the guest VLAN. Tagged traffic is dropped unless the VLAN tag is the
guest VLAN or the unauthenticated VLANs. If guest VLAN is not enabled on the
port, only tagged traffic belonging to the unauthenticated VLANs is bridged.
When a port is authorized, untagged and tagged traffic from all hosts connected to
the port is bridged based on the static vlan membership configured at the port.
A user can specify that untagged traffic from the authorized port will be
remapped to a VLAN that is assigned by a RADIUS server during the
authentication process. In this case, tagged traffic is dropped unless the VLAN tag
is the RADIUS assigned VLAN or the unauthenticated VLANs. See the dot1x
radius-attributes vlan command to enable RADIUS VLAN assignment at a port.
The switch removes from FDB all MAC addresses learned on a port when its
authentication status is changed from authorized to unauthorized.
Multi-Sessions Mode
authorized on the port. The dot1x max-hosts command can limit the maximum
number of authorized hosts allowed on the port.
Each authorized client requires a TCAM rule. If there is no available space in the
TCAM, the authentication is rejected.
When using the dot1x host-mode command to change the port mode to
single-host or multi-host when authentication is enabled, the port state is set to
unauthorized.
If the dot1x host-mode command changes the port mode to multi-session when
authentication is enabled, the state of all attached hosts is set to unauthorized.
To change the port mode to single-host or multi-host, set the port (dot1x
port-control) to force-unauthorized, change the port mode to single-host or
multi-host, and set the port to authorization auto.
When the guest VLAN is enabled, untagged and tagged traffic from unauthorized
hosts not belonging to the unauthenticated VLANs is bridged via the guest VLAN.
Traffic from an authorized host is bridged in accordance with the port static
configuration. A user can specify that untagged and tagged traffic from the
authorized host not belonging to the unauthenticated VLANs will be remapped to
a VLAN that is assigned by a RADIUS server during the authentication process.
See the dot1x radius-attributes vlan command to enable RADIUS VLAN
assignment at a port.
The switch does not remove from FDB the host MAC address learned on the port
when its authentication status is changed from authorized to unauthorized. The
MAC address will be removed after the aging timeout expires.
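The single-host and multi-host rules above can be read as a per-frame decision. The following model is an added example, not code from the guide; it covers only those two modes, and the names PortState and classify are hypothetical. It makes the practical difference visible: in multi-host mode a second, never-authenticated host on an authorized port is bridged like the authorized one.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class PortState:
    """Hypothetical snapshot of one port, using the terms from the guidelines."""
    host_mode: str                               # "single-host" or "multi-host"
    authorized_mac: Optional[str] = None         # None means the port is unauthorized
    guest_vlan: Optional[int] = None             # set when the guest VLAN is enabled
    unauth_vlans: FrozenSet[int] = frozenset()   # the unauthenticated VLANs
    radius_vlan: Optional[int] = None            # set when RADIUS assigned a VLAN


def classify(port: PortState, src_mac: str,
             tag: Optional[int]) -> Tuple[str, Optional[int]]:
    """Return (action, vlan) for one ingress frame; tag=None means untagged.

    Actions: "remap" (untagged frame placed in vlan), "bridge" (tagged frame
    kept in vlan), "static" (static VLAN membership decides), "drop".
    """
    if port.host_mode not in ("single-host", "multi-host"):
        raise ValueError("only single-host and multi-host are modelled")

    def tagged(special_vlan):
        # Tagged frames pass only in the special VLAN or an unauthenticated VLAN.
        if tag == special_vlan or tag in port.unauth_vlans:
            return ("bridge", tag)
        return ("drop", None)

    if port.authorized_mac is None:              # port unauthorized
        if port.guest_vlan is not None:
            if tag is None:
                return ("remap", port.guest_vlan)
            return tagged(port.guest_vlan)
        # No guest VLAN: only tagged traffic in unauthenticated VLANs is bridged.
        if tag is not None and tag in port.unauth_vlans:
            return ("bridge", tag)
        return ("drop", None)

    # Port authorized.
    if port.host_mode == "single-host" and src_mac != port.authorized_mac:
        return ("drop", None)                    # traffic from other hosts is dropped
    if port.radius_vlan is not None:
        if tag is None:
            return ("remap", port.radius_vlan)
        return tagged(port.radius_vlan)
    return ("static", tag)


if __name__ == "__main__":
    # Constructed MAC addresses: aa.. authenticated, bb.. never did.
    for mode in ("single-host", "multi-host"):
        port = PortState(mode, authorized_mac="aa:aa:aa:aa:aa:aa", radius_vlan=30)
        print(mode, classify(port, "bb:bb:bb:bb:bb:bb", None))
```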
Example
2.11 dot1x max-hosts
To configure the maximum number of authorized hosts allowed on the interface,
use the dot1x max-hosts command in Interface Configuration mode. To restore the
default configuration, use the no form of this command.
Syntax
dot1x max-hosts count
no dot1x max-hosts
Parameters
Default Configuration
No limitation.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
By default, the number of authorized hosts allowed on an interface is not limited.
To limit the number of authorized hosts allowed on an interface, use the dot1x
max-hosts command.
This command is relevant only for multi-session mode.
Example
The following example limits the maximum number of authorized hosts on Ethernet
port te1/0/1 to 6:
Syntax
dot1x max-login-attempts count
no dot1x max-login-attempts
Parameters
Default Configuration
Unlimited.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
By default, the switch does not limit the number of failed login attempts. To specify
the number of allowed failed login attempts, use this command. After this number of
failed login attempts, the switch does not allow the host to be authenticated for a
period defined by the dot1x timeout quiet-period command.
Example
2.13 dot1x max-req
To set the maximum number of times that the device sends an Extensible
Authentication Protocol (EAP) request/identity frame (assuming that no response
is received) to the client before restarting the authentication process, use the
dot1x max-req command in Interface Configuration mode. To restore the default
configuration, use the no form of this command.
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
The default value of this command should be changed only to adjust to unusual
circumstances, such as unreliable links or specific behavioral problems with
certain clients and authentication servers.
Example
The following example sets the maximum number of times that the device sends
an EAP request/identity frame to 6.
Syntax
Parameters
N/A
Default Configuration
No user customization.
Command Mode
User Guidelines
The command should not be entered or edited manually (except when using
copy-paste). It is a part of the configuration file produced by the switch.
A user must customize the web-based authentication pages by using the browser
interface.
Example
switchxxxxxx(config-web-page)# exit
2.15 dot1x port-control
To enable manual control of the port authorization state, use the dot1x port-control
command in Interface Configuration mode. To restore the default configuration,
use the no form of this command.
Syntax
dot1x port-control {auto | force-authorized | force-unauthorized} [time-range
time-range-name]
Parameters
Default Configuration
Command Mode
User Guidelines
The switch removes all MAC addresses learned on a port when its authorization
control is changed from force-authorized to another.
Example
Syntax
Parameters
• reject—If the RADIUS server authorized the supplicant, but did not provide
a supplicant VLAN, the supplicant is rejected. If the parameter is omitted,
this option is applied by default.
• static—If the RADIUS server authorized the supplicant, but did not provide
a supplicant VLAN, the supplicant is accepted.
Default Configuration
reject
Command Mode
User Guidelines
If a RADIUS server assigns a client with a non-existing VLAN, the switch creates
the VLAN. The VLAN is removed when it is no longer being used.
If RADIUS provides valid VLAN information and the port does not belong to the
VLAN received from RADIUS, it is added to the VLAN as an egress untagged port.
When the last authorized client assigned to the VLAN becomes unauthorized or
802.1x is disabled on the port, the port is excluded from the VLAN.
If the authentication mode is multi-sessions mode, the PVID is not changed and all
untagged traffic and tagged traffic not belonging to the unauthenticated VLANs
are mapped to the VLAN using TCAM.
If the last authorized host assigned to a VLAN received from RADIUS connected to
a port in the multi-sessions mode changes its status to unauthorized, the port is
removed from the VLAN if it is not in the static configuration.
See the User Guidelines of the dot1x host-mode command for more information.
If the static keyword is configured and the RADIUS server authorizes the host,
authentication is accepted even though the RADIUS accept message does not assign
a VLAN to the supplicant, and the traffic from the host is bridged in
accordance with the port static configuration.
If this command is used when there are authorized ports/hosts, it takes effect at
subsequent authentications. To manually re-authenticate, use the dot1x
re-authenticate command.
• WEB-Based authentication
• Multicast TV-VLAN
• Q-in-Q
• Voice VLAN
Examples
switchxxxxxx(config-if)# exit
switchxxxxxx(config-if)# exit
Syntax
Parameters
• interface-id—Specifies an Ethernet port or OOB port.
Default Configuration
Command Mode
Example
Syntax
dot1x reauthentication
no dot1x reauthentication
Parameters
N/A
Default Configuration
Periodic re-authentication is disabled.
Command Mode
Interface (Ethernet, OOB) Configuration mode
Example
Syntax
dot1x system-auth-control
no dot1x system-auth-control
Parameters
N/A
Default Configuration
Disabled.
Command Mode
Global Configuration mode
Example
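Several settings described in this chapter weaken port authentication when left at their defaults or set explicitly: dot1x system-auth-control (default disabled), authentication open, dot1x port-control force-authorized, dot1x reauthentication (default disabled) and dot1x max-login-attempts (default unlimited). The following audit of a saved running-config is an added example, not code from the guide; the configuration fragment is constructed, and the block layout it assumes is stated in the code.

```python
import re

# Constructed running-config fragment (not from the guide).
SAMPLE_CONFIG = """\
dot1x system-auth-control
interface te1/0/1
 dot1x max-login-attempts 3
 dot1x reauthentication
 dot1x port-control auto
!
interface te1/0/2
 authentication open
 dot1x port-control auto
!
interface te1/0/3
 dot1x port-control force-authorized
!
"""


def split_config(config):
    """Return (global_commands, {interface: [commands]}).

    Assumption: an interface block runs from its `interface ...` line to the
    next `!`, `exit` or `interface` line.
    """
    global_cmds, blocks, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("!", "exit"):
            current = None
            continue
        m = re.match(r"interface\s+(.+)$", line)
        if m:
            current = m.group(1)
            blocks.setdefault(current, [])
        elif current is None:
            global_cmds.append(line)
        else:
            blocks[current].append(line)
    return global_cmds, blocks


def audit(config):
    """Return a list of (scope, finding) tuples for weak 802.1X settings."""
    global_cmds, blocks = split_config(config)
    findings = []
    if "dot1x system-auth-control" not in global_cmds:
        findings.append(("global", "802.1X is not enabled globally (default: disabled)"))
    for name, cmds in blocks.items():
        if "authentication open" in cmds:
            findings.append((name, "open access: RADIUS failure replies are treated as success"))
        control = next((c.split()[2] for c in cmds
                        if c.startswith("dot1x port-control ")), None)
        if control == "force-authorized":
            findings.append((name, "force-authorized: port is authorized without authentication"))
        if control == "auto":
            if "dot1x reauthentication" not in cmds:
                findings.append((name, "periodic re-authentication is disabled (default)"))
            if not any(c.startswith("dot1x max-login-attempts ") for c in cmds):
                findings.append((name, "failed login attempts are unlimited (default)"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print("%-8s %s" % (scope, finding))
```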
Syntax
dot1x timeout quiet-period seconds
Parameters
Default Configuration
Command Mode
User Guidelines
During the quiet period, the device does not accept or initiate authentication
requests.
The default value of this command should only be changed to adjust to unusual
circumstances, such as unreliable links or specific behavioral problems with
certain clients and authentication servers.
To provide faster response time to the user, a smaller number than the default
value should be entered.
For WEB-based authentication, the quiet period is applied after a number of failed
attempts. This number is configured by the dot1x max-login-attempts command.
Example
The following example sets the time interval that the device remains in the quiet
state following a failed authentication exchange to 120 seconds.
Syntax
Parameters
Default Configuration
3600
Command Mode
User Guidelines
Example
Syntax
dot1x timeout server-timeout seconds
Parameters
Default Configuration
Command Mode
User Guidelines
The actual timeout period can be determined by comparing the value specified by
this command to the result of multiplying the number of retries specified by the
radius-server retransmit command by the timeout period specified by the
radius-server retransmit command, and selecting the lower of the two values.
Example
The following example sets the time interval between retransmission of packets to
the authentication server to 3600 seconds.
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
The silence time is the period, in seconds, within which an authorized client
is expected to send traffic.
If an authorized client does not send traffic during the silence period specified by
the command, the state of the client is changed to unauthorized.
The command is only applied to WEB-based authentication.
Example
The following example sets the authentication silence time to 100 seconds:
Syntax
Parameters
Default Configuration
The default timeout period is 30 seconds.
Command Mode
User Guidelines
The default value of this command should be changed only to adjust to unusual
circumstances, such as unreliable links or specific behavioral problems with
certain clients and authentication servers.
Example
The following example sets the time interval during which the device waits for a
response to an EAP request frame from the client before resending the request to
3600 seconds.
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
The default value of this command should be changed only to adjust to unusual
circumstances, such as unreliable links or specific behavioral problems with
certain clients and authentication servers.
Example
The following command sets the time interval during which the device waits for a
response to an EAP request/identity frame to 60 seconds.
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Any combination of the keywords is allowed. At least one keyword must be
configured.
A rate limit is applied to the traps: not more than one trap of this type can be sent in 10
seconds.
Example
The following example enables sending traps when a MAC address fails to be
authorized by the 802.1X mac-authentication access control.
Syntax
dot1x traps authentication quiet
Parameters
N/A
Default Configuration
Command Mode
User Guidelines
The traps are sent after the client is set to the quiet state following the
maximum number of sequential login attempts.
A rate limit is applied to the traps: not more than one trap of this type can be sent in 10
seconds.
Example
The following example enables sending traps when a host is set in the quiet state:
Syntax
Parameters
• 802.1x—Enables traps for 802.1X-based authentication.
Default Configuration
Command Mode
User Guidelines
Any combination of the keywords is allowed. At least one keyword must be
configured.
A rate limit is applied to the traps: not more than one trap of this type can be sent in 10
seconds.
Example
The following example enables sending traps when a MAC address is successfully
authorized by the 802.1X MAC-authentication access control.
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Use this command to unlock a client that was locked after the maximum allowed
number of failed authentication attempts and to end the quiet period. If the
client is not in the quiet period, the command has no effect.
Example
Syntax
Parameters
• restrict—Generates a trap when a station, whose MAC address is not the
supplicant MAC address, attempts to access the interface. The minimum
time between the traps is 1 second. Those frames are forwarded but their
source addresses are not learned.
• protect—Discard frames with source addresses that are not the supplicant
address.
• trap seconds - Sends SNMP traps and specifies the minimum time between
consecutive traps. If seconds = 0, traps are disabled. If the parameter is not
specified, it defaults to 1 second for the restrict mode and 0 for the other
modes.
Default Configuration
Protect
Command Mode
User Guidelines
BPDU messages whose MAC addresses are not the supplicant MAC address
cause a shutdown in Shutdown mode.
Example
Syntax
Parameters
• interface-id—Specifies an Ethernet port or OOB port.
• detailed—Displays information for non-present ports in addition to present
ports.
Default Configuration
Display for all ports. If detailed is not used, only present ports are displayed.
Command Mode
Example
Authentication is enabled
te1/0/1
Server-timeout: 30 sec
Reauthentication is enabled
Tx period: 30 sec
max-req: 2
Authentication success: 9
Authentication fails: 1
te1/0/2
Host mode: single-host
Server-timeout: 30 sec
Username: Bob
Violation:
Mode: restrict
Trap: enabled
Reauthentication is enabled
Tx period: 30 sec
max-req: 2
Authentication success: 2
Authentication fails: 0
te1/0/3
Server-timeout: 30 sec
Username: Bob
Violation:
Mode: restrict
Trap: enabled
Reauthentication is enabled
Tx period: 30 sec
max-req: 2
Authentication success: 20
Authentication fails: 0
Guest VLAN: disabled
Server-timeout: 30 sec
Username: Bob
Violation:
Mode: restrict
Trap: enabled
Reauthentication is enabled
Tx period: 30 sec
max-req: 2
Authentication success: 0
Authentication fails: 0
Supplicant Configuration:
retry-max: 2
• single-host
• multi-host
• multi-sessions
• Authentication methods—Authentication methods configured on port. Possible
values are combinations of the following methods:
• 802.1x
• mac
• wba
• Port Administrated status—The port administration (configured) mode. Possible values:
force-auth, force-unauth, auto.
• Port Operational status—The port operational (actual) mode. Possible values: authorized or
unauthorized.
• Username—Username representing the supplicant identity. This field shows the username if the
port control is auto. If the port is Authorized, it displays the username of the current user. If the port
is Unauthorized, it displays the last user authorized successfully.
• Quiet period—Number of seconds that the device remains in the quiet state following a failed
authentication exchange (for example, the client provided an invalid password).
• Silence period—Number of seconds in the silence period. If an authorized client does not send
traffic during the silence period specified by the command, the state of the client is changed to
unauthorized.
• Max req—Maximum number of times that the device sends an EAP request frame (assuming that
no response is received) to the client before restarting the authentication process.
• Server timeout—Number of seconds that the device waits for a response from the authentication
server before resending the request.
• Authentication success—Number of times the state machine received a Success message from
the Authentication Server.
• Authentication fails—Number of times the state machine received a Failure message from the
Authentication Server.
Syntax
Parameters
N/A
Command Mode
User Guidelines
Use the show dot1x locked clients command to display all locked (in the quiet
period) clients.
Examples
The following example displays locked clients:
Example 1
te1/0/1 0008.3b79.8787 20
te1/0/1 0008.3b89.3128 40
te1/0/2 0008.3b89.3129 10
Syntax
Parameters
Default Configuration
N/A
Command Mode
Example
EapolFramesRx: 11
EapolFramesTx: 12
EapolStartFramesRx: 1
EapolLogoffFramesRx: 1
EapolRespIdFramesRx: 3
EapolRespFramesRx: 6
EapolReqIdFramesTx: 3
EapolReqFramesTx: 6
InvalidEapolFramesRx: 0
EapLengthErrorFramesRx: 0
LastEapolFrameVersion: 1
LastEapolFrameSource: 00:08:78:32:98:78
The following table describes the significant fields shown in the display:
Field                     Description
------------------------- ----------------------------------------------------------
EapolFramesRx             Number of valid EAPOL frames of any type that have been received by this Authenticator.
EapolFramesTx             Number of EAPOL frames of any type that have been transmitted by this Authenticator.
EapolStartFramesRx        Number of EAPOL Start frames that have been received by this Authenticator.
EapolLogoffFramesRx       Number of EAPOL Logoff frames that have been received by this Authenticator.
EapolRespIdFramesRx       Number of EAP Resp/Id frames that have been received by this Authenticator.
EapolRespFramesRx         Number of valid EAP Response frames (other than Resp/Id frames) that have been received by this Authenticator.
EapolReqIdFramesTx        Number of EAP Req/Id frames that have been transmitted by this Authenticator.
EapolReqFramesTx          Number of EAP Request frames (other than Req/Id frames) that have been transmitted by this Authenticator.
InvalidEapolFramesRx      Number of EAPOL frames that have been received by this Authenticator for which the frame type is not recognized.
EapLengthErrorFramesRx    Number of EAPOL frames that have been received by this Authenticator in which the Packet Body Length field is invalid.
LastEapolFrameVersion     Protocol version number carried in the most recently received EAPOL frame.
LastEapolFrameSource      Source MAC address carried in the most recently received EAPOL frame.
Syntax
Parameters
Default Configuration
Command Mode
Examples
Example 2. The following example displays the 802.1X user with supplicant username
Bob:
switchxxxxxx# show dot1x users username Bob
3 ACL Commands
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
An IPv4 ACL is defined by a unique name. IPv4 ACL, IPv6 ACL, MAC ACL or policy
maps cannot have the same name.
Example
switchxxxxxx(config-ip-al)#
3.2 permit ( IP )
Use the permit IP Access-list Configuration mode command to set permit
conditions for an IPv4 access list (ACL). Permit conditions are also known as
access control entries (ACEs). Use the no form of the command to remove the
access control entry.
Syntax
[log-input]
[log-input]
[log-input]
[log-input]
[log-input]
Parameters
• priority - Specifies the priority of the access control entry (ACE) in the access
control list (ACL). The value 1 represents the highest priority and 2147483647
represents the lowest priority. (Range: 1-2147483647)
information-reply, address-mask-request, address-mask-reply, traceroute,
datagram-conversion-error, mobile-host-redirect,
mobile-registration-request, mobile-registration-reply,
domain-name-request, domain-name-reply, skip, photuris. (Range: 0–255)
Default Configuration
Command Mode
User Guidelines
If a range of ports is used for the source port in an ACE, it is not counted again if it is
also used for the source port in another ACE. If a range of ports is used for the
destination port in an ACE, it is not counted again if it is also used for the destination
port in another ACE.
If a range of ports is used for the source port, it is counted again if it is also used for
the destination port.
If ace-priority is omitted, the system sets the rule's priority to the current highest
priority ACE (in the current ACL) + 20. The ACE priority must be unique per ACL. If
the user enters a priority that already exists, the command is rejected.
Example
3.3 deny ( IP )
Use the deny IP Access-list Configuration mode command to set deny conditions
for IPv4 access list. Deny conditions are also known as access control entries
(ACEs). Use the no form of the command to remove the access control entry.
Syntax
deny igmp {any | source source-wildcard} {any | destination
destination-wildcard} [igmp-type] [ace-priority priority] [dscp number | precedence
number] [time-range time-range-name] [disable-port | log-input]
deny tcp {any | source source-wildcard} {any | source-port/port-range} {any |
destination destination-wildcard} {any | destination-port/port-range} [ace-priority
priority] [dscp number | precedence number] [match-all list-of-flags] [time-range
time-range-name] [disable-port | log-input]
deny udp {any | source source-wildcard} {any | source-port/port-range} {any |
destination destination-wildcard} {any | destination-port/port-range} [ace-priority
priority] [dscp number | precedence number] [time-range time-range-name]
[disable-port | log-input]
no deny protocol {any | source source-wildcard} {any | destination
destination-wildcard} [dscp number | precedence number] [time-range
time-range-name] [disable-port | log-input]
no deny icmp {any | source source-wildcard} {any | destination
destination-wildcard} [any | icmp-type] [any | icmp-code] [dscp number |
precedence number] [time-range time-range-name] [disable-port | log-input]
Parameters
• priority - Specifies the priority of the access control entry (ACE) in the access
control list (ACL). The value 1 represents the highest priority and 2147483647
represents the lowest priority. (Range: 1-2147483647)
options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and
-fin. The flags are concatenated into a single string. For example: +fin-ack.
Default Configuration
Command Mode
User Guidelines
The number of TCP/UDP ranges that can be defined in ACLs is limited. If a range of
ports is used for a source port in an ACE, it is not counted again if it is also used for
the source port in another ACE. If a range of ports is used for the destination port in
an ACE, it is not counted again if it is also used for the destination port in another ACE.
If a range of ports is used for the source port, it is counted again if it is also used for
the destination port.
If ace-priority is omitted, the system sets the rule's priority to the current highest
priority ACE (in the current ACL) + 20. The ACE priority must be unique per ACL. If
the user enters a priority that already exists, the command is rejected.
Example
Syntax
ipv6 access-list [acl-name]
Parameters
acl-name—Name of the IPv6 access list. Range 1-32 characters.
Default Configuration
Command Mode
Global Configuration mode
User Guidelines
An IPv6 ACL is defined by a unique name. IPv4 ACL, IPv6 ACL, MAC ACL or policy
maps cannot have the same name.
Every IPv6 ACL has implicit permit icmp any any nd-ns any, permit icmp any
any nd-na any, and deny ipv6 any any statements as its last match conditions. (The
former two match conditions allow for ICMPv6 neighbor discovery.)
The IPv6 neighbor discovery process uses the IPv6 network layer service,
therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets
to be sent and received on an interface. In IPv4, the Address Resolution Protocol
(ARP), which is equivalent to the IPv6 neighbor discovery process, uses a
separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly allow
ARP packets to be sent and received on an interface.
Example
switchxxxxxx(config-ip-al)# permit tcp 2001:0DB8:0300:0201::/64 any any 80
Syntax
permit protocol {any | source-prefix/length} {any | destination-prefix/length}
[ace-priority priority] [dscp number | precedence number] [time-range
time-range-name] [log-input]
permit icmp {any | source-prefix/length} {any | destination-prefix/length}
{any | icmp-type} {any | icmp-code} [ace-priority priority] [dscp number | precedence
number] [time-range time-range-name] [log-input]
permit tcp {any | source-prefix/length} {any | source-port/port-range} {any |
destination-prefix/length} {any | destination-port/port-range} [ace-priority
priority] [dscp number | precedence number] [match-all list-of-flags] [time-range
time-range-name] [log-input]
permit udp {any | source-prefix/length} {any | source-port/port-range} {any |
destination-prefix/length} {any | destination-port/port-range} [ace-priority
priority] [dscp number | precedence number] [time-range time-range-name]
[log-input]
Parameters
• priority - Specifies the priority of the access control entry (ACE) in the access
control list (ACL). The value 1 represents the highest priority and 2147483647
represents the lowest priority. (Range: 1-2147483647)
• source-port—Specifies the UDP/TCP source port. Predefined port names
are defined in the destination-port parameter. (Range: 0–65535)
Default Configuration
No IPv6 access list is defined.
Command Mode
User Guidelines
The number of TCP/UDP ranges that can be defined in ACLs is limited. If a range of
ports is used for a source port in an ACE, it is not counted again if it is also used for a
source port in another ACE. If a range of ports is used for the destination port in an
ACE, it is not counted again if it is also used for the destination port in another ACE.
If a range of ports is used for the source port, it is counted again if it is also used for
the destination port.
If ace-priority is omitted, the system sets the rule's priority to the current highest
priority ACE (in the current ACL) + 20. The ACE priority must be unique per ACL. If
the user enters a priority that already exists, the command is rejected.
Example
This example defines an ACL by the name of server and enters a rule (ACE) for tcp
packets.
Syntax
precedence number] [match-all list-of-flags] [time-range time-range-name]
[disable-port |log-input]
Parameters
• priority - Specifies the priority of the access control entry (ACE) in the access
control list (ACL). The value 1 represents the highest priority and 2147483647
represents the lowest priority. (Range: 1-2147483647)
(49), talk (517), telnet (23), time (37), uucp (117), whois (43), www (80). For
UDP enter a number or one of the following values: biff (512), bootpc (68),
bootps (67), discard (9), dnsix (90), domain (53), echo (7), mobile-ip (434),
nameserver (42), netbios-dgm (138), netbios-ns (137), non500-isakmp
(4500), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog
(514), tacacs (49), talk (517), tftp (69), time (37), who (513), xdmcp (177).
(Range: 0–65535)
Default Configuration
Command Mode
User Guidelines
The number of TCP/UDP ranges that can be defined in ACLs is limited. If a range of
ports is used for the source port in an ACE, it is not counted again if it is also used for
the source port in another ACE. If a range of ports is used for a destination port in an
ACE, it is not counted again if it is also used for a destination port in another ACE.
If a range of ports is used for the source port, it is counted again if it is also used for
the destination port.
If ace-priority is omitted, the system sets the rule's priority to the current highest
priority ACE (in the current ACL) + 20. The ACE priority must be unique per ACL. If
the user enters a priority that already exists, the command is rejected.
Example
Syntax
Parameters
acl-name—Specifies the name of the MAC ACL (Range: 1–32 characters).
Default Configuration
Command Mode
User Guidelines
A MAC ACL is defined by a unique name. IPv4 ACL, IPv6 ACL, MAC ACL or policy
maps cannot have the same name.
If ace-priority is omitted, the system sets the rule's priority to the current highest
priority ACE (in the current ACL) + 20. The ACE priority must be unique per ACL. If
the user enters a priority that already exists, the command is rejected.
Example
Syntax
Parameters
• source—Source MAC address of the packet.
• source-wildcard—Wildcard bits to be applied to the source MAC address.
Use 1s in the bit position that you want to be ignored.
• priority - Specifies the priority of the access control entry (ACE) in the access
control list (ACL). The value 1 represents the highest priority and 2147483647
represents the lowest priority. (Range: 1-2147483647)
• eth-type—The Ethernet type in hexadecimal format of the packet.
• vlan-id—The VLAN ID of the packet. (Range: 1–4094)
• cos—The Class of Service of the packet. (Range: 0–7)
• cos-wildcard—Wildcard bits to be applied to the CoS.
• time-range-name—Name of the time range that applies to this permit
statement. (Range: 1–32)
User Guidelines
A MAC ACL is defined by a unique name. IPv4 ACL, IPv6 ACL, MAC ACL or policy
maps cannot have the same name.
If ace-priority is omitted, the system sets the rule's priority to the current highest
priority ACE (in the current ACL) + 20. The ACE priority must be unique per ACL. If
the user enters a priority that already exists, the command is rejected.
Default Configuration
Command Mode
MAC Access-list Configuration mode
Example
Syntax
deny {any | source source-wildcard} {any | destination destination-wildcard}
[ace-priority priority] [{eth-type 0} | aarp | amber | dec-spanning | decnet-iv |
diagnostic | dsm | etype-6000] [vlan vlan-id] [cos cos cos-wildcard] [time-range
time-range-name] [disable-port | log-input]
no deny {any | source source-wildcard} {any | destination destination-wildcard}
[{eth-type 0} | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm |
etype-6000] [vlan vlan-id] [cos cos cos-wildcard] [time-range time-range-name]
[disable-port | log-input]
Parameters
• priority - Specifies the priority of the access control entry (ACE) in the access
control list (ACL). The value 1 represents the highest priority and 2147483647
represents the lowest priority. (Range: 1-2147483647)
hardware and logging is done in software, if a large number of packets
match an ACE containing a log-input keyword, the software might not be
able to match the hardware processing rate, and not all packets will be
logged.
Default Configuration
Command Mode
User Guidelines
A MAC ACL is defined by a unique name. IPv4 ACL, IPv6 ACL, MAC ACL or policy
maps cannot have the same name.
If ace-priority is omitted, the system sets the rule's priority to the current highest
priority ACE (in the current ACL) + 20. The ACE priority must be unique per ACL. If
the user enters a priority that already exists, the command is rejected.
Example
Use the no form of this command to remove all ACLs from the interface.
Syntax
no service-acl input
Parameters
• deny-any—Denies all packets ingressing at the port that do not match
the rules in this ACL.
• permit-any—Forwards all packets ingressing at the port that do not
match the rules in this ACL.
Default Configuration
No ACL is assigned.
Command Mode
User Guidelines
The following rules govern when ACLs can be bound or unbound from an
interface:
• IPv4 ACLs and IPv6 ACLs can be bound together to an interface.
Example
switchxxxxxx(config-mac-al)# permit 00:00:00:00:00:01 00:00:00:00:00:ff any
switchxxxxxx(config-mac-al)# exit
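The MAC wildcard, ace-priority and default-action rules described above, modelled as an added Python example (not part of the reference guide and not device code). The class and function names and the second ACE are constructed for illustration. Two assumptions are made: "current highest priority ACE + 20" is read as the largest priority number in use plus 20, and an empty ACL starts at 20.

```python
from typing import Dict, Optional, Tuple

MAC_BITS = (1 << 48) - 1
MAX_PRIORITY = 2147483647  # lowest priority the page allows; 1 is the highest


def mac_to_int(mac: str) -> int:
    """Accept 00:08:78:32:98:78 or 0008.3b79.8787 style addresses."""
    digits = mac.replace(":", "").replace(".", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


class MacAcl:
    """Hypothetical model of one MAC ACL: priority -> (action, source, wildcard)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.aces: Dict[int, Tuple[str, int, int]] = {}

    def add(self, action: str, source: str = "any",
            wildcard: str = "00:00:00:00:00:00",
            priority: Optional[int] = None) -> int:
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if priority is None:
            # Assumption: largest priority number in use + 20; empty ACL -> 20.
            priority = max(self.aces, default=0) + 20
        if not 1 <= priority <= MAX_PRIORITY:
            raise ValueError("ace-priority out of range")
        if priority in self.aces:
            # The page: an already existing priority is rejected.
            raise ValueError(f"ace-priority {priority} already exists")
        if source == "any":
            src, wild = 0, MAC_BITS          # every bit ignored
        else:
            src, wild = mac_to_int(source), mac_to_int(wildcard)
        self.aces[priority] = (action, src, wild)
        return priority

    def evaluate(self, source_mac: str,
                 default_action: str = "deny-any") -> Tuple[str, Optional[int]]:
        """Return (action, matching priority); priority is None on fall-through."""
        mac = mac_to_int(source_mac)
        for priority in sorted(self.aces):   # 1 is evaluated first
            action, src, wild = self.aces[priority]
            # A 1 in the wildcard means "ignore this bit position".
            if ((mac ^ src) & ~wild & MAC_BITS) == 0:
                return action, priority
        fallback = "permit" if default_action == "permit-any" else "deny"
        return fallback, None


def build_sample() -> MacAcl:
    acl = MacAcl("sample-mac-acl")  # constructed name
    # ACE taken from the page's example; no ace-priority given.
    acl.add("permit", "00:00:00:00:00:01", "00:00:00:00:00:ff")
    # Constructed ACE with an explicit, numerically lower (higher) priority.
    acl.add("deny", "00:08:3b:00:00:00", "00:00:00:ff:ff:ff", priority=10)
    return acl


if __name__ == "__main__":
    sample = build_sample()
    for mac in ("00:00:00:00:00:7f", "0008.3b79.8787", "00:00:00:00:01:01"):
        print(mac, sample.evaluate(mac))
```

The wildcard 00:00:00:00:00:ff ignores only the last octet, so the page's permit ACE matches 256 source addresses, not one.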
Syntax
Parameters
Default
No ACL is assigned.
Command Mode
User Guidelines
The rule action log-input is not supported. Trying to use it will result in an error.
The deny rule action disable-port is not supported. Trying to use it will result in an
error.
A MAC ACL cannot be bound on an interface together with an IPv4 ACL or IPv6
ACL.
An ACL cannot be added to a port that is already bound to an ACL, without first
removing the current ACL and binding the two ACLs together.
An ACL cannot be bound as output if it has been bound as input.
Example
switchxxxxxx(config-mac-al)# exit
3.12 time-range
Use the time-range Global Configuration mode command to define time ranges for
different functions. In addition, this command enters the Time-range Configuration
mode. All commands after this one refer to the time-range being defined.
This command sets a time-range name. Use the absolute and periodic commands
to actually configure the time-range.
Use the no form of this command to remove the time range from the device.
Syntax
time-range time-range-name
no time-range time-range-name
Parameters
Default Configuration
Command Mode
User Guidelines
After adding the name of a time range with this command, use the absolute and
periodic commands to actually configure the time-range. Multiple periodic
commands are allowed in a time range. Only one absolute command is allowed.
If a time-range command has both absolute and periodic values specified, then
the periodic items are evaluated only after the absolute start time is reached, and
are not evaluated again after the absolute end time is reached.
• dot1x port-control
• power inline
• operation time
• permit (IP)
• deny (IP)
• permit (IPv6)
• deny (IPv6)
• permit (MAC)
• deny (MAC)
Example
3.13 absolute
Use the absolute Time-range Configuration mode command to specify an
absolute time when a time range is in effect. Use the no form of this command to
remove the time limitation.
Syntax
absolute start hh:mm day month year
no absolute start
Parameters
• start—Absolute time and date that the permit or deny statement of the
associated function goes into effect. If no start time and date are specified,
the function is in effect immediately.
• end—Absolute time and date that the permit or deny statement of the
associated function is no longer in effect. If no end time and date are
specified, the function is in effect indefinitely.
• hh:mm—Time in hours (military format) and minutes (Range: 0–23, mm: 0–5)
Default Configuration
Command Mode
Example
switchxxxxxx(config-time-range)# absolute end 12:00 31 dec 2005
3.14 periodic
Use the periodic Time-range Configuration mode command to specify a recurring
(weekly) time range for functions that support the time-range feature. Use the no
form of this command to remove the time limitation.
Syntax
periodic day-of-the-week hh:mm to day-of-the-week hh:mm
Parameters
Default Configuration
Command Mode
User Guidelines
The second occurrence of the day can be in the following week, e.g. Thursday–
Monday means that the time range is effective on Thursday, Friday, Saturday,
Sunday, and Monday.
The second occurrence of the time can be on the following day, e.g. “22:00–2:00”.
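How the absolute and periodic rules of a time range combine, including the wrap into the following week or day, as an added Python example (not part of the reference guide and not device code). The class names are hypothetical; the sample start date and periodic entries are constructed, and treating the start as inclusive and the end as exclusive is an assumption of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]


def week_minute(day: str, hhmm: str) -> int:
    """Minutes since Monday 00:00 for a day name and an hh:mm string."""
    hours, minutes = (int(part) for part in hhmm.split(":"))
    if not (0 <= hours <= 23 and 0 <= minutes <= 59):
        raise ValueError(f"bad time {hhmm!r}")
    return DAYS.index(day.lower()[:3]) * 1440 + hours * 60 + minutes


@dataclass(frozen=True)
class Periodic:
    """One weekly window: day-of-the-week hh:mm to day-of-the-week hh:mm."""
    start_day: str
    start_time: str
    end_day: str
    end_time: str

    def covers(self, when: datetime) -> bool:
        now = when.weekday() * 1440 + when.hour * 60 + when.minute
        start = week_minute(self.start_day, self.start_time)
        end = week_minute(self.end_day, self.end_time)
        if start <= end:
            return start <= now < end
        # The end falls in the following week (thu -> mon) or, for a night
        # window across the week boundary, on the following day (sun -> mon).
        return now >= start or now < end


@dataclass
class TimeRange:
    name: str
    absolute_start: Optional[datetime] = None   # None: in effect immediately
    absolute_end: Optional[datetime] = None     # None: in effect indefinitely
    periodic: List[Periodic] = field(default_factory=list)

    def active(self, when: datetime) -> bool:
        # Periodic items are only evaluated inside the absolute window.
        if self.absolute_start is not None and when < self.absolute_start:
            return False
        if self.absolute_end is not None and when >= self.absolute_end:
            return False
        if not self.periodic:
            return True
        return any(item.covers(when) for item in self.periodic)


def sample_range() -> TimeRange:
    # The name and the absolute end (12:00 31 dec 2005) appear on the page;
    # the absolute start and the periodic entry are constructed.
    return TimeRange(
        name="http-allowed",
        absolute_start=datetime(2005, 1, 1, 0, 0),
        absolute_end=datetime(2005, 12, 31, 12, 0),
        periodic=[Periodic("thu", "00:00", "mon", "23:59")],
    )


def night_range() -> TimeRange:
    # Constructed: the 22:00-2:00 case written as Sunday 22:00 to Monday 02:00.
    return TimeRange(name="night-window",
                     periodic=[Periodic("sun", "22:00", "mon", "02:00")])


if __name__ == "__main__":
    tr = sample_range()
    for probe in (datetime(2005, 6, 15, 10, 0),    # Wednesday, outside thu-mon
                  datetime(2005, 6, 20, 10, 0),    # Monday, inside thu-mon
                  datetime(2005, 12, 31, 13, 0)):  # after the absolute end
        print(probe.isoformat(), tr.active(probe))
```

When auditing an ACE bound to a time range, test the hours just outside each window as well: outside the window the ACE does not apply and traffic falls through to later entries or the default action.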
Example
Syntax
Parameters
Command Mode
Example
http-allowed
--------------
3.16 show access-lists
Use the show access-lists Privileged EXEC mode command to display access
control lists (ACLs) configured on the switch.
Syntax
Parameters
• name—Specifies the name of the ACL. (Range: 1-160 characters)
Command Mode
Example
Syntax
show interfaces access-lists [interface-id]
Parameters
Command Mode
Privileged EXEC mode
Example
Interface ACLs
--------- -----------------------
Egress : ip
Syntax
Parameters
Command Mode
Example
Syntax
Parameters
• port-channel—Specifies a port-channel.
• VLAN—Specifies a VLAN
Command Mode
User Guidelines
This command shows whether packets were trapped from ACE hits with logging
enabled on an interface.
Examples
Example 1:
Example 2:
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Use the ip access-list command to configure IP address filtering. Access lists are
configured with permit or deny keywords to either permit or deny an IP address
based on a matching condition. An implicit deny is applied to any address that does
not match any access-list entry.
An access-list entry consists of an IP address and a bit mask. The bit mask is a
number from 1 to 32.
Evaluation of an IP address by an access list starts with the first entry of the list
and continues down the list until a match is found. When the IP address match is
found, the permit or deny statement is applied to that address and the remainder
of the list is not evaluated.
Examples
Example 1 - The following example of a standard access list allows only the three
specified networks. Any IP address that does not match the access list statements
will be rejected.
switchxxxxxx(config)# ip access-list 1 permit 192.168.34.0/24
Example 2 - The following example of a standard access list allows access for IP
addresses in the range from 10.29.2.64 to 10.29.2.127. All IP addresses not in this
range will be rejected.
switchxxxxxx(config)# ip access-list apo permit 10.29.2.64/26
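The first-match evaluation and implicit deny described above, worked through as an added Python example (not part of the reference guide and not device code). It goes beyond the page's two examples by also handling IPv6 prefixes and by reporting entries that can never match because an earlier entry already covers them. The Entry type, the function names and the deny entry in the sample list are constructed for this illustration.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Entry(NamedTuple):
    action: str  # "permit" or "deny"
    prefix: str  # address and bit mask, e.g. "10.29.2.64/26"


def covered_range(prefix: str) -> Tuple[str, str]:
    """First and last address covered by an entry."""
    net = ipaddress.ip_network(prefix)  # raises ValueError if host bits are set
    return str(net[0]), str(net[-1])


def evaluate(entries: List[Entry], address: str) -> Tuple[str, Optional[int]]:
    """Walk the list top down; the first matching entry decides.

    Returns (action, index of the deciding entry). The index is None when no
    entry matched and the implicit deny applied.
    """
    addr = ipaddress.ip_address(address)
    for index, entry in enumerate(entries):
        if addr in ipaddress.ip_network(entry.prefix):
            return entry.action, index
    return "deny", None


def shadowed(entries: List[Entry]) -> List[Tuple[int, int, bool]]:
    """Entries that can never decide a packet.

    Returns (later index, earlier index, actions differ) for each entry whose
    prefix lies entirely inside the prefix of an earlier entry. When the
    actions differ, the later entry looks like a rule but has no effect.
    """
    nets = [ipaddress.ip_network(entry.prefix) for entry in entries]
    findings = []
    for later, later_net in enumerate(nets):
        for earlier in range(later):
            earlier_net = nets[earlier]
            if (earlier_net.version == later_net.version
                    and later_net.subnet_of(earlier_net)):
                conflict = entries[earlier].action != entries[later].action
                findings.append((later, earlier, conflict))
                break
    return findings


# Constructed sample list. The two permit prefixes come from the page's
# examples; the deny entry is made up to show a shadowed rule.
SAMPLE_V4 = [
    Entry("permit", "10.29.2.64/26"),
    Entry("deny", "10.29.2.96/27"),
    Entry("permit", "192.168.34.0/24"),
]

# Constructed IPv6 list using the prefix from the page's IPv6 permit example.
SAMPLE_V6 = [Entry("permit", "2001:db8:300:201::/64")]


if __name__ == "__main__":
    print(covered_range("10.29.2.64/26"))
    for probe in ("10.29.2.100", "10.29.2.128", "192.168.34.7"):
        print(probe, evaluate(SAMPLE_V4, probe))
    print("shadowed:", shadowed(SAMPLE_V4))
```

Because the remainder of the list is not evaluated after a match, the constructed deny for 10.29.2.96/27 never takes effect here; moving it above the /26 permit is what would make it apply.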
Syntax
Parameters
Default Configuration
no access list
Command Mode
User Guidelines
Use the ipv6 access-list command to configure IPv6 address filtering. Access lists
are configured with permit or deny keywords to either permit or deny an IPv6
address based on a matching condition. An implicit deny is applied to any address that
does not match any access-list entry.
An access-list entry consists of an IP address and a bit mask. The bit mask is a
number from 1 to 128.
Evaluation of an IPv6 address by an access list starts with the first entry of the list
and continues down the list until a match is found. When the IPv6 address match is
found, the permit or deny statement is applied to that address and the remainder
of the list is not evaluated.
The IPv6 standard access list is used to filter received and sent IPv6 routing
information.
Example
The following example of an access list allows only the one specified prefix. Any
IPv6 address that does not match the access list statements will be rejected.
4 Address Table Commands
Syntax
Parameters
Default Configuration
Multicast address filtering is disabled. All Multicast addresses are flooded to all
ports.
Command Mode
Global Configuration mode
User Guidelines
When this feature is enabled, unregistered Multicast traffic (as opposed to
registered) will still be flooded.
Example
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Use the mac-group option when using a network management system that uses a
MIB based on the Multicast MAC address. Otherwise, it is recommended to use
The following table describes the actual data that is written to the Forwarding
Data Base (FDB) as a function of the IGMP version that is used in the network:
(*) Note that (*,G) cannot be written to the FDB if the mode is ipv4-src-group. In that
case, no new FDB entry is created, but the port is added to the static (S,G) entries
(if they exist) that belong to the requested group. It is recommended to set the FDB
mode to ipv4-group or mac-group for IGMP version 2.
If an application on the device requests (*,G), the operating FDB mode is changed
to ipv4-group.
Example
4.3 bridge multicast address
To register a MAC-layer Multicast address in the bridge table and statically add or
remove ports to or from the group, use the bridge multicast address Interface
(VLAN) Configuration mode command. To unregister the MAC address, use the no
form of this command.
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
To register the group in the bridge database without adding or removing ports or
port channels, specify the mac-multicast-address parameter only.
Examples
Example 1 - The following example registers the MAC address to the bridge table:
Example 2 - The following example registers the MAC address and adds ports
statically.
Syntax
Parameters
• ethernet interface-list—Specifies a list of Ethernet ports. Separate
nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen
to designate a range of ports.
Default Configuration
No forbidden addresses are defined.
Command Mode
User Guidelines
Before defining forbidden ports, the Multicast group should be registered, using
bridge multicast address.
Example
Syntax
Parameters
Default Configuration
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
To register the group in the bridge database without adding or removing ports or
port channels, specify the ip-multicast-address parameter only.
Example
The following example registers the specified IP address to the bridge table:
switchxxxxxx(config-if)# bridge multicast ip-address 239.2.2.2
The following example registers the IP address and adds ports statically.
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Example
The following example registers IP address 239.2.2.2, and forbids the IP address
on port te1/0/4 within VLAN 8.
Syntax
Parameters
• add—(Optional) Adds ports to the group for the specific source IP address.
• remove—(Optional) Removes ports from the group for the specific source
IP address.
• ethernet interface-list—(Optional) Specifies a list of Ethernet ports.
Separate nonconsecutive Ethernet ports with a comma and no spaces. Use
a hyphen to designate a range of ports.
Default Configuration
No Multicast addresses are defined.
Command Mode
User Guidelines
You can execute the command before the VLAN is created.
Example
The following example registers a source IP address - Multicast IP address pair to
the bridge table:
Syntax
Parameters
• add—(Optional) Forbids adding ports to the group for the specific source IP
address.
• remove—(Optional) Forbids removing ports from the group for the specific
source IP address.
Default Configuration
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Before defining forbidden ports, the Multicast group should be registered.
Example
4.9 bridge multicast ipv6 mode
To configure the Multicast bridging mode for IPv6 Multicast packets, use the
bridge multicast ipv6 mode Interface (VLAN) Configuration mode command. To
return to the default configuration, use the no form of this command.
Syntax
bridge multicast ipv6 mode {mac-group | ip-group | ip-src-group}
Parameters
Default Configuration
Command Mode
User Guidelines
Use the mac-group mode when using a network management system that uses a
MIB based on the Multicast MAC address.
For each Forwarding Data Base (FDB) mode, use different CLI commands to
configure static entries for IPv6 Multicast addresses in the FDB, as described in
the following table:
The following table describes the actual data that is written to the Forwarding
Data Base (FDB) as a function of the MLD version that is used in the network:
(*) Note that (*,G) cannot be written to the FDB if the mode is ip-src-group. In that
case, no new FDB entry is created, but the port is added to the (S,G) entries (if they
exist) that belong to the requested group.
If an application on the device requests (*,G), the operating FDB mode is changed
to ip-group.
Example
switchxxxxxx(config-if)# bridge multicast ipv6 mode ip-group
Syntax
Parameters
Default Configuration
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
To register the group in the bridge database without adding or removing ports or
port channels, specify the ipv6-multicast-address parameter only.
Examples
Example 1 - The following example registers the IPv6 address to the bridge table:
Example 2 - The following example registers the IPv6 address and adds ports
statically.
Syntax
bridge multicast ipv6 forbidden ip-address {ipv6-multicast-address} {add |
remove} {ethernet interface-list | port-channel port-channel-list}
Parameters
• add—(Optional) Forbids adding ports to the group.
Default Configuration
Command Mode
User Guidelines
Example
The following example registers an IPv6 Multicast address, and forbids the IPv6
address on port te1/0/4 within VLAN 8.
Syntax
Parameters
• add—(Optional) Adds ports to the group for the specific source IPv6
address.
• remove—(Optional) Removes ports from the group for the specific source
IPv6 address.
Default Configuration
Command Mode
Interface (VLAN) Configuration mode
Example
The following example registers a source IPv6 address - Multicast IPv6 address
pair to the bridge table:
switchxxxxxx(config-if)# bridge multicast source 2001:0:0:0:4:4:4 group FF00:0:0:0:4:4:4:1
Syntax
Parameters
• add—Forbids adding ports to the group for the specific source IPv6
address.
• remove—Forbids removing ports from the group for the specific source
IPv6 address.
Default Configuration
No forbidden addresses are defined.
Command Mode
User Guidelines
Example
The following example registers a source IPv6 address - Multicast IPv6 address
pair to the bridge table, and forbids adding the pair to te1/0/4 on VLAN 8:
Syntax
Parameters
• forwarding—Forwards unregistered Multicast packets.
Default Configuration
Command Mode
User Guidelines
Example
The following example specifies that unregistered Multicast packets are filtered
on te1/0/1:
Syntax
Parameters
• add—Forces forwarding of all Multicast packets.
Default Configuration
Forwarding of all Multicast packets is disabled.
Command Mode
Example
Syntax
Parameters
• port-channel port-channel-list—Specifies a list of port channels. Separate
nonconsecutive port-channels with a comma and no spaces; use a hyphen
to designate a range of port channels.
Default Configuration
Ports are not forbidden to dynamically join Multicast groups.
Command Mode
User Guidelines
Use this command to forbid a port to dynamically join (by IGMP, for example) a
Multicast group.
Example
The following example forbids forwarding of all Multicast packets to te1/0/1 within
VLAN 2.
Syntax
Parameters
Default Configuration
Forwarding.
Command Mode
Example
The following example drops Unicast packets on te1/0/1 when the destination is
unknown.
Syntax
Parameters
interface-id—(Optional) Specify an interface ID. The interface ID can be one of the
following types: Ethernet port or port-channel
Command Mode
Example
Syntax
Parameters
Default Configuration
No static addresses are defined. The default mode for an added address is
permanent.
Command Mode
User Guidelines
Use the command to add a static MAC address with a given time-to-live in any
mode, or to add a secure MAC address in a secure mode.
Each MAC address in the MAC address table is assigned two attributes: type and
time-to-live.
• static—MAC address manually added by the command with the following
keywords specifying its time-to-live:
- permanent
- delete-on-reset
- delete-on-timeout
Examples
Example 1 - The following example adds two permanent static MAC addresses:
Syntax
Parameters
Default Configuration
For dynamic addresses, if interface-id is not supplied, all dynamic entries are
deleted.
Command Mode
Examples
Example 1 - Delete all dynamic entries from the FDB.
Example 2 - Delete all secure entries from the FDB learned on secure port te1/0/1.
Syntax
Parameters
Default Configuration
300
Command Mode
Example
Syntax
no port security
Parameters
Default Configuration
Command Mode
User Guidelines
The command may be used only when the interface is in the regular (non-secure
with unlimited MAC learning) mode.
See the mac address-table static command for information about MAC address
attributes (type and time-to-live) definitions.
When the port security command enables the lock mode on a port, all dynamic
addresses learned on the port are changed to permanent secure addresses.
When the port security command enables a mode other than lock on a port, all
dynamic addresses learned on the port are deleted.
When the no port security command cancels a secure mode on a port, all secure
addresses defined on the port are changed to dynamic addresses.
In addition to setting a mode, use the port security command to set the action that
the switch performs on a frame whose source MAC address cannot be learned.
Example
The following example forwards all packets to port te1/0/1 without learning
addresses of packets from unknown sources and sends traps every 100 seconds,
if a packet with an unknown source address is received.
switchxxxxxx(config-if)# exit
Syntax
Parameters
• lock— Secure mode without MAC learning. The static and secure MAC
addresses may be added on the port manually by the mac address-table
static command.
Default Configuration
The default port security mode is lock.
Command Mode
User Guidelines
The default port mode is called regular. In this mode, the port allows unlimited
learning of dynamic addresses.
The static MAC addresses may be added on the port manually by the mac
address-table static command.
The command may be used only when the interface is in the regular (non-secure
with unlimited MAC learning) mode.
Use the port security mode command to change the default mode before the port
security command.
Example
lock
switchxxxxxx(config-if)# exit
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
The command may be used only when the interface is in the regular (non-secure
with unlimited MAC learning) mode.
Use this command to change the default value before the port security command.
Example
switchxxxxxx(config-if)# exit
Syntax
port security routed secure-address mac-address
Parameters
Default Configuration
Command Mode
User Guidelines
This command enables adding secure MAC addresses to a routed port in port
security mode. The command is available when the port is a routed port and in
port security mode. The address is deleted if the port exits the security mode or is
not a routed port.
Example
Syntax
Parameters
• dynamic—(Optional) Displays only dynamic MAC address table entries.
Default Configuration
Command Mode
User Guidelines
Internal usage VLANs (VLANs that are automatically allocated on routed ports) are
presented in the VLAN column by a port number and not by a VLAN ID.
Examples
Example 1 - Displays entire address table.
Example 2 - Displays address table entries containing the specified MAC address.
switchxxxxxx# show mac address-table address 00:3f:bd:45:5a:b1
Syntax
Parameters
Command Mode
Example
Capacity : 16384
Free : 16379
Used : 5
Secure : 0
Dynamic : 2
Static : 2
Internal : 1
console#
Syntax
Parameters
Command Mode
Example
The following example displays the Multicast bridging mode for all VLANs
Syntax
Parameters
• source —(Optional) Specifies the source address. The possible values are:
Default Configuration
If MAC or IP address is not supplied, entries for all addresses are displayed.
Command Mode
User Guidelines
Ports that were defined via the bridge multicast forbidden forward-all command
are displayed in all forbidden MAC entries.
Changing the Multicast mode can move static Multicast addresses that are written
in the device FDB to a shadow configuration because of FDB hash collisions.
Example
The following example displays bridge Multicast address information.
8 01:00:5e:02:02:03 te1/0/4
1 232.5.6.5
1 233.22.2.6
8 239.2.2.2 * te1/0/4
8 ff02::4:4:4 te1/0/4
fe00:200
8 ff02::4:4:4 * te1/0/4
e00:200
4.30 show bridge multicast address-table static
To display the statically-configured Multicast addresses, use the show bridge
multicast address-table static Privileged EXEC mode command.
Syntax
Parameters
Default Configuration
When all/mac/ip is not specified, all entries (MAC and IP) will be displayed.
Command Mode
User Guidelines
Example
MAC-GROUP table
Vlan MAC Address Ports
19 231.2.2.8 te1/0/2-3
1 231.2.2.3 te1/0/4
19 231.2.2.8 te1/0/3
IPv4-SRC-GROUP Table:
Vlan Group Address Source address Ports
Vlan IP Address Ports
11 FF12::3 te1/0/4
IPv6-SRC-GROUP Table:
Vlan Group Address Source address Ports
Syntax
Parameters
Default Configuration
None
Command Mode
Example
Filtering: Enabled
VLAN: 1
Forward-All
Port Static Status
te1/0/3 - Forward(d)
Syntax
Parameters
Default Configuration
Command Mode
Example
------- -------------
te1/0/1 Forward
te1/0/2 Filter
te1/0/3 Filter
Syntax
Parameters
Default Configuration
Display for all interfaces. If detailed is not used, only present ports are displayed.
Command Mode
Example
Addresses
Addresses
Field Description
Port The port number.
Status The port security status. The possible values are: Enabled or Disabled.
Action The action taken on violation.
Maximum The maximum number of addresses that can be associated on this port in the Max-Addresses mode.
Trap The status of SNMP traps. The possible values are: Enable or Disable.
Frequency The minimum time interval between consecutive traps.
Syntax
Parameters
• interface-id—(Optional) Specifies an interface ID. The interface ID can be
one of the following types: Ethernet port or port-channel.
Default Configuration
Display for all interfaces. If detailed is not used, only present ports are displayed.
Command Mode
Example
The following example displays dynamic addresses in all currently locked ports:
Disabled Lock 0 1
te1/0/2
Disabled Lock 0 1
te1/0/3
Disabled Lock 0 1
te1/0/4
...
Syntax
Parameters
• llc sap—(Optional) Specifies that the packet type is LLC and the
DSAP-SSAP field (16 bits in hexadecimal format). (Range: 0xFFFF)
Default Configuration
Command Mode
User Guidelines
Specific configurations (that contain service type) have precedence over less
specific configurations (contain only MAC address).
The packets that are bridged are subject to security ACLs.
The actions defined by this command have precedence over forwarding rules
defined by applications/protocols (STP, LLDP, etc.) supported on the device.
Example
Syntax
Command Mode
Example
switchxxxxxx # show bridge multicast reserved-addresses
5 Authentication, Authorization and Accounting (AAA) Commands
Syntax
Parameters
Keyword Description
enable Uses the enable password for authentication.
line Uses the line password for authentication.
local Uses the locally-defined usernames for authentication.
none Uses no authentication.
radius Uses the list of all RADIUS servers for authentication.
tacacs Uses the list of all TACACS+ servers for authentication.
Default Configuration
If no methods are specified, the defaults are the locally-defined users and
passwords. This is the same as entering the command aaa authentication login
local.
Command Mode
User Guidelines
The default and list names created with this command are used with the login
authentication command.
Example
The following example sets the authentication login methods for the console.
Syntax
Parameters
• default—Uses the listed authentication methods that follow this argument
as the default method list, when accessing higher privilege levels.
Keyword Description
enable Uses the enable password for authentication.
line Uses the line password for authentication.
none Uses no authentication.
radius Uses the list of all RADIUS servers for authentication.
tacacs Uses the list of all TACACS+ servers for authentication.
Default Configuration
The enable password command defines the default authentication login method.
This is the same as entering the command aaa authentication enable default
enable.
Command Mode
User Guidelines
All aaa authentication enable requests sent by the device to a RADIUS server
include the username $enabx$., where x is the requested privilege level.
All aaa authentication enable requests sent by the device to a TACACS+ server
include the username that is entered for login authentication.
The additional methods of authentication are used only if the previous method
returns an error, not if it fails. Specify none as the final method in the command line
to ensure that the authentication succeeds even if all methods return an error.
Example
The following example sets the enable password for authentication for accessing
higher privilege levels.
Syntax
Parameters
• default—Uses the default list created with the aaa authentication login
command.
• list-name—Uses the specified list created with the aaa authentication login
command.
Default Configuration
default
Command Mode
Examples
Example
Example 2 - The following example sets the authentication login methods for the
console as a list of methods.
Syntax
no enable authentication
Parameters
• default—Uses the default list created with the aaa authentication enable
command.
Default Configuration
default.
Command Mode
Examples
Syntax
Parameters
• method [method2...]—Specifies a list of methods that the authentication
algorithm tries, in the given sequence. The additional authentication
methods are used only if the previous method returns an error, not if it fails.
Specify none as the final method in the command line to ensure that the
authentication succeeds, even if all methods return an error. Select one or
more methods from the following list:
Keyword Description
local Uses the local username database for authentication.
none Uses no authentication.
radius Uses the list of all RADIUS servers for authentication.
tacacs Uses the list of all TACACS+ servers for
authentication.
Default Configuration
The local user database is the default authentication login method. This is the
same as entering the ip http authentication local command.
Command Mode
User Guidelines
Example
5.6 show authentication methods
The show authentication methods Privileged EXEC mode command displays
information about the authentication methods.
Syntax
Parameters
N/A
Default Configuration
N/A
Command Mode
Example
switchxxxxxx# show authentication methods
Login Authentication Method Lists
---------------------------------
Default: Radius, Local, Line
Console_Login: Line, None
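The guidelines in this chapter state that the next method in a list is tried only when the previous method returns an error, not when it fails, and that none as the final method makes authentication succeed when every method errors. The following Python is an added example (not Cisco code) that models that rule and audits the method lists from the output above; the Outcome names, the function names and the treatment of a method with no recorded outcome as an error are assumptions of the model.

```python
"""Model of AAA method-list fallback and an audit for lists that contain 'none'."""
from enum import Enum


class Outcome(Enum):
    ACCEPT = "accept"  # the method answered and the credentials were valid
    REJECT = "reject"  # the method answered and the credentials were wrong (it "fails")
    ERROR = "error"    # the method could not answer, e.g. no server reachable


# Sample input: the method-list rows from the example output on this page.
SHOW_OUTPUT = """\
Login Authentication Method Lists
---------------------------------
Default: Radius, Local, Line
Console_Login: Line, None
"""


def parse_method_lists(show_output):
    """Return {list name: [methods in order]} from 'Name: Method, Method' rows."""
    lists = {}
    for line in show_output.splitlines():
        line = line.strip()
        if ":" not in line:
            continue  # banner, separator or blank line
        name, _, methods = line.partition(":")
        parsed = [m.strip().lower() for m in methods.split(",") if m.strip()]
        if parsed:
            lists[name.strip()] = parsed
    return lists


def authenticate(methods, outcomes):
    """Walk one method list for one login attempt.

    outcomes maps a method name to its Outcome; a method without an entry is
    treated as ERROR (assumption of this model).
    Returns (granted, deciding_method).
    """
    for method in methods:
        if method == "none":
            return True, "none"          # no credential check at all
        result = outcomes.get(method, Outcome.ERROR)
        if result is Outcome.ACCEPT:
            return True, method
        if result is Outcome.REJECT:
            return False, method         # a definite refusal ends the walk
        # Outcome.ERROR: fall through to the next method in the list
    return False, None                   # every method errored, no 'none' present


def audit(lists):
    """List the method lists that can grant access without checking credentials.

    Each finding is (list name, methods that must all return an error first).
    """
    findings = []
    for name, methods in lists.items():
        if "none" in methods:
            findings.append((name, methods[: methods.index("none")]))
    return findings


if __name__ == "__main__":
    parsed = parse_method_lists(SHOW_OUTPUT)
    for name, prerequisites in audit(parsed):
        print(f"{name}: open access once {prerequisites} all return an error")
```

A list flagged by audit is worth reviewing against how easily each preceding method can be made to return an error, since that is the only condition separating the line from unauthenticated access.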
5.7 password
Use the password Line Configuration mode command to specify a password on a
line (also known as an access method, such as a console or Telnet). Use the no
form of this command to return to the default password.
Syntax
Parameters
• password—Specifies the password for this line. (Length: 0–159 characters)
• encrypted—Specifies that the password is encrypted and copied from
another device configuration.
Default Configuration
No password is defined.
Command Mode
Example
switchxxxxxx(config-line)# password secret
Syntax
enable password [level privilege-level] {unencrypted-password | encrypted
encrypted-password}
no enable password [level level]
Parameters
Default Configuration
Command Mode
User Guidelines
Passwords are encrypted by default. You are required to use the encrypted
keyword only when you are actually entering an encrypted password.
Examples
Example 1 - The command sets a password that has already been encrypted. It
will be copied to the configuration file just as it is entered. To use it, the user must
know its unencrypted form.
Example 2 - The command sets an unencrypted password for level 7 (it will be
encrypted in the configuration file).
Syntax
service password-recovery
no service password-recovery
Parameters
N/A
Default Configuration
Command Mode
User Guidelines
• If password recovery is enabled, the user can access the boot menu and
trigger the password recovery in the boot menu. All configuration files and
user files are kept.
• If password recovery is disabled, the user can access the boot menu and
trigger the password recovery in the boot menu. The configuration files
and user files are removed.
Example
The following command disables password recovery:
Note that choosing to use Password recovery option in the Boot Menu during
the boot process will remove the configuration files and the user files.
Would you like to continue ? Y/N.
5.10 username
Use the username Global Configuration mode command to establish a
username-based authentication system. Use the no form to remove a user name.
Syntax
no username name
Parameters
Default Configuration
No user is defined.
Command Mode
Usage Guidelines
The last level 15 user (regardless of whether it is the default user or any user)
cannot be removed and cannot be a remote user.
Examples
Example 1 - Sets an unencrypted password for user tom (level 15). It will be
encrypted in the configuration file.
Example 2 - Sets a password for user jerry (level 15) that has already been
encrypted. It will be copied to the configuration file just as it is entered. To use it,
the user must know its unencrypted form.
switchxxxxxx(config)# username jerry privilege 15 encrypted 4b529f21c93d4706090285b0c10172eb073ffebc4
Syntax
Parameters
N/A
Default Configuration
N/A
Command Mode
Example
The following example displays information about the users local database:
The following table describes the significant fields shown in the display:
Field Description
Username The user name.
Privilege The user’s privilege level.
Password Expiry date The user's password expiration date.
Syntax
Parameters
Default Configuration
Disabled
Command Mode
User Guidelines
It records only users that were identified with a username (e.g. a user that was
logged in with a line password is not recorded).
Example
Syntax
Parameters
N/A
Default Configuration
Disabled
Command Mode
User Guidelines
The device uses the configured priorities of the available RADIUS servers in order
to select the RADIUS server.
If a new supplicant replaces an old supplicant (even if the port state remains
authorized), the software sends a stop message for the old supplicant and a start
message for the new supplicant.
The software does not send start/stop messages if the port is force-authorized.
The software does not send start/stop messages for hosts that are sending traffic
on the guest VLAN or on the unauthenticated VLANs.
The following table describes the supported RADIUS accounting attribute values
and when they are sent by the switch.
Example
Syntax
show accounting
Parameters
N/A
Default Configuration
N/A
Command Mode
Example
switchxxxxxx# show accounting
Login: Radius
802.1x: Disabled
Syntax
Parameters
N/A
Default Configuration
Enabled
Command Mode
User Guidelines
• Does not repeat or reverse the user name or any variant reached by
changing the case of the characters.
• Does not repeat or reverse the manufacturer’s name or any variant reached
by changing the case of the characters.
You can control the above attributes of password complexity with specific
commands described in this section.
If you have previously configured other complexity settings, then those settings
are used. This command does not wipe out the other settings. It works only as a
toggle.
Example
The following example configures requiring complex passwords that fulfill the
minimum requirements specified in the User Guidelines above.
Minimal classes: 3
switchxxxxxx#
Syntax
no passwords complexity min-length | min-classes | not-current | no-repeat |
not-username | not-manufacturer-name
Parameters
Default Configuration
Command Mode
Example
Syntax
Parameters
• days—Specifies the number of days before a password change is forced.
You can use 0 to disable aging. (Range: 0–365).
Default Configuration
180
Command Mode
User Guidelines
Aging is relevant only to users of the local database with privilege level 15 and to
the enable password of privilege level 15.
Example
Syntax
Parameters
N/A
Default Configuration
N/A
Command Mode
Example
switchxxxxxx# show passwords configuration
Minimal classes: 3
Enable Passwords
Level
-----
15
Line Passwords
Line
-----
Console
Telnet
SSH
6 Auto-Update and Auto-Configuration
Syntax
Parameters
Default Configuration
Command Mode
Global Configuration mode
User Guidelines
Examples
Example 1. The following example specifies the auto mode and specifies "scon" as
the SCP extension:
Example 2. The following example specifies the auto mode and does not provide
an SCP extension.
Example 3. The following example specifies that only the SCP protocol will be
used:
Syntax
Parameters
• tftp—Only the TFTP protocol is used by auto-update.
• extension—The SCP file extension. When no value is specified, 'scp' is used.
(Range: 1-16 characters)
Default Configuration
Command Mode
User Guidelines
Examples
Example 1—The following example specifies the auto mode and specifies "scon"
as the SCP extension:
Example 2—The following example specifies the auto mode and does not provide
an SCP extension. In this case "scp" is used.
Example 3—The following example specifies that only the SCP protocol will be
used:
Syntax
show boot
Parameters
N/A
Default Configuration
N/A
Command Mode
Examples
Auto Config
------------
Auto Update
-----------
Auto Config
------------
Auto Update
-----------
Auto Config
------------
Auto Update
-----------
Auto Config
------------
Auto Update
-----------
Auto Config
------------
Auto Update
-----------
Syntax
ip dhcp tftp-server ip address ip-addr
Parameters
Default Configuration
No IP address
Command Mode
User Guidelines
Examples
Example 2. The example specifies the IPv6 address of TFTP server:
Syntax
Parameters
• file-path—Full file path and name of the configuration file on the server.
Default Configuration
No file name
Command Mode
User Guidelines
Examples
Syntax
Parameters
• file-path—Full indirect file path and name of the configuration file on the
server.
Default Configuration
No file name
Command Mode
User Guidelines
Examples
switchxxxxxx(config)# ip dhcp tftp-server image file imag/imag-file
Syntax
Parameters
N/A
Default Configuration
N/A
Command Mode
User Guidelines
Example
server address
manual 2.2.2.2
manual conf/conf-file1
7 Bonjour Commands
Syntax
bonjour enable
no bonjour enable
Default Configuration
Enable
Command Mode
Examples
Syntax
Parameters
Default Configuration
Command Mode
Global Configuration mode
User Guidelines
Use the bonjour interface range interface-list command to add the specified
interfaces to the Bonjour L2 interface list.
Use the no bonjour interface range interface-list command to remove the
specified interfaces from the Bonjour L2 interface list.
Use the no bonjour interface range command to clear the Bonjour L2 interface list.
Examples
Syntax
Parameters
• interface-id—Specifies an interface.
Command Mode
Examples
8 CDP Commands
Syntax
cdp advertise-v2
no cdp advertise-v2
Parameters
N/A
Default Configuration
Version 2.
Command Mode
Example
Syntax
Parameters
N/A
Default Configuration
Enabled
Command Mode
Global Configuration mode
User Guidelines
This MIB specifies the Voice Vlan ID (VVID) to which this port belongs:
• 0—The CDP packets transmitting through this port contain Appliance
VLAN-ID TLV with value of 0. VoIP and related packets are expected to be
sent and received with VLAN-ID=0 and an 802.1p priority.
Example
8.3 cdp device-id format
To specify the format of the Device-ID TLV, use the cdp device-id format command
in Global Configuration mode. To return to default, use the no form of this
command.
Syntax
cdp device-id format {mac | serial-number | hostname}
Parameters
• mac—Specifies that the Device-ID TLV contains the device’s MAC address.
Default Configuration
Command Mode
Example
Syntax
cdp enable
Parameters
N/A
Default Configuration
Enabled
Command Mode
User Guidelines
For CDP to be enabled on an interface, it must first be enabled globally using cdp
advertise-v2.
Example
Syntax
no cdp holdtime
Parameters
Parameters range
seconds—10 - 255.
Default Configuration
180 seconds.
Command Mode
Example
Syntax
Parameters
N/A
Default Configuration
Command Mode
Example
Syntax
cdp log mismatch native
Parameters
N/A
Default Configuration
The switch reports native VLAN mismatches from all ports.
Command Mode
Global Configuration mode
Example
Interface (Ethernet) Configuration mode. To disable the generation of the SYSLOG
messages, use the no form of the CLI command.
Syntax
Parameters
N/A
Default Configuration
The switch reports VoIP mismatches from all ports.
Command Mode
Example
Syntax
Parameters
N/A
Default Configuration
Enabled.
Command Mode
User Guidelines
Use the command to delete CDP packets not including all the mandatory TLVs.
Example
Syntax
no cdp pdu
Parameters
Default Configuration
bridging
Command Mode
User Guidelines
In the flooding mode, VLAN filtering rules are not applied, but STP rules are
applied. In case of MSTP, the CDP packets are classified to instance 0.
Example
Syntax
cdp run
no cdp run
Parameters
N/A
Default Configuration
Enabled.
Command Mode
User Guidelines
incapable devices, the CDP/LLDP capable devices may be able to receive the
advertisement from other device(s) only if the CDP/LLDP incapable devices flood
the CDP/LLDP packets they receive. If the CDP/LLDP incapable devices perform
VLAN-aware flooding, then CDP/LLDP capable devices can hear each other only if
they are in the same VLAN. It should be noted that a CDP/LLDP capable device
may receive advertisements from more than one device if the CDP/LLDP incapable
devices flood the CDP/LLDP packets.
Example
Syntax
Parameters
interface-id—Source port used for Source IP address selection.
Default Configuration
Command Mode
Global Configuration mode
User Guidelines
Example
Syntax
no cdp timer
Parameters
Default Configuration
60 seconds.
Command Mode
Example
Syntax
Parameters
Command Mode
User Guidelines
Use the clear cdp counters command without parameters to clear all the counters.
Use the clear cdp counters global command to clear only the global counters.
Use the clear cdp counters interface-id command to clear the counters of the
given interface.
Example
Example 3. The example clears the CDP counters of Ethernet port te1/0/1:
Syntax
Parameters
N/A
Command Mode
Example
The example deletes all entries from the CDP Cache tables:
Syntax
show cdp
Parameters
N/A
Command Mode
Example
switchxxxxxx# show cdp
Global CDP information:
cdp is globally enabled
cdp log duplex mismatch is globally enabled
cdp log voice VLAN mismatch is globally enabled
cdp log native VLAN mismatch is globally disabled
Mandatory TLVs are
Syntax
Parameters
Default Configuration
Version
Command Mode
Example
switchxxxxxx# show cdp entry
device.cisco.com
Device ID: device.cisco.com
Advertisement version: 2
Entry address(es):
IP address: 192.168.68.18
CLNS address: 490001.1111.1111.1111.00
DECnet address: 10.1
Platform: cisco 4500, Capabilities: Router
Interface: te1/0/1, Port ID (outgoing port): Ethernet0
Holdtime: 125 sec
Version:
Cisco Internetwork Operating System Software
IOS (tm) 4500 Software (C4500-J-M), Version 11.1(10.4), MAINTENANCE INTERIM
SOFTWARE
Copyright (c) 1986-1997 by cisco Systems, Inc.
Compiled Mon 07-Apr-97 19:51 by dschwart
Syntax
Parameters
interface-id—Port ID.
Command Mode
Example
Syntax
Parameters
• interface-id—Displays the neighbors attached to this port.
• detail—Displays detailed information about a neighbor (or neighbors) from
the main cache including network address, enabled protocols, hold time,
and software version.
Default Configuration
Command Mode
Privileged EXEC mode
Example
-------------------------
Advertisement version: 2
Entry address(es):
IP address: 172.19.169.83
Version :
Duplex: half
-------------------------
Entry address(es):
IP address: 172.19.169.87
Advertisement version: 2
Entry address(es):
IP address: 1.6.1.81
Version :
P00303020204
Duplex: full
sysName: a-switch
Power drawn: 6.300 Watts
TimeToLive: 157
Capabilities: R S
VLAN-ID: 10
Platform: 206VXRYC
TimeToLive: 163
Capabilities: R S
VLAN-ID: 10
Platform: ABCD-VSD
Power management-ID is 1;
Available-Power is 15.4;
Management-Power-Level is 0xFFFFFFFF
TimeToLive: 140
Capabilities: R S
VLAN-ID: 1210
Platform: QACSZ
Available-Power is 15.4;
Management-Power-Level is 0xFFFFFFFF
TimeToLive: 132
Capabilities: T
VLAN-ID: 1005
Platform: CAT-3000
Field Definitions:
• COS for Untrusted Ports—The COS value with which all packets received
on an untrusted port should be marked by a simple switching device which
cannot itself classify individual packets.
• Device ID—The name of the neighbor device and either the MAC address
or the serial number of this device.
• Interface—The protocol and port number of the port on the current device.
transmitted by a stub router, it is a list of network prefixes of stub networks
to which the sending stub router can forward IP packets.
• MTU—The MTU of the interface via which the CDP packet is sent.
Note: For IP Phones the value shown is the maximum requested power (6.3
Watts). This value can be different than the actual power supplied by the
routing device (generally 5 watts; shown using the show power command).
• VTP Management Domain—A string that is the name of the collective group
of VLANs associated with the neighbor device.
Syntax
show cdp tlv [interface-id]
Parameters
interface-id—Port ID.
Default Configuration
Command Mode
Privileged EXEC mode
User Guidelines
You can use the show cdp tlv command to verify the TLVs configured to be sent in
CDP packets. The show cdp tlv command displays information for a single port if
specified or for all ports if not specified. Information for a port is displayed only if
CDP is actually running on the port, i.e. CDP is enabled globally and on the port,
and the port is up.
Examples:
cdp globally is disabled
Example 2 - In this example, CDP is globally enabled but disabled on the port and
no information is displayed.
Example 3 - In this example, CDP is globally enabled and enabled on the port, but
the port is down and no information is displayed.
Example 4 - In this example, CDP is globally enabled, and no ports are specified,
so information is displayed for all ports on which CDP is enabled and that are up.
switchxxxxxx# show cdp tlv interface
CDP is enabled
Capabilities: S, I
sysName: a-switch
Available-Power is 15.4;
Management-Power-Level is 0xFFFFFFFF
Example 5 - In this example, CDP is globally enabled and enabled on the PSE PoE
port, which is up and information is displayed.
switchxxxxxx# show cdp tlv interface te1/0/1
CDP is enabled
Capabilities: S, I
sysName: a-switch
Available-Power is 15.4;
Management-Power-Level is 0xFFFFFFFF
Available-Power is 15.4;
Management-Power-Level is 0xFFFFFFFF
Syntax
show cdp traffic [global | interface-id]
Parameters
• global—Display only the global counters
Command Mode
User Guidelines
Use the show cdp traffic command without parameters to display all the counters.
Use the show cdp traffic global command to display only the global counters.
Use the show cdp traffic interface-id command to display the counters of the
given port.
Example
te1/0/1
No memory in main cache: 0, in secondary cache: 0
te1/0/2
Field Definition:
• No memory—The number of times the local device did not have enough
memory to store the CDP advertisements in the advertisement cache table
when the device was attempting to assemble advertisement packets for
transmission and parse them when receiving them.
9 Clock Commands
9.1 absolute
To specify an absolute time when a time range is in effect, use the absolute
command in Time-range Configuration mode. To restore the default configuration,
use the no form of this command.
Syntax
absolute start hh:mm day month year
no absolute start
absolute end hh:mm day month year
no absolute end
Parameters
• start—Absolute time and date that the permit or deny statement of the
associated function goes into effect. If no start time and date are specified,
the function is in effect immediately.
• end—Absolute time and date that the permit or deny statement of the
associated function is no longer in effect. If no end time and date are
specified, the function is in effect indefinitely.
• hh:mm—Time in hours (military format) and minutes (Range: 0–23, mm: 0–5)
• day—Day (by date) in the month. (Range: 1–31)
• month—Month (first three letters by name). (Range: Jan...Dec)
• year—Year (no abbreviation) (Range: 2000–2097)
Default Configuration
There is no absolute time when the time range is in effect.
Command Mode
Time-range Configuration mode
Example
Syntax
clock dhcp timezone
Parameters
N/A
Default Configuration
Disabled
Command Mode
User Guidelines
The TimeZone taken from the DHCP server has precedence over the static
TimeZone.
The Summer Time taken from the DHCP server has precedence over static
SummerTime.
The TimeZone and SummerTime remain effective after the IP address lease time
has expired.
The TimeZone and SummerTime that are taken from the DHCP server are cleared
after reboot.
The no form of the command clears the dynamic Time Zone and Summer Time
taken from the DHCP server.
In case of multiple DHCP-enabled interfaces, the following precedence is applied:
Disabling the DHCP client from which the DHCP-TimeZone option was taken
clears the dynamic Time Zone and Summer Time configuration.
Example
Syntax
Parameters
• month—Specifies the current month using the first three letters of the
month name. (Range: Jan–Dec)
Default Configuration
Command Mode
User Guidelines
After boot the system clock is set to the time of the image creation.
Example
The following example sets the system time to 13:32:00 on March 7th, 2005.
Syntax
Parameters
Default Configuration
SNTP
Command Mode
User Guidelines
After boot the system clock is set to the time of the image creation.
If the command is executed twice, each time with a different clock source, both
sources will be operational; SNTP has higher priority than time from the browser.
Example
The following example configures an SNTP server as an external time source for
the system clock.
switchxxxxxx(config)# exit
Syntax
clock summer-time zone recurring {usa | eu | {week day month hh:mm week day
month hh:mm}} [offset]
clock summer-time zone date day month year hh:mm date month year hh:mm
[offset]
clock summer-time zone date month day year hh:mm month day year hh:mm
[offset]
no clock summer-time
Parameters
• zone—The acronym of the time zone to be displayed when summer time is
in effect. (Range: up to 4 characters)
• date—Indicates that summer time starts on the first date listed in the
command and ends on the second date in the command.
Default Configuration
Command Mode
User Guidelines
In both the date and recurring forms of the command, the first part of the command
specifies when summer time begins, and the second part specifies when it ends.
All times are relative to the local time zone. The start time is relative to standard
time. The end time is relative to summer time. If the starting month is
chronologically after the ending month, the system assumes that you are in the
southern hemisphere.
- Time: 2 AM local time
• Before 2007:
Example
switchxxxxxx(config)# clock summer-time abc date apr 1 2010 09:00 aug 2 2010 09:00
Syntax
no clock timezone
Parameters
Default Configuration
Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), which is the
same:
• Offsets are 0.
• Acronym is empty.
Command Mode
User Guidelines
The system internally keeps time in UTC, so this command is used only for display
purposes and when the time is manually set.
Example
9.7 periodic
To specify a recurring (weekly) time range for functions that support the
time-range feature, use the periodic command in Time-range Configuration mode.
To restore the default configuration, use the no form of this command.
Syntax
periodic day-of-the-week hh:mm to day-of-the-week hh:mm
Parameters
• day-of-the-week—The starting day that the associated time range is in
effect. The second occurrence is the ending day the associated statement
is in effect. The second occurrence can be the following week (see
description in the User Guidelines). Possible values are: mon, tue, wed, thu,
fri, sat, and sun.
Default Configuration
There is no periodic time when the time range is in effect.
Command Mode
Time-range Configuration mode
User Guidelines
The second occurrence of the day can be in the following week, e.g. Thursday–
Monday means that the time range is effective on Thursday, Friday, Saturday,
Sunday, and Monday.
The second occurrence of the time can be on the following day, e.g. “22:00–2:00”.
Example
Syntax
Parameters
• both—(Optional) Specifies that both the IPv4 and IPv6 SNTP Anycast clients are
enabled. This is the default value if the parameter is not defined.
Default Configuration
Command Mode
User Guidelines
Example
Syntax
sntp authenticate
no sntp authenticate
Parameters
N/A
Default Configuration
Authentication is disabled.
Command Mode
Examples
The following example enables authentication for received SNTP traffic and sets
the key and encryption key.
Syntax
Parameters
Default Configuration
Command Mode
Examples
Syntax
Parameters
• both—(Optional) Specifies that both the IPv4 and IPv6 SNTP Broadcast clients are
enabled. This is the default value if the parameter is not defined.
Default Configuration
Command Mode
User Guidelines
Use the sntp broadcast client enable Interface Configuration mode command to
enable the SNTP Broadcast client on a specific interface.
After entering this command, you must enter the clock source command with the
sntp keyword for the command to be run. If this command is not run, the switch will
not synchronize with Broadcast servers.
Example
Syntax
Parameters
• interface-id—Specifies an interface ID, which can be one of the following
types: Ethernet port, Port-channel or VLAN.
Default Configuration
Command Mode
User Guidelines
Use the sntp client enable command to enable SNTP Broadcast and Anycast
clients.
Example
The following example enables the SNTP Broadcast and Anycast clients on VLAN
100:
Syntax
Parameters
N/A
Default Configuration
Command Mode
User Guidelines
This command enables the SNTP Broadcast and Anycast client on an interface.
Use the no form of this command to disable the SNTP client.
Example
The following example enables the SNTP broadcast and anycast client on an
interface.
switchxxxxxx(config-if)# exit
Syntax
Parameters
Default Configuration
The following servers with polling and without authentication are defined:
• time-a.timefreq.bldrdoc.gov
• time-b.timefreq.bldrdoc.gov
• time-c.timefreq.bldrdoc.gov
Command Mode
User Guidelines
Use the sntp server {ip-address | hostname} [poll] [key keyid] command to define an
SNTP server. The switch supports up to 8 SNTP servers.
Use the sntp server default command to return to the default configuration.
Use the no sntp server ip-address | hostname command to remove one SNTP
server.
Example
The following example configures the device to accept SNTP traffic from the
server on 192.1.1.1 with polling.
Syntax
no sntp source-interface
Parameters
Default Configuration
The source IPv4 address is the IPv4 address defined on the outgoing interface
and belonging to next hop IPv4 subnet.
Command Mode
User Guidelines
If the source interface is the outgoing interface, the interface IP address belonging
to next hop IPv4 subnet is applied.
If the source interface is not the outgoing interface, the minimal IPv4 address
defined on the interface is applied.
Example
Syntax
sntp source-interface-ipv6 interface-id
no sntp source-interface-ipv6
Parameters
Default Configuration
The IPv6 source address is the IPv6 address defined on the outgoing interface and
selected in accordance with RFC 6724.
Command Mode
User Guidelines
The outgoing interface is selected based on the SNTP server's IP address. If the
source interface is the outgoing interface, the IPv6 address defined on the
interface and selected in accordance with RFC 6724 is applied.
If the source interface is not the outgoing interface, the minimal IPv4 address
defined on the interface and with the scope of the destination IPv6 address is
applied.
Example
The following example configures VLAN 10 as the source interface.
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
The trusted key is used for authentication of all servers not having personal keys
assigned by the sntp server command.
Examples
The following example authenticates key 8.
Syntax
Parameters
N/A
Default Configuration
Command Mode
User Guidelines
Use the sntp server Global Configuration mode command to define SNTP servers.
Example
The following example enables the device to use SNTP Unicast clients.
Syntax
Parameters
N/A
Default Configuration
Polling is enabled.
Command Mode
User Guidelines
Example
Syntax
Parameters
• detail—(Optional) Displays the time zone and summer time configuration.
Command Mode
User Guidelines
One of the following is displayed before the time: a star (*), a period (.), or a blank:
Examples
Example 1 - The following example displays the system time and date.
Example 2 - The following example displays the system time and date along with
the time zone and summer time configuration.
Acronym is RAIN
Offset is UTC+2
Offset is UTC+0
Acronym is SUN
Offset is 60 minutes.
Summertime (Static):
Acronym is GMT
Offset is 60 minutes.
Syntax
Parameters
N/A
Default Configuration
N/A
Command Mode
Examples
-----------------------------------
2 John123
3 Alice456
-----------------------------------
No trusted keys
Server: 1.1.1.121
Polling: disabled
Server: 3001:1:1::1
Polling: enabled
Server: dns_server1.comapany.com
Polling: enabled
Server: dns_server2.comapany.com
Polling: enabled
No Broadcast Interfaces
Syntax
Parameters
N/A
Default Configuration
N/A
Command Mode
Example
Clock is synchronized, stratum 4, reference is 176.1.1.8, unicast
Reference time is afe2525e.70597b34 (00:10:22.438 PDT Jul 5 1993)
Unicast servers:
Server: 176.1.1.8
Source: DHCPv4 on VLAN 1
Status: Up
Last response: 19:58:22.289 PDT Feb 19 2005
Stratum Level: 1
Offset: 7.33mSec
Delay: 117.79mSec
Server: dns_server.comapany.com
Source: static
Status: Unknown
Last response: 12:17.17.987 PDT Feb 19 2005
Stratum Level: 1
Offset: 8.98mSec
Delay: 189.19mSec
Server: 3001:1:1::1
Source: DHCPv6 on VLAN 2
Status: Unknown
Last response:
Offset: mSec
Delay: mSec
Server: dns1.company.com
Source: DHCPv6 on VLAN 20
Status: Unknown
Last response:
Offset: mSec
Delay: mSec
Anycast servers:
Server: 176.1.11.8
Interface: VLAN 112
Status: Up
Last response: 9:53:21.789 PDT Feb 19 2005
Stratum Level: 10
Offset: 9.98mSec
Delay: 289.19mSec
Broadcast servers:
Server: 3001:1::12
Syntax
show time-range time-range-name
Parameters
• time-range-name—Specifies the name of an existing time range.
Command Mode
User EXEC mode
Example
http-allowed
--------------
9.24 time-range
To define time ranges and to enter Time-range Configuration mode, use the
time-range command in Global Configuration mode. To restore the default
configuration, use the no form of this command.
Syntax
time-range time-range-name
no time-range time-range-name
Parameters
• time-range-name—Specifies the name for the time range. (Range: 1–32
characters).
Default Configuration
No time range is defined
Command Mode
Global Configuration mode
User Guidelines
After entering Time-range Configuration mode with this command, use the
absolute and periodic commands to actually configure the time-range. Multiple
periodic commands are allowed in a time range. Only one absolute command is
allowed.
If a time-range command has both absolute and periodic values specified, then
the periodic items are evaluated only after the absolute start time is reached, and
are not evaluated again after the absolute end time is reached.
To ensure that the time range entries take effect at the desired times, the software
clock should be set by the user or by SNTP. If the software clock is not set by the
user or by SNTP, the time range is not activated.
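The evaluation rules above, together with the week wrap-around described under periodic, can be checked offline with the following added example (not code from this guide or from the switch firmware). The `TimeRange` and `Periodic` classes, the exclusive end boundary and the sample dates are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]  # datetime.weekday() order
WEEK = 7 * 24 * 60  # minutes in a week


def minute_of_week(day: str, hhmm: str) -> int:
    """Convert ('thu', '22:00') to minutes elapsed since Monday 00:00."""
    hour, minute = (int(part) for part in hhmm.split(":"))
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError(f"bad time {hhmm!r}")
    return DAYS.index(day.lower()) * 1440 + hour * 60 + minute


@dataclass
class Periodic:
    """One 'periodic day-of-the-week hh:mm to day-of-the-week hh:mm' entry."""
    start_day: str
    start_time: str
    end_day: str
    end_time: str

    def contains(self, now: datetime) -> bool:
        start = minute_of_week(self.start_day, self.start_time)
        end = minute_of_week(self.end_day, self.end_time)
        # Modulo arithmetic lets the end fall in the following week
        # (Thursday to Monday). Assumption: the end minute is exclusive,
        # and an entry whose start equals its end matches nothing.
        span = (end - start) % WEEK
        current = now.weekday() * 1440 + now.hour * 60 + now.minute
        return (current - start) % WEEK < span


@dataclass
class TimeRange:
    name: str
    absolute_start: Optional[datetime] = None  # None: in effect immediately
    absolute_end: Optional[datetime] = None    # None: in effect indefinitely
    periodic: List[Periodic] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= len(self.name) <= 32:
            raise ValueError("time-range-name must be 1-32 characters")

    def is_active(self, now: datetime, clock_set: bool = True) -> bool:
        # A clock not set by the user or by SNTP never activates the range.
        if not clock_set:
            return False
        # Periodic entries are evaluated only inside the absolute window.
        if self.absolute_start is not None and now < self.absolute_start:
            return False
        if self.absolute_end is not None and now >= self.absolute_end:
            return False
        if not self.periodic:
            return True
        return any(entry.contains(now) for entry in self.periodic)


def sample_range() -> TimeRange:
    """Constructed sample: January 2024, Thursday 22:00 to Monday 06:00."""
    return TimeRange(
        "http-allowed",
        absolute_start=datetime(2024, 1, 1, 0, 0),
        absolute_end=datetime(2024, 2, 1, 0, 0),
        periodic=[Periodic("thu", "22:00", "mon", "06:00")],
    )


if __name__ == "__main__":
    tr = sample_range()
    for when in (datetime(2024, 1, 3, 12, 0), datetime(2024, 1, 6, 12, 0),
                 datetime(2024, 2, 3, 12, 0)):
        print(when.strftime("%a %Y-%m-%d %H:%M"), tr.is_active(when))
```

When a time range gates an ACL or port access, the `clock_set=False` case is the one to test first: a switch that boots with the image-creation time and no SNTP source never activates the range.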
Example
10 Denial of Service (DoS) Commands
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Example
To perform this command, DoS Prevention must be enabled in the per-interface mode.
Syntax
Parameters
• ip-address | any—Specifies the destination IP address. Use any to specify
all IP addresses.
Default Configuration
Command Mode
User Guidelines
This command discards ICMP packets with "ICMP type= Echo request" that
ingress the specified interface.
Example
To perform this command, DoS Prevention must be enabled in the per-interface mode.
Syntax
/prefix-length}} | remove {ip-address {mask | /prefix-length}}, and removes all
entries added by the user. The user can remove a specific entry by using remove
ip-address {mask | /prefix-length} parameter.
There is no no form of the security-suite deny martian-addresses reserved {add |
remove} command. Use instead the security-suite deny martian-addresses
reserved remove command to remove protection (and free up hardware
resources).
Parameters
Default Configuration
Command Mode
User Guidelines
Note that if the reserved addresses are included, individual reserved addresses
cannot be removed.
Example
The following example discards all packets with a source or destination address in
the block of the reserved IP addresses.
Syntax
Parameters
• tcp-port | any—Specifies the destination TCP port. The possible values are:
http, ftp-control, ftp-data, ssh, telnet, smtp, or port number. Use any to
specify all ports.
Default Configuration
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
Example
The following example attempts to block the creation of TCP connections from an
interface. It fails because security suite is enabled globally and not per interface.
To perform this command, DoS Prevention must be enabled in the per-interface mode.
Syntax
Parameters
Default Configuration
Command Mode
Example
The following example blocks TCP packets in which both SYN and FIN flags are
set.
10.6 security-suite dos protect
To protect the system from specific well-known Denial of Service (DoS) attacks,
use the security-suite dos protect Global Configuration mode command. There
are three types of attacks against which protection can be supplied (see
parameters below).
Syntax
Parameters
Default Configuration
No protection is configured.
Command Mode
User Guidelines
Example
The following example protects the system from the Invasor Trojan DOS attack.
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
This command rate limits ingress TCP packets with "SYN=1", "ACK=0" and "FIN=0"
for the specified destination IP addresses.
SYN attack rate limiting is implemented after the security suite rules are applied to
the packets. The ACL and QoS rules are not applied to those packets.
Since the hardware rate limiting counts bytes, it is assumed that the size of “SYN”
packets is short.
Example
The following example attempts to rate limit DoS SYN attacks on a port. It fails
because security suite is enabled globally and not per interface.
To perform this command, DoS Prevention must be enabled in the per-interface mode.
When this command is used, hardware resources are reserved. These hardware
resources are released when the no security-suite enable command is entered.
The security-suite feature can be enabled in one of the following ways:
To disable the security suite feature, use the no form of this command.
When security-suite is enabled, you can specify the types of protection required.
The following commands can be used:
Syntax
no security-suite enable
Parameters
Default Configuration
Command Mode
Global Configuration mode
User Guidelines
MAC ACLs must be removed before the security-suite is enabled. The rules can
be re-entered after the security-suite is enabled.
Examples
Example 1—The following example enables the security suite feature and
specifies that security suite commands are global commands only. When an
attempt is made to configure security-suite on a port, it fails.
switchxxxxxx(config)# security-suite enable global-rules-only
To perform this command, DoS Prevention must be enabled in the per-interface mode.
Example 2—The following example enables the security suite feature globally and
on interfaces. The security-suite command succeeds on the port.
switchxxxxxx(config)# security-suite enable
switchxxxxxx(config-if)#
To set the TCP SYN protection mode to default, use the no form of this command.
Syntax
Parameters
• disabled—Feature is disabled
• block—TCP SYN traffic from attacking ports destined to the local system is
blocked, and a rate-limited SYSLOG message (one per minute) is generated
Default Configuration
The default mode is block.
Command Mode
User Guidelines
On ports in which an ACL is defined (user-defined ACL etc.), this feature cannot block TCP SYN
packets. In case the protection mode is block but SYN Traffic cannot be blocked, a relevant
SYSLOG message will be created, e.g.: “port te1/0/1 is under TCP SYN attack. TCP SYN traffic
cannot be blocked on this port since the port is bound to an ACL.”
Examples
Example 1: The following example sets the TCP SYN protection feature to report
TCP SYN attack on ports in case an attack is identified from these ports.
Example 2: The following example sets the TCP SYN protection feature to block
TCP SYN attack on ports in case an attack is identified from these ports.
Syntax
Parameters
timeout—Defines the timeout (in seconds) by which an interface from which SYN packets are blocked
gets unblocked. Note that if a SYN attack is still active on this interface it might become blocked again.
(Range: 10-600)
Default Configuration
The default timeout is 60 seconds.
Command Mode
User Guidelines
If the timeout is modified, the new value will be used only on interfaces which are
not currently under attack.
Example
The following example sets the TCP SYN period to 100 seconds.
To set the threshold to its default value, use the no form of this command.
Syntax
Parameters
syn-packet-rate—defines the rate (number of packets per second) from each specific port that triggers
identification of TCP SYN attack. (Range: 20-200)
Default Configuration
The default threshold is 80 pps (packets per second).
Command Mode
Example
The following example sets the TCP SYN protection threshold to 40 pps.
Syntax
Command Mode
User EXEC mode
Example
Interface IP Address
--------------- --------------
te1/0/2 176.16.23.0\24
Fragmented packets filtering
Interface IP Address
-------------- --------------
te1/0/2 176.16.23.0\24
Syntax
Parameters
interface-id—(Optional) Specifies an interface-ID. The interface-ID can be one of the following types:
Ethernet port or Port-Channel.
Command Mode
User EXEC mode
User Guidelines
Example
The following example displays the TCP SYN protection feature configuration and current status on all
interfaces. In this example, port te1/0/2 is attacked but since there is a user-ACL on this port, it cannot
become blocked so its status is Reported and not Blocked and Reported.
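The following sketch is an added example, not taken from the guide or the switch firmware. It models how the documented mode, threshold, timeout and ACL restriction interact on each port. The one-second counting window, the comparison against the threshold and the Normal status are assumptions, and the class and method names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

# SYSLOG text quoted in the User Guidelines for the protection mode command.
ACL_MSG = ("port {p} is under TCP SYN attack. TCP SYN traffic cannot be "
           "blocked on this port since the port is bound to an ACL.")


@dataclass
class Port:
    name: str
    acl_bound: bool = False              # a user-defined ACL is bound to the port
    status: str = "Normal"               # assumed label for "no attack seen"
    blocked_until: Optional[float] = None
    syslog: list = field(default_factory=list)


class SynProtection:
    """Hypothetical model; ranges and defaults are the ones the guide gives."""

    def __init__(self, mode="block", threshold=80, timeout=60):
        self.set_mode(mode)
        self.set_threshold(threshold)
        self.set_timeout(timeout)

    def set_mode(self, mode):
        if mode not in ("disabled", "report", "block"):
            raise ValueError("mode must be disabled, report or block")
        self.mode = mode

    def set_threshold(self, pps):
        if not 20 <= pps <= 200:
            raise ValueError("threshold range is 20-200 pps")
        self.threshold = pps

    def set_timeout(self, seconds):
        # Only consulted when a new block starts, so a port that is already
        # blocked keeps the timeout that was in force when it was blocked.
        if not 10 <= seconds <= 600:
            raise ValueError("timeout range is 10-600 seconds")
        self.timeout = seconds

    def observe(self, port, now, syn_pps):
        """Feed one second of SYN traffic from `port` to the local system.

        Returns "forwarded", "blocked" (a block starts now) or "dropped".
        """
        if self.mode == "disabled":
            return "forwarded"
        if port.blocked_until is not None:
            if now < port.blocked_until:
                return "dropped"
            port.blocked_until = None     # timeout expired: unblock the port
            port.status = "Normal"
        if syn_pps < self.threshold:      # assumption: rate == threshold triggers
            return "forwarded"
        if self.mode == "block" and not port.acl_bound:
            port.blocked_until = now + self.timeout
            port.status = "Blocked and Reported"
            return "blocked"
        port.status = "Reported"
        if self.mode == "block":          # block requested, but an ACL prevents it
            port.syslog.append(ACL_MSG.format(p=port.name))
        return "forwarded"
```

A port that is still above the threshold when its timeout expires is blocked again on the next observation, which matches the note on the timeout parameter.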
11 DHCP Relay Commands
Syntax
Parameters
N/A
Default Configuration
Command Mode
Example
The following example enables the DHCP relay feature on the device.
Syntax
ip dhcp relay enable
Parameters
N/A
Default Configuration
Disabled
Command Mode
Interface Configuration mode
User Guidelines
The operational status of DHCP Relay on an interface is active if one of the
following conditions exists:
Or
Example
11.3 ip dhcp relay address (Global)
Use the ip dhcp relay address Global Configuration mode command to define the
DHCP servers available for the DHCP relay. Use the no form of this command to
remove the server from the list.
Syntax
ip dhcp relay address ip-address
Parameters
Default Configuration
No server is defined.
Command Mode
Global Configuration mode
User Guidelines
Use the ip dhcp relay address command to define a global DHCP Server IP
address. To define a few DHCP Servers, use the command a few times.
To remove a DHCP Server, use the no form of the command with the ip-address
argument.
The no form of the command without the ip-address argument deletes all global
defined DHCP servers.
Example
Syntax
Parameters
Default Configuration
No server is defined.
Command Mode
User Guidelines
Use the ip dhcp relay address command to define a DHCP Server IP address per
the interface. To define multiple DHCP Servers, use the command multiple times.
To remove a DHCP server, use the no form of the command with the ip-address
argument.
The no form of the command without the ip-address argument deletes all DHCP
servers.
Example
11.5 show ip dhcp relay
Use the show ip dhcp relay EXEC mode command to display the DHCP relay
information.
Syntax
Command Mode
Examples
Example 1. Option 82 is not supported:
Option 82 is Disabled
No servers configured
Option 82 is disabled
Active:
Active:
Inactive: 1, 2, 4, 5
Option 82 is enabled
Active: te1/0/1
Inactive: po1-2
Active: 1, 2, 4, 5
Inactive:
Example 3. Option 82 is supported (enabled) and there are DHCP Servers defined per
interface:
Option 82 is enabled
Active: te1/0/1
Inactive: po1-2
DHCP relay is enabled on VLANs: 1, 2, 4, 5
Active: 1, 2, 4, 5
Inactive:
Syntax
Parameters
N/A
Default Configuration
Command Mode
User Guidelines
DHCP option 82 is enabled only if DHCP snooping or DHCP relay is
enabled.
Example
Syntax
Parameters
N/A
Default Configuration
N/A
Command Mode
Example
12 DHCP Server Commands
Syntax
Parameters
• address—Specifies the client IP address.
• mask—Specifies the client network mask.
• prefix-length—Specifies the number of bits that comprise the address
prefix. The prefix is an alternative way of specifying the client network
mask. The prefix length must be preceded by a forward slash (/).
Default Configuration
Command Mode
User Guidelines
To classify the DHCP client, the DHCP server uses either the client identifier passed in
Option 61, if the client-identifier keyword is configured, or the client MAC address,
if the hardware-address keyword is configured.
Example
switchxxxxxx(config-dhcp)# exit
switchxxxxxx(config-dhcp)# exit
switchxxxxxx(config)#
Syntax
Parameters
• prefix-length—Specifies the number of bits that comprise the address
prefix. The prefix is an alternative way of specifying the client network
mask. The prefix length must be preceded by a forward slash (/).
Default Configuration
If the low address is not specified, it defaults to the first IP address in the network.
If the high address is not specified, it defaults to the last IP address in the network.
Command Mode
DHCP Pool Network Configuration mode
Example
The following example configures the subnet number and mask for a DHCP
address pool on a DHCP server.
12.3 auto-default-router
To enable auto default router, use the auto-default-router command in DHCP Pool
Network Configuration mode or in DHCP Pool Host Configuration mode. To disable
auto default router, use the no form of this command.
Syntax
auto-default-router
no auto-default-router
Parameters
N/A
Command Mode
Default Configuration
Enabled.
User Guidelines
If the feature is enabled, the DHCP server returns an IP address defined on the input
interface as a default router when a default router is not configured, in the following case:
• Default router is not configurable.
• DHCP client is directly connected.
• IP Routing is enabled.
• Default router was required by the client.
Example
switchxxxxxx(config-dhcp)# no auto-default-router
12.4 bootfile
To specify the default boot image file name for a DHCP client, use the bootfile
command in DHCP Pool Network Configuration mode or in DHCP Pool Host
Configuration mode. To delete the boot image file name, use the no form of this
command.
Syntax
bootfile filename
no bootfile
Parameters
• filename—Specifies the file name used as a boot image. (Length: 1–128
characters).
Command Mode
Example
The following example specifies boot_image_file as the default boot image file
name for a DHCP client.
Syntax
Parameters
Command Mode
User Guidelines
Typically, the address supplied denotes the client IP address. If the asterisk (*)
character is specified as the address parameter, DHCP clears all dynamic
bindings.
Use the no ip dhcp pool Global Configuration mode command to delete a manual
binding.
Example
The following example deletes the address binding 10.12.1.99 from a DHCP
server database:
12.6 client-name
To define the name of a DHCP client, use the client-name command in DHCP Pool
Host Configuration mode. To remove the client name, use the no form of this
command.
Syntax
client-name name
no client-name
Parameters
• name—Specifies the client name, using standard ASCII characters. The
client name should not include the domain name. For example, the name
Mars should not be specified as mars.yahoo.com. (Length: 1–32 characters).
Command Mode
Default Configuration
Example
The following example defines the string client1 as the client name.
12.7 default-router
To configure the default router list for a DHCP client, use the default-router
command in DHCP Pool Network Configuration mode or in DHCP Pool Host
Configuration mode. To remove the default router list, use the no form of this
command.
Syntax
no default-router
Parameters
Command Mode
Default Configuration
User Guidelines
The router IP address should be on the same subnet as the client subnet.
If the auto-default-router command is configured, the DHCP server returns an
IP address defined on the input interface as a default router when a default router is not configured, in
the following case:
• Default router is not configurable.
• DHCP client is directly connected.
• IP Routing is enabled.
• Default router was required by the client.
Example
12.8 dns-server
To configure the Domain Name System (DNS) IP server list available to a DHCP
client, use the dns-server command in DHCP Pool Network Configuration mode or
in DHCP Pool Host Configuration mode. To remove the DNS server list, use the no
form of this command.
Syntax
no dns-server
Parameters
Command Mode
Default Configuration
User Guidelines
If DNS IP servers are not configured for a DHCP client, the client cannot correlate
host names to IP addresses.
Example
The following example specifies 10.12.1.99 as the client domain name server IP
address.
12.9 domain-name
To specify the domain name for a DHCP client, use the domain-name command in
DHCP Pool Network Configuration mode or in DHCP Pool Host Configuration
mode. To remove the domain name, use the no form of this command.
Syntax
domain-name domain
no domain-name
Parameters
Command Mode
Default Configuration
Example
The following example specifies yahoo.com as the DHCP client domain name
string.
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
The DHCP server assumes that all pool addresses can be assigned to clients. Use
this command to exclude a single IP address or a range of IP addresses.
Example
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
During execution of this command, the configuration mode changes to the DHCP
Pool Configuration mode. In this mode, the administrator can configure host
parameters, such as the IP subnet number and default router list.
Example
switchxxxxxx(config-dhcp)#
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
During execution of this command, the configuration mode changes to DHCP Pool
Network Configuration mode. In this mode, the administrator can configure pool
parameters, such as the IP subnet number and default router list.
Example
switchxxxxxx(config-dhcp)#
Syntax
ip dhcp server
no ip dhcp server
Default Configuration
Command Mode
Example
12.14 lease
To configure the time duration of the lease for an IP address that is assigned from a
DHCP server to a DHCP client, use the lease command in DHCP Pool Network
Configuration mode. To restore the default value, use the no form of this command.
Syntax
no lease
Parameters
Default Configuration
Command Mode
Examples
switchxxxxxx(config-dhcp)# lease 1
switchxxxxxx(config-dhcp)# lease 0 1
switchxxxxxx(config-dhcp)# lease 0 0 1
12.15 netbios-name-server
To configure the NetBIOS Windows Internet Naming Service (WINS) server list that
is available to Microsoft DHCP clients, use the netbios-name-server command in DHCP Pool
Network Configuration mode or in DHCP Pool Host Configuration mode. To
remove the NetBIOS name server list, use the no form of this command.
Syntax
Parameters
• ip-address [ip-address2 ... ip-address8]—Specifies the IP addresses of
NetBIOS WINS name servers. Up to eight addresses can be specified in
one command line.
Command Mode
Default Configuration
Example
12.16 netbios-node-type
To configure the NetBIOS node type for Microsoft DHCP clients, use the
netbios-node-type command in DHCP Pool Network Configuration mode or in
DHCP Pool Host Configuration mode. To return to default, use the no form of this
command.
Syntax
no netbios-node-type
Parameters
Command Mode
Default Configuration
Example
12.17 next-server
To configure the next server (siaddr) in the boot process of a DHCP client, use the
next-server command in DHCP Pool Network Configuration mode or in DHCP Pool
Host Configuration mode. To remove the next server, use the no form of this
command.
Syntax
next-server ip-address
no next-server
Parameters
• ip-address—Specifies the IP address of the next server in the boot
process.
Default Configuration
If the next-server command is not used to configure a boot server list, the DHCP
server uses inbound interface helper addresses as boot servers.
Command Mode
User Guidelines
The client will connect, using the SCP/TFTP protocol, to this server in order to
download the configuration file.
Example
The following example specifies 10.12.1.99 as the IP address of the next server:
12.18 next-server-name
To configure the next server name (sname) in the boot process of a DHCP client,
use the next-server-name command in DHCP Pool Network Configuration mode or
in DHCP Pool Host Configuration mode. To remove the boot server name, use the
no form of this command.
Syntax
next-server-name name
no next-server-name
Parameters
• name—Specifies the name of the next server in the boot process. (Length:
1–64 characters).
Command Mode
Default Configuration
User Guidelines
The client will connect, using the SCP/TFTP protocol, to this server in order to
download the configuration file.
Example
12.19 option
To configure the DHCP server options, use the option command in DHCP Pool
Network Configuration mode or in DHCP Pool Host Configuration mode. To
remove the options, use the no form of this command.
Syntax
option code {boolean {false | true} | integer value | ascii string | hex {string | none} | ip
{address} | ip-list {ip-address1 [ip-address2 …]}} [description text]
no option code
Parameters
• code—Specifies the DHCP option code. The supported values are defined
in the User Guidelines.
• ip address—Specifies an IP address.
Command Mode
User Guidelines
The option command enables defining any option that cannot be defined by other
special CLI commands. A new definition of an option overrides the previous
definition of this option.
The boolean keyword may be configured for the following options: 19, 20, 27,
29-31, 34, 36, and 39.
The integer keyword may be configured for the following options: 2, 13, 22-26, 35,
37-38, 132-134, and 211. The switch checks the value range and builds the value
field of the size in accordance with the option definition.
The ascii keyword may be configured for the following options: 14, 17-18, 40, 64,
130, 209, and 210.
The ip keyword may be configured for the following options: 16, 28, 32, 128-129,
131, 135, and 136.
The ip-list keyword may be configured for the following options: 5, 7-11, 33, 41, 42,
45, 48, 49, 65, 68-76, and 150.
The hex keyword may be configured for any option in the range 1-254 except for
the following: 1, 3-4, 6, 12, 15, 44, 46, 50-51, 53-54, 56, 66-67, 82, and 255. The
switch does not validate the syntax of an option defined by this format.
Examples
Example 1. The following example configures DHCP option 19, which specifies
whether the client should configure its IP layer for packet forwarding:
Example 2. The following example configures DHCP option 2, which specifies the
offset of the client in seconds from Coordinated Universal Time (UTC):
Example 3. The following example configures DHCP option 72, which specifies the
World Wide Web servers for DHCP clients. World Wide Web servers 172.16.3.252
and 172.16.3.253 are configured in the following example:
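The User Guidelines above restrict which option codes each keyword accepts and note that the switch does not validate hex values. The checker below is an added example, not part of the guide or the device software. It applies those tables to option lines before they are pasted into a pool; the function names and the sample lines are constructed for illustration.

```python
import ipaddress
import re
import shlex


def expand(spec):
    """Turn '29-31, 34' into {29, 30, 31, 34}."""
    codes = set()
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        codes.update(range(int(low), int(high or low) + 1))
    return codes


# Keyword -> option codes, copied from the User Guidelines of the option command.
ALLOWED = {
    "boolean": expand("19, 20, 27, 29-31, 34, 36, 39"),
    "integer": expand("2, 13, 22-26, 35, 37-38, 132-134, 211"),
    "ascii": expand("14, 17-18, 40, 64, 130, 209, 210"),
    "ip": expand("16, 28, 32, 128-129, 131, 135, 136"),
    "ip-list": expand("5, 7-11, 33, 41, 42, 45, 48, 49, 65, 68-76, 150"),
}
HEX_EXCLUDED = expand("1, 3-4, 6, 12, 15, 44, 46, 50-51, 53-54, 56, 66-67, 82, 255")
ALLOWED["hex"] = set(range(1, 255)) - HEX_EXCLUDED


def check_option(line):
    """Return a list of problems found in one 'option ...' command line."""
    tokens = shlex.split(line)
    if len(tokens) < 3 or tokens[0] != "option" or not tokens[1].isdigit():
        return ["expected: option <code> <keyword> <value>"]
    code, keyword, args = int(tokens[1]), tokens[2], tokens[3:]
    if "description" in args:            # optional trailing [description text]
        args = args[:args.index("description")]
    if keyword not in ALLOWED:
        return [f"unknown keyword {keyword!r}"]
    problems = []
    if code not in ALLOWED[keyword]:
        problems.append(f"option {code} cannot be set with the {keyword} keyword")
    if keyword == "boolean":
        ok = args in (["true"], ["false"])
    elif keyword == "integer":           # the switch range-checks the value itself
        ok = len(args) == 1 and re.fullmatch(r"-?\d+", args[0]) is not None
    elif keyword == "ascii":
        ok = len(args) == 1 and args[0].isascii()
    elif keyword == "hex":               # not validated by the switch: check whole bytes
        ok = args == ["none"] or (
            len(args) == 1
            and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", args[0]) is not None)
    else:                                # ip takes one address, ip-list one or more
        ok = bool(args) and (keyword == "ip-list" or len(args) == 1)
        for addr in args:
            try:
                ipaddress.IPv4Address(addr)
            except ValueError:
                ok = False
    if not ok:
        problems.append(f"bad value for {keyword}: {' '.join(args) or '(none)'}")
    return problems


def lint(config_text):
    """Map 1-based line numbers to problems for every option line in the text."""
    report = {}
    for number, line in enumerate(config_text.splitlines(), 1):
        line = line.strip()
        if line.startswith("option "):
            problems = check_option(line)
            if problems:
                report[number] = problems
    return report


# Constructed sample: the first three lines follow Examples 1-3 above.
SAMPLE = """\
option 19 boolean true
option 2 integer 3600
option 72 ip-list 172.16.3.252 172.16.3.253
option 72 ip 172.16.3.252
option 82 hex 0102
option 47 hex 02af00aa0
"""
```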
Syntax
show ip dhcp
Command Mode
Example
Syntax
Parameters
Command Mode
Example
The following example displays the output of various forms of this command:
The following table describes the significant fields shown in the display.
Field              Description
-----------------  --------------------------------------------------
IP address         The host IP address as recorded on the DHCP Server.
Hardware address   The MAC address or client identifier of the host as
                   recorded on the DHCP Server.
Lease expiration   The lease expiration date of the host IP address.
Type               The manner in which the IP address was assigned
                   to the host.
Syntax
Parameters
Command Mode
Examples
The following examples display the DHCP server binding address parameters.
The number of declined entries is 2
12:00 AM
The following table describes the significant fields shown in the display.
Field              Description
-----------------  --------------------------------------------------
IP address         The host IP address as recorded on the DHCP Server.
Client Identifier  The MAC address or client identifier of the host as
                   recorded on the DHCP Server.
Lease expiration   The lease expiration date of the host IP address.
Type               The manner in which the IP address was assigned
                   to the host.
State              The IP Address state.
Syntax
Parameters
Command Mode
Example
The following example displays the output of various forms of this command:
172.16.1.11 00a0.9802.32de
172.16.3.254 02c7.f800.0422
172.16.1.11 00a0.9802.32de
Syntax
Command Mode
Example
Excluded addresses:
Syntax
Parameters
Command Mode
Example
172.16.1.11 00a0.9802.32de
172.16.3.254 02c7.f800.0422
172.16.1.13 00a0.9802.32de
Syntax
Parameters
• address—(Optional) Specifies the client IP address.
• name—(Optional) Specifies the DHCP pool name. (Length: 1-32 characters)
Command Mode
Examples
Example 1. The following example displays the configuration of all DHCP host
pools:
Example 2. The following example displays the DHCP pool host configuration of
the pool named station:
Mask: 255.255.0.0
Next-server-name: 10.12.1.100
Bootfile: Bootfile
Options:
2 integer 4 3600
14 ascii 16 qq/aaaa/bbb.txt
Option"
21 ip 4 134.14.14.1
47 hex 5 02af00aa00
Syntax
Parameters
Command Mode
Examples
----------------------------------------------------
finance 10.1.2.8-10.1.2.178 255.255.255.0 0d:12h:0m
--------------------------------- ------------------------
Statistics:
162 150 68 50 20 3 9
Next-server-name: 10.12.1.100
Bootfile: Bootfile
Options:
2 integer 4 3600
14 ascii 16 qq/aaaa/bbb.txt
Option"
21 ip 4 134.14.14.1
47 hex 5 02af00aa00
Syntax
Parameters
Command Mode
Examples
172.16.1.11 00a0.9802.32de
172.16.3.254 02c7.f800.0422
172.16.1.15 00a0.9802.32de
12.29 show ip dhcp server statistics
To display DHCP server statistics, use the show ip dhcp server statistics
command in User EXEC mode.
Syntax
Command Mode
Example
12.30 time-server
To specify the time servers list for a DHCP client, use the time-server command in
DHCP Pool Network Configuration mode or in DHCP Pool Host Configuration
mode. To remove the time servers list, use the no form of this command.
Syntax
Parameters
• ip-address [ip-address2 ... ip-address8]—Specifies the IP addresses of
Time servers. Up to eight addresses can be specified in one command line.
Command Mode
DHCP Pool Network Configuration mode
Default Configuration
User Guidelines
The time server’s IP address should be on the same subnet as the client subnet.
Example
13 DHCP Snooping Commands
Syntax
ip dhcp snooping
no ip dhcp snooping
Parameters
N/A
Default Configuration
Command Mode
User Guidelines
For any DHCP Snooping configuration to take effect, DHCP Snooping must be
enabled globally. DHCP Snooping on a VLAN is not active until DHCP Snooping on
a VLAN is enabled by using the ip dhcp snooping vlan Global Configuration mode
command.
Example
Syntax
ip dhcp snooping vlan vlan-id
Parameters
Default Configuration
Command Mode
User Guidelines
Example
Syntax
Parameters
N/A
Default Configuration
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
Configure as trusted the ports that are connected to a DHCP server or to other
switches or routers. Configure the ports that are connected to DHCP clients as
untrusted.
Example
Syntax
Parameters
N/A
Default Configuration
DHCP packets with option-82 information from an untrusted port are discarded.
Command Mode
Example
The following example allows a device to accept DHCP packets with option-82
information from an untrusted port.
Syntax
Default Configuration
The switch verifies that the source MAC address in a DHCP packet received on an
untrusted port matches the client hardware address in the packet.
Command Mode
Example
The following example configures a device to verify that the source MAC address
in a DHCP packet received on an untrusted port matches the client hardware
address.
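The two default checks described above for untrusted ports (discard packets carrying option 82, and require the Ethernet source MAC to match the client hardware address) can be reproduced offline against a raw frame. This is an added example, not the switch's implementation. The function and parameter names are hypothetical, and the frames are constructed in the code with zeroed checksums.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie that precedes the options


def build_frame(src_mac, chaddr, options=b""):
    """Constructed client DHCPDISCOVER: Ethernet + IPv4 + UDP + BOOTP."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234, 0,
                        0x8000, bytes(4), bytes(4), bytes(4), bytes(4),
                        chaddr, b"", b"")
    payload = bootp + MAGIC + b"\x35\x01\x01" + options + b"\xff"
    udp = struct.pack("!HHHH", 68, 67, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip


def parse_dhcp(frame):
    """Return src_mac, chaddr and options, or None if not well-formed DHCP."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 17:
        return None
    udp = ip[(ip[0] & 0x0F) * 4:]
    if len(udp) < 8:
        return None
    sport, dport = struct.unpack("!HH", udp[:4])
    if {sport, dport} - {67, 68}:
        return None
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[236:240] != MAGIC:
        return None
    chaddr = bootp[28:28 + min(bootp[2], 16)]     # hlen bytes of the chaddr field
    options, i = {}, 240
    while i < len(bootp):
        code = bootp[i]
        if code == 255:                           # end option
            break
        if code == 0:                             # pad option
            i += 1
            continue
        if i + 1 >= len(bootp) or i + 2 + bootp[i + 1] > len(bootp):
            return None                           # option runs past the packet
        options[code] = bootp[i + 2:i + 2 + bootp[i + 1]]
        i += 2 + bootp[i + 1]
    return {"src_mac": frame[6:12], "chaddr": chaddr, "options": options}


def snooping_verdict(frame, trusted, verify_mac=True, allow_opt82_untrusted=False):
    """Apply the two untrusted-port checks with the defaults this chapter gives."""
    pkt = parse_dhcp(frame)
    if pkt is None:
        return "not-dhcp"
    if trusted:                                   # checks apply to untrusted ports
        return "forward"
    if 82 in pkt["options"] and not allow_opt82_untrusted:
        return "drop: option 82 on untrusted port"
    if verify_mac and pkt["src_mac"] != pkt["chaddr"]:
        return "drop: source MAC differs from client hardware address"
    return "forward"
```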
Syntax
Parameters
N/A
Default Configuration
Command Mode
User Guidelines
To ensure that the lease time in the database is accurate, the Simple Network Time
Protocol (SNTP) must be enabled and configured.
The device writes binding changes to the binding database file only if the device
system clock is synchronized with SNTP.
Example
The following example enables the DHCP Snooping binding database file.
Syntax
Parameters
• expiry
Default Configuration
Command Mode
User Guidelines
Use the ip dhcp snooping binding command to manually add a dynamic entry to
the DHCP database.
After entering this command, an entry is added to the DHCP Snooping database. If
the DHCP Snooping binding file exists, the entry is also added to that file.
The entry is not added to the configuration files. The entry is
displayed in the show commands as a “DHCP Snooping” entry.
An entry added by this command can override an existing dynamic entry.
An entry added by this command cannot override an existing static entry added
by the ip source-guard binding command.
Dynamic temporary entries for which the IP address is 0.0.0.0 cannot be deleted.
Example
The following example adds a binding entry to the DHCP Snooping binding
database.
Syntax
Parameters
N/A
Command Mode
Example
Syntax
show ip dhcp snooping [interface-id]
Parameters
Command Mode
Example
The following example displays the DHCP snooping configuration.
DHCP snooping file update frequency is configured to: 6666 seconds
Interface Trusted
--------- -------
te1/0/1 Yes
te1/0/2 Yes
Syntax
Parameters
Command Mode
Example
The following example displays the DHCP snooping binding database and
configuration information for all interfaces on a device.
13.11 ip source-guard
Use the ip source-guard command in Configuration mode to enable IP Source
Guard globally on a device, or in Interface Configuration (Ethernet,
Port-channel) mode to enable IP Source Guard on an interface.
Use the no form of this command to disable IP Source Guard on the device or on
an interface.
Syntax
ip source-guard
no ip source-guard
Parameters
N/A
Default Configuration
Command Mode
User Guidelines
Example
switchxxxxxx(config-if)# ip source-guard
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Use the ip source-guard binding command to add a static entry to the DHCP
database.
Use the no ip source-guard binding command to delete an entry from the DHCP
database.
Example
The following example configures the static IP source bindings.
Syntax
Parameters
• seconds—Specifies the retries frequency in seconds. (Range: 10–600)
• never—Disables automatic searching for TCAM resources.
Default Configuration
Command Mode
User Guidelines
Since the IP Source Guard uses the Ternary Content Addressable Memory
(TCAM) resources, there may be situations when IP Source Guard addresses are
inactive because of a lack of TCAM resources.
By default, once every minute the software conducts a search for available space
in the TCAM for the inactive IP Source Guard addresses. Use this command to
change the search frequency or to disable automatic retries for TCAM space.
The show ip source-guard inactive EXEC mode command displays the inactive IP
Source Guard addresses.
Example
The following example sets the frequency of retries for TCAM resources to 2
minutes.
Syntax
Parameters
N/A
Command Mode
User Guidelines
Since the IP Source Guard uses the Ternary Content Addressable Memory
(TCAM) resources, there may be situations when IP Source Guard addresses are
inactive because of a lack of TCAM resources.
By default, once every 60 seconds the software conducts a search for available
space in the TCAM for the inactive IP Source Guard addresses.
Execute the ip source-guard tcam retries-freq command with the never keyword
to disable automatic retries for TCAM space, and then execute this command to
manually retry locating TCAM resources for the inactive IP Source Guard
addresses.
The show ip source-guard inactive EXEC mode command displays the inactive IP
source guard addresses.
Example
Syntax
Parameters
• interface-id—Specifies an interface ID. The interface ID can be one of the
following types: Ethernet port or Port-channel.
Command Mode
Example
--------- -------
te1/0/1 Enabled
te1/0/2 Enabled
te1/0/3 Enabled
te1/0/4 Enabled
Syntax
Parameters
Command Mode
Example
Syntax
Parameters
N/A
Command Mode
User EXEC mode
User Guidelines
Since the IP Source Guard uses the Ternary Content Addressable Memory
(TCAM) resources, there may be situations when IP Source Guard addresses are
inactive because of a lack of TCAM resources.
By default, once every minute the software conducts a search for available space
in the TCAM for the inactive IP Source Guard addresses.
Use the ip source-guard tcam locate command to manually retry locating TCAM
resources for the inactive IP Source Guard addresses.
This command displays the inactive IP source guard addresses.
Example
Syntax
Parameters
Command Mode
Example
switchxxxxxx# show ip source-guard statistics
2 2 3
Syntax
ip arp inspection
no ip arp inspection
Parameters
N/A
Default Configuration
ARP inspection is disabled.
Command Mode
Global Configuration mode
User Guidelines
Note that if a port is configured as an untrusted port, then it should also be
configured as an untrusted port for DHCP Snooping, or the
IP-address-MAC-address binding for this port should be configured statically.
Otherwise, hosts that are attached to this port cannot respond to ARPs.
Example
Syntax
Parameters
• vlan-id—Specifies the VLAN ID.
Default Configuration
Command Mode
User Guidelines
This command enables ARP inspection on a VLAN based on the DHCP snooping
database. Use the ip arp inspection list assign command to enable static ARP
inspection.
Example
The following example enables DHCP Snooping based ARP inspection on VLAN
23.
Syntax
Parameters
N/A
Default Configuration
Command Mode
User Guidelines
The device does not check ARP packets that are received on the trusted interface;
it only forwards the packets.
For untrusted interfaces, the device intercepts all ARP requests and responses. It
verifies that the intercepted packets have valid IP-to-MAC address bindings
before updating the local cache and before forwarding the packet to the
appropriate destination. The device drops invalid packets and logs them in the log
buffer according to the logging configuration specified with the ip arp inspection
logging interval command.
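The trusted and untrusted handling described above, together with the earlier guideline that an untrusted port needs a DHCP Snooping or static binding, can be modelled in a few lines of Python. This is an added example, not code from the guide or the device firmware: the lookup order (static list first, then the DHCP Snooping database), the rate-limited logging, the treatment of `infinite` as no SYSLOG output, every class and field name, and the traffic itself are assumptions or constructed values.

```python
"""ARP inspection decision model (added example; all names are hypothetical)."""
from dataclasses import dataclass, field
from typing import Optional


def norm_mac(mac: str) -> str:
    """Normalise 0060.704C.7322 or 00:60:70:4c:73:22 to 12 lowercase hex digits."""
    digits = "".join(c for c in mac if c not in ".:-").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class Arp:
    ts: float        # arrival time in seconds (constructed)
    port: str        # ingress interface
    vlan: int
    sender_ip: str   # sender protocol address from the ARP payload
    sender_mac: str  # sender hardware address from the ARP payload


@dataclass
class ArpInspector:
    trusted_ports: set
    static_lists: dict = field(default_factory=dict)   # vlan -> {ip: mac}
    snooping_vlans: set = field(default_factory=set)   # VLANs checked against DHCP snooping
    snooping_db: dict = field(default_factory=dict)    # (vlan, ip) -> (mac, port)
    log_interval: Optional[float] = 5.0                # seconds; None models "infinite"
    forwarded: int = 0
    dropped: int = 0
    syslog: list = field(default_factory=list)
    _last_log: Optional[float] = None

    def _binding_valid(self, p: Arp) -> bool:
        mac = norm_mac(p.sender_mac)
        static = self.static_lists.get(p.vlan, {})
        if p.sender_ip in static:                      # assumption: static entry decides
            return norm_mac(static[p.sender_ip]) == mac
        if p.vlan in self.snooping_vlans:
            entry = self.snooping_db.get((p.vlan, p.sender_ip))
            return (entry is not None and norm_mac(entry[0]) == mac
                    and entry[1] == p.port)
        return False

    def _record_drop(self, p: Arp) -> None:
        self.dropped += 1                              # assumption: every drop is counted
        if self.log_interval is None:
            return
        if self._last_log is None or p.ts - self._last_log >= self.log_interval:
            self._last_log = p.ts
            self.syslog.append(f"t={p.ts:g}s drop ARP {p.sender_ip}/{p.sender_mac} "
                               f"on {p.port} vlan {p.vlan}")

    def inspect(self, p: Arp) -> str:
        if p.port in self.trusted_ports:
            self.forwarded += 1
            return "forward-unchecked"                 # trusted: forwarded, never verified
        if p.vlan not in self.static_lists and p.vlan not in self.snooping_vlans:
            return "not-inspected"
        if self._binding_valid(p):
            self.forwarded += 1
            return "forward"
        self._record_drop(p)
        return "drop"


def run_demo():
    """Constructed traffic; ports, VLANs 23/37 and 172.16.1.1 reuse the guide's samples."""
    insp = ArpInspector(
        trusted_ports={"te1/0/1", "te1/0/2"},
        static_lists={37: {"172.16.1.1": "0060.704C.7322"}},
        snooping_vlans={23},
        snooping_db={(23, "10.0.23.50"): ("00:11:22:33:44:55", "te1/0/3")},
    )
    traffic = [
        Arp(0.0, "te1/0/1", 23, "10.0.23.1", "02:00:00:00:00:01"),   # trusted uplink
        Arp(1.0, "te1/0/3", 23, "10.0.23.50", "00:11:22:33:44:55"),  # matches snooping entry
        Arp(2.0, "te1/0/4", 23, "10.0.23.50", "02:00:00:00:00:04"),  # wrong MAC and port
        Arp(3.0, "te1/0/4", 23, "10.0.23.50", "02:00:00:00:00:04"),  # repeat inside interval
        Arp(4.0, "te1/0/5", 23, "10.0.23.77", "02:00:00:00:00:77"),  # honest host, no binding
        Arp(8.0, "te1/0/6", 37, "172.16.1.1", "0060.704C.7322"),     # matches static list
        Arp(9.0, "te1/0/6", 37, "172.16.1.1", "00:60:70:4c:73:99"),  # static MAC mismatch
    ]
    verdicts = [insp.inspect(p) for p in traffic]
    return verdicts, insp


if __name__ == "__main__":
    verdicts, insp = run_demo()
    for verdict in verdicts:
        print(verdict)
    print(f"forwarded={insp.forwarded} dropped={insp.dropped}")
    print("\n".join(insp.syslog))
```

The fifth packet is the case the guideline warns about: a host on an untrusted port with neither a snooping entry nor a static binding has its ARP traffic dropped even though nothing is being spoofed.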
Example
Syntax
Parameters
N/A
Default Configuration
Command Mode
User Guidelines
Example
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Use the ip arp inspection list assign command to assign the list to a VLAN.
Example
The following example creates the static ARP binding list ‘servers’ and enters the
ARP list configuration mode.
13.24 ip mac
Use the ip mac ARP-list Configuration mode command to create a static ARP
binding. Use the no form of this command to delete a static ARP binding.
Syntax
Parameters
Default Configuration
Command Mode
Example
Syntax
Parameters
• vlan-id—Specifies the VLAN ID.
• name—Specifies the static ARP binding list name.
Default Configuration
Command Mode
Example
The following example assigns the static ARP binding list Servers to VLAN 37.
Syntax
ip arp inspection logging interval {seconds | infinite}
Parameters
Default Configuration
The default minimum ARP SYSLOG message logging time interval is 5 seconds.
Command Mode
Example
The following example sets the minimum ARP SYSLOG message logging time
interval to 60 seconds.
Syntax
Parameters
Command Mode
Example
Interface Trusted
----------- -----------
te1/0/1 Yes
te1/0/2 Yes
Syntax
Parameters
N/A
Command Mode
Example
----------- --------------
172.16.1.1 0060.704C.7322
172.16.1.2 0060.704C.7322
Syntax
Parameters
Command Mode
User Guidelines
To clear ARP Inspection counters, use the clear ip arp inspection statistics
command. Counter values are kept when the ARP Inspection feature is disabled.
Example
---- -----------------------------------------------
2 1500100 80
Syntax
Parameters
Command Mode
Example
14 DHCPv6 Commands
Syntax
Parameters
• interface-id—Interface identifier.
Default Configuration
N/A
Command Mode
User Guidelines
This command restarts DHCP for an IPv6 client on a specified interface after first
releasing and unconfiguring previously-acquired prefixes and other configuration
options (for example, Domain Name System [DNS] servers).
Example
The following example restarts the DHCP for IPv6 client on VLAN 100:
14.2 ipv6 dhcp client information refresh
To configure the IPv6 client information refresh time on a specified interface,
used when the DHCPv6 server reply does not include the Information Refresh
Time, use the ipv6 dhcp client information refresh command in Interface
Configuration mode. To return to the default value of the refresh time, use the no
form of this command.
Syntax
Parameters
• seconds—The refresh time, in seconds. The value cannot be less than the
minimal acceptable refresh time configured by the ipv6 dhcp client
information refresh command. The maximum value that can be used is
4,294,967,294 seconds (0xFFFFFFFE).
Default Configuration
Command Mode
User Guidelines
The ipv6 dhcp client information refresh command specifies the information
refresh time. If the server does not send an information refresh time option, the
value configured by the command is used.
Use the infinite keyword to prevent refresh if the server does not send an
information refresh time option.
Example
switchxxxxxx(config-if)# exit
Syntax
Parameters
• seconds—The refresh time, in seconds. The minimum value that can be
used is 600 seconds. The maximum value that can be used is 4,294,967,294
seconds (0xFFFFFFFE).
Default Configuration
Command Mode
User Guidelines
The ipv6 dhcp client information refresh minimum command specifies the
minimum acceptable information refresh time. If the server sends an information
refresh time option of less than the configured minimum refresh time, the
configured minimum refresh time will be used instead.
• For planned changes, including renumbering. An administrator can gradually
decrease the time as the planned event nears.
• Limit the amount of time before new services or servers are available to the
client, such as the addition of a new Simple Network Time Protocol (SNTP)
server or a change of address of a Domain Name System (DNS) server.
If you configure the infinite keyword, the client never refreshes the information.
Example
The following example configures an upper limit of 2 days:
switchxxxxxx(config-if)# exit
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Enabling this command starts the DHCPv6 client process if this process is not yet
running and the IPv6 interface is enabled on the interface.
This command enables the DHCPv6 Stateless service on the interface. The
service allows the device to receive the configuration from a DHCP server, passed
in the following options:
Example
switchxxxxxx(config-if)# exit
14.5 ipv6 dhcp duid-en
To set the Vendor Based on Enterprise Number DHCPv6 Unique Identifier
(DUID-EN) format, use the ipv6 dhcp duid-en command in Global Configuration
mode.
Syntax
Parameters
Default Configuration
DUID Based on Link-layer Address (DUID-LL) is used. The base MAC Address is
used as a Link-layer Address.
Command Mode
User Guidelines
By default, the DHCPv6 uses the DUID Based on Link-layer Address (see
RFC3315) with the Base MAC Address as a Link-layer Address.
Use this command to change the DUID format to the Vendor Based on Enterprise
Number.
Examples
Example 2. The following sets the DUID-EN format using colons as the delimiter:
Syntax
ipv6 dhcp relay destination {ipv6-address [interface-id]} | interface-id
Parameters
Default Configuration
Command Mode
User Guidelines
Unspecified, loopback, and Multicast addresses are not acceptable as the relay
destination.
Use the no form of the command with the ipv6-address and interface-id
arguments to remove only the given globally-defined address with the given
output interface.
Use the no form of the command with the ipv6-address argument to remove only
the given globally-defined address for all output interfaces.
The no form of the command without the arguments removes all the
globally-defined addresses.
Examples
Example 1. The following example sets the relay unicast link-local destination
address per VLAN 200:
Example 2. The following example configures client messages to be forwarded to
VLAN 200:
Example 3. The following example sets the unicast global relay destination
address:
Syntax
Parameters
• ipv6-address [interface-id]—Relay destination IPv6 address in the form
documented in RFC 4291 where the address is specified in hexadecimal
using 16-bit values between colons. There are the following types of relay
destination address:
Default Configuration
Command Mode
User Guidelines
When the relay service is running on an interface, a DHCP for IPv6 message received
on that interface is forwarded to all relay destinations configured per interface
and globally.
The incoming DHCP for IPv6 message may have come from a client on that
interface, or it may have been relayed by another relay agent.
The relay destination can be a Unicast address of a server or another relay agent,
or it may be a Multicast address. There are two types of relay destination
addresses:
• A link-local Unicast or Multicast IPv6 address, for which a user must specify an
output interface.
Note that it is not necessary to enable the relay function on an interface for it to
accept and forward an incoming relay reply message from servers. By default, the
relay function is disabled, and there is no relay destination on an interface.
Use the no form of the command with arguments to remove a specific address.
Use the no form of the command without arguments to remove all the defined
addresses and to disable the relay on the interface.
Examples
Example 1. The following example sets the relay Unicast link-local destination
address per VLAN 200 and enables the DHCPv6 Relay on VLAN 100 if it was not
enabled:
switchxxxxxx(config-if)# exit
Example 2. The following example sets the relay well known Multicast link-local
destination address per VLAN 200 and enables the DHCPv6 Relay on VLAN 100 if
it was not enabled:
switchxxxxxx(config-if)# exit
Example 3. The following example sets the Unicast global relay destination
address and enables the DHCPv6 Relay on VLAN 100 if it was not enabled:
switchxxxxxx(config-if)# exit
switchxxxxxx(config-if)# exit
switchxxxxxx(config-if)# exit
Syntax
Parameters
N/A
Command Mode
User Guidelines
This command uses the DUID, which is based on the link-layer address for both
client and server identifiers. The device uses the MAC address from the
lowest-numbered interface to form the DUID.
Examples
Example 1. The following is sample output from this command when the switch’s
DUID format is vendor based on enterprise number:
Format: 2
Enterprise Number: 9
Identifier: 0CC084D303000912
Example 2. The following is sample output from this command when the switch’s
DUID format is the vendor-based on link-layer address:
Format: 3
Hardware type: 1
Example 3. The following is sample output from this command when the switch’s
DUID format is vendor based on link-layer address and DHCPv6 Relay is
supported:
Format: 3
Hardware type: 1
Relay Destinations:
2001:001:250:A2FF:FEBF:A056
2001:1001:250:A2FF:FEBF:A056
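To correlate a DUID seen in DHCPv6 server or relay logs with the Format, Enterprise Number, Identifier and Hardware type fields shown in the sample output above, the following added example (not part of the guide) decodes the DUID layouts defined in RFC 8415 and RFC 6355. It goes beyond the two formats in the sample output by also handling DUID-LLT and DUID-UUID; the function names and the DUID-LL sample address are constructed, and the DUID-EN sample is assembled from the values printed in Example 1.

```python
"""Decode DHCPv6 DUIDs (added example; helper names are hypothetical)."""
import struct

DUID_LLT, DUID_EN, DUID_LL, DUID_UUID = 1, 2, 3, 4
MAX_BODY = 128       # octets allowed after the 2-octet type code (RFC 8415)
HW_ETHERNET = 1      # IANA hardware type for Ethernet

# Assembled from the guide's Example 1: Format 2, Enterprise Number 9,
# Identifier 0CC084D303000912.
PAGE_DUID_EN = "00:02:00:00:00:09:0C:C0:84:D3:03:00:09:12"
# Constructed sample: Format 3, Hardware type 1, locally administered MAC.
CONSTRUCTED_DUID_LL = "00:03:00:01:02:00:5e:10:00:01"


def _to_bytes(raw):
    """Accept bytes or a hex string with optional ':' or '-' delimiters."""
    if isinstance(raw, (bytes, bytearray)):
        return bytes(raw)
    return bytes.fromhex(raw.replace(":", "").replace("-", ""))


def _lladdr(hw_type, addr):
    """Render a link-layer address, enforcing 6 octets for Ethernet."""
    if hw_type == HW_ETHERNET and len(addr) != 6:
        raise ValueError("Ethernet link-layer address must be 6 octets")
    return ":".join(f"{b:02x}" for b in addr)


def parse_duid(raw):
    """Return a dict describing the DUID; raise ValueError if malformed."""
    data = _to_bytes(raw)
    if len(data) < 3:
        raise ValueError("DUID shorter than type code plus one octet")
    (fmt,) = struct.unpack_from("!H", data)
    body = data[2:]
    if len(body) > MAX_BODY:
        raise ValueError("DUID longer than 128 octets")

    if fmt == DUID_EN:                      # enterprise number + opaque identifier
        if len(body) < 5:
            raise ValueError("DUID-EN needs enterprise number and identifier")
        (pen,) = struct.unpack_from("!I", body)
        return {"format": fmt, "kind": "DUID-EN", "enterprise_number": pen,
                "identifier": body[4:].hex().upper()}

    if fmt == DUID_LL:                      # hardware type + link-layer address
        if len(body) < 3:
            raise ValueError("DUID-LL needs hardware type and address")
        (hw,) = struct.unpack_from("!H", body)
        return {"format": fmt, "kind": "DUID-LL", "hardware_type": hw,
                "link_layer": _lladdr(hw, body[2:])}

    if fmt == DUID_LLT:                     # hardware type + time + address
        if len(body) < 7:
            raise ValueError("DUID-LLT needs hardware type, time and address")
        hw, secs = struct.unpack_from("!HI", body)
        return {"format": fmt, "kind": "DUID-LLT", "hardware_type": hw,
                "time": secs,               # seconds since 2000-01-01 UTC, mod 2**32
                "link_layer": _lladdr(hw, body[6:])}

    if fmt == DUID_UUID:                    # RFC 6355: exactly 16 octets
        if len(body) != 16:
            raise ValueError("DUID-UUID must carry a 16-octet UUID")
        return {"format": fmt, "kind": "DUID-UUID", "uuid": body.hex()}

    raise ValueError(f"unknown DUID type {fmt}")


if __name__ == "__main__":
    for sample in (PAGE_DUID_EN, CONSTRUCTED_DUID_LL):
        print(parse_duid(sample))
```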
14.9 show ipv6 dhcp interface
To display DHCP for IPv6 interface information, use the show ipv6 dhcp interface
command in User EXEC mode.
Syntax
Parameters
• interface-id—Interface identifier.
Command Mode
User Guidelines
If no interfaces are specified in the command, all interfaces on which DHCP for
IPv6 (client or server) is enabled are displayed. If an interface is specified in the
command, only information about the specified interface is displayed.
Example
The following is sample output from this command when only the Stateless
service is enabled:
DHCP server:
Preference: 20
Relay destinations:
2001:001:250:A2FF:FEBF:A056
15 DNS Client Commands
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
To remove the dynamic entry that provides mapping information for a single
hostname, use the hostname argument. To remove all the dynamic entries, use the
* keyword.
To define static hostname-to-address mappings in the DNS hostname cache,
use the ip host command.
Example
The following example deletes all dynamic entries from the DNS client
name-to-address cache.
Syntax
ip domain lookup
no ip domain lookup
Parameters
N/A
Default Configuration
Enabled.
Command Mode
Example
15.3 ip domain name
Use the ip domain name command in Global Configuration mode to define a
default domain name that the switch uses to complete unqualified hostnames
(names without a dotted-decimal domain name).
To delete the static defined default domain name, use the no form of this
command.
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Any IP hostname that does not contain a domain name (that is, any name without a
dot) will have the dot and the default domain name appended to it before being
added to the host table.
Domain names and host names are restricted to the ASCII letters A through Z
(case-insensitive), the digits 0 through 9, the underscore and the hyphen. A period
(.) is used to separate labels.
The maximum size of each domain level is 63 characters. The maximum name size
is 158 bytes.
Example
The following example defines the default domain name as ‘www.website.com’.
Syntax
no ip domain polling-interval
Parameters
seconds—Polling interval in seconds. The range is from (2*(R+1)*T) to 3600.
Default Configuration
The default value is 2 * (R+1) * T, where
Command Mode
User Guidelines
Example
The following example shows how to configure the polling interval of 100
seconds:
15.5 ip domain retry
Use the ip domain retry command in Global Configuration mode to specify the
number of times the device will send Domain Name System (DNS) queries when
there is no reply.
Syntax
no ip domain retry
Parameters
number—Number of times to retry sending a DNS query to the DNS server. The
range is from 0 to 16.
Default Configuration
Command Mode
User Guidelines
The number argument specifies how many times the DNS query will be sent to a
DNS server until the switch decides that the DNS server does not exist.
Example
The following example shows how to configure the switch to send out 10 DNS
queries before giving up:
Syntax
no ip domain timeout
Parameters
Default Configuration
The default value is 2 seconds.
Command Mode
User Guidelines
Use the command to change the default time out value. Use the no form of this
command to return to the default time out value.
Example
The following example shows how to configure the switch to wait 50 seconds for a
response to a DNS query:
15.7 ip host
Use the ip host Global Configuration mode command to define the static host
name-to-address mapping in the DNS host name cache.
Use the no form of this command to remove the static host name-to-address
mapping.
Syntax
no ip host name ip host name [address1...address8]
Parameters
Default Configuration
No host is defined.
Command Mode
User Guidelines
Host names are restricted to the ASCII letters A through Z (case-insensitive), the
digits 0 through 9, the underscore and the hyphen. A period (.) is used to separate
labels.
Example
The following example defines a static host name-to-address mapping in the host
cache.
15.8 ip name-server
Use the ip name-server command in Global Configuration mode to specify the
address of one or more name servers to use for name and address resolution.
Use the no form of this command to remove the static specified addresses.
Syntax
no ip name-server [server-address1...server-address8]
Parameters
Default Configuration
Command Mode
User Guidelines
The preference of the servers is determined by the order in which they were
entered.
Example
The following example shows how to specify IPv4 hosts 172.16.1.111, 172.16.1.2,
and IPv6 host 2001:0DB8::3 as the name servers:
15.9 show hosts
Use the show hosts command in privileged EXEC mode to display the default
domain name, the style of name lookup service, a list of name server hosts, and
the cached list of hostnames and addresses.
Syntax
show hosts [all | hostname]
Parameters
• all—The specified host name cache information is to be displayed for all
configured DNS views. This is the default.
Command Mode
Default Configuration
Default is all.
User Guidelines
This command displays the default domain name, a list of name server hosts, and
the cached list of host names and addresses.
Example
static website.com
static 1 192.0.2.204
static 2 192.0.2.205
static 3 192.0.2.105
Casche Table
16 EEE Commands
Syntax
eee enable
no eee enable
Parameters
This command has no arguments or keywords.
Default Configuration
EEE is enabled.
Command Mode
User Guidelines
In order for EEE to work, the device at the other end of the link must also support
EEE and have it enabled. In addition, for EEE to work properly, auto-negotiation
must be enabled; however, if the port speed is negotiated as 1 Giga, EEE always
works regardless of whether the auto-negotiation status is enabled or disabled.
If auto-negotiation is not enabled on the port and its speed is less than 1 Giga, the
EEE operational status is disabled.
Example
Syntax
eee enable
no eee enable
Parameters
This command has no arguments or keywords.
Default Configuration
EEE is enabled.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
If auto-negotiation is not enabled on the port and its speed is 1 Giga, the EEE
operational status is disabled.
Example
Syntax
Parameters
This command has no arguments or keywords.
Default Configuration
Enabled
Command Mode
User Guidelines
Enabling EEE LLDP advertisement enables devices to choose and change system
wake-up times in order to get the optimal energy saving mode.
Example
Syntax
Parameters
Defaults
None
Command Mode
User Guidelines
If the port is a 10G port, but the link speed is 1G, the EEE Remote status cannot be
resolved (and displayed).
Examples
Example 2 - The following is the information displayed when a port is in the Not
Present state; no information is displayed if the port supports EEE.
Example 3 - The following is the information displayed when the port is in status
DOWN.
EEE capabilities:
Speed 10M: EEE not supported
Speed 100M: EEE supported
Speed 1G: EEE supported
Speed 10G: EEE not supported
EEE Administrate status: enabled
EEE LLDP Administrate status: enabled
Example 4 - The following is the information displayed when the port is in status
UP and does not support EEE.
Port Status: UP
EEE capabilities:
Speed 10M: EEE not supported
Speed 100M: EEE supported
Speed 1G: EEE supported
Speed 10G: EEE not supported
Current port speed: 1000Mbps
Example 5 - The following is the information displayed when the neighbor does
not support EEE.
Port Status: UP
EEE capabilities:
Speed 10M: EEE not supported
Speed 100M: EEE supported
Speed 1G: EEE supported
Speed 10G: EEE not supported
Current port speed: 1000Mbps
Example 6 - The following is the information displayed when EEE is disabled on the
port.
Port Status: UP
EEE capabilities:
Speed 10M: EEE not supported
Speed 100M: EEE supported
Speed 1G: EEE supported
Speed 10G: EEE not supported
Current port speed: 1000Mbps
Example 7 - The following is the information displayed when EEE is running on the
port, and EEE LLDP is disabled.
Port Status: UP
EEE capabilities:
Speed 10M: EEE not supported
Speed 100M: EEE supported
Speed 1G: EEE supported
Speed 10G: EEE not supported
Current port speed: 1000Mbps
Resolved Timer: 25 usec
Example 8 - The following is the information displayed when EEE and EEE LLDP are
running on the port.
Port Status: UP
EEE capabilities:
Speed 10M: EEE not supported
Speed 100M: EEE supported
Speed 1G: EEE supported
Speed 10G: EEE not supported
Current port speed: 1000Mbps
Example 9 - The following is the information displayed when EEE is running on the
port, EEE LLDP is enabled but not synchronized with the remote link partner.
Port Status: up
EEE capabilities:
Speed 10M: EEE not supported
Resolved Tx Timer: 64
Local Tx Timer: 64
Resolved Rx Timer: 16
Local Rx Timer: 16
Example 10 - The following is the information displayed when EEE and EEE LLDP
are running on the port.
show eee te1/0/3
Port Status: UP
EEE capabilities:
Speed 10M: EEE not supported
Speed 100M: EEE supported
Speed 1G: EEE supported
Speed 10G: EEE not supported
Current port speed: 1000Mbps
Local Rx Timer: 20 usec
17 Ethernet Configuration Commands
17.1 interface
To enter Interface configuration mode in order to configure an interface, use the
interface Global Configuration mode command.
Syntax
interface interface-id
Parameters
Default Configuration
None
Command Mode
Examples
switchxxxxxx(config-if)#
switchxxxxxx(config)# interface po1
switchxxxxxx(config-if)#
Syntax
interface range interface-id-list
Parameters
Default Configuration
None
Command Mode
Interface (Ethernet, Port Channel, VLAN) Configuration mode
User Guidelines
Example
switchxxxxxx(config-if-range)#
17.3 shutdown
To disable an interface, use the shutdown Interface Configuration mode command.
To restart a disabled interface, use the no form of this command.
Syntax
shutdown
no shutdown
Parameters
Default Configuration
Command Mode
User Guidelines
The shutdown command sets the value of ifAdminStatus (see RFC 2863) to DOWN.
When ifAdminStatus is changed to DOWN, ifOperStatus is also changed to
DOWN.
The DOWN state of ifOperStatus means that the interface does not
transmit/receive messages from/to higher levels. For example, if you shut down a
VLAN, on which an IP interface is configured, bridging into the VLAN continues, but
the switch cannot transmit and receive IP traffic on the VLAN.
Notes:
• If the switch shuts down an Ethernet port, it also shuts down the port
MAC sublayer.
• If the switch shuts down a port channel, it also shuts down all ports
of the port channel.
Examples
switchxxxxxx(config-if)# shutdown
switchxxxxxx(config-if)#
Example 2—The following example restarts the disabled Ethernet port.
switchxxxxxx(config-if)# no shutdown
switchxxxxxx(config-if)#
switchxxxxxx(config-if)# shutdown
switchxxxxxx(config-if)#
switchxxxxxx(config-if)# shutdown
switchxxxxxx(config-if)#
switchxxxxxx(config-if)# shutdown
switchxxxxxx(config-if)#
Syntax
no operation time
Parameters
Default Configuration
There is no time range configured on the port authorized state.
Command Mode
User Guidelines
The operation time command influences the port if the port status is up. This
command defines the time frame during which the port stays up and at which time
the port will be shut down. While the port is in shutdown because of other reasons,
this command has no effect.
Example
The following example activates an operation time range (named "morning") on
port te1/0/1.
17.5 description
To add a description to an interface, use the description Interface (Ethernet, Port
Channel) Configuration mode command. To remove the description, use the no
form of this command.
Syntax
description string
no description
Parameters
Default Configuration
Command Mode
Example
The following example adds the description ‘SW#3’ to te1/0/4.
17.6 speed
To configure the speed of a given Ethernet interface when not using
auto-negotiation, use the speed Interface (Ethernet, Port Channel) Configuration
mode command. To restore the default configuration, use the no form of this
command.
Syntax
speed {100 | 1000 | 10000}
no speed
Parameters
Default Configuration
Command Mode
User Guidelines
Example
The following example configures the speed of te1/0/4 to 100 Mbps operation.
switchxxxxxx(config)# interface te1/0/4
17.7 duplex
To configure the full/half duplex operation of a given Ethernet interface when not
using auto-negotiation, use the duplex Interface (Ethernet, Port Channel)
Configuration mode command. To restore the default configuration, use the no
form of this command.
Syntax
Parameters
• half—Forces half-duplex operation.
Default Configuration
Command Mode
Example
17.8 negotiation
To enable auto-negotiation operation for the speed and duplex parameters and
master-slave mode of a given interface, use the negotiation Interface (Ethernet,
Port Channel) Configuration mode command. To disable auto-negotiation, use the
no form of this command.
Syntax
no negotiation
Parameters
- 10h—Advertise 10 half-duplex
- 10f—Advertise 10 full-duplex
Default Configuration
If capability is unspecified, it defaults to the list of all the capabilities of the
port and preferred slave mode.
Command Mode
Example
switchxxxxxx(config-if)# negotiation
17.9 flowcontrol
To configure the Flow Control on a given interface, use the flowcontrol Interface
(Ethernet, Port Channel) Configuration mode command. To disable Flow Control,
use the no form of this command.
Syntax
no flowcontrol
Parameters
Default Configuration
Command Mode
User Guidelines
Example
switchxxxxxx(config-if)# flowcontrol on
17.10 mdix
To enable cable crossover on a given interface, use the mdix Interface (Ethernet)
Configuration mode command. To disable cable crossover, use the no form of this
command.
Syntax
no mdix
Parameters
Default Configuration
Command Mode
Example
17.11 back-pressure
To enable back pressure on a specific interface, use the back-pressure Interface
(Ethernet) Configuration mode command. To disable back pressure, use the no
form of this command.
Syntax
back-pressure
no back-pressure
Parameters
Default Configuration
Back pressure is disabled.
Command Mode
User Guidelines
Back-pressure cannot be enabled when EEE is enabled.
Example
switchxxxxxx(config-if)# back-pressure
Syntax
port jumbo-frame
no port jumbo-frame
Parameters
Default Configuration
Command Mode
Global Configuration mode
User Guidelines
Example
Syntax
no link-flap prevention
Parameters
Default Configuration
Command Mode
User Guidelines
You can use the following commands to reset an interface shut down by link-flap prevention:
• The errdisable recovery reset command with the link-flapping parameter to recover all
interfaces in this state due to link-flap prevention, or with the interface interface-id
parameter to reset a given interface.
• The errdisable recovery cause command with the link-flapping parameter to automatically
recover from the link-flap prevention error-disabled state.
• The command sequence of "shutdown" and then "no shutdown" on the required interface.
Example
Syntax
Parameters
Default Configuration
Command Mode
Example
The following example clears the statistics counters for te1/0/1.
Syntax
Parameters
Command Mode
User Guidelines
This command is used to activate interfaces that were configured to be active, but
were shut down by the system.
Example
Syntax
Parameters
• all—Enables the error recovery mechanism for all reasons described below.
• udld—Enables the error recovery mechanism for the UDLD Shutdown state.
Default Configuration
Command Mode
Example
Syntax
Parameters
Default Configuration
Command Mode
Example
The following example sets the error recovery timeout interval to 10 minutes.
Syntax
Parameters
Default Configuration
None.
Command Mode
Examples
Example 3—The following example enables all interfaces in the port security
Err-Disable state
Syntax
Parameters
• interface-id—(Optional) Specifies an interface ID. The interface ID can be
one of the following types: Ethernet port or port-channel.
Default Configuration
Display all interfaces. If detailed is not used, only present ports are displayed.
Command Mode
Example
Flow Admin
Cont
Legend
Neg: Negotiation
Syntax
Parameters
Command Mode
Default Configuration
Display for all interfaces. If detailed is not used, only present ports are displayed.
Example
Flow Link
Syntax
Parameters
• interface-id—(Optional) Specifies an interface ID. The interface ID can be
one of the following types: Ethernet port or port-channel.
Default Configuration
Display for all interfaces. If detailed is not used, only present ports are displayed.
Command Mode
Examples
Port:te1/0/1
Type: 1G-Copper
Link state: Up
Preference: Master
10h 10f 100h 100f 1000f
Port: te1/0/1
Type: 1G-Copper
Link state: Up
Syntax
Parameters
Default Configuration
Display description for all interfaces. If detailed is not used, only present ports are
displayed.
Command Mode
Example
The following example displays the description of all configured interfaces.
------ ---------------------------------------------
te1/0/2
te1/0/3
te1/0/4
PO Description
---- -----------
Po1 Output
Syntax
Parameters
Default Configuration
Display counters for all interfaces. If detailed is not used, only present ports are
displayed.
Command Mode
Example
The following example displays traffic seen by all the physical interfaces.
te1/0/1 0 0 0 0
te1/0/1 0 1 35 7051
FCS Errors: 0
Deferred Transmissions: 0
Late Collisions: 0
Excessive Collisions: 0
Oversize Packets: 0
Symbol Errors: 0
The following table describes the fields shown in the display.
Field                      Description
InOctets                   Number of received octets.
InUcastPkts                Number of received Unicast packets.
InMcastPkts                Number of received Unicast packets.
InBcastPkts                Number of received broadcast packets.
OutOctets                  Number of transmitted octets.
OutUcastPkts               Number of transmitted Unicast packets.
OutMcastPkts               Number of transmitted Unicast packets.
OutBcastPkts               Number of transmitted Broadcast packets.
FCS Errors                 Number of frames received that are an integral number of octets in length but do not pass the FCS check.
Single Collision Frames    Number of frames that are involved in a single collision, and are subsequently transmitted successfully.
Multiple Collision Frames  Number of frames that are involved in more than one collision and are subsequently transmitted successfully.
SQE Test Errors            Number of times that the SQE TEST ERROR is received. The SQE TEST ERROR is set in accordance with the rules for verification of the SQE detection mechanism in the PLS Carrier Sense Function as described in IEEE Std. 802.3, 2000 Edition, section 7.2.4.6.
Deferred Transmissions     Number of frames for which the first transmission attempt is delayed because the medium is busy.
Late Collisions            Number of times that a collision is detected later than one slotTime into the transmission of a packet.
Excessive Collisions       Number of frames for which transmission fails due to excessive collisions.
Oversize Packets           Number of frames received that exceed the maximum permitted frame size.
Internal MAC Rx Errors     Number of frames for which reception fails due to an internal MAC sublayer receive error.
Received Pause Frames      Number of MAC Control frames received with an opcode indicating the PAUSE operation.
Transmitted Pause Frames   Number of MAC Control frames transmitted on this interface with an opcode indicating the PAUSE operation.
Syntax
Parameters
Default Configuration
None
Command Mode
Example
The following example displays whether jumbo frames are enabled on the device.
17.25 show link-flap prevention
To display whether link-flap prevention is enabled on the device, use the show
link-flap prevention Privileged EXEC mode command.
Syntax
Parameters
Default Configuration
None
Command Mode
Example
Syntax
Parameters
Default Configuration
None
Command Mode
Example
---------------------- ------------------
port-security Disable
dot1x-src-address Disable
acl-deny Enable
stp-bpdu-guard Disable
stp-loopback-guard Disable
loop-detection Disable
udld Disable
link-flap Disable
Syntax
Parameters
Default Configuration
Command Mode
Example
The following example displays the Err-Disable state of te1/0/1.
Interface Reason
------------ ------------------
te1/0/1 stp-bpdu-guard
Syntax
Parameters
Default Configuration
Command Mode
Example
Syntax
show switchport monitor interface-id {seconds | minutes | hours} [utilization | tx | rx | frames]
show switchport monitor interface-id {days | weeks}
show switchport monitor utilization [interface-id]
Parameters
• tx—Shows sent counters statistics.
Default Configuration
Command Mode
User Guidelines
The show switchport monitor utilization command shows a utilization summary per
interface for the most recent sample of each time frame (i.e., last minute, last hour, last day
and last week).
Examples
Sent
The following table describes the fields shown in the display.
Field              Description
Time               Time stamp of the current sample in system real time clock.
Tx Utilization     Utilization in percentage for Sent frames on the interface.
Rx/Tx Utilization  An average of the Rx Utilization and the Tx Utilization in percentage on the interface.
18
File System Commands
18.0
Note. Although the switch internally supports the File System on FLASH of all stack
units, the File System CLI commands allow access only to flash files on the Master.
Any needed file synchronization between the Master and the other units is performed by the
switch automatically.
Uniform Resource Locators (URLs) are used to specify the location of a file or a
directory. The URL has the following syntax:
Filenames and directory names consist only of characters from the portable
filename character set. The set includes the following characters:
• ABCDEFGHIJKLMNOPQRSTUVWXYZ
• abcdefghijklmnopqrstuvwxyz
• <space>
• 0123456789._-
The last three characters are the <period>, <underscore>, and <hyphen>
characters, respectively. If a URL includes spaces, it must be enclosed in double
quotation marks (").
For example:
- readable
- executable
- readable
- executable
- readable
• localization. The predefined URL alias specifies the Secondary Language
Dictionary file. This file has the following permissions:
- readable
• logging. The predefined URL alias specifies the Syslog file. This file has the
following permissions:
- readable
- readable
Example
Example 1. The following example specifies a file on TFTP server using an IPv4
address:
tftp://1.1.1.1/aaa/dat/file.txt
Example 2. The following example specifies a file on TFTP server using an IPv6
address:
tftp://3000:1:2::11/aaa/dat/file.txt
Example 3. The following example specifies a file on TFTP server using a DNS
name:
tftp://files.export.com/aaa/dat/file.txt
flash://aaa/dat/file.txt
Example 5. The following example specifies files using the current directory:
./dat/file.txt
dat/file.txt
Example 6. The following example specifies a file using the higher directory:
../dat/file.txt
usb://aaa/dat/file.txt
usb:aaa/dat/file.txt
usb:./aaa/dat/file.txt
usb:../aaa/dat/file.txt
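The character-set and quoting rules above can be enforced as a pre-flight check in scripts that build file URLs for commands such as copy, delete or boot system. The following Python code is an added example, not part of the guide: the function names and the characters accepted in a TFTP host field are assumptions, and the only URL prefixes handled are those shown in the examples above.

```python
import string

# Portable filename character set exactly as listed in the guide:
# upper- and lower-case letters, <space>, digits, period, underscore, hyphen.
PORTABLE_CHARS = frozenset(string.ascii_letters + string.digits + " ._-")

# URL prefixes that appear in the guide's examples (longest match first).
SCHEMES = ("tftp://", "flash://", "usb://", "usb:")

# Assumption (not from the guide): characters accepted in a TFTP host field,
# enough for the IPv4, IPv6 and DNS-name hosts used in the guide's examples.
HOST_CHARS = frozenset(string.ascii_letters + string.digits + ".:-")


def split_url(url):
    """Split a file URL into (scheme, host, path components)."""
    scheme, rest = "", url
    for prefix in SCHEMES:
        if url.startswith(prefix):
            scheme, rest = prefix.split(":")[0], url[len(prefix):]
            break
    host = ""
    if scheme == "tftp":
        # Everything up to the first "/" is the server address or name.
        host, _, rest = rest.partition("/")
    return scheme, host, rest.split("/")


def validate_url(url):
    """Return a list of problems; an empty list means the URL is acceptable."""
    problems = []
    scheme, host, components = split_url(url)
    if scheme == "tftp" and (not host or not set(host) <= HOST_CHARS):
        problems.append("bad host: %r" % host)
    for index, name in enumerate(components):
        if name in (".", ".."):
            continue  # current / higher directory, as in Examples 5 and 6
        if name == "":
            # Only a trailing slash (for example flash://) may leave an
            # empty component; anywhere else it is rejected.
            if index != len(components) - 1:
                problems.append("empty path component")
            continue
        bad = sorted(set(name) - PORTABLE_CHARS)
        if bad:
            problems.append("%r contains non-portable characters %r" % (name, bad))
    return problems


def cli_argument(url):
    """Return the URL as it should be typed on the CLI, or raise ValueError.

    A URL containing spaces is wrapped in double quotes, as the guide requires.
    Anything outside the portable set (quotes, semicolons, control characters,
    newlines) is refused rather than escaped, so it can never reach the CLI line.
    """
    problems = validate_url(url)
    if problems:
        raise ValueError("; ".join(problems))
    return '"%s"' % url if " " in url else url
```
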
• Inner System files. The files are created by the switch itself. For example the
Syslog file.
• Files installed/Uninstalled by user. This group includes the following files:
- Startup Configuration
• boot config
• boot localization
• boot system
Additionally, the following commands from previous versions can be used too:
• write
Note. Reset to Factory Default removes all files from the FLASH except the
following files:
• active-image
• inactive-image
• mirror-config
• localization
• For non-Backup slave’s File system only the following files are synchronized:
Syntax
no boot config
Parameters
• startup-config-url—the url of a file. The predefined URLs cannot be
configured.
Default Configuration
N/A
Command Mode
User Guidelines
• Converts the file format from the text format into the inner binary format.
Use the boot config running-config command to install Startup Configuration from
Running Configuration.
Use the boot config mirror-config command to install Startup Configuration from
the Mirror Configuration file.
Use the no boot config command to uninstall Startup Configuration. The
uninstalled file is deleted.
Example
Example 4. The following example installs Startup Configuration from the Running
Configuration file:
Example 5. The following example installs Startup Configuration from the Mirror
Configuration file:
Syntax
no boot localization
Parameters
Default Configuration
Default language.
Command Mode
User Guidelines
• Validates its format. If the file does not have the correct format the file is
deleted and the command is finished with an error.
• Installs Secondary Language Dictionary on all the other stack units.
Example
Example 1. The following example installs the Secondary Language Dictionary file
from a TFTP server:
Example 2. The following example installs the Secondary Language Dictionary file
from FLASH:
Syntax
Parameters
• image-url—The URL of a file. The predefined URLs cannot be configured.
Default Configuration
No default.
Command Mode
User Guidelines
Use the boot system image-url command to install a new active image from the
image-url file. The command performs the following actions:
• Copies the file into the system directory flash://system/image/
• Validates its format. If the file does not have the correct image format the file
is deleted and the command is finished with an error.
• Installs the copied file as the active image that will be loaded at
startup. The previous active image file is saved as the inactive image. The
previous inactive image is deleted.
Use the boot system inactive-image command to set the inactive image as the active
one and the active image as the inactive one.
The command installs the inactive image as active in all stack units.
Use the show bootvar / show version command to display information about the
active and inactive images.
Example
Example 1. The following example sets a new active image from a TFTP server:
Example 2. The following example sets a new active image from FLASH:
switchxxxxxx(config)# boot system inactive-image
18.7 cd
To change the current directory or file system, use the cd command in User EXEC
mode.
Syntax
cd url
Parameters
Default Configuration
Command Mode
User Guidelines
When a terminal session is started the current directory of the session is set to
flash://. Use the cd command to change the current directory.
Example
Example 1. The following example sets a new current directory on FLASH:
switchxxxxxx> pwd
flash://
switchxxxxxx> cd date/aaa
switchxxxxxx> pwd
flash://date/aaa
switchxxxxxx> pwd
flash://
switchxxxxxx> cd usb://
switchxxxxxx> pwd
usb://
18.8 copy
To copy any file from a source to a destination, use the copy command in
Privileged EXEC mode.
Syntax
copy src-url dst-url
Parameters
• exclude—Sensitive data is not included in the file being copied.
Command Mode
User Guidelines
• You cannot copy one network file to another network file.
• Use the copy src-url dst-url command to copy any file. If the dst-url
argument defines an existing flash file, the command fails if this file does not
have the writable permission. If the dst-url argument defines a directory file,
then the file is copied into the directory with the same name. No file format
validation or conversion is performed. If the src-url argument and dst-url
arguments define flash files, the dst-url file will have the permissions of the
src-url file. If the src-url argument defines a non-flash file and the dst-url
argument defines a flash file, the dst-url file will have the following
permissions:
- readable
- writable
• Use the copy src-url running-config command to add a file to the Running
Configuration file.
Example
Example 1. The following example copies file file1 from the TFTP server
172.16.101.101 to the flash://aaaa/file1 file:
Example 2. The following example saves the Startup configuration file in the
tftp://172.16.101.101/config.txt file:
Example 3. The following example copies the Running Configuration file to the
Startup configuration:
Example 4. The following example copies the Syslog file to a TFTP server:
Example 5. The following example copies a file from the mass-storage device
connected to the USB port to Flash:
18.9 delete
To delete a local file, use the delete command in Privileged EXEC mode.
Syntax
delete url
delete startup-config
delete localization
Parameters
• url—Specifies the local URL of the local file to be deleted. The predefined
and network URLs cannot be configured.
Command Mode
User Guidelines
The delete url command cannot delete a network file.
Use the delete startup-config command to delete the Startup Configuration file.
Example
Example 1. The following example deletes the file called ‘backup/config’ from
FLASH:
switchxxxxxx# cd flash://backup/
Example 2. The following example deletes the file called ‘aaa/config’ from the
mass-storage device connected to the USB port:
18.10 dir
To display a list of files on a file system, use the dir command in User EXEC mode.
Syntax
dir [url]
Parameters
• url—Specifies the local URL of the directory to be displayed. The
predefined and network URLs cannot be configured. If the argument is
omitted the current directory is used.
Command Mode
User Guidelines
Examples
18.11 mkdir
To create a new directory, use the mkdir command in Privileged EXEC mode.
Syntax
mkdir url
Parameters
• url—Specifies the URL of the created directory. The predefined and
network URLs cannot be configured.
Command Mode
User Guidelines
All directories defined in the url argument except the created one must exist.
Example
18.12 more
To display the contents of a file, use the more command in User EXEC mode.
Syntax
more url
Parameters
• url—Specifies the local URL or predefined file name of the file to display.
Command Mode
User Guidelines
The more startup-config command displays the same output as the show
startup-config command regardless of the specified format.
The more active-image and more inactive-image commands display only the
version number of the image regardless of the specified format.
Example
no spanning-tree
speed 1000
exit
no lldp run
line console
exec-timeout 0
18.13 pwd
To show the current directory, use the pwd command in User EXEC mode.
Syntax
pwd [usb: | flash:]
Parameters
• usb:—Display the current directory on the USB driver.
Command Mode
User Guidelines
Use the pwd usb: | flash: command to show the current directory on the specified
driver.
Use the pwd command to show the current directory set by the recent cd
command.
Example
The following example uses the cd command to change the current directory and
then uses the pwd command to display that current directory:
switchxxxxxx> pwd
flash://
switchxxxxxx> cd date/aaa
switchxxxxxx> pwd
flash://date/aaa
18.14 reload
To reload the operating system, use the reload command in Privileged EXEC
mode.
Syntax
reload
reload cancel
Parameters
Command Mode
User Guidelines
Use the reload {in hhh:mm | mmm | at hh:mm [day month]} command
to specify a scheduled switch reload.
The at keyword can be configured only if the system clock has been set on the
switch.
When you specify the reload time using the at keyword, if you specify the month
and day, the reload takes place at the specified time and date. If you do not
specify the month and day, the reload takes place at the specified time on the
current day (if the specified time is later than the current time), or on the next day (if
the specified time is earlier than the current time). Specifying 00:00 schedules the
reload for midnight. The reload must take place within 24 days.
To display information about a scheduled reload, use the show reload command.
Example
switchxxxxxx# reload
This command will reset the whole system and disconnect your current session.
Do you want to continue? (Y/N) [Y]
switchxxxxxx# reload in 10
This command will reset the whole system and disconnect your current session.
Reload is scheduled for 11:57:08 UTC Fri Apr 21 2012 (in 10 minutes). Do you
want to continue? (Y/N) [Y]
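The date-resolution rules for the at keyword given in the User Guidelines above, worked through as an added Python example that is not part of the guide. The function name is hypothetical, and two points the guide leaves open are treated as assumptions: a time equal to the current time rolls over to the next day, and a day and month already past in the current year are taken to mean next year.

```python
from datetime import datetime, timedelta

# "The reload must take place within 24 days."
MAX_AHEAD = timedelta(days=24)


def resolve_reload_at(now, hour, minute, day=None, month=None):
    """Return the datetime at which 'reload at hh:mm [day month]' would fire.

    now is the switch's system clock. ValueError is raised for an invalid
    time or date and for a reload more than 24 days ahead.
    """
    if (day is None) != (month is None):
        raise ValueError("day and month must be given together")

    if day is None:
        # No date: today if the time is still ahead, otherwise tomorrow.
        target = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
        if target <= now:  # assumption: an equal time also rolls to the next day
            target += timedelta(days=1)
    else:
        # Explicit date: datetime() itself rejects impossible dates.
        target = datetime(now.year, month, day, hour, minute)
        if target <= now:
            # Assumption: a date already past this year means next year,
            # which covers a late-December schedule for early January.
            target = target.replace(year=now.year + 1)

    if target - now > MAX_AHEAD:
        raise ValueError("reload must take place within 24 days")
    return target
```
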
18.15 rename
To rename a local file or directory, use the rename command in Privileged EXEC
mode.
Syntax
Parameters
• url—Specifies the URL of the file or directory to be renamed. The
predefined and network URLs cannot be configured.
Command Mode
User Guidelines
The url and new-url arguments must specify the same driver.
Examples
switchxxxxxx# cd flash://archive
switchxxxxxx# rename flash://bin/text1.txt ./text1sav.txt
switchxxxxxx# pwd
flash://a/b/c/d
switchxxxxxx> dir flash://a
Permissions
• d-directory
• r-readable
• w-writable
• x-executable
134560K of 520000K are free
Directory of flash://a
File Name Permission File Size Last Modified
--------- ---------- --------- --------------------
b drw- 472148 Dec 13 2010 15:49:36
switchxxxxxx> dir flash://e/g/h
Permissions
• d-directory
• r-readable
• w-writable
• x-executable
134560K of 520000K are free
Directory of flash://e/g/h
File Name Permission File Size Last Modified
--------- ---------- --------- --------------------
switchxxxxxx# rename flash://a/b flash://e/g/h
switchxxxxxx# pwd
flash://e/g/h/c/d
switchxxxxxx> dir flash://a
Permissions
• d-directory
• r-readable
• w-writable
• x-executable
134560K of 520000K are free
Directory of flash://mng/
File Name Permission File Size Last Modified
--------- ---------- --------- --------------------
switchxxxxxx> dir flash://e/g/h
Permissions
• d-directory
• r-readable
• w-writable
• x-executable
134560K of 520000K are free
Directory of flash://e/g/h
File Name Permission File Size Last Modified
--------- ---------- --------- --------------------
c drw- 720148 Dec 12 2010 17:49:36
18.16 rmdir
To remove a local directory, use the rmdir command in Privileged EXEC mode.
Syntax
rmdir url
Parameters
Command Mode
User Guidelines
Example
Example 2. The following example removes the directory called ‘aaa/config’ from
the mass-storage device connected to the USB port:
18.17 service mirror-configuration
Use the service mirror-configuration Global Configuration mode command to
enable the mirror-configuration service. Use no service mirror-configuration
command to disable the service.
Syntax
service mirror-configuration
no service mirror-configuration
Parameters
Default Configuration
The default configuration is mirror-configuration service enabled.
Command Mode
Global Configuration mode
User Guidelines
The mirror-configuration service automatically keeps a copy of the last known
stable configuration (startup configuration that has not been modified for 24H).
Examples
This operation will delete the mirror-config file if exists. Do you want to continue?
(Y/N) [N]
Service is enabled.
Syntax
show bootvar
show version
Parameters
Command Mode
User Guidelines
The show bootvar and show version commands have the same functionality.
Example
Example 1. The following example gives an example of the command output after
reload:
Time: 11:13:17
Example 2. This example continues the inactive one, after applying the boot
system tftp://1.1.1.1/image_v14-01.ros command:
Example 3. This example continues the inactive one, after a system reload:
Example 4. This example continues the inactive one, after applying the boot
system inactive-image command:
Example 5. This example continues the inactive one, after a system reload:
Example 7. The following example gives an example of the command output after
applying the boot system command two times:
Active-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Inactive-image: flash://system/images/image_v12-01.ros
Version: 12.01
MD5 Digest: 3FA000012857D8855AABC7577AB8999
Date: 04-Feb-2001
Time: 11:13:17
switchxxxxxx# boot system tftp://1.1.1.1/image_v14-01.ros
switchxxxxxx# show bootvar
Active-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Inactive after reboot
Inactive-image: flash://system/images/image_v14-01.ros
Version: 14.01
MD5 Digest: 23FA000012857D8855AABC7577AB5562
Date: 24-Jul-2014
Time: 23:11:17
Active after reboot
switchxxxxxx# boot system tftp://1.1.1.1/image_v14-04.ros
switchxxxxxx# show bootvar
Active-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Inactive after reboot
Inactive-image: flash://system/images/image_v14-04.ros
Version: 14.01
MD5 Digest: 23FA000012857D8855AABC7577AB5562
Date: 24-Jul-2014
Time: 23:11:17
Active after reboot
Example 8. The following example gives an example of the command output after
applying the boot system tftp://1.1.1.1/image_v14-01.ros command and the boot
system inactive-image command:
Active-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Inactive-image: flash://system/images/image_v14-01.ros
Version: 14.01
MD5 Digest: 23FA000012857D8855AABC7577AB5562
Date: 24-Jul-2014
Time: 23:11:17
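When auditing firmware state from collected CLI output, the show bootvar listings above can be parsed to find which image will run after the next reload and whether it is an approved one. This Python code is an added example, not part of the guide: the function names and the approved-version map are assumptions, the sample text is the first listing of Example 7, and an image without an "after reboot" marker is assumed to keep its current role.

```python
# Output copied from the guide's Example 7 (first "show bootvar" after
# "boot system tftp://1.1.1.1/image_v14-01.ros").
SAMPLE = """\
Active-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Inactive after reboot
Inactive-image: flash://system/images/image_v14-01.ros
Version: 14.01
MD5 Digest: 23FA000012857D8855AABC7577AB5562
Date: 24-Jul-2014
Time: 23:11:17
Active after reboot
"""


def parse_bootvar(text):
    """Parse 'show bootvar' / 'show version' output into one dict per image."""
    images = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("Active after reboot", "Inactive after reboot"):
            # Marker lines apply to the image block that precedes them.
            if images:
                images[-1]["after_reboot"] = line.split()[0].lower()
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Key: value" line
        key, value = key.strip(), value.strip()
        if key in ("Active-image", "Inactive-image"):
            role = key.split("-")[0].lower()
            # Assumption: without a marker the image keeps its current role.
            images.append({"role": role, "after_reboot": role, "path": value})
        elif images:
            images[-1][key.lower().replace(" ", "_")] = value
    return images


def audit_next_boot(text, approved):
    """Check the image that will be active after the next reload.

    approved maps an approved version string to its expected digest.
    Returns (image_dict_or_None, list_of_findings).
    """
    images = parse_bootvar(text)
    pending = [img for img in images if img["after_reboot"] == "active"]
    if len(pending) != 1:
        return None, ["expected one image active after reboot, found %d" % len(pending)]
    image = pending[0]
    findings = []
    if image["role"] != "active":
        findings.append("pending image swap: %s becomes active at next reload" % image["path"])
    version = image.get("version")
    expected = approved.get(version)
    if expected is None:
        findings.append("version %s is not on the approved list" % version)
    elif image.get("md5_digest", "").upper() != expected.upper():
        findings.append("digest mismatch for version %s" % version)
    return image, findings
```

Running the audit before and after a maintenance window shows an unplanned boot system change as a pending image swap even though the running version has not changed yet.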
Syntax
Command Mode
User EXEC mode
Example
The following example displays the status of the mirror-configuration service
switchxxxxxx# show mirror-configuration service
Syntax
show reload
Parameters
Command Mode
User Guidelines
You can use the show reload command to display a pending image reload. To
cancel the reload, use the reload command with the cancel keyword.
Example
Example 1. The following example displays information when scheduled reload
has been configured:
Image reload scheduled for 00:00:00 UTC Sat April 20 (in 3 hours and 12 minutes)
No scheduled reload
Parameters
Default Configuration
All interfaces are displayed. If the detailed or brief keyword is not specified, the
brief keyword is applied.
Command Mode
Example
no spanning-tree
interface range te1/0/1-4
speed 1000
exit
no lldp run
interface vlan 1
ip address 1.1.1.1 255.0.0.0
exit
line console
exec-timeout 0
exit
switchxxxxxx#
Syntax
Parameters
Command Mode
Example
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
no spanning-tree
interface range te1/0/1-4
speed 1000
exit
no lldp run
interface vlan 1
ip address 1.1.1.1 255.0.0.0
exit
line console
exec-timeout 0
exit
switchxxxxxx#
18.23 write
To save the running configuration to the startup configuration file, use the write
command in Privileged EXEC mode.
Syntax
write
write memory
Parameters
Command Mode
User Guidelines
Use the write command or the write memory command to save the Running
Configuration file into the Startup Configuration file.
Examples
The following example shows how to overwrite the startup-config file with the
running-config file with the write command.
switchxxxxxx# write
Overwrite file [startup-config] ?[Yes/press any key for no]....15-Sep-2010 11:27:48 %COPY-I-FILECPY: Files Copy - source URL running-config destination URL flash://startup-config
15-Sep-2010 11:27:50 %COPY-N-TRAP: The copy operation was completed successfully
Copy succeeded
19
GARP VLAN Registration Protocol (GVRP)
Commands
19.0
Syntax
Parameters
Default Configuration
Command Mode
Example
Syntax
gvrp enable
no gvrp enable
Parameters
Default Configuration
GVRP is globally disabled.
Command Mode
Global Configuration mode
Example
The following example enables GVRP globally on the device.
Syntax
gvrp enable
no gvrp enable
Parameters
Default Configuration
Command Mode
User Guidelines
An access port does not dynamically join a VLAN because it is always a member
of a single VLAN only. Membership in an untagged VLAN is propagated in the
same way as in a tagged VLAN. That is, the PVID must be manually defined as the
untagged VLAN ID.
Example
Syntax
gvrp registration-forbid
no gvrp registration-forbid
Parameters
Default Configuration
Command Mode
Example
Syntax
gvrp vlan-creation-forbid
no gvrp vlan-creation-forbid
Parameters
Default Configuration
Enabled.
Command Mode
Example
switchxxxxxx(config-if)# interface te1/0/3
Syntax
Parameters
Default Configuration
All GVRP statistics are displayed for all interfaces. If detailed is not used, only
present ports are displayed.
Command Mode
User EXEC mode
Example
Syntax
Parameters
Default Configuration
Command Mode
Example
----------------------
Legend:
te1/0/1 0 0 0 0 0
te1/0/2 0 0 0 0 0
te1/0/3 0 0 0 0 0
te1/0/4 0 0 0 0 0
Syntax
Parameters
Default Configuration
Command Mode
Example
GVRP statistics:
----------------
Legend:
rJE : Join Empty Received rJIn: Join In Received
Port rJE rJIn rEmp rLIn rLE rLA sJE sJIn sEmp sLIn sLE sLA
----- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---
te1/0/1 0 0 0 0 0 0 0 0 0 0 0 0
te1/0/2 0 0 0 0 0 0 0 0 0 0 0 0
te1/0/3 0 0 0 0 0 0 0 0 0 0 0 0
te1/0/4 0 0 0 0 0 0 0 0 0 0 0 0
20 Green Ethernet
Syntax
green-ethernet energy-detect
no green-ethernet energy-detect
Parameters
Default Configuration
Disabled.
Command Mode
Example
Syntax
green-ethernet energy-detect
no green-ethernet energy-detect
Parameters
Default Configuration
Enabled.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
Energy-Detect only works on copper ports. When a port is enabled for auto
selection, copper/fiber Energy-Detect cannot work.
It takes the PHY ~5 seconds to fall into sleep mode when the link is lost after
normal operation.
Example
Syntax
green-ethernet short-reach
no green-ethernet short-reach
Parameters
Default Configuration
Disabled.
Command Mode
Example
Syntax
green-ethernet short-reach
no green-ethernet short-reach
Parameters
Default Configuration
Disabled.
Command Mode
User Guidelines
The VCT length check can be performed only on a copper port operating at a
speed of 1000 Mbps. If the media is not copper or the link speed is not 1000
Mbps, Short-Reach mode is not applied.
When the interface is set to enhanced mode, after the VCT length check has
completed and set the power to low, errors are monitored continuously. If
errors cross a certain threshold, the PHY reverts to long reach.
Example
Syntax
Parameters
Default Configuration
None
Command Mode
Example
Syntax
Parameters
Default Configuration
Display for all ports. If detailed is not used, only present ports are displayed.
Command Mode
User Guidelines
The power savings displayed is relevant to the power saved by:
• Port LEDs
• Energy detect
• Short reach
The EEE power saving is dynamic by nature since it is based on port utilization and
is therefore not taken into consideration.
The following describes the reasons for non-operation displayed by this
command.
If there are several reasons, then only the highest priority reason is displayed.
Example
21 IGMP Commands
Syntax
Parameters
• interface-id—(Optional) Interface Identifier
Command Mode
User Guidelines
Use the clear ip igmp counters command to clear the IGMP counters, which keep
track of the number of joins and leaves received. If you omit the optional
interface-id argument, the clear ip igmp counters command clears the counters on
all interfaces.
Example
Syntax
ip igmp last-member-query-count count
no ip igmp last-member-query-count
Parameters
Default Configuration
Command Mode
User Guidelines
Use the ip igmp robustness command to change the IGMP last member query
counter.
Example
The following example changes the value of the IGMP last member query counter
to 3:
Configuration mode. To restore the default IGMP query interval, use the no form of
this command.
Syntax
Parameters
• milliseconds—Interval, in milliseconds, at which IGMP group-specific host
query messages are sent on the interface. (Range: 100–25500).
Default Configuration
The default IGMP last member query interval is 1000 milliseconds.
Command Mode
User Guidelines
Example
The following example shows how to increase the IGMP last member query
interval to 1500 milliseconds:
Syntax
Parameters
• seconds—Frequency, in seconds, at which the switch sends IGMP query
messages from the interface. The range is from 30 to 18000.
Default Configuration
The default IGMP query interval is 125 seconds.
Command Mode
User Guidelines
Use the ip igmp query-interval command to configure the frequency at which the
IGMP querier sends IGMP host-query messages from an interface. The IGMP
querier sends query-host messages to discover which multicast groups have
members on the attached networks of the router.
The query interval must be bigger than the maximum query response time.
Example
The following example shows how to increase the frequency at which the IGMP
querier sends IGMP host-query messages to 180 seconds:
Syntax
Parameters
• seconds—Maximum response time, in seconds, advertised in IGMP
queries. (Range: 5–20)
Default Configuration
10 seconds.
Command Mode
User Guidelines
This command controls the period during which the responder can respond to an
IGMP query message before the router deletes the group.
This command controls how much time the hosts have to answer an IGMP query
message before the router deletes their group. Configuring a value of fewer than
10 seconds enables the router to prune groups faster.
The maximum query response time must be less than the query interval.
Note. If the hosts do not respond fast enough, they might be pruned inadvertently.
Therefore, the hosts must know to respond faster than 10 seconds (or the value
you configure).
Example
Syntax
ip igmp robustness count
no ip igmp robustness
Parameters
Default Configuration
Command Mode
Interface Configuration mode
User Guidelines
Use the ip igmp robustness command to change the IGMP robustness variable.
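Added example, not from the reference guide: a Python check of a set of IGMP timer values against the ranges and the ordering rule stated in this chapter, followed by the RFC 2236 / RFC 3376 timers those values imply (how long a silent group stays in the table, and the leave latency). The robustness and last-member-query-count values are supplied by the caller because their defaults are not shown in this chapter; all function and field names are hypothetical.

```python
from dataclasses import dataclass

# Ranges quoted in this chapter of the guide (inclusive).
RANGES = {
    "query_interval_s": (30, 18000),          # ip igmp query-interval
    "max_response_s": (5, 20),                # maximum query response time
    "last_member_interval_ms": (100, 25500),  # last member query interval
}


@dataclass(frozen=True)
class IgmpTimers:
    # No device defaults for these two are visible here, so they are required.
    robustness: int
    last_member_query_count: int
    # Defaults below are the ones stated in the guide.
    query_interval_s: int = 125
    max_response_s: int = 10
    last_member_interval_ms: int = 1000


def validate(t):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    for name, (low, high) in RANGES.items():
        value = getattr(t, name)
        if not low <= value <= high:
            problems.append(f"{name}={value} is outside the documented range {low}-{high}")
    # Rule from the guide: the query interval must exceed the max response time.
    if t.query_interval_s <= t.max_response_s:
        problems.append("query interval must be greater than the maximum query response time")
    # Assumption: both counters are positive integers (their range is not shown here).
    for name in ("robustness", "last_member_query_count"):
        if getattr(t, name) < 1:
            problems.append(f"{name} must be at least 1")
    return problems


def derive(t):
    """Timers defined in RFC 2236 section 8 and RFC 3376 section 8."""
    return {
        # How long a group is kept after the last report was heard.
        "group_membership_interval_s": t.robustness * t.query_interval_s + t.max_response_s,
        # How long a non-querier waits before taking over as querier.
        "other_querier_present_interval_s": t.robustness * t.query_interval_s + t.max_response_s / 2,
        # Leave latency: time spent on group-specific queries before pruning.
        "last_member_query_time_ms": t.last_member_interval_ms * t.last_member_query_count,
    }


def report(t):
    """Validate first; only derive timers from a consistent configuration."""
    problems = validate(t)
    return {"problems": problems, "timers": derive(t) if not problems else None}


if __name__ == "__main__":
    # Constructed sample: the values used in this chapter's examples
    # (query interval 180 s, last member interval 1500 ms, count 3).
    tuned = IgmpTimers(robustness=2, last_member_query_count=3,
                       query_interval_s=180, last_member_interval_ms=1500)
    print(report(tuned))
```

With the stated defaults and a robustness of 2, a group whose hosts vanish without sending a leave stays in the table for 260 seconds, which is the window to keep in mind when lowering the maximum response time to prune faster.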
Example
Syntax
ip igmp version {1 | 2 | 3}
no ip igmp version
Parameters
• 1—IGMP Version 1.
• 2—IGMP Version 2.
• 3—IGMP Version 3.
Default Configuration
Command Mode
User Guidelines
Example
Syntax
Parameters
Command Mode
User Guidelines
Use the show ip igmp counters command to check if the expected number of
IGMP protocol messages have been received and sent.
If you omit the optional interface-id argument, the show ip igmp counters
command displays counters of all interfaces.
Example
The following example displays the IGMP protocol messages received and sent:
VLAN 100
Syntax
Parameters
Command Mode
User Guidelines
Use the show ip igmp groups [detail] command to display all directly connected
groups.
Examples
Example 1. The following is sample output from the show ip igmp groups
command. It shows all of the groups joined by VLAN 100:
Example 2. The following is sample output from the show ip igmp groups
command using the detail keyword:
Group: 225.1.1.1
20.1.1.1 00:04:08
120.1.1.1 00:02:01
Group: 226.1.1.2
2.2.2.1 00:04:08
192.168.1.1 00:04:08
12.1.1.10 00:00:00
40.3.4.2 00:00:00
Syntax
Parameters
Command Mode
User Guidelines
The show ip igmp groups summary command displays the number of directly
connected multicast groups.
Example
The following is sample output from the show ip igmp groups summary command:
Field Descriptions:
No. of (*,G) routes = 5—Displays the number of groups present in the IGMP cache.
No. of (S,G) routes = 0—Displays the number of include and exclude mode sources present in the IGMP
cache.
Syntax
Parameters
Command Mode
User Guidelines
If you omit the optional interface-id argument, the show ip igmp interface
command displays information about all interfaces.
Example
The following is sample output from the show ip igmp interface command for
Ethernet interface 2/1/1:
VLAN 100 is up
22 IGMP Proxy Commands
22.1 ip igmp-proxy
To add downstream interfaces to an IGMP proxy tree, use the ip igmp-proxy
command in Interface Configuration mode. To remove downstream interfaces
from an IGMP proxy tree, use the no form of this command.
Syntax
ip igmp-proxy upstream-interface-id
no ip igmp-proxy
Parameters
Default Configuration
Command Mode
User Guidelines
Use the no form of the command to remove the downstream interface. When the
last downstream interface is removed from the proxy tree, the tree is deleted too.
Examples
switchxxxxxx(config-if)# exit
switchxxxxxx(config-if)# exit
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Example
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Example
The following example prohibits forwarding from downstream interface vlan 100:
switchxxxxxx(config-if)# exit
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Use the no ip igmp-proxy ssm command to remove all defined ranges.
Example
The following example shows how to configure SSM service for the default IP
address range and the IP address ranges defined by access list list1:
Syntax
Parameters
Command Mode
User Guidelines
Examples
Example 1. The following example displays IGMP Proxy status on all interfaces
where the IGMP Proxy is enabled:
IP Forwarding is enabled
Example 2. The following is sample output from the show ip igmp-proxy interface
command for given upstream interface:
IP Forwarding is enabled
Downstream interfaces:
*vlan 102, *vlan 110, vlan 113
Example 3. The following is sample output from the show ip igmp-proxy interface
command for given downstream interface:
IP Forwarding is enabled
Example 4. The following is sample output from the show ip igmp-proxy interface
command for an interface on which IGMP Proxy is disabled:
IP Forwarding is enabled
23 IGMP Snooping Commands
Syntax
ip igmp snooping
no ip igmp snooping
Default Configuration
Disabled.
Command Mode
Example
Syntax
no ip igmp snooping vlan vlan-id
Parameters
Default Configuration
Disabled
Command Mode
User Guidelines
The user guidelines of the bridge multicast mode command describe the
configuration that is written into the FDB as a function of the FDB mode and the
IGMP version that is used in the network.
Example
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Example
Syntax
Parameters
• vlan-id—Specifies the VLAN.
• interface-list—Specifies the list of interfaces. The interfaces can be one of
the following types: Ethernet port or Port-channel.
Default Configuration
No ports defined
Command Mode
User Guidelines
A port that is defined as a Multicast router port receives all IGMP packets (reports
and queries) as well as all Multicast data.
Example
Syntax
ip igmp snooping vlan vlan-id forbidden mrouter interface interface-list
Parameters
Default Configuration
No ports defined.
Command Mode
User Guidelines
A port that is a forbidden mrouter port cannot be a Multicast router port (i.e. cannot
be learned dynamically or assigned statically).
Example
Syntax
Parameter
• vlan-id—Specifies the VLAN.
• ip-address—Specifies the IP Multicast address.
• interface interface-list—(Optional) Specifies a list of interfaces. The
interfaces can be of one of the following types: Ethernet port or
Port-channel.
Default Configuration
No Multicast addresses are defined.
Command Mode
User Guidelines
Example
Syntax
Parameters
• vlan-id—Specifies the VLAN
• ip-multicast-address—Multicast IP address
• count number—(Optional) Configures multiple contiguous Multicast IP
addresses. If not specified, the default is 1. (Range: 1–256)
Default Configuration
Command Mode
User Guidelines
Example
Syntax
Parameters
• cpe-vlan-id—Specifies the CPE VLAN ID.
• vlan-id—Specifies the Multicast-TV VLAN ID.
Default Configuration
No mapping exists.
Command Mode
User Guidelines
Use this command to associate the CPE VLAN with a Multicast-TV VLAN.
If an IGMP message is received on a customer port tagged with a CPE VLAN, and
there is mapping from that CPE VLAN to a Multicast-TV VLAN, the IGMP message
is associated with the Multicast-TV VLAN.
Example
Syntax
Parameters
N/A
Default Configuration
Enabled
Command Mode
User Guidelines
To run the IGMP Snooping querier on a VLAN, you have to enable it globally and
on the VLAN.
Example
Syntax
Parameters
Default Configuration
Disabled
Command Mode
User Guidelines
The IGMP Snooping querier can be enabled on a VLAN only if IGMP Snooping is
enabled for that VLAN.
Example
23.11 ip igmp snooping vlan querier address
To define the source IP address that the IGMP snooping querier uses, use the ip
igmp snooping vlan querier address command in Global Configuration mode. To
return to the default, use the no form of this command.
Syntax
ip igmp snooping vlan vlan-id querier address ip-address
Parameters
Default Configuration
If an IP address is configured for the VLAN, it is used as the source address of the
IGMP snooping querier. If there are multiple IP addresses, the minimum IP address
defined on the VLAN is used.
Command Mode
User Guidelines
Example
Syntax
Parameters
• vlan-id—Specifies the VLAN.
Default Configuration
Enabled
Command Mode
User Guidelines
Use the no form of the ip igmp snooping vlan querier election command to disable
IGMP Querier election mechanism on a VLAN.
If the IGMP Querier election mechanism is enabled, the IGMP Snooping querier
supports the standard IGMP Querier election mechanism specified in RFC2236
and RFC3376.
Example
23.13 ip igmp snooping vlan querier version
To configure the IGMP version of an IGMP Snooping querier on a specific VLAN,
use the ip igmp snooping vlan querier version command in Global Configuration
mode. To return to the default, use the no form of this command.
Syntax
ip igmp snooping vlan vlan-id querier version {2 | 3}
Parameters
Default Configuration
IGMPv2.
Command Mode
Example
The following example sets the version of the IGMP Snooping Querier VLAN 1 to 3:
Syntax
Parameters
Default Configuration
Disabled
Command Mode
User Guidelines
Example
Syntax
Parameters
• vlan vlan-id —(Optional) Specifies the CPE VLAN ID.
Command Mode
Example
The following example displays the CPE VLAN to Multicast TV VLAN mappings.
Syntax
Parameters
Command Mode
User Guidelines
To see all Multicast groups learned by IGMP snooping, use the show ip igmp
snooping groups command without parameters.
Use the show ip igmp snooping groups command with parameters to see a
needed subset of all Multicast groups learned by IGMP snooping.
To see the full Multicast address table (including static addresses), use the show
bridge multicast address-table command.
Example
Syntax
Parameters
Command Mode
Example
The following example displays the IGMP snooping configuration for VLAN 1000
Automatic learning of Multicast router ports is enabled
Syntax
Parameters
Command Mode
Example
Syntax
Parameters
Command Mode
Example
The following example displays the IP addresses associated with all Multicast TV
VLANs.
VLAN IP Address
---- -----------
1000 239.255.0.0
1000 239.255.0.1
1000 239.255.0.2
1000 239.255.0.3
1000 239.255.0.4
1000 239.255.0.5
1000 239.255.0.6
1000 239.255.0.7
24 IP Addressing Commands
• Ethernet port
• Port channel
• VLAN
• Loopback port
• OOB port
Lists of Commands
24.1 ip address
Use the ip address Interface Configuration (Ethernet, VLAN, Port-channel) mode
command to define an IP address for an interface. Use the no form of this
command to remove an IP address definition.
Syntax
OOB port:
no ip address
In-Band interfaces:
no ip address [ip-address]
Parameters
Default Configuration
No IP address is defined for interfaces.
Command Mode
User Guidelines
OOB port
One IP address is supported. A new IP address defined on the OOB port overrides
the previously defined IP address on the OOB port.
Defining a static IP address on the OOB port stops a DHCP client running on the
OOB port and deletes an IP address assigned by the DHCP client.
Examples
switchxxxxxx(config)# exit
switchxxxxxx(config)# exit
switchxxxxxx(config)# exit
24.2 ip address dhcp
Use the ip address dhcp Interface Configuration (Ethernet, VLAN, Port-channel)
mode command to acquire an IP address for an Ethernet interface from the
Dynamic Host Configuration Protocol (DHCP) server. Use the no form of this
command to release an acquired IP address.
Syntax
ip address dhcp
no ip address dhcp
Parameters
N/A
Command Mode
User Guidelines
Use the ip address dhcp command to enable DHCP client on the interface.
The ip address dhcp command removes all the manually configured addresses on
the interface.
The default route (Default Gateway) received in DHCP Router option (Option 3) is
assigned a metric of 8 for an In-Band interface and 4 for OOB.
Example
The following example acquires an IP address for VLAN 100 from DHCP.
Syntax
Parameters
• interface-id—Specifies an interface.
• force-autoconfig - If the DHCP server holds a DHCP option 67 record for the
assigned IP address, the record overwrites the existing device
configuration.
Command Mode
User Guidelines
Example
The following example renews an IP address on VLAN 19 that was acquired from
a DHCP server:
switchxxxxxx# renew dhcp vlan 19
24.4 ip default-gateway
The ip default-gateway Global Configuration mode command defines a default
gateway (device). Use the no form of this command to restore the default
configuration.
Syntax
ip default-gateway ip-address
no ip default-gateway [ip-address]
Parameters
Command Mode
Default Configuration
User Guidelines
The ip default-gateway command adds the default route with metric of 6 for the
gateway connected on an In-Band interface and 2 for the gateway connected on
OOB.
Example
Syntax
Parameters
• interface-id—Specifies an interface ID on which IP addresses are defined.
Default Configuration
All IP addresses.
Command Mode
Examples
Example 1 - The following example displays all configured IP addresses and their
types:
IP Address       I/F     I/F Status  Type    Directed   Redirect  Status
                         admin/oper          Broadcast
---------------  ------  ----------  ------  ---------  --------  ------
10.5.230.232/24  vlan 1  UP/UP       Static  disable    Enabled   Valid
24.6 arp
Use the arp Global Configuration mode command to add a permanent entry to the
Address Resolution Protocol (ARP) cache. Use the no form of this command to
remove an entry from the ARP cache.
Syntax
arp ip-address mac-address [interface-id]
no arp ip-address
Parameters
Command Mode
Default Configuration
User Guidelines
The software uses ARP cache entries to translate 32-bit IP addresses into 48-bit
hardware (MAC) addresses. Because most hosts support dynamic address
resolution, static ARP cache entries generally do not need to be specified.
Example
Syntax
arp timeout seconds
no arp timeout
Parameters
Default Configuration
The default ARP timeout is 60000 seconds, if IP Routing is enabled, and 300
seconds if IP Routing is disabled.
Command Mode
Example
Syntax
Parameters
N/A
Default
Enabled by default.
Command Mode
User Guidelines
Example
24.9 ip proxy-arp
Use the ip proxy-arp Interface Configuration mode command to enable an ARP
proxy on specific interfaces. Use the no form of this command to disable it.
Syntax
ip proxy-arp
no ip proxy-arp
Default Configuration
Command Mode
User Guidelines
Example
The following example enables ARP proxy when the switch is in router mode.
switchxxxxxx(config-if)# ip proxy-arp
Syntax
clear arp-cache
Command Mode
Example
The following example deletes all dynamic entries from the ARP cache.
Syntax
Parameters
Command Mode
User Guidelines
Since the associated interface of a MAC address can be aged out from the FDB
table, the Interface field can be empty.
If an ARP entry is associated with an IP interface that is defined on a port or
port-channel, the VLAN field is empty.
Example
The following example displays entries in the ARP table.
Syntax
Parameters
Command Mode
Example
Global configuration:
Interface configuration:
VLAN 1:
VLAN 10:
VLAN 20:
24.13 interface ip
Use the interface ip Global Configuration mode command to enter the IP Interface
Configuration mode.
Syntax
interface ip ip-address
Parameters
Command Mode
Example
switchxxxxxx(config-ip)#
24.14 ip helper-address
Use the ip helper-address Global Configuration mode command to enable the
forwarding of UDP Broadcast packets received on an interface to a specific
(helper) address. Use the no form of this command to disable the forwarding of
broadcast packets to a specific (helper) address.
Syntax
ip helper-address {ip-interface | all} address [udp-port-list]
Parameters
Default Configuration
If udp-port-list is not specified, packets for the default services are forwarded to
the helper address.
Command Mode
User Guidelines
This command forwards specific UDP Broadcast packets from one interface to
another, by specifying a UDP port number to which UDP broadcast packets with
that destination port number are forwarded. By default, if no UDP port number is
specified, the device forwards UDP broadcast packets for the following six
services:
The setting of a helper address for a specific interface has precedence over the
setting of a helper address for all the interfaces.
Forwarding of BOOTP/DHCP (ports 67, 68) cannot be enabled with this command.
Use the DHCP relay commands to relay BOOTP/DHCP packets.
Example
24.15 show ip helper-address
Use the show ip helper-address Privileged EXEC mode command to display the IP
helper addresses configuration on the system.
Syntax
show ip helper-address
Parameters
Command Mode
User Guidelines
Example
The following example displays the IP helper addresses configuration on the
system:
switchxxxxxx# show ip
Syntax
Parameters
• interface-id—Interface identifier.
Command Mode
User Guidelines
If no interfaces are specified, all interfaces on which DHCP client is enabled are
displayed. If an interface is specified, only information about the specified
interface is displayed.
Example
The following is sample output of the show ip dhcp client interface command:
Image Path Name: qqq/image/aaa_image.ros
25 IP Routing Protocol-Independent Commands
Syntax
no ip policy route-map
Parameters
• map-tag—Name of the route map to use for policy routing. The name must
match a map-tag value specified by a route-map (Policy Routing) command.
Default Configuration
Command Mode
User Guidelines
IP packets that match the route-map conditions specified by the route map
with the map-tag name take a route that depends on the action of the matched
ACL:
• Name of the route map to use for policy routing. The name must match a
map-tag value specified by a route-map (Policy Routing) command.
IP packets that are not matched are forwarded using the obvious shortest path.
IP policy routing on a Layer 2 interface is performed only when an IP interface is
defined, its status is UP, and the next hop is reachable. If IP policy routing is not
applied, the matched IP packets are forwarded using the obvious shortest
path.
Note. As in the case of regular IP routing, the policy-based IP router routes
only MAC "to me" IP frames.
• VLAN ACL
Example
switchxxxxxx(config-if)# exit
25.2 ip redirects
Use the ip redirects command in IP Interface Configuration mode to enable the
sending of ICMP redirect messages to re-send a packet through the same
interface on which the packet was received. To disable the sending of redirect
messages, use the no form of this command.
Syntax
ip redirects
no ip redirects
Parameters
N/A.
Default Configuration
Command Mode
IP Configuration mode
Example
switchxxxxxx(config-ip)# no ip redirects
switchxxxxxx(config-ip)# exit
switchxxxxxx(config-ip)# ip redirects
switchxxxxxx(config-ip)# exit
25.3 ip route
To establish static routes, use the ip route command in global configuration mode.
To remove static routes, use the no form of this command.
Syntax
Parameters
• prefix—IP route prefix for the destination.
• mask—Prefix mask for the destination.
• /prefix-length—Prefix mask for the destination. Specifies the number of bits
that comprise the IP address prefix. The prefix length must be preceded by
a forward slash (/). (Range: 0–32)
• ip-address—IP address of the next hop that can be used to reach that
network.
• metric value—Metric of the route. The default metric is 6 for the Next Hop
on an In-Band interface and 2 for the Next Hop on OOB. Range: 1–255.
Default Configuration
Command Mode
User Guidelines
Use the no ip route command without the ip-address parameter to remove all
static routes to the given subnet.
Use the no ip route command with the ip-address parameter to remove only one
static route to the given subnet via the given next hop.
Examples
Example 1—The following example shows how to route packets for network
172.31.0.0 to a router at 172.31.6.6 using mask:
Example 2—The following example shows how to route packets for network
172.31.0.0 to a router at 172.31.6.6 using prefix length:
Example 3—The following example shows how to reject packets for network
194.1.1.0:
Example 4—The following example shows how to remove all static routes to
network 194.1.1.0/24:
Example 5—The following example shows how to remove one static route to
network 194.1.1.0/24 via 1.1.1.1:
25.4 ip routing
To enable IP routing, use the ip routing command in global configuration mode. To
disable IP routing, use the no form of this command.
Syntax
ip routing
no ip routing
Parameters
Default Configuration
IP routing is enabled.
Command Mode
User Guidelines
The switch supports one IPv4 stack on in-band interfaces and the OOB port.
The IP stack is always running on the OOB port as an IP host regardless of whether IP
routing is enabled.
The switch blocks routing between in-band interfaces and the OOB interface.
In the case when there are two best routes - one via an in-band and one via the
OOB port, the switch will use the route via the OOB port.
switchxxxxxx(config)# ip routing
Syntax
Parameters
Command Mode
User EXEC mode
User Guidelines
Use this command without parameters to display the whole IPv6 Routing table.
Examples
Example 1. The following is sample output from the show ip route command when
IP Routing is not enabled:
IP Forwarding: disabled
S> 10.10.0.0/16 1/1 10.120.254.244 00:02:22 vlan3
Example 2. The following is sample output from the show ip route command when
IP Routing is enabled:
IP Forwarding: enabled
Policy Routing
VLAN 1
Status: Active
VLAN 100
VLAN 110
VLAN 200
Status: Active
IP Forwarding: enabled
Policy Routing
VLAN 1
Status: Active
VLAN 100
VLAN 110
VLAN 200
Status: Active
Syntax
Parameters
N/A.
Command Mode
User Guidelines
Example
The following is sample output from the show ip route summary command:
35 connected, 25 static
Number of prefixes:
26 IP System Management Commands
26.1 ping
Use the ping EXEC mode command to send ICMP echo request packets to
another node on the network.
Syntax
ping [ip] {ipv4-address | hostname} [size packet_size] [count packet_count]
[timeout time_out] [source source-address]
Parameters
• ip—Use IPv4 to check the network connectivity.
Default Usage
N/A
Command Mode
Privileged EXEC mode
User Guidelines
Press Esc to stop pinging. Following are sample results of the ping command:
• Destination does not respond—If the host does not respond, a “no answer
from host” message appears within 10 seconds.
When using the ping ipv6 command to check network connectivity of a directly
attached host using its link local address, the egress interface may be specified in
the IPv6Z format. If the egress interface is not specified, the default interface is
selected.
When using the ping ipv6 command with a Multicast address, the information
displayed is taken from all received echo responses.
When the source keyword is configured and the source address is not an address
of the switch, the command is halted with an error message and pings are not
sent.
Examples
Example 1 - Ping an IP address.
64 bytes from FF02::1: icmp_seq=2. time=1050 ms
26.2 ssh
To start an encrypted session with a remote networking device, use the ssh
command in user EXEC or privileged EXEC mode.
Syntax
ssh {ip-address | hostname} [port] [keyword...]
Parameters
• ip-address—Specifies the destination host IP address (IPv4 or IPv6).
• hostname—Hostname to ping (Length: 1-158 characters. Maximum label
size for each part of the host name: 58.)
• port—Specifies the decimal TCP port number. The default port is the SSH
port (22).
Keywords Table
Options | Description
/password password | Specifies the password to use when logging in on the remote networking device running the SSH server. If the keyword is not specified, the password configured by the ip ssh-client password command is used. If this keyword is specified, the /user keyword must be specified too.
/source-interface interface-id | Specifies the source interface whose minimal IPv4/v6 address will be used as the source IPv4/v6 address. If the keyword is not specified, the source IPv4/IPv6 address configured by the ip ssh-client source-interface command is used.
/user user-name | Specifies the user name to use when logging in on the remote networking device running the SSH server. If the keyword is not specified, the user name configured by the ip ssh-client username command is used. If this keyword is specified, the /password keyword must be specified too.
Default Configuration
The default port is the SSH port (22) on the host.
Command Mode
Privileged EXEC mode
User Guidelines
The ssh command enables the switch to make a secure, encrypted connection to
another switch running an SSH server. This connection provides functionality that
is similar to that of a Telnet connection except that the connection is encrypted.
With authentication and encryption, the SSH client allows for a secure
communication over an insecure network.
Only one SSH terminal connection can be active at the same time.
Examples
Example 1. The following example sets a secure session between the local device
and the edge device HQedge. The user name and password configured by the ip
ssh-client username and ip ssh-client password commands are used.
Example 2. The following example sets a secure session between the local device
and the edge device 1.1.1.1. The user name is HQhost and the password is a
password configured by the ip ssh-client password command.
Example 3. The following example sets a secure session between the local device
and the edge device HQedge. The user name is HQhost and the password is
ar3245ddd.
26.3 telnet
The telnet EXEC mode command logs on to a host that supports Telnet.
Syntax
telnet {ip-address | hostname} [port] [keyword...]
Parameters
• ip-address—Specifies the destination host IP address (IPv4 or IPv6).
• port—Specifies the decimal TCP port number or one of the keywords listed
in the Ports table in the User Guidelines.
Default Configuration
The default port is the Telnet port (23) on the host.
Command Mode
Privileged EXEC mode
User Guidelines
Telnet software supports special Telnet commands in the form of Telnet
sequences that map generic terminal control functions to operating
system-specific functions. To enter a Telnet sequence, press the escape
sequence keys (Ctrl-shift-6) followed by a Telnet command character.
Special Telnet Sequences
At any time during an active Telnet session, available Telnet commands can be
listed by pressing the ?/help keys at the system prompt.
A sample of this list follows.
switchxxxxxx> ?/help
^^ C sends telnet IP
^^ H sends telnet EC
^^ O sends telnet AO
^^ U sends telnet EL
This command lists concurrent Telnet connections to remote hosts that were
opened by the current Telnet session to the local device. It does not list Telnet
connections to remote hosts that were opened by other Telnet sessions.
Keywords Table
Options | Description
/echo | Enables local echo.
/quiet | Prevents onscreen display of all messages from the software.
/source-interface | Specifies the source interface.
/stream | Turns on stream processing, which enables a raw TCP stream with no Telnet control sequences. A stream connection does not process Telnet options and can be appropriate for connections to ports running UNIX-to-UNIX Copy Program (UUCP) and other non-Telnet protocols.
Ctrl-shift-6 x | Returns to the System Command Prompt.
Ports Table
Example
The following example displays logging in to IP address 176.213.10.50 via Telnet.
26.4 traceroute
To display the routes that packets will take when traveling to their destination, use
the traceroute EXEC mode command.
Syntax
traceroute ip {ipv4-address | hostname} [size packet_size] [ttl max-ttl] [count
packet_count] [timeout time_out] [source ip-address]
traceroute ipv6 {ipv6-address | hostname} [size packet_size] [ttl max-ttl] [count
packet_count] [timeout time_out] [source ip-address]
Parameters
• ip—Use IPv4 to discover the route.
• ttl max-ttl—The largest TTL value that can be used. The default is 30. The
traceroute command terminates when the destination is reached or when
this value is reached. (Range: 1–255)
Default Usage
N/A
Command Mode
Privileged EXEC mode
User Guidelines
The traceroute command works by taking advantage of the error messages
generated by routers when a datagram exceeds its time-to-live (TTL) value.
The traceroute command starts by sending probe datagrams with a TTL value of
one. This causes the first router to discard the probe datagram and send back an
error message. The traceroute command sends several probes at each TTL level
and displays the round-trip time for each.
The traceroute command sends out one probe at a time. Each outgoing packet can
result in one or two error messages. A "time exceeded" error message indicates
that an intermediate router has seen and discarded the probe. A "destination
unreachable" error message indicates that the destination node has received the
probe and discarded it because it could not deliver the packet. If the timer goes
off before a response comes in, the traceroute command prints an asterisk (*).
The traceroute command terminates when the destination responds, when the
maximum TTL is exceeded, or when the user interrupts the trace with Esc.
The traceroute ipv6 command is not relevant to IPv6 link local addresses.
Example
7 so-0-2-0x1.aa1.mich.net (192.122.183.9) 56 msec 53 msec 54 msec
9 * * *
Trace completed
The following table describes the significant fields shown in the display:
Field | Description
1 | Indicates the sequence number of the router in the path to the host.
i2-gateway.stanford.edu | Host name of this router.
192.68.191.83 | IP address of this router.
1 msec 1 msec 1 msec | Round-trip time for each of the probes that are sent.
The following are characters that can appear in the traceroute command output:
Field | Description
* | The probe timed out.
? | Unknown packet type.
A | Administratively unreachable. Usually, this output indicates that an access list is blocking traffic.
F | Fragmentation required and DF is set.
H | Host unreachable.
N | Network unreachable.
P | Protocol unreachable.
Q | Source quench.
R | Fragment reassembly time exceeded.
S | Source route failed.
U | Port unreachable.
27 IPv4 IPM Router Commands
27.1 ip multicast-routing
To enable IPv4 Multicast routing on all IP-enabled interfaces of the router and to
enable Multicast forwarding, use the ip multicast-routing command in global
configuration mode. To stop Multicast routing and forwarding, use the no form of
this command.
Syntax
ip multicast-routing igmp-proxy
no ip multicast-routing
Parameters
Default Configuration
Command Mode
User Guidelines
Example
switchxxxxxx(config)# ip multicast-routing igmp-proxy
Syntax
no ip multicast ttl-threshold
Parameters
Default Configuration
Command Mode
User Guidelines
Multicast packets with a TTL value less than the threshold will not be forwarded
on the interface.
The default value of 0 means all Multicast packets are forwarded on the interface.
A value of 256 means that no Multicast packets are forwarded on the interface.
You should configure the TTL threshold only on border routers. Conversely, routers
on which you configure a TTL threshold value automatically become border
routers.
Example
The following example sets the TTL threshold on a border router to 200:
switchxxxxxx(config-if)# exit
Syntax
Parameters
Command Mode
User Guidelines
Use the show ip mroute command to display information about Mroute entries in
the mroute table. The switch populates the Multicast routing table by creating (S,
G) entries from (*, G) entries. The asterisk (*) refers to all source addresses, the “S”
refers to a single source address, and the “G” is the destination Multicast group
address. In creating (S, G) entries, the switch uses the best path to that destination
group found in the Unicast routing table (that is, through Reverse Path Forwarding
[RPF]).
Examples
(*, 224.0.255.1) and (192.168.37.100/32, 224.0.255.1)—Entry in the IP Multicast
routing table. The entry consists of the IP address of the source router followed by
the IP address of the Multicast group. An asterisk (*) in place of the source router
indicates all sources.
Entries in the first format are referred to as (*, G) or “star comma G” entries. Entries
in the second format are referred to as (S, G) or “S comma G” entries. (*, G) entries
are used to build (S, G) entries.
Incoming interface—Expected interface for a Multicast packet from the source. If
the packet is not received on this interface, it is discarded.
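The incoming-interface rule above is a Reverse Path Forwarding check against the Unicast routing table. The Python sketch below is an added example, not code from this guide or the switch firmware; the routing table contents and all function names are constructed for illustration, while the source, group and VLAN names reuse the sample entries on this page.

```python
import ipaddress

# Constructed Unicast routing table: (prefix, interface toward that prefix).
UNICAST_ROUTES = [
    ("0.0.0.0/0", "vlan1"),
    ("192.168.0.0/16", "vlan5"),
    ("192.168.37.0/24", "vlan100"),
]

# Constructed Multicast packets: source, group, and arrival interface.
SAMPLE_PACKETS = [
    {"src": "192.168.37.100", "dst": "224.0.255.1", "in_if": "vlan100"},
    {"src": "192.168.37.100", "dst": "224.0.255.1", "in_if": "vlan5"},
    {"src": "192.168.99.7", "dst": "224.0.255.1", "in_if": "vlan5"},
]


def rpf_interface(source, routes=UNICAST_ROUTES):
    """Interface of the longest-prefix Unicast route back to `source`, or None."""
    src = ipaddress.ip_address(source)
    best_net, best_if = None, None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if src in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_if = net, ifname
    return best_if


def make_sg_entry(source, group, routes=UNICAST_ROUTES):
    """Build an (S, G) entry whose incoming interface is the RPF interface."""
    if not ipaddress.ip_address(group).is_multicast:
        raise ValueError(f"{group} is not a Multicast group address")
    return {"source": source, "group": group,
            "incoming": rpf_interface(source, routes)}


def accept(entry, packet):
    """True only if the packet arrived on the entry's expected interface."""
    return (packet["src"] == entry["source"]
            and packet["dst"] == entry["group"]
            and entry["incoming"] is not None
            and packet["in_if"] == entry["incoming"])


def classify(packets, routes=UNICAST_ROUTES):
    """Split packets into (forwarded, discarded) according to the RPF check."""
    forwarded, discarded = [], []
    for pkt in packets:
        entry = make_sg_entry(pkt["src"], pkt["dst"], routes)
        (forwarded if accept(entry, pkt) else discarded).append(pkt)
    return forwarded, discarded


if __name__ == "__main__":
    ok, dropped = classify(SAMPLE_PACKETS)
    for pkt in ok:
        print("forward", pkt)
    for pkt in dropped:
        # A packet claiming this source on the wrong interface fails RPF,
        # which is what a spoofed source or a forwarding loop looks like.
        print("discard", pkt, "expected", rpf_interface(pkt["src"]))
```
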
Example 1. The following is sample output from the show ip mroute command with
the summary keyword:
Example 2. The following is sample output from the show ip mroute command:
Timers: Uptime/Expires
vlan100, 5:29:15/0:02:57
vlan5, 05:29:15/00:02:57
Syntax
Parameters
Command Mode
User Guidelines
Use the show ip multicast command without the interface keyword to display
general information about the state of IP Multicast on the router.
Use the show ip multicast command with the interface keyword to display the IP
Multicast information about the specified interface.
Examples
Example 1. The following is sample output from the show ip multicast command
without the interface keyword when no IP Multicast Routing protocol is enabled:
IP Unicast Forwarding: enabled
IP Multicast Protocol: No
Example 2. The following is sample output from the show ip multicast command
without the interface keyword when IGMP Proxy is enabled:
Example 3. The following is sample output from the show ip multicast command
about the given interface. IGMP Proxy is enabled on the interface and the interface
is an IGMP Proxy Upstream interface:
vlan 200
TTL-threshold: 0
Example 4. The following is sample output from the show ip multicast command
about the given interface. IGMP Proxy is enabled on the interface and the interface
is an IGMP Proxy Downlink interface:
vlan 200
TTL-threshold: 0
Example 5. The following is sample output from the show ip multicast command
about the given interface. IGMP Proxy is disabled on the interface:
vlan 200
IP Status: enabled
hop-threshold: 100
28 IPv6 Commands
Syntax
Parameters
N/A
Command Mode
User Guidelines
Example
The following example deletes all entries, except static entries, in the neighbor
discovery cache:
Syntax
Parameters
• ipv6-address—Specifies the global unicast IPv6 address assigned to the
interface. This argument must be in the form documented in RFC4293
where the address is specified in hexadecimal using 16-bit values between
colons.
Default Configuration
Command Mode
User Guidelines
Example
The following example defines the IPv6 global address 2001:DB8:2222:7272::72
on vlan 100:
switchxxxxxx(config-if)# exit
28.3 ipv6 address anycast
Use the ipv6 address anycast command in Interface Configuration mode to
configure a global unicast IPv6 Anycast address and enable IPv6 processing on an
interface. To remove the address from the interface, use the no form of this
command.
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Anycast addresses can be used only by a router, not a host, and Anycast
addresses must not be used as the source address of an IPv6 packet.
The subnet router Anycast address has a prefix concatenated by a series of zeros
(the interface ID). The subnet router Anycast address can be used to reach a router
on the link that is identified by the prefix in the subnet router Anycast address.
The ipv6 address anycast command cannot be applied to define an IPv6 address
on an ISATAP interface.
Using the no form of the ipv6 address command without arguments removes all
manually-configured IPv6 addresses from an interface, including link local
manually-configured addresses.
Example
The following example enables IPv6 processing on the interface, assigns the
prefix 2001:0DB8:1:1::/64 to the interface, and configures the IPv6 Anycast
address 2001:0DB8:1:1:FFFF:FFFF:FFFF:FFFE:
switchxxxxxx(config-if)# exit
Syntax
Parameters
N/A.
Default Configuration
Command Mode
User Guidelines
This command enables IPv6 on an interface (if it was disabled) and causes the
switch to perform IPv6 stateless address auto-configuration to discover prefixes
on the link and then to add the eui-64 based addresses to the interface.
When IPv6 forwarding is changed from disabled to enabled and stateless auto
configuration is enabled, the switch stops stateless auto configuration and
removes all stateless auto configured IPv6 addresses from all interfaces.
When IPv6 forwarding is changed from enabled to disabled and stateless auto
configuration is enabled, the switch resumes stateless auto configuration.
Using the no form of the ipv6 address command without arguments removes all
manually-configured IPv6 addresses from an interface, including link local
manually-configured addresses.
Example
The following example assigns the IPv6 address automatically:
switchxxxxxx(config-if)# exit
Syntax
Parameters
• ipv6-prefix—Specifies the global unicast IPv6 address assigned to the
interface. This argument must be in the form documented in RFC4293
where the address is specified in hexadecimal using 16-bit values between
colons.
Default Configuration
Command Mode
User Guidelines
If the value specified for the prefix-length argument is greater than 64 bits, the
prefix bits have precedence over the interface ID.
The IPv6 address is built from ipv6-prefix and the EUI-64 Interface ID in the
following way:
• The first prefix-length bits are taken from ipv6-prefix.
- The last 64 bits are taken from the EUI-64 Interface ID.
• If prefix-length equals 64 then the following 64 bits are taken from the
EUI-64 Interface ID.
• If prefix-length > 64 then the following (128-prefix-length) bits are taken from
the last (64-(prefix-length -64)) bits of the EUI-64 Interface ID.
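The construction rules above can be checked with a short Python sketch. This is an added example, not code from this guide or the switch; the function names are hypothetical, the MAC address 00:60:3E:11:67:70 is a constructed sample chosen because it yields the link-local address FE80::260:3EFF:FE11:6770 used elsewhere on this page, and zero-filling the bits between a prefix shorter than 64 and the interface ID is an assumption. The reverse function shows why EUI-64 addresses matter for asset inventory and privacy reviews: the hardware address is recoverable from the IPv6 address.

```python
import ipaddress


def eui64_interface_id(mac):
    """64-bit modified EUI-64 interface ID derived from a 48-bit MAC address."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Invert the universal/local bit and insert FF:FE between the two halves.
    eui = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return int.from_bytes(eui, "big")


def build_eui64_address(prefix, mac):
    """Combine ipv6-prefix/prefix-length with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    plen = net.prefixlen
    iid = eui64_interface_id(mac)
    if plen <= 64:
        # prefix-length == 64: the low 64 bits are the interface ID.
        # prefix-length < 64: assumption, bits between prefix and ID are zero.
        host_bits = iid
    else:
        # prefix-length > 64: prefix bits win; only the last
        # (128 - prefix-length) bits of the interface ID are used.
        host_bits = iid & ((1 << (128 - plen)) - 1)
    return ipaddress.IPv6Address(int(net.network_address) | host_bits)


def mac_from_eui64(address):
    """Recover the MAC from an address whose low 64 bits are a full EUI-64 ID.

    Returns None when the FF:FE marker is absent. Only meaningful when the
    address was built with a prefix length of 64 or less; with longer
    prefixes the upper interface ID bits have been overwritten.
    """
    addr = ipaddress.IPv6Address(address.split("%")[0])  # drop zone, e.g. %vlan1
    iid = (int(addr) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    mac = "00:60:3E:11:67:70"  # constructed sample MAC
    for prefix in ("2001:0DB8:0:1::/64", "2001:db8:1::/48", "2001:db8:0:1:aaaa::/80"):
        print(prefix, "->", build_eui64_address(prefix, mac))
    print(mac_from_eui64("FE80::260:3EFF:FE11:6770%vlan1"))
```
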
If the switch detects another host using one of its IPv6 addresses, it adds the IPv6
address and displays an error message on the console.
Using the no form of the ipv6 address command without arguments removes all
manually-configured IPv6 addresses from an interface, including link local
manually-configured addresses.
Example
The following example enables IPv6 processing on VLAN 1, configures IPv6 global
address 2001:0DB8:0:1::/64 and specifies an EUI-64 interface ID in the low order
64 bits of the address:
switchxxxxxx(config-if)# exit
Syntax
Parameters
• ipv6-address—Specifies the IPv6 network assigned to the interface. This
argument must be in the form documented in RFC4293 where the address
is specified in hexadecimal using 16-bit values between colons.
Default Configuration
Command Mode
User Guidelines
The switch automatically generates a link local address for an interface when IPv6
processing is enabled on the interface, typically when an IPv6 address is
configured on the interface. To manually specify a link local address to be used by
an interface, use the ipv6 address link-local command.
The ipv6 address link-local command cannot be applied to define an IPv6 address
on an ISATAP interface.
Using the no form of the ipv6 address command without arguments removes all
manually-configured IPv6 addresses from an interface, including link local
manually-configured addresses.
Example
switchxxxxxx(config-if)# exit
Syntax
Parameters
• ipv6-address—Specifies the IPv6 address of an IPv6 router that can be
used to reach a network.
Default Configuration
Command Mode
User Guidelines
The command is an alias of the ipv6 route command with the predefined (default)
route:
Examples
Example 1. The following example defines a default gateway with a global IPv6
address:
Example 2. The following example defines a default gateway with a link-local IPv6
address:
switchxxxxxx(config)# ipv6 default-gateway FE80::260:3EFF:FE11:6770%vlan1
To disable IPv6 processing on an interface that has not been configured with an
explicit IPv6 address, use the no form of this command.
Syntax
ipv6 enable
no ipv6 enable
Parameters
N/A.
Default Configuration
IPv6 interface is disabled.
Command Mode
User Guidelines
Example
The following example enables VLAN 1 for the IPv6 addressing mode.
switchxxxxxx(config-if)# exit
Syntax
no ipv6 hop-limit
Parameters
Default Configuration
Command Mode
Example
The following example configures a maximum number of 15 hops for all IPv6
packets that are originated from the router:
Syntax
Parameters
• milliseconds—Time interval between tokens being placed in the bucket.
Each token represents a single ICMP error message. The acceptable range
is from 0 to 2147483647. A value of 0 disables ICMP rate limiting.
Default Configuration
The default interval is 100ms and the default bucketsize is 10 i.e. 100 ICMP error
messages per second.
Command Mode
User Guidelines
Use this command to limit the rate at which IPv6 ICMP error messages are sent. A
token bucket algorithm is used with one token representing one IPv6 ICMP error
message. Tokens are placed in the virtual bucket at a specified interval until the
maximum number of tokens allowed in the bucket is reached.
The milliseconds argument specifies the time interval between tokens arriving in
the bucket. The optional bucketsize argument is used to define the maximum
number of tokens allowed in the bucket. Tokens are removed from the bucket
when IPv6 ICMP error messages are sent, which means that if the bucketsize is
set to 20, a rapid succession of 20 IPv6 ICMP error messages can be sent. When
the bucket is empty of tokens, IPv6 ICMP error messages are not sent until a new
token is placed in the bucket.
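The token bucket behaviour described above can be simulated offline to see how many IPv6 ICMP error messages a burst or a sustained flood of triggering packets actually produces. The Python sketch below is an added example, not code from this guide or the switch; the function name is hypothetical, the event timestamps are constructed, and starting with a full bucket is an assumption.

```python
def simulate_icmp_error_limit(event_times_ms, interval_ms=100, bucketsize=10):
    """Decide, per triggering event, whether an ICMP error message is sent.

    event_times_ms: non-decreasing timestamps (ms) of packets that would
                    each trigger one IPv6 ICMP error message.
    interval_ms:    time between tokens being placed in the bucket;
                    0 disables rate limiting.
    bucketsize:     maximum number of tokens the bucket can hold.
    Returns a list of booleans, True where the error message is sent.
    """
    if interval_ms < 0 or bucketsize < 1:
        raise ValueError("interval_ms must be >= 0 and bucketsize >= 1")
    if interval_ms == 0:
        return [True] * len(event_times_ms)

    tokens = bucketsize      # assumption: the bucket starts full
    last_tick = 0            # time of the most recent token arrival
    previous = 0
    decisions = []
    for t in event_times_ms:
        if t < previous:
            raise ValueError("timestamps must be non-decreasing")
        previous = t
        # Add one token per elapsed interval, never exceeding bucketsize.
        ticks = (t - last_tick) // interval_ms
        if ticks > 0:
            tokens = min(bucketsize, tokens + ticks)
            last_tick += ticks * interval_ms
        if tokens > 0:
            tokens -= 1          # one token pays for one error message
            decisions.append(True)
        else:
            decisions.append(False)  # bucket empty: message suppressed
    return decisions


def sent_count(decisions):
    """Number of ICMP error messages actually sent."""
    return sum(1 for d in decisions if d)


if __name__ == "__main__":
    # Constructed input: 50 triggering packets within 50 ms, bucketsize 20.
    burst = list(range(50))
    print("burst sent:", sent_count(simulate_icmp_error_limit(burst, 100, 20)))
    # Constructed input: one triggering packet every 10 ms for one second.
    flood = list(range(0, 1000, 10))
    print("flood sent:", sent_count(simulate_icmp_error_limit(flood, 100, 20)))
```
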
Example
Syntax
Parameters
• interface-id—Specifies the interface that is used as the egress interface for
packets sent without a specified IPv6Z interface identifier or with the
default 0 identifier.
Default
Command Mode
Example
To reset the interval to the default value, use the no form of this command.
Syntax
ipv6 nd advertisement-interval
no ipv6 nd advertisement-interval
Parameters
N/A.
Default Configuration
Command Mode
User Guidelines
Example
switchxxxxxx(config-if)# exit
To return the number of messages to the default value, use the no form of this
command.
Syntax
Parameters
• value—The number of neighbor solicitation messages. The acceptable
range is from 0 to 600. Configuring a value of 0 disables duplicate address
detection processing on the specified interface; a value of 1 configures a
single transmission without follow-up transmissions.
Default Configuration
Command Mode
User Guidelines
When duplicate address detection identifies a duplicate address, the state of the
address is set to DUPLICATE and the address is not used. If the duplicate address
is the link-local address of the interface, the processing of IPv6 packets is
disabled on the interface and an error SYSLOG message is issued.
If the duplicate address is a global address of the interface, the address is not
used and an error SYSLOG message is issued.
Note. Since DAD is not supported on NBMA interfaces, the command is allowed
on an IPv6 tunnel interface of the ISATAP type but has no effect there. The
configuration is saved and takes effect when the interface type is changed to
another type on which DAD is supported (for example, to the IPv6 manual
tunnel).
Example
switchxxxxxx(config-if)# exit
switchxxxxxx(config-if)# exit
To return the hop limit to its default value, use the no form of this command.
Syntax
Parameters
• value—Maximum number of hops. The acceptable range is from 1 to 255.
Default Configuration
The default value is defined by the ipv6 hop-limit command, or is set to 64 hops, if
the command was not configured.
Command Mode
User Guidelines
Use this command if you want to change the default value. The default value is
defined by the ipv6 hop-limit command.
Example
switchxxxxxx(config-if)# exit
To clear the flag from IPv6 router advertisements, use the no form of this
command.
Syntax
ipv6 nd managed-config-flag
no ipv6 nd managed-config-flag
Parameters
N/A.
Default Configuration
The “managed address configuration” flag is not set in IPv6 router
advertisements.
Command Mode
User Guidelines
Example
The following example configures the Managed Address Configuration flag in IPv6
router advertisements on VLAN 1:
switchxxxxxx(config-if)# exit
Syntax
Parameters
• milliseconds—Interval between IPv6 neighbor solicit transmissions. The
acceptable range is from 1000 to 3600000 milliseconds.
Default Configuration
0 seconds (unspecified) is advertised in router advertisements and the value 1000
milliseconds is used for the neighbor discovery activity of the router itself.
Command Mode
User Guidelines
This value will be included in all IPv6 router advertisements sent out this interface.
Very short intervals are not recommended in normal IPv6 operation. When a
non-default value is configured, the configured time is both advertised and used
by the router itself.
Example
The following example configures an IPv6 neighbor solicit transmission interval of
9000 milliseconds for VLAN 1:
switchxxxxxx(config-if)# exit
To clear the flag from IPv6 router advertisements, use the no form of this
command.
Syntax
ipv6 nd other-config-flag
no ipv6 nd other-config-flag
Parameters
N/A.
Default Configuration
The Other Stateful configuration flag is not set in IPv6 router advertisements.
Command Mode
Interface Configuration mode
User Guidelines
The setting of the Other Stateful configuration flag in IPv6 router advertisements
indicates to attached hosts how they can obtain autoconfiguration information
other than addresses. If the flag is set, the attached hosts should use stateful
autoconfiguration to obtain the other (nonaddress) information.
Note. If the Managed Address Configuration flag is set using the ipv6 nd
managed-config-flag command, then an attached host can use stateful
autoconfiguration to obtain the other (nonaddress) information regardless of the
setting of the Other Stateful configuration flag.
Example
The following example configures the Other Stateful configuration flag in IPv6
router advertisements on VLAN 1:
switchxxxxxx(config-if)# exit
To remove the prefixes, use the no form of this command.
Syntax
Parameters
• ipv6-prefix—IPv6 network number to include in router advertisements. This
argument must be in the form documented in RFC4293, where the address
is specified in hexadecimal using 16-bit values between colons.
Default Configuration
All prefixes configured on interfaces that originate IPv6 router advertisements are
advertised with a valid lifetime of 2,592,000 seconds (30 days) and a preferred
lifetime of 604,800 seconds (7 days).
• All prefixes are advertised as on-link (for example, the L-bit is set in the
advertisement)
Command Mode
User Guidelines
This command enables control over the individual parameters per prefix, including
whether the prefix should be advertised.
Use the ipv6 nd prefix ipv6-prefix/prefix-length command to add the prefix to the
Prefix table.
Note. The no ipv6 nd prefix command does not return the default values to the
original default values.
• Advertise all prefixes configured by the ipv6 nd prefix command without
the no-advertise keyword.
Default Keyword
The default keyword can be used to set default values for automatic advertised
prefixes configured as addresses on the interface using the ipv6 address
command.
Note. These default values are not used as the default values in the ipv6 nd prefix
command.
Use the no ipv6 nd prefix default command to return the default values to the
original default values.
On-Link
When on-link is “on” (by default), the specified prefix is assigned to the link. Nodes
sending traffic to such addresses that contain the specified prefix consider the
destination to be locally reachable on the link. An on-link prefix is inserted into the
routing table as a Connected prefix.
Auto-configuration
When auto-configuration is on (by default), it indicates to hosts on the local link that
the specified prefix can be used for IPv6 auto-configuration.
The configuration options affect the L-bit and A-bit settings associated with the
prefix in the IPv6 ND Router Advertisement, and presence of the prefix in the
routing table, as follows:
Examples
switchxxxxxx(config-if)# exit
Example 2. The following example advertises the prefix with the L-bit clear:
switchxxxxxx(config-if)# exit
Syntax
ipv6 nd ra interval maximum-secs [minimum-secs]
no ipv6 nd ra interval
Parameters
Default Configuration
Command Mode
User Guidelines
The interval between transmissions should be less than or equal to the IPv6 router
advertisement lifetime if you configure the route as a default router by using this
command. To prevent synchronization with other IPv6 nodes, the actual interval
used is randomly selected from a value between the minimum and maximum
values.
The minimum RA interval may never be more than 75% of the maximum RA
interval and never less than 3 seconds.
Examples
switchxxxxxx(config-if)# exit
switchxxxxxx(config-if)# exit
Syntax
no ipv6 nd ra lifetime
Parameters
Default Configuration
Command Mode
Interface Configuration mode
User Guidelines
The Router Lifetime value is included in all IPv6 router advertisements sent out the
interface. The value indicates the usefulness of the router as a default router on
this interface. Setting the value to 0 indicates that the router should not be
considered a default router on this interface. The Router Lifetime value can be set
to a non-zero value to indicate that it should be considered a default router on this
interface. The non-zero value for the Router Lifetime value should not be less than
the router advertisement interval.
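The timing constraints stated for ipv6 nd ra interval and ipv6 nd ra lifetime can be checked offline against a saved configuration. The following Python linter is an added example, not part of this guide; the configuration fragment is constructed, and the `interface vlan N` / `exit` block layout and the `ipv6 nd ra lifetime <seconds>` form are assumptions about how the running configuration is written.

```python
import re

# Constructed configuration fragment (assumed layout, not taken from the guide).
SAMPLE_CONFIG = """\
interface vlan 1
 ipv6 nd ra interval 200 100
 ipv6 nd ra lifetime 1800
exit
interface vlan 20
 ipv6 nd ra interval 600 500
 ipv6 nd ra lifetime 300
exit
interface vlan 30
 ipv6 nd ra interval 10 2
 ipv6 nd ra lifetime 0
exit
"""

INTERFACE_RE = re.compile(r"^interface (.+)$")
INTERVAL_RE = re.compile(r"^ipv6 nd ra interval (\d+)(?: (\d+))?$")
LIFETIME_RE = re.compile(r"^ipv6 nd ra lifetime (\d+)$")


def parse_ra_settings(config_text):
    """Return {interface: {"max": int|None, "min": int|None, "lifetime": int|None}}."""
    settings = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        match = INTERFACE_RE.match(line)
        if match:
            current = match.group(1)
            settings[current] = {"max": None, "min": None, "lifetime": None}
            continue
        if line == "exit":
            current = None
            continue
        if current is None:
            continue
        match = INTERVAL_RE.match(line)
        if match:
            settings[current]["max"] = int(match.group(1))
            settings[current]["min"] = int(match.group(2)) if match.group(2) else None
            continue
        match = LIFETIME_RE.match(line)
        if match:
            settings[current]["lifetime"] = int(match.group(1))
    return settings


def lint_ra_timing(config_text):
    """Return a list of (interface, finding) tuples for the documented constraints."""
    findings = []
    for ifname, s in parse_ra_settings(config_text).items():
        max_s, min_s, lifetime = s["max"], s["min"], s["lifetime"]
        if min_s is not None:
            # "never less than 3 seconds"
            if min_s < 3:
                findings.append((ifname, "minimum RA interval is below 3 seconds"))
            # "never more than 75% of the maximum" (integer form of min > 0.75 * max)
            if max_s is not None and min_s * 4 > max_s * 3:
                findings.append((ifname, "minimum RA interval exceeds 75% of the maximum"))
        # A lifetime of 0 means "not a default router" and is exempt from the check.
        if lifetime and max_s is not None and lifetime < max_s:
            findings.append((ifname, "non-zero router lifetime is shorter than the RA interval"))
    return findings


if __name__ == "__main__":
    for ifname, finding in lint_ra_timing(SAMPLE_CONFIG):
        print(f"{ifname}: {finding}")
```

Interfaces that omit the optional minimum are checked only for the lifetime rule, because the default minimum is not stated in this section.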
Example
switchxxxxxx(config-if)# exit
Syntax
ipv6 nd ra suppress
no ipv6 nd ra suppress
Parameters
N/A.
Default Configuration
Command Mode
User Guidelines
Use the no ipv6 nd ra suppress command to enable the sending of IPv6 router
advertisement transmissions on a Point-to-Point interface (for example, manual
tunnel).
Use the no ipv6 nd ra suppress command to enable the sending of IPv6 router
advertisement transmissions on a NBMA interface (for example, ISATAP tunnel).
Examples
Example 1. The following example suppresses IPv6 router advertisements on vlan
1:
switchxxxxxx(config-if)# exit
switchxxxxxx(config-if)# exit
Syntax
no ipv6 nd reachable-time
Parameters
Default Configuration
Command Mode
User Guidelines
The configured time enables the router to detect unavailable neighbors. Shorter
configured times enable the router to detect unavailable neighbors more quickly;
however, shorter times consume more IPv6 network bandwidth and processing
resources in all IPv6 network devices. Very short configured times are not
recommended in normal IPv6 operation.
Example
switchxxxxxx(config-if)# exit
Syntax
ipv6 nd router-preference {high | medium | low}
no ipv6 nd router-preference
Parameters
Default Configuration
Command Mode
User Guidelines
RA messages are sent with the DRP configured by this command. If no DRP is
configured, RAs are sent with a medium preference.
A DRP is useful when, for example, two routers on a link may provide equivalent,
but not equal-cost, routing, and policy may dictate that hosts should prefer one of
the routers.
Example
The following example configures a DRP of high for the router on VLAN 1:
switchxxxxxx(config-if)# exit
Syntax
Parameters
Default Configuration
Static entries are not configured in the IPv6 neighbor discovery cache.
Command Mode
User Guidelines
If the specified IPv6 address is a global IPv6 address, it must belong to one of the
static on-link prefixes defined in the interface. When a static on-link prefix is
deleted, all static entries in the IPv6 neighbor discovery cache corresponding to the
prefix are deleted too.
If an entry for the specified IPv6 address already exists in the neighbor discovery
cache, learned through the IPv6 neighbor discovery process, the entry is
automatically converted to a static entry.
Static entries in the IPv6 neighbor discovery cache are not modified by the
neighbor discovery process.
Use the no ipv6 neighbor ipv6-address interface-id command to remove the
given static entry on the given interface. The command does not remove the entry
from the cache if it is a dynamic entry, learned from the IPv6 neighbor discovery
process.
Use the no ipv6 neighbor interface-id command to delete all static entries on
the given interface.
Use the no ipv6 neighbor command to remove all static entries on all
interfaces.
Use the show ipv6 neighbors command to view static entries in the IPv6 neighbor
discovery cache. A static entry in the IPv6 neighbor discovery cache can have one
of the following states:
• INCMP (Incomplete)—The interface for this entry is down.
Note. Reachability detection is not applied to static entries in the IPv6 neighbor
discovery cache; therefore, the descriptions for the INCMP and REACH states are
different for dynamic and static cache entries.
Examples
Example 1. The following example configures a static entry in the IPv6 neighbor
discovery cache for a neighbor with the IPv6 address 2001:0DB8::45A and
link-layer address 0002.7D1A.9472 on VLAN 1:
Example 2. The following example deletes the static entry in the IPv6 neighbor
discovery cache for a neighbor with the IPv6 address 2001:0DB8::45A and
link-layer address 0002.7D1A.9472 on VLAN 1:
Example 3. The following example deletes all static entries in the IPv6 neighbor
discovery cache on VLAN 1:
Example 4. The following example deletes all static entries in the IPv6 neighbor
discovery cache on all interfaces:
Syntax
Parameters
• map-tag—Name of the route map to use for policy routing. The name must
match a map-tag value specified by a route-map (Policy Routing) command.
Default Configuration
Command Mode
User Guidelines
Use the ipv6 policy route-map command to enable IPv6 policy routing.
Use the ipv6 policy route-map command to enable policy routing on an interface.
Policy routing actually takes place only if IPv6 is enabled on the interface.
IPv6 packets that match the conditions of the route map with the map-tag name
take a route that depends on the action of the matched
ACL:
• Name of the route map to use for policy routing. The name must match a
map-tag value specified by a route-map (Policy Routing) command.
Unmatched IPv6 packets are forwarded using the obvious shortest path.
IPv6 policy routing on a Layer 2 interface is performed only when an IPv6 interface is
defined, its status is UP, and the next hop is reachable. If IPv6 policy routing is
not applied, the matched IPv6 packets are forwarded using the obvious
shortest path.
Note. As with regular IPv6 routing, policy-based IPv6 routing
routes only MAC "to me" IPv6 frames.
• VLAN ACL
Example
switchxxxxxx(config-if)# exit
To disable the sending of redirect messages, use the no form of this command.
Syntax
ipv6 redirects
no ipv6 redirects
Parameters
N/A.
Default Configuration
Command Mode
Example
The following example disables the sending of ICMP IPv6 redirect messages on
VLAN 100 and re-enables the messages on VLAN 2:
switchxxxxxx(config-if)# exit
switchxxxxxx(config-if)# exit
Syntax
ipv6 route ipv6-prefix/prefix-length {next-ipv6-address | interface-id} [metric]
Parameters
• ipv6-prefix—IPv6 network that is the destination of the static route. Can also
be a host name when static host routes are configured.
Default Configuration
Static entries are not configured in the IPv6 neighbor discovery cache.
Command Mode
User Guidelines
If the next IPv6 address is a global IPv6 address, it should belong to a static on-link
prefix. When an on-link prefix is removed or is changed to non on-link prefix, the
static routes with next hop belonging to the prefix are removed from the
configuration.
Examples
Example 1. The following example defines a static route with a global next hop:
Example 2. The following example defines a static route with a link-local next hop:
switchxxxxxx(config)# ipv6 route 2001:DB8:2222::/48
FE80::260:3EFF:FE11:6770%vlan1 12
28.28 ipv6 unicast-routing
Use the ipv6 unicast-routing command in Global Configuration mode to enable the
forwarding of IPv6 Unicast datagrams.
To disable the forwarding of IPv6 Unicast datagrams, use the no form of this
command.
Syntax
ipv6 unicast-routing
no ipv6 unicast-routing
Parameters
N/A.
Default Configuration
Command Mode
Example
Syntax
ipv6 unreachables
no ipv6 unreachables
Parameters
N/A.
Default Configuration
Command Mode
User Guidelines
If the switch receives a Unicast packet destined for itself that uses a protocol it
does not recognize, it sends an ICMPv6 unreachable message to the source.
If the switch receives a datagram that it cannot deliver to its ultimate destination
because it knows of no route to the destination address, it replies to the originator
of that datagram with an ICMP host unreachable message.
Example
switchxxxxxx(config-if)# exit
Syntax
Parameters
Default Configuration
Command Mode
User EXEC mode
User Guidelines
Use this command to validate the IPv6 status of an interface and its configured
addresses. This command also displays the parameters that IPv6 uses for
operation on this interface and any configured features.
If the interface’s hardware is usable, the interface is marked up.
Examples
Example 1. The show ipv6 interface command displays information about the
specified interface:
VLAN 1 is up/up
2000:0DB8::2/64 Manual
2000:1DB8::2011/64 Manual
FF02::1
FF02::2
FF02::1:FF11:6770
MLD Version is 2
Field Descriptions:
• IPv6 is enabled, stalled, disabled (stalled and disabled are not shown in
sample output)—Indicates that IPv6 is enabled, stalled, or disabled on the
interface. If IPv6 is enabled, the interface is marked Enabled. If duplicate
address detection processing identified the link-local address of the
interface as being a duplicate address, the processing of IPv6 packets is
disabled on the interface and the interface is marked Stalled. If IPv6 is not
enabled, the interface is marked Disabled.
• Global unicast address(es):—Displays the global Unicast addresses
assigned to the interface. The type is manual or autoconfig.
Example 2. The show ipv6 interface command displays information about the
specified manual IPv6 tunnel:
Tunnel 2 is up/up
2000:0DB8::2/64 Manual
2000:1DB8::2011/64 Manual
FF02::1
FF02::2
FF02::1:FF11:6770
MLD Version is 2
Field Descriptions:
• IPv6 is enabled, stalled, disabled (stalled and disabled are not shown in
sample output)—Indicates that IPv6 is enabled, stalled, or disabled on the
interface. If IPv6 is enabled, the interface is marked “enabled.” If duplicate
address detection processing identified the link-local address of the
interface as being a duplicate address, the processing of IPv6 packets is
disabled on the interface and the interface is marked “stalled.” If IPv6 is not
enabled, the interface is marked “disabled.”
• Tunnel Local IPv4 address—Specifies the tunnel local IPv4 address and
has one of the following formats:
- ipv4-address
- ipv4-address (auto)
- ipv4-address (interface-id)
• Tunnel Remote Ipv4 address—Specifies the tunnel remote IPv4 address
Example 3. The show ipv6 interface command displays information about the
specified ISATAP tunnel:
Tunnel 1 is up/up
2000:0DB8::2/64 Manual
2000:1DB8::2011/64 Manual
FF02::1
FF02::2
FF02::1:FF11:6770
is 1500 bytes
ND router advertisements are sent every 200 seconds
MLD Version is 2
Field Descriptions:
• IPv6 is enabled, stalled, disabled (stalled and disabled are not shown in
sample output)—Indicates that IPv6 is enabled, stalled, or disabled on the
interface. If IPv6 is enabled, the interface is marked “enabled.” If duplicate
address detection processing identified the link-local address of the
interface as being a duplicate address, the processing of IPv6 packets is
disabled on the interface and the interface is marked “stalled.” If IPv6 is not
enabled, the interface is marked “disabled.”
• Tunnel Local IPv4 address—Specifies the tunnel local IPv4 address and
has one of the following formats:
- ipv4-address
- ipv4-address (auto)
- ipv4-address (interface-id)
• Tunnel Remote Ipv4 address—Specifies the tunnel remote IPv4 address
• ISATAP Router DNS name is—The DNS name of the ISATAP Router
Example 4. The following command with the brief keyword displays information
about all interfaces that IPv6 is defined on:
switchxxxxxx# show ipv6 interface brief
Example 5. This sample output shows the characteristics of VLAN 1 that has
generated a prefix from a local IPv6 prefix pool:
switchxxxxxx(config-if)# exit
switchxxxxxx(config)# exit
Syntax
Command Mode
Examples
Example 1. The following example displays the default zone when it is defined:
Example 2. The following example displays the default zone when it is not defined:
28.32 show ipv6 nd prefix
Use the show ipv6 nd prefix command in user EXEC or privileged EXEC mode to
display IPv6 prefixes included in IPv6 Neighbor Discovery (ND) router
advertisements.
Syntax
show ipv6 nd prefix [interface-id]
Parameters
• interface-id—Specified interface identifier on which prefixes are
advertised.
Default Configuration
Command Mode
User Guidelines
Use the show ipv6 nd prefix command with the interface-id argument to display
prefixes advertised on a single interface.
Example
vlan 100
default
on-link
auto-config
prefix 2001::1/64
prefix 2001:2:12/64
no advertise
prefix 2002::1/64
on-link
prefix 2011::1/64
off-link
auto-config
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
When the interface-id argument is not specified, cache information for all IPv6
neighbors is displayed. Specifying the interface-id argument displays only cache
information about the specified interface.
Examples
Example 1. The following is sample output from the show ipv6 neighbors
command when entered with an interface-id:
Example 2. The following is sample output from the show ipv6 neighbors
command when entered with an IPv6 address:
Field Descriptions:
Syntax
show ipv6 route [ipv6-address | ipv6-prefix/prefix-length | protocol | interface
interface-id]
Parameters
Default Configuration
All IPv6 routing information for all active routing tables is displayed.
Command Mode
User EXEC mode
User Guidelines
This command provides output similar to the show ip route command, except that
the information is IPv6-specific.
Examples
Example 1. The following is sample output from the show ipv6 route command
when IPv6 Routing is not enabled and the command is entered without an IPv6
address or prefix specified:
Example 2. The following is sample output from the show ipv6 route command
when IPv6 Routing is enabled and the command is entered without an IPv6
address or prefix specified:
S - Static, C - Connected,
VLAN 1
Status: Active
VLAN 100
VLAN 110
ACL Name: ACLTCPHTTP
VLAN 200
Status: Active
Syntax
Parameters
N/A.
Command Mode
Example
The following is sample output from the show ipv6 route summary command:
Number of prefixes:
Syntax
Parameters
• detail—Displays, for invalid routes, the reason why the route is not valid.
Default Configuration
All IPv6 static routing information for all active routing tables is displayed.
Command Mode
User Guidelines
When the detail keyword is specified, the reason why the route is not valid is
displayed for invalid direct or fully specified routes.
Examples
Example 1. The following is sample output from the show ipv6 static command
without specified options:
Example 2. The following is sample output from the show ipv6 route command
when entered with the IPv6 prefix 2001:200::/35:
Example 3. The following is sample output from the show ipv6 route command
when entered with the interface VLAN 1:
Example 4. The following is sample output from the show ipv6 route command
with the detail keyword:
Interface is down
* 6000::/16, via nexthop 2007::1, metric 1
29
IPv6 First Hop Security
29.0
Policies
Policies contain the rules of verification that will be performed on input packets.
They can be attached to VLANs and/or port (Ethernet port or port channel).
The final set of rules that is applied to an input packet on a port is built in the
following way:
1. The rules configured in policies attached to the port on the VLAN on which the
packet arrived are added to the set.
2. The rules configured in the policy attached to the VLAN are added to the set if
they have not been added at the port level.
3. The global rules are added to the set if they have not been added at the VLAN or
port level.
Rules defined at the port level override the rules set at the VLAN level. Rules
defined at the VLAN level override the globally-configured rules. The
globally-configured rules override the system defaults.
You can attach multiple policies (for a specific sub-feature) to a port if they specify
different VLANs.
A sub-feature policy does not take effect until:
Default Policies
Empty default policies exist for each sub-feature and are by default attached to all
VLANs and ports. The default policies are named "vlan_default" and "port_default".
Rules can be added to these default policies. You do not have to manually attach
default policies to ports. They are attached by default.
When a user-defined policy is attached to a port, the default policy for that port is
detached. If the user-defined policy is detached from the port, the default policy is
reattached.
Default policies can never be deleted. You can only delete the user-added
configuration.
Lists of Commands
29.1 address-config
To specify allowed configuration methods of global IPv6 addresses within an IPv6
Neighbor Binding policy, use the address-config command in Neighbor Binding
Policy Configuration mode. To return to the default, use the no form of this
command.
Syntax
no address-config
Parameters
• any—All configuration methods for global IPv6 bound from NDP messages
(stateless and manual) are allowed. If no keyword is defined the any
keyword is applied.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Policy attached to VLAN: global configuration.
Command Mode
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports
in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value
overrides the value in the policy attached to the VLAN.
Example
The following example shows how to change the global configuration to allow only
the DHCP address configuration method:
switchxxxxxx(config-nbr-binding)# exit
29.2 address-prefix-validation
To define the bound address prefix validation within an IPv6 Neighbor Binding
policy, use the address-prefix-validation command in Neighbor Binding Policy
Configuration mode. To return to the default, use the no form of this command.
Syntax
Parameters
• enable—Enables bound address prefix validation. If no keyword is
configured, this keyword is applied by default.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Command Mode
User Guidelines
Example
The following example shows how to define policy1 that changes the global
bound address verification in Neighbor Binding:
switchxxxxxx(config-nbr-binding)# exit
Syntax
Parameters
Command Mode
User Guidelines
This command clears port counters about packets handled by IPv6 First Hop
Security.
Use the interface keyword to clear all counters for the specific port.
Example
The following example clears IPv6 First Hop Security counters on port te1/0/1:
Syntax
clear ipv6 first hop security error counters
Parameters
N/A
Command Mode
User Guidelines
This command clears global error counters.
Example
The following example clears IPv6 First Hop Security error counters:
Syntax
Parameters
• vlan-id—Clear the dynamic prefixes that match the specified VLAN.
• prefix-address/prefix-length—Clear the specific dynamic prefix.
Command Mode
User Guidelines
This command deletes the dynamic entries of the Neighbor Prefix table.
Use the clear ipv6 neighbor binding prefix table vlan vlan-id
prefix-address/prefix-length command to delete one specific entry.
Use the clear ipv6 neighbor binding prefix table vlan vlan-id command to delete
the dynamic entries that match the specified VLAN.
Use the clear ipv6 neighbor binding prefix table command to delete all dynamic
entries.
Examples
Example 2. The following example clears all dynamic prefixes that match VLAN
100:
Syntax
clear ipv6 neighbor binding table [vlan vlan-id] [interface interface-id] [ipv6
ipv6-address] [mac mac-address] [ndp | dhcp]
Parameters
• vlan vlan-id—Clear the dynamic entries that match the specified VLAN.
• ndp—Clear the dynamic entries that are bound from NDP messages.
• dhcp—Clear the dynamic entries that are bound from DHCPv6 messages.
Command Mode
User Guidelines
This command deletes the dynamic entries of the Neighbor Binding table.
The dynamic entries to be deleted can be specified by the vlan-id argument, the
interface-id argument, IPv6 address, MAC address, or by type of message from
which they were bound.
If neither the ndp keyword nor the dhcp keyword is defined, the entries are removed
regardless of their origin.
Example
The following example clears all dynamic entries that exist on VLAN 100 & port
te1/0/1:
switchxxxxxx# clear ipv6 neighbor binding table vlan 100 interface te1/0/1
Syntax
Parameters
• client—Sets the role of the device to DHCPv6 client.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Command Mode
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports
in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value
overrides the value in the policy attached to the VLAN.
IPv6 DHCP Guard discards the following DHCPv6 messages sent by DHCPv6
servers/relays and received on ports configured as client:
• ADVERTISE
• REPLY
• RECONFIGURE
• RELAY-REPL
• LEASEQUERY-REPLY
Example
The following example defines an IPv6 DHCP Guard policy named policy 1 and
configures the port role as the server:
switchxxxxxx(config-dhcp-guard)# exit
Syntax
no device-role
Parameters
Default Configuration
Policy attached to port or port channel: Value configured in the policy attached to
the VLAN.
Command Mode
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports
in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value
overrides the value in the policy attached to the VLAN.
A dynamic IPv6 address bound to a port is deleted when its role is changed from
perimetrical to internal. A static IPv6 address is kept.
Example
The following example defines a Neighbor Binding policy named policy 1 and
configures the port role as an internal port:
switchxxxxxx(config-nbr-binding)# exit
Syntax
no device-role
Parameters
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Command Mode
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports
in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value
overrides the value in the policy attached to the VLAN.
Example
The following example defines an ND Inspection policy named policy 1 and
configures the port role as router:
switchxxxxxx(config-nd-inspection)# exit
29.10 device-role (RA Guard Policy)
To specify the role of the device attached to the port within an IPv6 RA Guard
policy, use the device-role command in RA Guard Policy Configuration mode. To
return to the default, use the no form of this command.
Syntax
device-role {host | router}
no device-role
Parameters
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Command Mode
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports
in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value
overrides the value in the policy attached to the VLAN.
RA Guard discards input RA, CPA, and ICMPv6 Redirect messages received on
ports configured as host.
Example
The following example defines an RA Guard policy named policy 1 and configures
the port role as router:
switchxxxxxx(config-ra-guard)# exit
29.11 drop-unsecure
To enable dropping messages with no or invalid options or an invalid signature
within an IPv6 ND Inspection policy, use the drop-unsecure command in ND
Inspection Policy Configuration mode. To return to the default, use the no form of
this command.
Syntax
no drop-unsecure
Parameters
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Command Mode
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports
in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value
overrides the value in the policy attached to the VLAN.
Example
The following example defines an ND Inspection policy named policy1, places the
switch in ND Inspection Policy Configuration mode, and enables the switch to drop
messages with no or invalid options or an invalid signature:
switchxxxxxx(config-nd-inspection)# drop-unsecure
switchxxxxxx(config-nd-inspection)# exit
29.12 hop-limit
To enable the verification of the advertised Cur Hop Limit value in RA messages
within an IPv6 RA Guard policy, use the hop-limit command in RA Guard Policy
Configuration mode. To return to the default, use the no form of this command.
Syntax
Parameters
• maximum value—Verifies that the hop-count limit is less than or equal to the
value argument. Range 1-255. The value of the high boundary must be
equal to or greater than the value of the low boundary.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Command Mode
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports
in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value
overrides the value in the policy attached to the VLAN.
Use the disable keyword to disable verification regardless of the global or VLAN
configuration.
Examples
switchxxxxxx(config-ra-guard)# exit
switchxxxxxx(config-ra-guard)# exit
Syntax
no ipv6 dhcp guard
Parameters
N/A
Default Configuration
Command Mode
User Guidelines
Examples
switchxxxxxx(config-if)# exit
switchxxxxxx(config-if-range)# exit
Syntax
ipv6 dhcp guard attach-policy policy-name [vlan vlan-list]
Parameters
Default Configuration
Command Mode
User Guidelines
Each time the command is used, it overrides the previous command within the
same policy.
The set of rules that is applied to an input packet is built in the following way:
• The rules configured in the policy attached to the port on the VLAN on
which the packet arrived are added to the set.
• The rules configured in the policy attached to the VLAN are added to the
set if they have not been added.
• The global rules are added to the set if they have not been added.
Use no ipv6 dhcp guard attach-policy to detach all user-defined DHCP Guard
policies attached to the port.
Use no ipv6 dhcp guard attach-policy policy-name to detach the specific policy
from the port.
Examples
Example 1—In the following example, the DHCPv6 Guard policy policy1 is
attached to the te1/0/1 port and the default policy port_default is detached:
switchxxxxxx(config-if)# exit
Example 2—In the following example, the DHCPv6 Guard policy policy1 is
attached to the te1/0/1 port and applied to VLANs 1-10 and 12-20:
switchxxxxxx(config-if)# exit
Example 3—In the following example, the DHCPv6 Guard policy policy1 is
attached to the te1/0/1 port and applied to VLANs 1-10 and the DHCPv6 Guard
policy policy2 is attached to the te1/0/1 port and applied to VLANs 12-20:
switchxxxxxx(config-if)# exit
Example 4—In the following example DHCPv6 Guard detaches policy1 from the
te1/0/1 port:
switchxxxxxx(config-if)# exit
Syntax
Parameters
Default Configuration
The DHCPv6 Guard default policy is applied.
Command Mode
User Guidelines
Example
In the following example, the DHCPv6 Guard policy policy1 is attached to VLAN
100:
switchxxxxxx(config-if)# exit
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
This command defines the DHCPv6 Guard policy name, and places the router in
DHCPv6 Guard Policy Configuration mode.
• match reply
• preference
Each policy of the same type (for example, DHCPv6 Guard policies) must have a
unique name. Policies of different types can have the same policy name.
The switch supports two predefined, default DHCPv6 Guard policies named:
"vlan_default" and "port_default":
ipv6 dhcp guard policy vlan_default
exit
exit
The default policies are empty and cannot be removed, but can be changed. The
no ipv6 dhcp guard policy command does not remove the default policies; it only
removes the policy configuration defined by the user.
The default policies cannot be attached by the ipv6 dhcp guard attach-policy
(port mode) or ipv6 dhcp guard attach-policy (VLAN mode) command. The
vlan_default policy is attached by default to a VLAN, if no other policy is attached
to the VLAN. The port_default policy is attached by default to a port, if no other
policy is attached to the port.
You can define a policy using the ipv6 dhcp guard policy command multiple times.
Examples
switchxxxxxx(config-dhcp-guard)# exit
Example 2—The following example defines a DHCPv6 Guard named policy1 by
multiple steps:
switchxxxxxx(config-dhcp-guard)# exit
switchxxxxxx(config-dhcp-guard)# exit
te1/0/1, te1/0/2
The policy1 will be detached and removed, are you sure [Y/N]Y
Syntax
Parameters
Default Configuration
Verification is disabled.
Command Mode
User Guidelines
This command enables verification that the preference value in messages sent by
DHCPv6 servers (see RFC3315) is greater than or less than the value
argument.
Note. When DHCPv6 Guard receives a RELAY-REPL message, it takes the preference
value from the encapsulated message.
Configuring the minimum value keyword and argument specifies the minimum
allowed value. The received DHCPv6 reply message with a preference value less
than a value specified by the value argument is dropped.
Configuring the maximum value keyword and argument specifies the maximum
allowed value. The received DHCPv6 reply message with a preference value
greater than the value specified by the value argument is dropped.
Use no ipv6 dhcp guard preference to disable verification of the advertised
preference value in DHCPv6 reply messages.
Use the no ipv6 dhcp guard preference minimum command to disable verification
of the minimum boundary of the value of the advertised preference value in
DHCPv6 messages.
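The preference check described above, including the RELAY-REPL unwrapping, as an added Python example (not code from the switch or from this guide). The function names and sample messages are constructed; treating a missing Preference option as 0 (the RFC 3315 client rule) and dropping malformed messages are assumptions.

```python
"""Added model of the DHCPv6 Guard preference check (not switch firmware)."""
import struct
from typing import Iterator, Optional, Tuple

ADVERTISE, RELAY_REPL = 2, 13
OPTION_PREFERENCE, OPTION_RELAY_MSG = 7, 9
RELAY_HEADER_LEN = 34      # msg-type, hop-count, link-address, peer-address
MAX_RELAY_DEPTH = 32       # HOP_COUNT_LIMIT in RFC 3315


def options(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the option-code / option-len / data triples of a DHCPv6 message."""
    pos = 0
    while pos < len(buf):
        if pos + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, pos)
        pos += 4
        if pos + length > len(buf):
            raise ValueError("option overruns message")
        yield code, buf[pos:pos + length]
        pos += length


def server_preference(msg: bytes, depth: int = 0) -> Optional[int]:
    """Return the advertised preference, unwrapping RELAY-REPL; None if absent."""
    if not msg:
        raise ValueError("empty message")
    if msg[0] == RELAY_REPL:
        if depth >= MAX_RELAY_DEPTH or len(msg) < RELAY_HEADER_LEN:
            raise ValueError("bad relay encapsulation")
        for code, data in options(msg[RELAY_HEADER_LEN:]):
            if code == OPTION_RELAY_MSG:
                return server_preference(data, depth + 1)
        raise ValueError("RELAY-REPL without a Relay Message option")
    if len(msg) < 4:
        raise ValueError("truncated message")
    for code, data in options(msg[4:]):          # skip msg-type + transaction-id
        if code == OPTION_PREFERENCE:
            if len(data) != 1:
                raise ValueError("bad Preference option length")
            return data[0]
    return None


def preference_rejected(msg: bytes, minimum: Optional[int] = None,
                        maximum: Optional[int] = None) -> bool:
    """True when the message would be dropped by the configured boundaries."""
    try:
        pref = server_preference(msg)
    except ValueError:
        return True                               # assumption: malformed is dropped
    pref = 0 if pref is None else pref            # assumption: absent counts as 0
    if minimum is not None and pref < minimum:
        return True
    return maximum is not None and pref > maximum


def _opt(code: int, data: bytes) -> bytes:
    return struct.pack("!HH", code, len(data)) + data


def build_advertise(pref: Optional[int]) -> bytes:
    """Constructed ADVERTISE with an optional Preference option."""
    body = _opt(OPTION_PREFERENCE, bytes([pref])) if pref is not None else b""
    return bytes([ADVERTISE]) + b"\x00\x00\x01" + body


def build_relay_reply(inner: bytes) -> bytes:
    """Constructed RELAY-REPL carrying `inner` in a Relay Message option."""
    return bytes([RELAY_REPL, 0]) + bytes(16) + bytes(16) + _opt(OPTION_RELAY_MSG, inner)


if __name__ == "__main__":
    for label, msg in (("direct 50", build_advertise(50)),
                       ("relayed 255", build_relay_reply(build_advertise(255)))):
        print(label, "dropped" if preference_rejected(msg, 10, 102) else "forwarded")
```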
Examples
Example 2—The following example defines a global minimum preference value of
10 and a global maximum preference value of 102 using a single command:
Syntax
Parameters
N/A
Default Configuration
Command Mode
User Guidelines
Use the ipv6 first hop security command to enable IPv6 First Hop Security on a
VLAN.
Examples
Example 1—The following example enables IPv6 First Hop Security on VLAN 100:
switchxxxxxx(config-if)# exit
Example 2—The following example enables IPv6 First Hop Security on VLANs
100-107:
switchxxxxxx(config-if-range)# exit
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Use this command to attach an IPv6 First Hop Security policy to a port.
Each succeeding usage of this command overrides the previous usage of the
command with the same policy.
Each time the command is used, it overrides the previous command within the
same policy.
The set of rules that is applied to an input packet is built in the following way:
• The rules configured in the policy attached to the port on the VLAN on
which the packet arrived are added to the set.
• The rules configured in the policy attached to the VLAN are added to the
set if they have not been added.
• The global rules are added to the set if they have not been added.
Use the no ipv6 first hop security attach-policy command to detach all
user-defined policies attached to the port. The default policy is reattached.
Use the no ipv6 first hop security attach-policy policy-name command to detach
the specific policy from the port.
Examples
Example 1—In the following example, the IPv6 First Hop Security policy policy1 is
attached to the te1/0/1 port:
switchxxxxxx(config-if)# exit
Example 2—In the following example, the IPv6 First Hop Security policy policy1 is
attached to the te1/0/1 port and applied to VLANs 1-10 and 12-20:
switchxxxxxx(config-if)# exit
Example 3—In the following example, the IPv6 First Hop Security policy policy1 is
attached to the te1/0/1 port and applied to VLANs 1-10 and the IPv6 First Hop
Security policy policy2 is attached to the te1/0/1 port and applied to VLANs
12-20:
switchxxxxxx(config-if)# exit
Example 4—In the following example, IPv6 First Hop Security detaches policy
policy1 from the te1/0/1 port:
switchxxxxxx(config-if)# exit
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Use this command to attach an IPv6 First Hop Security policy to a VLAN.
Use the no form of the command to detach the current policy and to
reattach the default policy. The no form of the command does not have an effect if
the default policy was attached.
Example
In the following example, the IPv6 First Hop Security policy policy1 is attached to
VLAN 100:
switchxxxxxx(config-if)# exit
Syntax
Parameters
N/A
Default Configuration
Logging is disabled.
Command Mode
User Guidelines
Use this command to log packets that are dropped. If logging is enabled, the
switch sends a rate-limited SYSLOG message every time it drops a message.
Example
The following example shows how to enable logging of dropped packets by the
IPv6 first-hop security feature:
Syntax
ipv6 first hop security policy policy-name
Parameters
Default Configuration
Command Mode
User Guidelines
This command defines an IPv6 First Hop Security policy, and places the switch in
IPv6 First Hop Security Policy Configuration mode.
The following command can be configured in IPv6 First Hop Security Policy
Configuration mode:
• logging packet drop
Each policy of the same type (for example, IPv6 First Hop Security policies) must
have a unique name. Policies of different types can have the same policy name.
The switch supports two predefined, empty, default IPv6 First Hop Security
policies named: "vlan_default" and "port_default":
ipv6 first hop security policy vlan_default
exit
exit
These policies cannot be removed, but they can be changed. The no ipv6 first hop
security policy command does not remove these policies; it only removes the policy
configurations defined by the user.
The default policies do not need to be attached by the ipv6 first hop security
attach-policy (port mode) or ipv6 first hop security attach-policy (VLAN mode)
command. The vlan_default policy is attached by default to a VLAN, if no other
policy is attached to the VLAN. The port_default policy is attached by default to a
port, if no other policy is attached to the port.
You can define a policy using the ipv6 first hop security policy command multiple
times.
Examples
Example 1—The following example defines the IPv6 First Hop Security policy
named policy1, places the switch in IPv6 First Hop Security Policy Configuration
mode, and enables logging of dropped packets:
switchxxxxxx(config)# exit
Example 2—The following example removes an attached IPv6 First Hop Security
policy:
te1/0/1, te1/0/2
The policy1 will be detached and removed, are you sure [Y/N]Y
Syntax
ipv6 nd inspection
no ipv6 nd inspection
Parameters
N/A
Default Configuration
Command Mode
User Guidelines
ND Inspection bridges NDP messages to all ports excluding the source port within
the VLAN with the following exception: RS and CPS messages are not bridged to
ports configured as host (see the device-role command).
Examples
switchxxxxxx(config-if)# exit
switchxxxxxx(config-if-range)# exit
Syntax
Parameters
• policy-name—The ND Inspection policy name (up to 32 characters).
• vlan vlan-list—Specifies that the ND Inspection policy is to be attached to
the VLAN(s) in vlan-list. If the vlan keyword is not configured, the policy is
applied to all VLANs on the device on which ND Inspection is enabled.
Default Configuration
Command Mode
User Guidelines
Use the ipv6 nd inspection attach-policy command to attach an ND Inspection
policy to a port.
Use the ipv6 nd inspection command to activate the attached policy on required
VLANs.
Each time the command is used, it overrides the previous command within the
same policy.
Multiple policies with the vlan keyword can be attached to the same port if they
do not have common VLANs.
The set of rules that is applied to an input packet is built in the following way:
• The rules configured in the policy attached to the port on the VLAN on
which the packet arrived are added to the set.
• The rules configured in the policy attached to the VLAN are added to the
set if they have not been added.
• The global rules are added to the set if they have not been added.
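The rule-set construction above (port policy, then VLAN policy, then global rules, each adding only what is not yet in the set) as an added Python model; it is not code from the switch or from this guide. The class, method and policy names are hypothetical, the rule keys mirror the ND Inspection commands in this chapter, and treating an attachment without a VLAN list as overlapping every other attachment is an assumption.

```python
"""Added model of how attached policies combine into one rule set (not switch code)."""
from typing import Dict, Optional, Set

ALL_VLANS = None  # attach-policy given without the vlan keyword


class FirstHopPolicies:
    def __init__(self) -> None:
        # The two predefined policies are empty until an administrator edits them.
        self.policies: Dict[str, dict] = {"vlan_default": {}, "port_default": {}}
        self.global_rules: dict = {}
        self.port_attach: Dict[str, Dict[str, Optional[Set[int]]]] = {}
        self.vlan_attach: Dict[int, str] = {}

    def define(self, name: str, **rules) -> None:
        """A policy can be defined in several steps; the rules accumulate."""
        self.policies.setdefault(name, {}).update(rules)

    def attach_vlan(self, vlan: int, name: str) -> None:
        if name not in self.policies:
            raise ValueError("policy is not defined, command rejected")
        self.vlan_attach[vlan] = name

    def attach_port(self, port: str, name: str,
                    vlans: Optional[Set[int]] = ALL_VLANS) -> None:
        if name not in self.policies:
            raise ValueError("policy is not defined, command rejected")
        attached = self.port_attach.setdefault(port, {})
        for other, other_vlans in attached.items():
            if other == name:
                continue  # same policy: the new command overrides the previous one
            # Assumption: an attachment without a VLAN list overlaps every other one.
            if vlans is ALL_VLANS or other_vlans is ALL_VLANS or vlans & other_vlans:
                raise ValueError(f"{name} and {other} have common VLANs")
        attached[name] = vlans

    def effective(self, port: str, vlan: int) -> dict:
        """Port policy first, then VLAN policy, then global rules; first value wins."""
        port_policy = "port_default"
        for name, vlans in self.port_attach.get(port, {}).items():
            if vlans is ALL_VLANS or vlan in vlans:
                port_policy = name
        vlan_policy = self.vlan_attach.get(vlan, "vlan_default")
        merged: dict = {}
        for layer in (self.policies[port_policy], self.policies[vlan_policy],
                      self.global_rules):
            for rule, value in layer.items():
                merged.setdefault(rule, value)  # added only if not already in the set
        return merged


def build_sample() -> FirstHopPolicies:
    """Constructed configuration: one VLAN policy, one port policy, two global rules."""
    fhs = FirstHopPolicies()
    fhs.global_rules = {"validate_source_mac": True, "sec_level_minimum": 1}
    fhs.define("vlan_pol", drop_unsecure=True, sec_level_minimum=2)
    fhs.define("port_pol", drop_unsecure=False)
    fhs.attach_vlan(100, "vlan_pol")
    fhs.attach_port("te1/0/1", "port_pol", {100})
    return fhs


if __name__ == "__main__":
    sample = build_sample()
    for port, vlan in (("te1/0/1", 100), ("te1/0/2", 100), ("te1/0/1", 200)):
        print(port, vlan, sample.effective(port, vlan))
```

On te1/0/1 in VLAN 100 the port policy turns drop-unsecure off even though the VLAN policy enables it, which is the kind of per-port exception worth auditing when a VLAN-wide control is expected to hold everywhere.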
Use the no ipv6 nd inspection attach-policy command to detach all user-defined
policies attached to the port.
Use the no ipv6 nd inspection attach-policy policy-name command to detach the
specific policy from the port.
Examples
Example 1—In the following example, the ND Inspection policy policy1 is attached
to the te1/0/1 port:
switchxxxxxx(config-if)# exit
Example 2—In the following example, the ND Inspection policy policy1 is attached
to the te1/0/1 port and applied to VLANs 1-10 and 12-20:
switchxxxxxx(config-if)# exit
Example 3—In the following example, the ND Inspection policy policy1 is attached
to the te1/0/1 port and applied to VLANs 1-10 and the ND Inspection policy policy2
is attached to the te1/0/1 port and applied to VLANs 12-20:
switchxxxxxx(config-if)# exit
Example 4—In the following example, ND Inspection detaches policy policy1 from
the te1/0/1 port:
switchxxxxxx(config-if)# exit
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
If the policy specified by the policy-name argument is not defined, the command
is rejected.
Use the no form of the command to detach the current policy and to reattach the
default policy. The no form of the command does not have an effect if the default
policy was attached.
Example
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# exit
Syntax
Parameters
N/A
Default Configuration
Command Mode
User Guidelines
This command drops NDP messages if they do not contain CGA and RSA
Signature options.
If this command is not configured, then the sec-level minimum command does not
have an effect.
If this command is configured, then only the sec-level minimum command has an
effect and all other configured ND Inspection policy commands are ignored.
Example
The following example enables the switch to drop messages with no or invalid
options or an invalid signature:
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
This command defines the ND Inspection policy name, and places the router in ND
Inspection Policy Configuration mode.
• drop-unsecure
• sec-level minimum
• validate source-mac
Each policy of the same type (for example, ND Inspection policies) must have a
unique name. Policies of different types can have the same policy name.
ipv6 nd inspection policy vlan_default
exit
exit
These policies cannot be removed, but they can be changed. The no ipv6 nd
inspection policy command does not remove these policies; it only removes the
policy configuration defined by the user.
Examples
switchxxxxxx(config-nd-inspection)# drop-unsecure
switchxxxxxx(config-nd-inspection)# exit
switchxxxxxx(config-nd-inspection)# drop-unsecure
switchxxxxxx(config-nd-inspection)# exit
switchxxxxxx(config-nd-inspection)# exit
te1/0/1, te1/0/2
The policy1 will be detached and removed, are you sure [Y/N]Y
Syntax
Parameters
• value—Sets the minimum security level. Range: 0–7.
Default Configuration
Command Mode
User Guidelines
This command specifies the minimum security level parameter value when the
drop-unsecure feature is configured.
Example
The following example enables the switch to specify 2 as the minimum CGA
security level:
Syntax
ipv6 nd inspection validate source-mac
Parameters
N/A
Default Configuration
Command Mode
User Guidelines
When the switch receives an NDP message, which contains a link-layer address in
the source/target link layer option, the source MAC address is checked against
the link-layer address. Use this command to drop the packet if the link-layer
address and the MAC addresses are different from each other.
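The source-MAC validation described above, written out as an added Python example that parses the NDP options itself; it is not the switch's implementation. The function names and sample messages are constructed, checksums are left at zero, and dropping malformed options is an assumption.

```python
"""Added model of 'validate source-mac' for NDP messages (not switch firmware)."""
import struct
from typing import List, Optional

# Offset of the first option for each NDP message type (RFC 4861, section 4):
# RS, RA, NS, NA, Redirect.
NDP_OPTIONS_OFFSET = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}
OPT_SOURCE_LLADDR, OPT_TARGET_LLADDR = 1, 2


def link_layer_options(icmp: bytes) -> List[bytes]:
    """Return every source/target link-layer address carried in an NDP message."""
    if not icmp or icmp[0] not in NDP_OPTIONS_OFFSET:
        raise ValueError("not an NDP message")
    pos = NDP_OPTIONS_OFFSET[icmp[0]]
    if len(icmp) < pos:
        raise ValueError("truncated NDP header")
    found = []
    while pos < len(icmp):
        if pos + 2 > len(icmp):
            raise ValueError("truncated option header")
        opt_type, units = icmp[pos], icmp[pos + 1]
        if units == 0:
            raise ValueError("option length 0 is invalid")
        end = pos + units * 8                     # length is in units of 8 octets
        if end > len(icmp):
            raise ValueError("option overruns message")
        if opt_type in (OPT_SOURCE_LLADDR, OPT_TARGET_LLADDR):
            found.append(icmp[pos + 2:pos + 8])   # 6-byte Ethernet address
        pos = end
    return found


def source_mac_valid(frame_src_mac: bytes, icmp: bytes) -> bool:
    """True when every link-layer option equals the Ethernet source MAC.

    A message without such an option passes, because the check only applies
    when a link-layer address is present. Malformed options fail (assumption).
    """
    try:
        return all(lla == frame_src_mac for lla in link_layer_options(icmp))
    except ValueError:
        return False


def build_ns(option_mac: Optional[bytes] = None) -> bytes:
    """Constructed Neighbor Solicitation with an optional source link-layer option."""
    msg = struct.pack("!BBHI", 135, 0, 0, 0) + bytes(16)   # header + target address
    if option_mac is not None:
        msg += bytes([OPT_SOURCE_LLADDR, 1]) + option_mac
    return msg


HOST_MAC = bytes.fromhex("020000000001")    # constructed sample addresses
OTHER_MAC = bytes.fromhex("020000000099")

if __name__ == "__main__":
    for label, msg in (("matching option", build_ns(HOST_MAC)),
                       ("mismatched option", build_ns(OTHER_MAC)),
                       ("no option", build_ns())):
        print(label, "forward" if source_mac_valid(HOST_MAC, msg) else "drop")
```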
Example
The following example enables the switch to drop an NDP message whose
link-layer address in the source/target link-layer option does not match the MAC
address:
Syntax
ipv6 nd raguard
no ipv6 nd raguard
Parameters
N/A
Default Configuration
Command Mode
User Guidelines
RA Guard discards RA, CPA, and ICMP Redirect messages received on ports that
are not configured as router (see the device-role command).
Examples
switchxxxxxx(config-if)# exit
switchxxxxxx(config-if-range)# exit
Syntax
Parameters
• policy-name—The RA Guard policy name (up to 32 characters).
• vlan vlan-list—Specifies that the RA Guard policy is to be attached to the
VLAN(s) in vlan-list. If the vlan keyword is not configured, the policy is
applied to all VLANs on the device on which RA Guard policy is enabled.
Default Configuration
Command Mode
User Guidelines
Each time the command is used, it overrides the previous command within the
same policy.
Multiple policies with the vlan keyword can be attached to the same port if they
do not have common VLANs.
The set of rules that is applied to an input packet is built in the following way:
• The rules configured in the policy attached to the port on the VLAN on
which the packet arrived are added to the set.
• The rules configured in the policy attached to the VLAN are added to the
set if they have not been added.
• The global rules are added to the set if they have not been added.
Examples
Example 1—In the following example, the RA Guard policy policy1 is attached to
the te1/0/1 port:
switchxxxxxx(config-if)# exit
Example 2—In the following example, the RA Guard policy policy1 is attached to
the te1/0/1 port and applied to VLANs 1-10 and 12-20:
switchxxxxxx(config-if)# ipv6 nd raguard attach-policy policy1 vlan 1-10,12-20
switchxxxxxx(config-if)# exit
Example 3—In the following example, the RA Guard policy policy1 is attached to
the te1/0/1 port and applied to VLANs 1-10 and the RA Guard policy policy2 is
attached to the te1/0/1 port and applied to VLANs 12-20:
switchxxxxxx(config-if)# exit
Example 4—In the following example RA Guard detaches policy policy1 from the
te1/0/1 port:
switchxxxxxx(config-if)# exit
Syntax
Parameters
• policy-name—The RA Guard policy name (up to 32 characters).
Default Configuration
Command Mode
User Guidelines
Use the no form of the command to detach the current policy and to reattach the
default policy. The no form of the command has no effect if the default policy was
attached.
Example
In the following example, the RA Guard policy policy1 is attached to VLAN 100:
switchxxxxxx(config-if)# exit
Syntax
Parameters
• minimum value—Verifies that the hop-count limit is greater than or equal to
the value argument. Range 1-255.
Default Configuration
Command Mode
User Guidelines
This command enables verification that the advertised Cur Hop Limit value in an
RA message (see RFC4861) is greater than or less than the value set by the value
argument.
Configuring the minimum value keyword and argument can prevent an attacker
from setting a low Cur Hop Limit value on the hosts to block them from generating
traffic to remote destinations; that is, beyond their default router. If the advertised
Cur Hop Limit value is unspecified (which is the same as setting a value of 0), the
packet is dropped.
Configuring the maximum value keyword and argument enables verification that
the advertised Cur Hop Limit value is less than or equal to the value set by the
value argument. If the advertised Cur Hop Limit value is unspecified (which is the
same as setting a value of 0), the packet is dropped.
Use the no ipv6 nd raguard hop-limit maximum command to disable verification of
the maximum boundary of the advertised Cur Hop Limit value in an RA message.
Examples
Example 1—The following example defines a minimum Cur Hop Limit value of 3
and a maximum Cur Hop Limit value of 100 using two commands:
Example 2—The following example defines a minimum Cur Hop Limit value of 3
and a maximum Cur Hop Limit value of 100 using a single command:
Syntax
Parameters
Default Configuration
Verification is disabled.
Command Mode
User Guidelines
Example
The following example enables M flag verification that checks if the value of the
flag is 0:
29.35 ipv6 nd raguard other-config-flag
To globally enable verification of the advertised “Other Configuration” flag in RA
messages, use the ipv6 nd raguard other-config-flag command in Global
Configuration mode. To return to the default, use the no form of this command.
Syntax
ipv6 nd raguard other-config-flag {on | off}
Parameters
Default Configuration
Verification is disabled.
Command Mode
Global Configuration mode
User Guidelines
This command enables verification of the advertised “Other Configuration” flag (or
"O" flag) in an RA message (see RFC4861). This flag could be set by an attacker to
force hosts to retrieve other configuration information through a DHCPv6 server
that might not be trustworthy.
Example
The following example shows how the command enables O flag verification that
checks if the value of the flag is 0:
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
This command defines the RA Guard policy name, and places the switch in IPv6
RA Guard Policy Configuration mode.
Each policy of the same type (for example, RA Guard policies) must have a unique
name. Policies of different types can have the same policy name.
The switch supports two predefined RA Guard policies, named: "vlan_default" and
"port_default":
ipv6 nd raguard policy vlan_default
exit
exit
The policies cannot be removed, but they can be changed. The no ipv6 nd raguard
policy command does not remove these policies; it only removes the policy
configuration defined by the user.
The policies cannot be attached by the ipv6 nd raguard attach-policy (port mode)
or ipv6 nd raguard attach-policy (VLAN mode) command. The vlan_default policy
is attached by default to a VLAN, if no other policy is attached to the VLAN. The
port_default policy is attached by default to a port, if no other policy is attached to
the port.
You can define a policy using the ipv6 nd raguard policy command multiple times.
• hop-limit
• managed-config-flag
• match ra address
• match ra prefixes
• other-config-flag
• router-preference
Examples
switchxxxxxx(config-ra-guard)# exit
switchxxxxxx(config-ra-guard)# exit
switchxxxxxx(config-ra-guard)# exit
te1/0/1, te1/0/2
The policy1 will be detached and removed, are you sure [Y/N]Y
Syntax
Parameters
Default Configuration
Verification is disabled.
Command Mode
User Guidelines
Configuring the minimum value keyword and argument specifies the minimum
allowed value. Received RA messages with a Default Router Preference value less
than the value argument are dropped.
Configuring the maximum value keyword and argument specifies the maximum
allowed value. Received RA messages with a Default Router Preference value
greater than the value argument are dropped.
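The RA Guard field checks from the hop-limit, managed-config-flag, other-config-flag and router-preference sections, combined in one added Python example that decodes a Router Advertisement header; this is not the switch's code. The names and sample RAs are constructed, and two points are assumptions: that on requires the flag to be 1 and off requires it to be 0, and that the reserved preference encoding is read as medium (the RFC 4191 receiver rule).

```python
"""Added model of the RA Guard field checks (not switch firmware)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

ND_ROUTER_ADVERT = 134
RANK = {"low": 0, "medium": 1, "high": 2}
# RFC 4191 two-bit Prf field; the reserved value 10 is read as medium.
PRF_TO_RANK = {0b11: 0, 0b00: 1, 0b01: 2, 0b10: 1}


@dataclass
class RaGuardRules:
    hop_min: Optional[int] = None        # hop-limit minimum value
    hop_max: Optional[int] = None        # hop-limit maximum value
    managed_flag: Optional[str] = None   # "on", "off" or None (not verified)
    other_flag: Optional[str] = None
    pref_min: Optional[str] = None       # "low", "medium" or "high"
    pref_max: Optional[str] = None


def parse_ra(icmp: bytes) -> dict:
    """Decode the fixed 16-byte RA header (RFC 4861, section 4.2)."""
    if len(icmp) < 16:
        raise ValueError("truncated RA")
    msg_type, code, _ck, hop, flags, _life, _reach, _retrans = struct.unpack(
        "!BBHBBHII", icmp[:16])
    if msg_type != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    return {"cur_hop_limit": hop,
            "managed": bool(flags & 0x80),
            "other": bool(flags & 0x40),
            "pref_rank": PRF_TO_RANK[(flags >> 3) & 0b11]}


def violations(icmp: bytes, rules: RaGuardRules) -> List[str]:
    """Return the reasons RA Guard would drop this RA (empty list: forwarded)."""
    ra, out = parse_ra(icmp), []
    hop = ra["cur_hop_limit"]
    if rules.hop_min is not None or rules.hop_max is not None:
        if hop == 0:                              # unspecified Cur Hop Limit
            out.append("hop-limit unspecified")
        elif rules.hop_min is not None and hop < rules.hop_min:
            out.append("hop-limit below minimum")
        elif rules.hop_max is not None and hop > rules.hop_max:
            out.append("hop-limit above maximum")
    for name, want, got in (("managed-config-flag", rules.managed_flag, ra["managed"]),
                            ("other-config-flag", rules.other_flag, ra["other"])):
        if want is not None and got != (want == "on"):
            out.append(name)
    if rules.pref_min is not None and ra["pref_rank"] < RANK[rules.pref_min]:
        out.append("router-preference below minimum")
    if rules.pref_max is not None and ra["pref_rank"] > RANK[rules.pref_max]:
        out.append("router-preference above maximum")
    return out


def build_ra(hop_limit: int, managed: bool, other: bool, prf_bits: int) -> bytes:
    """Constructed RA header; the checksum is left at zero and not verified."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0) | (prf_bits << 3)
    return struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, hop_limit, flags, 1800, 0, 0)


# Boundaries taken from the examples in this chapter: hop limit 3..100,
# both flags verified as 0, only medium preference accepted.
SAMPLE_RULES = RaGuardRules(hop_min=3, hop_max=100, managed_flag="off",
                            other_flag="off", pref_min="medium", pref_max="medium")

if __name__ == "__main__":
    for label, ra in (("expected router", build_ra(64, False, False, 0b00)),
                      ("suspicious RA", build_ra(1, True, True, 0b01))):
        print(label, violations(ra, SAMPLE_RULES) or "forwarded")
```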
Examples
Example 1—The following example defines that only a value of medium is
acceptable using two commands:
Syntax
ipv6 neighbor binding
Parameters
N/A
Default Configuration
NB integrity on a VLAN is disabled.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
NB integrity establishes binding for neighbors connected to the perimetrical ports
(see the device-role (Neighbor Binding) command) belonging to the VLANs on
which the feature is enabled.
Examples
switchxxxxxx(config-if)# exit
switchxxxxxx(config-if-range)# exit
Syntax
ipv6 neighbor binding address-config [stateless | any] [dhcp]
Parameters
• stateless—Only auto configuration is allowed for global IPv6 bound from
NDP messages.
• any—All configuration methods for global IPv6 bound from NDP messages
(stateless and manual) are allowed. If no keyword is defined the any
keyword is applied.
Default Configuration
Command Mode
User Guidelines
This command defines allowed IPv6 address configuration methods for global
IPv6 addresses.
• Global IPv6 addresses are bound from NDP messages. If none of these
keywords are configured, only link-local addresses are bound from NDP
messages.
• How global IPv6 addresses, bound from NDP messages, are checked
against the Neighbor Prefix table, if prefix validation is enabled:
- any—IPv6 addresses are bound from NDP messages and only global
addresses belonging to prefixes in NPT are allowed.
Use the dhcp keyword to allow binding from DHCPv6 messages. IPv6 addresses
bound from DHCPv6 messages are never verified against the Neighbor Prefix
table. IPv6 addresses bound from DHCPv6 messages override IPv6 addresses
bound from NDP messages.
Note. If the dhcp keyword is not configured, the switch will bind IPv6 addresses
assigned by DHCPv6 from NDP messages, because a host must execute the DAD
process for these addresses.
Examples
Example 1. The following example specifies that any global IPv6 address
configuration method can be applied and there will be no binding from DHCPv6
messages:
Example 2. The following example specifies that any global IPv6 address binding
from NDP and global IPv6 address binding from DHCPv6 messages can be
applied:
Example 3. The following example specifies that only stateless global IPv6
address binding from NDP can be applied:
switchxxxxxx(config)# ipv6 neighbor binding address-config stateless
Example 4. The following example specifies that only the stateless IPv6 address
configuration and assignment by DHCPv6 methods can be applied and binding
only from NDP messages is supported:
Example 5. The following example specifies that global IPv6 addresses can be
assigned only by DHCPv6:
Syntax
Parameters
• ipv6-prefix/prefix-length—IPv6 prefix.
• vlan vlan-id—ID of the specified VLAN.
Default Configuration
No static prefix
Command Mode
User Guidelines
Use the ipv6 neighbor binding address-prefix command to add a static prefix to
the Neighbor Prefix table.
Use the no ipv6 neighbor binding address-prefix vlan vlan-id command to remove
all static entries from the Neighbor Prefix table defined on the given VLAN.
Use the no ipv6 neighbor binding address-prefix command to remove all static
entries from the Neighbor Prefix table.
Examples
Example 1. The following example adds two static entries. The second one can be
used for stateless configuration.
Example 3. The following example deletes all static entries defined on the
specified VLAN:
Example 4. The following example deletes all static entries:
Syntax
Parameters
N/A
Default Configuration
Command Mode
User Guidelines
This command enables bound address prefix validation. If the Neighbor Binding
feature is enabled, the switch checks if a bound address belongs to one of the
prefixes of the Neighbor Prefix table or to a manually-configured prefix list by the
ipv6 neighbor binding address-prefix command in the Neighbor Binding
configuration mode. If an address does not belong, it is not bound.
Example
The following example shows how to enable bound address validation against the
Neighbor Prefix table:
Syntax
ipv6 neighbor binding attach-policy policy-name [vlan vlan-list]
Parameters
Default Configuration
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
Each time the command is used, it overrides the previous command within the
same policy.
Multiple policies with the vlan keyword can be attached to the same port if they
do not have common VLANs.
The set of rules that is applied to an input packet is built in the following way:
• The rules configured in the policy attached to the port on the VLAN on
which the packet arrived are added to the set.
• The rules configured in the policy attached to the VLAN are added to the
set if they have not been added.
• The global rules are added to the set if they have not been added.
Examples
Example 1—In the following example, the Neighbor Binding policy policy1 is
attached to the te1/0/1 port:
switchxxxxxx(config-if)# exit
Example 2—In the following example, the Neighbor Binding policy policy1 is
attached to the te1/0/1 port and applied to VLANs 1-10 and 12-20:
switchxxxxxx(config-if)# exit
Example 3—In the following example, the Neighbor Binding policy policy1 is
attached to the te1/0/1 port and applied to VLANs 1-10, and the Neighbor Binding
policy policy2 is attached to the te1/0/1 port and applied to VLANs 12-20:
switchxxxxxx(config-if)# exit
Example 4—In the following example, Neighbor Binding Integrity detaches policy
policy1 from the te1/0/1 port:
switchxxxxxx(config-if)# exit
Syntax
Parameters
Default Configuration
The Neighbor Binding default policy is applied.
Command Mode
User Guidelines
Example
In the following example, the Neighbor Binding policy policy1 is attached to VLAN
100:
switchxxxxxx(config-if)# exit
Syntax
Parameters
Default Configuration
5 minutes
Command Mode
User Guidelines
Use the ipv6 neighbor binding lifetime command to change the default lifetime.
Example
The following example changes the lifetime for binding entries to 10 minutes:
Syntax
ipv6 neighbor binding logging
Parameters
N/A
Default Configuration
Binding table events are not logged.
Command Mode
Global Configuration mode
User Guidelines
This command enables the logging of the following Binding table events:
• A Binding table entry was not inserted into the Binding table, possibly
because the maximum number of entries has been reached or because of
Binding table overflow.
Example
The following example shows how to enable Binding table event logging:
29.46 ipv6 neighbor binding max-entries
To globally specify the maximum number of dynamic entries that are allowed to be
inserted in the Binding table cache, use the ipv6 neighbor binding max-entries
command in Global Configuration mode. To return to the default, use the no form of
this command.
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
This command is used to control the contents of the Binding table. This command
specifies the maximum number of dynamic entries that can be inserted in the
Binding table cache. After this limit is reached, new entries are refused, and a
Neighbor Discovery Protocol (NDP) traffic source with a new entry is dropped.
If the maximum number of entries specified is lower than the current number of
entries in the database, no entries are cleared, and the new threshold is reached
after normal cache attrition.
Example
The following example shows how to specify globally the maximum number of
entries that can be inserted into the cache per MAC:
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
This command defines a Neighbor Binding policy name, and places the router in
Neighbor Binding Policy Configuration mode so that additional commands can be
added to the policy.
exit
exit
The policies cannot be removed, but they can be changed. The no ipv6 neighbor
binding policy command does not remove these policies; it only removes the
policy configuration defined by the user.
The policies cannot be attached by the ipv6 neighbor binding attach-policy (port
mode) or ipv6 neighbor binding attach-policy (VLAN mode) command. The
vlan_default policy is attached by default to a VLAN, if no other policy is attached
to the VLAN. The port_default policy is attached by default to a port, if no other
policy is attached to the port.
You can define a policy using the ipv6 neighbor binding policy command multiple
times.
The following commands can be configured into IPv6 Neighbor Binding Policy
Configuration mode:
• logging binding
• max-entries
• address-config
• address-prefix-validation
Examples
switchxxxxxx(config-nbr-binding)# exit
switchxxxxxx(config-nbr-binding)# exit
logging binding
switchxxxxxx(config-nbr-binding)# exit
te1/0/1, te1/0/2
The policy1 will be detached and removed, are you sure [Y/N]Y
Syntax
ipv6 neighbor binding static ipv6 ipv6-address vlan vlan-id interface interface-id
mac mac-address
Parameters
Default Configuration
No static entry.
Command Mode
User Guidelines
This command is used to add static entries to the Neighbor Binding table. Static
entries can be configured regardless of the port role.
If the entry (dynamic or static) already exists, the new static entry overrides the
existing one.
If the Neighbor Binding table overflows, the static entry is not added.
Example
The following example adds a static entry:
Syntax
Parameters
N/A
Default Configuration
Command Mode
User Guidelines
IPv6 Source Guard blocks an IPv6 data message arriving on a port if its source
IPv6 address is bound to another port, or it is unknown.
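The following added example (not from the guide or the switch firmware) models the Source Guard decision above together with the Binding table behaviour described for max-entries and static entries: refusal of new dynamic entries at the limit, static override, and no static insert on overflow. Addresses, MAC addresses and the capacity parameter are constructed, and leaving an existing binding untouched when it is relearned is a simplification.

```python
# Added example: a simplified model of the Binding table and IPv6 Source Guard.
# Addresses, MACs and the capacity parameter are constructed for illustration.
import ipaddress


class BindingTable:
    def __init__(self, max_entries=None, capacity=None):
        self.max_entries = max_entries  # limit on dynamic entries (None: unlimited)
        self.capacity = capacity        # hypothetical total table size
        self.entries = {}               # (vlan, address) -> (port, mac, origin)

    @staticmethod
    def _key(vlan, address):
        # Normalise the textual address so equivalent spellings compare equal.
        return vlan, ipaddress.IPv6Address(address)

    def _dynamic_count(self):
        return sum(1 for _, _, origin in self.entries.values() if origin == "dynamic")

    def _full(self):
        return self.capacity is not None and len(self.entries) >= self.capacity

    def learn(self, vlan, address, port, mac):
        """Try to insert a dynamic entry; return True if the address is bound."""
        key = self._key(vlan, address)
        if key in self.entries:
            # Simplification: an existing binding is left untouched.
            return self.entries[key][:2] == (port, mac)
        limit_hit = (self.max_entries is not None
                     and self._dynamic_count() >= self.max_entries)
        if limit_hit or self._full():
            return False  # new entry refused
        self.entries[key] = (port, mac, "dynamic")
        return True

    def add_static(self, vlan, address, port, mac):
        """A static entry overrides an existing one, but is not added on overflow."""
        key = self._key(vlan, address)
        if key not in self.entries and self._full():
            return False
        self.entries[key] = (port, mac, "static")
        return True


def source_guard(table, vlan, source, port, trusted_ports=()):
    """Verdict for an IPv6 data message arriving on port with the given source."""
    if port in trusted_ports:
        return "forward"  # messages from trusted ports are not validated
    entry = table.entries.get(BindingTable._key(vlan, source))
    if entry is None:
        return "drop: unknown source"
    if entry[0] != port:
        return "drop: bound to another port"
    return "forward"


if __name__ == "__main__":
    table = BindingTable(max_entries=2)
    table.learn(100, "2001:db8::1", "te1/0/1", "00:11:22:33:44:01")
    for port in ("te1/0/1", "te1/0/2"):
        print(port, source_guard(table, 100, "2001:db8::1", port))
```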
Examples
Example 1—The following example enables IPv6 Source Guard on VLAN 100:
switchxxxxxx(config-if)# exit
switchxxxxxx(config-if-range)# exit
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
IPv6 Source guard policies can be used to block forwarding IPv6 data messages
with unknown source IPv6 addresses or with source IPv6 addresses bound to a
port differing from the input one.
The set of rules that is applied to an input packet is built in the following way:
• The global rules are added to the set if they have not been added.
Use the no ipv6 source guard attach-policy command to detach the user defined policy
attached to the port and to reattach the default policy with name "port_default".
Examples
Example 1—In the following example, the IPv6 Source Guard policy policy1 is
attached to the te1/0/1 port:
switchxxxxxx(config-if)# exit
Example 2—In the following example IPv6 Source Guard detaches policy1 from
the te1/0/1 port:
switchxxxxxx(config-if)# exit
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
This command defines the IPv6 Source Guard policy name, and places the router
in IPv6 Source Guard Policy Configuration mode.
Each policy of the same type (for example, IPv6 Source Guard policies) must have
a unique name. Policies of different types can have the same policy name.
The switch supports one predefined IPv6 Source Guard policy named:
"port_default":
ipv6 source guard policy port_default
exit
The policy cannot be removed, but it can be changed. The no ipv6 source guard
policy command does not remove the policy; it only removes any policy
configurations defined by the user.
The policy can be attached by the ipv6 source guard attach-policy (port mode)
command. The port_default policy is attached by default to a port, if no other
policy is attached to the port.
Examples
Example 1—The following example defines the IPv6 Source Guard policy named
policy1, places the router in IPv6 Source Guard Policy Configuration mode, and
configures the port as trusted:
switchxxxxxx(config-ipv6-srcguard)# trusted-port
switchxxxxxx(config)# exit
Example 2—The following example removes the attached IPv6 Source Guard
policy:
te1/0/1, te1/0/2
The policy1 will be detached and removed, are you sure [Y/N]Y
Syntax
no logging binding
Parameters
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Command Mode
Neighbor Binding Policy Configuration mode.
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports
in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value
overrides the value in the policy attached to the VLAN.
Example
The following example enables logging of Binding table main events within the
IPv6 Neighbor Binding policy named policy1:
switchxxxxxx(config-nbr-binding)# exit
Syntax
Parameters
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Command Mode
IPv6 First Hop Security Policy Configuration mode
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports
in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value
overrides the value in the policy attached to the VLAN.
Example
The following example enables logging of dropped messages within the IPv6 First
Hop Security Policy named policy1:
switchxxxxxx(config-ipv6-fhs)# exit
29.54 managed-config-flag
To enable verification of the advertised Managed Address Configuration flag
within an IPv6 RA Guard policy, use the managed-config-flag command in RA
Guard Policy Configuration mode. To return to the default, use the no form of this
command.
Syntax
no managed-config-flag
Parameters
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Command Mode
User Guidelines
Use this command to change the global configuration specified by the ipv6 nd
raguard managed-config-flag command on the port on which this policy applies.
Use the disable keyword to disable the flag validation in both the global and the
VLAN configuration.
Example
The following example defines an RA Guard policy named policy1, places the
switch in RA Guard Policy Configuration mode, and enables M flag verification that
checks if the value of the flag is 0:
switchxxxxxx(config-ra-guard)# exit
Syntax
Parameters
• prefix-list ipv6-prefix-list-name—The IPv6 prefix list to be matched.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Command Mode
User Guidelines
Use the disable keyword to disable verification of the router’s IPv6 address
regardless of the VLAN configuration.
Example
The following example defines an RA Guard policy named policy1, places the
switch in RA Guard Policy Configuration mode, matches the router addresses to
the prefix list named list1, and defines the prefix list named list1 authorizing the
router with link-local address FE80::A8BB:CCFF:FE01:F700 only:
switchxxxxxx(config-ra-guard)# exit
Syntax
match ra prefixes {prefix-list ipv6-prefix-list-name} | disable
no match ra prefixes
Parameters
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Command Mode
User Guidelines
Example
The following example defines an RA Guard policy named policy1, places the
switch in RA Guard configuration mode, matches the prefixes to the prefix list
named list1, and the 2001:101::/64 prefixes and denies 2001:100::/64 prefixes:
switchxxxxxx(config-ra-guard)# match ra prefixes prefix-list list1
switchxxxxxx(config-ra-guard)# exit
Syntax
match reply {prefix-list ipv6-prefix-list-name} | disable
no match reply
Parameters
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Policy attached to VLAN: advertised prefixes are not verified.
Command Mode
User Guidelines
IPv6 DHCP Guard verifies the assigned IPv6 addresses against the configured
prefix list. The addresses are passed in the IA_NA and IA_TA options of the
following DHCPv6 messages sent by DHCPv6 servers/relays:
• ADVERTISE
• REPLY
• RELAY-REPL
Note 1. Assigned addresses are not verified if the value of the Status Code
option (if present) differs from the following:
• Success
• UseMulticast
Use the disable keyword to disable verification of the assigned IPv6 addresses in
replies.
Example
The following example defines a DHCPv6 Guard policy named policy1, places the
switch in DHCPv6 Guard policy configuration mode, matches the assigned
addresses to the prefix list named list1: all assigned IPv6 addresses must belong
to 2001:0DB8:100:200/64 or to 2001:0DB8:100::/48. The "ge 128" parameter must
be configured for each prefix of the prefix-list with prefix length less than
128.
switchxxxxxx(config-dhcp-guard)# exit
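Why the "ge 128" parameter matters for match reply: an assigned address is compared as a /128. The following added example (not from the guide) shows this, assuming conventional prefix-list semantics, which this section does not spell out: first matching entry wins, implicit deny at the end, and an exact prefix-length match when neither ge nor le is given. The assigned addresses and the status code NoAddrsAvail are constructed sample input.

```python
# Added example: prefix-list matching as DHCPv6 Guard needs it for match reply.
# Assumption: conventional prefix-list semantics (first match wins, implicit
# deny, exact length match when neither ge nor le is given).
import ipaddress

VERIFIED_STATUS = {"Success", "UseMulticast"}  # status codes from Note 1 above


class PrefixListEntry:
    def __init__(self, action, prefix, ge=None, le=None):
        self.action = action  # "permit" or "deny"
        self.prefix = ipaddress.IPv6Network(prefix)
        self.ge, self.le = ge, le

    def matches(self, candidate):
        """candidate is an IPv6Network; a single address is a /128."""
        if not candidate.subnet_of(self.prefix):
            return False
        if self.ge is None and self.le is None:
            low = high = self.prefix.prefixlen  # exact length only
        else:
            low = self.ge if self.ge is not None else self.prefix.prefixlen
            high = self.le if self.le is not None else 128
        return low <= candidate.prefixlen <= high


def permitted(prefix_list, address):
    """First matching entry decides; no match means deny."""
    candidate = ipaddress.IPv6Network(f"{address}/128")
    for entry in prefix_list:
        if entry.matches(candidate):
            return entry.action == "permit"
    return False


def check_reply(prefix_list, assigned_addresses, status_code=None):
    """Return 'skipped', 'pass' or 'fail' for the addresses in IA_NA/IA_TA."""
    if status_code is not None and status_code not in VERIFIED_STATUS:
        return "skipped"  # addresses are not verified for other status codes
    ok = all(permitted(prefix_list, a) for a in assigned_addresses)
    return "pass" if ok else "fail"


# The /48 from the example above, without and with "ge 128".
WITHOUT_GE = [PrefixListEntry("permit", "2001:0DB8:100::/48")]
WITH_GE = [PrefixListEntry("permit", "2001:0DB8:100::/48", ge=128)]

if __name__ == "__main__":
    sample = ["2001:db8:100:200::10"]  # constructed assigned address
    print("without ge 128:", check_reply(WITHOUT_GE, sample))
    print("with ge 128:   ", check_reply(WITH_GE, sample))
```

Without ge 128 the /48 entry matches only a prefix of length exactly 48, so every assigned address fails the check even though it lies inside the prefix.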
Syntax
match server address {prefix-list ipv6-prefix-list-name} | disable
no match server address
Parameters
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Command Mode
User Guidelines
This command enables verification of the source IPv6 address in messages sent
by DHCPv6 servers and DHCPv6 Relays to a configured prefix list. If the source
IPv6 address does not match the configured prefix list, or if the prefix list is not
configured, the DHCPv6 reply is dropped.
IPv6 DHCP Guard verifies the source IPv6 address in the following DHCPv6
messages sent by DHCPv6 servers/relays:
• ADVERTISE
• REPLY
• RECONFIGURE
• RELAY-REPL
• LEASEQUERY-REPLY
Use the disable keyword to disable verification of the DHCP server's and relay’s
IPv6 address.
Example
The following example defines a DHCPv6 Guard policy named policy1, places the
switch in DHCPv6 Guard Policy Configuration mode, matches the server or relay
addresses to the prefix list named list1, and defines the prefix list named list1
authorizing the server with link-local address FE80::A8BB:CCFF:FE01:F700 only:
switchxxxxxx(config-dhcp-guard)# exit
29.59 max-entries
To define the maximum number of dynamic entries that can be inserted in the
Binding table cache within an IPv6 Neighbor Binding policy, use the max-entries
command in Neighbor Binding Policy Configuration mode. To return to the default,
use the no form of this command.
Syntax
Parameters
• vlan-limit number—Specifies a neighbor binding limit per VLANs. The
parameter is ignored in a policy attached to port.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Command Mode
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports
in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value
overrides the value in the policy attached to the VLAN.
Examples
switchxxxxxx(config)# exit
switchxxxxxx(config-ra-guard)# exit
29.60 other-config-flag
To enable verification of the advertised Other Configuration flag in RA
messages within an IPv6 RA Guard policy, use the other-config-flag command in
RA Guard Policy Configuration mode. To return to the default, use the no form of
this command.
Syntax
other-config-flag {on | off | disable}
no other-config-flag
Parameters
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Command Mode
RA Guard Policy Configuration mode
User Guidelines
Use this command to change the global configuration specified by the ipv6 nd
raguard other-config-flag command on the port on which this policy applies.
Use the disable keyword to disable flag validation in both the global and the
VLAN configuration.
Example
The following example defines an RA Guard policy named policy1, places the
switch in RA Guard Policy Configuration mode, and enables O flag verification that
checks if the value of the flag is 0:
switchxxxxxx(config-ra-guard)# exit
29.61 preference
To enable verification of the preference in messages sent by DHCPv6 servers
within a DHCPv6 Guard policy, use the preference command in DHCPv6 Guard
Policy Configuration mode. To return to the default, use the no form of this
command.
Syntax
Parameters
• maximum value—Advertised preference value is lower than or equal to that
set by the value argument. Range 0-255. The value of the high boundary must
be equal to or greater than the value of the low boundary.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Policy attached to VLAN: global configuration.
Command Mode
User Guidelines
Use this command to change the global configuration specified by the ipv6 dhcp
guard preference command on the port to which this policy applies.
Example
The following example defines a DHCPv6 Guard policy named policy1, places the
switch in DHCPv6 Guard Policy Configuration mode, and defines a minimum
preference value of 10:
switchxxxxxx(config-dhcp-guard)# exit
29.62 router-preference
To enable verification of advertised Default Router Preference value in RA
messages within an IPv6 RA Guard policy, use the router-preference command in
RA Guard Policy Configuration mode. To return to the default, use the no form of
this command.
Syntax
Parameters
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Command Mode
User Guidelines
Use this command to change the global configuration specified by the ipv6 nd
raguard router-preference command on the port on which this policy applies.
Example
The following example defines an RA Guard policy named policy1, places the
switch in RA Guard Policy Configuration mode, and defines a minimum Default
Router Preference value of medium:
switchxxxxxx(config-ra-guard)# exit
Syntax
no sec-level minimum
Parameters
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Command Mode
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports
in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value
overrides the value in the policy attached to the VLAN.
Example
The following example defines an NDP Inspection policy named policy1, places
the switch in ND Inspection Policy Configuration mode, and specifies 2 as the
minimum CGA security level:
switchxxxxxx(config-nd-inspection)# exit
Syntax
Parameters
N/A
Command Mode
User Guidelines
The show ipv6 dhcp guard command displays DHCPv6 Guard global
configuration.
Example
The following example shows the output of the show ipv6 dhcp guard command:
Default Preference
minimum: 10
maximum: 100
Syntax
Parameters
• policy-name—Displays the DHCPv6 guard policy with the given name.
• active—Displays the attached DHCPv6 guard policies.
Command Mode
User Guidelines
This command displays the options configured for the policy on all ports configured with the
DHCPv6 guard feature.
Examples
Example 1—The following example displays the Policy Configuration for a policy
named policy1:
device-role: server
preference
minimum: 1
maximum: 200
Attached to ports:
Ports VLANs
te1/0/1-2 1-58,68-4094
te1/0/3-4 1-4094
Po1-4 1-4094
Attached to VLAN:
policy2 200-300
vlan-default 1-199,301-4094
Attached to ports:
te1/0/3-4 1-1094
switchxxxxxx# show ipv6 dhcp guard policy
policy1
policy2
Syntax
show ipv6 first hop security
Parameters
N/A
Command Mode
User Guidelines
This command displays all IPv6 First Hop Security global configuration.
Example
The following example shows the output of the show ipv6 first hop security
command:
Syntax
show ipv6 first hop security active policies interface interface-id vlan vlan-id
Parameters
• interface interface-id—Port Identifier (Ethernet port or port channel).
Command Mode
User Guidelines
This command displays the policies applied to frames arriving on the given port
and belonging to the given VLAN. The policies are calculated automatically from
the policies attached to the port, the policies attached to the VLAN, and the
global configuration.
Example
The following example displays the active attached policies on te1/0/1 and VLAN
100:
switchxxxxxx# show ipv6 first hop security active policies interface te1/0/1
vlan 100
IPv6 First Hop Security Policy:
reply prefix list name: list10 (from policy2 attached to the VLAN)
server address prefix list name: list22 (from policy2 attached to the VLAN)
preference
ND Inspection Policy:
maximum entries
RA Guard Policy:
hop-limit:
router-preference:
Syntax
show ipv6 first hop security attached policies interface interface-id vlan vlan-id
Parameters
Command Mode
User Guidelines
This command displays all IPv6 First Hop Security policies attached to the VLAN
specified by the vlan-id argument, and all policies attached to the port and
VLAN specified by the interface-id and vlan-id arguments.
Examples
The following example displays the attached policy on te1/0/1 and VLAN 100:
switchxxxxxx# show ipv6 first hop security attached policies interface te1/0/1
vlan 100
Attached to VLAN 100
Syntax
Parameters
Command Mode
User Guidelines
This command displays packets handled by the switch that are being counted in
port counters. The switch counts packets captured per port and records whether
the packet was received, bridged, or dropped. If a packet is dropped, the reason
for the drop and the feature that caused the drop are both also provided.
Examples
29.70 show ipv6 first hop security error counters
To display global error counters, use the show ipv6 first hop security error
counters command in privileged EXEC mode.
Syntax
Parameters
N/A
Command Mode
User Guidelines
Examples
Syntax
Parameters
• policy-name—Displays the IPv6 First Hop policy with the given name.
• active—Displays the attached IPv6 First Hop Security policies.
Command Mode
User Guidelines
This command displays the options configured for the policy on all ports configured with the
IPv6 First Hop feature.
Examples
Example 1—The following example displays the Policy Configuration for a policy
named policy1:
Attached to ports:
Ports VLANs
te1/0/1-2 1-58,68-4094
te1/0/3-4 1-4094
Po1-4 1-4094
Attached to VLAN:
policy2 200-300
vlan-default 1-199,301-4094
Attached to ports:
te1/0/3-4 1-1094
policy1
policy2
Syntax
Parameters
N/A
Command Mode
User Guidelines
Example
The following example shows the output of the show ipv6 nd snooping command:
Syntax
Parameters
Command Mode
Examples
Example 1—The following example displays the policy configuration for a policy
named policy1:
device-role: router
drop-unsecure: enabled
Attached to VLANs: 1-100,111-4094
Attached to ports:
Ports VLANs
te1/0/1-2 1-58,68-4094
te1/0/3-4 1-4094
Po1 1-4094
Attached to VLANs:
vlan-default 1-4094
Attached to ports:
te1/0/3-4 1-1094
policy1
policy2
Syntax
Parameters
N/A
Command Mode
Example
The following example shows the output of the show ipv6 nd raguard command:
Hop Limit:
minimum: 10
maximum: 100
minimum: 1
maximum: 1
Syntax
Parameters
Command Mode
User Guidelines
This command displays the options configured for the policy on all ports configured with the RA
guard feature.
Examples
Example 1—The following example displays the policy configuration for a policy
named policy1:
device-role: router
Attached to ports:
Ports VLANs
te1/0/1-2 1-58,68-4094
te1/0/3-4 1-4094
Po1-4 1-4094
Attached to VLANs:
vlan-default 1-4094
Attached to ports:
policy1
policy2
Syntax
Parameters
N/A
Command Mode
User Guidelines
Example
The following example shows the output of the show ipv6 neighbor binding
command:
switchxxxxxx# show ipv6 neighbor binding
Maximum entries
VLAN: unlimited
Port: 1
MAC: 1
Syntax
Parameters
Command Mode
User Guidelines
Examples
Example 1—The following example displays the policy configuration for a policy
named policy1:
device-role: perimiter
max-entries
VLAN: unlimited
Port: 10
MAC: 2
Attached to ports:
Ports VLANs
te1/0/1-2 1-58,68-4094
te1/0/3-4 1-4094
Po1-4 1-4094
Attached to VLAN:
policy2 200-300
vlan-default 1-199,301-4094
Attached to ports:
policy1
policy2
Syntax
Parameters
• vlan vlan-id—Displays the prefixes that match the specified VLAN.
Command Mode
User Guidelines
This command displays the Neighbor Prefix table. The display output can be
limited to the specified VLAN. If no VLAN is configured, all prefixes are displayed.
Example
7 2004:1::/64 static A
7 2008:1::/64 static
Syntax
show ipv6 neighbor binding table [vlan vlan-id] [interface interface-id] [ipv6
ipv6-address] [mac mac-address]
Parameters
• vlan vlan-id—Displays the Binding table entries that match the specified
VLAN.
Command Mode
User Guidelines
This command displays the contents of the Binding table. The display output can
be limited to the specified VLAN, port, IPv6 address, or MAC address. If no
keywords or arguments are entered, all Binding table contents are displayed.
Example
VLAN IPv6 address Inter MAC address Origin State Expir TCAM
Time Ovrfl
Field Descriptions:
• State—Entry’s state:
• Expir. Time—Time left, in seconds, until the entry is removed, if it is not
confirmed.
Syntax
show ipv6 source guard
Parameters
N/A
Command Mode
Privileged EXEC mode
User Guidelines
This command displays the IPv6 Source Guard global configuration.
Example
The following example shows the output of the show ipv6 source guard command:
29.81 show ipv6 source guard policy
To display IPv6 Source Guard policies, use the show ipv6 source guard policy
command in Privileged EXEC mode.
Syntax
Parameters
Command Mode
User Guidelines
This command displays all configured IPv6 Source Guard policies, the given one
or all attached IPv6 Source Guard policies.
Examples
Example 1—The following example displays the policy configuration for a policy
named policy1:
Attached to ports:
Ports
te1/0/1-2
te1/0/4
Po1-4
Attached to VLAN:
Attached to ports:
policy1 te1/0/1-2
port-default te1/0/1-2
te1/0/3
policy1
policy2
Syntax
trusted-port
no trusted-port
Parameters
N/A
Default Configuration
not trusted.
Command Mode
User Guidelines
IPv6 data messages bridged from trusted ports are not validated by IPv6 Source
Guard.
Example
switchxxxxxx(config-ipv6-srcguard)# trusted-port
switchxxxxxx(config-ipv6-srcguard)# exit
Syntax
validate source-mac [enable | disable]
no validate source-mac
Parameters
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Command Mode
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports
in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value
overrides the value in the policy attached to the VLAN.
Example
The following example enables the router to drop an NDP message whose
link-layer address does not match the MAC address:
switchxxxxxx(config-nd-inspection)# exit
30
IPv6 IPM Router Commands
30.0
Syntax
no ipv6 multicast-routing
Parameters
Default Configuration
Command Mode
User Guidelines
Use the ipv6 multicast-routing command with parameter to specify the needed
IPv6 Multicast Routing Protocol.
Example
The following example enables IPv6 Multicast routing using MLD Proxy:
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Multicast packets with a hop value less than the threshold will not be forwarded on
the interface.
The default value of 0 means all Multicast packets are forwarded on the interface.
A value of 256 means that no Multicast packets are forwarded on the interface.
You should configure the hop threshold only on border routers. Conversely, routers
on which you configure a hop threshold value automatically become border
routers.
Example
The following example sets the Hop Limit threshold on a border router to 200:
switchxxxxxx(config-if)# exit
Syntax
Parameters
Command Mode
User Guidelines
Use the show ip mroute command to display information about Mroute entries in
the mroute table. The switch populates the Multicast routing table by creating (S,
G) entries from (*, G) entries. The asterisk (*) refers to all source addresses, the “S”
refers to a single source address, and the “G” is the destination Multicast group
address. In creating (S, G) entries, the switch uses the best path to that destination
group found in the Unicast routing table (that is, through Reverse Path Forwarding
[RPF]).
Examples
(*, FF07::1) and (FF07::1/128, FF07::1)—Entry in the IPv6 Multicast routing table. The
entry consists of the IP address of the source router followed by the IP address of
the Multicast group. An asterisk (*) in place of the source router indicates all
sources.
Entries in the first format are referred to as (*, G) or “star comma G” entries. Entries
in the second format are referred to as (S, G) or “S comma G” entries. (*, G) entries
are used to build (S, G) entries.
Incoming interface—Expected interface for a Multicast packet from the source. If
the packet is not received on this interface, it is discarded.
Outgoing Interface List (OIF):—Interfaces through which packets will be forwarded.
Example 1. The following is sample output from the show ipv6 mroute command
with the summary keyword:
Timers: Uptime/Expires
Example 2. The following is sample output from the show ipv6 mroute command:
Timers: Uptime/Expires
vlan40, 00:04:45/00:02:47
(2001:0DB8:999::99, FF07::1), 00:02:06/00:01:23
vlan40, 00:02:06/00:03:27
Syntax
Parameters
Command Mode
User Guidelines
Use the show ipv6 multicast command without the interface keyword to display
general information about the state of IPv6 Multicast on the router.
Use the show ipv6 multicast command with the interface keyword to display the
IPv6 Multicast information about the specified interface.
Examples
Example 1. The following is sample output from the show ipv6 multicast command
without the interface keyword when no IPv6 Multicast Routing protocol is enabled:
Example 2. The following is sample output from the show ipv6 multicast command
without the interface keyword when MLD Proxy is enabled:
Example 3. The following is sample output from the show ipv6 multicast command
about the given interface. MLD Proxy is enabled on the interface and the interface
is an MLD Proxy Upstream interface:
vlan 200
hop-threshold: 0
Example 4. The following is sample output from the show ipv6 multicast command
about the given interface. MLD Proxy is enabled on the interface and the interface
is an MLD Proxy Downlink interface:
IPv6 Multicast Protocol: PIM
vlan 200
hop-threshold: 0
Example 5. The following is sample output from the show ipv6 multicast command
about the given interface. MLD Proxy is disabled on the interface:
vlan 200
hop-threshold: 100
31
IPv6 Prefix List Commands
Syntax
Parameters
• prefix-list-name—The name of the prefix list from which the hit count is to
be cleared.
Default Configuration
The hit count is automatically cleared for all IPv6 prefix lists.
Command Mode
User Guidelines
The hit count is a value indicating the number of matches to a specific prefix list
entry.
Example
The following example clears the hit count from the prefix list entries for the prefix
list named first_list that match the network mask 2001:0DB8::/35:
Syntax
Parameters
• list-name—Name of the prefix list. The name may contain up to 32
characters.
Default Configuration
No prefix list is created.
Command Mode
User Guidelines
This command without the seq keyword adds the new entry after the last entry of
the prefix list, with a sequence number equal to the last number plus 5. For
example, if the last configured sequence number is 43, the new entry will have the
sequence number 48. If the list is empty, the first prefix-list entry is assigned the
number 5 and subsequent prefix list entries increment by 5.
This command with the seq keyword puts the new entry into the place specified
by the parameter; if an entry with that number already exists, it is replaced by the
new one.
The no version of this command without the seq keyword removes the prefix list.
The no version of this command with the seq keyword removes the specified
entry.
The sequence number of a prefix list entry determines the order of the entries in
the list. The router compares network addresses to the prefix list entries. The
router begins the comparison at the top of the prefix list, with the entry having the
lowest sequence number.
If multiple entries of a prefix list match a prefix, the entry with the lowest sequence
number is considered the real match. Once a match or deny occurs, the router
does not go through the rest of the prefix list. For efficiency, you might want to put
the most common permits or denies near the top of the list, using the seq-number
argument.
The show ipv6 prefix-list command displays the sequence numbers of entries.
IPv6 prefix lists are used to specify certain prefixes or a range of prefixes that
must be matched before a permit or deny statement can be applied. Two operand
keywords can be used to designate a range of prefix lengths to be matched. A
prefix length of less than, or equal to, a value is configured with the le keyword. A
prefix length greater than, or equal to, a value is specified using the ge keyword.
The ge and le keywords can be used to specify the range of the prefix length to be
matched in more detail than the usual ipv6-prefix/prefix-length argument.
For a candidate prefix to match against a prefix list entry, the following conditions
must exist:
• The candidate prefix must match the specified prefix list and prefix length
entry.
• The value of the optional le keyword specifies the range of allowed prefix
lengths from 0 up to, and including, the value of the le-length argument.
• The value of the optional ge keyword specifies the range of allowed prefix
lengths from the value of the ge-length argument up to, and including, 128.
Note that the first condition must match before the other conditions take effect.
An exact match is assumed when the ge or le keywords are not specified. If only
one keyword operand is specified then the condition for that keyword is applied,
and the other condition is not applied. The prefix-length value must be less than
the ge value. The ge value must be less than, or equal to, the le value. The le value
must be less than or equal to 128.
Every IPv6 prefix list, including prefix lists that do not have permit and deny
condition statements, has an implicit deny any any statement as its last match
condition.
Formal Specification
• L - prefix length
• ge - is not defined
• le - is not defined
• P - prefix address
• L - prefix length
• ge - is defined
• le - is not defined
The prefix cP/cL matches the prefix-list entry if PrefixIsEqual(cP,P,L) && cL >= ge
• L - prefix length
• ge - is not defined
• le - is defined
The prefix cP/cL matches the prefix-list entry if PrefixIsEqual(cP,P,L) && cL <= le
• L - prefix length
• ge - is defined
• le - is defined
The prefix cP/cL matches the prefix-list entry if PrefixIsEqual(cP,P,L) && ge <= cL <= le
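The matching rules above, written out as an added Python example (not code from this guide or from the device firmware). It assumes PrefixIsEqual compares the first L bits of the two addresses; the class and function names are illustrative, and the list entries other than 5F00::/48 le 64 are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def prefix_is_equal(cp, p, length: int) -> bool:
    """PrefixIsEqual(cP, P, L): assumed to compare the first L bits of both addresses."""
    shift = 128 - length
    return (int(cp) >> shift) == (int(p) >> shift)


@dataclass(frozen=True)
class Entry:
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv6Network   # P/L
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, cand: ipaddress.IPv6Network) -> bool:
        L, cL = self.network.prefixlen, cand.prefixlen
        # The prefix comparison must succeed before ge/le are considered.
        if not prefix_is_equal(cand.network_address, self.network.network_address, L):
            return False
        if self.ge is None and self.le is None:
            return cL == L           # exact match when neither keyword is given
        if self.ge is not None and cL < self.ge:
            return False
        if self.le is not None and cL > self.le:
            return False
        return True


class PrefixList:
    def __init__(self) -> None:
        self.entries: Dict[int, Entry] = {}

    def add(self, action, prefix, ge=None, le=None, seq=None) -> int:
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        net = ipaddress.IPv6Network(prefix)
        for bound in (ge, le):
            if bound is not None and not 0 <= bound <= 128:
                raise ValueError("ge/le must be in 0..128")
        if ge is not None and not net.prefixlen < ge:
            raise ValueError("prefix-length must be less than ge")
        if ge is not None and le is not None and ge > le:
            raise ValueError("ge must be less than or equal to le")
        if seq is None:
            # No seq keyword: last sequence number plus 5 (5 for an empty list).
            seq = max(self.entries, default=0) + 5
        self.entries[seq] = Entry(action, net, ge, le)  # an existing seq is replaced
        return seq

    def evaluate(self, candidate) -> Tuple[str, Optional[int]]:
        """Return (action, seq) of the lowest-numbered matching entry."""
        cand = ipaddress.IPv6Network(candidate)
        for seq in sorted(self.entries):
            if self.entries[seq].matches(cand):
                return self.entries[seq].action, seq
        return "deny", None          # implicit deny at the end of every list


def build_example_list() -> PrefixList:
    pl = PrefixList()
    pl.add("permit", "5F00::/48", le=64)          # entry shown in this guide
    pl.add("deny", "2001:DB8::/64", ge=65)        # constructed entry
    pl.add("permit", "::/0", ge=32, le=64)        # constructed entry
    return pl


if __name__ == "__main__":
    pl = build_example_list()
    for cand in ("5F00:0:0:1::/64", "5F00::/72", "2001:DB8::/80", "2001:DB8::/64"):
        print(cand, pl.evaluate(cand))
    # A more specific deny placed at a lower sequence number wins over seq 5.
    pl.add("deny", "5F00:0:0:1::/64", seq=3)
    print("5F00:0:0:1::/64", pl.evaluate("5F00:0:0:1::/64"))
```

Because evaluation stops at the first match, an overly broad permit at a low sequence number shadows any deny that follows it; reviewing a list in sequence order is the check to make before applying it.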
Examples
Example 1. The following example denies all routes with a prefix of ::/0:
switchxxxxxx(config)# ipv6 prefix-list abc permit 5F00::/48 le 64
Example 4. The following example denies prefix lengths greater than 64 bits in
routes that have the prefix 2001:0DB8::/64:
Example 5. The following example permits mask lengths from 32 to 64 bits in all
address space:
Example 6. The following example denies mask lengths greater than 32 bits in all
address space:
Example 7. The following example denies all routes with a prefix of 2002::/128:
Example 8. The following example permits all routes with a prefix of ::/0:
Syntax
Parameters
• longer—Displays all entries of an IPv6 prefix list that are more specific than
the given ipv6-prefix/prefix-length values.
• first-match—Displays the entry of an IPv6 prefix list that matches the given
ipv6-prefix/prefix-length values.
Command Mode
User Guidelines
If the detail and summary keywords are omitted, the detail option is applied.
If the longer and first-match keywords are omitted, all entries of the specified
prefix list that match the given network/length are displayed.
Examples
Example 1. The following example shows the output of this command with the
detail keyword:
count: 1, range entries: 0
Field Descriptions
• description—Comment.
Example 2. The following example shows the output of the show ipv6 prefix-list command with the
summary keyword:
Example 3. The following example shows the output of the show ipv6 prefix-list command with the seq
keyword:
32
iSCSI QoS Commands
Syntax
iscsi enable
no iscsi enable
Parameters
This command has no arguments or keywords
Default Configuration
Disabled
Command Mode
Global Configuration mode
User Guidelines
Use the iscsi enable command to enable iSCSI QoS.
If an ACL is bound to an interface and a frame matches both the iSCSI rules and
the ACL rules, only the iSCSI rules are applied to this frame.
Example
The following example enables iSCSI QoS globally:
Syntax
iscsi flow default | {tcp-port [ip-address]}
Parameters
• default—Restores the default IPv4 flows.
Default Configuration
Two iSCSI IPv4 flows with well-known TCP ports 3260 and 860.
Command Mode
Global Configuration mode
User Guidelines
Each iscsi flow command defines an iSCSI flow including the following two
sub-flows:
• From initiator to target sub-flow—The sub-flow is classified by the
Destination TCP port defined by the tcp-port argument and by the
configured Destination IP address, if the ip-address argument is configured.
Use the iscsi flow default command to restore the iSCSI default configuration.
For the same TCP port you can use either the iscsi flow tcp-port command or a
few iscsi flow tcp-port ip-address commands with different IP addresses.
Use the no iscsi flow tcp-port ip-address command to delete the iSCSI flows
defined by the iscsi target port tcp-port ip-address command.
Use the no iscsi flow tcp-port command to delete the iSCSI flows defined by the
iscsi flow tcp-port command.
To delete a default iSCSI flow, use the no iscsi flow tcp-port command.
To delete all default iSCSI flows, use the no iscsi flow default command.
To delete all iSCSI flows (including the default ones), use the no iscsi flow
command.
Example
The following example defines four pairs of iSCSI flows:
Syntax
iscsi qos {[vpt vpt] [dscp dscp] [queue queue]}
no iscsi qos
Parameters
• vpt vpt—Specifies a value of the VLAN Priority Tag (VPT) that iSCSI tagged
frames are assigned (Range: 0–7).
• queue queue—Specifies the outgoing queue to which iSCSI frames are sent
(Range: 1–8).
Default Configuration
• VPT is not changed.
• Queue—7
Command Mode
Global Configuration mode
User Guidelines
Use the iscsi qos command to change the default quality of service profile
applied to iSCSI flows.
Note. At least one parameter is mandatory.
Example
The following example configures the default quality of service profile applying to
iSCSI flows:
32.4 show iscsi
To display the iSCSI configuration, use the show iscsi command in User EXEC
mode.
Syntax
show iscsi
Parameters
This command has no arguments or keywords
Default Configuration
This command has no default settings.
Command Mode
User EXEC mode
Example
This example shows how to display the iSCSI configuration:
iSCSI is enabled
iSCSI DSCP is 18
iSCSI Flows:
TCP Target IP
Port Address
--------- ---------------
9876 0.0.0.0
20002 192.111.220.110
20002 192.1.3.230
25555 0.0.0.0
33
IPv6 Tunnel Commands
Syntax
Parameters
Default Configuration
N/A
Command Mode
Example
switchxxxxxx(config-if)# exit
Syntax
tunnel destination {host-name | ip-address}
no tunnel destination
Parameters
Default Configuration
No tunnel interface destination is specified.
Command Mode
Interface (Tunnel) Configuration mode
User Guidelines
You cannot configure two tunnels to use the same encapsulation mode with
exactly the same source and destination address.
Example
The following example shows how to configure the tunnel destination address for
Manual IPv6 tunnel:
switchxxxxxx(config-if)# exit
switchxxxxxx(config-if)# tunnel mode ipv6ip
switchxxxxxx(config-if)# exit
Syntax
Parameters
Default Configuration
Command Mode
Global Configuration mode
User Guidelines
Example
The following example sets the time interval between ISATAP router solicitation
messages to 30 seconds.
Syntax
tunnel isatap robustness number
Parameters
Default Configuration
The default number of router solicitation refresh messages that the device sends
is 3.
Command Mode
User Guidelines
The router solicitation interval (when there is an active ISATAP router) is the
minimum-router-lifetime that is received from the ISATAP router, divided by
(Robustness + 1).
Example
The following example sets the number of router solicitation refresh messages
that the device sends to 5.
Configuration mode. To remove this router name and restore the default
configuration, use the no form of this command.
Syntax
Parameters
• router-name—Specifies the router’s domain name.
Default Configuration
Command Mode
User Guidelines
This command determines the string that the host uses for automatic tunnel router
lookup in the IPv4 DNS procedure. By default, the string ISATAP is used for the
corresponding automatic tunnel types.
Only one string can represent the automatic tunnel router name per tunnel. Using
this command, therefore, overwrites the existing entry.
Example
The following example configures the global string ISATAP2 as the automatic
tunnel router domain name.
switchxxxxxx(config-if)# exit
Syntax
tunnel mode ipv6ip [6to4 | isatap]
Parameters
Default Configuration
Command Mode
User Guidelines
IPv6 tunneling consists of encapsulating IPv6 packets within IPv4 packets for
transmission across an IPv4 routing infrastructure.
When the IPv6 tunnel mode is changed, the IPv6 interface on the tunnel is
re-enabled, which removes the static IPv6 configuration on the tunnel (for
example, global IPv6 addresses, static IPv6 routes via the tunnel, etc.).
The IPv6 interface on an IPv6 tunnel is disabled if the tunnel ceases to be an IPv6
tunnel, or if the tunnel local IPv4 address is removed and a new IPv4 address
cannot be chosen.
Manually Configured Tunnels
6to4 Tunnels
Using this command with the 6to4 keyword specifies automatic 6to4 tunneling
where only the local tunnel endpoint is determined by manually configured unique
IPv4 address.
During the 6to4 tunnel creation the switch automatically creates on the 6to4 tunnel:
• IPv6 interface
The unique IPv4 address is used as the network-layer address in the 6to4 address
prefix. A global unicast 64-bit 6to4 IPv6 prefix (RFC 3056),
2002:WWXX:YYZZ:SSI::/64 (where SSI is the 16-bit Site Subnet Identifier), can be
used to define global unicast 6to4 IPv6 addresses on the native IPv6 in-band
interfaces of the switch.
ISATAP Tunnels
Using this command with the isatap keyword specifies an automatic ISATAP
tunnel. ISATAP tunnels enable transport of IPv6 packets within network
boundaries. ISATAP tunnels allow individual IPv4/IPv6 dual-stack hosts within a
site to connect to an IPv6 network using the IPv4 infrastructure.
ISATAP IPv6 addresses can use any initial Unicast /48 prefix. The final 64 bits are
an interface identifier. Of these, the leading 32 bits are the fixed pattern 0000:5EFE;
the last 32 bits carry the tunnel endpoint IPv4 address.
Only the ipv6 address eui-64 command can be used to configure a global unicast
IPv6 address on an ISATAP tunnel.
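The 6to4 and ISATAP address layouts described above embed the tunnel endpoint's IPv4 address in the IPv6 address, which is useful when attributing tunnelled traffic in logs. The following added Python example (not code from this guide) builds both forms and recovers the embedded IPv4 address; the function names are illustrative, and the sample address 192.168.99.1 is taken from the 2002:c0a8:6301:1::/64 prefix used in this chapter's example.

```python
import ipaddress
from typing import Dict

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")   # 6to4 prefix (RFC 3056)
ISATAP_MARK = 0x00005EFE                            # fixed pattern 0000:5EFE


def sixtofour_prefix(ipv4: str, subnet_id: int = 0) -> ipaddress.IPv6Network:
    """Build 2002:WWXX:YYZZ:SSI::/64 from the tunnel's IPv4 address and a 16-bit SSI."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("Site Subnet Identifier is 16 bits")
    v4 = int(ipaddress.IPv4Address(ipv4))
    value = (0x2002 << 112) | (v4 << 80) | (subnet_id << 64)
    return ipaddress.IPv6Network((value, 64))


def isatap_address(prefix64: str, ipv4: str) -> ipaddress.IPv6Address:
    """Append the ISATAP interface identifier 0000:5EFE:<IPv4> to a /64 prefix."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("the interface identifier occupies the final 64 bits")
    iid = (ISATAP_MARK << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_ipv4(addr: str) -> Dict[str, str]:
    """Return the IPv4 addresses an IPv6 address carries under each layout."""
    a = ipaddress.IPv6Address(addr)
    found: Dict[str, str] = {}
    if a in SIX_TO_FOUR:
        # Bits 16..47 of a 6to4 address hold the tunnel endpoint's IPv4 address.
        found["6to4"] = str(ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF))
    if (int(a) >> 32) & 0xFFFFFFFF == ISATAP_MARK:
        # The last 32 bits of an ISATAP address hold the endpoint's IPv4 address.
        found["isatap"] = str(ipaddress.IPv4Address(int(a) & 0xFFFFFFFF))
    return found


if __name__ == "__main__":
    prefix = sixtofour_prefix("192.168.99.1", subnet_id=1)
    addr = isatap_address(str(prefix), "192.168.99.1")
    print(prefix)
    print(addr, embedded_ipv4(str(addr)))
    print("2001:db8::1", embedded_ipv4("2001:db8::1"))
```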
Examples
switchxxxxxx(config-if)# exit
switchxxxxxx(config-if)# exit
switchxxxxxx(config-if)# exit
switchxxxxxx(config-if)# exit
switchxxxxxx(config-if)# exit
switchxxxxxx(config-if)# ipv6 address 2002:c0a8:6301:1::/64 eui-64
switchxxxxxx(config-if)# exit
switchxxxxxx(config-if)# exit
Syntax
no tunnel source
Parameters
• auto—The system minimum IPv4 address is used as the local IPv4 address
(IPv4 address of the local tunnel endpoint).
Default
Command Mode
User Guidelines
If the auto or interface-id option is configured, the IPv4 address that is chosen
continues to be used as the tunnel local IPv4 address for as long as it is defined.
A new IPv4 interface is only chosen in the following cases:
• After reboot.
When the tunnel local IPv4 address is changed, the IPv6 interface on the tunnel is
re-enabled, which removes the static IPv6 configuration on the tunnel (for
example, global IPv6 addresses, static IPv6 routes via the tunnel, etc.).
If the auto option is configured then the IP addresses defined on OOB do not take
part in the choosing of the minimal IPv4 address.
If the ip4-address option is configured then the IPv4 addresses defined on OOB
cannot be configured.
If the interface-id option is configured then OOB cannot be configured.
Example
switchxxxxxx(config-if)# exit
Syntax
Parameters
Command Mode
Examples
Example 1. The following example displays information on the ISATAP tunnel, when
the all keyword is not configured:
Tunnel 1
Tunnel status : UP
Tunnel 2
Tunnel status : UP
1.1.1.1 Detected
100.1.1.1 Detected
Robustness : 2
Tunnel 3
Tunnel status : UP
Example 2. The following example displays information when the all keyword is
configured:
Tunnel 1
Tunnel status : UP
Manual parameters
ISATAP Parameters
Robustness : 2
Tunnel 2
Manual parameters
ISATAP Parameters
Robustness : 2
Tunnel 3
Tunnel status : UP
Manual parameters
Tunnel Remote Ipv4 address : 0.0.0.0
ISATAP Parameters
1.1.1.1 Detected
100.1.1.1 Detected
Robustness : 2
34
Line Commands
34.1 autobaud
To configure the line for automatic baud rate detection (autobaud), use the
autobaud command in Line Configuration mode.
Use the no form of this command to disable automatic baud rate detection.
Syntax
autobaud
no autobaud
Parameters
Default Configuration
Command Mode
User Guidelines
Note that if characters other than Enter are typed, the wrong speed might be
detected.
Example
The following example enables autobaud.
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# autobaud
34.2 exec-timeout
To set the session idle time interval, during which the system waits for user input
before automatic logoff, use the exec-timeout Line Configuration mode command.
To restore the default configuration, use the no form of this command.
Syntax
Parameters
Default Configuration
Command Mode
Example
The following example sets the telnet session idle time interval before automatic
logoff to 20 minutes and 10 seconds.
switchxxxxxx(config-line)# exec-timeout 20 10
34.3 line
To identify a specific line for configuration and enter the Line Configuration
command mode, use the line Global Configuration mode command.
Syntax
Parameters
Command Mode
Example
The following example configures the device as a virtual terminal for remote
(Telnet) access.
switchxxxxxx(config-line)#
34.4 speed
To set the line baud rate, use the speed command in Line Configuration mode.
Syntax
speed bps
no speed
Parameters
bps—Specifies the baud rate in bits per second (bps). Possible values are 9600,
19200, 38400, 57600, and 115200.
Default Configuration
Command Mode
User Guidelines
Example
The following example configures the line baud rate as 9600 bits per second.
Syntax
show line [console | telnet | ssh]
Parameters
• console—(Optional) Displays the console configuration.
Default Configuration
If the line is not specified, all line configuration parameters are displayed.
Command Mode
Example
Console configuration:
History: 10
Baudrate: 9600
Databits: 8
Parity: none
Stopbits: 1
Telnet configuration:
Telnet is enabled.
History: 10
SSH configuration:
SSH is enabled.
History: 10
35
Link Aggregation Control Protocol (LACP)
Commands
Syntax
no lacp port-priority
Parameters
Default Configuration
Command Mode
Example
Syntax
Parameters
value—Specifies the system priority value. (Range: 1–65535)
Default Configuration
Command Mode
Example
Syntax
Parameters
• long—Specifies the long timeout value.
• short—Specifies the short timeout value.
Default Configuration
Command Mode
Example
Syntax
Parameters
Command Mode
Example
Port te1/0/1 LACP Statistics:
LACP PDUs sent: 2
LACP PDUs received: 2
Syntax
Parameters
Command Mode
Privileged EXEC mode
Example
Partner
System Priority: 0
MAC Address: 00:00:00:00:00:00
Oper Key: 14
36
Link Layer Discovery Protocol (LLDP)
Commands
Syntax
Parameters
Default Configuration
If no interface is specified, the default is to clear the LLDP table for all ports.
Command Mode
Example
Syntax
Parameters
• mac-address—Specifies the chassis ID to use the device MAC address.
Default Configuration
MAC address.
Command Mode
User Guidelines
If the chassis ID configured to be used in LLDP packets is empty, LLDP uses the
default chassis ID (specified above).
Example
The following example configures the chassis ID to be the MAC address.
Syntax
no lldp hold-multiplier
Parameters
Default Configuration
The default LLDP hold multiplier is 4.
Command Mode
User Guidelines
The actual Time-To-Live (TTL) value of LLDP frames is calculated by the following
formula:
For example, if the value of the LLDP timer is 30 seconds, and the value of the
LLDP hold multiplier is 4, then the value 120 is encoded in the TTL field of the
LLDP header.
Example
The following example sets the LLDP packet hold time interval to 90 seconds.
Syntax
no lldp lldpdu
Parameters
Default Configuration
LLDP packets are filtered when LLDP is globally disabled.
Command Mode
User Guidelines
If the STP mode is MSTP, the LLDP packet handling mode cannot be set to
flooding and vice versa.
If LLDP is globally disabled, and the LLDP packet handling mode is flooding, LLDP
packets are treated as data packets with the following exceptions:
• VLAN ingress rules are not applied to LLDP packets. The LLDP packets are
trapped on all ports for which the STP state is Forwarding.
• VLAN egress rules are not applied to LLDP packets. The LLDP packets are
flooded to all ports for which the STP state is Forwarding.
Example
The following example sets the LLDP packet handling mode to Flooding when
LLDP is globally disabled.
36.5 lldp management-address
To specify the management address advertised by an interface, use the lldp
management-address Interface (Ethernet) Configuration mode command. To stop
advertising management address information, use the no form of this command.
Syntax
lldp management-address {ip-address | none | automatic [interface-id]}
no lldp management-address
Parameters
Default Configuration
No IP address is advertised.
Command Mode
User Guidelines
Example
The following example sets the LLDP management address advertisement mode
to automatic on te1/0/2.
Syntax
no lldp med
Parameters
Default Configuration
Command Mode
Example
The following example enables LLDP MED with the location TLV on te1/0/3.
Syntax
lldp med notifications topology-change {enable | disable}
Parameters
Default Configuration
Command Mode
Example
The following example enables sending LLDP MED topology change notifications
on te1/0/2.
Syntax
Parameters
Default Configuration
Command Mode
Global Configuration mode
Example
Syntax
Parameters
Default Configuration
Command Mode
Example
The following example configures the LLDP MED location information on te1/0/2 as
a civic address.
The lldp med network-policy command creates the network policy, which is
attached to a port by lldp med network-policy (interface).
To remove LLDP MED network policy, use the no form of this command.
Syntax
Parameters
• number—Network policy sequential number. The range is 1-32.
- voice
- voice-signaling
- guest-voice
- guest-voice-signaling
- softphone-voice
- video-conferencing
- streaming-video
- video-signaling.
Default Configuration
Command Mode
User Guidelines
Example
This example creates a network policy for the voice-signaling application and
attaches it to port 1. LLDP packets sent on port 1 will contain the information
defined in the network policy.
To remove all the LLDP MED network policies from the port, use the no form of this
command.
Syntax
Parameters
• add/remove number—Attaches/removes the specified network policy to
the interface.
Default Configuration
Command Mode
User Guidelines
For each port, only one network policy per application (voice, voice-signaling, etc.)
can be defined.
Example
This example creates a network policy for the voice-signaling application and
attaches it to port 1. LLDP packets sent on port 1 will contain the information
defined in the network policy.
This command generates an LLDP MED network policy for voice, if the voice VLAN
operation mode is auto voice VLAN. The voice VLAN, 802.1p priority, and the
DSCP of the voice VLAN are used in the policy.
Syntax
Parameters
Default Configuration
None
Command Mode
User Guidelines
In Auto mode, the Voice VLAN feature determines on which interfaces to advertise
the network policy TLV with application type voice, and controls the parameters of
that TLV.
To enable the auto generation of a network policy based on the auto voice VLAN,
there must be no manually pre-configured network policies for the voice
application.
In Auto mode, you cannot manually define a network policy for the voice
application using the lldp med network-policy (global) command.
Example
Syntax
Parameters
• enable—Enables sending LLDP notifications.
Default Configuration
Disabled.
Command Mode
Example
Syntax
Parameters
interval seconds—The device does not send more than a single notification in the
indicated period (range: 5–3600).
Default Configuration
5 seconds
Command Mode
Example
36.15 lldp optional-tlv
To specify which optional TLVs are transmitted, use the lldp optional-tlv Interface
(Ethernet) Configuration mode command. To restore the default configuration, use
the no form of this command.
Syntax
lldp optional-tlv tlv [tlv2 … tlv5 | none]
Parameters
• tlv—Specifies the TLVs to be included. Available optional TLVs are:
port-desc, sys-name, sys-desc, sys-cap, 802.3-mac-phy, 802.3-lag,
802.3-max-frame-size, Power-via-MDI, 4-wirePower-via-MDI.
Default Configuration
• sys-name
• sys-cap
Command Mode
Example
The following example specifies that the port description TLV is transmitted on
te1/0/2.
Syntax
lldp optional-tlv 802.1 pvid {enable | disable} - The PVID is advertised or not
advertised.
no lldp optional-tlv 802.1 pvid - The PVID advertise state is returned to default.
lldp optional-tlv 802.1 ppvid add ppvid - The Protocol Port VLAN ID (PPVID) is
advertised. The PPVID is the PVID that is used depending on the packet’s protocol.
lldp optional-tlv 802.1 ppvid remove ppvid - The PPVID is not advertised.
lldp optional-tlv 802.1 protocol add {stp | rstp | mstp | pause | 802.1x | lacp | gvrp} -
The protocols selected are advertised.
lldp optional-tlv 802.1 protocol remove {stp | rstp | mstp | pause | 802.1x | lacp | gvrp}
- The protocols selected are not advertised.
Parameters
Default Configuration
Command Mode
Example
Syntax
lldp run
no lldp run
Parameters
Default Configuration
Enabled
Command Mode
Example
Syntax
lldp receive
no lldp receive
Parameters
Default Configuration
Enabled
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
LLDP manages LAG ports individually. LLDP data received through LAG ports is
stored individually per port.
LLDP operation on a port does not depend on the STP state of the port; LLDP
frames are received even on blocked ports.
If a port is controlled by 802.1x, LLDP operates only if the port is authorized.
Example
Syntax
Parameters
reinit seconds—Specifies the minimum time in seconds an LLDP port waits before
reinitializing LLDP transmission. (Range: 1–10)
Default Configuration
2 seconds
Command Mode
Example
Syntax
Parameters
timer seconds—Specifies, in seconds, how often the software sends LLDP
updates (range: 5-32768 seconds).
Default Configuration
30 seconds.
Command Mode
Example
The following example sets the interval for sending LLDP updates to 60 seconds.
Syntax
lldp transmit
no lldp transmit
Parameters
Default Configuration
Enabled
Command Mode
User Guidelines
LLDP manages LAG ports individually. LLDP sends separate advertisements on
each port in a LAG.
LLDP operation on a port does not depend on the STP state of the port; LLDP
frames are sent even on blocked ports.
Example
switchxxxxxx(config-if)# lldp transmit
Syntax
no lldp tx-delay
Parameters
Default Configuration
Command Mode
Global Configuration mode
User Guidelines
It is recommended that the tx-delay be less than 25% of the LLDP timer interval.
Example
Syntax
Parameters
Default Configuration
Display for all ports. If detailed is not used, only present ports are displayed.
Command Mode
Privileged EXEC mode
Examples
Example 1 - Display LLDP configuration for all ports.
State: Enabled
Timer: 30 Seconds
Hold multiplier: 4
Tx delay: 2 Seconds
te1/0/2 TX PD, SN 172.16.1.1 Disabled
State: Enabled
Timer: 30 Seconds
Hold multiplier: 4
Tx delay: 2 Seconds
PVID: Enabled
PPVIDs: 0, 1, 92
VLANs: 1, 92
Protocols: 802.1x
The following table describes the significant fields shown in the display:
Field            Description
Timer            The time interval between LLDP updates.
Hold multiplier  The amount of time (as a multiple of the timer interval) that the receiving device holds an LLDP packet before discarding it.
Reinit timer     The minimum time interval an LLDP port waits before re-initializing an LLDP transmission.
Tx delay         The delay between successive LLDP frame transmissions initiated by value/status changes in the LLDP local systems MIB.
Port             The port number.
State            The port’s LLDP state.
Optional TLVs    Optional TLVs that are advertised. Possible values are:
                 PD - Port description
                 SN - System name
                 SD - System description
                 SC - System capabilities
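The following Python audit is an added example, not part of the Cisco guide. It reads captured show lldp configuration output, checks the tx-delay recommendation (less than 25% of the timer), derives the hold time from timer and hold multiplier, and lists transmitting ports that advertise more than the documented default optional TLVs (sys-name, sys-cap). The sample text is constructed; its column header row, the RX state and "None" as an empty address are assumptions, as are all function names.

```python
import re

# Abbreviations from the "Optional TLVs" field description, mapped to the
# keywords accepted by lldp optional-tlv.
TLV_NAMES = {"PD": "port-desc", "SN": "sys-name", "SD": "sys-desc", "SC": "sys-cap"}
DEFAULT_TLVS = {"SN", "SC"}  # documented default of lldp optional-tlv

# Constructed sample in the layout of the show lldp configuration example.
# Assumptions: the column header row, the RX state, "None" as an empty address.
SAMPLE = """\
State: Enabled
Timer: 30 Seconds
Hold multiplier: 4
Reinit timer: 2 Seconds
Tx delay: 10 Seconds

Port     State  Optional TLVs   Address     Notifications
te1/0/1  RX,TX  PD, SN, SD, SC  172.16.1.1  Disabled
te1/0/2  TX     PD, SN          172.16.1.1  Disabled
te1/0/3  RX     SN, SC          None        Disabled
"""

GLOBAL_RE = re.compile(r"^(State|Timer|Hold multiplier|Reinit timer|Tx delay):\s*(\S+)")
PORT_RE = re.compile(r"^[A-Za-z]+\d+(/\d+)*$")  # e.g. te1/0/2


def parse_lldp_configuration(text):
    """Return (global_settings, ports) parsed from show lldp configuration text."""
    settings, ports = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = GLOBAL_RE.match(line)
        if m:
            key, value = m.groups()
            settings[key] = int(value) if value.isdigit() else value
            continue
        tokens = line.split()
        if len(tokens) >= 4 and PORT_RE.match(tokens[0]):
            # Layout: port, state, TLV list (may contain spaces), address, notifications.
            tlvs = {t.strip(",") for t in tokens[2:-2]} & set(TLV_NAMES)
            ports.append({
                "port": tokens[0],
                "state": tokens[1].upper().split(","),
                "tlvs": tlvs,
                "address": tokens[-2],
                "notifications": tokens[-1],
            })
    return settings, ports


def hold_time(settings):
    """Seconds a receiver keeps the advertisement: timer x hold multiplier."""
    return settings["Timer"] * settings["Hold multiplier"]


def audit(text):
    """Return a list of findings for the captured configuration."""
    settings, ports = parse_lldp_configuration(text)
    findings = []
    timer, delay = settings.get("Timer"), settings.get("Tx delay")
    if isinstance(timer, int) and isinstance(delay, int) and delay >= 0.25 * timer:
        findings.append(f"global: tx-delay {delay}s is not below 25% of timer {timer}s")
    for p in ports:
        if "TX" not in p["state"]:
            continue  # a port that does not transmit advertises nothing
        extra = sorted(p["tlvs"] - DEFAULT_TLVS)
        if extra:
            names = ", ".join(TLV_NAMES[t] for t in extra)
            findings.append(f"{p['port']}: advertises non-default TLVs: {names}")
        if p["address"].lower() != "none":
            findings.append(f"{p['port']}: advertises management address {p['address']}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Compare the findings against the TLV set you intend each port class (uplink, access, phone) to advertise, then adjust with lldp optional-tlv or no lldp transmit on the affected interfaces.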
Syntax
Parameters
Default Configuration
Command Mode
Example
The following examples display LLDP information that is advertised from te1/0/1
and 2.
Capabilities: Bridge
System description:
Port description:
802.3 EEE
802.1 PVID: 1
802.1 Protocol: 88 8E 01
VLAN ID: 2
Layer 2 priority: 0
DSCP: 0
LLDP-MED Location
Coordinates: 54:53:c1:f7:51:57:50:ba:5b:97:27:80:00:00:67:01
Hardware Revision: B1
Firmware Revision: A1
LLDP is disabled.
Syntax
show lldp local tlvs-overloading [interface-id]
Parameters
Default Configuration
Command Mode
User EXEC mode
User Guidelines
The command calculates the overloading status of the current LLDP configuration,
and not for the last LLDP packet that was sent.
Example
Mandatory 31 Transmitted
Syntax
show lldp med configuration [interface-id | detailed]
Parameters
• interface-id—(Optional) Specifies the port ID.
Default Configuration
If no port ID is entered, the command displays information for all ports. If detailed is
not used, only present ports are displayed.
Command Mode
Examples
Example 1 - The following example displays the LLDP MED configuration for all
interfaces.
Network policy 1
-------------------
Layer 2 priority: 0
DSCP: 0
Port Capabilities Network Policy Location Notifications Inventory
te1/0/3 No No No Enabled No
Example 2 - The following example displays the LLDP MED configuration for
te1/0/1.
Network policies:
Location:
Civic-address: 61:62:63:64:65:66
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Examples
Capabilities: B
System description:
Port description:
Management address: 172.16.1.1
802.3 EEE
802.1 PVID: 1
802.1 Protocol: 88 8E 01
VLAN ID: 0
Layer 2 priority: 0
DSCP: 0
Manufacturer name: VP
Asset ID: 9
LLDP-MED Location
Coordinates: 54:53:c1:f7:51:57:50:ba:5b:97:27:80:00:00:67:01
The following table describes significant LLDP fields shown in the display:
Field                                     Description
Port                                      The port number.
Device ID                                 The neighbor device’s configured ID (name) or MAC address.
Port ID                                   The neighbor device’s port ID.
System name                               The neighbor device’s administratively assigned name.
Capabilities                              The capabilities discovered on the neighbor device. Possible values are:
                                          B - Bridge
                                          R - Router
                                          T - Telephone
                                          H - Host
                                          r - Repeater
                                          O - Other
System description                        The neighbor device’s system description.
Port description                          The neighbor device’s port description.
Management address                        The neighbor device’s management address.
Auto-negotiation support                  The auto-negotiation support status on the port. (supported or not supported)
Auto-negotiation status                   The active status of auto-negotiation on the port. (enabled or disabled)
Auto-negotiation Advertised Capabilities  The port speed/duplex/flow-control capabilities advertised by the auto-negotiation.
Operational MAU type                      The port MAU type.
Power Source                              The power source utilized by a PSE or PD device. A PSE device advertises its power capability. The possible values are: Primary power source, Backup power source, Unknown Power source, PSE and local power source, Local Only power source and PSE only power source.
LLDP MED
Capabilities                              The sender's LLDP-MED capabilities.
Device type                               The device type. Indicates whether the sender is a Network Connectivity Device or Endpoint Device, and if an Endpoint, to which Endpoint Class it belongs.
LLDP MED - Network Policy
Application type                          The primary function of the application defined for this network policy.
Flags                                     Flags. The possible values are:
Power priority                            The PD device priority. A PSE device advertises the power priority configured for the port. A PD device advertises the power priority configured for the device. The possible values are: Critical, High and Low.
Power value                               The total power in watts required by a PD device from a PSE device, or the total power a PSE device is capable of sourcing over a maximum length cable based on its current configuration.
LLDP MED - Location
Coordinates, Civic address, ECS ELIN.     The location information raw data.
To display LLDP statistics on all ports or a specific port, use the show lldp
statistics EXEC mode command.
Syntax
Parameters
Default Configuration
If no port ID is entered, the command displays information for all ports. If detailed is
not used, only present ports are displayed.
Command Mode
Example
Tables Inserts: 26
Tables Deletes: 2
Tables Dropped: 0
Tables Ageouts: 1
te1/0/2 0 0 0 0 0 0 0
te1/0/3 730 0 0 0 0 0 0
te1/0/4 0 0 0 0 0 0 0
The following table describes significant LLDP fields shown in the display:
Field                                     Description
Port                                      The port number.
Device ID                                 The neighbor device’s configured ID (name) or MAC address.
Port ID                                   The neighbor device’s port ID.
System name                               The neighbor device’s administratively assigned name.
Capabilities                              The capabilities discovered on the neighbor device. Possible values are:
                                          B - Bridge
                                          R - Router
                                          T - Telephone
                                          H - Host
                                          r - Repeater
                                          O - Other
System description                        The neighbor device’s system description.
Port description                          The neighbor device’s port description.
Management address                        The neighbor device’s management address.
Auto-negotiation support                  The auto-negotiation support status on the port. (Supported or Not Supported)
Auto-negotiation status                   The active status of auto-negotiation on the port. (Enabled or Disabled)
Auto-negotiation Advertised Capabilities  The port speed/duplex/flow-control capabilities advertised by the auto-negotiation.
Operational MAU type                      The port MAU type.
LLDP MED
Capabilities                              The sender's LLDP-MED capabilities.
Device type                               The device type. Indicates whether the sender is a Network Connectivity Device or Endpoint Device, and if an Endpoint, to which Endpoint Class it belongs.
LLDP MED - Network Policy
Application type                          The primary function of the application defined for this network policy.
Flags                                     Flags. The possible values are:
Power priority                            The PD device priority. A PSE device advertises the power priority configured for the port. A PD device advertises the power priority configured for the device. The possible values are: Critical, High and Low.
Power value                               The total power in watts required by a PD device from a PSE device, or the total power a PSE device is capable of sourcing over a maximum length cable based on its current configuration.
LLDP MED - Location
Coordinates, Civic address, ECS ELIN.     The location information raw data.
37 Loopback Detection Commands
Syntax
loopback-detection enable
no loopback-detection enable
Parameters
Default Configuration
Command Mode
User Guidelines
This command enables the Loopback Detection feature globally. Use the
loopback-detection enable Interface Configuration mode command to enable
Loopback Detection on an interface.
Example
The following example enables the Loopback Detection feature on the device.
Syntax
loopback-detection enable
no loopback-detection enable
Parameters
Default Configuration
Command Mode
User Guidelines
Example
The following example enables the Loopback Detection feature on port te1/0/4.
Syntax
Parameters
Default Configuration
Command Mode
Example
The following example sets the time interval between LBD packets to 45 seconds.
Syntax
Parameters
Default Configuration
All ports are displayed. If detailed is not used, only present ports are displayed.
Command Mode
User Guidelines
Example
38 Macro Commands
• Global macros define a group of CLI commands that can be run at any time.
If a macro with this name already exists, it overrides the previously-defined one.
Use the no form of this command to delete the macro definition.
Syntax
macro name macro-name
Parameters
Default Configuration
N/A
Command Mode
User Guidelines
A macro is a script that contains CLI commands and is assigned a name by the
user. It can contain up to 3000 characters and 200 lines.
Keywords
• Applying a macro with keywords does not change the state of the original
macro definition.
User Feedback
The behavior of a macro command requiring user feedback is the same as if the
command is entered from terminal: it sends its prompt to the terminal and accepts
the user reply.
Creating a Macro
command creates a CLI help string with the keywords for the macro. The
help string will be displayed if help on the macro is requested from the
macro and macro global commands. The GUI also uses the keywords
specified in the command as the parameter names for the macro. See
Example 2 and 3 below for a description of how this command is used in
the CLI.
Editing a Macro
Macros cannot be edited. Modify a macro by creating a new macro with the same
name as the existing macro. The newer macro overwrites the existing macro.
The exceptions to this are the built-in macros and corresponding anti-macros for
the Smartport feature. You cannot override a Smartport macro. To change a
Smartport macro, create a new macro (my_macro) and an anti macro
(no_my_macro) and associate it with the Smartport type using the macro auto user
smartport macro command.
Scope of Macro
Examples
Example 1 - The following example shows how to create a macro that configures
the duplex mode of a port.
Enter macro commands one per line. End with the character ‘@’.
duplex full
negotiation
Example 2 - The following example shows how to create a macro with the
parameters: DUPLEX and SPEED. When the macro is run, the values of DUPLEX
and SPEED must be provided by the user. The #macro keywords command
enables the user to receive help for the macro as shown in Example 3.
switchxxxxxx(config)# macro name duplex
Enter macro commands one per line. End with the character ‘@’.
duplex $DUPLEX
no negotiation
speed $SPEED
Example 3 - The following example shows how to display the keywords using the
help character ? (as defined by the #macro keywords command above) and then
run the macro on the port. The #macro keywords command entered in the macro
definition enables the user to receive help for the macro, as shown after the words
e.g. below.
switchxxxxxx(config)# interface te1/0/1
<cr>
<cr>
38.2 macro
Use the macro apply/trace Interface Configuration command to either:
• Apply a macro to an interface without displaying the actions being
performed
Syntax
Parameters
• apply—Apply a macro to the specific interface.
Default Configuration
Command Mode
User Guidelines
The macro apply command hides the commands of the macro from the user while
it is being run. The macro trace command displays the commands along with any
errors which are generated by them as they are executed. This is used to debug
the macro and find syntax or configuration errors.
When you run a macro, if a line in it fails because of a syntax or configuration error,
the macro continues to apply the remaining commands to the interface.
If you apply a macro that contains parameters in its commands, the command fails
if you do not provide the values for the parameters. You can use the macro apply
macro-name with a '?' to display the help string for the macro keywords (if you
have defined these with the #macro keywords preprocessor command).
A macro applied to an interface range behaves the same way as a macro applied
to a single interface. When a macro is applied to an interface range, it is applied
sequentially to each interface within the range. If a macro command fails on one
interface, the switch still attempts to apply it to the remaining interfaces, where
it may fail or succeed.
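Because a macro keeps applying its remaining lines after one fails, and fails outright when a keyword value is missing, it is worth checking a definition offline before it reaches a switch. The following Python linter is an added example, not part of the Cisco guide: it checks a macro body against the 3000-character and 200-line limits, compares the keywords used with those listed in #macro keywords, and expands the body with supplied values. The $-prefixed keyword pattern, the value allow-list (SAFE_VALUE_RE) and all function names are assumptions of this example; the sample body is constructed after Example 2.

```python
import re

MAX_CHARS, MAX_LINES = 3000, 200            # limits stated for macro name
KEYWORD_RE = re.compile(r"\$[A-Za-z][\w-]*")  # assumption: keywords look like $DUPLEX
SAFE_VALUE_RE = re.compile(r"[\w./:-]+")      # assumption: local policy for values

# Constructed sample, modelled on Example 2 (macro "duplex").
SAMPLE_MACRO = """\
duplex $DUPLEX
no negotiation
speed $SPEED
#macro keywords $DUPLEX $SPEED
"""


def declared_keywords(body):
    """Keywords listed on #macro keywords preprocessor lines, in order."""
    found = []
    for line in body.splitlines():
        if line.strip().lower().startswith("#macro keywords"):
            found += line.split()[2:]
    return found


def used_keywords(body):
    """Keywords referenced by command lines (preprocessor/comment lines skipped)."""
    used = set()
    for line in body.splitlines():
        if not line.lstrip().startswith("#"):
            used.update(KEYWORD_RE.findall(line))
    return used


def lint_macro(body):
    """Return a list of problems found in a macro body (empty list means clean)."""
    problems = []
    lines = body.splitlines()
    if len(body) > MAX_CHARS:
        problems.append(f"body has {len(body)} characters, limit is {MAX_CHARS}")
    if len(lines) > MAX_LINES:
        problems.append(f"body has {len(lines)} lines, limit is {MAX_LINES}")
    if any("@" in line for line in lines):
        problems.append("body contains '@', the character that ends macro entry")
    declared, used = set(declared_keywords(body)), used_keywords(body)
    for kw in sorted(used - declared):
        problems.append(f"{kw} is used but not listed in #macro keywords")
    for kw in sorted(declared - used):
        problems.append(f"{kw} is listed in #macro keywords but never used")
    return problems


def expand(body, values):
    """Return the command lines with keywords replaced by the supplied values.

    Raises ValueError when a value is missing (the switch would reject the
    apply) or when a value contains characters outside the local allow-list,
    so that a value cannot smuggle extra text into the command line.
    """
    needed = used_keywords(body)
    missing = sorted(needed - set(values))
    if missing:
        raise ValueError("missing values for: " + ", ".join(missing))
    for kw in needed:
        if not SAFE_VALUE_RE.fullmatch(str(values[kw])):
            raise ValueError(f"unsafe value for {kw}: {values[kw]!r}")
    commands = []
    for line in body.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        commands.append(KEYWORD_RE.sub(lambda m: str(values[m.group(0)]), line))
    return commands


if __name__ == "__main__":
    print(lint_macro(SAMPLE_MACRO))
    print(expand(SAMPLE_MACRO, {"$DUPLEX": "full", "$SPEED": "1000"}))
```

Run the expanded command list through review or a lab switch with macro trace before using macro apply in production, since trace shows each command and its errors as it executes.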
Examples
switchxxxxxx(config-if)#
switchxxxxxx(config-if)#
% bad parameter value
switchxxxxxx(config-if)#
Syntax
no macro description
Parameters
• text—Description text. The text can contain up to 160 characters. The text
must be double quoted if it contains multiple words.
Default Configuration
Command Mode
User Guidelines
When multiple macros are applied on a single interface, the description text is a
concatenation of texts from a number of previously-applied macros.
To verify the settings created by this command, run the show parser macro
command.
Example
switchxxxxxx(config-if)# exit
switchxxxxxx(config-if)# end
switchxxxxxx(config)# exit
Global Macro(s):
------------ --------------------------------------------------
te1/0/2 dup
--------------------------------------------------------------
switchxxxxxx# configure
switchxxxxxx(config-if)# end
switchxxxxxx(config)# exit
Global Macro(s):
--------- -----------------------------------------------------
--------------------------------------------------------------
Syntax
Parameters
• apply—Apply a macro to the switch.
Default Configuration
Command Mode
Global Configuration mode
User Guidelines
If you apply a macro that contains keywords in its commands, the command fails if
you do not specify the proper values for the keywords when you apply the macro.
You can use this command with a '?' to display the help string for the macro
keywords. You define the keywords in the help string using the preprocessor
command #macro keywords when you define a macro.
When you apply a macro in Global Configuration mode, the switch automatically
generates a global macro description command with the macro name. As a result,
the macro name is appended to the global macro history. Use show parser macro
to display the global macro history.
Example
The following is an example of a macro being defined and then applied to the
switch with the trace option.
switchxxxxxx(config)# macro name console-timeout
Enter macro commands one per line. End with the character ‘@’.
line console
exec-timeout $timeout-interval
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
When multiple global macros are applied to a switch, the global description text is
a concatenation of texts from a number of previously applied macros.
You can verify your settings by entering the show parser macro command with the
description keyword.
Examples
Syntax
Parameters
Default Configuration
If the detailed keyword is not used, only present ports are displayed.
Command Mode
Examples
Example 1 - This is a partial output example from the show parser macro
command.
--------------------------------------------------------------
# failures
--------------------------------------------------------------
Example 2 - This is an example of output from the show parser macro name
command.
channel-protocol pagp
Example 3 - This is an example of output from the show parser macro brief
command.
customizable : snmp
Example 4 - This is an example of output from the show parser macro description
command.
Example 5 - This is an example of output from the show parser macro description
interface command.
--------------------------------------------------------------
--------------------------------------------------------------
39 Management ACL Commands
Syntax
Parameters
Default Configuration
No rules are configured.
Command Mode
User Guidelines
Rules with ethernet, VLAN, and port-channel parameters are valid only if an IP
address is defined on the appropriate interface.
Example
The following example denies all ports in the ACL called mlist.
switchxxxxxx(config-macl)# deny
Syntax
Parameters
• mask mask — Specifies the source IPv4 address network mask. This
parameter is relevant only to IPv4 addresses.
• mask prefix-length — Specifies the number of bits that comprise the source
IPv4 address prefix. The prefix length must be preceded by a forward slash
(/). This parameter is relevant only to IPv4 addresses. (Range: 0–32)
Default Configuration
No rules are configured.
Command Mode
User Guidelines
Rules with Ethernet, VLAN, and port-channel parameters are valid only if an IP
address is defined on the appropriate interface.
Example
The following example permits all ports in the ACL called mlist.
switchxxxxxx(config-macl)# permit
Syntax
Parameters
Default Configuration
N/A
Command Mode
User Guidelines
Use this command to configure a management access list. This command enters
the Management Access-list Configuration mode, where the denied or permitted
access conditions are defined with the deny and permit commands.
Use the management access-class command to select the active access list.
The active management list cannot be updated or removed.
For IPv6 management traffic that is tunneled in IPv4 packets, the management ACL
is applied first on the external IPv4 header (rules with the service field are
ignored), and then again on the inner IPv6 header.
Examples
Example 1 - The following example creates a management access list called mlist,
configures management te1/0/1 and te1/0/9, and makes the new access list the
active list.
switchxxxxxx(config-macl)# exit
switchxxxxxx(config)#
switchxxxxxx(config-macl)# permit
switchxxxxxx(config-macl)# exit
switchxxxxxx(config)#
Syntax
no management access-class
Parameters
Default Configuration
Command Mode
Example
The following example defines an access list called mlist as the active
management access list.
39.5 show management access-list
To display management access lists (ACLs), use the show management
access-list Privileged EXEC mode command.
Syntax
Parameters
Default Configuration
Command Mode
Example
m1
--
console(config-macl)#
Syntax
Parameters
Command Mode
Example
40 MLD Commands
Syntax
Parameters
• interface-id—(Optional) Interface Identifier.
Command Mode
User Guidelines
Use the clear ipv6 mld counters command to clear the MLD counters, which keep
track of the number of joins and leaves received. If you omit the optional
interface-id argument, the clear ipv6 mld counters command clears the counters
on all interfaces.
Example
Syntax
ipv6 mld last-member-query-count count
Parameters
Default Configuration
Command Mode
User Guidelines
Use the ipv6 mld robustness command to change the MLD last member query
counter.
Example
The following example changes the value of the MLD last member query counter to
3:
40.3 ipv6 mld last-member-query-interval
To configure the Multicast Listener Discovery (MLD) last member query interval,
use the ipv6 mld last-member-query-interval command in Interface Configuration
mode. To restore the default MLD query interval, use the no form of this command.
Syntax
ipv6 mld last-member-query-interval milliseconds
Parameters
Default Configuration
Command Mode
Interface Configuration mode
User Guidelines
Use the ipv6 mld last-member-query-interval command to configure the MLD last
member query interval on an interface.
Example
The following example shows how to increase the MLD last member query
interval to 1500 milliseconds:
Interface Configuration mode. To return to the default frequency, use the no form of
this command.
Syntax
Parameters
• seconds—Frequency, in seconds, at which the switch sends MLD query
messages from the interface. The range is from 30 to 18000.
Default Configuration
The default MLD query interval is 125 seconds.
Command Mode
User Guidelines
Use the ipv6 mld query-interval command to configure the frequency at which the
MLD querier sends MLD host-query messages from an interface. The MLD querier
sends query-host messages to discover which multicast groups have members
on the attached networks of the router.
The query interval must be greater than the maximum query response time.
Example
The following example shows how to increase the frequency at which the MLD
querier sends MLD host-query messages to 180 seconds:
Interface Configuration mode. To restore the default value, use the no form of this
command.
Syntax
Parameters
• seconds—Maximum response time, in seconds, advertised in MLD queries.
(Range: 5–20)
Default Configuration
10 seconds.
Command Mode
User Guidelines
This command controls the period during which the responder can respond to an
MLD query message before the router deletes the group.
This command controls how much time the hosts have to answer an MLD query
message before the router deletes their group. Configuring a value of fewer than
10 seconds enables the router to prune groups faster.
The maximum query response time must be less than the query interval.
Note. If the hosts do not respond fast enough, they might be pruned inadvertently.
Therefore, the hosts must know to respond faster than 10 seconds (or the value
you configure).
Example
Syntax
ipv6 mld robustness count
Parameters
Default Configuration
Command Mode
Interface Configuration mode
User Guidelines
Use the ipv6 mld robustness command to change the MLD robustness variable.
Example
Syntax
Parameters
• 1—MLD Version 1.
• 2—MLD Version 2.
Default Configuration
Command Mode
User Guidelines
Example
Syntax
Parameters
Command Mode
User Guidelines
Use the show ipv6 mld counters command to check if the expected number of
MLD protocol messages have been received and sent.
If you omit the optional interface-id argument, the show ipv6 mld counters
command displays counters of all interfaces.
Example
The following example displays the MLD protocol messages received and sent:
VLAN 100
Syntax
Parameters
Command Mode
User Guidelines
Use the show ipv6 mld groups [detail] command to display all directly connected
groups.
Use the show ipv6 mld groups link-local [detail] command to display all directly
connected link-local groups.
Use the show ipv6 mld groups [group-name | group-address] [detail] command to
display one given directly connected group.
Use the show ipv6 mld groups interface-id [detail] command to display all groups
directly connected to the given interface.
Examples
Example 1. The following is sample output from the show ipv6 mld groups
command. It shows all of the groups joined by VLAN 100:
Example 2. The following is sample output from the show ipv6 mld groups
command using the detail keyword:
Group: FF33::1:1:1
2004:4::6 00:00:11
2004:4::16 00:08:11
Group: FF33::1:1:2
2004:5::1 00:04:08
2004:3::1 00:04:08
2004:7::10 00:00:00
2004:50::1 00:00:00
Syntax
Parameters
Command Mode
User Guidelines
The show ipv6 mld groups summary command displays the number of directly
connected multicast groups (including link-local groups).
Example
The following is sample output from the show ipv6 mld groups summary
command:
Field Descriptions:
No. of (*,G) routes = 5—Displays the number of groups present in the MLD cache.
No. of (S,G) routes = 0—Displays the number of include and exclude mode sources present in the MLD
cache.
Syntax
Parameters
• interface-id—Interface identifier.
Command Mode
User Guidelines
If you omit the optional interface-id argument, the show ipv6 mld interface
command displays information about all interfaces.
Example
The following is sample output from the show ipv6 mld interface command for
Ethernet interface 2/1/1:
VLAN 100 is up
41
MLD Proxy Commands
41.0
Syntax
no ipv6 mld-proxy
Parameters
Default Configuration
Command Mode
User Guidelines
Use the ipv6 mld-proxy command to add a downstream interface to an MLD proxy
tree. If the proxy tree does not exist, it is created.
Use the no form of the command to remove the downstream interface. When the
last downstream interface is removed from the proxy tree, the tree is deleted too.
Examples
switchxxxxxx(config-if)# exit
switchxxxxxx(config-if)# exit
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Use the ipv6 mld-proxy downstream protected command to block forwarding from
downstream interfaces.
Example
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Example
The following example prohibits forwarding from downstream interface vlan 100:
switchxxxxxx(config-if)# exit
Syntax
Parameters
range access-list—Specifies the standard IPv6 access list name defining the SSM
range.
Default Configuration
Command Mode
User Guidelines
A new ipv6 mld-proxy ssm command overrides the previous ipv6 mld-proxy ssm
command.
Use the no ipv6 mld-proxy ssm command to remove all defined ranges.
Example
The following example shows how to configure SSM service for the default IPv6
address range and the IPv6 address ranges defined by access lists list1:
Syntax
Parameters
Command Mode
User Guidelines
The show ipv6 mld-proxy interface command is used to display all interfaces
where the MLD Proxy is enabled or to display the MLD Proxy configuration for a
given interface.
Examples
Example 1. The following example displays MLD Proxy status on all interfaces
where the MLD Proxy is enabled:
Example 2. The following is sample output from the show ipv6 mld-proxy interface
command for given upstream interface:
Downstream interfaces:
Example 3. The following is sample output from the show ipv6 mld-proxy interface
command for given downstream interface:
Example 4. The following is sample output from the show ipv6 mld-proxy interface
command for an interface on which IGMP Proxy is disabled:
42
MLD Snooping Commands
42.0
Syntax
ipv6 mld snooping
Parameters
N/A
Default Configuration
IPv6 MLD snooping is disabled.
Command Mode
Global Configuration mode
Example
The following example enables IPv6 MLD snooping.
Syntax
ipv6 mld snooping vlan vlan-id
Parameters
• vlan-id—Specifies the VLAN.
Default Configuration
Disabled
Command Mode
Global Configuration mode
User Guidelines
MLD snooping can only be enabled on static VLANs.
To activate MLD snooping, bridge multicast filtering must be enabled by the bridge
multicast filtering command.
The user guidelines of the bridge multicast mode command describe the
configuration that can be written into the FDB as a function of the FDB mode, and
the MLD version that is used in the network.
Example
Syntax
Parameters
N/A
Default Configuration
Enabled
Command Mode
User Guidelines
To run the MLD Snooping querier on a VLAN, you must enable it globally and on the
VLAN.
Example
Syntax
Parameters
Default Configuration
Disabled
Command Mode
User Guidelines
The MLD Snooping querier can be enabled on a VLAN only if MLD Snooping is
enabled for that VLAN.
Example
Syntax
Parameters
• vlan-id—Specifies the VLAN.
Default Configuration
Enabled
Command Mode
User Guidelines
Use the no form of the ipv6 mld snooping vlan querier election command to
disable MLD Querier election mechanism on a VLAN.
If the MLD Querier election mechanism is enabled, the MLD Snooping querier
supports the standard MLD Querier election mechanism specified in RFC2710
and RFC3810.
Example
Syntax
Parameters
Default Configuration
MLDv1.
Command Mode
Example
The following example sets the version of the MLD Snooping Querier on VLAN 1 to 2:
Syntax
ipv6 mld snooping vlan vlan-id mrouter learn pim-dvmrp
Parameters
• vlan-id—Specifies the VLAN.
• pim-dvmrp—Learn Multicast router port by PIM, DVMRP and MLD
messages.
Default Configuration
Learning pim-dvmrp is enabled.
Command Mode
Global Configuration mode
User Guidelines
Multicast router ports can be configured statically with the bridge multicast
forward-all command.
Example
Syntax
ipv6 mld snooping vlan vlan-id mrouter interface interface-list
Parameters
• vlan-id—Specifies the VLAN.
• interface-list—Specifies a list of interfaces. The interfaces can be from one
of the following types: port or port-channel.
Default Configuration
No ports defined
Command Mode
Global Configuration mode
User Guidelines
This command may be used in conjunction with the bridge multicast forward-all
command, which is used in older versions to statically configure a port as a
Multicast router.
A port that is defined as a Multicast router port receives all MLD packets (reports
and queries) as well as all Multicast data.
You can execute the command before the VLAN is created and for a range of ports
as shown in the example.
Example
switchxxxxxx(config-if)# ipv6 mld snooping vlan 1 mrouter interface te1/0/1-4
Syntax
ipv6 mld snooping vlan vlan-id forbidden mrouter interface interface-list
Parameters
• vlan-id—Specifies the VLAN.
• interface-list—Specifies list of interfaces. The interfaces can be of one of
the following types: Ethernet port or Port-channel.
Default Configuration
No forbidden ports by default
Command Mode
Global Configuration mode
User Guidelines
A port that is forbidden to be defined as a Multicast router port (mrouter port)
cannot be learned dynamically or assigned statically.
The bridge multicast forward-all command was used in older versions to forbid
dynamic learning of Multicast router ports.
Example
Syntax
ipv6 mld snooping vlan vlan-id static ipv6-address [interface interface-list]
Parameters
• vlan-id—Specifies the VLAN.
• ipv6-address—Specifies the IP multicast address
• interface interface-list—(Optional) Specifies list of interfaces. The
interfaces can be from one of the following types: Ethernet port or
Port-channel.
Default Configuration
No Multicast addresses are defined.
Command Mode
Global Configuration mode
User Guidelines
Static multicast addresses can only be defined on static VLANs.
Example
42.11 ipv6 mld snooping vlan immediate-leave
To enable MLD Snooping Immediate-Leave processing on a VLAN, use the ipv6
mld snooping vlan immediate-leave command in Global Configuration mode. To
return to the default, use the no form of this command.
Syntax
ipv6 mld snooping vlan vlan-id immediate-leave
Parameters
vlan-id—Specifies the VLAN ID value. (Range: 1–4094)
Default Configuration
Disabled
Command Mode
Global Configuration mode
User Guidelines
When an MLD Leave Group message is received from a host, the system removes
the host port from the table entry. After it relays the MLD queries from the
Multicast router, it deletes entries periodically if it does not receive any MLD
membership reports from the Multicast clients.
Example
Syntax
show ipv6 mld snooping groups [vlan vlan-id] [address ipv6-multicast-address]
[source ipv6-address]
Parameters
• vlan vlan-id—(Optional) Specifies the VLAN ID.
Command Mode
User EXEC mode
Default Configuration
Display information for all VLANs and addresses defined on them.
User Guidelines
To see the full multicast address table (including static addresses), use the show
bridge multicast address-table command.
The Include list contains the ports which are in a forwarding state for this group
according to the snooping database. In general, the Exclude list contains the ports
which have issued an explicit Exclude for that specific source in a multicast group.
The Reporters That Are Forbidden Statically list contains the list of ports which
have asked to receive a multicast flow but were defined as forbidden for that
multicast group in a multicast bridge.
Note: Under certain circumstances, the Exclude list may not contain accurate
information; for example, in the case when two Exclude reports were received on
the same port for the same group but for different sources, the port will not be in
the Exclude list but rather in the Include list.
Example
The following example shows the output for show ipv6 mld snooping groups.
VLAN  Group Address  Source Address            Include Ports  Exclude Ports  Compatibility Mode
----  -------------  ------------------------  -------------  -------------  ------------------
1     FF12::3        FE80::201:C9FF:FE40:8001  te1/0/1                       1
1     FF12::3        FE80::201:C9FF:FE40:8002  te1/0/2                       1
19    FF12::8        FE80::201:C9FF:FE40:8003  te1/0/4                       2
19    FF12::8        FE80::201:C9FF:FE40:8004  te1/0/1        te1/0/2        2
19    FF12::8        FE80::201:C9FF:FE40:8005  te1/0/10-11    te1/0/3        2
Syntax
show ipv6 mld snooping interface vlan-id
Parameters
• vlan-id—Specifies the VLAN ID.
Default Configuration
Display information for all VLANs.
Command Mode
User EXEC mode
Example
The following example displays the MLD snooping configuration for VLAN 1000.
FF12::3, FF12::8
Syntax
show ipv6 mld snooping mrouter [interface vlan-id]
Parameters
• interface vlan-id—(Optional) Specifies the VLAN ID.
Default Configuration
Display information for all VLANs.
Command Mode
User EXEC mode
Example
The following example displays information on dynamically learned Multicast
router interfaces for VLAN 1000:
switchxxxxxx# show ipv6 mld snooping mrouter interface 1000
43
Network Management Protocol (SNMP)
Commands
43.0
To remove the specified community string, use the no form of this command.
Syntax
Parameters
• prefix-length—(Optional) Specifies the number of bits that comprise the
IPv4 address prefix. If unspecified, it defaults to 32. The command returns
an error if the prefix-length is specified without an IPv4 address.
Default Configuration
No community is defined
Command Mode
User Guidelines
The logical key of the command is the pair (community, ip-address). If ip-address
is omitted, the key is (community, All-IPs). This means that there cannot be two
commands with the same community, ip address pair.
The view-name is used to restrict the access rights of a community string. When a
view-name is specified, the software:
• Maps the internal security-name for SNMPv1 and SNMPv2 security models
to an internal group-name.
• Maps the internal group-name for SNMPv1 and SNMPv2 security models to
view-name (read-view and notify-view always, and for rw for write-view
also).
Example
Syntax
snmp-server community-group community-string group-name [ip-address |
ipv6-address] [mask mask | prefix prefix-length] [type {router | oob}]
Parameters
Default Configuration
No community is defined
Command Mode
User Guidelines
The group-name is used to restrict the access rights of a community string. When
a group-name is specified, the software:
• Maps the internal security-name for SNMPv1 and SNMPv2 security models
to the group-name.
Example
Defines a password tom for the group abcd that enables this group to access the
management station 1.1.1.121 with prefix 8.
switchxxxxxx(config)# snmp-server community-group tom abcd 1.1.1.122 prefix 8
Syntax
snmp-server server
no snmp-server server
Parameters
Default Configuration
Enabled
Command Mode
Example
Syntax
Parameters
Default Configuration
The source IPv4 address is the IPv4 address defined on the outgoing interface
and belonging to next hop IPv4 subnet.
Command Mode
User Guidelines
If the source interface is the outgoing interface, the interface IP address belonging
to next hop IPv4 subnet is applied.
If the source interface is not the outgoing interface, the minimal IPv4 address
defined on the source interface is applied.
Use the no snmp-server source-interface informs command to remove the source
interface for SNMP informs.
Use the no snmp-server source-interface command to remove the source
interface for SNMP traps and informs.
Example
The following example configures the VLAN 10 as the source interface for traps.
Syntax
Parameters
Default Configuration
The IPv6 source address is the IPv6 address of the outgoing interface and
selected in accordance with RFC6724.
Command Mode
User Guidelines
If the source interface is the outgoing interface, the IPv6 address defined on the
interfaces is selected in accordance with RFC 6724.
If the source interface is not the outgoing interface, the minimal IPv6 address
defined on the source interface with the scope of the destination IPv6 address is
applied.
Example
Syntax
Parameters
• excluded—Specifies that the view type is excluded.
Default Configuration
Command Mode
User Guidelines
This command can be entered multiple times for the same view.
The command’s logical key is the pair (view-name, oid-tree). Therefore there
cannot be two commands with the same view-name and oid-tree.
Default and DefaultSuper views are reserved for internal software use and cannot
be deleted or modified.
Example
The following example creates a view that includes all objects in the MIB-II system
group except for sysServices (System 7) and all objects for interface 1 in the
MIB-II interface group (this format is specified on the parameters specified in
ifEntry).
Syntax
snmp-server group groupname {v1 | v2 | v3 {noauth | auth | priv} [notify notifyview]}
[read readview] [write writeview]
no snmp-server group groupname {v1 | v2 | v3 [noauth | auth | priv]}
Parameters
Default Configuration
If notifyview is not specified, the notify view is not defined.
If readview is not specified, all objects except for the community-table and
SNMPv3 user and access tables are available for retrieval.
Command Mode
User Guidelines
The group defined in this command is used in the snmp-server user command to
map users to the group. These users are then automatically mapped to the views
defined in this command.
Example
Syntax
Parameters
Default Configuration
Command Mode
Example
Syntax
Parameters
groupname—(Optional) Specifies the group name. (Length: 1–30 characters)
Default Configuration
Command Mode
Privileged EXEC mode
Example
Field            Description
Name             Group name.
Security Model   SNMP model in use (v1, v2 or v3).
Security Level   Packet security. Applicable to SNMP v3 security only.
Syntax
snmp-server user username groupname {v1 | v2c | [remote host] v3[auth {md5 | sha}
auth-password [priv priv-password] ]}
encrypted snmp-server user username groupname {v1 | v2c | [remote host] v3[auth
{md5 | sha} encrypted-auth-password [priv encrypted-priv-password]]}
no snmp-server user username {v1 | v2c | [remote host] v3[auth {md5 | sha}
Parameters
• username—Define the name of the user on the host that connects to the
agent. (Range: Up to 20 characters).
• groupname—The name of the group to which the user belongs. The group
should be configured using the command snmp-server group with v1 or v2c
parameters (no specific order of the 2 command configurations is imposed
on the user). (Range: Up to 30 characters)
Default Configuration
Command Mode
User Guidelines
For SNMP v1 and v2, this command performs the same actions as snmp-server
community-group, except that snmp-server community-group configures both v1 and v2 at the
same time. With this command, you must perform it once for v1 and once for v2.
When you enter the show running-config command, you do not see a line for the
SNMP user defined by this command. To see if this user has been added to the
configuration, type the show snmp user command.
A local SNMP EngineID must be defined in order to add SNMPv3 users to the
device (use the snmp-server engineID remote command). For remote hosts users
a remote SNMP EngineID is also required (use the snmp-server engineID remote
command).
To configure a remote user, specify the IP address for the remote SNMP agent of
the device where the user resides. Also, before you configure remote users for a
particular agent, configure the SNMP engine ID, using the snmp-server engineID
remote command. The remote agent's SNMP engine ID is needed when
computing the authentication and privacy digests from the password. If the
remote engine ID is not configured first, the configuration command fails.
Because the same group may be defined several times, each time with a different version or
access level (noauth, auth or auth & priv), specifying only the group name when defining a
user is not sufficient. You must specify the group name, version and access level to fully
determine how packets from this user are handled.
Example
This example assigns user tom to group abcd using SNMP v1 and v2c. The default
is assigned as the engineID.
Syntax
Parameters
Default Configuration
Command Mode
Privileged EXEC mode
Example
Remote :11223344556677
Auth Password :
Priv Password :
Authentication Algorithm : MD5
Remote :
Priv Password :
Remote :
qMlrnpWuHraRlZj
1tbTRSz2H4c4Q4o
Remote :
Remote :
Syntax
snmp-server filter filter-name oid-tree {included | excluded}
Parameters
• filter-name—Specifies the label for the filter record that is being updated or
created. The name is used to reference the filter in other commands.
(Length: 1–30 characters)
Default Configuration
Command Mode
User Guidelines
This command can be entered multiple times for the same filter. If an object
identifier is included in two or more lines, later lines take precedence. The
command's logical key is the pair (filter-name, oid-tree).
Example
The following example creates a filter that includes all objects in the MIB-II system
group except for sysServices (System 7) and all objects for interface 1 in the
MIB-II interfaces group (this format depends on the parameters defined in ifEntry).
Syntax
Parameters
filtername—Specifies the filter name. (Length: 1–30 characters)
Default Configuration
Command Mode
Privileged EXEC mode
Example
Syntax
snmp-server host {host-ip | hostname} [traps | informs] [version {1 | 2c | 3 [auth |
noauth | priv]}] community-string [udp-port port] [filter filtername] [timeout
seconds] [retries retries]
no snmp-server host {ip-address | hostname} [traps | informs] [version {1 | 2c | 3}]
Parameters
• host-ip—IP address of the host (the targeted recipient). The default is all IP
addresses. This can be an IPv4 address, IPv6 or IPv6z address. See IPv6z
Address Conventions.
• udp-port port—(Optional) UDP port of the host to use. The default is 162.
(Range: 1–65535)
Default Configuration
Version: SNMP V1
udp-port: 162
Timeout: 15
Command Mode
User Guidelines
For SNMPv3 the software does not automatically create a user or a notify view.
Use the commands snmp-server user (ISCLI) and snmp-server group to create a
user or a group.
Example
Syntax
Parameters
Default Configuration
• First 4 octets: First bit = 1, the rest is IANA Enterprise number = 674.
Command Mode
User Guidelines
To use SNMPv3, an engine ID must be specified for the device. Any ID can be
specified or the default string, which is generated using the device MAC address,
can be used.
As the engineID should be unique within an administrative domain, the following
guidelines are recommended:
• Configure a non-default EngineID, and verify that it is unique within the
administrative domain.
Example
The following example enables SNMPv3 on the device and sets the device local
engine ID to the default value.
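The snmp-server user guidelines state that the engine ID is needed when computing the authentication and privacy digests from the password, and the engineID guidelines ask for a value that is unique within the administrative domain. The Python below is an added illustration (not Cisco's code) of the RFC 3414 password-to-key localization behind both statements. It assumes the sha keyword means SHA-1 as in RFC 3414 and that a default-style engine ID is the four prefix octets described above followed by the RFC 3411 format octet 3 and the MAC address; the MAC addresses are constructed.

```python
import hashlib

STRETCH_LEN = 1_048_576  # RFC 3414 A.2: the password is repeated out to 2**20 octets


def password_to_key(password: bytes, algo: str) -> bytes:
    """Step 1 (RFC 3414 A.2): hash the repeated password into the user key Ku."""
    if algo not in ("md5", "sha1"):  # assumption: the page's 'sha' keyword is SHA-1
        raise ValueError("algo must be 'md5' or 'sha1'")
    if not password:
        raise ValueError("empty password")
    reps, rest = divmod(STRETCH_LEN, len(password))
    return hashlib.new(algo, password * reps + password[:rest]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Step 2: bind Ku to one SNMP engine, Kul = H(Ku || engineID || Ku)."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5 to 32 octets (RFC 3411)")
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Both steps: the key an agent with this engine ID stores for the user."""
    return localize_key(password_to_key(password, algo), engine_id, algo)


def default_style_engine_id(mac: str, enterprise: int = 674) -> bytes:
    """Constructed engine ID: first bit set plus enterprise number, then 0x03 and the MAC."""
    prefix = (0x80000000 | enterprise).to_bytes(4, "big")
    return prefix + b"\x03" + bytes.fromhex(mac.replace(":", ""))


def same_password_on_two_engines(password: bytes, algo: str = "sha1") -> dict:
    """Localize one password for two constructed engine IDs and return the hex keys."""
    ku = password_to_key(password, algo)
    engines = {
        "switch-a": default_style_engine_id("00:11:22:33:44:55"),  # constructed MAC
        "switch-b": default_style_engine_id("00:11:22:33:44:66"),  # constructed MAC
    }
    return {name: localize_key(ku, eid, algo).hex() for name, eid in engines.items()}


if __name__ == "__main__":
    # "maplesyrup" is the sample password used in RFC 3414 appendix A.3.
    for name, key in same_password_on_two_engines(b"maplesyrup").items():
        print(f"{name}: {key}")
```

Because the engine ID is an input to the hash, the same password yields unrelated keys on different engines, and two devices that share both an engine ID and a password share a key.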
Syntax
Parameters
• ip-address —IPv4, IPv6 or IPv6z address of the remote device. See IPv6z
Address Conventions.
Default Configuration
Command Mode
User Guidelines
Example
Syntax
Parameters
Default Configuration
None
Command Mode
Example
Syntax
Default Configuration
Command Mode
User Guidelines
If no snmp-server enable traps has been entered, you can enable failure traps by
using snmp-server trap authentication as shown in the example.
Example
The following example enables SNMP traps except for SNMP failure traps.
Syntax
snmp-server trap authentication
Parameters
Default Configuration
SNMP failed authentication traps are enabled.
Command Mode
Global Configuration mode
User Guidelines
The command snmp-server enable traps enables all traps including failure traps.
Therefore, if that command is enabled (it is enabled by default), this command is
not necessary.
Example
The following example disables all SNMP traps and enables only failed
authentication traps.
Syntax
Parameters
Default Configuration
None
Command Mode
Example
Syntax
Parameters
Default Configuration
None
Command Mode
Example
Syntax
Parameters
• name value—Specifies a list of names and value pairs. Each name and
value must be a valid string. In the case of scalar MIBs, there is only a single
name-value pair. In the case of an entry in a table, there is at least one
name-value pair, followed by one or more fields.
Default Configuration
None
Command Mode
User Guidelines
Although the CLI can set any required configuration, there might be a situation
where an SNMP user sets a MIB variable that does not have an equivalent CLI
command. To generate configuration files that support those situations, the system
uses snmp-server set. This command is not intended for the end user.
Example
The following example configures the scalar MIB sysName with the value
TechSupp.
Syntax
Parameters
Default Configuration
Generation of SNMP link-status traps is enabled
Command Mode
Interface Configuration mode
Example
Syntax
show snmp
Parameters
Default Configuration
None
Command Mode
Example
Target Address   Type    Community  Version  UDP Port  Filter Name  TO Sec  Retries
---------------  ------  ---------  -------  --------  -----------  ------  -------
192.122.173.42   Trap    public     2        162                    15      3
192.122.173.42   Inform  public     2        162                    15      3
Version 3 notifications
Target Address   Type    Username  Security Level  UDP Port  Filter name  TO Sec  Retries
---------------  ------  --------  --------------  --------  -----------  ------  -------
192.122.173.42   Inform  Bob       Priv            162                    15      3
The following table describes the significant fields shown in the display.
Field              Description
Community-string   The community access string permitting access to SNMP.
Community-access   The permitted access type—read-only, read-write, super access.
IP Address         The management station IP Address.
Target Address     The IP address of the targeted recipient.
Version            The SNMP version for the sent trap.
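The commands in this chapter decide whether SNMP access is protected only by a cleartext community (v1/v2c), authenticated, or authenticated and encrypted (v3 priv). As an added example (not part of the Cisco guide), the Python below lints bare command lines against the community-group, group, user, host and trap authentication syntaxes listed above. All names, addresses and passwords in the sample are constructed, and the severity labels are this example's own assumption.

```python
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    line_no: int
    severity: str  # "high", "medium" or "info" (labels chosen for this example)
    message: str


def _tok(tokens: List[str], i: int) -> Optional[str]:
    """Token at position i, or None when the command line is shorter."""
    return tokens[i] if i < len(tokens) else None


def audit_line(line_no: int, line: str) -> List[Finding]:
    """Check one bare command line against the syntaxes documented in this chapter."""
    found: List[Finding] = []

    def add(severity: str, message: str) -> None:
        found.append(Finding(line_no, severity, message))

    t = line.split()
    encrypted = t[:1] == ["encrypted"]  # the 'encrypted snmp-server user ...' form
    if encrypted:
        t = t[1:]
    if t[:4] == ["no", "snmp-server", "trap", "authentication"]:
        add("medium", "failed-authentication traps are disabled")
        return found
    if len(t) < 3 or t[0] != "snmp-server":
        return found
    cmd, name = t[1], t[2]
    if cmd == "community-group":
        # snmp-server community-group community-string group-name [ip-address ...]
        if _tok(t, 4) in (None, "type"):
            add("medium", f"community for group {_tok(t, 3)} is accepted from any source address")
    elif cmd == "group":
        # snmp-server group groupname {v1 | v2 | v3 {noauth | auth | priv}} ...
        version, level = _tok(t, 3), _tok(t, 4)
        if version in ("v1", "v2"):
            add("medium", f"group {name} admits SNMP{version}, protected only by a cleartext community")
        elif version == "v3" and level == "noauth":
            add("high", f"group {name} accepts SNMPv3 without authentication")
        elif version == "v3" and level == "auth":
            add("medium", f"group {name} authenticates but does not encrypt (auth, not priv)")
    elif cmd == "user":
        # snmp-server user username groupname {v1 | v2c | [remote host] v3 [auth {md5 | sha} pw [priv pw]]}
        if "v3" not in t[4:]:
            add("medium", f"user {name} is an SNMPv1/v2c user")
            return found
        i = t.index("v3", 4)
        if _tok(t, i + 1) != "auth":
            add("high", f"v3 user {name} has no authentication password")
            return found
        if _tok(t, i + 2) == "md5":
            add("medium", f"v3 user {name} authenticates with MD5; sha is also offered")
        if _tok(t, i + 4) != "priv":
            add("medium", f"v3 user {name} has no privacy password, so payloads are not encrypted")
        if not encrypted:
            add("info", f"passwords for {name} appear in cleartext in this file")
    elif cmd == "host":
        # snmp-server host {host-ip | hostname} [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] ...
        i = 4 if _tok(t, 3) in ("traps", "informs") else 3
        version = _tok(t, i + 1) if _tok(t, i) == "version" else None
        if version is None:
            add("medium", f"host {name}: no version given, so the default (SNMP V1) applies")
        elif version in ("1", "2c"):
            add("medium", f"host {name}: SNMPv{version} notifications carry the community in cleartext")
        elif version == "3" and _tok(t, i + 2) != "priv":
            add("medium", f"host {name}: SNMPv3 notifications are sent without privacy")
    return found


def audit_config(text: str) -> List[Finding]:
    """Run audit_line over every line; line numbers start at 1."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        findings.extend(audit_line(line_no, line))
    return findings


# Constructed sample: every name, address, view and password below is made up.
SAMPLE_CONFIG = """\
snmp-server community-group tom abcd
snmp-server community-group ops netops 192.0.2.10
snmp-server group legacy v2 read mgmt-ro
snmp-server group monitors v3 noauth read mgmt-ro
snmp-server group admins v3 priv read mgmt-ro write mgmt-rw
snmp-server user alice admins v3 auth sha ExamplePass-1 priv ExamplePass-2
snmp-server user bob monitors v3 auth md5 ExamplePass-3
encrypted snmp-server user carol admins v3 auth sha CONSTRUCTED-DIGEST-1 priv CONSTRUCTED-DIGEST-2
snmp-server host 192.0.2.50 traps public
snmp-server host 192.0.2.51 informs version 3 priv alice
no snmp-server trap authentication
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line_no:>2} [{f.severity}] {f.message}")
```

Because snmp-server user lines do not appear in show running-config, run the check on the command script used to provision the device and compare the result with show snmp user.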
44
PHY Diagnostics Commands
1
Syntax
Parameters
Command Mode
User Guidelines
This command does not work on fiber ports (if they exist on the device). The port
to be tested should be shut down during the test, unless it is a combination port
with fiber port active. In this case, it does not need to be shut down, because the
test does not work on fiber ports.
The maximum length of cable for the TDR test is 120 meters.
Examples
Example 1 - Test the copper cables attached to port te1/0/1 (a copper port).
Example 2 - Test the copper cables attached to port 2 (a combo port with fiber
active).
Syntax
Parameters
Command Mode
Privileged EXEC mode
User Guidelines
The maximum length of cable for the TDR test is 120 meters.
Example
The following example displays information on the last TDR test performed on all
copper ports.
---- --------
[meters] ------------------
------------
te1/0/1 OK
te1/0/2 Short 50 13:32:00 23 July 2010
Syntax
Parameters
Command Mode
User Guidelines
Example
The following example displays the estimated copper cable length attached to all
ports.
---- -----------------
te1/0/1 < 50
te1/0/3 110-140
44.4 show fiber-ports optical-transceiver
To display the optical transceiver diagnostics, use the show fiber-ports
optical-transceiver Privileged EXEC mode command.
Syntax
Parameters
Default Configuration
All ports are displayed. If detailed is not used, only present ports are displayed.
Command Mode
Example
ss
[mWatt] [mWatt]
te1/0/1 Copper
te1/0/2 Copper
45
Power over Ethernet (PoE) Commands
45.0
Syntax
Parameters
• never—Turns off the device discovery protocol and stops supplying power
to the device.
Default Configuration
Command Mode
User Guidelines
The never parameter cannot be used with a time range.
Example
Syntax
Parameters
N/A.
Default Configuration
Command Mode
Example
45.3 power inline legacy support disable
To disable the legacy PDs support, use the power inline legacy support disable
Global Configuration mode command. To enable the legacy support, use the no
form of this command.
Syntax
power inline legacy support disable
Parameters
N/A.
Default Configuration
Legacy support is enabled.
Command Mode
Global Configuration mode
Example
The following example disables legacy PDs support.
Syntax
Parameters
Default Configuration
There is no description.
Command Mode
Example
The following example adds the description ‘ip phone’ to the device connected to
port 4.
Syntax
Parameters
Default Configuration
Command Mode
Example
The following example sets the inline power management priority of port te1/0/4
to High.
Syntax
Parameters
percent—Specifies the threshold in percent to compare to the measured power.
(Range: 1–99)
Default Configuration
Command Mode
Example
The following example configures the threshold for initiating inline power usage
alarms to 90 percent.
Syntax
Default Configuration
Command Mode
Example
Syntax
Parameters
Default Configuration
Command Mode
The operational power limit is the minimum of the configured power limit value
and the maximum power capability of the port. For example, if the configured value is
higher than 15.4W on a PoE port, the operational power limit is 15.4W.
Example
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Changing the PoE limit mode of the system will turn the power OFF and ON for all
PoE ports.
Example
"Changing the PoE limit mode of the system will turn the power OFF and ON for all
PoE ports. Are you sure? [y/n]"
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
This command should only be used for ports that are connected to devices that do
not support the CDP/LLDP protocol or the new 4-wire power via MDI TLV (like
UPOE splitter).
The command forces the spare pair to supply power, which allows the
use of 60 Watts PoE.
This force command overrides any port mode or port limit configuration.
Example
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Examples
Example 1—The following example displays information about the inline power for
all ports (port power based).
Trap: Enabled
Example 2—The following example displays information about the inline power for
a specific port.
Port status: Port is on - Valid PD resistor signature detected
Time range:
Current (mA): 81
Voltage(V): 50.8
Overload Counter: 5
Short Counter: 0
Denied Counter: 2
Absent Counter: 0
Field                      Description
Power                      Inline power sourcing equipment operational status.
Nominal Power              Inline power sourcing equipment nominal power in Watts.
Consumed Power             Measured usage power in Watts.
Usage Threshold            Usage threshold expressed in percent for comparing the measured power and initiating an alarm if threshold is exceeded.
Traps                      Indicates if inline power traps are enabled.
Port                       Ethernet port number.
device                     Description of the device type.
State                      Indicates if the port is enabled to provide power. The possible values are Auto or Never.
Priority                   Port inline power management priority. The possible values are Critical, High or Low.
Status                     Power operational state. The possible values are On, Off, Test-Fail, Testing, Searching or Fault.
Class                      Power consumption classification of the device.
Overload Counter           Counts the number of overload conditions detected.
Short Counter              Counts the number of short conditions detected.
Denied Counter             Counts the number of times power was denied.
Absent Counter             Counts the number of times power was removed because device dropout was detected.
Invalid Signature Counter  Counts the number of times an invalid signature of a device was detected.
Inrush Test                Displays whether the inrush test is enabled or disabled.
Field                      Description
Port limit mode            Enabled for port limit and Disable for class limit.
Legacy Mode                Enabled or Disabled legacy device support.
Inrush Test                Displays whether the inrush test is enabled or disabled.
SW version                 The POE firmware version.
Usage Threshold            Usage threshold expressed in percent for comparing the measured power and initiating an alarm if threshold is exceeded.
Traps                      Indicates if inline power traps are enabled.
Module                     The module name.
Available Power            Inline power sourcing equipment nominal power in Watts.
Consumed Power             Measured usage power in Watts.
Temp                       Show the POE device temperature.
Interface                  Ethernet port number.
Admin                      Indicates if the port is enabled to provide power. The possible values are Auto or Never.
Oper                       Power operational state. The possible values are On, Off, Test-Fail, Testing, Searching or Fault.
Power                      Power consumed in watts.
Class                      Power consumption classification of the device (0-4).
Device                     Description of the device type set by the user.
Priority                   Port inline power management priority. The possible values are Critical, High or Low.
Port status                The port status on/off with detailed reason (see below for details).
Port standard              802.3AF /802.3AT /60W POE.
Admin power limit          Port limit in watts used when the Port limit mode is Enabled.
Time Range                 The name of the time range associated with the interface.
Link partner standard      802.3AF/802.3AT/60W POE.
Operational Power Limit    Port actual power limit in watts.
Current (mA)               Port current in Milli-Ampere.
Voltage (V)                Port voltage in volts.
Overload Counter           Counts the number of overload conditions detected.
Short Counter              Counts the number of short conditions detected.
Denied Counter             Counts the number of times power was denied.
Absent Counter             Counts the number of times power was removed because device dropout was detected.
Invalid Signature Counter  Counts the number of times an invalid signature of a device was detected.
Port is on - 4 pairs.
Syntax
Parameters
NA
Default Configuration
NA.
Command Mode
User Guidelines
Use the show power inline savings command to display the total power saved by
using the PoE time range feature, which shuts down PoE to ports at specific times.
Examples
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
The clear power inline counters command is used to reset the power inline interface
counters: Overload, Short, Denied, Absent and Invalid Signature.
Example
The following example clears the power inline counters for te1/0/2.
Syntax
Parameters
Default Configuration
Command Mode
Example
Syntax
Parameters
• Unit unit-id - Total PoE consumption info for specified unit ID will be
displayed
Default Configuration
Command Mode
User Guidelines
The show power inline monitor command shows the average power consumption for
the specified time frame.
Examples
Example 1:
The following example displays the average hourly power consumption for the
past day gathered for interface te1/0/1.
Sample Consumption
Time (W)
---------- -------------
03:00:00 7.1
02:00:00 7.1
01:00:00(~) 8.5
00:00:00 9.0
Example 2:
The following example displays the average weekly power consumption for the
past 52 weeks gathered for unit 1.
unit 1
Sample Consumption
Time (W)
--------------------------- -------------
46 Port Channel Commands
46.1 channel-group
To associate a port with a port-channel, use the channel-group Interface (Ethernet)
Configuration mode command. To remove a port from a port-channel, use the no
form of this command.
Syntax
no channel-group
Parameters
• mode—Specifies the mode of joining the port channel. The possible values
are:
Default Configuration
Command Mode
User Guidelines
When auto mode is configured and no LACP messages are received on any of the
port candidates, one of the candidates is joined. When the first LACP message
is received, the port is disjoined and LACP starts to manage port joining.
Example
The following example forces port te1/0/1 to join port-channel 1 without an LACP
operation.
Syntax
Parameters
• src-dst-mac—Port channel load balancing is based on the source and
destination MAC addresses.
Default Configuration
Command Mode
Example
Syntax
Parameters
Command Mode
Examples
Gathering information...
Channel Ports
------- -----
47 Quality of Service (QoS) Commands
47.1 qos
Use the qos Global Configuration mode command to enable QoS on the device
and set its mode. Use the no form of this command to disable QoS on the device.
Syntax
no qos
Parameters
Default Configuration
Command Mode
Examples
switchxxxxxx(config)# no qos
Example 2—The following example enables QoS advanced mode on the device
with the ports-not-trusted option.
Syntax
Parameters
• cos—Classifies ingress packets with the packet CoS values. For untagged
packets, the port default CoS is used.
Default Configuration
cos-dscp
Command Mode
User Guidelines
• ports-trusted mode: For packets that are not classified to any QoS action
or are classified to the QoS action trust.
Example
The following example sets cos as the trust mode for QoS on the device.
Syntax
show qos
Parameters
N/A
Default Configuration
Command Mode
User Guidelines
Examples
Qos: Disabled
47.4 class-map
Use the class-map Global Configuration mode command to create or modify a
class map and enter the Class-map Configuration mode (only possible when QoS
is in the advanced mode). Use the no form of this command to delete a class map.
Syntax
no class-map class-map-name
Parameters
Default Configuration
No class map.
Command Mode
User Guidelines
The class-map command and its subcommands are used to define packet
classification, marking, and aggregate policing as part of a globally-named service
policy applied on a per-interface basis.
A class map consists of one or more ACLs. It defines a traffic flow by determining
which packets match some or all of the criteria specified in the ACLs.
All class map commands are only available when QoS is in advanced mode.
When using a few match commands, each must point to a different type of ACL,
such as: one IP ACL, one IPv6 ACL, and one MAC ACL. The classification is by first
match, therefore, the order of the ACLs is important.
Example
The following example creates a class map called Class1 and configures it to
check that packets match all classification criteria in the ACL specified.
Syntax
Parameters
Command Mode
Example
The following example displays the class map for Class1.
47.6 match
Use the match Class-map Configuration mode command to bind the ACLs that
belong to the class-map being configured. Use the no form of this command to
delete the ACLs.
Syntax
Parameters
acl-name—Specifies the MAC, IP ACL name, or IPv6 ACL name. (Length: 1–32
characters)
Default Configuration
User Guidelines
This command is available only when the device is in QoS advanced mode.
Command Mode
Example
The following example defines a class map called Class1. Class1 contains an ACL
called enterprise. Only traffic matching all criteria in enterprise belong to the class
map.
47.7 policy-map
Use the policy-map Global Configuration mode command to create a policy map
and enter the Policy-map Configuration mode. Use the no form of this command to
delete a policy map.
Syntax
policy-map policy-map-name
no policy-map policy-map-name
Parameters
Default Configuration
N/A
Command Mode
User Guidelines
Use the policy-map Global Configuration mode command to specify the name of
the policy map to be created, added to, or modified before configuring policies for
classes whose match criteria are defined in a class map.
A policy map contains one or more class maps and an action that is taken if the
packet matches the class map. Policy maps may be bound to ports/port-channels.
The match criteria is for a class map. Only one policy map per interface is
supported. The same policy map can be applied to multiple interfaces and
directions.
Example
The following example creates a policy map called Policy1 and enters the
Policy-map Configuration mode.
switchxxxxxx(config-pmap)#
47.8 class
Use the class Policy-map Configuration mode command after the policy-map
command to attach ACLs to a policy-map. Use the no form of this command to
detach a class map from a policy map.
Syntax
no class class-map-name
Parameters
• access-group acl-name—Specifies the name of an IP, IPv6, or MAC Access
Control List (ACL). (Length: 1–32 characters)
Default Configuration
Command Mode
User Guidelines
This is the same as creating a class map and then binding it to the policy map.
You can specify an existing class map in this command, or you can use the
access-group parameter to create a new class map.
Example
The following example defines a traffic classification (class map) called class1
containing an ACL called enterprise. The class is in a policy map called policy1.
The policy-map policy1 now contains the ACL enterprise.
Syntax
Parameters
Default Configuration
Command Mode
Example
class class1
set dscp 7
class class 2
class class2
redirect te1/0/2
class class 3
47.10 trust
Use the trust Policy-map Class Configuration mode command to configure the
trust state. Use the no form of this command to return to the default trust state.
Syntax
trust
no trust
Parameters
N/A
Default Configuration
The default state is according to the mode selected in the qos command
(advanced mode). The type of trust is determined in qos advanced-mode trust.
Command Mode
User Guidelines
This command is relevant only when QoS is in advanced, ports-not-trusted mode.
Trust indicates that traffic is sent to the queue according to the packet’s QoS
parameters (UP or DSCP).
Use this command to distinguish the QoS trust behavior for certain traffic from
others. For example, incoming traffic with certain DSCP values can be trusted. A
class map can be configured to match and trust the DSCP values in the incoming
traffic.
The type of trust is determined in qos advanced-mode trust.
Trust values set with this command supersede trust values set on specific
interfaces with the qos trust (Interface) Interface Configuration mode command.
The trust and set commands are mutually exclusive within the same policy map.
When trust cos is specified, QoS maps a packet to a queue using the received or
default port CoS value and the CoS-to-queue map.
Example
The following example creates an ACL, places it into a class map, places the class
map into a policy map and configures the trust state.
switchxxxxxx(config-ip-al)# exit
switchxxxxxx(config)# class-map c1
switchxxxxxx(config-cmap)# exit
switchxxxxxx(config)# policy-map p1
switchxxxxxx(config-pmap)# class c1
switchxxxxxx(config-pmap-c)# trust
47.11 set
Use the set Policy-map Class Configuration mode command to select the value
that QoS uses as the DSCP value, the egress queue or to set user priority values.
Syntax
no set
Parameters
• dscp new-dscp—Specifies the new DSCP value for the classified traffic.
(Range: 0–63)
Command Mode
User Guidelines
The set and trust commands are mutually exclusive within the same policy map.
To return to the Configuration mode, use the exit command. To return to the
Privileged EXEC mode, use the end command.
The queue keyword is not supported in egress policies.
Example
The following example creates an ACL, places it into a class map, places the class
map into a policy map and sets the DSCP value in the packet to 56 for classes in
the policy map called p1.
switchxxxxxx(config-ip-al)# exit
switchxxxxxx(config)# class-map c1
switchxxxxxx(config-cmap)# exit
switchxxxxxx(config)# policy-map p1
switchxxxxxx(config-pmap)# class c1
47.12 redirect
Use the redirect Policy-map Class Configuration mode command to redirect a
traffic flow to a given Ethernet port or port channel.
Syntax
redirect interface-id
no redirect
Parameters
Command Mode
User Guidelines
Use the redirect command to redirect a frame into the VLAN the frame was
assigned to.
Example
The following example creates an ACL, places it into a class map, places the class
map into a policy map and redirects the flow to Ethernet port te1/0/2:
switchxxxxxx(config-ip-al)# exit
switchxxxxxx(config)# class-map c1
switchxxxxxx(config-cmap)# exit
switchxxxxxx(config)# policy-map p1
switchxxxxxx(config-pmap)# class c1
switchxxxxxx(config-pmap-c)# exit
switchxxxxxx(config-pmap)# exit
switchxxxxxx(config)#
47.13 mirror
Use the mirror Policy-map Class Configuration mode command to mirror a traffic
flow to an analyzer Ethernet port.
Syntax
mirror session_number
no mirror
Parameters
Command Mode
User Guidelines
A frame is mirrored in the same format if it matches one of the class ACLs,
regardless of whether the command of that ACL is permit or deny.
Only one source session from VLAN and flow mirroring is supported.
The analyzer Ethernet port is configured by the monitor session destination
command with the same session number.
Example
The following example creates an ACL, places it into a class map, places the class
map into a policy map and mirrors the flow to an analyzer Ethernet port defined by
session 2:
switchxxxxxx(config-ip-al)# exit
switchxxxxxx(config)# class-map c1
switchxxxxxx(config-cmap)# exit
switchxxxxxx(config)# policy-map p1
switchxxxxxx(config-pmap)# class c1
switchxxxxxx(config-pmap-c)# mirror 2
switchxxxxxx(config-pmap-c)# exit
switchxxxxxx(config-pmap)# exit
switchxxxxxx(config)#
47.14 police
Use the police Policy-map Class Configuration mode command to define the
policer for classified traffic. This defines another group of actions for the policy
map (per class map). Use the no form of this command to remove a policer.
Syntax
police committed-rate-kbps committed-burst-byte [exceed-action action] [peak
peak-rate-kbps peak-burst-byte [violate-action action]]
no police
Parameters
keyword for the exceed action. DSCP remarking will have effect only if
the mode is trust dscp.
Default Usage
No policer
Command Mode
User Guidelines
Examples
Example 1. The following example defines a policer for classified traffic. When the
traffic rate exceeds 124,000 kbps and the normal burst size exceeds 9600 bytes,
the packet is dropped. The class is called class1 and is in a policy map called
policy1.
47.15 service-policy
Use the service-policy Interface (Ethernet, Port Channel) Configuration mode
command to bind a policy map to an interface. Use the no form of this
command to detach a policy map from an interface.
Syntax
service-policy {input | output} policy-map-name [default-action {permit-any |
deny-any}]
Parameters
• deny-any—Deny all the packets (which were ingress of the port) that do not
meet the rules in a policy.
• permit-any—Forward all the packets (which were ingress of the port) that
do not meet the rules in a policy.
Command Mode
Default
Policy map is not bound.
User Guidelines
If the policy map includes the police command a separate copy of the policy map
rules is created in TCAM for each Ethernet port.
An egress policy cannot support the following actions:
• trust
• redirect
• mirror
• police
The service-policy output command fails if the bound policy contains actions not
supported by egress policies.
A policy map cannot be bound as input and output at the same time.
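The egress restrictions above, together with the trust/set exclusivity stated under the trust and set commands, can be checked offline before a configuration is pushed. The following is an added example, not part of the reference guide: the function names, rule labels and the sample configuration layout are assumptions constructed for illustration.

```python
# Offline audit of policy maps against rules stated in this guide.
# Added example: names and the sample layout are constructed, not device output.

# Actions the guide lists as unsupported in an egress policy.
EGRESS_UNSUPPORTED = {"trust", "redirect", "mirror", "police"}

# Constructed sample, laid out like a saved configuration (assumed layout).
SAMPLE_CONFIG = """
policy-map p1
 class c1
  trust
  mirror 2
 exit
 class c2
  set dscp 7
 exit
exit
policy-map p2
 class c3
  set queue 3
 exit
exit
policy-map p3
 class c4
  set dscp 56
 exit
exit
interface te1/0/1
 service-policy input p1 default-action deny-any
exit
interface te1/0/2
 service-policy output p1
exit
interface te1/0/3
 service-policy output p2
exit
interface te1/0/4
 service-policy input p3
exit
"""


def parse(config):
    """Return ({policy_map: [(class, verb, args)]}, [(interface, direction, policy_map)])."""
    actions, bindings = {}, []
    pmap = cls = iface = None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "policy-map" and len(tok) == 2:
            pmap, cls, iface = tok[1], None, None
            actions.setdefault(pmap, [])
        elif tok[0] == "interface" and len(tok) == 2:
            iface, pmap, cls = tok[1], None, None
        elif tok[0] == "exit":
            # Leave the innermost open context: class, then policy map, then interface.
            if cls:
                cls = None
            elif pmap:
                pmap = None
            else:
                iface = None
        elif tok[0] == "class" and pmap and len(tok) >= 2:
            cls = tok[1]
        elif tok[0] == "service-policy" and iface and len(tok) >= 3:
            bindings.append((iface, tok[1], tok[2]))
        elif pmap and cls:
            # Any other line inside a class is an action (trust, set, mirror, ...).
            actions[pmap].append((cls, tok[0], tok[1:]))
    return actions, bindings


def lint(config):
    """Return a list of (rule, location, detail) findings."""
    actions, bindings = parse(config)
    findings = []
    for name, acts in actions.items():
        verbs = {verb for _, verb, _ in acts}
        if {"trust", "set"} <= verbs:
            findings.append(("trust-and-set", name,
                             "trust and set are mutually exclusive within the same policy map"))
    for iface, direction, name in bindings:
        if direction != "output":
            continue
        for cls, verb, args in actions.get(name, []):
            if verb in EGRESS_UNSUPPORTED:
                findings.append(("egress-action", iface,
                                 f"{name}/{cls}: {verb} is not supported in an egress policy"))
            elif verb == "set" and args[:1] == ["queue"]:
                findings.append(("egress-set-queue", iface,
                                 f"{name}/{cls}: the queue keyword is not supported in egress policies"))
    return findings


if __name__ == "__main__":
    for rule, where, detail in lint(SAMPLE_CONFIG):
        print(f"{rule:18} {where:10} {detail}")
```
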
Example
The following example attaches a policy map called Policy1 to the input interface.
The following example attaches a policy map called Policy1 to the input interface
and forwards all packets that do not meet the rules of the policy.
The following example attaches a policy map called Policy2 to the output
interface.
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Traffic from two different ports on the same device can be aggregated for policing
purposes.
An aggregate policer can be applied to multiple classes in the same policy map.
Policing uses a token bucket algorithm. CIR represents the speed with which the
token is added to the bucket. CBS represents the depth of the bucket.
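The token bucket behaviour described above can be simulated to see which packets a policer would pass. This is an added example, not code from the guide: it models a single-rate policer with a drop exceed action, uses the 124,000 kbps / 9600 byte values from the examples in this chapter, assumes the bucket starts full, and runs on constructed packet arrivals.

```python
# Single-rate token bucket policer simulated on constructed traffic.
# Added example: class and function names are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Policer:
    cir_kbps: int    # CIR: speed at which tokens are added to the bucket
    cbs_bytes: int   # CBS: depth of the bucket
    tokens: float = field(init=False)
    last_us: int = field(default=0, init=False)

    def __post_init__(self):
        # Assumption: the bucket is full when the policer starts.
        self.tokens = float(self.cbs_bytes)

    def offer(self, ts_us, size):
        """Classify a packet of `size` bytes arriving at `ts_us` microseconds."""
        elapsed = ts_us - self.last_us
        self.last_us = ts_us
        # kbps -> bytes per microsecond: kbps * 1000 / 8 / 1_000_000 = kbps / 8000
        refill = elapsed * self.cir_kbps / 8000
        self.tokens = min(self.cbs_bytes, self.tokens + refill)
        if size <= self.tokens:
            self.tokens -= size
            return "conform"
        return "exceed"   # with exceed-action drop the packet is discarded


def summary(packets, cir_kbps=124000, cbs_bytes=9600):
    """Return (conforming, exceeding) packet counts for (ts_us, size) tuples."""
    policer = Policer(cir_kbps, cbs_bytes)
    verdicts = [policer.offer(ts, size) for ts, size in packets]
    return verdicts.count("conform"), verdicts.count("exceed")


# Constructed arrivals, all 1500-byte packets.
BURST = [(0, 1500)] * 10                                  # back-to-back burst
STEADY_UNDER = [(i * 100, 1500) for i in range(1000)]     # 120 Mbps, below CIR
STEADY_OVER = [(i * 50, 1500) for i in range(10000)]      # 240 Mbps, above CIR

if __name__ == "__main__":
    for name, pkts in (("burst", BURST), ("under", STEADY_UNDER), ("over", STEADY_OVER)):
        print(name, summary(pkts))
```

The burst case shows the role of CBS: only as many back-to-back packets as fit in the 9600-byte bucket conform, even though the average rate over a longer window is far below the CIR.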
Examples
Example 1. The following example defines the parameters of a policer called
policer1 that can be applied to multiple classes in the same policy map. When the
average traffic rate exceeds 124,000 kbps or the normal burst size exceeds 9600
bytes, the packet is dropped.
traffic rate exceeds 200,000 kbps or the normal burst size exceeds 9600 bytes,
the packet is dropped.
Syntax
Parameters
Default Configuration
All policers are displayed.
Command Mode
Examples
Example 2. The following example displays the parameters of the aggregate
Two-rate Three-color policer called Policer1.
Syntax
Parameters
Command Mode
User Guidelines
An aggregate policer can be applied to multiple classes in the same policy map.
An aggregate policer cannot be applied across multiple policy maps or interfaces.
Use the exit command to return to the Configuration mode. Use the end command
to return to the Privileged EXEC mode.
Example
The following example applies the aggregate policer called Policer1 to a class
called class1 in a policy map called policy1 and class2 in policy map policy2.
switchxxxxxx(config-pmap-c)# exit
switchxxxxxx(config-pmap)# exit
Syntax
Parameters
Default Configuration
CoS value 0 is mapped to queue 1.
Command Mode
User Guidelines
Example
Syntax
Parameters
weight1 weight1... weighting the ratio of bandwidth assigned by the WRR packet
scheduler to the packet queues. See explanation in the User Guidelines. Separate
each value by a space. (Range for each weight: 0–255)
Default Configuration
Command Mode
User Guidelines
The ratio for each queue is defined as the queue weight divided by the sum of all
queue weights (the normalized weight). This sets the bandwidth allocation of each
queue.
A weight of 0 indicates that no bandwidth is allocated for the same queue, and the
shared bandwidth is divided among the remaining queues. It is not recommended
to set the weight of a queue to 0 as it might stop transmission of
control-protocol packets generated by the device.
All queues participate in the WRR, excluding the expedite queues, whose
corresponding weight is not used in the ratio calculation.
An expedite queue is a priority queue, which is serviced until empty before the
other queues are serviced. The expedite queues are designated by the
priority-queue out num-of-queues command.
Example
Syntax
Parameters
• number-of-queues—Specifies the number of expedite (strict priority)
queues. Expedite queues are assigned to the queues with the higher
indexes. (Range: 0–8. There must be either 0 WRR queues or more than one.)
Default Configuration
Command Mode
User Guidelines
An expedite queue is a strict priority queue, which is serviced until empty before
the other lower priority queues are serviced.
The weighted round robin (WRR) weight ratios are affected by the number of
expedite queues, because there are fewer queues participating in WRR. This
means that the corresponding weight in the wrr-queue bandwidth Interface
Configuration mode command is ignored (not used in the ratio calculation).
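The ratio calculation described for wrr-queue bandwidth and the effect of expedite queues described here can be worked through together. This is an added example, not code from the guide: the function names and the weight values are constructed, and expedite queues are taken from the highest queue indexes as the parameter description states.

```python
# Normalized WRR shares with expedite (strict priority) queues excluded.
# Added example: function names and sample weights are constructed.

def wrr_plan(weights, expedite=0):
    """Map each 1-based queue id to 'expedite' or to its normalized WRR share.

    weights  -- one configured weight per queue, queue 1 first (each 0-255)
    expedite -- number of expedite queues, taken from the highest indexes
    """
    n = len(weights)
    if not 0 <= expedite <= n:
        raise ValueError("expedite count must be between 0 and the number of queues")
    if any(not 0 <= w <= 255 for w in weights):
        raise ValueError("each weight must be in the range 0-255")
    wrr_count = n - expedite
    if wrr_count == 1:
        raise ValueError("there must be either 0 WRR queues or more than one")
    # Weights of expedite queues are ignored in the ratio calculation.
    total = sum(weights[:wrr_count])
    if wrr_count and total == 0:
        raise ValueError("all WRR weights are 0, so no queue would get bandwidth")
    plan = {}
    for qid, weight in enumerate(weights, start=1):
        plan[qid] = "expedite" if qid > wrr_count else weight / total
    return plan


def starved(plan):
    """Queue ids that receive no WRR bandwidth because their weight is 0."""
    return [qid for qid, share in plan.items() if share == 0]


if __name__ == "__main__":
    weights = [1, 2, 4, 8, 16, 32, 64, 128]        # constructed sample
    for expedite in (0, 2):
        print("expedite queues:", expedite)
        for qid, share in wrr_plan(weights, expedite).items():
            shown = share if share == "expedite" else f"{share:.1%}"
            print(f"  queue {qid}: {shown}")
    print("starved:", starved(wrr_plan([0, 1, 1, 2])))
```

With the same configured weights, queue 6 gets 32/255 of the shared bandwidth when no queue is expedite and 32/63 once queues 7 and 8 become expedite queues.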
Example
47.22 traffic-shape
Use the traffic-shape Interface (Ethernet, Port Channel) Configuration mode
command to configure the egress port shaper. Use the no form of this command to
disable the shaper.
Syntax
Parameters
• committed-rate—Specifies the maximum average traffic rate (CIR) in kbits
per second (kbps). (Range: – ,10GE: 64Kbps–maximum port speed))
Default Configuration
Command Mode
User Guidelines
The egress port shaper controls the traffic transmit rate (Tx rate) on a port.
Example
The following example sets a traffic shaper on te1/0/1 when the average traffic
rate exceeds 64 kbps or the normal burst size exceeds 4096 bytes.
Syntax
no traffic-shape queue queue-id
Parameters
Default Configuration
The shaper is disabled.
Command Mode
User Guidelines
The egress port shaper controls the traffic transmit rate (Tx rate) on a queue on a
port.
Example
The following example sets a shaper on queue 1 on te1/0/1 when the average
traffic rate exceeds 124000 kbps or the normal burst size exceeds 9600 bytes.
Syntax
Parameters
N/A
Default
Disabled
Command Mode
User Guidelines
Example
Syntax
Parameters
N/A
Default Configuration
N/A
Command Mode
Example
Syntax
Parameters
• queueing—Displays the queue's strategy (WRR or EF), the weight for WRR
queues, the CoS to queue map and the EF priority.
• shapers—Displays the shaper of the specified interface and the shaper for
the queue on the specified interface.
Default Configuration
N/A
Command Mode
User Guidelines
If no parameter is specified with the show qos interface command, the port QoS
mode (DSCP trusted, CoS trusted, untrusted, and so on), default CoS value,
DSCP-to-DSCP- map (if any) attached to the port, and policy map (if any) attached
to the interface are displayed. If a specific interface is not specified, the
information for all interfaces is displayed.
For Policers, Shapers and Rate Limit, only the ports that are not in the
default configuration are shown.
Examples
Example 1—The following is an example of the output from the show qos interface
command.
Ethernet te1/0/0/1
Default CoS: 0
Example 2—The following is an example of the output from the show qos interface
queueing command for 4 queues.
Ethernet te1/0/0/1
qid-weights Ef - Priority
1 - N/A ena- 1
2 - N/A ena- 2
3 - N/A ena- 3
4 - N/A ena- 4
Cos-queue map:
cos-qid
0 - 1
1 - 1
2 - 2
3 - 3
4 - 3
5 - 4
6 - 4
7 - 4
Example 3—The following is an example of the output from the show qos interface
buffers command for 8 queues.
Notify Q depth:
buffers te1/0/1
Ethernet te1/0/1
qid thresh0 thresh1 thresh2
1 100 100 80
2 100 100 80
3 100 100 80
4 100 100 80
5 100 100 80
6 100 100 80
7 100 100 80
8 100 100 80
Example 4—This is an example of the output from the show qos interface shapers
command.
1 Enable 64 17000
Example 5—This is an example of the output from show qos interface policer
Syntax
Parameters
• violation—Specifies the DSCP remapping in the violate action. If the
keyword is not configured, the command specifies the DSCP remapping
in the exceed action.
Default Configuration
The default map is the Null map, which means that each incoming DSCP value is
mapped to the same DSCP value.
Command Mode
User Guidelines
The original DSCP value and policed-DSCP value must be mapped to the same
queue in order to prevent reordering.
Example
The following example marks incoming DSCP value 3 as DSCP value 5 on the
policed-DSCP map.
Syntax
Parameters
• dscp-list—Specifies up to 8 DSCP values, separated by spaces. (Range: 0–
63)
• queue-id—Specifies the queue number to which the DSCP values are
mapped.
Default Configuration
Command Mode
Example
Syntax
Parameters
• cos— Specifies that ingress packets are classified with packet CoS values.
Untagged packets are classified with the default port CoS value.
Default Configuration
dscp
Command Mode
User Guidelines
Packets entering a QoS domain are classified at its edge. When the packets are
classified at the edge, the switch port within the QoS domain can be configured to
one of the trusted states because there is no need to classify the packets at every
switch within the domain.
Use this command to specify whether the port is trusted and which fields of the
packet to use to classify traffic.
When the system is configured with trust DSCP, the traffic is mapped to the queue
by the DSCP-queue map.
When the system is configured with trust CoS, the traffic is mapped to the queue
by the CoS-queue map.
For an inter-QoS domain boundary, configure the port to the DSCP-trusted state
and apply the DSCP-to-DSCP-mutation map if the DSCP values are different in the
QoS domains.
Example
The following example configures the system to the DSCP trust state.
Syntax
qos trust
no qos trust
Parameters
N/A
Default Configuration
Command Mode
Example
Syntax
Parameters
default-cos—Specifies the default CoS value (VPT value) of the port. If the port is
trusted and the packet is untagged, then the default CoS value becomes the CoS
value. (Range: 0–7)
Default Configuration
Command Mode
User Guidelines
Use the default CoS value to assign a CoS value to all untagged packets entering
the interface.
Example
The following example defines the port te1/0/1 default CoS value as 3.
Syntax
qos dscp-mutation
no qos dscp-mutation
Parameters
N/A
Default Configuration
Disabled
Command Mode
User Guidelines
definitions, use the DSCP-to-DSCP-mutation map to translate a set of DSCP
values to match the definition of another domain. Apply the map to ingress and to
DSCP-trusted ports only. Applying this map to a port causes IP packets to be
rewritten with newly mapped DSCP values at the ingress ports. If applying the
DSCP mutation map to an untrusted port, to class of service (CoS), or to an
IP-precedence trusted port.
Global trust mode must be DSCP or CoS-DSCP. In advanced CoS mode, ports
must be trusted.
Example
The following example applies the DSCP Mutation map to system DSCP trusted
ports.
Syntax
Parameters
• in-dscp—Specifies up to 8 DSCP values to map, separated by spaces.
(Range: 0–63)
Default Configuration
The default map is the Null map, which means that each incoming DSCP value is
mapped to the same DSCP value.
Command Mode
User Guidelines
This is the only map that is not globally configured. It is possible to have several
maps and assign each one to a different port.
Example
Syntax
Parameters
Default Configuration
Command Mode
Examples
Dscp-queue map:
d1 : d2 0 1 2 3 4 5 6 7 8 9
------------------------------------
0 : 01 01 01 01 01 01 01 01 01 01
1 : 01 01 01 01 01 01 02 02 02 02
2 : 02 02 02 02 02 02 02 02 02 02
3 : 02 02 03 03 03 03 03 03 03 03
4 : 03 03 03 03 03 03 03 03 04 04
5 : 04 04 04 04 04 04 04 04 04 04
6 : 04 04 04 04
d1 : d2 0 1 2 3 4 5 6 7 8 9
------------------------------------
0 : 00 01 02 03 04 05 06 07 08 09
1 : 10 11 12 13 14 15 16 17 18 19
2 : 20 21 22 23 24 25 26 27 28 29
3 : 30 31 32 33 34 35 36 37 38 39
4 : 40 41 42 43 44 45 46 47 48 49
5 : 50 51 52 53 54 55 56 57 58 59
6 : 21 21 21
d1 : d2 0 1 2 3 4 5 6 7 8 9
------------------------------------
0 : 00 01 02 03 04 05 06 07 08 09
1 : 10 11 12 13 14 15 16 17 18 19
2 : 20 21 22 23 24 25 26 27 28 29
3 : 30 31 32 33 34 35 36 37 38 39
4 : 40 41 42 43 44 45 46 47 48 49
5 : 50 51 52 53 54 55 56 57 58 59
6 : 11 11 11
Syntax
Parameters
N/A
Default Configuration
N/A
Command Mode
Example
47.36 qos statistics policer
Use the qos statistics policer Interface (Ethernet, Port Channel) Configuration
mode command to enable counting in-profile and out-of-profile. Use the no
form of this command to disable counting.
Syntax
Parameters
Default Configuration
Counting in-profile and out-of-profile is disabled.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
Example
Syntax
Parameters
Default Configuration
Command Mode
Example
The following example enables counting in-profile and out-of-profile on the
interface.
Syntax
qos statistics queues set {queue | all} {dp | all} {interface | all}
Parameters
• dp—Specifies the drop precedence. The available values are: high, low.
Default Configuration
Command Mode
Global Configuration mode
User Guidelines
If the queue parameter is all, traffic in stacking and cascading ports is also
counted.
Example
The following example enables QoS statistics for output queues for counter set 1.
Syntax
Parameters
N/A
Default Configuration
N/A
Command Mode
User Guidelines
Use the qos statistics queues Global Configuration mode command to enable
QoS statistics for output queues.
Example
The following example displays Quality of Service statistical information.
---------
Aggregate Policers
-------------------
Output Queues
-------------
48 RADIUS Commands
Syntax
Parameters
• retransmit retries—Specifies the number of retry retransmissions (Range:
1–15)
• usage {login | dot1.x | all}—Specifies the RADIUS server usage type. The
possible values are:
Default Configuration
If timeout is not specified, the global value (set in the radius-server timeout
command) is used.
If retransmit is not specified, the global value (set in the radius-server retransmit
command) is used.
If key-string is not specified, the global value (set in the radius-server key
command) is used.
Command Mode
Global Configuration mode
User Guidelines
Example
Syntax
Parameters
• key-string—Specifies the authentication and encryption key for all RADIUS
communications between the device and the RADIUS server. This key must
match the encryption used on the RADIUS daemon. (Range: 0–128
characters)
Default Configuration
Command Mode
Example
The following example defines the authentication key for all RADIUS
communications between the device and the RADIUS daemon.
Syntax
Parameters
• retransmit retries—Specifies the number of retry retransmissions (Range:
1–15).
Default Configuration
Command Mode
Global Configuration mode
Example
The following example configures the number of times the software searches all
RADIUS server hosts as 5.
Syntax
Parameters
Default Configuration
The source IPv4 address is the IPv4 address defined on the outgoing interface
and belonging to the next hop IPv4 subnet.
Command Mode
User Guidelines
If the source interface is the outgoing interface, the interface IP address belonging
to the next hop IPv4 subnet is applied.
If the source interface is not the outgoing interface, the minimal IPv4 address
defined on the source interface is applied.
Example
The following example configures the VLAN 10 as the source interface.
48.5 radius-server host source-interface-ipv6
Use the radius-server host source-interface-ipv6 Global Configuration mode
command to specify the source interface whose IPv6 address will be used as the
source IPv6 address for communication with IPv6 RADIUS servers. Use the no
form of this command to restore the default configuration.
Syntax
Parameters
Default Configuration
The IPv6 source address is the IPv6 address defined on the outgoing interface
and selected in accordance with RFC6724.
Command Mode
User Guidelines
If the source interface is the outgoing interface, the source IPv6 address is an IPv6
address defined on the interface and selected in accordance with RFC 6724.
If the source interface is not the outgoing interface, the source IPv6 address is the
minimal IPv6 address defined on the source interface and matched to the scope
of the destination IPv6 address.
Example
The following example configures the VLAN 10 as the source interface.
Syntax
radius-server timeout timeout-seconds
no radius-server timeout
Parameters
Default Configuration
Command Mode
Global Configuration mode
Example
The following example sets the timeout interval on all RADIUS servers to 5
seconds.
Syntax
no radius-server deadtime
Parameters
Default Configuration
Command Mode
Example
Syntax
show radius-servers
Command Mode
Example
Global values
--------------
TimeOut: 3
Retransmit: 3
Deadtime: 0
Source IPv4 interface: vlan 120
Source IPv6 interface: vlan 10
Syntax
Command Mode
Example
49 Radius Server Commands
49.1 allowed-time-range
To define the time when users can connect, use the allowed-time-range command in
Radius Server Group Configuration mode. To restore the default configuration, use
the no form of this command.
Syntax
allowed-time-range time-range-name
no allowed-time-range
Parameters
Command Mode
User Guidelines
Use the allowed-time-range command to define the time when users can connect.
Example
switchxxxxxx(config-time-range)# exit
switchxxxxxx(config-radser-group)# exit
switchxxxxxx(config)#
Syntax
clear radius server accounting
Parameters
N/A
Command Mode
User Guidelines
Use the clear radius server accounting command to clear the Radius Accounting
cache.
Example
Syntax
Parameters
N/A
Command Mode
User Guidelines
Use the clear radius server rejected users command to clear the Radius Rejected
Users cache.
Example
The following example clears the Radius Rejected Users cache:
Syntax
Parameters
• ip-address—Specifies the RADIUS client host IP address. The IP address
can be an IPv4, IPv6 or IPv6z address.
Command Mode
User Guidelines
Use the clear radius server statistics command without a parameter to clear all
counters.
Use the clear radius server statistics command with a parameter to clear the
counters of a given NAS.
Example
49.5 privilege-level
To define the user privilege level, use the privilege-level command in Radius
Server Group Configuration mode. To restore the default configuration, use the no
form of this command.
Syntax
privilege-level level
no privilege-level
Parameters
Default Configuration
Command Mode
User Guidelines
Use the privilege-level command to define the privilege level of users of the given
group.
Example
The following example specifies privilege level 15 for users of the developers
group:
switchxxxxxx(config-radser-group)# privilege-level 15
switchxxxxxx(config-radser-group)# exit
switchxxxxxx(config)#
Syntax
Parameters
• udp-port—Specifies the UDP port number for accounting requests. (Range:
1–65535)
Default Configuration
1813
Command Mode
Global Configuration mode
User Guidelines
Use the radius server accounting-port command to define a UDP port for
accounting requests.
Use the no radius server accounting-port command to restore the default UDP
accounting port.
Example
Syntax
Parameters
Default Configuration
1812
Command Mode
User Guidelines
Use the radius server authentication-port command to define a UDP port for
authentication requests.
Use the no radius server authentication-port command to restore the default UDP
authentication port.
Example
49.8 radius server enable
To enable the Embedded Radius server, use the radius server enable command in
Global Configuration mode. To restore the default configuration, use the no form of
this command.
Syntax
radius server enable
Parameters
N/A
Default Configuration
Disabled
Command Mode
Global Configuration mode
User Guidelines
Use the radius server enable command to enable the Embedded Radius server.
Use the no radius server enable command to disable the Embedded Radius server.
Example
Syntax
Parameters
• group-name—Specifies a name of the group. (Length: 1–32 characters)
Default Configuration
Command Mode
User Guidelines
Use the radius server group command to enter the Radius Server Group
Configuration mode. If this group does not exist, it is created automatically.
Use the no radius server group group-name command to delete one group.
Use the no radius server group command to delete all groups.
Example
The following example creates group developers, if it does not exist, and enters
into its context:
switchxxxxxx(config-radser-group)#
Syntax
Parameters
Default Configuration
Command Mode
Global Configuration mode
User Guidelines
Use the radius server nas secret key key default command to define a key that
will be applied to communicate with NASs that do not have a private key.
Use the radius server nas secret key key ip-address command to define a key
that will be applied to communicate with the specified NAS.
Use the radius server nas secret ip-address command to define that the default
secret key will be applied to communicate with the specified NAS.
If a NAS is not defined by this command, all messages received from this NAS will
be dropped.
Use the no radius server nas secret ip-address command to remove the given
NAS and its secret key.
Use the no radius server nas secret command to delete all NASs and all secret
keys.
Examples
Example 3. The following example defines a NAS using the default secret key:
Syntax
Parameters
N/A
Default Configuration
Command Mode
User Guidelines
A rate limit is applied to the traps: not more than one trap of this type can be sent in 10
seconds.
Example
The following example enables sending accounting traps:
Syntax
Parameters
N/A
Default Configuration
Command Mode
User Guidelines
A rate limit is applied to the traps: not more than one trap of this type can be sent in 10
seconds.
Example
Syntax
Parameters
N/A
Default Configuration
Command Mode
User Guidelines
A rate limit is applied to the traps: not more than one trap of this type can be sent in 10
seconds.
Example
The following example enables sending traps when a user is successfully
authorized:
49.14 radius server user
To create a user, use the radius server user command in Global Configuration
mode. To restore the default configuration, use the no form of this command.
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Use the no radius server user username user-name command to delete one user.
Use the no radius server user group group-name command to delete users of the
given group.
Use the no radius server user command to delete all users.
Example
The following example creates a new user with name bob of group developer with
password Aerv#136dSsT:
Syntax
Parameters
Command Mode
User Guidelines
The Radius server saves the last 1000 accounting logs in a cycle file on FLASH.
Use the show radius server accounting username user-name command to display
accounting information of one user.
Examples
Example 1. The following example displays accounting information of all users:
User: Bob
Accounting Session Time: 6 hours,15 minutes
User: Alisa
NAS Port: 10
User: Alisa
User: Bob
User: Bob
User: Bob
Syntax
Parameters
N/A
Command Mode
User Guidelines
Use the show radius server configuration command to display the Radius server
global configuration.
Example
Syntax
Parameters
• group-name—Specifies a name of the group. (Length: 1–32 characters)
Command Mode
User Guidelines
Use the show radius server group group-name command to display one group.
Use the show radius server group command to display all groups.
Example
Group gr1
VLAN: 124
Privilege Level: 15
Group gr2
Syntax
Parameters
• user-name—Specifies the user name. (Length: 1–32 characters)
Command Mode
User Guidelines
The Radius server saves the last 1000 rejected authentication requests in a cycle
file on FLASH.
The Radius server saves the last 1000 accounting logs in a cycle file on FLASH.
Use the show radius server rejected users user-name command to display one
rejected user.
Use the show radius server rejected users command to display all rejected users.
Examples
30-Jun-14 16:44
30-Jun-14 16:04
20-Feb-08 16:24
NAS Port: 2
20-Feb-08 14:14
NAS Port: 2
Syntax
Parameters
Command Mode
User Guidelines
Use the show radius server nas secret default command to display the default
secret key.
Use the show radius server nas secret ip-address command to display the given
NAS secret key.
Use the show radius server nas secret command to display all secret keys.
Examples
------------------------- --------------------------------
10.1.35.3 1238af77aaca17568f1298cced165fec
10.2.37.6 default
3000:1231:1230:9cab:1384 1238af77aaca17568f12988601fcabed
3001:ab11::9cda:0981 1238af77aaca17568f1298bc5476ddad
Example 3. The following example displays the secret key of one given NAS:
------------------------- --------------------------------
10.1.35.3 1238af77aaca17568f1298cced165fec
Syntax
Parameters
Command Mode
User Guidelines
Use the show radius server statistics command to display the Radius server
counters defined in RFC4669 and RFC4671.
Use the show radius server statistics command without a parameter to display the
global counters.
Use the show radius server statistics command with a parameter to display the
counters of the given NAS.
Examples
Example 1. The following example displays the Radius server global counters:
Number of incoming Authentication-Requests with Bad Authenticator: 0
Example 2. The following example displays the Radius server counters of the
given NAS:
NAS: 1.1.1.1
Syntax
Parameters
Command Mode
User Guidelines
Use the show radius server user username user-name command to display one
user.
Use the show radius server user group group-name command to display all users
of the given group.
Use the show radius server user command to display all users.
Examples
User bob
Group: developers
49.22 vlan
To define Radius Assigned VLAN, use the vlan command in Radius Server Group
Configuration mode. To restore the default configuration, use the no form of this
command.
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Use the vlan command to assign the VLAN to a Radius client. This Radius Assigned
VLAN is passed to a Radius client in the Access-Accept message in the following
attributes:
• Tunnel-Type(64)
• Tunnel-Medium-Type(65)
• Tunnel-Private-Group-ID(81)
If a VLAN is not assigned these attributes are not included in the Access-Accept
message.
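The following added example (not part of the original guide) parses a RADIUS Access-Accept and extracts the assigned VLAN from the three tunnel attributes listed above, which helps when checking a packet capture against the group configuration. The values VLAN (13) and IEEE-802 (6) and the string encoding of the VLAN come from RFC 2868 and RFC 3580, not from this guide; the helper names are hypothetical and the sample packets are constructed, with a zeroed authenticator.

```python
import struct
from typing import Iterator, Optional, Tuple

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TT_VLAN = 13        # Tunnel-Type value "VLAN" (RFC 3580)
TMT_IEEE_802 = 6    # Tunnel-Medium-Type value "IEEE-802" (RFC 2868)


def iter_attributes(packet: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) for every attribute, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the captured bytes")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad length {alen} for attribute {atype}")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def assigned_vlan(packet: bytes) -> Optional[str]:
    """Return the VLAN carried in an Access-Accept, or None if none is assigned."""
    attrs = list(iter_attributes(packet))      # validates the whole packet first
    if packet[0] != ACCESS_ACCEPT:
        return None
    tunnels = {}                               # tag -> {attribute type: value}
    for atype, value in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:                # 1 tag byte + 3 value bytes
                raise ValueError(f"attribute {atype} must carry 4 value bytes")
            tag, number = value[0], int.from_bytes(value[1:], "big")
            tunnels.setdefault(tag, {})[atype] = number
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # A first byte of 0x00-0x1F is a tag; anything else starts the string.
            if value and value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            tunnels.setdefault(tag, {})[atype] = text.decode("ascii", "replace")
    for tag in sorted(tunnels):
        t = tunnels[tag]
        if (t.get(TUNNEL_TYPE) == TT_VLAN
                and t.get(TUNNEL_MEDIUM_TYPE) == TMT_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in t):
            return t[TUNNEL_PRIVATE_GROUP_ID]
    return None


# --- constructed sample packets (not captured from a real device) ---
def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def tagged(tag: int, number: int) -> bytes:
    return bytes([tag]) + number.to_bytes(3, "big")


def build_access_accept(attrs, ident: int = 1) -> bytes:
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + bytes(16) + body           # zeroed authenticator: sample only


VLAN_ATTRS = [attr(TUNNEL_TYPE, tagged(0, TT_VLAN)),
              attr(TUNNEL_MEDIUM_TYPE, tagged(0, TMT_IEEE_802))]
WITH_VLAN_ID = build_access_accept(
    VLAN_ATTRS + [attr(TUNNEL_PRIVATE_GROUP_ID, b"100")])
WITH_VLAN_NAME = build_access_accept(
    VLAN_ATTRS + [attr(TUNNEL_PRIVATE_GROUP_ID, b"management")])
NO_VLAN = build_access_accept([attr(18, b"ok")])   # Reply-Message only

if __name__ == "__main__":
    for name, pkt in [("id", WITH_VLAN_ID), ("name", WITH_VLAN_NAME),
                      ("none", NO_VLAN)]:
        print(name, assigned_vlan(pkt))
```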
Example
The following example assigns VLAN 100 to users of the developers group and
the VLAN with name management to users of the managers group:
switchxxxxxx(config-radser-group)# exit
switchxxxxxx(config-radser-group)# exit
switchxxxxxx(config)#
50 Rate Limit and Storm Control Commands
Syntax
clear storm-control counters [broadcast | multicast | unicast] [interface interface-id]
Parameters
• broadcast—(Optional) Clear Broadcast storm control counters.
Command Mode
Privileged EXEC mode
User Guidelines
The switch clears the port counter of a given traffic type when storm control for
this traffic type on this port is enabled.
Use this command to clear the storm control counters when storm control is
running.
Use the clear storm-control counters command to clear all the storm control
counters of all Ethernet ports.
Use the clear storm-control counters interface interface-id command to clear all
the storm control counters of a given port.
Use the clear storm-control counters broadcast | multicast | unicast command to
clear all storm control counters of a given traffic type of all Ethernet ports.
Example
Example 1. The following example clears all storm control counters of all ports:
Example 2. The following example clears all storm control counters of port te1/0/1:
Example 3. The following example clears broadcast storm control counter of all
ports:
Example 4. The following example clears multicast storm control counter of port
te1/0/1:
Syntax
no rate-limit
Parameters
Default Configuration
Command Mode
User Guidelines
The Rate Limit does not calculate traffic controlled by Storm control. The real
allowed rate will be the sum of the rate specified by the command and the rates
specified by the Storm control commands for particular traffic types.
Example
The following example limits the incoming traffic rate on te1/0/1 to 150,000 kbps.
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Traffic policing in a policy map takes precedence over VLAN rate limiting. If a
packet is subject to traffic policing in a policy map and is associated with a VLAN
that is rate limited, the packet is counted only in the traffic policing of the policy
map.
Example
The following example limits the rate on VLAN 11 to 150000 kbps or the normal
burst size to 9600 bytes.
50.4 storm-control
To enable broadcast, multicast, or unicast storm control on a port, use the
storm-control command in Interface (Ethernet) Configuration mode. To return to
default, use the no form of this command.
Syntax
storm-control broadcast {level level | kbps kbps} [trap] [shutdown]
no storm-control broadcast
no storm-control multicast
no storm-control unicast
no storm-control
Parameters
• broadcast—Enables broadcast storm control on the port.
Default Configuration
Command Mode
User Guidelines
The rate limit on a port does not calculate traffic controlled by storm control on this
port.
Use the no storm-control command to disable storm control of all traffic types on
the port.
You can use the following commands to reset an interface shut down by Storm
Control:
Example
The following example enables broadcast, multicast, and unicast unknown storm
control on port te1/0/1 and multicast unregistered and unicast unknown on port
te1/0/2:
Enable group 1 for registered and unregistered multicast traffic on interface
te1/0/1. Extra traffic is discarded.
switchxxxxxx(config-if)# exit
switchxxxxxx(config-if)# exit
50.5 show rate-limit interface
To display rate limit configuration on an interface, use the show rate-limit interface
command in Privileged EXEC mode.
Syntax
Parameters
Default Configuration
N/A
Command Mode
Examples
The following is an example of the output from the show rate-limit interface:
100000 1024
Syntax
Parameters
Default Configuration
N/A
Command Mode
Examples
The following is an example of the output from the show rate-limit vlan:
Syntax
Parameters
Default Configuration
N/A
Command Mode
Examples
The following is an example of the output from the show storm-control interface:
te1/0/1
Broadacst
Rate: 5%
Action: Shutdown
Multicast
Unicast
Rate: 10%
Action: drop
te1/0/2
Broadacst
Rate: 5%
Action: Shutdown
Multicast Unregistred
Rate: 5%
Action: Shutdown
Traffic Type:Broadcast
51 Remote Network Monitoring (RMON) Commands
Syntax
Parameters
- rising—Specifies that if the first sample (after this entry becomes valid)
is greater than or equal to rising-threshold, a single rising alarm is
generated.
- falling —Specifies that if the first sample (after this entry becomes valid)
is less than or equal to falling-threshold, a single falling alarm is
generated.
Default Configuration
Command Mode
Example
The following example configures an alarm with index 1000, MIB object ID D-Link,
sampling interval 360000 seconds (100 hours), rising threshold value 1000000,
falling threshold value 1000000, rising threshold event index 10, falling threshold
event index 10, absolute method type and rising-falling alarm.
Syntax
Parameters
This command has no arguments or keywords.
Command Mode
Example
The following example displays the alarms table.
1 1.3.6.1.2.1.2.2.1.10.1 CLI
2 1.3.6.1.2.1.2.2.1.10.1 Manager
3 1.3.6.1.2.1.2.2.1.10.9 CLI
The following table describes the significant fields shown in the display:
Field Description
Index An index that uniquely identifies the entry.
OID Monitored variable OID.
Owner The entity that configured this entry.
Syntax
Parameters
Command Mode
Example
Alarm 1
-------
OID: 1.3.6.1.2.1.2.2.1.10.1
Interval: 30
Falling Threshold: 78
Rising Event: 1
Falling Event: 1
Owner: CLI
The following table describes the significant fields shown in the display:
Field Description
Alarm: Alarm index.
OID: Monitored variable OID.
Last Sample Value: Value of the statistic during the last sampling period. For example, if the sample type is delta, this value is the difference between the samples at the beginning and end of the period. If the sample type is absolute, this value is the sampled value at the end of the period.
Interval: Interval in seconds over which the data is sampled and compared with the rising and falling thresholds.
Sample Type: Method of sampling the variable and calculating the value compared against the thresholds. If the value is absolute, the variable value is compared directly with the thresholds at the end of the sampling interval. If the value is delta, the variable value at the last sample is subtracted from the current value, and the difference is compared with the thresholds.
Startup Alarm: Alarm that is sent when this entry is first set. If the first sample is greater than or equal to the rising threshold, and startup alarm is equal to rising or rising-falling, then a single rising alarm is generated. If the first sample is less than or equal to the falling threshold, and startup alarm is equal to falling or rising-falling, then a single falling alarm is generated.
Rising Threshold: Sampled statistic rising threshold. When the current sampled value is greater than or equal to this threshold, and the value at the last sampling interval is less than this threshold, a single event is generated.
Falling Threshold: Sampled statistic falling threshold. When the current sampled value is less than or equal to this threshold, and the value at the last sampling interval is greater than this threshold, a single event is generated.
Rising Event: Event index used when a rising threshold is crossed.
Falling Event: Event index used when a falling threshold is crossed.
Owner: Entity that configured this entry.
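The sample type, startup alarm and threshold rules in the table above can be replayed over a series of readings to see which events an alarm would raise. The Python below is an added example, not code from this guide or from the device: the class and function names are hypothetical, the rising threshold of 100 and the event indexes are constructed values, and the re-arm rule (no second rising event until the falling threshold has been reached, and vice versa) and the 2^32 counter wrap follow RFC 2819 rather than the table.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

COUNTER32_MOD = 2 ** 32  # Counter32 objects such as ifInOctets wrap at 2^32


@dataclass
class RmonAlarm:
    """Hypothetical model of one alarm entry (names are not the device's)."""
    rising_threshold: int
    falling_threshold: int
    rising_event: int
    falling_event: int
    sample_type: str = "delta"             # "absolute" or "delta"
    startup_alarm: str = "rising-falling"  # "rising", "falling" or "rising-falling"
    _prev_raw: Optional[int] = field(default=None, repr=False)
    _prev_value: Optional[int] = field(default=None, repr=False)
    _last_fired: Optional[str] = field(default=None, repr=False)

    def _value(self, raw: int) -> Optional[int]:
        """Turn a raw reading into the value compared with the thresholds."""
        if self.sample_type == "absolute":
            return raw
        prev, self._prev_raw = self._prev_raw, raw
        if prev is None:
            return None  # a delta needs two readings
        return (raw - prev) % COUNTER32_MOD  # survives a counter wrap

    def sample(self, raw: int) -> Optional[Tuple[str, int]]:
        """Feed one reading; return (direction, event index) or None."""
        value = self._value(raw)
        if value is None:
            return None
        prev, self._prev_value = self._prev_value, value
        above = value >= self.rising_threshold
        below = value <= self.falling_threshold
        if prev is None:
            # First compared sample: only the startup alarm setting decides.
            rising = above and self.startup_alarm in ("rising", "rising-falling")
            falling = below and self.startup_alarm in ("falling", "rising-falling")
        else:
            # Crossing rule from the table, plus re-arm only after the
            # opposite threshold has fired (RFC 2819 hysteresis).
            rising = (above and prev < self.rising_threshold
                      and self._last_fired != "rising")
            falling = (below and prev > self.falling_threshold
                       and self._last_fired != "falling")
        if rising:
            self._last_fired = "rising"
            return ("rising", self.rising_event)
        if falling:
            self._last_fired = "falling"
            return ("falling", self.falling_event)
        return None


def run(alarm: RmonAlarm, readings: List[int]) -> List[Tuple[int, str, int]]:
    """Replay readings; return (reading index, direction, event index) tuples."""
    fired = []
    for i, raw in enumerate(readings):
        hit = alarm.sample(raw)
        if hit:
            fired.append((i, *hit))
    return fired


if __name__ == "__main__":
    # Constructed readings; falling threshold 78 as in the display above.
    absolute = RmonAlarm(100, 78, rising_event=1, falling_event=2,
                         sample_type="absolute")
    print(run(absolute, [50, 90, 120, 130, 95, 110, 70, 60, 200]))
    # Delta sampling across a Counter32 wrap (constructed readings).
    delta = RmonAlarm(1000, 78, rising_event=1, falling_event=2,
                      sample_type="delta", startup_alarm="rising")
    print(run(delta, [4294967000, 4294967200, 904, 950, 3000]))
```

In the absolute run the reading 110 crosses the rising threshold again but raises nothing, because the value has not reached the falling threshold since the previous rising event.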
Syntax
rmon event index {none | log | trap | log-trap} [community text] [description text] [owner name]
no rmon event index
Parameters
Default Configuration
Command Mode
Example
The following example configures an event identified as index 10, for which the
device generates a notification in the log table.
switchxxxxxx(config)# rmon event 10 log
Syntax
Parameters
Command Mode
Example
Field Description
Index: Unique index that identifies this event.
Description: Comment describing this event.
Type: Type of notification that the device generates about this event. Can have the following values: none, log, trap, log-trap. In the case of log, an entry is made in the log table for each event. In the case of trap, an SNMP trap is sent to one or more management stations.
Community: If an SNMP trap is to be sent, it is sent with the SNMP community string specified by this octet string.
Owner: The entity that configured this event.
Last time sent: The time this entry last generated an event. If this entry has not generated any events, this value is zero.
Syntax
Parameters
Command Mode
Example
51.7 rmon table-size
To configure the maximum size of RMON tables, use the rmon table-size Global
Configuration mode command. To return to the default size, use the no form of this
command.
Syntax
rmon table-size {history entries | log entries}
Parameters
Default Configuration
Command Mode
User Guidelines
The configured table size takes effect after the device is rebooted.
Example
The following example configures the maximum size of RMON history tables to
100 entries.
Syntax
Parameters
Command Mode
Example
The following example displays RMON Ethernet statistics for port te1/0/1.
Port te1/0/1
Dropped: 0
Octets: 0 Packets: 0
Broadcast: 0 Multicast: 0
Fragments: 0 Jabbers: 0
The following table describes the significant fields displayed.
Field Description
Dropped: Total number of events in which packets were dropped by the probe due to lack of resources. Note that this number is not necessarily the number of packets dropped. It is the number of times this condition was detected.
Octets: Total number of octets of data (including those in bad packets) received on the network (excluding framing bits but including FCS octets).
Packets: Total number of packets (including bad packets, broadcast packets, and multicast packets) received.
Broadcast: Total number of good packets received and directed to the broadcast address. This does not include multicast packets.
Multicast: Total number of good packets received and directed to a multicast address. This number does not include packets directed to the broadcast address.
CRC Align Errors: Total number of packets received with a length (excluding framing bits, but including FCS octets) of between 64 and 1518 octets, inclusive, but with either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).
Collisions: Best estimate of the total number of collisions on this Ethernet segment.
Undersize Pkts: Total number of packets received, less than 64 octets long (excluding framing bits, but including FCS octets) and otherwise well formed.
Oversize Pkts: Total number of packets received, longer than 1518 octets (excluding framing bits, but including FCS octets) and otherwise well formed.
Fragments: Total number of packets received, less than 64 octets in length (excluding framing bits but including FCS octets) and either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).
Jabbers: Total number of packets received, longer than 1518 octets (excluding framing bits, but including FCS octets), and either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).
64 Octets: Total number of packets (including bad packets) received that are 64 octets in length (excluding framing bits but including FCS octets).
65 to 127 Octets: Total number of packets (including bad packets) received that are between 65 and 127 octets in length inclusive (excluding framing bits but including FCS octets).
128 to 255 Octets: Total number of packets (including bad packets) received that are between 128 and 255 octets in length inclusive (excluding framing bits but including FCS octets).
256 to 511 Octets: Total number of packets (including bad packets) received that are between 256 and 511 octets in length inclusive (excluding framing bits but including FCS octets).
512 to 1023 Octets: Total number of packets (including bad packets) received that were between 512 and 1023 octets in length inclusive (excluding framing bits but including FCS octets).
1024 to max: Total number of packets (including bad packets) received that were between 1024 octets and the maximum frame size in length inclusive (excluding framing bits but including FCS octets).
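How the counters in the table above partition received frames by length and FCS state, as an added Python example (not code from this guide or from the device). Frame, tally and error_share are hypothetical names, the sample frames are constructed, the maximum frame size is assumed to be 1518 octets, and a "good packet" is taken to mean a valid FCS and a length of 64 to 1518 octets, as in RFC 2819.

```python
from collections import Counter
from typing import Iterable, NamedTuple

MAX_FRAME = 1518  # assumed maximum frame size, matching the 1518-octet bound above
SIZE_BUCKETS = [
    (64, 64, "64 Octets"),
    (65, 127, "65 to 127 Octets"),
    (128, 255, "128 to 255 Octets"),
    (256, 511, "256 to 511 Octets"),
    (512, 1023, "512 to 1023 Octets"),
    (1024, MAX_FRAME, "1024 to max"),
]


class Frame(NamedTuple):
    length: int    # octets, excluding framing bits, including FCS
    fcs_ok: bool   # False covers both FCS errors and alignment errors
    dst_mac: str


def is_broadcast(mac: str) -> bool:
    return mac.lower() == "ff:ff:ff:ff:ff:ff"


def is_multicast(mac: str) -> bool:
    # Group bit (least significant bit of the first octet), broadcast excluded.
    return bool(int(mac.split(":")[0], 16) & 1) and not is_broadcast(mac)


def tally(frames: Iterable[Frame]) -> Counter:
    """Count frames the way the field descriptions above define each counter."""
    c = Counter()
    for f in frames:
        # Packets and Octets include bad packets.
        c["Packets"] += 1
        c["Octets"] += f.length
        # Length class and FCS state select exactly one error counter, or none.
        if f.length < 64:
            c["Undersize Pkts" if f.fcs_ok else "Fragments"] += 1
        elif f.length > MAX_FRAME:
            c["Oversize Pkts" if f.fcs_ok else "Jabbers"] += 1
        elif not f.fcs_ok:
            c["CRC Align Errors"] += 1
        # Broadcast and Multicast count good packets only.
        if f.fcs_ok and 64 <= f.length <= MAX_FRAME:
            if is_broadcast(f.dst_mac):
                c["Broadcast"] += 1
            elif is_multicast(f.dst_mac):
                c["Multicast"] += 1
        # Size buckets include bad packets; under- and oversize frames fit none.
        for low, high, name in SIZE_BUCKETS:
            if low <= f.length <= high:
                c[name] += 1
                break
    return c


def error_share(c: Counter) -> float:
    """Share of received packets with a bad FCS (hypothetical helper)."""
    errors = c["CRC Align Errors"] + c["Fragments"] + c["Jabbers"]
    return errors / c["Packets"] if c["Packets"] else 0.0


# Constructed sample frames, one per case in the table.
SAMPLE = [
    Frame(64, True, "ff:ff:ff:ff:ff:ff"),    # good broadcast, 64-octet bucket
    Frame(60, True, "00:11:22:33:44:55"),    # undersize
    Frame(40, False, "00:11:22:33:44:55"),   # fragment
    Frame(1518, False, "01:00:5e:00:00:01"), # CRC/align error, not a good multicast
    Frame(1600, True, "00:11:22:33:44:55"),  # oversize
    Frame(2000, False, "00:11:22:33:44:55"), # jabber
    Frame(128, True, "01:00:5e:00:00:fb"),   # good multicast
    Frame(1000, True, "00:11:22:33:44:55"),  # good unicast
]

if __name__ == "__main__":
    counters = tally(SAMPLE)
    for name, value in counters.items():
        print(f"{name}: {value}")
    print(f"error share: {error_share(counters):.3f}")
```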
Syntax
Parameters
Command Mode
Syntax
Parameters
Command Mode
Example
Samples Samples
1 te1/0/1 30 50 50 CLI
The following table describes the significant fields shown in the display.
Field Description
Index: An index that uniquely identifies the entry.
Interface: The sampled Ethernet interface.
Interval: The interval in seconds between samples.
Requested Samples: The requested number of samples to be saved.
Granted Samples: The granted number of samples to be saved.
Owner: The entity that configured this entry.
Syntax
Parameters
Command Mode
Example
The following examples display RMON Ethernet history statistics for index 1:
------------
Align size Oversize Fragments Jabbers
------- -----
Jan 18 2005 -------- --------- ----
21:57:00 1 1 0 49 0
Jan 18 2005 1 1 0 27 0
21:57:30
Field Description
Time: Date and Time the entry is recorded.
Octets: Total number of octets of data (including those in bad packets and excluding framing bits but including FCS octets) received on the network.
Packets: Number of packets (including bad packets) received during this sampling interval.
Broadcast: Number of good packets received during this sampling interval that were directed to the broadcast address.
Multicast: Number of good packets received during this sampling interval that were directed to a multicast address. This number does not include packets addressed to the broadcast address.
Utilization: Best estimate of the mean physical layer network utilization on this interface during this sampling interval, in hundredths of a percent.
CRC Align: Number of packets received during this sampling interval that had a length (excluding framing bits but including FCS octets) between 64 and 1518 octets, inclusive, but had either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).
Undersize: Number of packets received during this sampling interval that were less than 64 octets long (excluding framing bits but including FCS octets) and were otherwise well formed.
Oversize: Number of packets received during this sampling interval that were longer than 1518 octets (excluding framing bits but including FCS octets) but were otherwise well formed.
Fragments: Total number of packets received during this sampling interval that were less than 64 octets in length (excluding framing bits but including FCS octets) and had either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error), or a bad FCS with a non-integral number of octets (Alignment Error). It is normal for etherHistoryFragments to increment because it counts both runts (which are normal occurrences due to collisions) and noise hits.
Jabbers: Number of packets received during this sampling interval that were longer than 1518 octets (excluding framing bits but including FCS octets), and had either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).
Dropped: Total number of events in which packets were dropped by the probe due to lack of resources during this sampling interval. This number is not necessarily the number of packets dropped, it is the number of times this condition has been detected.
Collisions: Best estimate of the total number of collisions on this Ethernet segment during this sampling interval.
52
Router Resources Commands
52.0
Syntax
Parameters
Default Configuration
• ip-entries— 3072.
• ipv6-entries— 3072.
• ipm-entries— 512.
• ipmv6-entries— 512.
• policy-ip-entries— 48.
• policy-ipv6-entries— 48.
Command Mode
User Guidelines
Use the system router resources command to enter new settings for routing
entries. After entering the command, the current routing entries configuration will
be displayed, and the user will be required to confirm saving the new setting to the
startup-configuration and to reboot the system.
Data Validation:
If the new settings exceed the maximum number of routing entries, the command
is rejected and a message is displayed to the user.
If the new settings are fewer than the currently in-use routing entries, a
confirmation message is displayed to the user (before the save confirmation
message).
Use the no system router resources command to restore the default settings.
Examples
Example 1
The following example defines the supported number of IPv4 routing entries.
The maximal number of IPv4 and IPv6 Routing Entries is 3072. The number is Non-IP
Entries is 3096.
Number of Routes 20
Number of Neighbors 12
Number of Routes 20
Number of Neighbors 12
Non-IP Entries:
Example 2
The following example defines the supported number of IPv4 and IPv6 routing
entries. In the example, the configured router entries are fewer than the router
entries which are currently in use. Using this configuration means that the system
will not have enough resources to run again in the existing network:
The maximal number of IPv4 Routing entries and IPv6 Routing Entries is 3072. The
number is Non-IP Entries is 3096.
Number of Routes 20
Number of Neighbors 12
Number of Routes 20
Number of Neighbors 12
Non-IP Entries:
The new configuration of route entries is less than the route entries which are
currently in use by the system, do you want to continue (note that setting the new
configuration of route entries requires saving the running-configuration file to
startup-configuration file and rebooting the system)? (Y/N) [N] Y
Syntax
Parameters
This command has no arguments or keywords.
Command Mode
User EXEC mode
Example
In-Use Reserved
------ --------
Number of Routes 20
Number of Neighbors 12
Number of Routes 20
Number of Neighbors 12
On-Link Prefixes 1
Non-IP Entries:
53
Route Map Commands
53.0
Syntax
Parameters
Default Configuration
The command is not configured.
Command Mode
Route Map Configuration Mode
User Guidelines
The match ip address command allows you to policy route IP packets based on
criteria that can be matched with an extended IP access list; for example, a
protocol, protocol service, and source or destination IP address.
• time-range
• disable-port
• log-input
Example
The example below shows how IPv4 Policy Based Routing is configured:
switchxxxxxx(config-ip-al)# exit
switchxxxxxx(config-route-map)# exit
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
The match ipv6 address command allows you to policy route IPv6 packets based
on criteria that can be matched with an extended access list; for example, a
protocol, protocol service, and source or destination IPv6 address.
• time-range
• disable-port
• log-input
Example
The example below shows how IPv4 Policy Based Routing is configured:
switchxxxxxx(config-ip-al)# exit
switchxxxxxx(config-route-map)# exit
switchxxxxxx(config-ip-al)# exit
Syntax
Parameters
• map-tag—A meaningful name for the route map. The redistribute router
configuration command uses this name to reference this route map. Multiple
route maps may share the same map tag name.
Default Configuration
Conditions for policy routing are not configured.
Command Mode
User Guidelines
Use the route-map command to enter route-map configuration mode. The purpose
of the route map command is to define policy routing. Use the ip policy route-map
or ipv6 policy route-map command, in addition to the route-map command, and
the match and set commands to define the conditions and next hops for policy
routing packets.
The match commands specify the conditions under which policy routing occurs
and the set commands specify the routing actions to perform if the criteria
enforced by the match commands are met:
• If a routed packet matches an ACL with the permit action, the packet is
forwarded by the set command (policy based routing).
• If a routed packet matches an ACL with the deny action, the frame is
forwarded by the Forwarding table (regular routing).
Only the following combinations of the match and set commands are allowed in
one section:
• IPv4 policy routing:
- set ip next-hop
Examples
Example 1. The following example shows a route map with one
section. TCP packets sent to subnet 156.12.5.0/24 are passed to the next hop
56.1.1.1.
switchxxxxxx(config-ip-al)# exit
switchxxxxxx(config-route-map)# exit
switchxxxxxx(config-if)# exit
Example 2. The following example shows a route map with two
sections. TCP packets sent to subnet 156.12.5.0/24 are passed to the next hop
56.1.1.1 and CP packets sent to subnet 156.122.5.0/24 are passed to the next hop
50.1.1.1.
switchxxxxxx(config-ip-al)# exit
switchxxxxxx(config-ip-al)# exit
switchxxxxxx(config-route-map)# exit
switchxxxxxx(config-route-map)# exit
switchxxxxxx(config-if)# exit
Syntax
Parameters
• next-hop—IPv4 address of the next hop router.
Default Configuration
Command Mode
User Guidelines
Use the set ip next-hop command to set the IP address of the next hop for policy
routing.
Example
The following example sets IP address 192.168.30.1 as the next hop IP address:
switchxxxxxx(config-route-map)# exit
Syntax
Parameters
• next-hop—IPv6 address of the next hop router or outgoing interface ID for
point-to-point outgoing interfaces.
Default Configuration
Command Mode
Route Map Configuration Mode
User Guidelines
Use the set ip next-hop command to set the IPv6 address of the next hop for policy
routing.
Examples
Example 1. The following example sets IPv6 address 3003:17ac::20 as the next hop IPv6
address:
switchxxxxxx(config-route-map)# exit
switchxxxxxx(config-ip-al)# exit
Example 2. The following example sets interface tunnel1 as the next hop:
switchxxxxxx(config-if)# exit
switchxxxxxx(config-route-map)# exit
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
Use the show route-map map-name command to display one given route map.
Use the show route-map command to display all configured route maps.
Example
Match clauses:
Set clauses:
ip next-hop: 192.12.34.5
Match clauses:
Set clauses:
ip next-hop: 192.122.23.15
Match clauses:
Set clauses:
Match clauses:
Set clauses:
54
RSA and Certificate Commands
54.0
Running Config Keys are not displayed. All keys (default and
user-defined)
The following table describes how keys/certificates can be copied from one type
of configuration file to another (using the copy command).
* If the Running Configuration file on the device contains default keys (not
user-defined ones), the same default keys remain after reboot.
Lists of Commands
Syntax
Parameters
N/A
Default Configuration
Command Mode
User Guidelines
DSA keys are generated in pairs - one public DSA key and one private DSA key.
If the device already has DSA keys (default or user-defined), a warning is displayed
with a prompt to replace the existing keys with new keys.
Example
The following example generates a DSA key pair.
..........
Syntax
Parameters
N/A
Default Configuration
Command Mode
User Guidelines
RSA keys are generated in pairs - one public RSA key and one private RSA key.
If the device already has RSA keys, a warning is displayed with a prompt to
replace the existing keys with new keys.
See Keys and Certificates for information on how to display and copy this key pair.
Example
The following example generates RSA key pairs where an RSA key already exists.
switchxxxxxx(config)#
Use the no form of the command to remove the user key and generate a new
default in its place.
Syntax
encrypted crypto key import {dsa | rsa}
Parameters
N/A
Default Configuration
Command Mode
User Guidelines
DSA/RSA keys are imported in pairs - one public DSA/RSA key and one private
DSA/RSA key.
If the device already has DSA/RSA keys, a warning is displayed with a prompt to
replace the existing keys with new keys.
Example
Syntax
Parameters
• mypubkey—Displays only the public key.
• rsa—Displays the RSA key.
Default Configuration
N/A
Command Mode
User Guidelines
See Keys and Certificates for information on how to display and copy this key pair.
Example
The following example displays the SSH public DSA keys on the device.
Syntax
crypto certificate number generate [key-generate [length]] [cn common-name] [ou organization-unit] [or organization] [loc location] [st state] [cu country] [duration days]
Parameters
• number—Specifies the certificate number. (Range: 1–2)
The following elements can be associated with the key. When the key is
displayed, they are also displayed.
Default Configuration
Command Mode
User Guidelines
If the RSA key does not exist, you must use the parameter key-generate.
If both certificates 1 and 2 have been generated, use the ip https certificate
command to activate one of them.
See Keys and Certificates for information on how to display and copy this key pair.
Example
Syntax
crypto certificate number request [cn common-name] [ou organization-unit] [or organization] [loc location] [st state] [cu country]
Parameters
Default Configuration
Command Mode
User Guidelines
Example
Use the no form of the command to delete the user-defined keys and certificate.
Syntax
Parameters
Default Configuration
N/A
Command Mode
Global Configuration mode
User Guidelines
To end the session (return to the command line to enter the next command), enter a
blank line.
If only the certificate is imported, and the public key found in the certificate does
not match the device's SSL RSA key, the command fails. If both the public key and
the certificate are imported, and the public key found in the certificate does not
match the imported RSA key, the command fails.
See Keys and Certificates for information on how to display and copy this key pair.
Examples
Please paste the input now, add a period (.) on a separate line after the
input,and press Enter.
Please paste the input now, add a period (.) on a separate line after the
input,and press Enter.
SHA1 Finger print: DC789788 DC88A988 127897BC BB789788
Syntax
Parameters
Default Configuration
Certificate number 1.
Command Mode
Examples
The following example displays SSL certificate # 1 present on the device and the
key-pair.
Certificate 1:
55
Smartport Commands
55.0
Syntax
no macro auto
Parameters
Default Configuration
Command Mode
Global Configuration mode
User Guidelines
Regardless of the status of Auto Smartport, you can always manually apply a
Smartport macro to its associated Smartport type. A Smartport macro is either a
built-in macro or a user-defined macro. You can define and apply a macro using
the CLI commands presented in the Macro Commands section.
• Auto Smartport Operational state is enabled when the Auto Voice VLAN is
enabled.
A user cannot enable Auto Smartport globally if the OUI Voice VLAN is enabled.
Example
This example shows an attempt to enable the Auto Smartport feature globally in
the controlled mode. This is not possible because the OUI voice feature is
enabled. The voice VLAN state is then disabled, after which Auto Smartports can
be enabled. The appropriate VLANs are automatically enabled because the ports
are configured for Auto Smartports on these VLANs.
switchxxxxxx(config)#
Syntax
Parameters
Default Configuration
For other parameters, the default value is the parameter’s default value. For
instance, if the parameter is the native VLAN, the default value is the default native
VLAN.
Command Mode
User Guidelines
Example
Syntax
macro auto persistent
Parameters
Default Configuration
Persistent is set.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
A Smartport’s persistent interface retains its dynamic configuration in the
following cases: link down/up, the attaching device ages out, and reboot. Note that
for persistence and the Smartport configuration to be effective across reboot, the
Running Configuration file must be saved to the Startup Configuration file.
Example
The example establishes two port ranges and makes one persistent and the other
not.
switchxxxxxx(config-if-range)# exit
55.4 macro auto processing cdp
The macro auto processing cdp Global Configuration mode command enables
using CDP capability information to identify the type of an attached device.
When Auto Smartport is enabled on an interface and this command is run, the
switch automatically applies the corresponding Smartport type to the interface
based on the CDP capabilities advertised by the attaching device(s).
Syntax
macro auto processing cdp
Parameters
Default Configuration
Enabled
Command Mode
Global Configuration mode
Example
Syntax
Parameters
Default Configuration
Enabled
Command Mode
Example
Syntax
Parameters
Default Configuration
Command Mode
Example
Syntax
Parameters
Default Configuration
None
Command Mode
User Guidelines
When a Smartport macro fails at an interface, the Smartport type of the interface
becomes Unknown. You must diagnose the reason for the failure on the interface
and/or Smartport macro, and correct the error. Before you or Auto Smartport are
allowed to reapply the desired Smartport macro, you must reset the interface
using the macro auto built-in parameters command, which changes the Smartport
type of the interface to default.
Example
Changes the Smartport type from unknown to default and resumes the Smartport
feature on port 1.
Syntax
Parameters
Default Configuration
Enabled.
Command Mode
User Guidelines
Example
Syntax
Parameters
• smartport-type—Smartport type.
• parameter-name value—Specifies the parameter name and its value
(Range: printer, desktop, guest, server, host, ip_camera, ip_phone,
ip_phone_desktop, switch, router or wireless access point (ap)).
Default Configuration
Command Mode
User Guidelines
Example
This example shows an attempt to set the Smartport type of port 1 to printer
(statically). The macro fails at line 10. The show parser macro command is run to
display the contents of the macro printer in order to see which line failed.
switchxxxxxx(config-if)# exit
3. #
4. #macro key description: $native_vlan: The untag VLAN which will be configu
7. #
9. #
12. #
16. port security discard trap 60
17. #
switchxxxxxx(config)#
Syntax
Parameters
• smartport-type—Smartport type (switch, router, wireless access point (ap))
• interface-id—Interface Identifier (port or port channel).
Default Configuration
See User Guidelines.
Command Mode
User Guidelines
The macro auto smartport command becomes effective only when the Auto
Smartport is globally enabled.
If both smartport-type and interface-id are defined, the attached Smartport macro
is executed on the interface if it has the given Smartport type.
Example
Adds the ports of Smartport type switch to all existing VLANs by running the
associated Smartport macros.
Syntax
Parameters
Default Configuration
Command Mode
Global Configuration mode
User Guidelines
The scope of each parameter is the macro in which it is defined, with the
exception of the parameter $voice_vlan, which is a global parameter and its value
is specified by the switch and cannot be defined in a macro.
The macros must be defined before linking them in this command.
To associate a Smartport type with user-defined macros, you must have defined
a pair of macros: one to apply the configuration, and the other (anti macro) to
remove the configuration. The macros are paired by their name. The name of the
anti macro is the concatenation of no_ with the name of the corresponding macro.
Please refer to the Macro Command section for details about defining macros.
Example
To link the user-defined macro: my_ip_phone_desktop to the Smartport type:
ip_phone_desktop and provide values for its two parameters:
Syntax
Parameters
Default Configuration
Command Mode
Examples
Example 1—Note that Smartport on switch and phone types was configured
automatically. Smartport on routers was configured statically. Auto smartports are
enabled globally.
switchxxxxxx# show macro auto ports
Smartport is enabled
Example 2—Note that Smartport on switch and phone types was configured
automatically. Smartport on routers was configured statically. Auto smartports are
enabled globally.
switchxxxxxx# show macro auto ports
Smartport is enabled
switchxxxxxx(config-if)# end
SmartPort is Enabled
switchxxxxxx(config-if)# end
SmartPort is Enabled
Syntax
Parameters
This command has no parameters or keywords.
Default Configuration
None
Command Mode
Example
CDB: enabled
LLDP: enabled
host :disabled
ip_phone :enabled
ip_phone_desktop:enabled
switch :enabled
router :disabled
ap :enabled
Syntax
Parameters
Default Configuration
None
Command Mode
Example
switchxxxxxx# show macro auto smart-macros
Parameters : $native_vlan=1
Parameters : $native_vlan=1
Parameters : $native_vlan=1
SmartPort type : ap
SG300-52-R#
55.15 smartport storm-control
To enable broadcast, multicast, or unicast storm control on an interface, use the
storm-control command in Interface (Ethernet, Port Channel) Configuration mode.
To return to default, use the no form of this command.
Syntax
smartport storm-control broadcast {level level | kbps kbps} [trap] [shutdown]
no smartport storm-control
Parameters
• broadcast—Enables broadcast storm control on the port.
Default Configuration
Storm control is disabled.
Command Mode
Examples
Example 1 - Set the maximum number of kilobits per second of Broadcast traffic
on port 1 to 10000.
56 sFlow Commands
Syntax
Parameters
Default
No receiver is defined.
Command Mode
If the IP address of the sFlow receiver is set to 0.0.0.0, no sFlow datagrams are
sent.
Syntax
sflow flow-sampling rate receiver-index [max-header-size bytes]
no sflow flow-sampling
Parameters
Default
Disabled
Command Mode
User Guidelines
56.3 sflow counters-sampling
To enable sFlow Counters sampling and to configure the maximum interval of a
specific port, use the sflow counters-sampling Interface Configuration mode
command. To disable sFlow Counters sampling, use the no form of this command.
Syntax
sflow counters-sampling interval receiver-index
no sflow counters-sampling
Parameters
Default
Disabled
Command Mode
Syntax
Parameters
Command Mode
User Guidelines
If no interface is specified by the user, the command clears all the sFlow statistics
counters (including datagrams sent). If an interface is specified by the user, the
command clears only the counter of the specific interface.
Syntax
Parameters
interface-id—(Optional) Specifies an interface ID. The interface ID must be an
Ethernet port.
Command Mode
Example
switchxxxxxx# show sflow configuration
Receivers
Interfaces
Global values
--------------
Source IPv4 interface: vlan 120
Source IPv6 interface: vlan 10
Syntax
Parameters
Command Mode
Example
Syntax
Parameters
Default Configuration
The source IPv4 address is the IPv4 address defined on the outgoing interface
and belonging to the next hop IPv4 subnet.
Command Mode
User Guidelines
If the source interface is the outgoing interface, the interface IP address
belonging to the next hop IPv4 subnet is applied.
If the source interface is not the outgoing interface, the minimal IPv4 address
defined on the source interface is applied.
If there is no available IPv4 source address, a SYSLOG message is issued when
attempting to communicate with an IPv4 sFlow server.
Example
Syntax
Parameters
Default Configuration
The IPv6 source address is the IPv6 address defined on the outgoing interface
and selected in accordance with RFC 6724.
Command Mode
User Guidelines
If the source interface is the outgoing interface, the source IPv6 address is an
IPv6 address defined on the interface and selected in accordance with RFC 6724.
If the source interface is not the outgoing interface, the source IPv6 address is
the minimal IPv6 address defined on the source interface and matched to the
scope of the destination IPv6 address.
Example
57 SPAN and RSPAN Commands
Syntax
monitor session session_number destination {{interface interface-id [network]} |
{remote vlan vlan-id reflector-port interface-id} network}
Parameters
• session_number—Specify the session number identified with the SPAN,
RSPAN or flow mirror session. The range is 1 to 7.
Default Configuration
No SPAN and RSPAN sessions are configured.
Command Mode
Global Configuration mode
User Guidelines
Use the monitor session session_number destination interface interface-id
command to create a SPAN, local flow mirror, final RSPAN or final remote flow
mirror destination session to copy traffic to a destination port.
Use the monitor session session_number destination remote vlan vlan-id
reflector-port interface-id command to create a start RSPAN destination session
to copy traffic to a RSPAN VLAN via a reflector port. The remote VLAN must be
configured by the remote-span command before this command.
If the network keyword is not defined, only mirrored traffic is sent on a
destination port, all input traffic is discarded, and a value of DOWN is
advertised as its operational status to all applications running on it.
A destination port configured without the network keyword has the following
limitations:
A port cannot be configured as destination port with the network keyword if one
of the following conditions is true:
The remote VLAN can be configured as a source remote VLAN only in the final
switch.
Mirrored traffic is sent to queue number 1 of the destination port.
Example
Example 1. The following example configures a SPAN session consisting of 3
source sessions and one destination session. The first source session copies
traffic for both directions from the source port te1/0/2, the second source
session copies bridged traffic from VLAN 100, and the third source session
copies traffic received on the source port te1/0/3. The destination session
defines port te1/0/1 as the destination port.
switchxxxxxx(config-ip-al)# exit
switchxxxxxx(config)# class-map c1
switchxxxxxx(config-cmap)# exit
switchxxxxxx(config)# policy-map p1
switchxxxxxx(config-pmap)# class c1
switchxxxxxx(config-pmap-c)# mirror 1
switchxxxxxx(config-pmap-c)# exit
switchxxxxxx(config-pmap)# exit
for both directions from the source port te1/0/2 and the second session copies
traffic from VLAN 100. The destination session defines VLAN 2 as the RSPAN
VLAN and port te1/0/1 as the reflector port
Example 4. The following example configures a final RSPAN session that copies
traffic from a RSPAN VLAN 2 to destination port te1/0/1:
switchxxxxxx(config)# vlan 2
switchxxxxxx(config-vlan)# remote-span
switchxxxxxx(config-vlan)# exit
Syntax
monitor session session_number source {interface interface-id [both | rx | tx]} | {vlan
vlan-id} | {remote vlan vlan-id}
no monitor session [session_number] source [{interface interface-id} | {vlan vlan-id}
| {remote vlan vlan-id}]
Parameters
• session_number—Specify the session number identified with the SPAN or
RSPAN session. The range is 1 to 7.
• interface interface-id—Specify the source interface for a SPAN or RSPAN
session (Ethernet port).
• both, rx, tx—Specify the traffic direction to monitor. If you do not specify a
traffic direction, the source interface sends both transmitted and received
traffic.
• vlan vlan-id—Specify the SPAN source interface as a VLAN ID. In this case
only a value of 1 is allowed for the session_number argument.
• remote vlan vlan-id—Specify the RSPAN source VLAN ID. The VLAN
must be defined as a RSPAN transit VLAN in the source, intermediate and
final switches by the remote-span command.
Default Configuration
No SPAN and RSPAN sessions are configured.
Command Mode
Global Configuration mode
User Guidelines
Use the monitor session session_number source interface interface-id [both | rx |
tx] command to create a SPAN or RSPAN start source session to monitor traffic
that enters or leaves a source port.
Use the monitor session session_number source vlan vlan-id command to create
a SPAN or start RSPAN source session to monitor traffic that is bridged into a
source VLAN.
Use the monitor session session_number source remote vlan vlan-id command to
create a final RSPAN source session to monitor traffic that passes via a RSPAN
VLAN.
A SPAN or RSPAN session consists of up to 8 sources and one destination with
the same session number.
Each monitor session source command defines one source port or VLAN. Different
monitor session source commands must define different sources. A new
command with the same session number and the same source overrides the
previously defined one.
All definitions of different source ports for the same source session must be of the
same type: SPAN, RSPAN start, or RSPAN final.
The source interface in a RSPAN source switch cannot be a member of the
remote VLAN.
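The session rules in the guidelines above (session numbers 1 to 7, up to 8 sources and one destination per session, VLAN sources only in session 1, one source type per session, remote VLANs defined with remote-span) can be checked offline when reviewing which ports mirror traffic. The Python audit below is an added example, not part of this guide; the function names and the sample command sequence are constructed, and the input is assumed to be the commands as typed in Global Configuration mode, with or without the prompt.

```python
import re
from collections import defaultdict

# Constructed command sequence (not from the guide), written as the commands
# would be typed in Global Configuration mode.
SAMPLE_CONFIG = """\
vlan 2
remote-span
exit
monitor session 1 source interface te1/0/2 both
monitor session 1 source vlan 100
monitor session 1 source interface te1/0/3 rx
monitor session 1 destination interface te1/0/1
monitor session 2 source vlan 200
monitor session 3 source interface te1/0/5 tx
monitor session 3 source remote vlan 2
monitor session 3 destination remote vlan 3 reflector-port te1/0/6
monitor session 8 source interface te1/0/7
"""

PROMPT_RE = re.compile(r"^\S+\(config[^)]*\)#\s*")  # e.g. "switchxxxxxx(config)# "
VLAN_RE = re.compile(r"^vlan (\d+)$")
SRC_RE = re.compile(
    r"^monitor session (\d+) source "
    r"(?:interface (\S+)(?: (both|rx|tx))?|vlan (\d+)|remote vlan (\d+))$")
DST_RE = re.compile(
    r"^monitor session (\d+) destination "
    r"(?:interface (\S+)|remote vlan (\d+) reflector-port (\S+))( network)?$")


def parse(config_text):
    """Return (sessions, remote_span_vlans) for a sequence of commands.

    The no forms of the monitor session commands are ignored.
    """
    sessions = defaultdict(lambda: {"sources": {}, "dests": set()})
    remote_span, current_vlan = set(), None
    for raw in config_text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        if m := VLAN_RE.match(line):
            current_vlan = int(m.group(1))
        elif line == "remote-span" and current_vlan is not None:
            remote_span.add(current_vlan)
        elif line == "no remote-span" and current_vlan is not None:
            remote_span.discard(current_vlan)
        elif m := SRC_RE.match(line):
            current_vlan = None
            num, iface, direction, vlan, rvlan = m.groups()
            if iface:
                # No direction given means both directions are mirrored.
                key, value = ("interface", iface), ("port", direction or "both")
            elif vlan:
                key, value = ("vlan", int(vlan)), ("vlan", None)
            else:
                key, value = ("remote vlan", int(rvlan)), ("remote", None)
            # Same session number and same source: the new command overrides.
            sessions[int(num)]["sources"][key] = value
        elif m := DST_RE.match(line):
            current_vlan = None
            num, iface, rvlan, reflector, network = m.groups()
            sessions[int(num)]["dests"].add(
                (iface, int(rvlan) if rvlan else None, reflector, bool(network)))
        elif line in ("exit", "end"):
            current_vlan = None
    return sessions, remote_span


def audit(config_text):
    """Check each monitor session against the rules in the guidelines."""
    sessions, remote_span = parse(config_text)
    findings = []
    for num in sorted(sessions):
        sources, dests = sessions[num]["sources"], sessions[num]["dests"]
        kinds = {kind for kind, _ in sources.values()}
        problems = []
        if not 1 <= num <= 7:
            problems.append("session number outside the range 1 to 7")
        if "vlan" in kinds and num != 1:
            problems.append("a VLAN source is only allowed in session 1")
        if len(sources) > 8:
            problems.append("more than 8 sources")
        if "remote" in kinds and len(kinds) > 1:
            problems.append("sources mix final RSPAN (remote vlan) with port or VLAN sources")
        if len(dests) != 1:
            problems.append(f"{len(dests)} destinations defined, expected exactly one")
        # Remote VLANs used by this session; command ordering is not checked.
        used = {key[1] for key in sources if key[0] == "remote vlan"}
        used |= {d[1] for d in dests if d[1] is not None}
        for vlan in sorted(used - remote_span):
            problems.append(f"VLAN {vlan} is used as a remote VLAN but has no remote-span")
        findings += [f"session {num}: {p}" for p in problems]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Session 1 in the constructed sample is a valid SPAN session and produces no findings; sessions 2, 3 and 8 each break one or more of the stated rules.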
Example
Example 1. The following example configures a SPAN session consisting of 3
source sessions and one destination session. The first source session copies
traffic for both directions from the source port te1/0/2, the second source
session copies bridged traffic from VLAN 100, and the third source session
copies traffic received on the source port te1/0/3. The destination session
defines port te1/0/1 as the destination port.
switchxxxxxx(config)# monitor session 1 destination remote vlan 2 reflector-port
te1/0/1
Example 3. The following example configures a final RSPAN session that copies
traffic from a RSPAN VLAN 2 to destination port te1/0/1:
switchxxxxxx(config)# vlan 2
switchxxxxxx(config-vlan)# remote-span
switchxxxxxx(config-vlan)# exit
57.3 remote-span
To configure a virtual local area network (VLAN) as a RSPAN remote VLAN, use the
remote-span command in VLAN Configuration mode. To return to default, use the
no form of this command.
Syntax
remote-span
no remote-span
Parameters
This command has no arguments or keywords.
Default Configuration
A VLAN is not a RSPAN remote VLAN.
Command Mode
VLAN Configuration mode
User Guidelines
Use the remote-span command to define a VLAN as a RSPAN remote VLAN.
All traffic into a RSPAN VLAN is tagged and MAC learning is disabled in a RSPAN
VLAN.
The remote-span command verifies that all ports of the configured VLAN are
egress tagged ports and disables MAC learning. The no remote-span command
resets MAC learning.
Example
Example 1. The following example shows how to configure a RSPAN remote VLAN
in a source switch:
switchxxxxxx(config)# vlan 2
switchxxxxxx(config-vlan)# remote-span
switchxxxxxx(config-vlan)# exit
Example 2. The following example shows how to configure a RSPAN remote VLAN
in a final switch:
switchxxxxxx(config-if)# exit
switchxxxxxx(config)# vlan 2
switchxxxxxx(config-vlan)# remote-span
switchxxxxxx(config-vlan)# exit
Example 3. The following example shows how to configure a RSPAN remote VLAN
in an intermediate switch:
switchxxxxxx(config-if)# exit
switchxxxxxx(config)# vlan 2
switchxxxxxx(config-vlan)# remote-span
switchxxxxxx(config-vlan)# exit
Syntax
show monitor session [session_number]
Parameters
• session_number—Specify the session number identified with the SPAN or
RSPAN session. The range is 1 to 7. If the argument is not defined,
information about all sessions is displayed.
Default Configuration
This command has no default settings.
Command Mode
User EXEC mode
User Guidelines
Use the show monitor session session_number command to display information
about one session.
Use the show monitor session command to display information about all sessions.
Example
Example 1. The following example displays information about all SPAN sessions
defined on the switch:
Session 1
Type: SPAN
Example 2. The following example displays information about all start RSPAN
sessions defined on the switch:
Session 1
Example 3. The following example displays information about all final RSPAN
sessions defined on the switch:
Session 1
Destination: te1/0/1
Field Definitions:
• Type—The type of the session.
The Source is a RSPAN VLAN (in the RSPAN session final switch).
- Destination: interface-id
The switch is the first switch in the RSPAN session, regular forwarding on
the interface is not supported.
The switch is the first switch in the RSPAN session, regular forwarding on
the interface is supported.
Syntax
show vlan remote-span
Parameters
This command has no arguments or keywords.
Default Configuration
This command has no default settings.
Command Mode
User EXEC mode
Example
Example. This example shows how to display a list of remote SPAN VLANs:
58 Spanning-Tree Commands
58.1 spanning-tree
Use the spanning-tree Global Configuration mode command to enable
spanning-tree functionality. Use the no form of this command to disable the
spanning-tree functionality.
Syntax
spanning-tree
no spanning-tree
Parameters
N/A
Default Configuration
Spanning-tree is enabled.
Command Mode
Example
switchxxxxxx(config)# spanning-tree
58.2 spanning-tree mode
Use the spanning-tree mode Global Configuration mode command to select
which Spanning Tree Protocol (STP) protocol to run. Use the no form of this
command to restore the default configuration.
Syntax
spanning-tree mode {stp | rstp | mst}
no spanning-tree mode
Parameters
Default Configuration
Command Mode
User Guidelines
In RSTP mode, the device uses STP when the neighbor device uses STP.
In MSTP mode, the device uses RSTP when the neighbor device uses RSTP, and
uses STP when the neighbor device uses STP.
Example
Syntax
no spanning-tree forward-time
Parameters
Default Configuration
15 seconds.
Command Mode
User Guidelines
Example
The following example configures the spanning tree bridge forwarding time to 25
seconds.
58.4 spanning-tree hello-time
Use the spanning-tree hello-time Global Configuration mode command to
configure how often the device broadcasts Hello messages to other devices. Use
the no form of this command to restore the default configuration.
Syntax
spanning-tree hello-time seconds
no spanning-tree hello-time
Parameters
Default Configuration
2 seconds.
Command Mode
User Guidelines
When configuring the Hello time, the following relationship should be maintained:
Example
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
When configuring the maximum age, the following relationships should be
maintained:
Example
Syntax
no spanning-tree priority
Parameters
Default Configuration
Command Mode
User Guidelines
The switch with the lowest priority is the root of the spanning tree. When more
than one switch has the lowest priority, the switch with the lowest MAC address is
selected as the root.
Example
Syntax
spanning-tree disable
no spanning-tree disable
Parameters
N/A
Default Configuration
Command Mode
Example
Syntax
no spanning-tree cost
Parameters
Default Configuration
Default path cost is determined by port speed and path cost method (long or
short) as shown below:
Command Mode
Example
Syntax
no spanning-tree port-priority
Parameters
Default Configuration
Command Mode
User Guidelines
Example
Syntax
Parameters
auto—Specifies that the software waits for 3 seconds (with no Bridge Protocol
Data Units (BPDUs) received on the interface) before putting the interface into the
PortFast mode.
Default Configuration
Command Mode
Example
Syntax
Parameters
Default Configuration
The device derives the port link type from the duplex mode. A full-duplex port is
considered a point-to-point link and a half-duplex port is considered a shared link.
Command Mode
Example
Syntax
Parameters
• long—Specifies that the default port path costs are within the range: 1–
200,000,000.
• short—Specifies that the default port path costs are within the range: 1–
200,000,000.
Default Configuration
Command Mode
Global Configuration mode
User Guidelines
This command applies to all the spanning tree instances on the switch.
• If the short method is selected, the switch calculates the default cost as
100.
• If the long method is selected, the switch calculates the default cost as
20000.
Example
The following example sets the default path cost method to Long.
Syntax
Parameters
• filtering—Specifies that BPDU packets are filtered when the spanning tree
is disabled on an interface.
Default Configuration
Command Mode
User Guidelines
The filtering and flooding modes are relevant when the spanning tree is disabled
globally or on a single interface.
Example
The following example defines the BPDU packet handling mode as flooding when
the spanning tree is disabled on an interface.
Syntax
Parameters
• filtering—Specifies that BPDU packets are filtered when the spanning tree
is disabled on an interface.
Default Configuration
Command Mode
Example
The following example defines the BPDU packet as flooding when the spanning
tree is disabled on te1/0/3.
switchxxxxxx(config-if)# spanning-tree bpdu flooding
Syntax
Default Configuration
Command Mode
User Guidelines
Root Guard can be enabled when the device operates in any mode (STP, RSTP
and MSTP).
When Root Guard is enabled, the port changes to the alternate state if the
spanning-tree calculations select the port as the root port.
Example
The following example prevents te1/0/1 from being the root port of the device.
Syntax
spanning-tree bpduguard {enable | disable}
no spanning-tree bpduguard
Parameters
Default Configuration
Command Mode
User Guidelines
The command can be enabled when the spanning tree is enabled (useful when the
port is in the PortFast mode) or disabled.
Example
Syntax
Parameters
Default Configuration
All interfaces.
Command Mode
User Guidelines
This feature can only be used when working in RSTP or MSTP mode.
Example
Syntax
Parameters
• instance-id—Specifies the spanning-tree instance ID. (Range:1–7)
as the root switch. A lower value increases the probability that the switch is
selected as the root switch. (Range: 0–61440)
Default Configuration
Command Mode
User Guidelines
The switch with the lowest priority is the root of the spanning tree.
Example
The following example configures the spanning tree priority of instance 1 to 4096.
Syntax
Parameters
Default Configuration
Command Mode
Example
The following example configures the maximum number of hops that a packet
travels in an MST region before it is discarded to 10.
Syntax
Parameters
• instance-id—Specifies the spanning tree instance ID. (Range: 1–15)
Default Configuration
Command Mode
User Guidelines
Example
Syntax
Default Configuration
N/A
Parameters
• instance-id—Specifies the spanning-tree instance ID. (Range: 1–15)
Default Configuration
Default path cost is determined by the port speed and path cost method (long or
short) as shown below:
Command Mode
Example
The following example configures the MSTP instance 1 path cost for port te1/0/9
to 4.
Syntax
Command Mode
Global Configuration mode
User Guidelines
For two or more switches to be in the same MST region, they must contain the
same VLAN mapping, the same configuration revision number, and the same
name.
Example
switchxxxxxx(config-mst)# revision 1
Syntax
Parameters
• instance-id—MST instance (Range: 1–7)
Default Configuration
All VLANs are mapped to the common and internal spanning tree (CIST) instance
(instance 0).
Command Mode
User Guidelines
All VLANs that are not explicitly mapped to an MST instance are mapped to the
common and internal spanning tree (CIST) instance (instance 0) and cannot be
unmapped from the CIST.
For two or more devices to be in the same MST region, they must have the same
VLAN mapping, the same configuration revision number, and the same name.
Example
58.24 name (MST)
Use the name MST Configuration mode command to define the MST instance
name. Use the no form of this command to restore the default setting.
Syntax
name string
no name
Parameters
string—Specifies the MST instance name. (Length: 1–32 characters)
Default Configuration
Command Mode
Example
Syntax
revision value
no revision
Parameters
Default Configuration
Command Mode
Example
switchxxxxxx(config-mst) # revision 1
Syntax
Parameters
Default Configuration
N/A
Command Mode
Example
Name: Region1
Revision: 1
0 1-4094 Disabled
switchxxxxxx(config-mst)#
Syntax
exit
Parameters
N/A
Default Configuration
N/A
Command Mode
Example
The following example exits the MST Configuration mode and saves changes.
switchxxxxxx(config-mst)# exit
switchxxxxxx(config)#
Syntax
abort
Parameters
N/A
Default Configuration
N/A
Command Mode
MST Configuration mode
Example
The following example exits the MST Configuration mode without saving changes.
switchxxxxxx(config-mst)# abort
Syntax
show spanning-tree mst-configuration
Parameters
Default Configuration
Command Mode
User Guidelines
Example
Bridge ID Priority 36864
Address 00:02:4b:29:7a:00
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interfaces
Name State Prio.Nb Cost Sts Role PortFast Type
--------- -------- ------- ----- --- ---- -------- ----------
te1/0/1 Enabled 128.1 20000 - - - -
te1/0/2 Enabled 128.2 20000 - - - -
te1/0/3 Disabled 128.3 20000 - - - -
te1/0/4 Enabled 128.4 20000 - - - -
te1/0/5 Enabled 128.5 20000 - - - -
-
Interfaces
Name State Prio.Nbr Cost Sts Role PortFast Type
--------- ------- ------ ----- --- ---- -------- ----------
te1/0/4 Enabled 128.4 19 BLK Altn No Shared (STP)
Number of topology changes 2 last change occurred 2d18h ago
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15
switchxxxxxx# show spanning-tree
Spanning tree enabled mode MSTP
Default port cost method: long
###### MST 0 Vlans Mapped: 1-9
CST Root ID Priority 32768
Address 00:01:42:97:e0:00
Path Cost 20000
Root Port te1/0/1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interfaces
Name State Prio.Nbr Cost Sts Role PortFast Type
---- ------- -------- ----- --- ---- -------- -------------
te1/0/1 Enabled 128.1 20000 FRW Root No P2p Bound (RSTP)
te1/0/2 Enabled 128.2 20000 FRW Desg No Shared Bound (STP)
te1/0/3 Enabled 128.3 20000 FRW Desg No P2p
te1/0/4 Enabled 128.4 20000 FRW Desg No P2p
###### MST 1 Vlans Mapped: 10-20
Root ID Priority 24576
Address 00:02:4b:29:89:76
Path Cost 20000
Root Port te1/0/4
Rem hops 19
Interfaces
Name State Prio.Nbr Cost Sts Role PortFast Type
---- ------- -------- ----- --- ---- -------- -------------
te1/0/1 Enabled 128.1 20000 FRW Boun No P2p Bound (RSTP)
te1/0/2 Enabled 128.2 20000 FRW Boun No Shared Bound (STP)
te1/0/3 Enabled 128.3 20000 BLK Altn No P2p
te1/0/4 Enabled 128.4 20000 FRW Root No P2p
Port 4 (te1/0/4) enabled
State: Forwarding Role: Designated
Port id: 128.4 Port cost: 20000
Type: Shared (configured: auto) Internal Port Fast: No (configured:no)
Designated bridge Priority: 32768 Address: 00:02:4b:29:7a:00
Designated port id: 128.2 Designated path cost: 20000
Number of transitions to forwarding state: 1
BPDU: sent 2, received 170638
Syntax
Parameters
Default Configuration
Show information for all interfaces. If detailed is not used, only present ports are
displayed.
Command Mode
User EXEC mode
Example
The following is the output if both the global BPDU
handling command and the per-interface BPDU handling
command are supported.
Global: Flooding
Syntax
spanning-tree loopback-guard
no spanning-tree loopback-guard
Parameters
N/A
Default Configuration
N/A
Command Mode
Global
User Guidelines
This enables shutting down any interface on which a loopback BPDU is received.
Example
59 SSH Client Commands
Syntax
Parameters
• password—Username and password are used for authentication.
• public-key rsa—Username and RSA public key are used for authentication.
• public-key dsa—Username and DSA public key are used for authentication.
Default Configuration
Username and password are used for authentication by the local SSH clients.
Command Mode
User Guidelines
Example
The following example specifies that username and public key are used for
authentication:
Syntax
Parameters
Default Configuration
None
Command Mode
User Guidelines
Use the command to change a password on a remote SSH server. Use the ip
ssh-client password command to change the SSH client password of the switch’s
SSH client so that it matches the new password set on the remote SSH server.
Example
Syntax
Parameters
• dsa—DSA key type.
Default Configuration
Command Mode
User Guidelines
When using the keyword generate, a private key and a public key of the given type
(RSA/DSA) are generated for the SSH client. Downloading a configuration file with
a Key Generating command is not allowed, and such download will fail.
When using the keyword key-pair, the user can import a key-pair created by
another device. In this case, the keys must follow the format specified by RFC
4716.
If the specified key already exists, a warning will be issued before replacing the
existing key with a new key.
Use the no ip ssh-client key command to remove a key pair. Use this command
without specifying a key-type to remove both key pairs.
Table 3 describes the expected behavior of keys, default and users within the
various operations.
Running Config | Keys are not displayed. | All keys (default and user) | N/A | Only user defined. | Same as user configuration
Text-based CLI (TFTP/Backup) | As it was copied. | N/A | All keys (default and user) | Only user defined. | As a text file.
If no keys are included in the text-based configuration file, the device generates its
own keys during initialization. If the Running Configuration contains default keys
(not user-defined), the same default keys remain.
Examples
Example 1 - In the following example, a key pair of the RSA type is created:
This may take a few minutes, depending on the key size.
Example 2 - In the following example, both public and private keys of the RSA
type are imported (private key as plaintext):
Please paste the input now, add a period (.) on a separate line after the input
Example 3 - In the following example, both public and private keys of the DSA
type are imported (private key as encrypted):
Example 5 - In the following example, all key pairs (RSA and DSA types) are
removed.
Syntax
no ip ssh-client password
Parameters
Default Configuration
Command Mode
User Guidelines
If the encrypted keyword is used, the password must be in the encrypted form.
Use the command ip ssh-client change server password to change the password
on the remote SSH server so that it will match the new password of the SSH
client.
Example
The following example specifies a plaintext password for the local SSH clients:
To disable remote SSH server authentication, use the no form of the command.
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
When remote SSH server authentication is disabled, any remote SSH server is
accepted (even if there is no entry for the remote SSH server in the SSH Trusted
Remote Server table).
When remote SSH server authentication is enabled, only trusted SSH servers are
accepted. Use the ip ssh-client server fingerprint command to configure trusted
SSH servers.
Example
The following example enables SSH server authentication:
Syntax
Parameters
• ip-address—Specifies the address of an SSH server. The IP address can
be an IPv4, IPv6 or IPv6z address. See IPv6z Address Conventions.
Default Configuration
Command Mode
User Guidelines
Fingerprints are created by applying a cryptographic hash function to a public key.
Fingerprints are shorter than the keys they refer to, making them simpler to use (easier
to input manually than the original key). Whenever the switch is required to
authenticate an SSH server’s public key, it calculates the received key’s fingerprint
and compares it to the previously configured fingerprint.
The fingerprint can be obtained from the SSH server (the fingerprint is calculated
when the public key is generated on the SSH server).
The no ip ssh-client server fingerprint command removes all entries from the
Trusted Remote SSH Server table.
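The fingerprint comparison described above, together with the RFC 4716 key format named under the SSH client key commands, as an added Python example (not code from this guide or from the switch firmware). It assumes the MD5 hex fingerprint form, since the guide does not name the hash function; the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

# Constructed sample values (not a real key): a 1024-bit odd number stands in
# for an RSA modulus so that the blob has a realistic size.
SAMPLE_E = 65537
SAMPLE_N = int("c3" * 127 + "c5", 16)


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    """SSH wire-format positive integer (leading zero byte if top bit is set)."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_rsa_blob(e: int, n: int) -> bytes:
    """Public key blob as a server presents it: "ssh-rsa", exponent, modulus."""
    return _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def to_rfc4716(blob: bytes, comment: str) -> str:
    """Render a key blob in the RFC 4716 public key file format."""
    b64 = base64.b64encode(blob).decode("ascii")
    body = [b64[i:i + 70] for i in range(0, len(b64), 70)]  # lines <= 72 bytes
    return "\n".join([BEGIN, f'Comment: "{comment}"', *body, END]) + "\n"


def parse_rfc4716(text: str) -> bytes:
    """Return the key blob from an RFC 4716 file, rejecting malformed input."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing RFC 4716 begin/end markers")
    body, in_header = [], False
    for ln in lines[1:-1]:
        if in_header or ":" in ln:         # header line or its continuation
            in_header = ln.endswith("\\")  # a trailing backslash continues it
        else:
            body.append(ln)
    blob = base64.b64decode("".join(body), validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] not in (b"ssh-rsa", b"ssh-dss"):
        raise ValueError("unexpected key type")
    return blob


def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint of a public key blob (assumed form)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def normalize_fingerprint(configured: str) -> str:
    """Accept a fingerprint with or without ':' separators; return bare hex."""
    hexdigits = configured.strip().replace(":", "").lower()
    if len(hexdigits) != 32 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError("fingerprint must be 32 hex digits")
    return hexdigits


def server_is_trusted(received_blob: bytes, configured: str) -> bool:
    """Hash the key the server presented and compare it to the stored value."""
    received = hashlib.md5(received_blob).hexdigest()
    return hmac.compare_digest(received, normalize_fingerprint(configured))


if __name__ == "__main__":
    key_file = to_rfc4716(build_rsa_blob(SAMPLE_E, SAMPLE_N), "constructed sample key")
    blob = parse_rfc4716(key_file)
    stored = fingerprint_md5(blob)
    print(key_file)
    print("fingerprint:", stored)
    print("same key trusted:", server_is_trusted(blob, stored))
    print("different key trusted:",
          server_is_trusted(build_rsa_blob(SAMPLE_E, SAMPLE_N + 2), stored))
```

A key that differs in any bit yields a different fingerprint, so the second comparison fails, which is the case remote SSH server authentication is meant to catch.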
Example
In the following example, a trusted server is added to the Trusted Servers table
(with and without a separator ":"):
Syntax
Parameters
• interface-id—Specifies the source interface.
Default Configuration
The source IPv4 address is the IPv4 address defined on the outgoing interface
and belonging to next hop IPv4 subnet.
Command Mode
User Guidelines
If the source interface is the outgoing interface then the interface IP address
belonging to next hop IPv4 subnet is applied.
If the source interface is not the outgoing interface then the minimal IPv4 address
defined on the source interface is applied.
Example
The following example configures the VLAN 10 as the source interface.
Syntax
Parameters
• interface-id—(Optional) Specifies the source interface.
Default Configuration
The IPv6 source address is the IPv6 address defined on the outgoing interface and
selected in accordance with RFC 6724.
Command Mode
User Guidelines
If the source interface is the outgoing interface, the IPv6 address defined on
the interface and selected in accordance with RFC 6724 is applied.
If the source interface is not the outgoing interface, the minimal IPv6 address
defined on the source interface and with the scope of the destination IPv6
address is applied.
Example
Syntax
Parameters
• string—Username of the SSH client. The length is 1 - 70 characters. The
username cannot include the characters "@" and ":".
Default Configuration
The default username is anonymous.
Command Mode
User Guidelines
The configured username is used when SSH client authentication is done either by
password or by key.
Example
Syntax
show ip ssh-client
Parameters
• rsa—Specifies displaying the RSA key type.
Command Mode
User Guidelines
Use the command with a specific key-type to display the SSH client key. You can
specify display of either the public key or the private key, or use no parameter to display
both private and public keys. The keys are displayed in the format specified by
RFC 4716.
Examples
Example 1. The following example displays the authentication method and the
RSA public key:
Username: john
Example 2. The following example displays the authentication method and DSA
private key in encrypted format:
Username: john
Example 3. The following example displays the SSH client authentication method,
the username and the password:
password(Encrypted): KzGgzpYa7GzCHhaveSJDehGJ6L3Yf9ZBAU5nsxSxwic=
Syntax
Parameters
• host—(Optional) DNS name of an SSH server.
• ip-address—(Optional) IP Address of an SSH server. The IP address can be
an IPv4, IPv6 or IPv6z address. See IPv6z Address Conventions.
Default Configuration
None
Command Mode
User Guidelines
If a specific SSH server is specified, only the fingerprint of this SSH server is
displayed. Otherwise, all known servers are displayed.
Examples
Example 2 - The following example displays the authentication method and DSA
private key in encrypted format:
Username: john
Example 3 - The following example displays the SSH client authentication method,
the username and the password:
password(Encrypted): KzGgzpYa7GzCHhaveSJDehGJ6L3Yf9ZBAU5
60 SSD Commands
Syntax
ssd config
Parameters
Command Mode
User Guidelines
Only users with sufficient permission can use this command, which edits and
displays the SSD configuration. See ssd rule for a description of these
permissions.
Example
switchxxxxxx(config)# ssd config
switchxxxxxx(config-ssd)#
60.2 passphrase
To change the passphrase in the system, use passphrase in SSD Configuration
mode. A device protects its sensitive data by encrypting it with a key
generated from the passphrase.
To reset the passphrase to the default passphrase, use no passphrase.
Syntax
passphrase {passphrase}
Parameters
• passphrase—New system passphrase.
Default Usage
Command Mode
User Guidelines
Encrypted passphrase is allowed only in the SSD Control Block of a source file
that is being copied to the startup configuration file (user cannot manually enter
this command).
When generating a passphrase, the user must use 4 different character classes
(similar to strong password/passwords complexity). These can be: uppercase
letters, lowercase letters, numbers, and special characters available on a standard
keyboard.
Example
switchxxxxxx(config-ssd)# passphrase
This operation will change the system SSD passphrase. Are you sure? (Y/N)[N] Y
To delete user-defined rules and restore default rules, use no ssd rule.
Syntax
Command Mode
SSD Configuration mode.
Default Rules
User Guidelines
Use no ssd rule to delete a user-defined rule or to restore the default of a modified
default rule.
Use no ssd rule (without parameters) to remove all SSD rules and restore the
default SSD rules. A confirmation message will be displayed asking permission to
do this.
To delete specific rules (applicable to user-defined rules), provide parameters
specifying the user and the security of the channel.
The encrypted SSD rule is used to copy an SSD rule from one device to another in a
secure manner.
You can modify but cannot delete the default SSD rules.
The following is the order in which SSD rules are applied:
Examples
Example 1 - The following example modifies a rule.
This operation will delete all user-defined rules and retrieve the default rules
instead.
Syntax
Parameters
Command Mode
SSD Configuration mode
Default Configuration
Examples
Syntax
Parameters
Command Mode
Default
The command itself does not have a default. However, note that the read mode of
the session itself defaults to the default read mode of the SSD rule that the device
uses to grant SSD permission to the user of the session.
User Guidelines
Use no ssd session read to restore the default read option of the SSD rules. This
configuration will be allowed only if the user of the current session has sufficient
read permissions; otherwise, the command will fail and an error will be displayed.
The setting will take effect immediately and will terminate when the user restores
the settings or exits the session.
Example
Syntax
Command Mode
Default
None
Examples
Syntax
ssd file passphrase control {restricted | unrestricted}
Parameters
Default
Command Mode
User Guidelines
To revert to the default state, use the no ssd file passphrase control command.
Note that after a device is reset to the factory default, its local passphrase is set to
the default passphrase. As a result, the device will not be able to decrypt
sensitive data encrypted with a user-defined passphrase key in its own
configuration files until the device is manually configured with the
user-passphrase again or the files are created in unrestricted mode.
If a user-defined passphrase in Unrestricted mode is configured, it is highly
recommended to enable SSD File Integrity Control. Enabling SSD File Integrity
Control protects configuration files from tampering.
Examples
Syntax
Parameters
• enabled—Enable file integrity control to protect newly-generated
configuration files from tampering.
Default
Command Mode
SSD Configuration mode.
User Guidelines
A user can protect a configuration file from tampering by creating the file
with File Integrity Control enabled. It is recommended that File Integrity Control be
enabled when a device uses a user-defined passphrase with Unrestricted
Configuration File Passphrase Control.
Examples
When File Integrity is enabled, an internal digest command is added to the end of
the entire configuration file. This is used in downloading the configuration file to
the startup configuration.
config-file-digest 0AC78001122334400AC780011223344
61 Stack Commands
Parameters
• uplink uplink-type - The type of uplink ports of the unit. Supported values
are:
Default Configuration
Command Mode
User Guidelines
Use the set stack tack unit-type command to define the type of "not-present" stack
units (see below). The type of unit in stack defines the type of interface naming for
this unit and determines which interface level commands can be applied.
If a unit is present or inserted in a stack, the unit type is automatically set by the
software to the type of unit identified. If a unit that was present is subsequently
removed from the stack, the unit becomes "not-present" but retains the existing unit
type. If a unit is "not-present" and there is no previous type identified (the unit did not
exist previously in the stack), its unit type is automatically set to the same unit type as
the master unit.
• If the network port type is set to te, the uplink port type must be set to none.
• If the network port type is set to fa or gi, the uplink port type must be set to te.
• The unit-type of each unit is saved across reboots and displayed as part of
configuration file header in the following format: "unit-type unit X network
network-type uplink uplink-type"
Examples
To place the user in the context of the specified stack unit or all stack units, use the
stack unit Global Configuration command.
Syntax
Parameters
• unit-id—Select a specific unit. All commands after this command refer to
this unit. The unit must be a member of the stack. (Range: 1–4).
Default Configuration
None
Command Mode
Examples
Example 1—The following example sets the unit context to 2; all following stack
commands will apply to unit 2.
Example 2—The following example sets the unit context to all units in the stack; all
following stack commands will apply to all the units.
Syntax
no stack configuration
Parameters
• unit-id— Select the unit id to be used after reload. (Range: 1–4). Use auto to
enable stack auto numbering feature.
Default Configuration
None
Command Mode
Global Configuration mode
User Guidelines
• Running the command in the stack unit all context with the unit-id
parameter set to a value other than auto generates an error (to avoid setting
several units to the same ID).
• Setting the unit-id to a value other than auto requires the links to be
configured to a non-empty port list.
Examples
Example 1—The following example sets the master unit to stack factory default.
Example 2—The following example sets the unit 3 to have stack links (ports) te3-4
with unit ID auto.
Syntax
Parameters
N/A
Default Configuration
N/A.
Command Mode
Examples
Unit         Id           Stack Links
------------ ------------ ------------------------
1            1            te1-2
2            auto         te3-4
3            4            te1-2
Syntax
show stack
Parameters
N/A
Default Configuration
N/A.
Command Mode
User EXEC mode
Examples
Display the stack information for an entire stack.
Unit Id  MAC Address        Role    Network Port Type  Uplink Port Type
-------  -----------------  ------  -----------------  ----------------
1        00:00:b0:00:10:00  Master  te                 none
2        00:00:b0:00:20:00  Backup  gi                 te
3        00:00:b0:00:30:00  Slave   gi                 te
61.6 show stack links
To display the stack links operational status, use the show stack links EXEC mode
command.
Syntax
Parameters
N/A
Default Configuration
N/A.
Command Mode
Examples
Unit Id  Active Links  Neighbor Links  Operational Link Speed  Down/Standby Links
-------  ------------  --------------  ----------------------  ------------------
1        te1/1-2       te3/4,te2/1     10G                     te1/3,te1/4
2        te2/1-2       te1/2,te3/3     10G
3        te3/3-4       te2/2,te1/1     10G
Example 2—Display the stack links information for an entire stack with details.
Topology is Ring
Unit Id  Link  Status  Speed  Neighbor Unit Id  Neighbor Link  Neighbor Mac Address
-------  ----  ------  -----  ----------------  -------------  --------------------
1        te1   Active  10G    2                 te2            00:00:b0:00:20:00
1        te2   Down    NA     NA                NA             NA
2        te1   Down    NA     NA                NA             NA
2        te2   Active  10G    1                 te1            00:00:b0:00:10:00
62 SYSLOG Commands
Syntax
Parameters
Default Configuration
Enabled.
Command Mode
User Guidelines
Example
Syntax
clear logging
Parameters
Default Configuration
None
Command Mode
Example
The following example clears messages from the internal logging buffer.
Syntax
Parameters
Default Configuration
None
Command Mode
Example
Syntax
Parameters
• copy—Specifies logging messages related to file copy operations.
Default Configuration
Enabled.
Command Mode
Example
The following example enables logging messages related to file copy operations.
Syntax
Parameters
• buffer-size—(Optional) Specifies the maximum number of messages stored
in buffer. (Range: 20–1000)
Default Configuration
Command Mode
User Guidelines
All the SYSLOG messages are logged to the internal buffer. This command limits
the messages displayed to the user.
Example
The following example shows two ways of limiting the SYSLOG message display
from an internal buffer to messages with severity level debugging. In the second
example, the buffer size is set to 100 and severity level informational.
Syntax
no logging console
Parameters
Default Configuration
Informational.
Command Mode
Example
Syntax
Parameters
level—Specifies the severity level of SYSLOG messages sent to the logging file.
The possible values are: emergencies, alerts, critical, errors, warnings,
notifications, informational and debugging.
Default Configuration
Command Mode
Example
The following example limits SYSLOG messages sent to the logging file to
messages with severity level alerts.
62.8 logging host
To log messages to the specified SYSLOG server, use the logging host Global
Configuration command. To delete the SYSLOG server with the specified address
from the list of SYSLOG servers, use the no form of this command.
Syntax
logging host {ip-address | ipv6-address | hostname} [port port] [severity level]
[facility facility] [description text]
Parameters
Default Configuration
Command Mode
Global Configuration mode
User Guidelines
Examples
62.9 logging on
To enable message logging, use the logging on Global Configuration mode
command. This command sends debug or error messages asynchronously to
designated locations. To disable the logging, use the no form of this command.
Syntax
logging on
no logging on
Parameters
Default Configuration
Command Mode
User Guidelines
Example
switchxxxxxx(config)# logging on
Syntax
Parameters
interface-id—Specifies the source interface.
Default Configuration
The source IPv4 address is the IPv4 address defined on the outgoing interface
and belonging to next hop IPv4 subnet.
Command Mode
User Guidelines
If the source interface is the outgoing interface, the interface IP address belonging
to the next hop IPv4 subnet is applied.
If the source interface is not the outgoing interface, the lowest IPv4 address
defined on the source interface is applied.
Example
Syntax
Parameters
interface-id—Specifies the source interface.
Default Configuration
The IPv6 source address is the defined IPv6 address of the outgoing interface and
selected in accordance with RFC6724.
Command Mode
User Guidelines
If the source interface is the outgoing interface, the IPv6 address defined on the
interface and selected in accordance with RFC 6724 is applied.
If the source interface is not the outgoing interface, the minimal IPv6 address
defined on the source interface with the scope of the destination IPv6 address is
applied.
Example
Syntax
logging aggregation on
no logging aggregation on
Parameters
Default Configuration
Disabled
Command Mode
Example
Syntax
Parameters
Default Configuration
300 seconds.
Command Mode
Global Configuration mode
Example
Syntax
no logging origin-id
Parameters
• IP—IP address of the sending interface that is used as the message origin
identifier.
Default Configuration
Command Mode
Example
Syntax
show logging
Parameters
Default Configuration
None
Command Mode
Example
The following example displays the logging status and the SYSLOG messages
stored in the internal buffer.
Logging is enabled.
Buffer Logging: Level info. Buffer Messages: 61 Logged, 61 Displayed, 200 Max.
Aggregation: Disabled.
62.16 show logging file
To display the logging status and the SYSLOG messages stored in the logging file,
use the show logging file Privileged EXEC mode command.
Syntax
Parameters
Default Configuration
None
Command Mode
Example
The following example displays the logging status and the SYSLOG messages
stored in the logging file.
Logging is enabled.
Buffer Logging: Level info. Buffer Messages: 61 Logged, 61 Displayed, 200 Max.
Aggregation: Disabled.
z6NHgZwKI5xKqF7cBtdl1xmFgSEWuDhho5UedydAjVkKS5XR2... failed
console#
Syntax
show syslog-servers
Parameters
Default Configuration
None
Command Mode
Example
Device Configuration
--------------------
----------------------
63 System Management Commands
To set the LEDs of all the ports on the device to reflect the current operational
status of each port, use the no disable ports leds command.
Syntax
Parameters
This command has no arguments or keywords.
Default Configuration
The default is no disable port leds; that is, the LEDs of all the ports reflect their
current status.
Command Mode
Examples
63.2 hostname
To specify or modify the device host name, use the hostname Global
Configuration mode command. To remove the existing host name, use the no form
of the command.
Syntax
hostname name
no hostname
Parameters
Name—Specifies the device host name. (Length: 1-58 characters). The hostname
must start with a letter, end with a letter or digit, and have as interior characters
only letters, digits, and hyphens.
Default Configuration
No host name is defined.
Command Mode
Example
enterprise(config)#
63.3 reload
To reload the operating system at a user-specified time, use the reload Privileged
EXEC mode command.
Syntax
reload [in [hhh:mm | mmm] | at hh:mm [day month]] | cancel] [slot unit-id]
Parameters
Default Usage
None
Command Mode
User Guidelines
The at keyword can be used only if the system clock has been set on the device.
To schedule reloads across several devices to occur simultaneously, synchronize
the time on each device with SNTP.
When you specify the reload time using the at keyword, if you specify the month
and day, the reload takes place at the specified time and date. If you do not
specify the month and day, the reload takes place at the specified time on the
current day (if the specified time is later than the current time), or on the next day (if
the specified time is earlier than the current time). Specifying 00:00 schedules the
reload for midnight. The reload must take place within 24 days.
To display information about a scheduled reload, use the show reload command.
Examples
Example 1: The following example reloads the operating system on all units of a
stack system or on the single unit of a standalone system.
switchxxxxxx> reload
This command will reset the whole system and disconnect your current session.
Do you want to continue? (y/n) [Y]
switchxxxxxx> reload in 10
This command will reset the whole system and disconnect your current session.
Reload is scheduled for 11:57:08 UTC Fri Apr 21 2012 (in 10 minutes). Do you
want to continue? (y/n) [Y]
Example 3: The following example reloads the operating system at 13:00 on all
units of a stack system or on the single unit of a standalone system.
This command will reset the whole system and disconnect your current session.
Reload is scheduled for 13:00:00 UTC Fri Apr 21 2012 (in 1 hour and 3
minutes). Do you want to continue? (y/n) [Y]
Reload cancelled.
63.4 resume
To enable switching to another open Telnet session, use the resume EXEC mode
command.
Syntax
resume [connection]
Parameters
Default Configuration
Command Mode
Privileged EXEC mode
Example
switchxxxxxx> resume 1
Syntax
service cpu-utilization
no service cpu-utilization
Parameters
Default Configuration
Command Mode
User Guidelines
Example
Syntax
Parameters
Command Mode
Example
Syntax
Parameters
Default Usage
None
Command Mode
User Guidelines
Example
CPU utilization
--------------------------------------------------
Syntax
Parameters
Command Mode
User Guidelines
The fan and temperature status parameters are available only on devices on which
a fan and/or temperature sensor is installed.
• Fans OK, redundant fan Active - One of the fans failed and is backed-up by
the redundant fan.
• NA - No sensor is installed.
Examples
Example 2 - The following example displays the general FAN status of a device or
a stack.
switchxxxxxx> show environment fan
TEMPERATURE is Warning
Unit FAN
Status
--- ---------
2 Fail
4 NA
Status
1 OK OK
2 Failure
3 NA
Syntax
show inventory [entity]
Parameters
Command Mode
Examples
Example 1 - The following example displays all the entities in a standalone system.
switchxxxxxx> show inventory
Example 3 - The following example displays all the entities in a stacking system
with two units.
switchxxxxxx> show inventory
Example 4 - The following example displays information for unit 1 of the stack.
switchxxxxxx> show inventory 1
NAME: "1" DESCR: "48-Port Gigabit with 4-Port 10-Gigabit PoE Stackable Managed
Switch"
Syntax
show reload
Parameters
Default Usage
None
Command Mode
User Guidelines
You can use this command to display a pending software reload. To cancel a
pending reload, use this command with the cancel parameter.
Example
The following example displays that reboot is scheduled for 00:00 on Saturday,
April-20.
Reload scheduled for 00:00:00 UTC Sat April 20 (in 3 hours and 12 minutes)
Syntax
show sessions
Parameters
Default Usage
None
Command Mode
User Guidelines
The show sessions command displays Telnet sessions to remote hosts opened by
the current Telnet session to the local device. It does not display Telnet sessions to
remote hosts opened by other Telnet sessions to the local device.
Example
2 172.16.1.2 172.16.1.2 23 8
Field        Description
----------   ------------------------------------------------------------
Connection   The connection number.
Host         The remote host to which the device is connected through a
             Telnet session.
Address      The remote host IP address.
Port         The Telnet TCP port number.
Byte         The number of unread bytes for the user to see on the
             connection.
Syntax
Parameters
Command Mode
Example
switchxxxxxx> show system
System Contact:
System Location:
Unit Type
---- -----------------
1 SG350XG-24
---- -----------------
1 OK
1 OK Ready
1 42 OK
System Contact:
System Name:
System Location:
---- -----------------
2 OK
1 OK Ready
2 42 OK
Syntax
Parameters
Default Usage
None
Command Mode
Example
The following example displays the languages configured on the device. Number
of Sections indicates the number of languages permitted on the device.
switchxxxxxx> show system languages
Syntax
show system tcam utilization [unit unit-id]
Default Usage
None
Command Mode
Example
The following example displays TCAM utilization information.
System: 75%
Unit TCAM utilization [%]
---- --------------------
1 58
2 57
Syntax
Parameters
Command Mode
User Guidelines
The output does not show sessions where the device is a TCP/UDP client.
Examples
fe80::200:b0ff:fe00:0-8999 ESTABLISHED
Syntax
Parameters
Default Configuration
Command Types
Switch command.
Command Mode
User EXEC mode
User Guidelines
Caution: Avoid running multiple show tech-support commands on a switch or on
multiple switches on the network segment. Doing so may cause starvation of
some time-sensitive protocols, like STP.
The show tech-support command may time out if the configuration file output
takes longer to display than the configured session timeout. If this happens,
set the logout timeout value to 0 to disable automatic disconnection of idle
sessions, or enter a longer timeout value.
The show tech-support command output is continuous, meaning that it does not
display one screen at a time. To interrupt the output, press Esc.
If the user specifies the memory keyword, the show tech-support command
displays the following output:
Syntax
Parameters
Command Mode
Examples
(RPM)
63.18 show system sensors
To view the temperature sensor status, use the show system sensors EXEC mode
command.
Syntax
Parameters
Default Usage
None
Command Mode
Examples
Syntax
Parameters
Default Usage
None
Command Mode
User Guidelines
Power supply supported:
When the power supply changes to Main power supply, the following syslog
message is created: Power supply source changed to Main Power Supply.
Examples
switchxxxxxx> show system power-supply
To display the system identity information, use the show system id EXEC mode
command.
Syntax
Parameters
Command Mode
Example
Syntax
Parameters
Command Mode
Examples
Example 1: The following example displays the status of the port’s LEDs when they
are turned on.
Example 2: The following example displays the status of the port LEDs when they
are turned off.
Syntax
show users
Parameters
Default Usage
None
Command Mode
Example
Bob Serial
Syntax
Parameters
• unit—(Optional) Specifies the unit number. (Range: 1 – 4 )
Default Usage
Command Mode
Example
HW Version
Syntax
Parameters
Default Usage
Command Mode
Example
Unit HW Version
---- ------------
1 1.0.0
2 1.0.0.
Syntax
system recovery
no system recovery
Parameters
Default Configuration
Command Mode
Example
c
64
TACACS+ Commands
64
Syntax
Parameters
• key key-string—(Optional) Specifies the authentication and encryption key
for all TACACS+ communications between the device and the TACACS+
server. This key must match the encryption key used on the TACACS+ daemon.
To specify an empty string, enter "". (Length: 0-128 characters). If this
parameter is omitted, the globally-defined key (set in the tacacs-server key
command) will be used.
Default Configuration
If timeout is not specified, the global value (set in the tacacs-server timeout
command) is used.
If key-string is not specified, the global value (set in the tacacs-server key
command) is used.
Command Mode
Global Configuration mode
User Guidelines
Multiple tacacs-server host commands can be used to specify multiple hosts.
Example
Syntax
Parameters
• interface-id—Specifies the source interface.
Default Configuration
The source IPv4 address is the IPv4 address defined on the outgoing interface
and belonging to the next hop IPv4 subnet.
Command Mode
User Guidelines
If the source interface is the outgoing interface, the interface IP address belonging
to the next hop IPv4 subnet is applied.
If the source interface is not the outgoing interface, the minimal IPv4 address
defined on the source interface is applied.
Example
Syntax
Parameters
• interface-id—Specifies the source interface.
Default Configuration
The IPv6 source address is the IPv6 address defined on the outgoing interface
and selected in accordance with RFC6724.
Command Mode
User Guidelines
If the source interface is the outgoing interface, the source IPv6 address is an IPv6
address defined on the interfaces and selected in accordance with RFC 6724.
If the source interface is not the outgoing interface, the minimal IPv6 address
defined on the source interface and matched to the scope of the destination
IPv6 address is applied.
Example
Syntax
no tacacs-server key
Parameters
Default Configuration
Command Mode
Example
The following example sets Enterprise as the authentication key for all TACACS+
servers.
Syntax
no tacacs-server timeout
Parameters
Default Configuration
Command Mode
Example
The following example sets the timeout value to 30 for all TACACS+ servers.
Syntax
Parameters
Default Configuration
Command Mode
Example
The following example displays configuration and statistical information for all
TACACS+ servers
Connection Out
Syntax
Parameters
Default Configuration
Command Mode
Example
The following example displays configuration and statistical information for all
TACACS+ servers
65
Telnet, Secure Shell (SSH) and Secure Login
(Slogin) Commands
65.0
Use the no form of this command to disable the Telnet server functionality on the
device.
Syntax
ip telnet server
no ip telnet server
Default Configuration
Disabled
Command Mode
User Guidelines
The device can be enabled to accept connection requests from both remote SSH
and Telnet clients. It is recommended that the remote client connects to the device
using SSH (as opposed to Telnet), since SSH is a secure protocol and Telnet is not.
To enable the device to be an SSH server, use the ip ssh server command.
Example
The following example enables the device to be configured from a Telnet server.
65.2 ip ssh server
The ip ssh server Global Configuration mode command enables the device to be
an SSH server and so to accept connection requests from remote SSH clients.
Remote SSH clients can manage the device through the SSH connection.
Use the no form of this command to disable the SSH server functionality on the
device.
Syntax
ip ssh server
no ip ssh server
Default Configuration
Command Mode
User Guidelines
To generate new SSH server keys, use the crypto key generate dsa and crypto
key generate rsa commands.
Example
Syntax
no ip ssh port
Parameters
Default Configuration
Command Mode
Example
The following example specifies that TCP port number 8080 is used by the SSH
server.
Syntax
ip ssh password-auth
no ip ssh password-auth
Default Configuration
Command Mode
User Guidelines
After a remote SSH client is successfully authenticated by public key, the client
must still be AAA-authenticated to gain management access to the device.
Example
Syntax
no ip ssh pubkey-auth
Parameters
Default Configuration
Command Mode
User Guidelines
This command enables public key authentication by a local SSH server of remote
SSH clients.
The local SSH server advertises all enabled SSH authentication methods and
remote SSH clients are responsible for choosing one of them.
After a remote SSH client is successfully authenticated by public key, the client
must still be AAA-authenticated to gain management access to the device, except
if the auto-login parameter was specified.
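The Telnet and SSH settings described in this chapter can be checked offline against a saved configuration. The following Python sketch is an added example, not part of the Cisco guide; both sample configurations are constructed, and the placement of the auto-login keyword directly after ip ssh pubkey-auth is an assumption based on the parameter name mentioned above.

```python
"""Audit a saved switch configuration for the remote-management settings
documented in this chapter (added example; sample configs are constructed)."""

# Constructed input: Telnet on, public-key logins skip AAA via auto-login.
WEAK_CONFIG = """\
hostname enterprise
ip telnet server
ip ssh server
ip ssh port 8080
ip ssh pubkey-auth auto-login
"""

# Constructed input: Telnet turned off again later in the file, no auto-login.
HARDENED_CONFIG = """\
ip telnet server
no ip telnet server
ip ssh server
ip ssh pubkey-auth
"""


def parse_state(config_text):
    """Return the effective settings; a later line overrides an earlier one."""
    state = {
        "telnet": False,        # guide: Telnet server default is Disabled
        "ssh": None,            # None = not set explicitly in this file
        "password_auth": None,
        "pubkey_auth": None,
        "auto_login": False,
        "ssh_port": None,
    }
    for raw in config_text.splitlines():
        tokens = raw.split()
        negated = bool(tokens) and tokens[0] == "no"
        if negated:
            tokens = tokens[1:]
        head, args = tokens[:3], tokens[3:]
        if head == ["ip", "telnet", "server"]:
            state["telnet"] = not negated
        elif head == ["ip", "ssh", "server"]:
            state["ssh"] = not negated
        elif head == ["ip", "ssh", "password-auth"]:
            state["password_auth"] = not negated
        elif head == ["ip", "ssh", "pubkey-auth"]:
            state["pubkey_auth"] = not negated
            # Assumed keyword placement: "ip ssh pubkey-auth auto-login".
            state["auto_login"] = (not negated) and "auto-login" in args
        elif head == ["ip", "ssh", "port"]:
            if negated:
                state["ssh_port"] = None
            elif args and args[0].isdigit():
                state["ssh_port"] = int(args[0])
    return state


def audit(config_text):
    """Return a list of (code, message) findings for one configuration."""
    s = parse_state(config_text)
    findings = []
    if s["telnet"]:
        findings.append(("TELNET_ENABLED",
                         "Telnet server is on; the guide recommends SSH."))
    if s["ssh"] is not True:
        findings.append(("SSH_NOT_ENABLED",
                         "ip ssh server is not set explicitly in this file."))
    if s["auto_login"]:
        findings.append(("PUBKEY_AUTO_LOGIN",
                         "Public-key clients are not AAA-authenticated."))
    return findings


def finding_codes(config_text):
    """Only the finding codes, in the order audit() reports them."""
    return [code for code, _ in audit(config_text)]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

A SSH_NOT_ENABLED finding means only that the file does not enable the SSH server explicitly; confirm the running state on the device with show ip ssh.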
Example
Syntax
Default Configuration
Command Mode
User Guidelines
Use this command when you want to manually specify SSH client’s public keys.
Example
The following example enters the SSH Public Key-chain Configuration mode and
manually configures the RSA key pair for SSH public key-chain to the user ‘bob’.
switchxxxxxx(config-keychain-key)# key-string
AAAAB3NzaC1yc2EAAAADAQABAAABAQCvTnRwPWl
Al4kpqIw9GBRonZQZxjHKcqKL6rMlQ+
ZNXfZSkvHG+QusIZ/76ILmFT34v7u7ChFAE+
Vu4GRfpSwoQUvV35LqJJk67IOU/zfwOl1g
kTwml75QR9gHujS6KwGN2QWXgh3ub8gDjTSq
muSn/Wd05iDX2IExQWu08licglk02LYciz
+Z4TrEU/9FJxwPiVQOjc+KBXuR0juNg5nFYsY
0ZCk0N/W9a/tnkm1shRE7Di71+w3fNiOA
6w9o44t6+AINEICBCCA4YcF6zMzaT1wefWwX6f+
Rmt5nhhqdAtN/4oJfce166DqVX1gWmN
zNR4DYDvSzg0lDnwCAC8Qh
Fingerprint: a4:16:46:23:5a:8d:1d:b5:37:59:eb:44:13:b9:33:e9
65.7 user-key
The user-key SSH Public Key-string Configuration mode command associates a
username with a manually-configured SSH public key.
Use the no user-key command to remove an SSH user and the associated public
key.
Syntax
no user-key username
Parameters
Default Configuration
Command Mode
User Guidelines
After entering this command, the existing key, if any, associated with the user will be deleted.
You must follow this command with the key-string command to configure the key to the user.
Example
The following example enables manually configuring an SSH public key for SSH
public key-chain bob.
AAAAB3NzaC1yc2EAAAADAQABAAABAQCvTnRwPWl
65.8 key-string
The key-string SSH Public Key-string Configuration mode command manually
specifies an SSH public key.
Syntax
Parameters
• row—Specifies the SSH public key row by row. The maximum length of a
row is 160 characters.
Default Configuration
Command Mode
User Guidelines
Use the key-string SSH Public Key-string Configuration mode command without
the row parameter to specify which SSH public key is to be interactively
configured next. Enter a row with no characters to complete the command.
Use the key-string row SSH Public Key-string Configuration mode command to
specify the SSH public key, row by row. Each row must begin with a key-string
row command.
The UU-encoded DER format is the same format as in the authorized_keys file
used by OpenSSH.
Example
The following example enters public key strings for SSH public key client ‘bob’.
switchxxxxxx(config-keychain-key)# key-string
AAAAB3NzaC1yc2EAAAADAQABAAABAQCvTnRwPWl
Al4kpqIw9GBRonZQZxjHKcqKL6rMlQ+
ZNXfZSkvHG+QusIZ/76ILmFT34v7u7ChFAE+
Vu4GRfpSwoQUvV35LqJJk67IOU/zfwOl1g
kTwml75QR9gHujS6KwGN2QWXgh3ub8gDjTSq
muSn/Wd05iDX2IExQWu08licglk02LYciz
+Z4TrEU/9FJxwPiVQOjc+KBXuR0juNg5nFYsY
0ZCk0N/W9a/tnkm1shRE7Di71+w3fNiOA
6w9o44t6+AINEICBCCA4YcF6zMzaT1wefWwX6f+
Rmt5nhhqdAtN/4oJfce166DqVX1gWmN
zNR4DYDvSzg0lDnwCAC8Qh
Fingerprint: a4:16:46:23:5a:8d:1d:b5:37:59:eb:44:13:b9:33:e9
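The row-by-row entry described above can be prepared from an OpenSSH public key line before it is pasted into the CLI. The following Python sketch is an added example, not part of the Cisco guide; the key it builds is constructed filler rather than a real RSA key, and treating the displayed 16-byte fingerprint as the MD5 digest of the decoded key blob is an assumption based on its format.

```python
"""Turn an OpenSSH public key line into `key-string row` lines (added example)."""
import base64
import binascii
import hashlib
import struct

MAX_ROW = 160  # maximum row length stated in the guide
ROW_PREFIX = "key-string row "


def ssh_string(data):
    """SSH wire encoding of a string: 4-byte big-endian length, then data."""
    return struct.pack(">I", len(data)) + data


def constructed_rsa_line():
    """Build a syntactically valid ssh-rsa line from constructed bytes.

    The modulus is filler, not a real RSA key; it only exercises the format.
    """
    exponent = b"\x01\x00\x01"
    modulus = b"\x00" + bytes((0xC1 + 7 * i) % 256 for i in range(256))
    blob = ssh_string(b"ssh-rsa") + ssh_string(exponent) + ssh_string(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " bob@example"


def parse_public_key(line):
    """Split '<type> <base64> [comment]' into (key type, decoded blob).

    Raises ValueError if the base64 is damaged or if the algorithm name
    embedded in the blob disagrees with the type field, which catches
    truncated or mis-pasted keys before they reach the device.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("key body is not valid base64") from exc
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type field does not match the key blob")
    return key_type, blob


def key_string_rows(line, width=MAX_ROW):
    """Return the CLI lines that enter the key row by row."""
    if not 1 <= width <= MAX_ROW:
        raise ValueError("row width must be between 1 and %d" % MAX_ROW)
    _, blob = parse_public_key(line)
    b64 = base64.b64encode(blob).decode("ascii")
    return [ROW_PREFIX + b64[i:i + width] for i in range(0, len(b64), width)]


def md5_fingerprint(line):
    """Colon-separated MD5 of the decoded blob (assumed fingerprint format)."""
    _, blob = parse_public_key(line)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    sample = constructed_rsa_line()
    for row in key_string_rows(sample):
        print(row)
    print("Fingerprint:", md5_fingerprint(sample))
```

Compare the computed fingerprint with the one the device prints without regard to letter case, since the guide shows both lowercase and uppercase forms.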
Syntax
show ip ssh
Command Mode
Example
The following table describes the significant fields shown in the display.
Field          Description
------------   ----------------------------------------------------------
IP Address     The client address
SSH Username   The user name
Version        The SSH version number
Cipher         The encryption type (3DES, Blowfish, RC4)
Auth Code      The authentication Code (HMAC-MD5, HMAC-SHA1) or Password
Syntax
Parameters
Default Configuration
Command Mode
Example
The following examples display SSH public keys stored on the device.
Username Fingerprint
----------- ----------------------------------------------------------
bob 9A:CC:01:C5:78:39:27:86:79:CC:23:C5:98:59:F1:86
john 98:F7:6E:28:F2:79:87:C8:18:F8:88:CC:F8:89:87:C8
Username Fingerprint
----------- ----------------------------------------------------------
bob 9A:CC:01:C5:78:39:27:86:79:CC:23:C5:98:59:F1:86
66
UDLD Commands
66.0
Syntax
Parameters
• interface-id—Interface identifier of an Ethernet port.
• neighbors—Displays neighbor information only.
Command Mode
Privileged EXEC mode
User Guidelines
If you do not enter an interface ID value, the administrative and operational UDLD
status for all interfaces on which UDLD is enabled are displayed.
Examples
Example 1—This example shows how to display the UDLD state for all interfaces.
Most of the fields shown in the display are self-explanatory. Those that are not
self-explanatory are defined below.
Field Descriptions:
• Port UDLD mode—The interface UDLD mode (normal or aggressive).
• Neighbor Port ID—The device port ID of the neighbor on which the recent
UDLD message was sent.
Example 2—This example shows how to display the UDLD state for one given
interface:
Example 4—This example shows how to display neighbor information only for a
single interface:
66.2 udld
Use the udld command in Global Configuration mode to globally enable the
UniDirectional Link Detection (UDLD) protocol. To disable UDLD, use the no form of
this command.
Syntax
udld aggressive | normal
no udld
Parameters
Default Configuration
Command Mode
User Guidelines
This command affects fiber interfaces only. Use the udld port command in
Interface Configuration mode to enable UDLD on other interface types.
Use the no form of this command to disable UDLD on all fiber ports.
UDLD supports two modes of operation: normal and aggressive. In the aggressive
mode the device shuts down a port if it cannot explicitly detect that the link is
bidirectional. In the normal mode the device shuts down an interface if it explicitly
detects that the link is unidirectional. A unidirectional link occurs whenever traffic
sent by a local device is received by its neighbor but traffic from the neighbor is
not received by the local device.
You can use the following commands to reset an interface shut down by UDLD:
• The errdisable recover reset command with the udld parameter to reset all
interfaces shut down by UDLD.
Example
Syntax
Parameters
seconds—Interval between two sent probe messages. The valid values are from
1 to 90 seconds.
Default Configuration
15 seconds.
Command Mode
User Guidelines
Use this command to change the default value of the message interval, that is, the
interval between two sequentially sent probe messages.
Example
Syntax
no udld port
Parameters
Default Configuration
Command Mode
User Guidelines
Use this command on fiber ports to override the setting of the global udld
command.
If the port changes from fiber to non-fiber or vice versa, all configurations are
maintained because the platform software detects a change of module or a
Gigabit Interface Converter (GBIC) change.
Examples
Example 1—This example shows how to enable UDLD in normal mode on an
Ethernet port regardless of the current global udld setting:
switchxxxxxx(config-if)# exit
switchxxxxxx(config-if)# exit
switchxxxxxx(config-if)# exit
67
User Interface Commands
67.0
Syntax
no banner exec
Parameters
Default Configuration
Disabled (no EXEC banner is displayed).
Command Mode
User Guidelines
Follow this command with one or more blank spaces and a delimiting character of
your choice. Then enter one or more lines of text, terminating the message with
the second occurrence of the delimiting character.
Use tokens in the form of $(token) in the message text to customize the banner. The
tokens are described in the table below:
Use the no banner exec Line Configuration command to disable the Exec banner
on a particular line or lines.
Example
The following example sets an EXEC banner that uses tokens. The percent sign
(%) is used as a delimiting character. Note that the $(token) syntax is replaced by
the corresponding configuration variable.
Syntax
Parameters
• d—Delimiting character of user’s choice—a pound sign (#), for example.
You cannot use the delimiting character in the banner message.
Default Configuration
Command Mode
User Guidelines
Follow this command with one or more blank spaces and a delimiting character of
your choice. Then enter one or more lines of text, terminating the message with
the second occurrence of the delimiting character.
Use tokens in the form of $(token) in the message text to customize the banner. The
tokens are described in the table below:
Use the no banner login Line Configuration command to disable the Login banner
on a particular line or lines.
Example
The following example sets a Login banner that uses tokens. The percent sign (%)
is used as a delimiting character. Note that the $(token) syntax is replaced by the
corresponding configuration variable.
When the login banner is executed, the user will see the following banner:
67.3 configure
To enter the Global Configuration mode, use the configure Privileged EXEC mode
command.
Syntax
configure [terminal]
Parameters
Command Mode
Example
switchxxxxxx# configure
switchxxxxxx(config)#
67.4 disable
To leave the Privileged EXEC mode and return to the User EXEC mode, use the
disable Privileged EXEC mode command.
Syntax
disable [privilege-level]
Parameters
Default Configuration
Command Mode
Example
switchxxxxxx# disable 1
switchxxxxxx#
67.5 do
To execute an EXEC-level command from Global Configuration mode or any
configuration submode, use the do command.
Syntax
do command
Parameters
Command Mode
Example
The following example executes the show vlan Privileged EXEC mode command
from Global Configuration mode.
Example
switchxxxxxx(config)#
67.6 enable
To enter the Privileged EXEC mode, use the enable User EXEC mode command.
Syntax
enable [privilege-level]
Parameters
Default Configuration
Command Mode
Example
The following example enters privilege level 7.
switchxxxxxx# enable 7
enter password:**********
switchxxxxxx# Accepted
switchxxxxxx# enable
enter password:**********
switchxxxxxx# Accepted
67.7 end
To end the current configuration session and return to the Privileged EXEC mode,
use the end command.
Syntax
end
Parameters
Default Configuration
None
Command Mode
Example
The following example ends the Global Configuration mode session and returns to
the Privileged EXEC mode.
switchxxxxxx(config)# end
switchxxxxxx#
Syntax
exit
Parameters
Default Configuration
None
Command Mode
Examples
switchxxxxxx(config-if)# exit
switchxxxxxx(config)# exit
Syntax
exit
Parameters
Default Configuration
None
Command Mode
Example
switchxxxxxx# exit
67.10 help
To display a brief description of the Help system, use the help command.
Syntax
help
Parameters
Default Configuration
None
Command Mode
Example
switchxxxxxx# help
67.11 history
To enable saving commands that have been entered, use the history Line
Configuration Mode command. To disable the command, use the no form of this
command.
Syntax
history
no history
Parameters
Default Configuration
Enabled.
Command Mode
Line Configuration Mode
User Guidelines
This command enables saving user-entered commands for a specified line. You
can return to previous lines by using the up or down arrows.
It is effective from the next time that the user logs in via console/telnet/ssh.
• Use the history size Line Configuration Mode command to set the size of
the command history buffer.
Example
switchxxxxxx(config-line)# history
To reset the command history buffer size to the default value, use the no form of
this command.
Syntax
Parameters
Default Configuration
Command Mode
User Guidelines
This command configures the command history buffer size for a particular line. It is
effective from the next time that the user logs in via console/telnet/ssh.
Use the terminal history size User EXEC mode command to configure the
command history buffer size for the current terminal session.
The allocated command history buffer is per terminal user, and is taken from a
shared buffer. If there is not enough space available in the shared buffer, the
command history buffer size cannot be increased above the default size.
Example
The following example changes the command history buffer size to 100 entries for
Telnet.
67.13 login
To enable changing the user that is logged in, use the login User EXEC mode
command. When this command is entered, the user is prompted for a
username/password.
Syntax
login
Parameters
Default Configuration
None
Command Mode
Example
The following example enters Privileged EXEC mode and logs in with the required
username ‘bob’.
switchxxxxxx# login
User Name:bob
Password:*****
switchxxxxxx#
Syntax
terminal datadump
terminal no datadump
Parameters
Default Configuration
Command Mode
User Guidelines
By default, a More prompt is displayed when the output contains more than 24
lines. Pressing the Enter key displays the next line; pressing the Spacebar displays
the next screen of output.
The terminal datadump command enables dumping all output immediately after
entering the show command by removing the pause.
The width is not limited, and the width of the line being printed on the terminal is
based on the terminal itself.
Example
The following example dumps all output immediately after entering a show
command.
Syntax
terminal history
terminal no history
Parameters
Default Configuration
The default configuration for all terminal sessions is defined by the history Line
Configuration Mode command.
Command Mode
User Guidelines
The command enables the command history for the current session. The default is
determined by the history Line Configuration Mode command.
Example
The following example disables the command history function for the current
terminal session.
Syntax
Parameters
Default Configuration
The default configuration for all terminal sessions is defined by the history size
Line Configuration Mode command.
Command Mode
User Guidelines
The terminal history size EXEC command changes the command history buffer
size for the current terminal session. Use the history Line Configuration Mode
command to change the default history buffer size.
The maximum number of commands in all buffers is 207.
Example
The following example sets the command history buffer size to 20 commands for
the current terminal session.
The command is per session and will not be saved in the configuration database.
Syntax
terminal prompt
terminal no prompt
Parameters
Default Configuration
Command Mode
Example
The command is per session and will not be saved in the configuration database.
Syntax
Parameters
number-of-characters - Specifies the number of characters to be displayed for the
echo output of the CLI commands and the configuration file. A value of 0 means an
endless number of characters on a screen line. (Range: 0, 70-512)
Default Configuration
Command Mode
Example
Syntax
Parameters
Command Mode
Examples
switchxxxxxx# show banner login
-------------------------------------------------------------
Banner: Login
Banner: EXEC
67.20 show history
To list the commands entered in the current session, use the show history User
EXEC mode command.
Syntax
show history
Parameters
Default Configuration
None
Command Mode
User Guidelines
Commands are listed from the first to the most recent command.
The buffer remains unchanged when entering into and returning from configuration
modes.
Example
The following example displays all the commands entered while in the current
Privileged EXEC mode.
HW version 1.0.0
show version
show clock
show history
3 commands were logged (buffer size is 10)
Syntax
show privilege
Parameters
This command has no arguments or keywords
Default Configuration
None
Command Mode
User EXEC mode
Example
The following example displays the privilege level for the user logged on.
68
Virtual Local Area Network (VLAN)
Commands
68.0
Syntax
vlan database
Parameters
N/A
Default Configuration
VLAN 1 exists by default.
Command Mode
Global Configuration mode
Example
The following example enters the VLAN Configuration mode, creates VLAN 1972
and exits VLAN Configuration mode.
switchxxxxxx(config-vlan)# exit
68.2 vlan
Use the vlan VLAN Configuration mode or Global Configuration mode command to
create a VLAN and assign it a name (if only a single VLAN is being created). Use
the no form of this command to delete the VLAN(s).
Syntax
vlan vlan-range | {vlan-id [name vlan-name]} [media ethernet] [state active]
no vlan vlan-range
Parameters
• vlan-range—Specifies a list of VLAN IDs. Separate nonconsecutive VLAN
IDs with a comma and no spaces. Use a hyphen to designate a range of IDs
(range: 2-4094).
• state—Specifies the state of the VLAN. The valid value is active.
Default Configuration
VLAN 1 exists by default.
Command Mode
Global Configuration mode
User Guidelines
If the VLAN does not exist, it is created. If the VLAN cannot be created, the
command finishes with an error and the current context is not changed.
Example
The following example creates a few VLANs. VLAN 1972 is assigned the name
Marketing.
switchxxxxxx(config-vlan)# vlan 100
switchxxxxxx(config-vlan)# exit
Syntax
show vlan [tag vlan-id | name vlan-name]
Parameters
• tag vlan-id—Specifies a VLAN ID.
Default Configuration
All VLANs are displayed.
Command Mode
Privileged EXEC mode
Examples
Example 1—The following example displays information for all VLANs:
92 11 te1/0/3-4 G
93 11 te1/0/3-4 GR
Syntax
interface vlan vlan-id
Parameters
• vlan-id—Specifies the VLAN to be configured.
Default Configuration
N/A
Command Mode
Global Configuration mode
User Guidelines
If the VLAN does not exist, the VLAN is created. If the VLAN cannot be created, this
command is finished with an error and the current context is not changed.
Example
The following example configures VLAN 1 with IP address 131.108.1.27 and
subnet mask 255.255.255.0.
Syntax
interface range vlan vlan-range
Parameters
• vlan-range—Specifies a list of VLANs. Separate nonconsecutive VLANs
with a comma and no spaces. Use a hyphen to designate a range of VLANs.
Default Configuration
N/A
Command Mode
Global Configuration mode
User Guidelines
Commands under the interface VLAN range context are executed independently
on each VLAN in the range. If the command returns an error on one of the VLANs,
an error message is displayed, and the system attempts to configure the
remaining VLANs.
Example
The following example groups VLANs 221 through 228 and 889 to receive the
same command(s).
68.6 name
Use the name Interface Configuration (VLAN) mode command to name a VLAN.
Use the no form of this command to remove the VLAN name.
Syntax
name string
no name
Parameters
• string—Specifies a unique name associated with this VLAN. (Length: 1–32
characters).
Default Configuration
No name is defined.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
The VLAN name must be unique.
Example
The following example assigns VLAN 19 the name Marketing.
Syntax
switchport protected-port
no switchport protected-port
Parameters
N/A
Default Configuration
Unprotected
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
Note that packets are subject to all filtering rules and Filtering Database (FDB)
decisions.
Use this command to isolate Unicast, Multicast, and Broadcast traffic at Layer 2
from other protected ports (that are not associated with the same community as
the ingress interface) on the same switch. Please note that the packet is still
subject to FDB decision and to all filtering rules.
Example
Syntax
show interfaces protected-ports [interface-id | detailed]
Parameters
• interface-id—Specifies an interface ID. The interface ID can be one of the
following types: Ethernet port or port-channel.
Default Configuration
Show all protected interfaces. If detailed is not used, only present ports are
displayed.
Command Mode
User EXEC mode
Example
Interface State
--------- -------------
te1/0/1 Protected
te1/0/2 Protected
te1/0/3 Unprotected
te1/0/4 Unprotected
68.9 switchport
Use the switchport Interface Configuration mode command to put an interface
that is in Layer 3 mode into Layer 2 mode. Use the no form of this command to put
an interface in Layer 3 mode.
Syntax
switchport
no switchport
Parameters
N/A
Default Configuration
Layer 2 mode
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
Use the no switchport command to set the interface as a Layer 3 interface.
Examples
Example 1 - The following example puts the port te1/0/1 into Layer 2 mode.
switchxxxxxx(config-if)# switchport
Example 2 - The following example puts the port te1/0/1 into Layer 3 mode.
switchxxxxxx(config-if)# no switchport
Syntax
switchport mode access | trunk | general | private-vlan {promiscuous | host} |
customer
no switchport mode
Parameters
• access—Specifies an untagged layer 2 VLAN port.
Default Configuration
Access mode.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
When the port’s mode is changed, it receives the configuration corresponding to
the mode.
If the port mode is changed to access and the access VLAN does not exist, then
the port does not belong to any VLAN.
• IPv6 routing
• Voice VLAN
IPv4 and IPv6 interfaces cannot be defined on VLANs containing edge interfaces.
The following Layer 2 features are not supported in VLANs containing edge
interfaces:
• IGMP Snooping
• MLD Snooping
• DHCP Snooping
Examples
Example 1 - The following example configures te1/0/1 as an access port
(untagged layer 2) VLAN port.
Example 2 - The following example puts the port te1/0/2 into private-vlan host
mode.
Syntax
switchport access vlan {vlan-id | none}
no switchport access vlan
Parameters
• vlan-id—Specifies the VLAN to which the port is configured.
• none—Specifies that the access port cannot belong to any VLAN.
Default Configuration
The interface belongs to the Default VLAN.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
When the port is assigned to a different VLAN, it is automatically removed from its
previous VLAN and added to the new VLAN. If the port is assigned to none, it is
removed from the previous VLAN and not assigned to any other VLAN.
A nonexistent VLAN can be assigned as an Access VLAN. If the Access VLAN
does not exist, the show interfaces switchport command adds the text "(Inactive)" after
the VLAN ID.
Example
The following example assigns access port te1/0/1 to VLAN 2 (and removes it
from its previous VLAN).
Syntax
switchport trunk allowed vlan {all | none | add vlan-list | remove vlan-list | except
vlan-list}
no switchport trunk allowed vlan
Parameters
• all—Specifies all VLANs from 1 to 4094. At any time, the port belongs to all
VLANs existing at the time. (range: 1–4094).
• none—Specifies an empty VLAN list. The port does not belong to any
VLAN.
• except vlan-list—List of VLAN IDs including all VLANs from range 1-4094
except VLANs belonging to vlan-list.
Default Configuration
By default, trunk ports belong to all created VLANs.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
Use the switchport trunk allowed vlan command to specify which VLANs the port
belongs to when its mode is configured as trunk.
Example
The following example adds VLANs 2, 3 and 100 to trunk ports 1 to 13.
switchxxxxxx(config-if)# exit
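The allowed-list keywords above (all, none, add, remove, except) and the comma-and-hyphen vlan-list format can be replayed offline to check which VLANs a trunk port actually carries. The following Python code is an added example, not part of the guide: the function names are hypothetical, the sample inputs are constructed, and it assumes that add and remove modify the port's current list.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4094  # range stated for the trunk allowed VLAN list
ALL_VLANS = frozenset(range(VLAN_MIN, VLAN_MAX + 1))
_ITEM = re.compile(r"([0-9]{1,4})(?:-([0-9]{1,4}))?")


def parse_vlan_list(text):
    """Parse a vlan-list such as '2,3,100' or '221-228,889' into a set of IDs.

    Nonconsecutive IDs are separated by commas with no spaces; a hyphen
    designates a range. Anything else is rejected rather than guessed at.
    """
    if not text or any(ch.isspace() for ch in text):
        raise ValueError(f"vlan-list must be non-empty with no spaces: {text!r}")
    vlans = set()
    for item in text.split(","):
        match = _ITEM.fullmatch(item)
        if match is None:
            raise ValueError(f"malformed vlan-list item: {item!r}")
        low = int(match.group(1))
        high = int(match.group(2) or low)
        if not VLAN_MIN <= low <= high <= VLAN_MAX:
            raise ValueError(f"VLAN ID or range out of bounds: {item!r}")
        vlans.update(range(low, high + 1))
    return vlans


def apply_allowed_vlan(current, argument):
    """Return the allowed set after one 'switchport trunk allowed vlan <argument>'."""
    keyword, _, vlan_list = argument.partition(" ")
    if keyword == "all" and not vlan_list:
        return set(ALL_VLANS)
    if keyword == "none" and not vlan_list:
        return set()
    if keyword in ("add", "remove", "except"):
        vlans = parse_vlan_list(vlan_list)
        if keyword == "add":      # assumption: extends the current list
            return set(current) | vlans
        if keyword == "remove":   # assumption: shrinks the current list
            return set(current) - vlans
        return set(ALL_VLANS) - vlans  # except: everything in 1-4094 but the list
    raise ValueError(f"unsupported argument: {argument!r}")


def audit_trunk(arguments, existing_vlans, expected_vlans):
    """Replay the arguments from the default state and compare with intent.

    The default is that a trunk port belongs to all created VLANs, so the
    replay starts from the full range and the effective membership is the
    allowed set restricted to the VLANs that exist on the switch.
    """
    allowed = set(ALL_VLANS)
    for argument in arguments:
        allowed = apply_allowed_vlan(allowed, argument)
    effective = allowed & set(existing_vlans)
    expected = set(expected_vlans)
    return {
        "effective": sorted(effective),
        "unexpected": sorted(effective - expected),  # carried but not intended
        "missing": sorted(expected - effective),     # intended but not carried
    }


if __name__ == "__main__":
    # Constructed sample: VLANs created on the switch and the intended trunk set.
    existing = {1, 2, 3, 100, 200}
    intended = {2, 3, 100}
    print("default trunk:", audit_trunk([], existing, intended))
    print("pruned trunk: ", audit_trunk(["none", "add 2,3,100"], existing, intended))
```

An untouched trunk reports VLANs 1 and 200 as unexpected here, while the pruned trunk carries only the intended set.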
Syntax
switchport trunk native vlan {vlan-id | none}
Parameters
• vlan-id—Specifies the native VLAN ID.
• none—Specifies that the access port cannot belong to any VLAN.
Default Configuration
The default native VLAN is the Default VLAN.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
The interface PVID is set to this VLAN ID. When the interface belongs to
the Native VLAN, it is set as a VLAN untagged egress interface.
Examples
The following example defines VLAN 2 as native VLAN for port te1/0/1:
switchxxxxxx(config-if)# exit
Syntax
switchport general allowed vlan add vlan-list [tagged | untagged]
Parameters
• add vlan-list—List of VLAN IDs to add. Separate nonconsecutive VLAN IDs
with a comma and no spaces. Use a hyphen to designate a range of IDs.
(range: 1–4094)
• untagged—Specify that packets are transmitted untagged for the
configured VLANs (this is the default)
Default Configuration
The port is not a member of any VLAN.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
If the interface is a forbidden member of an added VLAN, the interface does not
become a member of this specific VLAN. An error message is displayed in this
case ("An interface cannot become a a member of a forbidden VLAN. This
message will only be displayed once.") and the command continues to execute
if there are more VLANs in the vlan-list.
Example
The example adds te1/0/1 and to VLAN 2 and 3. Packets are tagged on the
egress:
Syntax
switchport general pvid vlan-id
Parameters
• vlan-id—Specifies the Port VLAN ID (PVID).
Default Configuration
The PVID is the Default VLAN PVID.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
Examples
Example 1 - The following example sets the te1/0/2 PVID to 234.
switchxxxxxx(config-if)# exit
Syntax
switchport general ingress-filtering disable
Parameters
N/A
Default Configuration
Ingress filtering is enabled.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
Example
The following example disables port ingress filtering on te1/0/1.
Syntax
switchport general acceptable-frame-type {tagged-only | untagged-only | all}
Parameters
• tagged-only—Ignore (discard) untagged packets and priority-tagged
packets.
Default Configuration
All frame types are accepted at ingress (all).
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
Example
The following example configures port te1/0/3 to be in general mode and to
discard untagged frames at ingress.
Syntax
switchport general forbidden vlan {add vlan-list | remove vlan-list}
Parameters
• add vlan-list—Specifies a list of VLAN IDs to add to interface. Separate
nonconsecutive VLAN IDs with a comma and no spaces. Use a hyphen to
designate a range of IDs.
Default Configuration
All VLANs are allowed.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
The forbidden VLAN cannot be one that does not exist on the system, or one that
is already defined on the port.
Example
The following example defines te1/0/4 as a forbidden membership in VLANs 5-7:
switchxxxxxx(config-if)# exit
Syntax
switchport customer vlan vlan-id
Parameters
• vlan-id—Specifies the customer VLAN.
Default Configuration
No VLAN is configured as customer.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
When a port is in customer mode it is in QinQ mode. This enables the user to use
their own VLAN arrangements (PVID) across a provider network. The switch is in
QinQ mode when it has one or more customer ports.
Example
The following example defines te1/0/4 as a member of customer VLAN 5.
Syntax
map protocol protocol [encapsulation-value] protocols-group group
Parameters
• protocol—Specifies a 16-bit protocol number or one of the reserved names
listed in the User Guidelines. (range: 0x0600–0xFFFF)
Default Configuration
The default encapsulation value is Ethernet.
Command Mode
VLAN Database Configuration mode
User Guidelines
Forwarding of packets based on their protocol requires setting up groups of
protocols and then mapping these groups to VLANs.
The value 0x8100 is not valid as the protocol number for Ethernet encapsulation.
The following protocol names are reserved for Ethernet Encapsulation:
• ip
• arp
• ipv6
• ipx
Example
The following example maps the IP protocol to protocol group number 213.
Syntax
switchport general map protocols-group group vlan vlan-id
Parameters
• group—Specifies the group number as defined in map protocol
protocols-group command (range: 1–65535).
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
The VLAN classification rule priorities are:
• Protocol-based VLAN
• PVID
Example
The following example forwards packets with protocols belonging to protocol-group
1 to VLAN 8.
Syntax
show vlan protocols-groups
Parameters
N/A
Default Configuration
N/A
Command Mode
User EXEC mode
Example
The following example displays protocols-groups information.
Ethernet 0x8898 3
Syntax
map mac mac-address {prefix-mask | host} macs-group group
Parameters
• mac-address—Specifies the MAC address to be mapped to the group of
MAC addresses.
Command Mode
VLAN Database Configuration mode
User Guidelines
Forwarding of packets based on their MAC address requires setting up groups of
MAC addresses and then mapping these groups to VLANs.
Example
The following example creates two groups of MAC addresses, sets a port to
general mode and maps the groups of MAC addresses to specific VLANs.
switchxxxxxx(config-vlan)# exit
Syntax
switchport general map macs-group group vlan vlan-id
no switchport general map macs-group group
Parameters
• group—Specifies the group number (range: 1–2147483647)
• vlan-id—Defines the VLAN ID associated with the rule.
Default Configuration
N/A
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
MAC-based VLAN rules cannot contain overlapping ranges on the same interface.
• Protocol-based VLAN
• PVID
User Guidelines
After groups of MAC addresses have been created (see the map mac macs-group
command), they can be mapped to specific VLANs.
Example
The following example creates two groups of MAC addresses, sets a port to
general mode and maps the groups of MAC addresses to specific VLANs.
switchxxxxxx(config-vlan)# exit
Syntax
show vlan macs-groups
Parameters
N/A
Default Configuration
N/A
Command Mode
User EXEC mode
Example
The following example displays defined MAC-based classification rules.
00:12:34:56:78:90 20 22
00:60:70:4c:73:ff 40 1
Syntax
map subnet ip-address prefix-mask subnets-group group
no map subnet ip-address prefix-mask
Parameters
• ip-address—Specifies the IP address prefix of the subnet to be mapped to
the group.
Command Mode
VLAN Database Configuration mode
User Guidelines
Forwarding of packets based on their IP subnet requires setting up groups of IP subnets and
then mapping these groups to VLANs.
Example
The following example maps an IP subnet to the group of IP subnets 4. It then
maps this group of IP subnets to VLAN 8
Syntax
switchport general map subnets-group group vlan vlan-id
Parameters
• group—Specifies the group number. (range: 1–2147483647)
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
The VLAN classification rule priorities are:
• Protocol-based VLAN
• PVID
Example
The following example maps an IP subnet to the group of IP subnets 4. It then
maps this group of IP subnets to VLAN 8
Syntax
show vlan subnets-groups
Parameters
N/A
Default Configuration
N/A
Command Mode
User EXEC mode
Example
The following example displays subnets-groups information.
1.1.1.1 32 1
172.16.2.0 24 2
Use the show interfaces switchport Privileged EXEC command to display the
administrative and operational status of all interfaces or a specific interface.
Syntax
show interfaces switchport [interface-id]
Parameters
• Interface-id—Specifies an interface ID. The interface ID can be one of the
following types: Ethernet port or port-channel.
Command Mode
Privileged EXEC mode
Default
Displays the status of all interfaces.
User Guidelines
Each port mode has its own private configuration. The show interfaces switchport
command displays all these configurations, but only the port mode configuration
that corresponds to the current port mode displayed in "Administrative Mode" is
active.
Example
switchxxxxxx# show interfaces switchport te1/0/1
Gathering information...
Name: te1/0/1
Switchport: enable
Trunking VLANs: 1
2-4094 (Inactive)
General PVID: 1
Classification rules:
Protocol 1 19
Protocol 1 20
Protocol 2 72
Subnet 1 15
MAC 1 77
68.30 private-vlan
Syntax
private-vlan {primary | community | isolated}
no private-vlan
Parameters
• primary—Designate the VLAN as a primary VLAN.
Default Configuration
No private VLANs are configured.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
• The VLAN type cannot be changed if there is a private VLAN port that is a
member in the VLAN.
• The VLAN type is not kept as a property of the VLAN when the VLAN is
deleted.
Example
The following example sets VLAN 2 to be a primary VLAN:
Syntax
private-vlan association [add | remove] secondary-vlan-list
no private-vlan association
Parameters
• add secondary-vlan-list—List of VLAN IDs of type secondary to add to a
primary VLAN. Separate nonconsecutive VLAN IDs with a comma and no
spaces. Use a hyphen to designate a range of IDs. This is the default action.
Default Configuration
No private VLANs are configured.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
• The command can only be executed in the context of the primary VLAN.
• The association of secondary VLANs with a primary VLAN cannot be
removed if there are private VLAN ports that are members in the secondary
VLAN.
• In MSTP mode, all the VLANs that are associated with a private VLAN must
be mapped to the same instance.
Example
The following example associates secondary VLANs 20, 21, 22 and 24 with primary
VLAN 2.
Syntax
switchport private-vlan mapping primary-vlan-id [add | remove]
secondary-vlan-list
no switchport private-vlan mapping
Parameters
• primary-vlan-id —The VLAN ID of the primary VLAN.
• add secondary-vlan-list—Specifies one or more secondary VLANs to be
added to the port.
Default Configuration
No VLAN is configured.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
The secondary VLANs should be associated with the primary VLANs, otherwise
the configuration is not accepted.
Example
The following example adds promiscuous port te1/0/4 to primary VLAN 10 and to
secondary VLAN 20.
Syntax
switchport private-vlan host-association primary-vlan-id secondary-vlan-id
no switchport private-vlan host-association
Parameters
• primary-vlan-id—The VLAN ID of the primary VLAN.
• secondary-vlan-id—Specifies the secondary VLAN.
Default Configuration
No association.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
The secondary VLAN must be associated with the primary VLAN, otherwise the
configuration is not accepted. See the private-vlan association command.
The port association configuration depends on the type of the secondary VLAN.
The port association configuration for a community secondary VLAN includes:
• The port is added as untagged to the primary VLAN and to the secondary
VLAN.
• The port is added as untagged only to the primary VLAN and is not added
to the secondary VLAN.
Example
The following example sets port te1/0/4 to secondary VLAN 20 in primary VLAN
10.
Use the show vlan private-vlan EXEC mode command to display private VLAN
information.
Syntax
show vlan private-vlan [tag vlan-id]
Parameters
• tag vlan-id—Primary VLAN that represents the private VLAN to be displayed.
Default Configuration
All private VLANs are displayed.
Command Mode
User EXEC mode
User Guidelines
The show vlan private-vlan command does not include non-private VLAN ports
that are members in private VLANs. Specifying the tag parameter with a
non-primary VLAN results in empty show output.
Example
Syntax
switchport access multicast-tv vlan vlan-id
Parameters
• vlan-id—Specifies the Multicast TV VLAN ID.
Default Configuration
Receiving Multicast transmissions is disabled.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
When the port is assigned to a different Multicast-TV VLAN, it is automatically
removed from its previous VLAN and added to the new Multicast-TV VLAN.
Example
The following example enables te1/0/4 to receive Multicast transmissions from
VLAN 11.
Syntax
switchport customer multicast-tv vlan {add vlan-list | remove vlan-list}
Parameters
• add vlan-list—Specifies a list of Multicast TV VLANs to add to interface.
Default Configuration
The port is not a member in any Multicast TV VLAN.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
When an existing Multicast-TV VLAN is assigned to a customer port, the multicast
messages received on a membership of the Multicast-TV VLAN are forwarded to
the customer port. All messages received on the customer port are not bridged
only into the Multicast-TV VLAN.
To register IGMP reports arriving on the customer port by IGMP Snooping running
on the Multicast-TV VLAN, use the ip igmp snooping map cpe vlan command.
Example
The following example enables te1/0/4 to receive Multicast transmissions from
VLANs 5, 6, 7.
Syntax
show vlan Multicast-tv vlan vlan-id
Parameters
• vlan-id—Specifies the VLAN ID.
Default Configuration
N/A
Command Mode
User EXEC mode
Example
The following example displays information on the source and receiver ports of
Multicast-TV VLAN 1000.
------------ ----------------------
Syntax
vlan prohibit-internal-usage none | {add | except | remove} vlan-list
Parameters
• none—The Prohibit Internal Usage VLAN list is empty: any VLAN can be
used by the switch as internal.
• except—The Prohibit Internal Usage VLAN list includes all VLANs except
the VLANs specified by the vlan-list argument: only the VLANs specified by
the vlan-list argument can be used by the switch as internal.
• add—Add the given VLANs to the Prohibit Internal Usage VLAN list.
• remove—Remove the given VLANs from the Prohibit Internal Usage VLAN
list.
Default Configuration
The Prohibit Internal usage VLAN list is empty.
Command Mode
Global Configuration mode
User Guidelines
The switch requires an internal VLAN in the following cases:
When a switch needs an internal VLAN it takes a free VLAN with the highest VLAN
ID.
Use the vlan prohibit-internal-usage command to define a list of VLANs that cannot
be used as internal VLANs after reload.
If a VLAN was chosen by the software for internal usage, but you want to use that
VLAN for a static or dynamic VLAN, do one of the following
Examples
Example 1—The following example specifies that VLANs 4010, 4012, and
4090-4094 cannot be used as internal VLANs:
Example 2—The following specifies that all VLANs except 4000-4107 cannot be
used as internal VLANs:
vlan prohibit-internal-usage remove 4000-4107
Example 3—The following specifies that all VLANs except 4000-4107 cannot be
used as internal VLANs:
Syntax
show vlan internal usage
Parameters
N/A
Default Configuration
N/A
Command Mode
Privileged EXEC mode
Example
The following example displays VLANs used internally by the switch:
VLAN Usage
---- --------
4089 te1/0/2
4088 te1/0/3
4087 tunnel 1
4086 802.1x
69
Voice VLAN Commands
1
Syntax
Parameters
• type oui—(Optional) Common and OUI-voice-VLAN specific parameters are
displayed.
Default Configuration
If the type parameter is omitted the current Voice VLAN type is used.
Command Mode
User Guidelines
Using this command without parameters displays the current voice VLAN type
parameters and local and agreed voice VLAN settings.
Using this command with the type parameter displays the voice VLAN parameters
relevant to the type selected. The local and agreed voice VLAN settings are
displayed only if this is the current voice VLAN state.
The interface-id parameter is relevant only for the OUI VLAN type.
Examples
Agreed VPT is 5
Agreed DSCP is 46
switchxxxxxx#
Example 2—Displays the current voice VLAN parameters when the voice VLAN state
is auto-enabled.
switch>show voice vlan
Agreed Voice VLAN priority is 0 (active static source)
Agreed VPT is 5
Agreed DSCP is 46
switchxxxxxx#
Example 3—Displays the current voice VLAN parameters when the administrative
voice VLAN state is auto-triggered but voice VLAN has not been triggered.
switch>show voice vlan
Example 4—Displays the current voice VLAN parameters when the administrative
voice VLAN state is auto-triggered and it has been triggered.
switchxxxxxx(config)# voice vlan state auto-triggered
Agreed VPT is 5
Agreed DSCP is 46
Example 5—Displays the current voice VLAN parameters when both auto voice VLAN
and OUI are disabled.
switch>show voice vlan
Example 6—Displays the voice VLAN parameters when the voice VLAN operational
state is OUI.
switch>show voice vlan
CoS: 6
Remark: Yes
OUI table
-------------------- ------------------
00:E0:BB 3COM
00:03:6B Cisco
00:E0:75 Veritel
00:D0:1E Pingtel
00:01:E3 Simens
00:60:B9 NEC/Philips
00:0F:E2 Huawei-3COM
00:09:6E Avaya
te1/0/3 No No
...
Syntax
Parameters
Default Configuration
None
Command Mode
Examples
Example 2—Displays the local voice VLAN configuration when the voice VLAN
state is auto-triggered.
switchxxxxxx# show voice vlan local
Example 3—Displays the local voice VLAN configuration when the voice VLAN
state is OUI.
switchxxxxxx# show voice vlan local
10 CDP 00:00:12:ea:87:dc te1/0/1
Syntax
Parameters
Default Configuration
auto-triggered on ipv4
Command Mode
User Guidelines
By factory default, CDP, LLDP, and LLDP-MED are enabled on the switch. In
addition, manual Smartport mode and Basic QoS with trusted DSCP are enabled.
All ports are members of default VLAN 1, which is also the default Voice VLAN.
In addition, dynamic voice VLAN (auto-triggered) mode is the default mode of auto
voice VLAN. In this mode, voice VLAN is enabled by a trigger (an advertisement
received from a voice device attached to the port).
- A static local configured voice VLAN ID, CoS/802.1p, and/or DSCP that
is not factory default is configured.
Notes:
Examples
Example 1 —The following example enables the OUI mode of Voice VLAN. The
first try did not work - it was necessary to first disable voice VLAN.
Disable the voice VLAN before changing the voice VLAN trigger.
switchxxxxxx(config)# voice vlan state disabled
<CR>
Example 2 — The following example enables the OUI mode of Voice VLAN. The
first try did not work - it was necessary to first disable voice VLAN.
Disable the voice VLAN before changing the voice VLAN trigger.
<CR>
Example 3 — The following example disables the Voice VLAN state. All auto
Smartport configuration on ports are removed.
All interfaces with Auto Smartport dynamic type will be set to default.
Example 4 —The following example sets the Voice VLAN state to auto-triggered.
The VLANs are re-activated after auto SmartPort state is applied.
Example 5 —The following example sets the Voice VLAN state to auto-triggered
on IPv6. The VLANs are re-activated after auto SmartPort state is applied.
Syntax
Parameters
Default Configuration
None
Command Mode
Example
switchxxxxxx(config)#
30-Apr-2011 02:01:05 %LINK-W-Down: Vlan 50
Agreed VPT is 5
Agreed DSCP is 46
Syntax
no voice vlan id
Parameters
Default Configuration
VLAN ID 1.
Command Mode
User Guidelines
If the Voice VLAN does not exist, it is created automatically. It will not be removed
automatically by the no version of this command.
Example
The following example enables VLAN 35 as the voice VLAN on the device.
For Auto Voice VLAN, changes in the voice VLAN ID, CoS/802.1p, and/or DSCP will
cause the switch to advertise the administrative voice VLAN as static voice VLAN
which has higher priority than voice VLAN learnt from external sources.
Syntax
Parameters
Default Configuration
Command Mode
Example
The following example sets 7 as the voice VLAN VPT. A notification that the new
settings are different than the old ones is displayed.
For Auto Voice VLAN, changes in the voice VLAN ID, CoS/802.1p, and/or DSCP will
cause the switch to advertise the administrative voice VLAN as static voice
VLAN which has higher priority than voice VLAN learnt from external sources.
Syntax
Parameters
Default Configuration
46
Command Mode
Example
For Auto Voice VLAN, changes in the voice VLAN ID, CoS/802.1p, and/or DSCP will
cause the switch to advertise the administrative voice VLAN as static voice
VLAN which has higher priority than voice VLAN learnt from external sources.
Syntax
Parameters
• text—(Optional) Adds the specified text as a description of the specified
MAC address to the voice VLAN OUI table (length: 1–32 characters).
Default Configuration
OUI Description
00:01:e3 Siemens AG Phone
00:03:6b Cisco Phone
00:09:6e Avaya Phone
00:0f:e2 Huawei-3COM Phone
00:60:b9 NEC/Philips Phone
00:d0:1e Pingtel Phone
00:e0:75 Veritel Polycom Phone
00:e0:bb 3COM Phone
Command Mode
Global Configuration mode
User Guidelines
The classification of a packet from VoIP equipment/phones is based on the
packet’s OUI in the source MAC address. OUIs are globally assigned
(administered) by the IEEE.
In MAC addresses, the first three bytes contain a manufacturer ID (the
Organizationally Unique Identifier, or OUI) and the last three bytes contain a
unique station ID.
Since the number of IP phone manufacturers that dominate the market is limited
and well known, the known OUI values are configured by default and OUIs can be
added/removed by the user when required.
Example
The following example adds an entry to the voice VLAN OUI table.
Syntax
voice vlan cos mode {src | all }
Parameters
• src—QoS attributes are applied to packets with OUIs in the source MAC
address. See the User Guidelines of voice vlan oui-table.
• all—QoS attributes are applied to packets that are classified to the Voice
VLAN.
Default Configuration
Command Mode
Example
Syntax
no voice vlan cos
Parameters
• cos cos—Specifies the voice VLAN Class of Service value. (Range: 0–7)
Default Configuration
The default CoS value is 5.
Command Mode
Example
The following example sets the OUI voice VLAN CoS to 7 and does not do
remarking.
Syntax
Parameters
Default Configuration
1440 minutes
Command Mode
Example
The following example sets the OUI Voice VLAN aging timeout interval to 12 hours.
Syntax
Parameters
Default Configuration
Disabled
Command Mode
User Guidelines
This command is applicable only if the voice VLAN state is globally configured as
OUI voice VLAN (using show voice vlan).
The port is added to the voice VLAN if a packet whose source MAC address contains
an OUI defined by voice vlan oui-table is trapped on the port. Note: The packet
VLAN ID does not have to be the voice VLAN, it can be any VLAN.
If the time since the last packet with such a source MAC address OUI was
received on the interface exceeds the timeout limit (configured by voice vlan
aging-timeout), the interface is removed from the voice VLAN.
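The following is an added example, not taken from this guide or from Cisco. It models the OUI classification described under voice vlan oui-table together with the port membership and aging rule above, using the default OUI table and the 1440-minute default timeout listed in this guide. The function names and the sample frames are assumptions constructed for illustration.

```python
# Default OUI table as listed in this guide (prefix -> description).
DEFAULT_OUI_TABLE = {
    "00:01:e3": "Siemens AG Phone",
    "00:03:6b": "Cisco Phone",
    "00:09:6e": "Avaya Phone",
    "00:0f:e2": "Huawei-3COM Phone",
    "00:60:b9": "NEC/Philips Phone",
    "00:d0:1e": "Pingtel Phone",
    "00:e0:75": "Veritel Polycom Phone",
    "00:e0:bb": "3COM Phone",
}
DEFAULT_AGING_MINUTES = 1440  # default aging timeout stated in this guide

# Constructed sample: (minute, port, source MAC) of frames seen on ports.
SAMPLE_EVENTS = [
    (0, "te1/0/1", "00:03:6b:11:22:33"),
    (10, "te1/0/2", "02:00:00:aa:bb:cc"),   # OUI not in the table
    (100, "te1/0/3", "00-E0-BB-00-00-01"),
    (1500, "te1/0/1", "0003.6b11.2233"),    # refreshes te1/0/1
]


def oui_of(mac):
    """Return the first three bytes of a MAC as 'aa:bb:cc' (accepts : - . separators)."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in (0, 2, 4))


def voice_vlan_members(events, now, table=DEFAULT_OUI_TABLE, aging=DEFAULT_AGING_MINUTES):
    """Return {port: OUI description} for ports still in the voice VLAN at minute `now`."""
    last_seen = {}
    for minute, port, src_mac in events:
        vendor = table.get(oui_of(src_mac))
        if vendor is None or minute > now:
            continue  # no OUI match, or frame not yet seen at `now`
        if port not in last_seen or minute >= last_seen[port][0]:
            last_seen[port] = (minute, vendor)
    # A port ages out once the time since its last matching frame exceeds the timeout.
    return {p: v for p, (t, v) in last_seen.items() if now - t <= aging}


if __name__ == "__main__":
    print(voice_vlan_members(SAMPLE_EVENTS, now=1541))
```

Membership follows from the source MAC prefix alone, so the result identifies which OUI entry placed a port in the voice VLAN, which is the entry to review when a port appears there unexpectedly.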
Example
70
Web Server Commands
1
Syntax
no ip https certificate
Parameters
Default Configuration
Command Mode
User Guidelines
First, use crypto certificate generate to generate one or two HTTPS certificates.
Then use this command to specify which is the active certificate.
Example
70.2 ip http port
To specify the TCP port used by the web browser interface, use the ip http port
Global Configuration mode command. To restore the default configuration, use the
no form of this command.
Syntax
ip http port port-number
no ip http port
Parameters
Default Configuration
The default port number is 80.
Command Mode
Example
The following example configures the HTTP port number as 100.
Syntax
ip http server
no ip http server
Parameters
Default Configuration
Command Mode
Example
The following example enables configuring the device from a web browser.
Syntax
ip http secure-server
no ip http secure-server
Parameters
Default Configuration
Enabled
Command Mode
User Guidelines
After this command is used, you must generate a certificate using crypto
certificate generate. If no certificate is generated, this command has no effect.
Example
Syntax
Parameters
• idle-seconds—Specifies the maximum number of seconds that a
connection is kept open if no data is received or response data cannot be
sent out. (Range: 0–86400)
Default Configuration
600 seconds
Command Mode
User Guidelines
Example
Syntax
show ip http
Parameters
This command has no arguments or keywords.
Command Mode
Example
The following example displays the HTTP server configuration.
Port: 80
Syntax
show ip https
Parameters
Command Mode
Example
Port: 443
Certificate 1 is active
Certificate 2 is inactive
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks,
go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner
does not imply a partnership relationship between Cisco and any other company. (1110R)
© 2016 Cisco Systems, Inc. All rights reserved. SG350XG and Sx350X Ph. 2.2 Devices