Basic Commands On Alcatel Omniswitch

This document provides a comprehensive guide on basic commands for managing Alcatel Omniswitch models 6600, 6800, and 6850. It covers various aspects such as configuration management, VLAN setup, interface management, link aggregation, system settings, NTP, logging, STP, DHCP relay, services, AAA, ARP, SNMP, port mirroring, POE, and QoS & ACL. Each section includes specific commands and procedures to effectively operate and troubleshoot the switches.

Basic commands on Alcatel Omniswitch

Introduction
This page is based on the notes I took when managing Alcatel Omniswitch 6600, 6800
in 2007 and later 6850. The full documentation can be found on the Alcatel-Lucent website.

Managing the configuration files


Alcatel Omniswitches can operate in two modes: working and certified (show running-directory
to know in which mode the switch is). In working mode, the configuration can
be modified, while it is not possible in certified mode (well, actually, it is). When
booting, if working and certified configuration files are different, the switch will boot in
certified mode. Configuration files are stored in certified/boot.cfg and working/boot.cfg
(they can be directly edited with "vi").
•save running -> working: write memory
•save working -> certified: copy working certified [flash-synchro]; flash-synchro will synchronize the configuration across all slots
•save running even in certified mode: configuration snapshot all <file>, then move this file to working/boot.cfg
•reboot in working mode without rollback: reload working no rollback-timeout
•view running configuration: show configuration snapshot [all|vlan|ip|...] or write terminal
When modifying the configuration, it can be useful to reload the switch in certified
mode if a configuration error occurs. It is possible to program the switch to reload a few
minutes ahead in case you lose control: reload in <n> where <n> is the number of minutes
to wait before reloading. A reload can be canceled with reload cancel. show reload will
show you when the switch will reboot.

Configure VLANs
A layer 2 VLAN is created with vlan <vlan_number> enable name "vlan name" and
removed with no vlan <vlan_number>. show vlan lists all VLANs, show vlan
<vlan_number> shows details of VLAN <vlan_number>.
Depending on the microcode version (show microcode), a layer 3 VLAN is created
using:
•ip interface "interface name" vlan <vlan_number> address <address> mask <netmask>
•vlan router "interface name" vlan <vlan_number> address <address> mask <netmask>
and destroyed with:
•no ip interface "interface name"
•no vlan router "interface name"

Port association:
•To associate a port to a specific vlan: vlan <vlan_number> port default
<slot>/<port>
•To list the ports: show vlan port
•To list the ports of a specified VLAN: show vlan <vlan_number> port
•To show a port: show vlan port <slot>/<port>

802.1Q:
•To tag a port: vlan <vlan_number> 802.1Q <slot>/<port> [<"comment">]
•To remove a tag: vlan <vlan_number> no 802.1Q <slot>/<port>

Interfaces
Global status: show interfaces status
Info about an interface (admin status, MAC, speed, duplex, errors, ...): show interfaces [port|status|<slot>/<port>|...]
Summary of interface errors: show interface counters errors
To clear counters: interfaces <slot>[/port1-port2] no l2 statistics
To change an interface: interface <slot>/<port> [speed <10_100_1000>|duplex <half_full>]
To switch from autonegotiation to 100FD, set
•autoneg off
•speed 100 and duplex full
If forced in 100FD while autoneg is on, the port will stay down.
To disable an interface: interface <slot>/<port> admin down

Link Aggregation
Dynamic LAG (LACP)
lacp linkagg <id> size <size> admin state enable
lacp linkagg <id> actor admin key <key>
lacp agg <slot/port> actor admin key <key>

Static LAG
static linkaggregation <id> size <size> admin state enable
static linkagg <id> name <name>
static agg <slot/port> agg num <id>

Hardware
When stacking is operational, one switch is primary, one other secondary, the others
idle. If the primary disappears, the secondary becomes primary and the first idle
becomes secondary.
Get info about the chassis: show chassis and about the stack: show stack topology.
To monitor the health of the system: show health all (cpu|memory)
Show CMM (Control Management Module – Alcatel) information: show cmm

System
Uptime
To change:
•name
•system contact <"contact">
•system location <"location">

The default prompt is "->". session prompt default "sw1->" changes it to "sw1->". You can get the other session parameters with show session config.
When a command outputs too many lines on the screen, it is possible to use 'more' to see the output page by page. Use more to activate the mode and more size <size> to set the number of lines shown. Cancel this mode with no more.
To change the timeout of the telnet/ssh sessions: session timeout cli <timeout>

NTP
Set a server: ntp server <server_ip>. Even if the DNS is configured, you cannot specify a name for the NTP server. Then activate NTP: ntp client enable.
Get NTP info:
•show ntp client: indicates whether NTP is on or off, when it was last updated, ...
•show ntp server-list: get the list of servers and with which server the switch is
synchronized

Logs
Show logging conf: show swlog
Get switch logs:
•show log swlog: get all logs
•show log swlog timestamp <month/day/year> <hour:minute>: only logs since
the specified hour
•empty logs: swlog clear

Enable syslog with: swlog output socket <syslog_server_ip>

STP
STP can operate in two modes: flat and 1x1. In flat mode, there is only one instance for
the whole switch whereas in 1x1 mode, there is one instance per VLAN (like pvst on
Cisco switches or vstp on Juniper ones). I recommend the 1x1 mode if you do not want
to go the MSTP way. Change STP mode: bridge mode (flat|1x1)
Get STP configuration: show spanning tree

It is possible to deactivate STP on specified VLANs/ports: vlan <vlan_number> stp (enable|disable) and bridge <vlan_number> <slot>/<port> (enable|disable)
Change STP algorithm: bridge protocol (802.1D|STP|RSTP). (In 2007, I did not manage to set RSTP for all VLANs as a global config, I had to set it VLAN per VLAN using: bridge 1x1 <vlan_number> protocol (802.1D|STP|RSTP).)

DNS
•Name servers: ip name-server <IP1> <IP2>
•Domain name: ip domain-name <domain-name>
•Activate DNS client: ip domain-lookup

DHCP relay
•ip service udp-relay
•DHCP relay only for specified VLANs: ip helper per-vlan only
•DHCP server address: ip helper address <dhcp_server> vlan <vlan_number>
•Enable DHCP relay: ip udp relay BOOTP

Services
Activate/deactivate services: [no] ip service (ftp|ssh|telnet|http|secure-http|udp-relay|snmp|all). List of activated services: show ip service.
For https: ip http ssl

AAA
Authentication can be local or done with a RADIUS server.
To activate a service, the authentication has to be set: aaa authentication default "local", aaa authentication (console|ssh|ftp|802.1X|vlan|...) "local"

ARP
ARP table: show arp
Mac Address table: show mac-address-table
Add a static MAC/IP entry: arp <IP> <MAC>, no arp <IP> to remove it.
Clear dynamic arp entries: clear arp-table
To specify when a dynamic entry times out (default: 300 seconds): mac-address-table
aging-time <seconds> [vlan <vlan_number>]

SNMP
First, you have to create a user and give it the right to do SNMP:
•user <"username"> read-only (all|ip|interface|...) password <password>
•The only way I found to give the user SNMP capabilities is to use the web
interface ..., but you can deactivate it with user <"username"> no snmp
Then configure the SNMP server:
•snmp security no security (the least restrictive level: the switch accepts all SNMP requests)
•Associate the community string with the user you created: snmp community map
user username on
•To configure the SNMP trap server: snmp station <server_ip> [<port>] <"user"> (v1|v2c|v3) enable
•snmp authentication trap (enable|disable)
•To filter the traps sent by the switch: snmp trap filter <server_ip> <filter_code>
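
An added example, not part of the original notes: a small Python audit that replays the [no] ip service lines from the Services section and checks the SNMP, syslog and NTP settings described above in a boot.cfg-style text. The sample configuration is constructed; the assumptions are that the file holds the same CLI lines shown on this page, that only services named in the file count as enabled, and that ip http ssl moves web management to HTTPS.

```python
import re

# Service names from the "[no] ip service" list on this page.
ALL_SERVICES = {"ftp", "ssh", "telnet", "http", "secure-http", "udp-relay", "snmp"}
CLEARTEXT = {"telnet", "ftp", "http"}  # credentials cross the wire unencrypted

def enabled_services(lines):
    """Replay '[no] ip service <name|all>' lines in file order."""
    enabled = set()  # assumption: only services named in the file count
    for line in lines:
        m = re.match(r"^(no\s+)?ip service (\S+)$", line.strip())
        if not m:
            continue
        names = ALL_SERVICES if m.group(2) == "all" else {m.group(2)}
        enabled = enabled - names if m.group(1) else enabled | names
    return enabled

def audit(config_text):
    """Return a list of findings for a boot.cfg-style text."""
    lines = [l.strip() for l in config_text.splitlines()
             if l.strip() and not l.strip().startswith("!")]  # '!' = comment
    risky = enabled_services(lines) & CLEARTEXT
    if "ip http ssl" in lines:  # assumption: web management is HTTPS only
        risky.discard("http")
    findings = [f"cleartext service enabled: {s}" for s in sorted(risky)]
    if "snmp security no security" in lines:
        findings.append("snmp security level is 'no security'")
    if not any(l.startswith("swlog output socket ") for l in lines):
        findings.append("no remote syslog (swlog output socket)")
    if "ntp client enable" not in lines:
        findings.append("ntp client not enabled")
    return findings

# Constructed sample configuration, not taken from a real switch.
SAMPLE = """\
! IP :
ip service all
no ip service telnet
no ip service ftp
! SNMP :
snmp security no security
! NTP :
ntp server 192.0.2.10
ntp client enable
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
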

Port mirroring
Port mirroring works 12 ports by 12 ports. It is possible to configure multiple sources for
one session and thus see the traffic of multiple ports in one output.
•show port mirroring status
•port mirroring <session> source <slot>/<port> destination <slot>/<port> enable
•no port mirroring <session>

POE
By default, the POE is disabled on all ports.
To enable the POE on a given port: lanpower start <slot>/<port>
To enable it on the whole slot: lanpower start <slot>
To stop the POE, use the symmetric command lanpower stop (<slot>/<port>|<slot>)
Show the POE configuration: show lanpower <slot>
To limit the power available for a given port: lanpower <slot>/<port> power <milliwatts>
To limit the power available for a slot: lanpower <slot> maxpower <watts>
A power of 230W is enough for a full slot equipped with IP Phones (note: TBC).
It has been noticed that a switch may prove unstable with POE if too many devices
are connected and its PSU is not powerful enough.

QOS & ACL


In AOS, ACL and QoS are configured in the same 'qos' section.
Apply QoS when modified: qos apply
Disable QoS (useful for troubleshooting): qos disable
By default, QoS is not trusted on access ports and all tags are set to 0. It is trusted on
trunked ports. To trust everywhere: qos trust ports
To trust on one given port: qos port <slot>/<port> trusted
The rules are a combination of the following elements:
•policy network: define subnets
•define conditions (from subnet1 to subnet2, ...)
•define actions (permit, deny, ...)
•policy rule: apply action to condition (if X then Y)
The syntax for the different blocks is the following:
policy network group <gp_name> <subnet1> mask <mask1> <subnet2> mask <mask2> ...
policy condition <c_name> source network group <gp_name1> destination network group <gp_name2>
policy action <a_name> disposition <action>
policy rule <r_name> [disable] precedence <p> condition <c_name> action <a_name>
where precedence is the order in which rules can be applied
