This page is based on the notes I took when managing Alcatel Omniswitchs 6600, 6800 in 2007 and later 6850. The full documentation can be found on Alcatel-Lucent website.
Alcatel Omniswitchs can operate in two modes: working and certified (show running-directory to know in which mode the switch is). In working mode, the configuration can be modified, while it is no possible in certified mode (well, actually, it is). When booting, if working and certified configuration files are different, the switch will boot in certified mode. Configuration files are stored in certifed/boot.cfg and working/boot.cfg (they can be directly edited with "vi").
copy working certified [flash-synchro],
flash-synchrowill synchronize the conf accross all slots
configuration snapshot all <file>Then move this file to working/boot.cfg
reload working no rollback-timeout
show configuration snapshot [all|vlan|ip|...]or
When modifying the configuration, it can be useful to reload the switch in certified mode if a configuration error occur. It is possible to program the switch to reload a few minutes ahead in case you lose control:
reload in <n> where
n is the number of minutes to wait before reloading. A reload can be canceled with
show reload will show you when the switch will reboot.
A layer 2 VLAN is created with
vlan <vlan_number> enable name "vlan name" and removed with
no vlan <vlan_number>.
show vlan lists all VLANs,
show vlan <vlan_number> shows vlan <vlan_number> details.
Depending on the microcode version (
show microcode), a layer 3 VLAN is created using:
ip interface "interface name" vlan <vlan_number> address <address> mask <netmask>
vlan router "interface name" vlan <vlan_number> address <address> mask <netmask>
no ip interface "interface name"
no vlan router "interface name"
vlan <vlan_number> port default <slot>/<port>
show vlan port
show vlan <vlan_number> port
show vlan port <slot>/<port>
vlan <vlan_number> 802.1Q <slot>/<port> [<"comment">]
vlan <vlan_number> no 802.1Q <slot>/<port>
Show interfaces status
Info about an interface (admin status, MAC, speed, duplex, errors, ...):
show interfaces [port|status|<slot>/<port>|...]
Summary of interfaces errors:
show interfaces counters errors
To clear counters:
interfaces <slot>[/port1-port2] no l2 statistics
To change an interface:
interface <slot>/<port> [speed <10_100_1000>|duplex <half_full>|autoneg <state>|flood rate <rate>]
To switch from autonegociation to 100FD, set
interface <slot>/<port> admin down
lacp linkagg <id> size <size> admin state enable
lacp linkagg <id> actor admin key <key>
lacp agg <slot/port> actor admin key <key>
static linkagg <id> size <size> admin state enable
static linkagg <id> name <name>
static agg <slot/port> agg num <id>
When stacking is operational, one switch is primary, one other secondary, the others idle. If the primary disappears, the secondary becomes primary and the first idle becomes secondary.
Get info about the chassis:
show chassis and about the stack:
show stack topology.
To monitor the health of the system:
show health all (cpu|memory)
Show CMM (Control Management Module – Alcatel ) information:
Uptime, date, name, contact, location:
system name <"name">
system contact <"contact">
system location <"location">
The default prompt is "->".
session prompt default "sw1->" changes it to "sw1->". You can get the other session parameters with
show session config
When a command outputs to many lines on the screen, it is possible to use "
more" to see page by page. Use
more to activate the mode and
more size <size> to set the number of lines shown. Cancel this mode with
To change the timeout of the telnet/ssh sessions:
session timeout cli <timeout>
Set a server:
ntp server <server_ip>. Even if the DNS is configured, you cannot specify a name for the NTP server. Then activate NTP:
ntp client enable.
Get NTP info:
show ntp client: tells if NTP is on or off, when was the last updated, ...
show ntp server-list: get the list of servers and with which server the swich is synchronized
Show logging conf:
Get switch logs:
show log swlog: get all logs
show log swlog timestamp <mounth/day/year> <hour:minute>: only logs since the specified hour
swlog output socket <syslog_server_ip>
STP can operates in two modes: flat and 1x1. In flat mode, there is only one instance for the whole switch whereas in 1x1 mode, there is one instance per VLAN (like pvst on Cisco switches or vstp on Juniper ones). I recommend the 1x1 mode if you do not want to go the MSTP way. Change STP mode:
bridge mode (flat|1x1)
Get STP conf:
It is possible to deactivate STP on specified vlans/ports :
vlan <vlan_number> stp (enable|disable) and
bridge <vlan_number> <slot>/<port> (enable|disable)
Change STP algorithm:
bridge protocol (802.1D|STP|RTSP). (In 2007), I did not manage to set rstp for all vlan as a global config, I had to set it vlan per vlan using:
bridge 1x1 <vlan_number> protocol (802.1D|STP|RTSP).
ip name-server <IP1> <IP2>
ip domain-name <domain-name>
ip service udp-relay
ip helper per-vlan only
ip helper address <dhcp_server> vlan <vlan_number>
ip udp relay BOOTP
[no] ip service (ftp|ssh|telnet|http|secure-http|udp-relay|snmp|all). List of activated services:
show ip service.
ip http ssl
Authentification can be local or made with a radius
To activate a service, the authentification have to be set:
aaa authentification default "local",
aaa authentification (console|ssh|ftp|802.1X|vlan|...) "local"
Mac Address table:
Add a static MAC/IP entry:
arp <IP> <MAC>,
no arp <IP> to remove it.
Clear dynamic arp entries:
To specify when an dynamic entry timeouts (default: 300seconds):
mac-address-table aging-time <seconds> [vlan <vlan_number>]
First, you have to create a user and give it the right to do SNMP:
user <"username"> read-only (all|ip|interface|...) password <password>
user <"username"> no snmp
Then configure the snmp server:
snmp security no security
snmp community map <"community"> user <"username"> on
snmp station <server_ip> [<port>] <"user"> (v1|v2c|v3) enable
snmp authentification trap (enable|disable)
snmp trap filter <server_ip> <filter_code>
Port mirroring works 12 ports by 12 ports. It is possible to configure multiple sources for one session and thus see the traffic of multiple ports in one output.
show port mirroring status
port mirroring <session> source <slot>/<port> destination <slot>/<port> enable
no port mirroring <session>
By default, the POE is disabled on all ports.
To enable the POE on a given port:
lanpower start <slot>/<port>
To enable it on the whole slot:
lanpower start <slot>
To stop the POE, use the symmetric commande
lanpower stop (<slot>/<port>|<slot>)
Show the POE configuration:
show lanpower <slot>
To limit the power available for a given port:
lanpower <slot>/<port> power <milliwatts>
To limit the power available for a slot:
lanpower <slot> maxpower <watts>
A power of 230W is enough for a full slot equipped with IP Phones (note: TBC).
It has been noticed that a switch may prove instable with POE if too many equipments are connected and its PSU is not enough powerfull.
In AOS, ACL and QoS are configured in the same "qos" section.
Apply QoS when modified:
Disable QoS (useful for troubleshooting):
By default, QOS is not trusted in access ports and all tags are set to 0. It is trusted on trunked ports. To trust everywhere:
qos trust ports
To trust on one given port:
qos port <slot>/<port> trusted
The rules are a combinaison of the following elements:
policy network group <gp_name> <subnet1> mask <mask1> <subnet2> mask <mask2> ...
policy condition <c_name> source network group <gp_name1> destination group <gp_name2>
policy action <a_name> disposition <action>
policy rule <r_name> [disable] precedence <p> condition <c_name> action <a_name>, where precedence is the order rules can be applied
As an example:
policy network group VoIP 192.168.1.0 mask 255.255.255.0 192.168.11.0 mask 255.255.254.0 policy network group Data 172.16.0.0 mask 255.255.255.0 policy condition "VoIP-VoIP" source network group VoIP destination network group VoIP policy condition "VoIP-Data" source network group VoIP destination network group Data policy condition "Data-Data" source network group Data destination network group Data policy condition "Other" source ip any destination ip any policy action Deny disposition deny policy action Permit policy rule "Allow VoIP-VoIP" precedence 200 condition "VoIP-VoIP" action Permit policy rule "Allow VoIP-Data" disable precedence 200 condition "VoIP-Data" action Permit policy rule "Allow Data-Data" precedence 200 condition "Data-Data" action Permit policy rule "Deny Other" precedence 200 condition "Other" action Deny qos port 1/2 trusted qos port 1/3 trusted qos apply
aaa radius-server "radius_srv1" host <IP Addr> key <auth_key> retransmit 3 timeout 2 auth-port 1812 acct-port 1813 aaa radius-server "radius_srv2" host <IP Addr> key <auth_key> retransmit 3 timeout 2 auth-port 1812 acct-port 1813 # Use the radius for vlan assignement aaa authentication vlan single-mode "radius_srv1" "radius_srv2" # use the internal database for authent to the local services aaa authentication default "local" aaa authentication console "local" aaa authentication ftp "local" aaa authentication snmp "local" # 801.1X authentication servers aaa authentication 802.1x radius_srv1 radius_srv2 # MAC base authentication servers (used for devices that can't do 802.1X like IP-Phones) aaa authentication mac radius_srv1 radius_srv2 AVLAN: # Authentication portal in the switch. By default, last IP of the subnet. avlan auth-ip <vlan-ID> <IP address, in same VLAN, different of switch IP address> VLAN definition vlan 5 enable name "VoIP" vlan 10 enable name "Data" vlan 10 authentication enable configuration of interface 1/3 vlan 10 port default 1/3 # enable dynamic vlan assignemt vlan port mobile 1/3 # enable 802.1X vlan port 1/3 802.1x enable # 802.1X # - direction both => control on inbound + outbound traffic # - port-control auto => port initially in unauthorized state, and put in "authorized mode" automatically by the switch upon the exchanged between the switch and the end station # - quiet-period 60 => reject the 802.1X authentications during 60s after an authentication failure # - server-timeout 30 => superseded by the aaa radius-server ... timeout # - re-authperiod 3600 => 3600s=1h before re-authent is required # - no reauthentication => disables the reauthent 802.1x 1/3 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication # length of a captive portal session 802.1x 1/3 captive-portal session-limit 12 retry-count 3 # poll the end device 2 times before stating it is not 802.1X compliant 802.1x 1/3 supp-polling retry 2 # if authentication is successful but returns no VLAN ID ("pass"), use default vlan for the supplicant else ("fail"), block the port 802.1x 1/3 supplicant policy authentication pass group-mobility default-vlan fail block #idem for non supplicant (not 802.1X) devices - authentication by MAC address with a Radius 802.1x 1/3 non-supplicant policy authentication pass group-mobility block fail block # used by supplicant and non supplicant when "captive-portal" is used in the "802.1x supplicant policy" or "802.1x non-supplicant policy" 802.1x 1/3 captive-portal policy authentication pass default-vlan fail block