iES4028F/4028FP/4024GP

Summary of Contents for Samsung iES4028F

  • Page 1 iES4028F/4028FP/4024GP...
  • Page 2 E082008/ST-R03 149100041800A 149100040200A 149100041700A 149100000020A...
  • Page 3 COPYRIGHT This manual is proprietary to SAMSUNG Electronics Co., Ltd. and is protected by copyright. No information contained herein may be copied, translated, transcribed or duplicated for any commercial purposes or disclosed to third parties in any form without the prior written consent of SAMSUNG Electronics Co., Ltd.
  • Page 4 This page is intentionally left blank.
  • Page 5: About This Guide

    This section summarizes the changes in each revision of this guide. August 2008 Revision This is the third revision of this guide. It combines information for the Ubigate iES4028F, iES4028FP and iES4024GP. This guide is valid for software release v1.1.0.14. Other than...
  • Page 6 This was the second revision of this guide. It combines information for the Ubigate iES4028F and iES4028FP. This guide is valid for software release v1.1.0.13. Other than the addition of information about the iES4028F, it also includes the following updated and additional information in the indicated tables or sections: •...
  • Page 7 • Command Usage and Command Attributes under “Configuring the DHCP Snooping Information Option” on page 3-118. • Command Usage under “Configuring Ports for DHCP Snooping” on page 3-120. • Command Usage under “IP Source Guard” on page 3-123. • Command Usage under “Configuring Static Binding for IP Source Guard” on page 3-125.
  • Page 8 • Command Usage and Command Attributes under “Configuring MVR Interface Status” on page 3-270. • Command Usage under “Switch Clustering” on page 3-273. • Introduction under “UPnP” on page 3-277. • Command Usage under “jumbo frame” on page 4-33. • Command Usage under “copy”...
  • Page 9 • “spanning-tree port-bpdu-flooding” on page 4-240. • Syntax and Default Setting under “spanning-tree mst cost” on page 4-244. • Syntax for “switchport mode” on page 4-257. • Removed note under “switchport ingress-filtering” on page 4-258. • Removed note under “switchport allowed vlan” on page 4-260. •...
  • Page 10 This page is intentionally left blank.
  • Page 11: Table of Contents

    Contents Chapter 1: Introduction Key Features Description of Software Features System Defaults Chapter 2: Initial Configuration Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Setting an IP Address Manual Configuration Dynamic Configuration Enabling SNMP Management Access Community Strings (for SNMP version 1 and 2c clients) Trap Receivers...
  • Page 12 Contents Managing Firmware 3-21 Downloading System Software from a Server 3-22 Saving or Restoring Configuration Settings 3-23 Downloading Configuration Settings from a Server 3-24 Console Port Settings 3-25 Telnet Settings 3-27 Configuring Event Logging 3-29 System Log Configuration 3-29 Remote Log Configuration 3-30 Displaying Log Messages 3-32...
  • Page 13 Contents Configuring HTTPS 3-77 Replacing the Default Secure-site Certificate 3-78 Configuring the Secure Shell 3-79 Generating the Host Key Pair 3-82 Importing User Public Keys 3-84 Configuring the SSH Server 3-86 Configuring 802.1X Port Authentication 3-88 Displaying 802.1X Global Settings 3-89 Configuring 802.1X Global Settings 3-90...
  • Page 14 Contents Creating Trunk Groups 3-134 Statically Configuring a Trunk 3-135 Enabling LACP on Selected Ports 3-136 Configuring Parameters for LACP Group Members 3-138 Configuring Parameters for LACP Groups 3-141 Displaying LACP Port Counters 3-142 Displaying LACP Settings and Status for the Local Side 3-143 Displaying LACP Settings and Status for the Remote Side 3-145...
  • Page 15 Contents Traffic Segmentation 3-206 Configuring Global Settings for Traffic Segmentation 3-207 Configuring Traffic Segmentation Sessions 3-207 Private VLANs 3-209 Displaying Current Private VLANs 3-209 Configuring Private VLANs 3-210 Associating VLANs 3-211 Displaying Private VLAN Interface Information 3-212 Configuring Private VLAN Interfaces 3-213 Protocol VLANs 3-214...
  • Page 16 Contents Displaying Port Members of Multicast Services 3-258 Assigning Ports to Multicast Services 3-259 IGMP Filtering and Throttling 3-260 Enabling IGMP Filtering 3-261 Configuring IGMP Filter Profiles 3-262 Configuring IGMP Filtering and Throttling for Interfaces 3-263 Multicast VLAN Registration 3-265 Configuring Global MVR Settings 3-266 Displaying MVR Interface Status...
  • Page 17 Contents reload 4-13 show reload 4-14 prompt 4-14 4-15 exit 4-15 quit 4-16 System Management Commands 4-16 Device Designation Commands 4-17 hostname 4-17 Banner Information Commands 4-18 banner configure 4-18 banner configure company 4-19 banner configure dc-power-info 4-20 banner configure department 4-21 banner configure equipment-info 4-21...
  • Page 18 Contents databits 4-46 parity 4-46 speed 4-47 stopbits 4-47 disconnect 4-48 show line 4-48 Event Logging Commands 4-49 logging on 4-49 logging history 4-50 logging host 4-51 logging facility 4-51 logging trap 4-52 clear log 4-53 show logging 4-53 show log 4-55 SMTP Alert Commands 4-56...
  • Page 19 Contents rcommand 4-76 show cluster 4-76 show cluster members 4-77 show cluster candidates 4-77 UPnP Commands 4-77 upnp device 4-78 upnp device ttl 4-78 upnp device advertise duration 4-79 show upnp 4-79 Debug Commands 4-80 debug dot1x 4-80 debug radius 4-82 debug tacacs 4-84...
  • Page 20 Contents TACACS+ Client 4-109 tacacs-server host 4-110 tacacs-server port 4-110 tacacs-server key 4-111 tacacs-server retransmit 4-111 tacacs-server timeout 4-112 show tacacs-server 4-113 AAA Commands 4-114 aaa group server 4-114 server 4-115 aaa accounting dot1x 4-116 aaa accounting exec 4-117 aaa accounting commands 4-118 aaa accounting update 4-119...
  • Page 21 Contents dot1x re-authenticate 4-140 dot1x re-authentication 4-140 dot1x timeout quiet-period 4-141 dot1x timeout re-authperiod 4-141 dot1x timeout tx-period 4-142 dot1x intrusion-action 4-142 show dot1x 4-143 Management IP Filter Commands 4-146 management 4-146 show management 4-147 General Security Measures 4-148 Port Security Commands 4-149 port security 4-149...
  • Page 22 Contents show ip dhcp snooping 4-171 show ip dhcp snooping binding 4-171 IP Source Guard Commands 4-172 ip source-guard 4-172 ip source-guard binding 4-174 show ip source-guard 4-175 show ip source-guard binding 4-175 Access Control List Commands 4-176 IP ACLs 4-176 access-list ip 4-177...
  • Page 23 Contents lacp port-priority 4-208 lacp active/passive 4-209 show lacp 4-209 Power over Ethernet Commands 4-213 power mainpower maximum allocation 4-214 power inline compatible 4-214 power inline 4-215 power inline maximum allocation 4-216 power inline priority 4-216 show power inline status 4-217 show power mainpower 4-218...
  • Page 24 Contents spanning-tree loopback-detection 4-242 spanning-tree loopback-detection release-mode 4-242 spanning-tree loopback-detection trap 4-243 spanning-tree mst cost 4-244 spanning-tree mst port-priority 4-245 spanning-tree protocol-migration 4-245 show spanning-tree 4-246 show spanning-tree mst configuration 4-248 VLAN Commands 4-248 GVRP and Bridge Extension Commands 4-249 bridge-ext gvrp 4-249 show bridge-ext...
  • Page 25 Contents switchport mode private-vlan 4-273 switchport private-vlan host-association 4-274 switchport private-vlan mapping 4-275 show vlan private-vlan 4-275 Configuring Protocol-based VLANs 4-276 protocol-vlan protocol-group (Configuring Groups) 4-277 protocol-vlan protocol-group (Configuring VLANs) 4-277 show protocol-vlan protocol-group 4-278 show protocol-vlan protocol-group-vid 4-279 Configuring Voice VLANs 4-279 voice vlan 4-280...
  • Page 26 Contents lldp medtlv med-cap 4-302 lldp medtlv network-policy 4-302 show lldp config 4-303 show lldp info local-device 4-305 show lldp info remote-device 4-306 show lldp info statistics 4-307 Class of Service Commands 4-308 Priority Commands (Layer 2) 4-308 queue mode 4-308 switchport priority default 4-309...
  • Page 27 Contents Static Multicast Routing Commands 4-333 ip igmp snooping vlan mrouter 4-334 show ip igmp snooping mrouter 4-334 IGMP Filtering and Throttling Commands 4-335 ip igmp filter (Global Configuration) 4-336 ip igmp profile 4-336 permit, deny 4-337 range 4-337 ip igmp filter (Interface Configuration) 4-338 ip igmp max-groups 4-339...
  • Page 28 Contents This page is intentionally left blank. xxviii...
  • Page 29 Tables Table 1-1 Differences in Switch Models Table 1-2 Key Features Table 1-3 System Defaults Table 3-1 Configuration Options Table 3-2 Main Menu Table 3-3 Logging Levels 3-29 Table 3-5 Supported Notification Messages 3-52 Table 3-6 HTTPS System Support 3-77 Table 3-7 802.1X Statistics 3-93...
  • Page 30 Tables Table 4-21 Switch Cluster Commands 4-73 Table 4-22 Debug Commands 4-80 Table 4-23 SNMP Commands 4-86 Table 4-24 show snmp engine-id - display description 4-94 Table 4-25 show snmp view - display description 4-95 Table 4-26 show snmp group - display description 4-98 Table 4-28 Authentication Commands...
  • Page 31 Tables Table 4-66 Link Type 4-237 Table 4-66 IEEE 802.1D-1998 4-237 Table 4-66 IEEE 802.1w-2001 4-237 Table 4-67 Default STA Path Costs 4-238 Table 4-68 VLANs 4-248 Table 4-69 GVRP and Bridge Extension Commands 4-249 Table 4-70 Editing VLAN Groups 4-254 Table 4-71 Configuring VLAN Interfaces...
  • Page 32 Tables This page is intentionally left blank. xxxii...
  • Page 33 Figures Figure 3-1 Home Page Figure 3-2 Panel Display Figure 3-3 System Information 3-13 Figure 3-4 Switch Information 3-14 Figure 3-5 Bridge Extension Configuration 3-16 Figure 3-6 Manual IP Configuration 3-18 Figure 3-7 DHCP IP Configuration 3-19 Figure 3-8 Jumbo Frames Configuration 3-20 Figure 3-9 Copy Firmware...
  • Page 34 Figures Figure 3-43 AAA Authorization Settings 3-74 Figure 3-44 AAA Authorization Exec Settings 3-75 Figure 3-45 AAA Authorization Summary 3-76 Figure 3-46 HTTPS Settings 3-78 Figure 3-47 HTTPS Settings 3-79 Figure 3-48 SSH Host-Key Settings 3-83 Figure 3-49 SSH User Public-Key Settings 3-85 Figure 3-50 SSH Server Settings...
  • Page 35 Figures Figure 3-1 Port Multicast Control 3-149 Figure 3-2 Port Unknown Unicast Control 3-150 Figure 3-88 Mirror Port Configuration 3-151 Figure 3-89 Input Rate Limit Port Configuration 3-152 Figure 3-90 Port Statistics 3-156 Figure 3-91 Displaying the Global PoE Status 3-158 Figure 3-92 Setting the Switch Power Budget...
  • Page 36 Figures Figure 3-131 Port Priority Configuration 3-231 Figure 3-132 Traffic Classes 3-233 Figure 3-133 Queue Mode 3-234 Figure 3-134 Configuring Queue Scheduling 3-235 Figure 3-135 IP DSCP Priority Status 3-236 Figure 3-136 Mapping IP DSCP Priority Values 3-237 Figure 3-137 Configuring Class Maps 3-241 Figure 3-138 Configuring Policy Maps 3-244...
  • Page 37: Chapter 1: Introduction

    IEEE 802.3af Power-over-Ethernet (PoE) standard that enables DC power to be supplied to attached devices over the connecting Ethernet cable. This guide describes device management for the Ubigate iES4028F, iES4028FP, and iES4024GP. The only significant differences between these switches are listed in the following table.
  • Page 38: Key Features

    Introduction Key Features Table 1-2 Key Features Feature Description Power over Ethernet Powers attached devices using IEEE 802.3af Power over Ethernet (PoE) Configuration Backup and Backup to TFTP server Restore Authentication and Console, Telnet, web – User name / password, RADIUS, TACACS+ Security Measures AAA –...
  • Page 39: Description of Software Features

    Description of Software Features Table 1-2 Key Features (Continued) Feature Description Tunneling Supports tunneling with IEEE 802.1Q tunneling (QinQ) Switch Clustering Supports up to 36 Member switches in a cluster Description of Software Features This switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation.
  • Page 40 Ethernet size and have been verified for accuracy with the cyclic redundancy check (CRC). This prevents bad frames from entering the network and wasting bandwidth. To avoid dropping frames on congested ports, the iES4028F/iES4028FP provide 1 Mbits and the iES4024GP provides 1.5 Mbits for frame buffering. This buffer can...
  • Page 41 Description of Software Features Spanning Tree Algorithm – This switch supports these spanning tree protocols: Spanning Tree Protocol (STP, IEEE 802.1D) – This protocol provides loop detection and recovery by allowing two or more redundant connections to be created between a pair of LAN segments.
  • Page 42 Introduction This switch also supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic can be prioritized based on the DSCP field in the IP frame. When these services are enabled, the priorities are mapped to a Class of Service value by this switch, and the traffic then sent to the corresponding output queue.
  • Page 43: System Defaults

    System Defaults System Defaults The system defaults for this switch are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-23). The following table lists some of the basic system defaults. Table 1-3 System Defaults Function Parameter...
  • Page 44 Introduction Table 1-3 System Defaults (Continued) Function Parameter Default SNMP SNMP Agent Enabled Community Strings “public” (read only) “private” (read/write) Traps Authentication traps: enabled Link-up-down events: enabled SNMP V3 View: defaultview Group: public (read only); private (read/write) Port Configuration Admin Status Enabled Auto-negotiation Enabled...
  • Page 45 System Defaults Table 1-3 System Defaults (Continued) Function Parameter Default IP Settings IP Address DHCP assigned Subnet Mask 255.255.255.0 Default Gateway 0.0.0.0 DHCP Client: Enabled BOOTP Disabled Multicast Filtering IGMP Snooping Snooping: Enabled Querier: Disabled Multicast VLAN Registration Disabled System Log Status Enabled Messages Logged...
  • Page 46 Introduction This page is intentionally left blank. 1-10...
  • Page 47: Chapter 2: Initial Configuration

    Chapter 2: Initial Configuration Connecting to the Switch Configuration Options These switches include a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON (Groups 1, 2, 3, 9) and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
  • Page 48: Required Connections

    Initial Configuration • Configure up to 8 static or LACP trunks • Enable port mirroring • Set broadcast storm control on any port • Display system information and statistics Required Connections The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch.
  • Page 49: Remote Connections

    Basic Configuration Remote Connections Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address”...
  • Page 50: Setting Passwords

    Console(config)#username admin password 0 [password] Console(config)# * This manual covers both the Ubigate iES4028F, iES4028FP and iES4024GP switches. Other than the differences listed in Table 1-1, “Differences in Switch Models,” on page 1-1, there are no other significant differences. Therefore all of the screen display examples are based on the iES4024GP.
  • Page 51: Manual Configuration

    Basic Configuration Manual Configuration You can manually assign an IP address to the switch. You may also need to specify a default gateway that resides between this device and management stations that exist on another network segment. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods.
  • Page 52: Enabling SNMP Management Access

    Initial Configuration To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete the following steps: From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>. At the interface-configuration mode prompt, use one of the following commands: •...
  • Page 53: Community Strings (for SNMP Version 1 and 2c Clients)

    Basic Configuration Community Strings (for SNMP version 1 and 2c clients) Community strings are used to control management access to SNMP version 1 and 2c stations, as well as to authorize SNMP stations to receive trap messages from the switch. You therefore need to assign community strings to specified users, and set the access level.
  • Page 54: Configuring Access for SNMP Version 3 Clients

    Initial Configuration see “snmp-server host” on page 4-90. The following example creates a trap host for each type of SNMP client. Console(config)#snmp-server host 10.1.19.23 batman 4-90 Console(config)#snmp-server host 10.1.19.98 robin version 2c Console(config)#snmp-server host 10.1.19.34 barbie version 3 auth Console(config)# Configuring Access for SNMP Version 3 Clients To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view...
  • Page 55: Saving Configuration Settings

    Managing System Files • Operation Code — System software that is executed after boot-up, also known as run-time or firmware code. This code runs the switch operations and provides the CLI and web management interfaces. See “Managing Firmware” on page 3-21 for more information.
  • Page 56: Configuring Power Over Ethernet

    Initial Configuration To save the current configuration settings, enter the following command: From the Privileged Exec mode prompt, type “copy running-config startup-config” and press <Enter>. Enter the name of the start-up file. Press <Enter>. Console#copy running-config startup-config Startup configuration file name []: startup \Write to FLASH Programming.
  • Page 57: Chapter 3: Configuring The Switch

    Chapter 3: Configuring the Switch Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, Netscape 6.2 or above, or Mozilla Firefox 2.0.0.0 or above).
  • Page 58: Navigating the Web Browser Interface

    Note: The examples in this chapter are based on the Ubigate iES4024GP. The key differences between the Ubigate iES4028F, iES4028FP and iES4024GP are described in Table 1-1 on page 1-1. The panel graphics for the various switch types are shown on the following page.
  • Page 59: Configuration Options

    Active (i.e., up or down), Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control). Clicking on the image of a port opens the Port Configuration page as described on page 3-130. iES4028F iES4028FP iES4024GP...
  • Page 60: Main Menu

    Configuring the Switch Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 3-2 Main Menu Menu Description Page...
  • Page 61: Table 3-2 Main Menu

    Main Menu Table 3-2 Main Menu (Continued) Menu Description Page SNMPv3 3-46 Engine ID Sets the SNMP v3 engine ID on this switch 3-46 Remote Engine ID Sets the SNMP v3 engine ID for a remote device 3-47 Users Configures SNMP v3 users on this switch 3-48 Remote Users Configures SNMP v3 users from a remote device...
  • Page 62 Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page Port Security Configures per port security, including status, response for 3-97 security breach, and maximum allowed MAC addresses 802.1X 3-88 Information Displays global configuration settings for 802.1X Port 3-90 authentication Configuration Configures the global configuration settings...
  • Page 63 Main Menu Table 3-2 Main Menu (Continued) Menu Description Page Port Counters Information Displays statistics for LACP protocol messages 3-142 Port Internal Information Displays settings and operational state for the local side 3-143 Port Neighbors Information Displays settings and operational state for the remote side 3-145 Port Broadcast Control Sets the broadcast storm threshold for each port...
  • Page 64 Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page Trunk Information Displays individual trunk settings for STA 3-175 Port Configuration Configures individual port settings for STA 3-178 Trunk Configuration Configures individual trunk settings for STA 3-178 MSTP 3-181 VLAN Configuration Configures priority and VLANs for a spanning tree instance 3-181...
  • Page 65 Main Menu Table 3-2 Main Menu (Continued) Menu Description Page Association Each community VLAN must be associated with a primary VLAN 3-211 Port Information Shows VLAN port type, and associated primary or secondary 3-212 VLANs Port Configuration Sets the private VLAN interface type, and associates the 3-213 interfaces with a private VLAN Trunk Information...
  • Page 66 Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page 3-238 DiffServ 3-238 Class Map Sets Class Maps 3-239 Policy Map Sets Policy Maps 3-242 Service Policy Defines service policy settings for ports 3-245 VoIP Traffic Setting 3-246 Configuration VoIP Traffic Setting Configuration 3-246 Port Configuration...
  • Page 67 Main Menu Table 3-2 Main Menu (Continued) Menu Description Page Trunk Configuration Configures MVR interface type and immediate leave status 3-270 Group Member Configuration Statically assigns MVR multicast streams to an interface 3-271 DHCP Snooping 3-116 Configuration Enables DHCP Snooping and DHCP Snooping MAC-Address 3-117 Verification VLAN Configuration...
  • Page 68: Basic Configuration

    Configuring the Switch Basic Configuration This section describes the basic functions required to set up management access to the switch, display or upgrade operating software, or reset the system. Displaying System Information You can easily identify the system by displaying the device name, location and contact information.
  • Page 69: Figure 3-3 System Information

    UART Loopback Test ... PASS POE UART Loopback Test ..PASS DRAM Test ....PASS Switch Int Loopback Test ..PASS Done All Pass. Console# * The iES4028F, iES4028FP, iES4024GP MIB Object Identifiers are 1.3.6.1.4.1.236.4.1.12.1.102, 1.3.6.1.4.1.236.4.1.12.1.101, and 1.3.6.1.4.1.236.4.1.12.1.103 respectively. 3-13...
  • Page 70: Displaying Switch Hardware/Software Versions

    Configuring the Switch Displaying Switch Hardware/Software Versions Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. Field Attributes Main Board • Serial Number – The serial number of the switch. •...
  • Page 71 Basic Configuration CLI – Use the following command to display version information. Console#show version 4-32 Unit 1 Serial Number: A622016032 Hardware Version: EPLD Version: 0.02 Number of Ports: Main Power Status: Redundant Power Status: Not present Agent (Master) Unit ID: Loader Version: 1.0.0.1 Boot ROM Version:...
  • Page 72: Displaying Bridge Extension Capabilities

    Configuring the Switch Displaying Bridge Extension Capabilities The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables. Field Attributes • Extended Multicast Filtering Services – This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
  • Page 73: Setting the Switch's IP Address

    Basic Configuration CLI – Enter the following command. Console#show bridge-ext 4-250 Max support VLAN numbers: Max support VLAN ID: 4094 Extended multicast filtering services: No Static entry individual port: VLAN learning: Configurable PVID tagging: Local VLAN capable: Traffic classes: Enabled Global GVRP status: Disabled GMRP:...
  • Page 74: Manual Configuration

    Configuring the Switch Manual Configuration Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply. Figure 3-6 Manual IP Configuration CLI –...
  • Page 75: Using DHCP/BOOTP

    Basic Configuration Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services. Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes.
  • Page 76: Enabling Jumbo Frames

    Configuring the Switch Web – If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface. You can only restart DHCP service via the web interface if the current address is still available. CLI –...
  • Page 77: Managing Firmware

    Two copies of runtime code can be stored in the file directory on the iES4028F. This allows this switch to be set to use new firmware without overwriting the previous version.
  • Page 78: Downloading System Software from a Server

    Configuring the Switch Downloading System Software from a Server When downloading runtime code, the new operation code file will overwrite the existing file. Versions of the code prior to 1.1.0.10 require the operation code file being transferred to have the same destination file name as the existing code file for the transfer to succeed.
  • Page 79: Saving or Restoring Configuration Settings

    Basic Configuration CLI – To download new firmware from a TFTP server, enter the IP address of the TFTP server, select “opcode” as the file type, then enter the source and destination file names. When the file has finished downloading, restart the switch for the new code to take effect.
  • Page 80: Downloading Configuration Settings from a Server

    Configuring the Switch Downloading Configuration Settings from a Server You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it.
  • Page 81: Console Port Settings

    Basic Configuration CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch. Console#copy tftp startup-config 4-35 TFTP server ip address: 192.168.1.19 Source configuration file name: config-1 Startup configuration file name [] : startup \Write to FLASH Programming.
  • Page 82: Figure 3-13 Console Port Settings

    Configuring the Switch • Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive (from terminal). Set the speed to match the baud rate of the device connected to the serial port. (Range: 9600, 19200, or 38400 baud; Default: 9600 baud) •...
  • Page 83: Telnet Settings

    Basic Configuration CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level. Console(config)#line console 4-41 Console(config-line)#login local 4-41 Console(config-line)#password 0 secret 4-42...
  • Page 84: Figure 3-14 Enabling Telnet

    Configuring the Switch • Password – Specifies a password for the line connection. When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. (Default: No password) •...
  • Page 85: Configuring Event Logging

    Basic Configuration Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displays a list of recent event messages. System Log Configuration The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
  • Page 86: Remote Log Configuration

    Configuring the Switch Web – Click System, Log, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and flash memory, then click Apply. Figure 3-15 System Logs CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory.
  • Page 87: Figure 3-16 Remote Logs

    Basic Configuration Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove. Figure 3-16 Remote Logs CLI –...
  • Page 88: Displaying Log Messages

    Configuring the Switch Displaying Log Messages The Logs page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.
  • Page 89: Figure 3-18 Enabling and Configuring SMTP

    Basic Configuration configured email recipients. For example, using Level 7 will report all events from level 7 to level 0. (Default: Level 7) • SMTP Server List – Specifies a list of up to three recipient SMTP servers. The switch attempts to connect to the other listed servers if the first fails. Use the New SMTP Server text field and the Add/Remove buttons to configure the list.
  • Page 90: Resetting The System

    Configuring the Switch CLI – Enter the host IP address, followed by the mail severity level, source and destination email addresses, and enter the sendmail command to complete the action. Use the show logging command to display SMTP information. Console(config)#logging sendmail host 192.168.1.4 4-56 Console(config)#logging sendmail level 3 4-57...
  • Page 91: Setting The System Clock

    Basic Configuration Web – Click System, Reset. Enter the amount of time the switch should wait before rebooting. Click the Reset button to reboot the switch or click the Cancel button to cancel a configured reset. If prompted, confirm that you want to reset the switch or cancel a configured reset.
  • Page 92: Setting The Time Manually

    Configuring the Switch Setting the Time Manually You can set the system time on the switch manually without using SNTP. CLI – This example sets the system clock time and then displays the current time and date Console#calendar set 17 46 00 october 18 2008 4-72 Console#show calendar 4-72...
  • Page 93: Configuring NTP

    Basic Configuration CLI – This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings. Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 4-61 Console(config)#sntp poll 60 4-61 Console(config)#sntp client 4-60 Console(config)#exit Console#show sntp Current time: 6 14:56:05 2004 Poll interval: 60...
  • Page 94: Figure 3-21 Ntp Client Configuration

    Configuring the Switch Web – Select SNTP, Configuration. Modify any of the required NTP parameters, and click Apply. Figure 3-21 NTP Client Configuration CLI – This example configures the switch to operate as an NTP client and then displays the current settings. Console(config)#ntp authentication-key 19 md5 thisiskey19 4-65 Console(config)#ntp authentication-key 30 md5 ntpkey30...
  • Page 95: Setting The Time Zone

    Basic Configuration Setting the Time Zone SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
  • Page 96: Simple Network Management Protocol

    Configuring the Switch Simple Network Management Protocol SNMP is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.
  • Page 97: Enabling Snmp Agent Status

    Simple Network Management Protocol Table 3-4 SNMPv3 Security Models and Levels Model Level Group Read View Write View Notify View Security noAuthNoPriv public defaultview none none Community string only (read only) noAuthNoPriv private defaultview defaultview none Community string only (read/write) noAuthNoPriv user defined user defined user defined user defined Community string only noAuthNoPriv public defaultview...
  • Page 98: Setting Community Access Strings

    Configuring the Switch Setting Community Access Strings You may configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. All community strings used for IP Trap Managers should be listed in this table. For security reasons, you should consider removing the default strings. Note that v1/v2c community strings travel in clear text in every SNMP packet; where the management station supports it, prefer SNMPv3 users at the authPriv level (Table 3-4) and restrict the source addresses allowed for SNMP access (see "Filtering IP Addresses for Management Access").
  • Page 99: Specifying Trap Managers And Trap Types

    Simple Network Management Protocol Specifying Trap Managers and Trap Types Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as HP OpenView).
  • Page 100 Configuring the Switch top of the SNMP Configuration page (for Version 1 or 2c clients), or define a corresponding “User Name” in the SNMPv3 Users page (for Version 3 clients). (Range: 1-32 characters, case sensitive) • Trap UDP Port – Specifies the UDP port number used by the trap manager. (Default: 162) •...
  • Page 101: Figure 3-25 Configuring Ip Trap Managers

    Simple Network Management Protocol Web – Click SNMP, Configuration. Enter the IP address and community string for each management station that will receive trap messages, specify the UDP port, trap version, trap security level (for v3 clients), trap inform settings (for v2c/v3 clients), and then click Add.
  • Page 102: Configuring Snmpv3 Management Access

    Configuring the Switch Configuring SNMPv3 Management Access To configure SNMPv3 management access to the switch, follow these steps: 1. If you want to change the default engine ID, it must be changed first before configuring other parameters. 2. Specify read and write access views for the switch MIB tree. 3.
  • Page 103: Specifying A Remote Engine Id

    Simple Network Management Protocol Specifying a Remote Engine ID To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.
  • Page 104: Configuring Snmpv3 Users

    Configuring the Switch Configuring SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view. Command Attributes •...
  • Page 105: Figure 3-28 Configuring Snmpv3 Users

    Simple Network Management Protocol Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
  • Page 106: Configuring Remote Snmpv3 Users

    Configuring the Switch Configuring Remote SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view. To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
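The two sections above ("Specifying a Remote Engine ID" and "Configuring Remote SNMPv3 Users") both state that the remote engine ID feeds the security digest. The following is an added example, not code from the manual or the switch: it implements the RFC 3414 password-to-key and key-localization steps so you can see that the same user password yields a different key for every engine ID, which is why an inform to a remote user is rejected unless the switch was told that remote engine ID. The RFC 3414 appendix A.3 test vector is used for the local case; REMOTE_ENGINE_ID is a constructed value for a hypothetical remote agent.

```python
"""Added example (not from the Samsung manual): RFC 3414 password-to-key
and key localization, which is why the switch must know the remote agent's
engine ID before it can authenticate or encrypt informs sent to it."""
import hashlib

# RFC 3414 section A.2: the password is repeated to 1,048,576 octets and hashed.
PASSWORD_EXPANSION = 1048576


def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """Ku = H(password repeated out to exactly 1 MiB). Deliberately slow."""
    stream = (password * (PASSWORD_EXPANSION // len(password) + 1))[:PASSWORD_EXPANSION]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku)  (RFC 3414 section 2.6)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def user_keys(password: str, engine_id: bytes, algo: str = "md5") -> bytes:
    """Localized key for one (user password, engine ID) pair.

    For a local user the switch's own engine ID is used.  For an inform sent
    to a user on a remote agent the *remote* engine ID must be used; otherwise
    the digest the receiver computes will not match and the inform is dropped.
    """
    return localize_key(password_to_key(password.encode(), algo), engine_id, algo)


# RFC 3414 appendix A.3 test vector: password "maplesyrup", engine ID 00..02.
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
# Constructed engine ID for a hypothetical remote agent (not from the manual):
# 0x80 | enterprise 236, format 3 (MAC address), followed by a made-up MAC.
REMOTE_ENGINE_ID = bytes.fromhex("800000ec03001122334455")

if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(algo, "local :", user_keys("maplesyrup", RFC_ENGINE_ID, algo).hex())
        print(algo, "remote:", user_keys("maplesyrup", REMOTE_ENGINE_ID, algo).hex())
```

The MD5 and SHA-1 keys for RFC_ENGINE_ID reproduce the values printed in RFC 3414 appendix A.3.1 and A.3.2, so the routine can be used to check what a switch or management station has derived from a given password.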
  • Page 107: Figure 3-29 Configuring Remote Snmpv3 Users

    Simple Network Management Protocol Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
  • Page 108: Configuring Snmpv3 Groups

    Configuring the Switch Configuring SNMPv3 Groups An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views. Command Attributes •...
  • Page 109 Simple Network Management Protocol Table 3-5 Supported Notification Messages (Continued) Object Label Object ID Description 1.3.6.1.6.3.1.1.5.3 A linkDown trap signifies that the SNMP linkDown entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state (but not from the notPresent state).
  • Page 110: Figure 3-30 Configuring Snmpv3 Groups

    * These are legacy notifications and therefore must be enabled in conjunction with the corresponding traps on the SNMP Configuration menu. † The MIB Object Identifiers for the iES4028F, iES4028FP, and iES4024GP are 1.3.6.1.4.1.236.4.1.12.1.102, 1.3.6.1.4.1.236.4.1.12.1.101, and 1.3.6.1.4.1.236.4.1.12.1.103 respectively. Note that the iES4028F does not support PoE and therefore does not include these private traps.
  • Page 111: Setting Snmpv3 Views

    Simple Network Management Protocol CLI – Use the snmp-server group command to configure a new group, specifying the security model and level, and restricting MIB access to defined read and write views. Console(config)#snmp-server group secure-users v3 priv read defaultview write defaultview notify defaultview 4-96 Console(config)#exit Console#show snmp group...
  • Page 112: Figure 3-31 Configuring Snmpv3 Views

    Configuring the Switch Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view. Click Back to save the new view and return to the SNMPv3 Views list.
  • Page 113: User Authentication

    User Authentication CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included 4-94 Console(config)#exit Console#show snmp view 4-95 View Name: ifEntry.a Subtree OID: 1.3.6.1.2.1.2.2.1.1.*...
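The view example above uses a wildcard component ("*") to select every row of the ifIndex column. The following is an added example, not code from the manual: a small model of how a VACM view (RFC 3415 vacmViewTreeFamily) decides whether an OID is visible, translating the switch's "*" notation into a family mask and applying the most-specific-subtree-wins rule when included and excluded subtrees overlap. The view names and OIDs other than ifEntry.a are constructed for the demonstration.

```python
"""Added example (not from the Samsung manual): VACM view matching with
wildcard subtree components, in the spirit of RFC 3415 section 4.1.3."""
from typing import List, Tuple


def parse_subtree(spec: str) -> Tuple[List[int], List[bool]]:
    """'1.3.6.1.2.1.2.2.1.1.*' -> (subtree, mask); mask False = wildcard."""
    parts = spec.split(".")
    subtree = [0 if p == "*" else int(p) for p in parts]
    mask = [p != "*" for p in parts]
    return subtree, mask


class SnmpView:
    def __init__(self, name: str):
        self.name = name
        self.families = []  # (subtree, mask, included)

    def add(self, spec: str, included: bool = True) -> "SnmpView":
        subtree, mask = parse_subtree(spec)
        self.families.append((subtree, mask, included))
        return self

    def contains(self, oid: str) -> bool:
        """An OID is in the view if the longest matching family is 'included'.

        A family matches when the OID is at least as long as the subtree and
        every non-wildcard subtree component equals the OID component.
        """
        target = [int(x) for x in oid.split(".")]
        best = None  # ((len, subtree), included)
        for subtree, mask, included in self.families:
            if len(target) < len(subtree):
                continue
            if all((not m) or t == s for t, s, m in zip(target, subtree, mask)):
                key = (len(subtree), subtree)
                if best is None or key > best[0]:
                    best = (key, included)
        return best is not None and best[1]


# The view from the manual's example: all ifIndex rows of the interfaces table.
IF_ENTRY_A = SnmpView("ifEntry.a").add("1.3.6.1.2.1.2.2.1.1.*")
# Constructed view: everything except the USM user table subtree.
MGMT_VIEW = SnmpView("mgmt").add("1").add("1.3.6.1.6.3.15", included=False)
```

With this rule a user whose group grants only ifEntry.a can walk ifIndex (1.3.6.1.2.1.2.2.1.1.N) but receives noSuchObject for ifDescr (1.3.6.1.2.1.2.2.1.2.N); MGMT_VIEW shows how a narrow excluded subtree overrides a broad included one.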
  • Page 114: Configuring User Accounts

    Configuring the Switch Configuring User Accounts The guest only has read access for most configuration parameters. However, the administrator has write access for all parameters governing the onboard agent. You should therefore assign a new administrator password as soon as possible, and store it in a safe place.
  • Page 115: Configuring Local/Remote Logon Authentication

    User Authentication Web – Click Security, User Accounts. To configure a new user account, specify a user name, select the user’s access level, then enter a password and confirm it. Click Add to save the new user account and add it to the Account List. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply.
  • Page 116 Configuring the Switch multiple user name/password pairs with associated privilege levels for each user that requires management access to the switch. RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
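The paragraph above says RADIUS protects only the password while TACACS+ protects the whole packet body. The following is an added example, not code from the manual or the switch, that builds a RADIUS Access-Request using the RFC 2865 User-Password hiding and a TACACS+ authentication body using the RFC 8907 pseudo-pad, so the difference can be inspected on the bytes. The shared secret, authenticator, credentials, session ID and NAS address are constructed for the demonstration (attribute 4 is NAS-IP-Address, the attribute set by `radius-server attribute 4` on the next page).

```python
"""Added example (not from the Samsung manual): what RADIUS and TACACS+
actually protect on the wire.  RFC 2865 hides only User-Password;
RFC 8907 obfuscates the entire TACACS+ body.  All values are constructed."""
import hashlib
import ipaddress
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, then
    c_i = p_i XOR MD5(secret || c_{i-1}) with c_0 = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password (what the RADIUS server does)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def radius_access_request(ident, authenticator, username, password, secret, nas_ip):
    """Access-Request: only User-Password is hidden; User-Name and
    NAS-IP-Address (attribute 4) are sent in clear text."""
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, radius_hide_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, ipaddress.ip_address(nas_ip).packed))
    return struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def tacacs_obfuscate(body: bytes, key: bytes, session_id: int,
                     version: int = 0xC0, seq_no: int = 1) -> bytes:
    """RFC 8907 section 4.5: body XOR pseudo_pad, where
    MD5_1 = MD5(session_id || key || version || seq_no) and
    MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1}).
    XOR is its own inverse, so the same call decrypts."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


# Constructed sample values (not from the manual).
SECRET = b"green"
AUTHENTICATOR = bytes(range(16))       # a real client uses 16 random octets
USER, PASSWORD, PORT = b"admin", b"s3cret!", b"tty0"
SESSION_ID = 0x1234ABCD
SAMPLE_RADIUS = radius_access_request(7, AUTHENTICATOR, USER, PASSWORD, SECRET, "192.168.1.1")
# TACACS+ authentication START body: action LOGIN, priv 1, authen_type PAP,
# service LOGIN, then user/port/rem_addr/data lengths and the fields.
TACACS_BODY = struct.pack("!8B", 1, 1, 2, 1, len(USER), len(PORT), 0, len(PASSWORD)) + USER + PORT + PASSWORD
SAMPLE_TACACS = tacacs_obfuscate(TACACS_BODY, SECRET, SESSION_ID)

if __name__ == "__main__":
    print("RADIUS :", SAMPLE_RADIUS.hex())   # user name readable as ASCII
    print("TACACS+:", SAMPLE_TACACS.hex())   # nothing readable
```

Neither scheme is modern cryptography (both are MD5 keystreams derived from a static shared secret), so the usual practitioner guidance applies: keep the server on a management VLAN, use a long random secret, and note that the username and accounting data in RADIUS are visible to anyone on the path.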
  • Page 117 User Authentication - Accounting Port Number – UDP port on authentication server used for accounting messages. (Range: 1-65535; Default: 1813) - Number of Server Transmits – Number of times the switch tries to authenticate logon access via the authentication server. (Range: 1-30; Default: 2) - Timeout for a reply –...
  • Page 118: Figure 3-33 Authentication Settings

    Configuring the Switch Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply. Figure 3-33 Authentication Settings 3-62...
  • Page 119 User Authentication CLI – Specify all the required parameters to enable logon authentication. Console(config)#authentication login radius 4-103 Console(config)#radius-server auth-port 181 4-106 Console(config)#radius-server acct-port 183 4-106 Console(config)#radius-server retransmit 5 4-108 Console(config)#radius-server timeout 10 4-108 Console(config)#radius-server 1 host 192.168.1.25 4-105 Console(config)#radius-server attribute 4 192.168.1.1 4-107 Console(config)#end Console#show radius-server...
  • Page 120: Configuring Encryption Keys

    Configuring the Switch Console#configure Console(config)#authentication login tacacs 4-103 Console(config)#tacacs-server 1 host 10.20.30.40 4-110 Console(config)#tacacs-server port 200 4-110 Console(config)#tacacs-server retransmit 5 4-111 Console(config)#tacacs-server timeout 10 4-112 Console(config)#tacacs-server key green 4-111 Console#show tacacs-server 4-113 Remote TACACS+ server configuration: Global Settings: Server Port Number: Retransmit Times Request Times Server 1:...
  • Page 121: Aaa Authorization And Accounting

    User Authentication - Confirm Secret Text String – Re-type the string entered in the previous field to ensure no errors were made. The switch will not change the encryption key if these two fields do not match. - Change – Clicking this button adds or modifies the selected encryption key. Web –...
  • Page 122: Configuring Aaa Radius Group Settings

    Configuring the Switch • Accounting for users that access management interfaces on the switch through the console and Telnet. • Accounting for commands that users enter at specific CLI privilege levels. • Authorization of users that access management interfaces on the switch through the console and Telnet.
  • Page 123: Configuring Aaa Tacacs+ Group Settings

    User Authentication CLI – Specify the group name for a list of RADIUS servers, and then specify the index number of a RADIUS server to add it to the group. Console(config)#aaa group server radius tps 4-114 Console(config-sg-radius)#server 1 4-115 Console(config-sg-radius)#server 2 4-115 Console(config-sg-radius)# Configuring AAA TACACS+ Group Settings...
  • Page 124: Figure 3-37 Aaa Accounting Settings

    Configuring the Switch The method name is only used to describe the accounting method(s) configured on the specified accounting servers, and does not actually send any information to the servers about the methods to use. • Service Request – Specifies the service as either 802.1X (user accounting) or Exec (administrative accounting for local console, Telnet, or SSH connections).
  • Page 125: Aaa Accounting Update

    User Authentication CLI – Specify the accounting method required, followed by the chosen parameters. Console(config)#aaa accounting dot1x tps start-stop group radius 4-116 Console(config)# AAA Accounting Update This feature sets the interval at which accounting updates are sent to accounting servers. Command Attributes Periodic Update - Specifies the interval at which the local accounting service updates information to the accounting server.
  • Page 126: Aaa Accounting 802.1X Port Settings

    Configuring the Switch AAA Accounting 802.1X Port Settings This feature applies the specified accounting method to an interface. Command Attributes • Port/Trunk - Specifies a port or trunk number. • Method Name - Specifies a user defined method name to apply to the interface. This method must be defined in the AAA Accounting Settings menu (page 3-66).
  • Page 127: Aaa Accounting Exec Command Privileges

    User Authentication AAA Accounting Exec Command Privileges This feature specifies a method name to apply to commands entered at specific CLI privilege levels. Command Attributes • Commands Privilege Level - The CLI privilege levels (0-15). • Console/Telnet - Specifies a user-defined method name to apply to commands entered at the specified CLI privilege level.
  • Page 128: Aaa Accounting Exec Settings

    Configuring the Switch AAA Accounting Exec Settings This feature specifies a method name to apply to console and Telnet connections. Command Attributes Method Name - Specifies a user defined method name to apply to console and Telnet connections. Web – Click Security, AAA, Accounting, Exec Settings. Enter a defined method name for console and Telnet connections, and click Apply.
  • Page 129: Figure 3-42 Aaa Accounting Summary

    User Authentication Web – Click Security, AAA, Summary. Figure 3-42 AAA Accounting Summary CLI – Use the following command to display the currently applied accounting methods, and registered users. Console#show accounting 4-122 Accounting Type : dot1x Method List : default Group List : radius Interface...
  • Page 130: Authorization Settings

    Configuring the Switch Console#show accounting statistics Total entries: 3 Acconting type : dot1x Username : testpc Interface : eth 1/1 Time elapsed since connected: 00:24:44 Acconting type : exec Username : admin Interface : vty 0 Time elapsed since connected: 00:25:09 Console# Authorization Settings AAA authorization is a feature that verifies a user has access to specific services.
  • Page 131: Authorization Exec Settings

    User Authentication Authorization EXEC Settings This feature specifies an authorization method name to apply to console and Telnet connections. Command Attributes Method Name - Specifies a user-defined method name to apply to console and Telnet connections. Web – Click Security, AAA, Authorization, Exec Settings. Enter a defined method name for console and Telnet connections, and click Apply.
  • Page 132: Authorization Summary

    Configuring the Switch Authorization Summary The Authorization Summary displays the configured authorization methods and the interfaces to which they are applied. Command Attributes • Accounting Type - Displays the accounting service. • Method List - Displays the user-defined or default authorization method. •...
  • Page 133: Configuring Https

    User Authentication Configuring HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Command Usage • Both the HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure both services to use the same TCP port.
  • Page 134: Replacing The Default Secure-Site Certificate

    Configuring the Switch Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply. Figure 3-46 HTTPS Settings CLI – This example enables the HTTP secure server and modifies the port number. Console(config)#ip http secure-server 4-124 Console(config)#ip http secure-port 443 4-125...
  • Page 135: Configuring The Secure Shell

    User Authentication • Private Password – Password stored in the private key file. This password is used to verify authorization for certificate use, and is verified when downloading the certificate to the switch. Web – Click Security, HTTPS Settings. Fill in the TFTP server, certificate and private file name details, then click Copy Certificate.
  • Page 136 Configuring the Switch Notes: 1. You need to install an SSH client on the management station to access the switch for management via the SSH protocol. The switch supports both SSH Version 1.5 and 2.0 clients. (SSH version 1 has known protocol weaknesses; configure clients to negotiate version 2 only and restrict the management station addresses allowed to reach the SSH server.) Command Usage The SSH server on this switch supports both password and public key authentication.
  • Page 137 User Authentication 6. Authentication – One of the following authentication methods is employed: Password Authentication (for SSH v1.5 or V2 Clients) a. The client sends its password to the server. b. The switch compares the client's password to those stored in memory. c.
  • Page 138: Generating The Host Key Pair

    Configuring the Switch Generating the Host Key Pair A host public/private key pair is used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the preceding section (Command Usage).
  • Page 139: Figure 3-48 Ssh Host-Key Settings

    User Authentication Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate. Figure 3-48 SSH Host-Key Settings CLI –...
  • Page 140: Importing User Public Keys

    Configuring the Switch Importing User Public Keys A user’s Public Key must be uploaded to the switch in order for the user to be able to log in using the public key authentication mechanism. If the user’s public key does not exist on the switch, SSH will revert to the interactive password authentication mechanism to complete authentication.
  • Page 141: Figure 3-49 Ssh User Public-Key Settings

    User Authentication Web – Click Security, SSH, SSH User Public-Key Settings. Select the user name and the public-key type from the respective drop-down boxes, input the TFTP server IP address and the public key source file name, and then click Copy Public Key. Figure 3-49 SSH User Public-Key Settings 3-85...
  • Page 142: Configuring The Ssh Server

    Configuring the Switch CLI – This example imports an SSHv2 DSA public key for the user admin and then displays admin’s imported public keys. Note that public key authentication through SSH is only supported for users configured locally on the switch. Console#copy tftp public-key 4-35 TFTP server IP address: 192.168.1.254...
  • Page 143: Figure 3-50 Ssh Server Settings

    User Authentication • SSH Authentication Retries – Specifies the number of authentication attempts that a client is allowed before authentication fails and the client has to restart the authentication process. (Range: 1-5 times; Default: 3) • SSH Server-Key Size – Specifies the SSH server key size. (Range: 512-896 bits;...
  • Page 144: Configuring 802.1X Port Authentication

    Configuring the Switch Configuring 802.1X Port Authentication Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data.
  • Page 145: Displaying 802.1X Global Settings

    User Authentication • Each switch port that will be used must be set to dot1X “Auto” mode. • Each client that needs to be authenticated must have dot1X client software installed and properly configured. • The RADIUS server and 802.1X client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.) •...
  • Page 146: Configuring 802.1X Global Settings

    Configuring the Switch Configuring 802.1X Global Settings The 802.1X protocol provides port-based client authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active. Command Attributes 802.1X System Authentication Control – Sets the global setting for 802.1X. (Default: Disabled) Web –...
  • Page 147: Figure 3-53 802.1X Port Configuration

    User Authentication • Re-authentication – Sets the client to be re-authenticated after the interval specified by the Re-authentication Period. Re-authentication can be used to detect if a new device is plugged into a switch port. (Default: Disabled) • Max-Request – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session.
  • Page 148 Configuring the Switch CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 4-143. Console(config)#interface ethernet 1/2 4-188 Console(config-if)#dot1x port-control auto 4-138 Console(config-if)#dot1x re-authentication 4-140 Console(config-if)#dot1x max-req 5 4-138...
  • Page 149: Displaying 802.1X Statistics

    User Authentication Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port. Table 3-7 802.1X Statistics Parameter Description Rx EAPOL Start The number of EAPOL Start frames that have been received by this Authenticator. Rx EAPOL Logoff The number of EAPOL Logoff frames that have been received by this Authenticator.
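Table 3-7 counts received EAPOL frames by type. The following is an added example, not code from the manual or the switch: a parser for the EAPOL framing (EtherType 0x888E, IEEE 802.1X header, embedded EAP packet) that sorts a captured frame into the counter it would increment, using the manual's Rx counter names. The sample frames are constructed inline; the exact rules by which the switch firmware distinguishes "Invalid" from "LenError" are not on the page, so the classification shown is the example's own reading of 802.1X.

```python
"""Added example (not from the Samsung manual): classify received EAPOL
frames into the Rx counters of Table 3-7.  Frames below are constructed."""
import struct
from collections import Counter

ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def classify_eapol(frame: bytes):
    """Return the Rx counter name for this frame, or None if it is not EAPOL."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    _version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if ptype == EAPOL_START:
        return "Rx EAPOL Start"
    if ptype == EAPOL_LOGOFF:
        return "Rx EAPOL Logoff"
    if ptype != EAPOL_EAP_PACKET:   # EAPOL-Key, ASF-Alert and unknown types
        return "Rx EAPOL Invalid"
    if len(body) < 4:
        return "Rx EAP LenError"
    code, _ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > len(body):   # EAP length field disagrees with frame
        return "Rx EAP LenError"
    if code != EAP_RESPONSE:   # an authenticator only expects Responses from a supplicant
        return "Rx EAPOL Invalid"
    if eap_len >= 5 and body[4] == EAP_TYPE_IDENTITY:
        return "Rx EAP Resp/Id"
    return "Rx EAP Resp/Oth"


def eapol_statistics(frames) -> dict:
    """Per-port style statistics over a list of raw Ethernet frames."""
    stats = Counter()
    last_version, last_src = None, None
    for frame in frames:
        name = classify_eapol(frame)
        if name is None:
            continue
        stats[name] += 1
        last_version, last_src = frame[14], frame[6:12].hex("-")
    result = dict(stats)
    result["Rx Last EAPOLVer"] = last_version
    result["Rx Last EAPOLSrc"] = last_src
    return result


def build_eapol(src: bytes, ptype: int, body: bytes = b"", version: int = 2) -> bytes:
    """Constructed frame to the PAE group address 01-80-C2-00-00-03."""
    dst = bytes.fromhex("0180c2000003")
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, version, ptype, len(body)) + body


def eap_response(identifier: int, eap_type: int, data: bytes) -> bytes:
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(data), eap_type) + data


SUPPLICANT = bytes.fromhex("000102030405")   # constructed supplicant MAC
SAMPLE_FRAMES = [
    build_eapol(SUPPLICANT, EAPOL_START),
    build_eapol(SUPPLICANT, EAPOL_EAP_PACKET, eap_response(1, EAP_TYPE_IDENTITY, b"alice")),
    build_eapol(SUPPLICANT, EAPOL_EAP_PACKET, eap_response(2, 4, b"\x10" + bytes(16))),  # MD5-Challenge
    build_eapol(SUPPLICANT, EAPOL_EAP_PACKET, b"\x02\x03\x00\x40"),   # claims 64 bytes, carries 4
    build_eapol(SUPPLICANT, 9),                                         # unknown EAPOL type
    build_eapol(SUPPLICANT, EAPOL_LOGOFF, version=1),
    bytes.fromhex("ffffffffffff") + SUPPLICANT + b"\x08\x06" + bytes(28),  # ARP, not counted
]
SAMPLE_STATS = eapol_statistics(SAMPLE_FRAMES)
```

A sudden rise in "Rx EAPOL Logoff" or "Rx EAP LenError" from one port is worth a look: unsolicited EAPOL-Logoff frames with a spoofed source are a known way to knock an authenticated station off a port.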
  • Page 150: Filtering Ip Addresses For Management Access

    Configuring the Switch Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics. Figure 3-54 Displaying 802.1X Port Statistics CLI – This example displays the 802.1X statistics for port 4. Console#show dot1x statistics interface ethernet 1/4 4-143 Eth 1/4...
  • Page 151: Figure 3-55 Creating An Ip Filter List

    User Authentication • IP address can be configured for SNMP, web and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges. • When entering addresses for the same group (i.e., SNMP, web or Telnet), the switch will not accept overlapping address ranges.
  • Page 152: General Security Measures

    Configuring the Switch CLI – This example allows SNMP access for a specific client. Console(config)#management snmp-client 10.1.2.3 4-146 Console(config)#end Console#show management all-client Management IP Filter HTTP-Client: Start IP address End IP address ----------------------------------------------- SNMP-Client: Start IP address End IP address ----------------------------------------------- 1.
  • Page 153: Configuring Port Security

    General Security Measures • IP Source Guard – Filters IP traffic on unsecure ports whose source address cannot be matched against the DHCP snooping binding table or a static binding. (See “IP Source Guard” on page 3-123.) Note: The priority of execution for the filtering commands is Port Security, Port Authentication, Network Access, Web Authentication, Access Control Lists, IP Source Guard, and then DHCP Snooping.
  • Page 154: Web Authentication

    Configuring the Switch • Security Status – Enables or disables port security on the port. (Default: Disabled) • Max MAC Count – The maximum number of MAC addresses that can be learned on a port. (Range: 0 - 1024, where 0 means disabled) •...
  • Page 155: Configuring Web Authentication

    General Security Measures Configuring Web Authentication Web authentication is configured on a per-port basis, however there are four configurable parameters that apply globally to all ports on the switch. Command Attributes • System Authentication Control – Enables Web Authentication for the switch. (Default: Disabled) •...
  • Page 156: Configuring Web Authentication For Ports

    Configuring the Switch Configuring Web Authentication for Ports Web authentication is configured on a per-port basis. The following parameters are associated with each port. Command Attributes • Port – Indicates the port being configured • Status – Configures the web authentication status for the port. •...
  • Page 157: Displaying Web Authentication Port Information

    General Security Measures Displaying Web Authentication Port Information This switch can display web authentication information for all ports and connected hosts. Command Attributes • Interface – Indicates the ethernet port to query. • IP Address – Indicates the IP address of each connected host. •...
  • Page 158: Network Access (Mac Address Authentication)

    Configuring the Switch Web – Click Security, Web Authentication, Re-authentication. Figure 3-60 Web Authentication Port Re-authentication CLI – This example forces the re-authentication of all hosts connected to port 1/5. Console#web-auth re-authenticate interface ethernet 1/5 4-162 Console# Network Access (MAC Address Authentication) Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations.
  • Page 159: Configuring The Mac Authentication Reauthentication Time

    General Security Measures • Configured static MAC addresses are added to the secure address table when seen on a switch port. Static addresses are treated as authenticated without sending a request to a RADIUS server. • When port status changes to down, all MAC addresses are cleared from the secure MAC address table.
  • Page 160: Configuring Mac Authentication For Ports

    Configuring the Switch CLI – This example sets and displays the reauthentication time. Console(config)#mac-authentication reauth-time 3000 4-155 Console(config)#network-access aging 4-151 Console(config)#exit Console#show network-access interface ethernet 1/1 4-157 Global secure port information Reauthentication Time : 3000 -------------------------------------------------- -------------------------------------------------- Port : 1/1 MAC Authentication : Disabled MAC Authentication Intrusion action...
  • Page 161: Figure 3-62 Network Access Port Configuration

    General Security Measures Note: MAC authentication cannot be configured on trunk ports. Ports configured as trunk members are indicated on the Network Access Port Configuration page in the “Trunk” column. Web – Click Security, Network Access, Port Configuration. Figure 3-62 Network Access Port Configuration CLI –...
  • Page 162: Displaying Secure Mac Address Information

    Configuring the Switch Displaying Secure MAC Address Information Authenticated MAC addresses are stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected entries removed from the table. Command Attributes • Network Access MAC Address Count – The number of MAC addresses currently in the secure MAC address table.
  • Page 163: Mac Authentication

    General Security Measures CLI – This example displays all entries currently in the secure MAC address table. Console#show network-access mac-address-table 4-158 ---- ----------------- --------------- --------- ------------------------- Port MAC-Address RADIUS-Server Attribute Time ---- ----------------- --------------- --------- ------------------------- 00-00-01-02-03-04 172.155.120.17 Static 00d06h32m50s 00-00-01-02-03-05 172.155.120.17 Dynamic 00d06h33m20s...
  • Page 164: Access Control Lists

    Configuring the Switch Web – Click Security, MAC Authentication. Modify the Maximum MAC Count and Intrusion Action. Click Apply. Figure 3-64 MAC Authentication Port Configuration CLI – This example configures the maximum MAC count to 32 and sets the intrusion action to block all traffic for port 1.
  • Page 165: Setting The Acl Name And Type

    General Security Measures The order in which active ACLs are checked is as follows: 1. User-defined rules in the Ingress MAC ACL for ingress ports. 2. User-defined rules in the Ingress IP ACL for ingress ports. 3. Explicit default rule (permit any any) in the ingress MAC ACL for ingress ports. 4.
  • Page 166: Configuring A Standard Ip Acl

    Configuring the Switch Configuring a Standard IP ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Address Type – Specifies the source IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP” to specify a range of addresses with the Address and SubMask fields.
  • Page 167: Configuring An Extended Ip Acl

    General Security Measures Configuring an Extended IP ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source/Destination Address Type – Specifies the source or destination IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP”...
  • Page 168: Figure 3-67 Configuring Extended Ip Acls

    Configuring the Switch Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range.
  • Page 169: Configuring A Mac Acl

    General Security Measures Configuring a MAC ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bitmask fields.
  • Page 170: Figure 3-68 Configuring Mac Acls

    Configuring the Switch Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range.
  • Page 171: Binding A Port To An Access Control List

    Command Attributes • Port – Fixed port or SFP module. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • IP – Specifies the IP ACL to bind to a port. • MAC – Specifies the MAC ACL to bind to a port.
  • Page 172: Dhcp Snooping

    Configuring the Switch DHCP Snooping The addresses assigned to DHCP clients on unsecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard). DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server.
  • Page 173: Configuring Dhcp Snooping

    General Security Measures - If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN. - If a DHCP packet from a server is received on a trusted port, it will be forwarded to both trusted and untrusted ports in the same VLAN.
  • Page 174: Configuring Vlans For Dhcp Snooping

    Configuring the Switch Configuring VLANs for DHCP Snooping Use the DHCP Snooping VLAN Configuration page to enable or disable DHCP snooping on specific VLANs. Command Usage • When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN.
  • Page 175: Figure 3-72 Dhcp Snooping Information Option Configuration

    General Security Measures Command Usage • DHCP Snooping (see page 3-117) must be enabled for Option 82 information to be inserted into request packets. • When Option 82 is enabled, the requesting client (or an intermediate relay agent that has used the information fields to describe itself) can be identified in the DHCP request packets forwarded by the switch and in reply packets sent back from the DHCP server.
  • Page 176: Configuring Ports For Dhcp Snooping

    Configuring the Switch CLI – This example enables DHCP Snooping Information Option, and sets the policy as replace Console(config)#ip dhcp snooping information option 4-169 Console(config)#ip dhcp snooping information policy replace 4-170 Console(config)#exit Console#show ip dhcp snooping 4-171 Global DHCP Snooping status: disable DHCP Snooping Information Option Status: disable DHCP Snooping Information Policy: replace DHCP Snooping is configured on the following VLANs:...
  • Page 177: Figure 3-73 Dhcp Snooping Port Configuration

    General Security Measures Command Attributes • Trust Status – Enables or disables port as trusted. Web – Click DHCP Snooping, Port Configuration. Figure 3-73 DHCP Snooping Port Configuration CLI – This example shows how to enable the DHCP Snooping Trust Status for ports Console(config)#interface ethernet 1/5 Console(config-if)#ip dhcp snooping trust 4-167...
  • Page 178: Displaying Dhcp Snooping Binding Information

    Configuring the Switch Displaying DHCP Snooping Binding Information Binding table entries can be displayed on the Binding Information page. Command Attributes • Store DHCP snooping binding entries to flash. – Writes all dynamically learned snooping entries to flash memory. This function can be used to store the currently learned dynamic DHCP snooping entries to flash memory.
  • Page 179: Ip Source Guard

    General Security Measures IP Source Guard IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping” on page 3-116).
  • Page 180: Figure 3-75 Ip Source Guard Port Configuration

    Configuring the Switch Command Attributes • Filter Type – Configures the switch to filter inbound traffic based on source IP address, or on source IP address and corresponding MAC address. (Default: None) • None – Disables IP source guard filtering on the port. •...
  • Page 181: Configuring Static Binding For Ip Source Guard

    • Current Static Binding Table – The list of current static entries in the table. • Port – The port to which a static entry is bound. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • VLAN ID – ID of a configured VLAN (Range: 1-4094) •...
  • Page 182: Displaying Information For Dynamic Ip Source Guard Bindings

    Configuring the Switch Web – Click IP Source Guard, Static Configuration. Select the VLAN and port to which the entry will be bound, enter the MAC address and associated IP address, then click Add. Figure 3-76 Static IP Source Guard Binding Configuration CLI –...
  • Page 183: Figure 3-77 Dynamic Ip Source Guard Binding Information

    General Security Measures Web – Click IP Source Guard, Dynamic Information. Figure 3-77 Dynamic IP Source Guard Binding Information CLI – This example shows how to configure a static source-guard binding on port 5 4-175 Console#show ip source-guard binding MacAddress IpAddress Lease(sec) Type VLAN Interface...
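The following is an added example, not code from the Samsung manual or the switch firmware. It models, in one place, the DHCP snooping forwarding rules from the "Configuring DHCP Snooping" page (client packets reach trusted ports only; server packets on trusted ports reach every port in the VLAN), the Option 82 insertion policy, the binding table snooping builds from the lease, and the two IP Source Guard filter types that consult that table. Assumed for the example: the filter-type names "sip" and "sip-mac", the policy names "keep" and "drop" beside the "replace" shown on the page, the circuit-id text, and that a server packet arriving on an untrusted port is dropped (the usual rogue-server rule). Ports, MACs and addresses are constructed sample data.

```python
"""Added example (not from the Samsung manual or switch firmware): a model of
DHCP snooping forwarding, Option 82 policy, the resulting binding table, and
IP Source Guard filtering.  Assumed: filter-type names "sip"/"sip-mac",
policy names "keep"/"drop", the circuit-id format, and that a server packet
on an untrusted port is dropped.  All ports/MACs/IPs are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class DhcpPkt:
    role: str                        # "client" (DISCOVER/REQUEST) or "server" (OFFER/ACK)
    vlan: int
    in_port: int
    client_mac: str
    yiaddr: Optional[str] = None     # address assigned by the server (server packets only)
    option82: Optional[str] = None   # relay-agent information already in the packet


class SnoopingSwitch:
    def __init__(self, vlan_ports, trusted, snoop_vlans, option82=False, policy="replace"):
        self.vlan_ports = vlan_ports            # vlan -> set of member ports
        self.trusted = set(trusted)             # ports facing the DHCP server
        self.snoop_vlans = set(snoop_vlans)     # VLANs with snooping enabled
        self.option82, self.policy = option82, policy
        self.ipsg = {}                          # port -> "none" | "sip" | "sip-mac"
        self.bindings = {}                      # (vlan, mac) -> (ip, port, "dynamic"|"static")
        self._pending = {}                      # (vlan, mac) -> untrusted port of the requester

    def forward(self, p: DhcpPkt):
        """Return (egress ports, Option 82 carried); (set(), None) means dropped."""
        members = self.vlan_ports[p.vlan] - {p.in_port}
        if p.vlan not in self.snoop_vlans:
            return members, p.option82          # no snooping on this VLAN: plain flooding
        if p.in_port in self.trusted:
            if p.role == "server" and p.yiaddr:
                port = self._pending.pop((p.vlan, p.client_mac), None)
                if port is not None:            # learn the lease as a dynamic binding
                    self.bindings[(p.vlan, p.client_mac)] = (p.yiaddr, port, "dynamic")
            return members, p.option82          # trusted ingress: trusted and untrusted ports
        if p.role == "server":
            return set(), None                  # server packet on an untrusted port: dropped
        opt = p.option82
        if self.option82:
            mine = f"circuit-id=eth1/{p.in_port}"
            if opt is None or self.policy == "replace":
                opt = mine
            elif self.policy == "drop":
                return set(), None
            # "keep": the option the client already carried is left in place
        self._pending[(p.vlan, p.client_mac)] = p.in_port
        return members & self.trusted, opt      # client packets go to trusted ports only

    def add_static_binding(self, vlan, mac, ip, port):
        self.bindings[(vlan, mac)] = (ip, port, "static")

    def set_ipsg(self, port, mode):
        self.ipsg[port] = mode

    def ipsg_allows(self, port, vlan, src_mac, src_ip) -> bool:
        """IP Source Guard check for an inbound IP packet on 'port'."""
        mode = self.ipsg.get(port, "none")
        if mode == "none":
            return True
        for (b_vlan, b_mac), (b_ip, b_port, _) in self.bindings.items():
            if (b_vlan, b_port, b_ip) == (vlan, port, src_ip):
                return mode == "sip" or b_mac == src_mac
        return False


def demo():
    sw = SnoopingSwitch({1: {1, 2, 3, 24}}, trusted=[24], snoop_vlans=[1], option82=True)
    sw.set_ipsg(2, "sip-mac")
    mac = "00-11-22-33-44-55"
    rogue = sw.forward(DhcpPkt("server", 1, 3, mac, yiaddr="10.0.0.99"))    # rogue server, port 3
    request = sw.forward(DhcpPkt("client", 1, 2, mac))                      # client on port 2
    ack = sw.forward(DhcpPkt("server", 1, 24, mac, yiaddr="10.0.0.20"))     # real server, port 24
    return rogue, request, ack, sw


if __name__ == "__main__":
    rogue, request, ack, sw = demo()
    print(rogue, request, ack, sw.bindings)
```

The rogue server's offer on port 3 is dropped, the client's request is forwarded only to port 24 with a circuit-id inserted, and the acknowledgement from port 24 creates the dynamic binding that IP Source Guard then enforces on port 2.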
  • Page 184: Port Configuration

    Configuring the Switch Port Configuration Displaying Connection Status You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. Field Attributes (Web) • Name – Interface label. •...
  • Page 185 (Display options: shutdown, trap, trap-and-shutdown, or none) • Media Type – Shows the forced or preferred port type to use for combination ports 25-28 on iES4028F, 27-28 on iES4028FP, and 23-24 on iES4024GP. (Display options: copper forced, SFP forced, SFP preferred auto) •...
  • Page 186: Configuring Interface Connections

    Configuring the Switch Current Status: • Link Status – Indicates if the link is up or down. • Port Operation Status – Provides detailed information on port state. (Displayed only when the link is up.) • Operation Speed-duplex – Shows the current speed and duplex mode. •...
  • Page 187 Port Configuration trunk. If not used, the success of the link process cannot be guaranteed when connecting to other types of switches. However, this switch does provide a means of safely forcing a link to operate at 1000 Mbps, full-duplex using the Giga Phy Mode attribute described below.
  • Page 188: Figure 3-79 Port/Trunk Configuration

    1000BASE-SX/LX/LH – 1000full) • Media Type – Configures the forced/preferred port type to use for the combination ports. (Ports 25-28 on iES4028F, 27-28 on iES4028FP, and 23-24 on iES4024GP) - Copper-Forced - Always uses the built-in RJ-45 port. - SFP-Forced - Always uses the SFP port (even if module is not installed).
  • Page 189 Port Configuration CLI – Select the interface, and then enter the required settings. Console(config)#interface ethernet 1/13 4-188 Console(config-if)#description RD SW#13 4-189 Console(config-if)#shutdown 4-195 Console(config-if)#no shutdown Console(config-if)#no negotiation 4-190 Console(config-if)#speed-duplex 100half 4-189 Console(config-if)#flowcontrol 4-192 Console(config-if)#negotiation Console(config-if)#capabilities 100half 4-191 Console(config-if)#capabilities 100full Console(config-if)#capabilities flowcontrol Console(config-if)# 3-133...
  • Page 190: Creating Trunk Groups

    Configuring the Switch Creating Trunk Groups You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices.
  • Page 191: Statically Configuring A Trunk

    - Trunk – Trunk identifier. (Range: 1-8) - Port – Port identifier. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) Web – Click Port, Trunk Membership. Enter a trunk ID of 1-8 in the Trunk field, select any of the switch ports from the scroll-down port list, and click Add. After you have completed adding ports to the member list, click Apply.
  • Page 192: Enabling Lacp On Selected Ports

    Configuring the Switch CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk. Console(config)#interface port-channel 2 4-188 Console(config-if)#exit Console(config)#interface ethernet 1/1 4-188 Console(config-if)#channel-group 2 4-203 Console(config-if)#exit...
  • Page 193: Figure 3-81 Lacp Trunk Configuration

    • New – Includes entry fields for creating new trunks. - Port – Port identifier. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add. After you have completed adding ports to the member list, click Apply.
  • Page 194: Configuring Parameters For Lacp Group Members

    Configuring the Switch CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk. Console(config)#interface ethernet 1/1 4-188 Console(config-if)#lacp 4-204 Console(config-if)#exit Console(config)#interface ethernet 1/6 Console(config-if)#lacp Console(config-if)#end Console#show interfaces status port-channel 1...
  • Page 195 • Port – Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • System Priority – LACP system priority is used to determine link aggregation group (LAG) membership, and to identify this device to other switches during LAG negotiations.
  • Page 196: Figure 3-82 Lacp Port Configuration

    Configuring the Switch Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.
  • Page 197: Configuring Parameters For Lacp Groups

    Port Configuration CLI – The following example configures LACP parameters for ports 1-4. Ports 1-4 are used as active members of the LAG. Console(config)#interface ethernet 1/1 4-188 Console(config-if)#lacp actor system-priority 3 4-205 Console(config-if)#lacp actor admin-key 120 4-206 Console(config-if)#lacp actor port-priority 128 4-208 Console(config-if)#exit Console(config)#interface ethernet 1/4...
  • Page 198: Displaying Lacp Port Counters

    Configuring the Switch Web – Click Port, LACP, Aggregator. Set the Admin Key for the required LACP group, and click Apply. Figure 3-83 LACP Aggregation Group Configuration CLI – The following example sets the LACP admin key for port channel 1. Console(config)#interface port-channel 1 4-188 Console(config-if)#lacp actor admin-key 3...
  • Page 199: Displaying Lacp Settings And Status For The Local Side

    Port Configuration Web – Click Port, LACP, Port Counters Information. Select a member port to display the corresponding information. Figure 3-84 LACP - Port Counters Information CLI – The following example displays LACP counters. Console#show lacp counters 4-209 Port channel : 1 ------------------------------------------------------------------------- Eth 1/ 1 -------------------------------------------------------------------------...
  • Page 200: Figure 3-85 Lacp - Port Internal Information

    Configuring the Switch Table 3-9 LACP Internal Configuration Information (Continued) Field Description Admin State, Administrative or operational values of the actor’s state parameters: Oper State • Expired – The actor’s receive machine is in the expired state; • Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.
  • Page 201: Displaying Lacp Settings And Status For The Remote Side

    Port Configuration CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1. Console#show lacp 1 internal 4-209 Port channel : 1 ------------------------------------------------------------------------- Oper Key : 120 Admin Key : 0 Eth 1/1 ------------------------------------------------------------------------- LACPDUs Internal:...
  • Page 202: Figure 3-86 Lacp - Port Neighbors Information

    Configuring the Switch Web – Click Port, LACP, Port Neighbors Information. Select a port channel to display the corresponding information. Figure 3-86 LACP - Port Neighbors Information CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1. Console#show lacp 1 neighbors 4-209 Port channel 1 neighbors...
  • Page 203: Setting Broadcast Storm Thresholds

    Command Attributes • Port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • Type – Indicates the port type. (100BASE-TX, 1000BASE-T, or 1000BASE-SFP) • Protect Status – Enables or disables broadcast storm control. (Default: Enabled) • Threshold – Threshold level as a rate; i.e., kilobits per second.
  • Page 204: Figure 3-87 Port Broadcast Control

    Configuring the Switch Web – Click Port, Port/Trunk Broadcast Control. Set the threshold and mark the Enabled field for the required interface, then click Apply. Figure 3-87 Port Broadcast Control CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 500 kilobits per second for port 2.
  • Page 205: Setting Multicast Storm Thresholds

    Command Attributes • Port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • Type – Indicates the port type. (1000BASE-T or 1000BASE-SFP) • Protect Status – Enables or disables multicast storm control. (Default: Disabled) • Threshold – Threshold level as a rate in kilobits per second. (Range: 64-100000 kilobits per second for Fast Ethernet ports;...
  • Page 206: Setting Unknown Unicast Storm Thresholds

    Command Attributes • Port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • Type – Indicates the port type. (1000BASE-T or 1000BASE-SFP) • Protect Status – Enables or disables unknown unicast storm control. (Default: Disabled) •...
  • Page 207: Configuring Port Mirroring

    • Mirror Sessions – Displays a list of current mirror sessions. • Source Port – The port whose traffic will be monitored. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • Type – Allows you to select which traffic to mirror to the target port, Rx (receive), Tx (transmit), or Both.
  • Page 208: Configuring Rate Limits

    Configuring the Switch Configuring Rate Limits This function allows the network manager to control the maximum rate for traffic received on a port or transmitted from a port. Rate limiting is configured on ports at the edge of a network to limit traffic into or out of the switch. Packets that exceed the acceptable amount of traffic are dropped.
  • Page 209: Showing Port Statistics

    Port Configuration Showing Port Statistics You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port.
  • Page 210 Configuring the Switch Table 3-11 Port Statistics (Continued) Parameter Description Transmit Discarded Packets The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space.
  • Page 211 Port Configuration Table 3-11 Port Statistics (Continued) Parameter Description Received Frames The total number of frames (bad, broadcast and multicast) received. Broadcast Frames The total number of good frames received that were directed to the broadcast address. Note that this does not include multicast packets. Multicast Frames The total number of good frames received that were directed to a multicast address.
  • Page 212: Figure 3-90 Port Statistics

    Configuring the Switch Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen. Figure 3-90 Port Statistics 3-156...
  • Page 213: Power Over Ethernet Settings

    Power Over Ethernet Settings CLI – This example shows statistics for port 13. Console#show interfaces counters ethernet 1/13 4-198 Ethernet 1/13 Iftable stats: Octets input: 868453, Octets output: 3492122 Unicast input: 7315, Unitcast output: 6658 Discard input: 0, Discard output: 0 Error input: 0, Error output: 0 Unknown protos input: 0, QLen output: 0 Extended iftable stats:...
  • Page 214: Switch Power Status

    Configuring the Switch Switch Power Status Use the Main Power Status page to display the Power over Ethernet settings for the switch. Command Attributes • Maximum Available Power – The configured power budget for the switch. • System Operation Status – The PoE power service provided to the switch ports. •...
  • Page 215: Setting A Switch Power Budget

    Power Over Ethernet Settings Setting a Switch Power Budget A maximum PoE power budget for the switch (power available to all switch ports) can be defined so that power can be centrally managed, preventing overload conditions at the power source. If the power demand from devices connected to the switch exceeds the power budget setting, the switch uses port power priority settings to limit the supplied power.
  • Page 216: Configuring Port Poe Power

    Configuring the Switch Web – Click PoE, Power Port Status. Figure 3-93 Displaying Port PoE Status CLI – This example displays the PoE status and priority of port 1. Console#show power inline status 4-217 Interface Admin Oper Power(mWatt) Power(used) Priority ---------- ------- ---- ------------ ------------ -------- 1/ 1 enable...
  • Page 217: Figure 3-94 Configuring Port Poe Power

    Power Over Ethernet Settings Command Attributes • Port – The port number on the switch. (Range: 1-24) • Admin Status – Enables PoE power on the port. Power is automatically supplied when a device is detected on the port, providing that the power demanded does not exceed the switch or port power budget.
  • Page 218: Address Table Settings

    Configuring the Switch Address Table Settings Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
  • Page 219: Displaying The Address Table

    Address Table Settings CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset. Console(config)#mac-address-table static 00-12-cf-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset 4-222 Console(config)# Displaying the Address Table The Dynamic Address Table contains the MAC addresses learned by monitoring the source address for traffic entering the switch.
  • Page 220: Changing The Aging Time

    Configuring the Switch CLI – This example also displays the address table entries for port 1. Console#show mac-address-table interface ethernet 1/1 4-224 Interface Mac Address Vlan Type --------- ----------------- ---- ----------------- Eth 1/ 1 00-12-CF-48-82-93 1 Delete-on-reset Eth 1/ 1 00-12-CF-94-34-DE 2 Learned Console# Changing the Aging Time...
  • Page 221: Spanning Tree Algorithm Configuration

    Spanning Tree Algorithm Configuration Spanning Tree Algorithm Configuration The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
  • Page 222 Configuring the Switch MSTP – When using STP or RSTP, it may be difficult to maintain a stable path between all VLAN members. Frequent changes in the tree structure can easily isolate some of the group members. MSTP (which is based on RSTP for fast convergence) is designed to support independent spanning trees based on VLAN groups.
  • Page 223: Configuring Port And Trunk Loopback Detection

    Field Attributes • Port – Indicates the interface to be configured. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • Status – Enables Loopback Detection on this interface. (Default: Enabled) • Trap – Enables SNMP trap notification for loopback events on this port.
  • Page 224: Displaying Global Settings

    Configuring the Switch CLI – This command enables loopback detection for port 1/5, configures automatic release-mode, and enables SNMP trap notification for detected loopback BPDUs. Console(config)#interface ethernet 1/5 4-188 Console(config-if)#spanning-tree loopback-detection 4-242 Console(config-if)#spanning-tree loopback-detection release-mode auto 4-242 Console(config-if)#spanning-tree loopback-detection trap 4-243 Displaying Global Settings You can display a summary of the current bridge STA information that applies to the entire switch using the STA Information screen.
  • Page 225 Spanning Tree Algorithm Configuration These additional parameters are only displayed for the CLI: • Spanning Tree Mode – Specifies the type of spanning tree used on this switch: - STP: Spanning Tree Protocol (IEEE 802.1D) - RSTP: Rapid Spanning Tree (IEEE 802.1w) - MSTP: Multiple Spanning Tree (IEEE 802.1s) •...
  • Page 226: Figure 3-99 Displaying Spanning Tree Information

    Configuring the Switch Web – Click Spanning Tree, STA, Information. Figure 3-99 Displaying Spanning Tree Information CLI – This command displays global STA settings, followed by settings for each port. Console#show spanning-tree 4-246 Spanning-tree information --------------------------------------------------------------- Spanning Tree Mode: RSTP Spanning Tree Enabled/Disabled: Enabled Instance:...
  • Page 227: Configuring Global Settings

    Spanning Tree Algorithm Configuration Configuring Global Settings Global settings apply to the entire switch. Command Usage • Spanning Tree Protocol Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
  • Page 228 Configuring the Switch • Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (that is, the lowest numeric priority value) becomes the STA root device. If all devices have the same priority, the device with the lowest MAC address becomes the root device.
  • Page 229 Spanning Tree Algorithm Configuration Configuration Settings for RSTP The following attributes apply to both RSTP and MSTP: • Path Cost Method – The path cost is used to determine the best path between devices. The path cost method is used to determine the range of values that can be assigned to each interface.
  • Page 230: Figure 3-100 Configuring Spanning Tree

    Configuring the Switch Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply. Figure 3-100 Configuring Spanning Tree 3-174...
  • Page 231: Displaying Interface Settings

    Spanning Tree Algorithm Configuration CLI – This example enables Spanning Tree Protocol, sets the mode to MST, and then configures the STA and MSTP parameters. Console(config)#spanning-tree 4-227 Console(config)#spanning-tree mode mstp 4-228 Console(config)#spanning-tree priority 45056 4-231 Console(config)#spanning-tree hello-time 5 4-229 Console(config)#spanning-tree max-age 38 4-230 Console(config)#spanning-tree forward-time 20 4-229...
  • Page 232 Configuring the Switch • Designated Port – The port priority and number of the port on the designated bridging device through which this switch must communicate with the root of the Spanning Tree. • Oper Link Type – The operational point-to-point status of the LAN segment attached to this interface.
  • Page 233: Figure 3-101 Displaying Spanning Tree Port Information

    Spanning Tree Algorithm Configuration should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.) • Internal Admin Path Cost – The path cost for the MST. See the preceding item. •...
  • Page 234: Configuring Interface Settings

    Configuring the Switch CLI – This example shows the STA attributes for port 5. Console#show spanning-tree ethernet 1/5 4-246 1/ 5 information -------------------------------------------------------------- Admin Status: Enabled Role: Designate State: Forwarding External Admin Path Cost: 0 Internal Admin Path Cost: 0 External Oper Path Cost: 100000 Internal Oper Path Cost:...
  • Page 235: Table 3-12 Recommended Sta Path Cost Range

    Spanning Tree Algorithm Configuration The following interface attributes can be configured: • Spanning Tree – Enables/disables STA on this interface. (Default: Enabled). • BPDU Flooding - Enables/disables the flooding of BPDUs to other ports when global spanning tree is disabled (page 3-171) or when spanning tree is disabled on specific port.
  • Page 236: Table 3-14 Default Sta Path Costs

    Configuring the Switch Table 3-13 Recommended STA Path Costs
    Port Type          Link Type     IEEE 802.1D-1998   IEEE 802.1w-2001
    Fast Ethernet      Half Duplex                      200,000
    Fast Ethernet      Full Duplex                      100,000
    Fast Ethernet      Trunk                            50,000
    Gigabit Ethernet   Full Duplex                      10,000
    Gigabit Ethernet   Trunk                            5,000
    Table 3-14 Default STA Path Costs Port Type Link Type IEEE 802.1w-2001...
  • Page 237: Configuring Multiple Spanning Trees

    Spanning Tree Algorithm Configuration Web – Click Spanning Tree, STA, Port Configuration or Trunk Configuration. Modify the required attributes, then click Apply. Figure 3-102 Configuring Spanning Tree per Port CLI – This example sets STA attributes for port 7. Console(config)#interface ethernet 1/7 4-188 Console(config-if)#no spanning-tree port-bpdu-flooding 4-240...
  • Page 238: Figure 3-103 Configuring Multiple Spanning Trees

    Configuring the Switch Note: All VLANs are automatically added to the IST (Instance 0). To ensure that the MSTI maintains connectivity across the network, you must configure a related set of bridges with the same MSTI settings. Command Attributes • MST Instance – Instance identifier of this spanning tree. (Default: 0) •...
  • Page 239 Spanning Tree Algorithm Configuration CLI – This example sets the priority for MSTI 1, and adds VLAN 1 to this MSTI. It then displays the STA settings for instance 1, followed by settings for each port. Console(config)#spanning-tree mst configuration 4-233 Console(config-mst)#mst 1 priority 4096 4-234 Console(config-mstp)#mst 1 vlan 1...
  • Page 240: Displaying Interface Settings For Mstp

    Configuring the Switch Displaying Interface Settings for MSTP The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance. Command Attributes • MST Instance ID – Instance identifier to configure. (Default: 0) Note: The other attributes are described under “Displaying Interface Settings”...
  • Page 241 Spanning Tree Algorithm Configuration CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST, the settings for other instances only apply to the local spanning tree. Console#show spanning-tree mst 0 4-246 Spanning Tree Information...
  • Page 242: Configuring Interface Settings For Mstp

    Configuring the Switch Configuring Interface Settings for MSTP You can configure the STA interface settings for an MST Instance using the MSTP Port Configuration and MSTP Trunk Configuration pages. Field Attributes The following attributes are read-only and cannot be changed: •...
  • Page 243: Vlan Configuration

    VLAN Configuration Web – Click Spanning Tree, MSTP, Port Configuration or Trunk Configuration. Enter the priority and path cost for an interface, and click Apply. Figure 3-105 Displaying MSTP Interface Settings CLI – This example sets the MSTP attributes for port 4. Console(config)#interface ethernet 1/4 4-188 Console(config-if)#spanning-tree mst port-priority 0...
  • Page 244: Assigning Ports To Vlans

    Configuring the Switch This switch supports the following VLAN features: • Up to 255 VLANs based on the IEEE 802.1Q standard • Distributed VLAN learning across multiple switches using explicit or implicit tagging and GVRP protocol • Port overlapping, allowing a port to participate in multiple VLANs •...
  • Page 245 VLAN Configuration Untagged VLANs – Untagged (or static) VLANs are typically used to reduce broadcast traffic and to increase security. A group of network users assigned to a VLAN form a broadcast domain that is separate from other VLANs configured on the switch.
  • Page 246: Enabling Or Disabling Gvrp (Global Setting)

    Configuring the Switch Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
  • Page 247: Displaying Basic Vlan Information

    VLAN Configuration Displaying Basic VLAN Information The VLAN Basic Information page displays basic information on the VLAN type supported by the switch. Field Attributes • VLAN Version Number – The VLAN version used by this switch as specified in the IEEE 802.1Q standard. •...
  • Page 248: Displaying Current Vlans

    Configuring the Switch Displaying Current VLANs The VLAN Current Table shows the current port members of each VLAN and whether or not the port supports VLAN tagging. Ports assigned to a large VLAN group that crosses several switches should use VLAN tagging. However, if you just want to create a small port-based VLAN for one or two switches, you can disable tagging.
  • Page 249: Creating Vlans

    VLAN Configuration • Name – Name of the VLAN (1 to 32 characters). • Status – Shows if this VLAN is enabled or disabled. - Active: VLAN is operational. - Suspend: VLAN is suspended; i.e., does not pass packets. • Ports / Channel groups – Shows the VLAN interface members. CLI –...
  • Page 250: Figure 3-109 Configuring A Vlan Static List

    Configuring the Switch Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add. Figure 3-109 Configuring a VLAN Static List CLI –...
  • Page 251: Adding Static Members To Vlans (Vlan Index)

    VLAN Configuration Adding Static Members to VLANs (VLAN Index) Use the VLAN Static Table to configure port members for the selected VLAN index. Assign ports as tagged if they are connected to 802.1Q VLAN compliant devices, or untagged if they are not connected to any VLAN-aware devices. Or configure a port as forbidden to prevent the switch from automatically adding it to a VLAN via the GVRP protocol.
  • Page 252: Figure 3-110 Configuring A Vlan Static Table

    Configuring the Switch Web – Click VLAN, 802.1Q VLAN, Static Table. Select a VLAN ID from the scroll-down list. Modify the VLAN name and status if required. Select the membership type by marking the appropriate radio button in the list of ports or trunks.
  • Page 253: Adding Static Members To Vlans (Port Index)

    VLAN Configuration Adding Static Members to VLANs (Port Index) Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member. Command Attributes • Interface – Port or trunk identifier. • Member – VLANs for which the selected interface is a tagged member. •...
  • Page 254: Configuring Vlan Behavior For Interfaces

    Configuring the Switch Configuring VLAN Behavior for Interfaces You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers. Command Usage • GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
  • Page 255 VLAN Configuration • GARP Leave Timer – The interval a port waits before leaving a VLAN group. This time should be set to more than twice the join time. This ensures that after a Leave or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group.
  • Page 256: Configuring Ieee 802.1Q Tunneling

    Web – Click VLAN, 802.1Q VLAN, Port Configuration or Trunk Configuration. Fill in the required settings for each interface, click Apply. Figure 3-112 Configuring VLANs per Port
    CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid.
  • Page 257

    QinQ tunneling uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs. QinQ tunneling expands VLAN space by using a VLAN-in-VLAN hierarchy, preserving the customer’s original tagged packets, and adding SPVLAN tags to each frame (also called double tagging).
  • Page 258

    process transmits the packet. Packets entering a QinQ tunnel port are processed in the following manner:
    1. New SPVLAN tags are added to all incoming packets, no matter how many tags they already have. The ingress process constructs and inserts the outer tag (SPVLAN) into the packet based on the default VLAN ID and Tag Protocol Identifier (TPID, that is, the ether-type of the tag).
  • Page 259

    4. After successful source and destination lookups, the packet is double tagged. The switch relies on an inner tag with TPID 0x8100 to recognize an incoming packet as double-tagged: if the outer tag of an incoming packet matches the port TPID and the TPID of the inner tag is 0x8100, it is treated as a double-tagged packet.
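    The tag-stack rules above, as an added example that is not part of the Samsung manual: a small Python model that builds 802.1Q and QinQ frames, pushes the SPVLAN outer tag the way step 1 describes, and classifies a frame the way step 4 describes (outer tag must match the port TPID, inner tag must be 0x8100). The MACs, VLAN IDs and payload are constructed; the 0x9100 port TPID is taken from the manual's own "switchport dot1q-tunnel tpid 9100" example.

```python
# Added example (not from the Samsung manual): build 802.1Q and QinQ frames
# and classify them with the tunnel-port rules described above. The MACs,
# VLAN IDs and payload are constructed; the 0x9100 port TPID comes from the
# manual's own "switchport dot1q-tunnel tpid 9100" example.
import struct

TPID_8021Q = 0x8100
SPVLAN_TPID = 0x9100   # assumed port TPID, as in the manual's example


def mac(text):
    """'00-00-00-00-00-01' or colon form -> 6 raw bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def vlan_tag(tpid, vid, pcp=0):
    """One 4-byte tag: TPID, then TCI = PCP(3 bits) | DEI(1) | VID(12)."""
    if not 0 <= vid <= 4095 or not 0 <= pcp <= 7:
        raise ValueError("bad VID or PCP")
    return struct.pack("!HH", tpid, (pcp << 13) | vid)


def build_frame(dst, src, tags, ethertype, payload):
    return mac(dst) + mac(src) + b"".join(tags) + struct.pack("!H", ethertype) + payload


def parse_tags(frame, port_tpid=TPID_8021Q):
    """Walk the tag stack. The outermost tag counts only if its TPID equals
    the port TPID; any further tags must carry 0x8100, as the manual states.
    Returns ([(tpid, vid), ...], offset_of_ethertype)."""
    offset, tags, expected = 12, [], port_tpid
    while offset + 4 <= len(frame):
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid != expected:
            break
        tags.append((tpid, tci & 0x0FFF))
        offset += 4
        expected = TPID_8021Q
    return tags, offset


def ethertype_after_tags(frame, port_tpid=TPID_8021Q):
    _, offset = parse_tags(frame, port_tpid)
    return struct.unpack_from("!H", frame, offset)[0]


def tunnel_access_ingress(frame, spvlan, port_tpid=SPVLAN_TPID):
    """Step 1 of the manual's QinQ ingress: push a fresh SPVLAN outer tag
    regardless of how many tags the customer frame already carries. Because
    the push is unconditional, a customer cannot pre-tag a frame with the
    provider's TPID to pick its own service VLAN."""
    return frame[:12] + vlan_tag(port_tpid, spvlan) + frame[12:]


def classify(frame, port_tpid=SPVLAN_TPID):
    """Step 4: double-tagged only if outer TPID == port TPID and inner == 0x8100."""
    tags, _ = parse_tags(frame, port_tpid)
    if len(tags) >= 2 and tags[0][0] == port_tpid and tags[1][0] == TPID_8021Q:
        return "double-tagged"
    if len(tags) == 1:
        return "single-tagged"
    return "untagged"


# Constructed customer frame: customer VLAN 100, carrying a minimal IPv4 header.
CUSTOMER_FRAME = build_frame(
    "00-00-00-00-00-02", "00-00-00-00-00-01",
    [vlan_tag(TPID_8021Q, 100, pcp=5)], 0x0800, b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    tunneled = tunnel_access_ingress(CUSTOMER_FRAME, spvlan=10)
    print(classify(CUSTOMER_FRAME, TPID_8021Q), classify(tunneled))
    print(parse_tags(tunneled, SPVLAN_TPID))
```

    The point worth checking is the last one in the test: a customer frame that already carries a 0x9100 tag still gets the provider's SPVLAN pushed on top, so the customer's tag is just payload to the provider network and cannot be used to hop into another customer's service VLAN.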
  • Page 260: Enabling Qinq Tunneling On The Switch

    5. Configure the QinQ tunnel access port to join the SPVLAN as an untagged member (see “Adding Static Members to VLANs (VLAN Index)” on page 3-195).
    6. Configure the SPVLAN ID as the native VID on the QinQ tunnel access port (see “Configuring VLAN Behavior for Interfaces”...
  • Page 261: Adding An Interface To A Qinq Tunnel

    CLI – This example sets the switch to operate in QinQ mode.
    Console(config)#dot1q-tunnel system-tunnel-control    4-264
    Console(config-if)#switchport dot1q-tunnel tpid 9100    4-265
    Console(config)#exit
    Console#show dot1q-tunnel    4-266
    Current double-tagged status of the system is Enabled
    The dot1q-tunnel mode of the set interface 1/1 is Access mode, TPID is 0x9100.
    The dot1q-tunnel mode of the set interface 1/2 is Uplink mode, TPID is 0x9100.
  • Page 262: Traffic Segmentation

    Web – Click VLAN, 802.1Q VLAN, 802.1Q Tunnel Configuration or Tunnel Trunk Configuration. Set the mode for a tunnel access port to 802.1Q Tunnel and a tunnel uplink port to 802.1Q Tunnel Uplink. Click Apply. Figure 3-114 Tunnel Port Configuration
    CLI –...
  • Page 263: Configuring Global Settings For Traffic Segmentation

    Use the Traffic Segmentation Status page to enable traffic segmentation, and to block or forward traffic between uplink ports assigned to different client sessions.
    Command Attributes
    • Traffic Segmentation Status – Enables port-based traffic segmentation. (Default: Disabled)
    •...
  • Page 264: Figure 3-116 Traffic Segmentation Session Configuration

    Web – Click VLAN, Traffic Segmentation, Session Configuration. Set the session number, specify whether an uplink or downlink is to be used, select the interface, and click Apply. Figure 3-116 Traffic Segmentation Session Configuration
    CLI – This example enables traffic segmentation and allows traffic to be forwarded across the uplink ports assigned to different client sessions.
  • Page 265: Private Vlans

    Private VLANs provide port-based security and isolation between ports within the assigned VLAN. This switch supports private VLANs with primary/secondary associated groups. A primary VLAN contains promiscuous ports that can communicate with all other ports in the private VLAN group, while a secondary (or community) VLAN contains community ports that can only communicate with other hosts within the secondary VLAN and with any of the promiscuous ports in the associated primary VLAN.
  • Page 266: Configuring Private Vlans

    Web – Click VLAN, Private VLAN, Information. Select the desired port from the VLAN ID drop-down menu. Figure 3-117 Private VLAN Information
    CLI – This example shows the switch configured with primary VLAN 5 and secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and are associated with VLAN 6.
  • Page 267: Associating Vlans

    Web – Click VLAN, Private VLAN, Configuration. Enter the VLAN ID number, select Primary or Community type, then click Add. To remove a private VLAN from the switch, highlight an entry in the Current list box and then click Remove. Note that all member ports must be removed from the VLAN before it can be deleted.
  • Page 268: Displaying Private Vlan Interface Information

    CLI – This example associates community VLANs 6 and 7 with primary VLAN 5.
    Console(config)#vlan database    4-254
    Console(config-vlan)#private-vlan 5 association 6    4-273
    Console(config-vlan)#private-vlan 5 association 7    4-273
    Console(config)#
    Displaying Private VLAN Interface Information
    Use the Private VLAN Port Information and Private VLAN Trunk Information menus to display the interfaces associated with private VLANs.
  • Page 269: Configuring Private Vlan Interfaces

    CLI – This example shows the switch configured with primary VLAN 5 and community VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and associated with VLAN 6.
  • Page 270: Protocol Vlans

    Web – Click VLAN, Private VLAN, Port Configuration or Trunk Configuration. Set the PVLAN Port Type for each port that will join a private VLAN. Assign promiscuous ports to a primary VLAN. Assign host ports to a community VLAN. After all the ports have been configured, click Apply.
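    The isolation rules in the Private VLANs section above, as an added example that is not part of the Samsung manual: a Python model of the forwarding decision between promiscuous, host and ordinary ports. VLAN and port numbers follow the manual's example (primary VLAN 5, community VLAN 6, port 3 promiscuous, ports 4 and 5 host ports); community VLAN 7, port 6 and port 7 are assumptions added here to show that two communities under the same primary VLAN stay isolated from each other and that a port outside the group reaches none of them.

```python
# Added example (not from the Samsung manual): a model of the private VLAN
# forwarding rules described above. VLAN and port numbers follow the
# manual's example (primary VLAN 5, community VLAN 6, port 3 promiscuous,
# ports 4 and 5 host ports); community VLAN 7 and ports 6 and 7 are
# assumptions added to show isolation between communities.
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class PvlanPort:
    mode: str                   # "promiscuous", "host" or "normal"
    vlan: Optional[int] = None  # primary VLAN for promiscuous, community VLAN for host


class PvlanSwitch:
    def __init__(self):
        self.associations: Dict[int, Set[int]] = {}   # primary -> community VLANs
        self.ports: Dict[int, PvlanPort] = {}

    def private_vlan_association(self, primary, community):
        """Like 'private-vlan <primary> association <community>'."""
        if primary == community:
            raise ValueError("a VLAN cannot be associated with itself")
        self.associations.setdefault(primary, set()).add(community)

    def primary_of(self, community):
        for primary, members in self.associations.items():
            if community in members:
                return primary
        return None

    def set_port(self, number, mode, vlan=None):
        if mode == "promiscuous" and vlan not in self.associations:
            raise ValueError("promiscuous ports map to a primary VLAN")
        if mode == "host" and self.primary_of(vlan) is None:
            raise ValueError("host ports join an associated community VLAN")
        self.ports[number] = PvlanPort(mode, vlan)

    def group_of(self, port):
        """Primary VLAN of the private VLAN group a port belongs to, if any."""
        if port.mode == "promiscuous":
            return port.vlan
        if port.mode == "host":
            return self.primary_of(port.vlan)
        return None

    def can_forward(self, src, dst):
        """Forwarding decision for a unicast frame between two ports."""
        if src == dst:
            return False
        s, d = self.ports[src], self.ports[dst]
        gs, gd = self.group_of(s), self.group_of(d)
        if gs is None or gs != gd:
            return False                      # different groups never talk
        if "promiscuous" in (s.mode, d.mode):
            return True                       # promiscuous reaches everything
        return s.vlan == d.vlan               # host ports: same community only


def manual_example():
    sw = PvlanSwitch()
    sw.private_vlan_association(5, 6)
    sw.private_vlan_association(5, 7)
    sw.set_port(3, "promiscuous", 5)
    sw.set_port(4, "host", 6)
    sw.set_port(5, "host", 6)
    sw.set_port(6, "host", 7)     # assumed second community
    sw.set_port(7, "normal")      # assumed port outside the private VLAN
    return sw
```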
  • Page 271: Configuring Protocol Vlan Groups

    Command Usage
    To configure protocol-based VLANs, follow these steps:
    1. First configure VLAN groups for the protocols you want to use (page 3-193). Although not mandatory, we suggest configuring a separate VLAN for each major protocol running on your network. Do not add port members at this time.
    2.
  • Page 272: Configuring The Protocol Vlan System

    CLI – This example shows the switch configured with Protocol Group 2 which matches RFC 1042 IP traffic.
    Console(config)#protocol-vlan protocol group 2 add frame-type rfc-1042 protocol-type ip    4-277
    Console(config)#
    Configuring the Protocol VLAN System
    Use the Protocol VLAN System Configuration menu to map a Protocol VLAN Group to a VLAN.
  • Page 273: Link Layer Discovery Protocol

    Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that periodically advertises information about the sending device to a reserved link-local multicast address. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings. Because these advertisements disclose the device model, software version and port assignments to anything attached to the link, advertise only the TLVs that are actually needed on ports facing untrusted hosts.
  • Page 274: Figure 3-124 Lldp Configuration

    This attribute must comply with the rule: (4 * Delay Interval) ≤ Transmission Interval
    • Reinitialization Delay – Configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down. (Range: 1-10 seconds; Default: 2 seconds) When LLDP is re-initialized on a port, all information in the remote systems' LLDP MIB associated with this port is deleted.
  • Page 275: Configuring Lldp Interface Attributes

    CLI – This example sets several attributes which control basic LLDP message timing.
    Console(config)#lldp    4-288
    Console(config)#lldp refresh-interval 60    4-290
    Console(config)#lldp holdtime-multiplier 10    4-288
    Console(config)#lldp tx-delay 10    4-291
    Console(config)#lldp reinit-delay 10    4-290
    Console(config)#lldp notification-interval 30    4-289
    Console(config)#lldp medFastStartCount 6    4-289
    Console(config)#exit
    Console#show lldp config...
  • Page 276

    • TLV Type – Configures the information included in the TLV field of advertised messages.
    - Port Description – The port description is taken from the ifDescr object in RFC 2863, which includes information about the manufacturer, the product name, and the version of the interface hardware/software.
  • Page 277: Figure 3-125 Lldp Port Configuration

    power (the Endpoint Device could use this information to decide to enter power conservation mode). Note that this device does not support PoE capabilities.
    - Inventory – This option advertises device details useful for inventory management, such as manufacturer, model, software version and other pertinent information.
  • Page 278: Displaying Lldp Local Device Information

    CLI – This example sets the interface to both transmit and receive LLDP messages, enables SNMP trap messages, enables MED notification, and specifies the TLV, MED-TLV, dot1-TLV and dot3-TLV parameters to advertise.
    Console(config)#interface ethernet 1/1    4-188
    Console(config-if)#lldp admin-status tx-rx    4-292
    Console(config-if)#lldp notification    4-292...
  • Page 279

    • Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system.
    • System Name – A string that indicates the system’s administratively assigned name (see “Displaying System Information” on page 3-12).
    •...
  • Page 280: Table 3-16 System Capabilities

    Web – Click LLDP, Local Information. Figure 3-126 LLDP Local Device Information
    CLI – This example displays LLDP information for the local switch.
    Console#show lldp info local-device    4-305
    LLDP Local System Information
    Chassis Type : MAC Address
    Chassis ID : 00-01-02-03-04-05
    System Name...
  • Page 281: Displaying Lldp Remote Port Information

    This example displays detailed information for a specific port on the local switch.
    Console#show lldp info local-device ethernet 1/1    4-305
    LLDP Port Information Detail
    Port : Eth 1/1
    Port Type : MAC Address
    Port ID : 00-01-02-03-04-06
    Port Desc : Ethernet Port on unit 1, port 1
    Console#
    Displaying LLDP Remote Port Information...
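    The fields in the two "show lldp info local-device" listings above are what the switch packs into the mandatory LLDP TLVs. As an added example that is not part of the Samsung manual, this Python encodes and decodes those TLVs (chassis ID and port ID with the MAC-address subtype, TTL, port description, system name). The chassis ID, port ID and port description are taken from the manual's sample output; the TTL is derived from the manual's timing example (refresh-interval 60 times holdtime-multiplier 10, capped at 65535 as the field is 16 bits); the system name and the LLDPDU itself are constructed. The parser rejects truncated TLVs and a missing mandatory prefix, which is the minimum a receiver on an untrusted link should do.

```python
# Added example (not from the Samsung manual): encode and decode the LLDP
# TLVs behind the "show lldp info local-device" output above. Chassis ID,
# port ID and port description are taken from the manual's sample output;
# the TTL is derived from the manual's timing example (refresh-interval 60,
# holdtime-multiplier 10). The system name and the LLDPDU are constructed.
import struct

# TLV types from IEEE 802.1AB; chassis/port ID subtype 4 = MAC address
TLV_END, TLV_CHASSIS, TLV_PORT, TLV_TTL, TLV_PORT_DESC, TLV_SYS_NAME = 0, 1, 2, 3, 4, 5
SUBTYPE_MAC = 4


def lldp_ttl(refresh_interval, holdtime_multiplier):
    """TTL carried in the TTL TLV: interval x multiplier, capped at 65535."""
    return min(65535, refresh_interval * holdtime_multiplier)


def tlv(tlv_type, value):
    """7-bit type and 9-bit length packed into one 16-bit header."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def mac_bytes(text):
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def mac_text(raw):
    return "-".join(f"{b:02x}" for b in raw)


def build_lldpdu(chassis_mac, port_mac, ttl, port_desc, sys_name):
    return (tlv(TLV_CHASSIS, bytes([SUBTYPE_MAC]) + mac_bytes(chassis_mac))
            + tlv(TLV_PORT, bytes([SUBTYPE_MAC]) + mac_bytes(port_mac))
            + tlv(TLV_TTL, struct.pack("!H", ttl))
            + tlv(TLV_PORT_DESC, port_desc.encode())
            + tlv(TLV_SYS_NAME, sys_name.encode())
            + tlv(TLV_END, b""))


def parse_lldpdu(data):
    """Decode an LLDPDU, rejecting truncated TLVs and a bad mandatory prefix."""
    info, order, offset = {}, [], 0
    while offset + 2 <= len(data):
        header = struct.unpack_from("!H", data, offset)[0]
        tlv_type, length = header >> 9, header & 0x1FF
        value = data[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        offset += 2 + length
        order.append(tlv_type)
        if tlv_type == TLV_END:
            break
        if tlv_type in (TLV_CHASSIS, TLV_PORT):
            if not value:
                raise ValueError("empty ID TLV")
            key = "chassis_id" if tlv_type == TLV_CHASSIS else "port_id"
            info[key] = mac_text(value[1:]) if value[0] == SUBTYPE_MAC else value[1:].hex()
        elif tlv_type == TLV_TTL:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == TLV_PORT_DESC:
            info["port_desc"] = value.decode(errors="replace")
        elif tlv_type == TLV_SYS_NAME:
            info["sys_name"] = value.decode(errors="replace")
    if order[:3] != [TLV_CHASSIS, TLV_PORT, TLV_TTL]:
        raise ValueError("chassis ID, port ID and TTL must come first")
    return info


# Constructed LLDPDU matching the manual's sample output.
SAMPLE = build_lldpdu("00-01-02-03-04-05", "00-01-02-03-04-06",
                      lldp_ttl(60, 10), "Ethernet Port on unit 1, port 1",
                      "switch1")  # system name is an assumption
```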
  • Page 282: Displaying Lldp Remote Information Details

    Use the LLDP Remote Information Details screen to display detailed information about an LLDP-enabled device connected to a specific port on the local switch.
    Field Attributes
    • Local Port – The local port to which a remote LLDP-capable device is attached.
    •...
  • Page 283: Figure 3-128 Lldp Remote Information Details

    Web – Click LLDP, Remote Information Details. Select an interface from the drop down lists, and click Query. Figure 3-128 LLDP Remote Information Details
    CLI – This example displays LLDP information for an LLDP-enabled remote device attached to a specific port on this switch.
  • Page 284: Displaying Device Statistics

    Use the LLDP Device Statistics screen to display general statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces.
    Field Attributes
    General Statistics on Remote Devices
    •...
  • Page 285: Displaying Detailed Device Statistics

    CLI – This example displays LLDP statistics received from all LLDP-enabled remote devices connected directly to this switch.
    switch#show lldp info statistics    4-307
    LLDP Device Statistics
    Neighbor Entries List Last Updated : 2450279 seconds
    New Neighbor Entries Count
    Neighbor Entries Deleted Count
    Neighbor Entries Dropped Count
    Neighbor Entries Ageout Count...
  • Page 286: Class Of Service Configuration

    Web – Click LLDP, Device Statistics Details. Figure 3-130 LLDP Device Statistics Details
    CLI – This example displays detailed LLDP statistics for an LLDP-enabled remote device attached to a specific port on this switch.
    switch#show lldp info statistics detail ethernet 1/1    4-307
    LLDP Port Statistics Detail
    PortName...
  • Page 287: Layer 2 Queue Settings

    Setting the Default Priority for Interfaces
    You can specify the default port priority for each interface on the switch. All untagged packets entering the switch are tagged with the specified default port priority, and then sorted into the appropriate priority queue at the output port.
  • Page 288: Table 3-18 Mapping Cos Values To Egress Queues

    CLI – This example assigns a default priority of 5 to port 3.
    Console(config)#interface ethernet 1/3    4-188
    Console(config-if)#switchport priority default 5    4-309
    Console(config-if)#end
    Console#show interfaces switchport ethernet 1/3    4-199
    Information of Eth 1/3
    Broadcast Threshold: Enabled, 64 Kbits/second
    Multicast Threshold: Disabled
    Unknown-unicast Threshold:...
  • Page 289: Figure 3-132 Traffic Classes

    Table 3-19 CoS Priority Levels (Continued), traffic types for the remaining priority levels: Controlled Load; Video, less than 100 milliseconds latency and jitter; Voice, less than 10 milliseconds latency and jitter; Network Control.
    Command Attributes
    • Priority – CoS value. (Range: 0-7, where 7 is the highest priority)
    •...
  • Page 290: Selecting The Queue Mode

    You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue. With strict priority, a sustained flood of frames marked with the highest CoS can starve every lower queue, so strict mode is only safe where the priority markings arriving at the switch are trusted.
  • Page 291: Layer 3/4 Priority Settings

    Note: This switch does not allow the queue service weights to be set. The weights are fixed as 1, 2, 4, 8 for queues 0 through 3 respectively.
    Command Attributes
    • WRR Setting Table – Displays a list of weights for each traffic class (i.e., queue).
    •...
  • Page 292: Enabling Ip Dscp Priority

    The switch allows you to enable or disable the IP DSCP priority.
    Command Attributes
    • IP DSCP Priority Status – The following options are:
    - Disabled – Disables the priority service. (Default Setting: Disabled)
    - IP DSCP –...
  • Page 293: Mapping Dscp Priority

    The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP retains backward compatibility with the three precedence bits so that non-DSCP compliant devices will not conflict with the DSCP mapping. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding.
  • Page 294: Quality Of Service

    CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 1 to CoS value 0 on port 1 (the interface form of "map ip dscp" takes the DSCP value first and the CoS value second), and then displays the DSCP Priority settings.
    Console(config)#map ip dscp    4-313
    Console(config)#interface ethernet 1/1    4-188
    Console(config-if)#map ip dscp 1 cos 0    4-313...
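    The DSCP mapping described in the two sections above, as an added example that is not part of the Samsung manual: Python that extracts the six DSCP bits from an IPv4 TOS byte, derives a CoS value, and applies a per-port override like the manual's "map ip dscp 1 cos 0" on port 1. The default DSCP-to-CoS rule used here (CoS equals the three IP precedence bits, which the manual says the DSCP stays compatible with) is an assumption, not the switch's documented default table; the second override on port 2 and the packets are constructed. The practical point is the last case: DSCP is written by the sender, so a host can mark its own traffic EF unless an untrusted port remaps it.

```python
# Added example (not from the Samsung manual): the IP DSCP priority mapping
# described above, applied to constructed IPv4 packets. The default
# DSCP-to-CoS rule used here (CoS = the three IP precedence bits) is an
# assumption; the per-port override mirrors the manual's "map ip dscp 1
# cos 0" on port 1, and the override on port 2 is constructed.
import struct


def dscp_from_ipv4(packet):
    """DSCP is the upper six bits of the IPv4 TOS byte (byte 1)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return packet[1] >> 2


def ipv4_header(dscp, ecn=0):
    """Minimal 20-byte IPv4 header with the given DSCP (constructed)."""
    tos = (dscp << 2) | (ecn & 0x3)
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 6, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def default_dscp_to_cos(dscp):
    return dscp >> 3          # assumed default: IP precedence bits


class DscpPriority:
    def __init__(self, enabled=False):
        self.enabled = enabled          # global "map ip dscp"
        self.overrides = {}             # port -> {dscp: cos}

    def map_ip_dscp(self, port, dscp, cos):
        """Per-interface 'map ip dscp <dscp> cos <cos>'."""
        if not (0 <= dscp <= 63 and 0 <= cos <= 7):
            raise ValueError("DSCP 0-63, CoS 0-7")
        self.overrides.setdefault(port, {})[dscp] = cos

    def cos_for(self, port, packet, port_default_priority=0):
        """Internal CoS assigned to an IP packet arriving on 'port'."""
        if not self.enabled:
            return port_default_priority
        dscp = dscp_from_ipv4(packet)
        return self.overrides.get(port, {}).get(dscp, default_dscp_to_cos(dscp))


def manual_example():
    qos = DscpPriority(enabled=True)
    qos.map_ip_dscp(1, 1, 0)     # from the manual's CLI example
    qos.map_ip_dscp(2, 46, 1)    # constructed: demote EF arriving on an untrusted port
    return qos
```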
  • Page 295: Configuring Quality Of Service Parameters

    You should create a Class Map before creating a Policy Map. Otherwise, you will not be able to select a Class Map from the Policy Rule Settings screen (see page 3-244).
    Configuring Quality of Service Parameters
    To create a service policy for a specific category of ingress traffic, follow these steps:
    1.
  • Page 296

    • Add Class – Opens the “Class Configuration” page. Enter a class name and description on this page, and click Add to open the “Match Class Settings” page. Enter the criteria used to classify ingress traffic on this page.
    •...
  • Page 297: Figure 3-137 Configuring Class Maps

    Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class. Figure 3-137 Configuring Class Maps
    CLI - This example creates a class map called “rd_class,” and sets it to match packets marked for DSCP service value 3.
  • Page 298: Creating Qos Policies

    This function creates a policy map that can be attached to multiple interfaces.
    Command Usage
    • To configure a Policy Map, follow these steps:
    - Create a Class Map as described on page 3-239.
    - Open the Policy Map page, and click Add Policy.
  • Page 299

    Policy Rule Settings - Class Settings -
    • Class Name – Name of class map.
    • Action – Shows the service provided to ingress traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified in Match Class Settings on page 3-239).
  • Page 300: Figure 3-138 Configuring Policy Maps

    Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy. To configure the policy rule settings click Edit Classes. Figure 3-138 Configuring Policy Maps
  • Page 301: Attaching A Policy Map To Ingress Queues

    CLI – This example creates a policy map called “rd_policy#3,” sets the average bandwidth to 1 Mbps and the burst size to 1522 bytes, and sets the exceed action to reduce the DSCP value of out-of-profile packets to 0.
    Console(config)#policy-map rd_policy#3    4-319
    Console(config-pmap)#class rd_class#3    4-319...
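    What the policer in the example above actually does to a burst of packets, as an added example that is not part of the Samsung manual: a single-rate token-bucket meter in Python with the policy's parameters (1 Mbps average rate, 1522-byte burst, out-of-profile packets remarked to DSCP 0, with a drop variant for comparison). The packet sizes and arrival times are constructed; at 1 Mbps the bucket refills 1000 bytes every 8 ms, which the timing in PACKETS is chosen to show.

```python
# Added example (not from the Samsung manual): a single-rate token-bucket
# meter with the parameters of the policy above (1 Mbps average rate,
# 1522-byte burst, out-of-profile packets remarked to DSCP 0). The packet
# sizes and arrival times are constructed.


class Policer:
    def __init__(self, rate_kbps, burst_bytes, exceed_action=("set-dscp", 0)):
        self.bytes_per_sec = rate_kbps * 1000 / 8
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)     # bucket starts full
        self.last = 0.0
        self.exceed_action = exceed_action   # ("set-dscp", n) or ("drop",)

    def _refill(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.bytes_per_sec)
        self.last = now

    def meter(self, now, length, dscp):
        """Return (conforms, forwarded, dscp_out) for one packet."""
        self._refill(now)
        if length <= self.tokens:
            self.tokens -= length
            return True, True, dscp
        if self.exceed_action[0] == "drop":
            return False, False, dscp
        return False, True, self.exceed_action[1]


def run_policer(policer, packets):
    """packets: iterable of (arrival_seconds, length_bytes, dscp)."""
    return [policer.meter(t, size, dscp) for t, size, dscp in packets]


# Constructed burst: two back-to-back 1000-byte packets at t=0, then one
# 8 ms later (1 Mbps refills 1000 bytes in 8 ms), then another right after.
PACKETS = [(0.000, 1000, 46), (0.000, 1000, 46), (0.008, 1000, 46), (0.008, 600, 46)]

if __name__ == "__main__":
    for result in run_policer(Policer(1000, 1522), PACKETS):
        print(result)
```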
  • Page 302: Voip Traffic Configuration

    When IP telephony is deployed in an enterprise network, it is recommended to isolate the Voice over IP (VoIP) network traffic from other data traffic. Traffic isolation can provide higher voice quality by preventing excessive packet delays, packet loss, and jitter.
  • Page 303: Configuring Voip Traffic Ports

    Web – Click QoS, VoIP Traffic Setting, Configuration. Enable Auto Detection, specify the Voice VLAN ID, then set the Voice VLAN Aging Time. Click Apply. Figure 3-140 Configuring VoIP Traffic
    CLI – This example enables VoIP traffic detection and specifies the Voice VLAN ID as 1234, then sets the VLAN aging time to 3000 seconds.
  • Page 304: Figure 3-141 Voip Traffic Port Configuration

    address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device.
    • 802.1ab – Uses LLDP to discover VoIP devices attached to the port. LLDP checks that the “telephone bit”...
  • Page 305: Configuring Telephony Oui

    CLI – This example configures VoIP traffic settings for port 2 and displays the current Voice VLAN status.
    Console(config)#interface ethernet 1/2
    Console(config-if)#switchport voice vlan auto    4-282
    Console(config-if)#switchport voice vlan security    4-283
    Console(config-if)#switchport voice vlan rule oui    4-283
    Console(config-if)#switchport voice vlan priority 5    4-284
    Console(config-if)#exit...
  • Page 306: Figure 3-142 Telephony Oui List

    Web – Click QoS, VoIP Traffic Setting, OUI Configuration. Enter a MAC address that specifies the OUI for VoIP devices in the network. Select a mask from the pull-down list to define a MAC address range. Enter a description for the devices, then click Add.
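    The OUI rule and the voice VLAN security setting from the port example above, as an added example that is not part of the Samsung manual: Python that matches a source MAC against OUI/mask entries like the ones entered on the OUI Configuration page and then decides whether a frame is treated as voice (given the port's voice priority, 5 in the manual's example), dropped because it reached the voice VLAN from a non-telephony MAC while security is on, or handled as ordinary data. The OUIs, masks and MACs are constructed placeholders, not real vendor assignments, and the voice VLAN ID 1234 is the one in the manual's example. Keep in mind that a source MAC is chosen by the sender, so OUI matching is a convenience for auto-detection, not authentication of the phone.

```python
# Added example (not from the Samsung manual): Telephony OUI matching with
# the OUI/mask pairs described above, combined with the voice VLAN security
# and priority settings from the CLI example (security on, CoS 5). All OUIs,
# masks and MACs below are constructed placeholders, not real vendor OUIs.


def mac_int(text):
    return int(text.replace("-", "").replace(":", ""), 16)


class TelephonyOuiList:
    def __init__(self):
        self.entries = []   # (masked OUI, mask, description)

    def add(self, oui, mask, description):
        """Like the OUI Configuration page: OUI, mask and description."""
        m = mac_int(mask)
        self.entries.append((mac_int(oui) & m, m, description))

    def match(self, mac):
        """Description of the first entry whose masked bits match, else None."""
        value = mac_int(mac)
        for oui, mask, description in self.entries:
            if value & mask == oui:
                return description
        return None


def classify_frame(oui_list, src_mac, vid, voice_vid, security=True, voice_cos=5):
    """Decide what happens to a frame on a port with voice VLAN detection.
    Returns (action, cos): 'voice' frames get the voice CoS; frames that
    reach the voice VLAN from a non-telephony MAC are dropped when
    'switchport voice vlan security' is on, otherwise treated as data."""
    if oui_list.match(src_mac) is not None:
        return "voice", voice_cos
    if vid == voice_vid and security:
        return "drop", None
    return "data", None


def manual_style_setup():
    ouis = TelephonyOuiList()
    ouis.add("00-11-22-00-00-00", "FF-FF-FF-00-00-00", "phone vendor A (constructed)")
    ouis.add("00-AA-BB-CC-00-00", "FF-FF-FF-FF-00-00", "phone model B (constructed)")
    return ouis
```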
  • Page 307: Multicast Filtering

    Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router.
  • Page 308: Layer 2 Igmp (Snooping And Query)

    IGMP Snooping and Query – If multicast routing is not supported on other switches in your network, you can use IGMP Snooping and Query (page 3-253) to monitor IGMP service requests passing between multicast clients and servers, and dynamically configure the switch ports which need to forward multicast traffic.
  • Page 309: Configuring Igmp Snooping And Query Parameters

    Static IGMP Host Interface – For multicast applications that you need to control more carefully, you can manually assign a multicast service to specific interfaces on the switch (page 3-259).
    Configuring IGMP Snooping and Query Parameters
    You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic.
  • Page 310: Figure 3-143 Igmp Configuration

    • IGMP Report Delay — Sets the time between receiving an IGMP Report for an IP multicast address on a port before the switch sends an IGMP Query out of that port and removes the entry from its list. (Range: 5-25 seconds; Default: 10)
    •...
  • Page 311: Enabling Igmp Immediate Leave

    CLI – This example modifies the settings for multicast filtering, and then displays the current status.
    Console(config)#ip igmp snooping    4-325
    Console(config)#ip igmp snooping querier    4-329
    Console(config)#ip igmp snooping query-count 10    4-330
    Console(config)#ip igmp snooping query-interval 100    4-330
    Console(config)#ip igmp snooping query-max-response-time 20    4-331
    Console(config)#ip igmp snooping router-port-expire-time 300    4-332...
  • Page 312: Displaying Interfaces Attached To A Multicast Router

    Command Attributes
    • VLAN ID – VLAN Identifier. (Range: 1-4094).
    • Immediate Leave – Sets the status for immediate leave on the specified VLAN. (Default: Disabled)
    Web – Click IGMP Snooping, IGMP Immediate Leave. Select the VLAN interface to configure, set the status for immediate leave, and click Apply.
  • Page 313: Specifying Static Interfaces For A Multicast Router

    Web – Click IGMP Snooping, Multicast Router Port Information. Select the required VLAN ID from the scroll-down list to display the associated multicast routers. Figure 3-145 Displaying Multicast Router Port Information
    CLI – This example shows that Port 11 has been statically configured as a port attached to a multicast router.
  • Page 314: Displaying Port Members Of Multicast Services

    Web – Click IGMP Snooping, Static Multicast Router Port Configuration. Specify the interfaces attached to a multicast router, indicate the VLAN which will forward all the corresponding multicast traffic, and then click Add. After you have finished adding interfaces to the list, click Apply.
  • Page 315: Assigning Ports To Multicast Services

    Web – Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and the IP address for a multicast service from the scroll-down lists. The switch will display all the interfaces that are propagating this multicast service. Figure 3-147 IP Multicast Registration Table
    CLI –...
  • Page 316: Igmp Filtering And Throttling

    • Multicast IP – The IP address for a specific multicast service
    • Port or Trunk – Specifies the interface attached to a multicast router/switch.
    Web – Click IGMP Snooping, IGMP Member Port Table. Specify the interface attached to a multicast service (via an IGMP-enabled switch or multicast router), indicate the VLAN that will propagate the multicast service, specify the multicast IP address, and click Add.
  • Page 317: Enabling Igmp Filtering

    IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace”. If the action is set to deny, any new IGMP join reports will be dropped.
  • Page 318: Configuring Igmp Filter Profiles

    When you have created an IGMP profile number, you can then configure the multicast groups to filter and set the access mode.
    Command Usage
    • Each profile has only one access mode; either permit or deny.
    •...
  • Page 319: Configuring Igmp Filtering And Throttling For Interfaces

    CLI – This example configures profile number 19 by setting the access mode to “permit” and then specifying a range of multicast groups that a user can join. The current profile configuration is then displayed.
    Console(config)#ip igmp profile 19    4-335
    Console(config-igmp-profile)#permit    4-336...
  • Page 320: Figure 3-151 Igmp Filter And Throttling Port Configuration

    Web – Click IGMP Snooping, IGMP Filter/Throttling Port Configuration or IGMP Filter/Throttling Trunk Configuration. Select a profile to assign to an interface, then set the throttling number and action. Click Apply. Figure 3-151 IGMP Filter and Throttling Port Configuration
    CLI –...
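    The filter profile and throttling behaviour described across the IGMP Filtering and Throttling pages above, as an added example that is not part of the Samsung manual: a Python model of a profile with one access mode and a group range, and of a port that applies that profile and a throttling limit with the "deny" and "replace" actions. Profile 19 with access mode "permit" mirrors the manual's example; the group range, port limits and join sequence are constructed. On "replace" this model evicts the oldest entry, which is this example's choice and not a statement about what the switch does.

```python
# Added example (not from the Samsung manual): an IGMP filter profile with a
# permit/deny group range and per-port throttling with the "deny" and
# "replace" actions described above. Profile 19 with access mode "permit"
# mirrors the manual's example; the group range, port limits and join
# sequence are constructed. On "replace" this model evicts the oldest entry,
# which is this example's choice, not a statement about the switch.
import ipaddress


class IgmpProfile:
    def __init__(self, number, access="deny"):
        if access not in ("permit", "deny"):
            raise ValueError("access mode is permit or deny")
        self.number, self.access, self.ranges = number, access, []

    def add_range(self, start, end):
        lo, hi = (int(ipaddress.IPv4Address(a)) for a in (start, end))
        if hi < lo:
            raise ValueError("range end precedes start")
        self.ranges.append((lo, hi))

    def allows(self, group):
        g = int(ipaddress.IPv4Address(group))
        inside = any(lo <= g <= hi for lo, hi in self.ranges)
        return inside if self.access == "permit" else not inside


class IgmpPort:
    def __init__(self, profile=None, max_groups=None, action="deny"):
        self.profile, self.max_groups, self.action = profile, max_groups, action
        self.groups = []   # joined groups, oldest first

    def join(self, group):
        """Process one IGMP membership report for 'group' on this port."""
        if not ipaddress.IPv4Address(group).is_multicast:
            return "not-multicast"
        if self.profile is not None and not self.profile.allows(group):
            return "filtered"
        if group in self.groups:
            return "already-joined"
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "throttled"
            evicted = self.groups.pop(0)      # replace: evict the oldest entry
            self.groups.append(group)
            return f"replaced {evicted}"
        self.groups.append(group)
        return "joined"

    def leave(self, group):
        if group in self.groups:
            self.groups.remove(group)
            return "left"
        return "not-a-member"


def manual_style_setup():
    profile = IgmpProfile(19, "permit")
    profile.add_range("239.1.1.1", "239.1.1.10")   # constructed range
    deny_port = IgmpPort(profile, max_groups=2, action="deny")
    replace_port = IgmpPort(profile, max_groups=2, action="replace")
    return profile, deny_port, replace_port
```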
  • Page 321: Multicast Vlan Registration

    Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all attached subscribers.
  • Page 322: Configuring Global Mvr Settings

    The global settings for Multicast VLAN Registration (MVR) include enabling or disabling MVR for the switch, selecting the VLAN that will serve as the sole channel for common multicast streams supported by the service provider, and assigning the multicast group address for each of these services to the MVR VLAN.
  • Page 323: Displaying Mvr Interface Status

    Web – Click MVR, Configuration. Enable MVR globally on the switch, select the MVR VLAN, add the multicast groups that will stream traffic to attached hosts, and then click Apply. Figure 3-152 MVR Global Configuration
    CLI – This example first enables IGMP snooping, enables MVR globally, and then configures a range of MVR group addresses.
  • Page 324: Displaying Port Members Of Multicast Groups

    Web – Click MVR, Port or Trunk Information. Figure 3-153 MVR Port Information
    CLI – This example shows information about interfaces attached to the MVR VLAN.
    Console#show mvr interface    4-344
    Port     Type      Status         Immediate Leave
    -------  --------  -------------  ---------------
    eth1/1   SOURCE    ACTIVE/UP...
  • Page 325: Figure 3-154 Mvr Group Ip Information

    Web – Click MVR, Group IP Information. Figure 3-154 MVR Group IP Information
    CLI – This example shows information about the interfaces associated with multicast groups assigned to the MVR VLAN.
    Console#show mvr interface    4-344
    MVR Group IP      Status    Members
    ----------------  --------  -------...
  • Page 326: Configuring Mvr Interface Status

    Each interface that participates in the MVR VLAN must be configured as an MVR source port or receiver port. If only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.
    Command Usage
    •...
  • Page 327: Assigning Static Multicast Groups To Interfaces

    - Non-MVR – An interface that does not participate in the MVR VLAN. (This is the default type.)
    • Immediate Leave – Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. (This option only applies to an interface configured as an MVR receiver.)
    •...
  • Page 328: Figure 3-156 Mvr Group Member Configuration

    • The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x.
    Command Attributes
    • Interface – Indicates a port or trunk.
    •...
  • Page 329: Switch Clustering

    Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
  • Page 330: Configuring Cluster Members

    • Cluster IP Pool – An “internal” IP address pool that is used to assign IP addresses to Member switches in the cluster. Internal cluster IP addresses are in the form 10.x.x.member-ID. Only the base IP address of the pool needs to be set since Member IDs can only be between 1 and 36.
  • Page 331: Displaying Information On Cluster Members

    Web – Click Cluster, Member Configuration. Figure 3-159 Cluster Member Configuration
    CLI – This example creates a new cluster Member by specifying the Candidate switch MAC address and setting a Member ID.
    Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5    4-75
    Console(config)#end
    Console#show cluster candidates...
  • Page 332: Displaying Information On Cluster Candidates

    Web – Click Cluster, Member Information. Figure 3-160 Cluster Member Information
    CLI – This example shows information about cluster Member switches.
    Vty-0#show cluster members    4-77
    Cluster Members:
    Role: Active member
    IP Address: 10.254.254.2
    MAC Address: 00-12-cf-23-49-c0
    Description: 24/48 L2/L4 IPV4/IPV6 GE Switch
    Vty-0#
    Displaying Information on Cluster Candidates
    Use the Cluster Candidate Information page to display information about discovered...
  • Page 333: Upnp

    CLI – This example shows information about cluster Candidate switches.
    Vty-0#show cluster candidates    4-77
    Cluster Candidates:
    Role             MAC Address        Description
    ---------------  -----------------  -----------------------------------------
    ACTIVE MEMBER    00-12-cf-23-49-c0  24/48 L2/L4 IPV4/IPV6 GE Switch
    CANDIDATE        00-12-cf-0b-47-a0  24/48 L2/L4 IPV4/IPV6 GE Switch
    Vty-0#
    UPnP
    Universal Plug and Play (UPnP) is a set of protocols that allows devices to connect seamlessly and simplifies the deployment of home and office networks.
  • Page 334: Upnp Configuration

    Using UPnP under Windows Vista – To access or manage the switch with the aid of UPnP under Windows Vista, open the Network and Sharing Center, and enable Network Discovery. Then click on the node representing your local network under the Network Sharing Center. Because UPnP advertises the switch and a path to its management interface to every host on the local segment, leave it disabled unless that discovery is actually needed.
  • Page 335

    CLI – This example enables UPnP, sets the device advertise duration to 200 seconds, the device TTL to 6, and displays information about basic UPnP configuration.
    Console(config)#upnp device    4-78
    Console(config)#upnp device advertise duration 200    4-79
    Console(config)#upnp device ttl 6    4-78
    Console(config)#end
    Console#sh upnp...
  • Page 337: Chapter 4: Command Line Interface

    This chapter describes how to use the Command Line Interface (CLI).
    Using the Command Line Interface
    Accessing the CLI
    When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt.
  • Page 338: Telnet Connection

    Command Line Interface Telnet Connection Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods.
  • Page 339: Entering Commands

    Entering Commands Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
  • Page 340: Showing Commands

    Command Line Interface Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line or VLAN Database). You can also display a list of valid keywords for a specific command.
  • Page 341: Partial Keyword Lookup

    Entering Commands vlan Virtual LAN settings voice Shows the voice VLAN information web-auth Shows web authentication configuration Console#show The command “show interfaces ?” will display the following information: Console#show interfaces ? counters Interface counters information status Interface status information switchport Interface switchport information Console#show interfaces Partial Keyword Lookup...
  • Page 342: Exec Commands

    Command Line Interface current mode. The command classes and associated modes are displayed in the following table: Table 4-1 Command Modes Class Mode Exec Normal Privileged Configuration Global Access Control List Class Map Interface Line Multiple Spanning Tree Policy Map Server Group VLAN Database * You must be in Privileged Exec mode to access the Global configuration mode.
  • Page 343: Configuration Commands

    Entering Commands Configuration Commands Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in non-volatile storage, use the copy running-config startup-config command. The configuration commands are organized into different modes: •...
  • Page 344: Command Line Processing

    Command Line Interface For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode: Console(config)#interface ethernet 1/5 Console(config-if)#exit Console(config)# Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters.
  • Page 345: Command Groups

    Command Groups Command Groups The system commands can be broken down into the functional groups shown below Table 4-4 Command Groups Command Group Description Page General Basic commands for entering privileged access mode, restarting the 4-10 system, or quitting the CLI System Management Display and setting of system information, basic modes of operation, 4-16...
  • Page 346: General Commands

    Command Line Interface Table 4-4 Command Groups (Continued) Command Group Description Page Multicast Filtering Configures IGMP multicast filtering, query parameters, specifies ports 4-324 attached to a multicast router, and enables multicast VLAN registration IP Interface Configures IP address for the switch 4-347 The access mode shown in the following tables is indicated by these abbreviations: ACL (Access Control List Configuration)
  • Page 347: Enable

    General Commands enable This command activates Privileged Exec mode. In privileged mode, additional commands are available, and certain commands display additional information. See “Understanding Command Modes” on page 4-5. Syntax enable [level] level - Privilege level to log into the device. The device has two predefined privilege levels: 0: Normal Exec, 15: Privileged Exec.
  • Page 348: Configure

    Command Line Interface Example Console#disable Console> Related Commands enable (4-11) configure This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration.
  • Page 349: Reload

    General Commands Example In this example, the show history command lists the contents of the command history buffer: Console#show history Execution command history: 2 config 1 show history Configuration command history: 4 interface vlan 1 3 exit 2 interface vlan 1 1 end Console# The ! command repeats commands from the Execution command history buffer...
  • Page 350: Show Reload

    Command Line Interface Command Usage This command resets the entire system. The switch will wait the designated amount of time before resetting. If a delayed reset has already been scheduled, then the newly configured reset will overwrite the original delay configuration.
  • Page 351: End

    General Commands Command Mode Global Configuration Example Console(config)#prompt RD2 RD2(config)# This command returns to Privileged Exec mode. Default Setting None Command Mode Global Configuration, Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration. Example This example shows how to return to the Privileged Exec mode from the Interface Configuration mode: Console(config-if)#end Console#...
  • Page 352: Quit

    Command Line Interface quit This command exits the configuration program. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The quit and exit commands can both exit the configuration program. Example This example shows how to quit a CLI session: Console#quit Press ENTER to start session User Access Verification...
  • Page 353: Device Designation Commands

    System Management Commands Table 4-6 System Management Commands (Continued) Command Group Function Page Web Server Enables management access via a web browser 4-123 Telnet Server Enables management access via Telnet 4-126 Secure Shell Provides secure replacement for Telnet 4-127 Device Designation Commands Table 4-7 Device Designation Commands Command Function...
  • Page 354: Banner Information Commands

    Command Line Interface Banner Information Commands These commands are used to configure and manage administrative information about the switch, its exact data center location, details of the electrical and network circuits that supply the switch, as well as contact information for the network administrator and system manager.
  • Page 355: Banner Configure Company

    Example Console(config)#banner configure Company: Samsung Corporation Responsible department: R&D Dept Name and telephone to Contact the management people Manager1 name: Sr. Network Admin phone number: 123-555-1212 Manager2 name: Wile E.
  • Page 356: Banner Configure Dc-Power-Info

    Command Line Interface Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure company command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 357: Banner Configure Department

    System Management Commands banner configure department This command is used to configure the department information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure department dept-name no banner configure department dept-name - The name of the department. (Maximum length: 32 characters) Default Setting None...
  • Page 358: Banner Configure Equipment-Location

    Command Line Interface Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure equipment-info command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 359: Banner Configure Ip-Lan

    System Management Commands banner configure ip-lan This command is used to configure the device IP address and subnet mask information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure ip-lan ip-mask no banner configure ip-lan ip-mask - The IP address and subnet mask of the device.
  • Page 360: Banner Configure Manager-Info

    Command Line Interface Example Console(config)#banner configure lp-number 12 Console(config)# banner configure manager-info This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number]...
  • Page 361: Banner Configure Mux

    System Management Commands banner configure mux This command is used to configure the mux information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure mux muxinfo no banner configure mux muxinfo - The circuit and PVC to which the switch is connected. (Maximum length: 32 characters) Default Setting None...
  • Page 362: Show Banner

    Command Line Interface Command Usage Input strings cannot contain spaces. The banner configure note command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity. Example Console(config)#banner configure note !!!!!ROUTINE_MAINTENANCE_firmware- upgrade_0100-0500_GMT-0500_20071022!!!!!_20min_network_impact_expected...
  • Page 363: System Status Commands

    System Management Commands System Status Commands This section describes commands used to display system information. Table 4-9 System Status Commands Command Function Mode Page show startup-config Displays the contents of the configuration file (stored in flash 4-27 memory) that is used to start up the system show running-config Displays the configuration data currently in use 4-29...
  • Page 364: Interface Settings

    Command Line Interface - Spanning tree settings - Interface settings - Any configured settings for the console port and Telnet Example Console#show startup-config building startup-config, please wait... !<stackingDB>00</stackingDB> !<stackingMac>01_00-16-b6-f0-6f-fd_00</stackingMac> phymap 00-16-b6-f0-6f-fd sntp server 0.0.0.0 0.0.0.0 0.0.0.0 ntp poll 16 no dot1q-tunnel system-tunnel-control power mainpower maximum allocation 180 unit 1 snmp-server community public ro snmp-server community private rw...
  • Page 365: Show Running-Config

    System Management Commands show running-config This command displays the configuration information currently in use. Default Setting None Command Mode Privileged Exec Command Usage • Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
  • Page 366 Command Line Interface Example Console#show startup-config building startup-config, please wait... !<stackingDB>00</stackingDB> !<stackingMac>01_00-16-b6-f0-6f-fd_00</stackingMac> phymap 00-16-b6-f0-6f-fd sntp server 0.0.0.0 0.0.0.0 0.0.0.0 ntp poll 16 no dot1q-tunnel system-tunnel-control power mainpower maximum allocation 180 unit 1 snmp-server community public ro snmp-server community private rw username admin access-level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access-level 0...
  • Page 367: Show System

    System Management Commands show system This command displays system information. Command Mode Normal Exec, Privileged Exec Command Usage • For a description of the items shown by this command, refer to “Displaying System Information” on page 3-12. • The POST results should all display “PASS.” If any POST test indicates “FAIL,”...
  • Page 368: Show Version

    Command Line Interface Example Console#show users Username accounts: Username Privilege Public-Key -------- --------- ---------- admin None guest None steve Online users: Line Username Idle time (h:m:s) Remote IP addr. ----------- -------- ----------------- --------------- console admin 0:14:14 VTY 0 admin 0:00:00 192.168.1.19 SSH 1 steve...
  • Page 369: Show Memory

    System Management Commands show memory This command shows the location and size of free system memory. Command Mode Privileged Exec Example Console#show memory FREE LIST: Addr Size --- ---------- ---------- 0x7176640 1024 0x7176498 Frame Size Commands This section describes commands used to configure the Ethernet frame size on the switch.
  • Page 370: File Management Commands

    Command Line Interface connections, all devices in the collision domain would need to support jumbo frames. • The current setting for jumbo frames can be displayed with the show system command (page 4-31). Example Console(config)#jumbo frame Console(config)# File Management Commands Managing Firmware Firmware can be uploaded and downloaded to or from a TFTP server.
  • Page 371: Copy

    System Management Commands copy This command moves (upload/download) a code image or configuration file between the switch’s flash memory and a TFTP server. When you save the system code or configuration settings to a file on a TFTP server, that file can later be downloaded to the switch to restore system operation.
  • Page 372 Command Line Interface • The Boot ROM and Loader cannot be uploaded or downloaded from the TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help. • For information on specifying an https-certificate, see “Replacing the Default Secure-site Certificate”...
  • Page 373: Delete

    System Management Commands The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.01 Startup configuration file name [startup]: Write to FLASH Programming. \Write to FLASH finish. Success. Console# This example shows how to copy a secure-site certificate from a TFTP server.
  • Page 374: Dir

    Command Line Interface Command Usage • If the file type is used for system startup, then this file cannot be deleted. • “Factory_Default_Config.cfg” cannot be deleted. Example This example shows how to delete the test2.cfg configuration file from flash memory. Console#delete test2.cfg Console# Related Commands...
  • Page 375: Whichboot

    System Management Commands Example The following example shows how to display all file information: File name File type Startup Size (byte) ------------------------------------- -------------- ------- ---------- Unit1: diag.bix Boot-Rom Image 1377600 iES4024GP_bootrom_V1.0.0.10.bix Boot-Rom Image 1398712 iES4024GP_V1.1.0.14.bix Operation Code 3961940 Factory_Default_Config.cfg Config File startup1.cfg Config File 4667...
  • Page 376: Line Commands

    Command Line Interface Command Mode Global Configuration Command Usage • A colon (:) is required after the specified unit number and file type. • If the file contains an error, it cannot be set as the default file. Example Console(config)#boot system config: startup Console(config)# Related Commands dir (4-38)
  • Page 377: Line

    System Management Commands line This command selects a specific line for configuration, so that subsequent line configuration commands apply to it. Syntax line {console | vty} • console - Console terminal line. • vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting There is no default line.
  • Page 378: Password

    Command Line Interface Command Usage • There are three authentication modes provided by the switch itself at login: - login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode.
  • Page 379: Timeout Login Response

    System Management Commands number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state. • The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server.
  • Page 380: Exec-Timeout

    Command Line Interface Related Commands silent-time (4-45) exec-timeout (4-14) exec-timeout This command sets the interval that the system waits until user input is detected. Use the no form to restore the default. Syntax exec-timeout [seconds] no exec-timeout seconds - Integer that specifies the number of seconds. (Range: 0-65535 seconds;...
  • Page 381: Silent-Time

    System Management Commands Default Setting The default value is three attempts. Command Mode Line Configuration Command Usage • When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time before allowing the next logon attempt. (Use the silent-time command to set this interval.) When this threshold is reached for Telnet, the Telnet logon interface shuts down.
  • Page 382: Databits

    Command Line Interface databits This command sets the number of data bits per character that are interpreted and generated by the console port. Use the no form to restore the default value. Syntax databits {7 | 8} no databits • 7 - Seven data bits per character. •...
  • Page 383: Speed

    System Management Commands Command Usage Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting. Example To specify no parity, enter this command: Console(config-line)#parity none Console(config-line)# speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds.
  • Page 384: Disconnect

    Command Line Interface Default Setting 1 stop bit Command Mode Line Configuration Example To specify 2 stop bits, enter this command: Console(config-line)#stopbits 2 Console(config-line)# disconnect This command terminates an SSH, Telnet, or console connection. Syntax disconnect session-id session-id – The session identifier for an SSH, Telnet or console connection.
  • Page 385: Event Logging Commands

    System Management Commands Command Mode Normal Exec, Privileged Exec Example To show all lines, enter this command: Console#show line Console configuration: Password threshold: 3 times Interactive timeout: Disabled Login timeout: Disabled Silent time: Disabled Baudrate: 9600 Databits: Parity: none Stopbits: VTY configuration: Password threshold: 3 times...
  • Page 386: Logging History

    Command Line Interface Command Mode Global Configuration Command Usage The logging process controls error messages saved to switch memory or sent to remote syslog servers. You can use the logging history command to control the type of error messages that are stored in memory. You can use the logging trap command to control the type of error messages that are sent to specified syslog servers.
  • Page 387: Logging Host

    System Management Commands Default Setting Flash: errors (level 3 - 0) RAM: warnings (level 7 - 0) Command Mode Global Configuration Command Usage The message level specified for flash memory must be a higher priority (i.e., numerically lower) than that specified for RAM. Example Console(config)#logging history ram 0 Console(config)#...
  • Page 388: Logging Trap

    Command Line Interface Default Setting Command Mode Global Configuration Command Usage The command specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to sort messages or to store messages in the corresponding database.
  • Page 389: Clear Log

    System Management Commands Example Console(config)#logging trap 4 Console(config)# clear log This command clears messages from the log buffer. Syntax clear log [flash | ram] • flash - Event history stored in flash memory (i.e., permanent memory). • ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
  • Page 390: Table 4-16 Show Logging Flash/Ram - Display Description

    Command Line Interface Example The following example shows that system logging is enabled, the message level for flash memory is “errors” (i.e., default level 3 - 0), the message level for RAM is “informational” (i.e., default level 7 - 0). Console#show logging flash Syslog logging: Enabled...
  • Page 391: Show Log

    System Management Commands show log This command displays the system and event messages stored in memory. Syntax show log {flash | ram} [login] • flash - Event history stored in flash memory (i.e., permanent memory). • ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
  • Page 392: Smtp Alert Commands

    Command Line Interface SMTP Alert Commands These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients. Table 4-18 SMTP Alert Commands Command Function Mode Page logging sendmail host SMTP servers to receive alert messages 4-56 logging sendmail level Severity threshold used to trigger alert messages...
  • Page 393: Logging Sendmail Level

    Global Configuration Command Usage You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch. Example This example will set the source email john@samsung.com. Console(config)#logging sendmail source-email john@samsung.com Console(config)# 4-57
  • Page 394: Logging Sendmail Destination-Email

    Command Line Interface logging sendmail destination-email This command specifies the email recipients of alert messages. Use the no form to remove a recipient. Syntax [no] logging sendmail destination-email email-address email-address - The email address of a recipient of alert messages. (Range: 1-41 characters) Default Setting None Command Mode...
  • Page 395: Time Commands

    Console#show logging sendmail SMTP servers ----------------------------------------------- 1. 192.168.1.200 SMTP minimum severity level: 4 SMTP destination email addresses ----------------------------------------------- 1. geoff@samsung.com SMTP source email address: john@samsung.com SMTP status: Enabled Console# Time Commands The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP).
  • Page 396: Sntp Client

    Command Line Interface Table 4-19 Time Commands (Continued) Command Function Mode Page clock summertime Configures summer time (daylight savings time) for the switch’s 4-70 (recurring) internal clock calendar set Sets the system date and time 4-72 show calendar Displays the current date and time setting NE, PE 4-72 sntp client...
  • Page 397: Sntp Server

    System Management Commands sntp server This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Syntax sntp server [ip1 [ip2 [ip3]]] ip - IP address of a time server (NTP or SNTP).
  • Page 398: Show Sntp

    Command Line Interface Example Console(config)#sntp poll 60 Console(config)# Related Commands sntp client (4-60) show sntp This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated. Command Mode Normal Exec, Privileged Exec Command Usage...
  • Page 399: Ntp Server

    System Management Commands • This command enables client time requests to time servers specified via the ntp server command. It issues time synchronization requests based on the interval set via the ntp poll command. • SNTP and NTP clients cannot both be enabled at the same time. Example Console(config)#ntp client Console(config)#...
  • Page 400: Ntp Poll

    Command Line Interface Example Console(config)#ntp server 192.168.3.20 Console(config)#ntp server 192.168.3.21 Console(config)#ntp server 192.168.4.22 version 2 Console(config)#ntp server 192.168.5.23 version 3 key 19 Console(config)# Related Commands ntp client (4-62) ntp poll (4-64) show ntp (4-66) ntp poll This command sets the interval between sending time requests when the switch is set to NTP client mode.
  • Page 401: Ntp Authentication-Key

    System Management Commands Command Usage You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers. The authentication keys and their associated key number must be centrally managed and manually distributed to NTP servers and clients. The key numbers and key values must match on both the server and client.
  • Page 402: Show Ntp

    Command Line Interface Example Console(config)#ntp authentication-key 45 md5 thisiskey45 Console(config)# Related Commands ntp authenticate (4-64) show ntp This command displays the current time and configuration settings for the NTP client, and indicates whether or not the local time has been properly updated. Command Mode Normal Exec, Privileged Exec Command Usage...
  • Page 403: Clock Timezone-Predefined

    System Management Commands clock timezone-predefined This command uses predefined time zone configurations to set the time zone for the switch’s internal clock. Use the no form to restore the default. Syntax clock timezone-predefined offset-city no clock timezone-predefined • offset - Select the offset from GMT. (Range: GMT-0100 - GMT-1200; GMT-Greenwich-Mean-Time;...
  • Page 404: Clock Summer-Time (Date)

    Command Line Interface Default Setting None Command Mode Global Configuration Command Usage This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
  • Page 405: Clock Summer-Time (Predefined)

    System Management Commands • e-minute - The minute summer-time will end. (Range: 0-59 minutes) • offset - Summer-time offset from the regular time zone, in minutes. (Range: 0-99 minutes) Default Setting Disabled Command Mode Global Configuration Command Usage • In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less.
  • Page 406: Clock Summer-Time (Recurring)

    Command Line Interface Command Usage • In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn.
  • Page 407 System Management Commands • b-hour - The hour when summer-time will begin. (Range: 0-23 hours) • b-minute - The minute when summer-time will begin. (Range: 0-59 minutes) • e-week - The week of the month when summer-time will end. (Range: 1-5) •...
  • Page 408: Calendar Set

    Command Line Interface calendar set This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server. Syntax calendar set hour min sec {day month year | month day year} •...
  • Page 409: Switch Cluster Commands

    System Management Commands Switch Cluster Commands Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
  • Page 410: Cluster Commander

    Command Line Interface Command Usage • To create a switch cluster, first be sure that clustering is enabled on the switch (the default is enabled), then set the switch as a Cluster Commander. Set a Cluster IP Pool that does not conflict with any other IP subnets in the network. Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander.
  • Page 411: Cluster Ip-Pool

    System Management Commands cluster ip-pool This command sets the cluster IP address pool. Use the no form to reset to the default address. Syntax cluster ip-pool ip-address no cluster ip-pool ip-address - The base IP address for IP addresses assigned to cluster Members.
  • Page 412: Rcommand

    Command Line Interface Command Usage • The maximum number of cluster Members is 36. The maximum number of switch Candidates is 100. • Example Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5 Console(config)# rcommand This command provides access to a cluster Member CLI for configuration. Syntax rcommand id member-id member-id - The ID number of the Member switch.
  • Page 413: Show Cluster Members

    System Management Commands show cluster members This command shows the current switch cluster members. Command Mode Privileged Exec Example Console#show cluster members Cluster Members: Role: Active member IP Address: 10.254.254.2 MAC Address: 00-12-cf-23-49-c0 Description: Ubigate iES4024GP Switch Console# show cluster candidates This command shows the discovered Candidate switches in the network.
  • Page 414: Upnp Device

    Command Line Interface upnp device This command enables UPnP on the device. Use the no form to disable UPnP. Syntax [no] upnp device Default Setting Enabled Command Mode Global Configuration Command Usage You must enable UPnP before you can configure timeout settings for sending of UPnP messages.
  • Page 415: Upnp Device Advertise Duration

    System Management Commands Example In the following example, the TTL is set to 6. Console(config)#upnp device ttl 6 Console(config)# upnp device advertise duration This command sets the duration for which a device will advertise its presence on the local network. Syntax upnp device advertise duration value value - A time out value expressed in seconds.
  • Page 416: Debug Commands

    Command Line Interface Debug Commands Table 4-22 Debug Commands Command Function Mode Page debug dot1x Configures debug settings for IEEE 802.1X 4-80 debug radius Configures debug settings for RADIUS 4-82 debug tacacs Configures debug settings for TACACS 4-84 debug dot1x This command configures debug settings for IEEE 802.1X authentication processes.
  • Page 417 System Management Commands an 802.1X system event occurs. When debugging is enabled for the packet classification, debug messages will be shown when the switch sends or receives an EAPOL packet. • Use the debug dot1x show state-machine command to show debug messages for all state-machine related events.
  • Page 418: Debug Radius

    Command Line Interface When the debug state-machine option is selected, messages similar to those shown below are displayed when a change occurs in the state-machine. 01:02:03: DOT1X: event/pae-sm: State changing on port=1/1 from initialize to disconnected 01:02:03: DOT1X: event/pae-sm: State changing on port=1/1 from disconnected to connecting 01:02:03: DOT1X: event/pae-sm: State changing on port=1/1 from connecting to timeout...
  • Page 419 System Management Commands Command Mode Privileged Exec Command Usage • Use the debug radius command without any classification or feature to enable debugging for all RADIUS processes. • Use the debug radius all command to enable debugging for all of the classification options (i.e., config, database, event, packet and avpair).
  • Page 420: Debug Tacacs

    Command Line Interface When the debug packet option is selected, messages similar to those shown below are displayed when a RADIUS reply packet is received. 01:02:03: RADIUS: pkt/authen/author: Received a reply packet, code=accept, id=10, length=56 01:02:03: RADIUS: pkt/authen/author: Received a reply packet, code=access-chall, id=179, length=75 01:02:03: RADIUS: avpair/authen/author: state=5342522D43...,...
  • Page 421 System Management Commands TACACS configuration commands are entered. When debugging is enabled for the database classification, debug messages will be shown when a memory operation is applied to the TACACS database. When debugging is enabled for the event classification, debug messages will be shown when a TACACS system event occurs.
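The debug dot1x state-machine and debug radius packet messages above are only useful if someone reads them. As an added example (not code from the manual or from Samsung), here is a small parser for those two line formats that flags ports whose 802.1X state machine keeps falling into timeout (a supplicant that never answers EAP requests, or a port with no 802.1X client at all) and summarises RADIUS reply codes. The sample lines are constructed to match the formats printed in this section and are not a capture from a real switch; the threshold of two timeouts is an arbitrary choice.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the formats shown in the debug dot1x and
# debug radius sections of this manual; not captured from a real switch.
SAMPLE_LOG = """\
01:02:03: DOT1X: event/pae-sm: State changing on port=1/1 from initialize to disconnected
01:02:03: DOT1X: event/pae-sm: State changing on port=1/1 from disconnected to connecting
01:02:03: DOT1X: event/pae-sm: State changing on port=1/1 from connecting to timeout
01:02:04: DOT1X: event/pae-sm: State changing on port=1/1 from timeout to connecting
01:02:04: DOT1X: event/pae-sm: State changing on port=1/1 from connecting to timeout
01:02:05: DOT1X: event/pae-sm: State changing on port=1/2 from connecting to authenticating
01:02:03: RADIUS: pkt/authen/author: Received a reply packet, code=accept, id=10, length=56
01:02:03: RADIUS: pkt/authen/author: Received a reply packet, code=access-chall, id=179, length=75
01:02:06: RADIUS: pkt/authen/author: Received a reply packet, code=reject, id=180, length=20
"""

# The colon after the timestamp is optional: the manual prints both variants.
STATE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d):? DOT1X: event/pae-sm: State changing on port=(?P<port>\S+) "
    r"from (?P<old>\S+) to (?P<new>\S+)$")
RADIUS_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d):? RADIUS: pkt/\S+: Received a reply packet, "
    r"code=(?P<code>[\w-]+), id=(?P<id>\d+), length=(?P<len>\d+)$")


def parse_debug(text):
    """Split a debug log into PAE state transitions and RADIUS reply records."""
    transitions, replies = [], []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            transitions.append((m["ts"], m["port"], m["old"], m["new"]))
            continue
        m = RADIUS_RE.match(line)
        if m:
            replies.append((m["ts"], m["code"], int(m["id"]), int(m["len"])))
    return transitions, replies


def ports_timing_out(transitions, threshold=2):
    """Ports whose state machine entered 'timeout' at least `threshold` times."""
    counts = Counter(port for _, port, _, new in transitions if new == "timeout")
    return sorted(port for port, n in counts.items() if n >= threshold)


def radius_summary(replies):
    """Count of reply codes seen (accept / access-chall / reject)."""
    return Counter(code for _, code, _, _ in replies)


if __name__ == "__main__":
    t, r = parse_debug(SAMPLE_LOG)
    print("ports repeatedly timing out:", ports_timing_out(t))
    print("RADIUS replies:", dict(radius_summary(r)))
```

A sudden rise in reject counts, or a RADIUS id that never receives a reply, is the quickest sign that the shared key or the server address configured with radius-server is wrong.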
  • Page 422: Snmp Commands

    Command Line Interface SNMP Commands Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
  • Page 423: Show Snmp

    SNMP Commands Example Console(config)#snmp-server Console(config)# show snmp This command can be used to check the status of SNMP communications. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.
  • Page 424: Snmp-Server Community

    Command Line Interface snmp-server community This command defines the SNMP v1 and v2c community access string. Use the no form to remove the specified community string. Syntax snmp-server community string [ro|rw] no snmp-server community string • string - Community string that acts like a password and permits access to the SNMP protocol. SNMPv1 and v2c carry the community string in cleartext in every request, so a read/write community is equivalent to an unencrypted management password; prefer SNMPv3 users and groups where the management station supports them.
  • Page 425: Snmp-Server Location

    SNMP Commands Related Commands snmp-server location (4-89) snmp-server location This command sets the system location string. Use the no form to remove the location string. Syntax snmp-server location text no snmp-server location text - String that describes the system location. (Maximum length: 255 characters) Default Setting None...
  • Page 426: Snmp-Server Host

    Command Line Interface snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv}} [udp-port port]] no snmp-server host host-addr •...
  • Page 427 SNMP Commands command to enable the sending of traps or informs and to specify which SNMP notifications are sent globally. For a host to receive notifications, at least one snmp-server enable traps command and the snmp-server host command for that host must be enabled. •...
  • Page 428: Snmp-Server Enable Traps

    Command Line Interface Related Commands snmp-server enable traps (4-92) snmp-server enable traps This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications). Use the no form to disable SNMP notifications. Syntax [no] snmp-server enable traps [authentication | link-up-down] •...
  • Page 429: Snmp-Server Engine-Id

    SNMP Commands snmp-server engine-id This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default. Syntax snmp-server engine-id {local | remote {ip-address}} engineid-string no snmp-server engine-id {local | remote {ip-address}} • local - Specifies the SNMP engine on this switch. •...
  • Page 430: Show Snmp Engine-Id

    Command Line Interface Related Commands snmp-server host (4-90) show snmp engine-id This command shows the SNMP engine ID. Command Mode Privileged Exec Example This example shows the default engine ID. Console#show snmp engine-id Local SNMP engineID: 8000002a8000000000e8666672 Local SNMP engineBoots: 1 Remote SNMP engineID IP address 80000000030004e2b316c54321...
  • Page 431: Show Snmp View

    SNMP Commands Command Usage • Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree. • The predefined view “defaultview” includes access to the entire MIB tree. Examples This view includes MIB-2. Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included Console(config)# This view includes the MIB-2 interfaces table, ifDescr.
  • Page 432: Snmp-Server Group

    Command Line Interface snmp-server group This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group. Syntax snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] no snmp-server group groupname •...
  • Page 433: Show Snmp Group

    SNMP Commands show snmp group Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access. Command Mode Privileged Exec Example Console#show snmp group Group Name: r&d Security Model: v3 Read View: defaultview Write View: daily Notify View: none Storage Type: permanent...
  • Page 434: Snmp-Server User

    Command Line Interface Table 4-26 show snmp group - display description Field Description groupname Name of an SNMP group. security model The SNMP version. readview The associated read view. writeview The associated write view. notifyview The associated notify view. storage-type The storage type for this entry.
  • Page 435: Show Snmp User

    SNMP Commands Command Usage • The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command. • Before you configure a remote user, use the snmp-server engine-id command (page 4-93) to specify the engine ID for the remote device where the user resides.
  • Page 436: Authentication Commands

    Command Line Interface Table 4-27 show snmp user - display description Field Description EngineId String identifying the engine ID. User Name Name of user connecting to the SNMP agent. Authentication Protocol The authentication protocol used with SNMPv3. Privacy Protocol The privacy protocol used with SNMPv3. Storage Type The storage type for this entry.
  • Page 437: Username

    Authentication Commands username This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name. Syntax username name {access-level level | nopassword | password {0 | 7} password}...
  • Page 438: Enable Password

    Command Line Interface Example This example shows how to set the access level and password for a user. Console(config)#username bob access-level 15 Console(config)#username bob password 0 smith Console(config)# enable password After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place.
  • Page 439: Authentication Sequence

    Authentication Commands Authentication Sequence Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence. Table 4-31 Authentication Sequence Command Function Mode Page...
  • Page 440: Authentication Enable

    Command Line Interface Related Commands username - for setting the local user names and passwords (4-101) authentication enable This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-11).
  • Page 441: Radius Client

    Authentication Commands RADIUS Client Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
  • Page 442: Radius-Server Auth-Port

    Command Line Interface Command Mode Global Configuration Example Console(config)#radius-server 1 host 192.168.1.20 auth-port 181 timeout 10 retransmit 5 key green Console(config)# radius-server auth-port This command sets the RADIUS server network port for authentication messages. Use the no form to restore the default. Syntax radius-server auth-port port_number no radius-server auth-port...
  • Page 443: Radius-Server Attribute 4

    Authentication Commands radius-server attribute 4 This command sets the IP address of the Network Access Server (NAS) to use in the attribute 4 address field in packets sent to the RADIUS server. Use the no form to restore the default setting. Syntax radius-server attribute 4 nas_ip_address no radius-server attribute 4...
  • Page 444: Radius-Server Retransmit

    Command Line Interface Command Mode Global Configuration Example Console(config)#radius-server key green Console(config)# radius-server retransmit This command sets the number of retries. Use the no form to restore the default. Syntax radius-server retransmit number_of_retries no radius-server retransmit number_of_retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
  • Page 445: Show Radius-Server

    Authentication Commands show radius-server This command displays the current settings for the RADIUS server. Default Setting None Command Mode Privileged Exec Example Console#show radius-server Remote RADIUS Server Configuration: Global Settings: Authentication Port : 1812 Accounting Port : 1813 Retransmit Times Request Timeout : 5 seconds Attributes:...
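The RADIUS client commands above configure three things that determine whether the switch's logon requests can be trusted: the shared key (radius-server key), the NAS-IP-Address placed in attribute 4, and the authentication port (1812 by default). As an added example, not code from the manual or from Samsung, the following shows what the key actually does on the wire per RFC 2865: it hides the User-Password attribute (MD5-keyed XOR chained across 16-byte blocks) and it authenticates the server's reply through the Response Authenticator, which the client must verify before honouring an Access-Accept. The identifier, user name, password and addresses are made up for the demonstration.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype, value):
    """Type-Length-Value as used by every RADIUS attribute (length covers the header)."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(packet):
    """Return {type: value} for the attributes that follow the 20-byte header."""
    attrs, off = {}, 20
    while off < len(packet):
        atype, alen = packet[off], packet[off + 1]
        attrs[atype] = packet[off + 2:off + alen]
        off += alen
    return attrs


def encode_user_password(secret, request_auth, password):
    """RFC 2865 section 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    pwd = password.encode()
    pwd += b"\x00" * (-len(pwd) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(pwd), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(pwd[i:i + 16], pad))
        out += block
        prev = block
    return out


def decode_user_password(secret, request_auth, cipher):
    """Inverse of encode_user_password; the server side of the exchange."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(cipher[i:i + 16], pad))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def build_access_request(secret, ident, username, password, nas_ip, request_auth=None):
    """Access-Request carrying User-Name, the hidden User-Password and NAS-IP-Address (attribute 4)."""
    ra = request_auth or os.urandom(16)  # Request Authenticator: must be unpredictable
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_user_password(secret, ra, password))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def response_authenticator(secret, code, ident, request_auth, attrs):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(secret, code, request, attrs=b""):
    """What a server holding the same key sends back for `request`."""
    ident, req_auth = request[1], request[4:20]
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(secret, code, ident, req_auth, attrs) + attrs


def verify_reply(secret, request, reply):
    """Client-side check: a reply with a bad authenticator comes from a spoofed server or a mismatched key."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return False
    expected = response_authenticator(secret, code, ident, request[4:20], reply[20:])
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    key = b"green"  # the key from the radius-server example in this manual
    req = build_access_request(key, 7, "bob", "smith", "192.168.1.1")
    print("accept verified:", verify_reply(key, req, build_reply(key, ACCESS_ACCEPT, req)))
    print("wrong key verified:", verify_reply(b"wrong", req, build_reply(key, ACCESS_ACCEPT, req)))
```

Two practical consequences follow from the code: the key only obfuscates the password with MD5, so the switch-to-server path still needs to be a trusted management network, and attribute 4 is set by the client and is not authenticated in the request, which is why the server should be configured with the NAS address it expects rather than trusting whatever arrives.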
  • Page 446: Tacacs-Server Host

    Command Line Interface tacacs-server host This command specifies a TACACS+ server. Use the no form to restore the default. Syntax [no] tacacs-server index host {host_ip_address} [port port_number] [timeout timeout] [retransmit retransmit] [key key] • index - Specifies the index number of the server. (Range: 1) •...
  • Page 447: Tacacs-Server Key

    Authentication Commands Example Console(config)#tacacs-server port 181 Console(config)# tacacs-server key This command sets the TACACS+ encryption key. Use the no form to restore the default. Syntax tacacs-server key key_string no tacacs-server key key_string - Encryption key used to authenticate logon access for the client. It must match the key configured on the TACACS+ server. Note that TACACS+ uses the key only to obfuscate packet bodies with an MD5-derived pad, not for strong encryption, so the path between the switch and the server still needs to be a trusted management network.
  • Page 448: Tacacs-Server Timeout

    Command Line Interface tacacs-server timeout This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default. Syntax tacacs-server timeout number_of_seconds no tacacs-server timeout number_of_seconds - Number of seconds the switch waits for a reply before resending a request.
  • Page 449: Show Tacacs-Server

    Authentication Commands show tacacs-server This command displays the current settings for the TACACS+ server. Default Setting None Command Mode Privileged Exec Example Console#show tacacs-server Remote TACACS+ server configuration: Global Settings: Communication Key with TACACS+ Server: Server Port Number: Retransmit Times Request Times Server 1: Server IP address:...
  • Page 450: Aaa Commands

    Command Line Interface AAA Commands The Authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network. Table 4-1 AAA Commands Command Function Mode...
  • Page 451: Server

    Authentication Commands Example Console(config)#aaa group server radius tps Console(config-sg-radius)# server This command adds a security server to an AAA server group. Use the no form to remove the associated server from the group. Syntax [no] server {index | ip-address} • index - Specifies a server index and the sequence to use for the group. (Range: RADIUS 1-5, TACACS+ 1) •...
  • Page 452: Aaa Accounting Dot1X

    Command Line Interface aaa accounting dot1x This command enables the accounting of requested 802.1X services for network access. Use the no form to disable the accounting service. Syntax aaa accounting dot1x {default | method-name} start-stop group {radius | tacacs+ |server-group} no aaa accounting dot1x {default | method-name} •...
  • Page 453: Aaa Accounting Exec

    Authentication Commands aaa accounting exec This command enables the accounting of requested Exec services for network access. Use the no form to disable the accounting service. Syntax aaa accounting exec {default | method-name} start-stop group {radius | tacacs+ |server-group} no aaa accounting exec {default | method-name} •...
  • Page 454: Aaa Accounting Commands

    Command Line Interface aaa accounting commands This command enables the accounting of Exec mode commands. Use the no form to disable the accounting service. Syntax aaa accounting commands level {default | method-name} start-stop group {tacacs+ |server-group} no aaa accounting commands level {default | method-name} •...
  • Page 455: Aaa Accounting Update

    Authentication Commands aaa accounting update This command enables the sending of periodic updates to the accounting server. Use the no form to disable accounting updates. Syntax aaa accounting update [periodic interval] no aaa accounting update interval - Sends an interim accounting record to the server at this interval. (Range: 1-2147483647 minutes) Default Setting 1 minute...
  • Page 456: Accounting Exec

    Command Line Interface Example Console(config)#interface ethernet 1/2 Console(config-if)#accounting dot1x tps Console(config-if)# accounting exec This command applies an accounting method to local console or Telnet connections. Use the no form to disable accounting on the line. Syntax accounting exec {default | list-name} no accounting exec •...
  • Page 457: Aaa Authorization Exec

    Authentication Commands Command Mode Line Configuration Example Console(config)#line console Console(config-line)#accounting commands 15 default Console(config-line)# aaa authorization exec This command enables the authorization for Exec access. Use the no form to disable the authorization service. Syntax aaa authorization exec {default | method-name} group {tacacs+ | server-group} no aaa authorization exec {default | method-name} •...
  • Page 458: Authorization Exec

    • statistics - Displays accounting records. • user-name - Displays accounting records for a specified user name. • interface ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) 4-122...
  • Page 459: Ip Http Port

    Authentication Commands Default Setting None Command Mode Privileged Exec Example Console#show accounting Accounting type: dot1x Method list: default Group list: radius Interface: Method list: tps Group list: radius Interface: eth 1/2 Accounting type: Exec Method list: default Group list: radius Interface: vty Console# Web Server Commands...
  • Page 460: Ip Http Server

    Command Line Interface Command Mode Global Configuration Example Console(config)#ip http port 769 Console(config)# Related Commands ip http server (4-124) ip http server This command allows this device to be monitored or configured from a browser. Use the no form to disable this function. Syntax [no] ip http server Default Setting...
  • Page 461: Ip Http Secure-Port

    Authentication Commands Command Usage • Both HTTP and HTTPS services can be enabled independently on the switch. However, you cannot configure the HTTP and HTTPS servers to use the same TCP port. • If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number] •...
  • Page 462: Telnet Server Commands

    Command Line Interface Default Setting Command Mode Global Configuration Command Usage • You cannot configure the HTTP and HTTPS servers to use the same port. • If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port_number Example Console(config)#ip http secure-port 1000...
  • Page 463: Secure Shell Commands

    Authentication Commands Example Console(config)#ip telnet server Console(config)#ip telnet server port 123 Console(config)# Secure Shell Commands This section describes the commands used to configure the SSH server. However, note that you also need to install a SSH client on the management station when using this protocol to configure the switch.
  • Page 464 Command Line Interface To use the SSH server, complete these steps: Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch.
  • Page 465: Ip Ssh Server

    Authentication Commands Public Key Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can access it.
  • Page 466: Ip Ssh Timeout

    Command Line Interface • The SSH server uses its DSA or RSA host key to authenticate itself to the client and to protect the session key agreement when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption. Single DES is no longer considered secure; where the client supports SSHv2, the AES ciphers listed under show ip ssh should be preferred. •...
  • Page 467: Ip Ssh Authentication-Retries

    Authentication Commands ip ssh authentication-retries This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting. Syntax ip ssh authentication-retries count no ip ssh authentication-retries count – The number of authentication attempts permitted after which the interface is reset.
  • Page 468: Delete Public-Key

    Command Line Interface delete public-key This command deletes the specified user’s public key. Syntax delete public-key username [dsa | rsa] • username – Name of an SSH user. (Range: 1-8 characters) • dsa – DSA public key type. • rsa – RSA public key type. Default Setting Deletes both the DSA and RSA key.
  • Page 469: Ip Ssh Crypto Zeroize

    Authentication Commands Related Commands ip ssh crypto zeroize (4-133) ip ssh save host-key (4-133) ip ssh crypto zeroize This command clears the host key from memory (i.e. RAM). Syntax ip ssh crypto zeroize [dsa | rsa] • dsa – DSA key type. •...
  • Page 470: Show Ip Ssh

    Command Line Interface Example Console#ip ssh save host-key dsa Console# Related Commands ip ssh crypto host-key generate (4-132) show ip ssh This command displays the connection settings used when authenticating client access to the SSH server. Command Mode Privileged Exec Example Console#show ip ssh SSH Enabled - version 1.99...
  • Page 471: Show Public-Key

    Authentication Commands Table 4-38 show ssh - display description (Continued) Field Description Encryption The encryption method is automatically negotiated between the client and server. Options for SSHv1.5 include: DES, 3DES Options for SSHv2.0 can include different algorithms for the client-to-server (ctos) and server-to-client (stoc): aes128-cbc-hmac-sha1 aes192-cbc-hmac-sha1...
  • Page 472 Command Line Interface Example Console#show public-key host Host: RSA: 1024 35 1568499540186766925933394677505461732531367489083654725415020245593199868 5443583616519999233297817660658309586108259132128902337654680172627257141 3428762941301196195566782595664104869574278881462065194174677298486546861 5717739390164779355942303577413098022737087794545240839717526463580581767 16709574804776117 DSA: ssh-dss AAAB3NzaC1kc3MAAACBAPWKZTPbsRIB8ydEXcxM3dyV/yrDbKStIlnzD/Dg0h2Hxc YV44sXZ2JXhamLK6P8bvuiyacWbUW/a4PAtp1KMSdqsKeh3hKoA3vRRSy1N2XFfAKxl5fwFfv JlPdOkFgzLGMinvSNYQwiQXbKTBH0Z4mUZpE85PWxDZMaCNBPjBrRAAAAFQChb4vsdfQGNIjw bvwrNLaQ77isiwAAAIEAsy5YWDC99ebYHNRj5kh47wY4i8cZvH+/p9cnrfwFTMU01VFDly3IR 2G395NLy5Qd7ZDxfA9mCOfT/yyEfbobMJZi8oGCstSNOxrZZVnMqWrTYfdrKX7YKBw/Kjw6Bm iFq7O+jAhf1Dg45loAc27s6TLdtny1wRq/ow2eTCD5nekAAACBAJ8rMccXTxHLFAczWS7EjOy DbsloBfPuSAb4oAsyjKXKVYNLQkTLZfcFRu41bS2KV5LAwecsigF/+DjKGWtPNIQqabKgYCw2 o/dVzX4Gg+yqdTlYmGA7fHGm8ARGeiG4ssFKy4Z6DmYPXFum1Yg0fhLwuHpOSKdxT3kk475S7 Console# 4-136...
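The procedure above tells the client to import the switch's host public key, and show public-key host prints that key in two forms: the SSHv1 RSA key as "bits exponent modulus" and the SSHv2 key as "ssh-dss" followed by a base64 blob. Whether trust in the key is justified depends on comparing its fingerprint with one recorded out of band before the first connection. As an added example (not code from the manual or from Samsung), the following walks the SSH wire format of the blob, recovers the key type and integers, computes the MD5 and SHA256 fingerprints and performs that comparison. The DSA parameters used to build the sample blob are toy values constructed here, not a real key.

```python
import base64
import hashlib
import struct


def _mpint(n):
    """SSH mpint: length prefix plus big-endian magnitude with a leading 0x00 when the top bit is set."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return struct.pack("!I", len(body)) + body


def _string(s):
    return struct.pack("!I", len(s)) + s


def encode_ssh_dss(p, q, g, y):
    """Wire form of an ssh-dss public key: string "ssh-dss", mpint p, q, g, y (RFC 4253 section 6.6)."""
    return _string(b"ssh-dss") + _mpint(p) + _mpint(q) + _mpint(g) + _mpint(y)


def parse_ssh_blob(blob):
    """Walk the length-prefixed fields; the first is the key type, the rest are mpints."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack_from("!I", blob, off)
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated field body")
        fields.append(blob[off:off + n])
        off += n
    if not fields:
        raise ValueError("empty blob")
    return fields[0].decode(), [int.from_bytes(f, "big") for f in fields[1:]]


def fingerprints(blob):
    """Legacy colon-separated MD5 fingerprint and the OpenSSH-style SHA256 fingerprint."""
    md5 = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5_fp, "SHA256:" + sha


def parse_ssh2_line(line):
    """'ssh-dss AAAA...' or 'ssh-rsa AAAA...' as printed under show public-key."""
    ktype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    blob_type, nums = parse_ssh_blob(blob)
    if blob_type != ktype:
        raise ValueError("key type label does not match blob header")
    return blob_type, nums, fingerprints(blob)


def parse_rsa1_line(line):
    """'bits exponent modulus' as printed for the SSHv1 RSA host key."""
    bits, e, n = line.split()[:3]
    return int(bits), int(e), int(n)


def host_key_matches(presented_b64, pinned_sha256):
    """Client-side decision: trust the presented key only if its SHA256 fingerprint equals the pinned one."""
    blob = base64.b64decode(presented_b64)
    return fingerprints(blob)[1] == pinned_sha256


# Constructed toy parameters (NOT a real DSA key) so the example runs offline.
SAMPLE_DSS_B64 = base64.b64encode(encode_ssh_dss(195, 11, 4, 8)).decode()

if __name__ == "__main__":
    ktype, nums, (md5_fp, sha_fp) = parse_ssh2_line("ssh-dss " + SAMPLE_DSS_B64)
    print(ktype, nums, md5_fp, sha_fp)
    print("pinned key matches:", host_key_matches(SAMPLE_DSS_B64, sha_fp))
```

The first characters of any ssh-dss blob are "AAAAB3NzaC1kc3M" (the base64 of the length-prefixed type string), which is a quick sanity check when a key has been copied by hand from the console.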
  • Page 473: 802.1X Port Authentication

    Authentication Commands 802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol). Table 4-39 802.1X Port Authentication Command Function...
  • Page 474: Dot1X Default

    Command Line Interface dot1x default This command sets all configurable dot1x global and port settings to their default values. Command Mode Global Configuration Example Console(config)#dot1x default Console(config)# dot1x max-req This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session.
  • Page 475: Dot1X Operation-Mode

    Authentication Commands Default force-authorized Command Mode Interface Configuration Example Console(config)#interface eth 1/2 Console(config-if)#dot1x port-control auto Console(config-if)# dot1x operation-mode This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host.
  • Page 476: Dot1X Re-Authenticate

    [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) Command Mode Privileged Exec Command Usage The re-authentication process verifies the connected client’s user ID and password on the RADIUS server.
  • Page 477: Dot1X Timeout Quiet-Period

    Authentication Commands Example Console(config)#interface eth 1/2 Console(config-if)#dot1x re-authentication Console(config-if)# Related Commands dot1x timeout re-authperiod (4-141) dot1x timeout quiet-period This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. Use the no form to reset the default.
  • Page 478: Dot1X Timeout Tx-Period

    Command Line Interface Example Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout re-authperiod 300 Console(config-if)# dot1x timeout tx-period This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value.
  • Page 479: Show Dot1X

    • statistics - Displays dot1x status for each port. • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) Command Mode Privileged Exec Command Usage This command displays the following information: •...
  • Page 480 Command Line Interface - max-req – Maximum number of times a port will retransmit an EAP request/identity packet to the client before it times out the authentication session (page 4-138). - Status – Authorization status (authorized or not). - Operation Mode –...
  • Page 481 Authentication Commands Example Console#show dot1x Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status Operation Mode Mode Authorized disabled Single-Host ForceAuthorized enabled Single-Host auto 1/24 disabled Single-Host ForceAuthorized 802.1X Port Details 802.1X is disabled on port 1/1 802.1X is enabled on port 1/2 reauth-enabled: Enable reauth-period: 1800...
  • Page 482: Management Ip Filter Commands

    Command Line Interface Management IP Filter Commands This section describes commands used to configure IP management access to the switch. Table 4-40 IP Filter Commands Command Function Mode Page management Configures IP addresses that are allowed management access 4-146 show management Displays the client IP addresses that are allowed management access to the switch PE 4-147 management...
  • Page 483: Show Management

    Authentication Commands Example This example restricts management access to the indicated addresses. Console(config)#management all-client 192.168.1.19 Console(config)#management all-client 192.168.1.25 192.168.1.30 Console(config)# show management This command displays the client IP addresses that are allowed management access to the switch through various protocols. Syntax show management {all-client | http-client | snmp-client | telnet-client} •...
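The SNMP community, web server, Telnet server, SSH server and management filter commands in the preceding sections together decide who can administer the switch and whether their credentials cross the network in the clear. As an added example, not code from the manual or from Samsung, the following audits a configuration written in this manual's CLI syntax for the weak settings a reviewer looks for first, and then shows a hardened configuration that passes. Both configurations are constructed for the example; the command "ip http secure-server" is assumed to be the HTTPS enable command (the manual excerpt here only shows ip http secure-port), and the audit looks at commands as entered rather than at the exact layout of a saved running-config.

```python
import re

# Constructed weak configuration in the CLI syntax this manual documents (not a real capture).
WEAK_CONFIG = """\
snmp-server community public ro
snmp-server community private rw
snmp-server host 192.168.1.50 public version 2c
ip http server
ip telnet server
ip ssh server
username admin access-level 15
"""

# Constructed hardened counterpart: SNMPv3 only, HTTPS and SSH, no Telnet, management filter set.
HARDENED_CONFIG = """\
snmp-server view mgmt 1.3.6.1.2.1 included
snmp-server group netops v3 priv read mgmt
snmp-server host 192.168.1.50 opsuser version 3 priv
ip http secure-server
ip ssh server
management all-client 192.168.1.19
management all-client 192.168.1.25 192.168.1.30
username admin access-level 15
"""

COMMUNITY_RE = re.compile(r"snmp-server community (\S+) (ro|rw)$")
TRAP_HOST_RE = re.compile(r"snmp-server host \S+ \S+ version (1|2c)\b")


def audit_management_plane(config):
    """Return a list of findings; an empty list means none of the checked weaknesses were seen."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    for ln in lines:
        m = COMMUNITY_RE.match(ln)
        if m:
            name, mode = m.groups()
            if name in ("public", "private"):
                findings.append(f"well-known community string '{name}' ({mode})")
            if mode == "rw":
                findings.append(f"read/write v1/v2c community '{name}': cleartext, full write access")
        m = TRAP_HOST_RE.match(ln)
        if m:
            findings.append(f"trap host uses SNMPv{m.group(1)}: notifications carry the community string in the clear")
    if "ip telnet server" in lines:
        findings.append("Telnet server enabled: logon credentials cross the network in cleartext; use SSH")
    if "ip http server" in lines and "ip http secure-server" not in lines:  # secure-server assumed
        findings.append("HTTP management enabled without HTTPS")
    if "ip ssh server" not in lines:
        findings.append("SSH server disabled: no encrypted CLI access")
    if not any(ln.startswith("management ") for ln in lines):
        findings.append("no management IP filter: any client address may attempt management access")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for f in audit_management_plane(cfg) or ["no findings"]:
            print("  -", f)
```

The management filter is the check most often missed: even with SNMPv3 and SSH, leaving management access open to every address turns a credential leak anywhere on the network into switch compromise.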
  • Page 484: General Security Measures

    Command Line Interface General Security Measures This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes.
  • Page 485: Port Security Commands

    General Security Measures Port Security Commands These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
  • Page 486: Network Access (Mac Address Authentication)

    Command Line Interface Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
  • Page 487: Network-Access Aging

    General Security Measures Table 4-43 Network Access (Continued) Command Function Mode Page network-access Enables dynamic VLAN assignment from a RADIUS 4-153 dynamic-vlan server network-access guest-vlan Specifies the guest VLAN 4-154 mac-authentication Sets the time period after which a connected MAC 4-155 reauth-time address must be re-authenticated...
  • Page 488: Network-Access Mode

    Command Line Interface network-access mode Use this command to enable network access authentication on a port. Use the no form of this command to disable network access authentication. Syntax [no] network-access mode mac-authentication Default Setting Disabled Command Mode Interface Configuration Command Usage •...
  • Page 489: Network-Access Max-Mac-Count

    General Security Measures network-access max-mac-count Use this command to set the maximum number of MAC addresses that can be authenticated on a port interface via all forms of authentication. Use the no form of this command to restore the default. Syntax network-access max-mac-count count no network-access max-mac-count...
  • Page 490: Network-Access Guest-Vlan

    Command Line Interface have the same VLAN configuration, or they are treated as an authentication failure. • If dynamic VLAN assignment is enabled on a port and the RADIUS server returns no VLAN configuration, the authentication is still treated as a success, and the host is assigned to the default untagged VLAN.
  • Page 491: Mac-Authentication Reauth-Time

    General Security Measures mac-authentication reauth-time Use this command to set the time period after which a connected MAC address must be re-authenticated. Use the no form of this command to restore the default value. Syntax mac-authentication reauth-time seconds no mac-authentication reauth-time seconds - The reauthentication time period.
  • Page 492: Mac-Authentication Max-Mac-Count

    • mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx) • interface - Specifies a port interface. • ethernet unit/port - unit - This is unit 1. - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) Default Setting None Command Mode Privileged Exec...
  • Page 493: Show Network-Access

    • interface - Specifies a port interface. • ethernet unit/port - unit - This is unit 1. - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) Default Setting Displays the settings for all interfaces. Command Mode Privileged Exec...
  • Page 494: Show Network-Access Mac-Address-Table

    • interface - Specifies a port interface. • ethernet unit/port - unit - This is unit 1. - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • sort - Sorts displayed entries by either MAC address or interface. Default Setting Displays all filters.
  • Page 495: Web Authentication

    General Security Measures Web Authentication Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication methods are infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries. All other traffic, except for http protocol traffic, is blocked.
  • Page 496: Web-Auth Quiet-Period

    Command Line Interface Default Setting 3 login attempts Command Mode Global Configuration Example Console(config)#web-auth login-attempts 2 Console(config)# web-auth quiet-period This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.
  • Page 497: Web-Auth System-Auth-Control

    General Security Measures Command Mode Global Configuration Example Console(config)#web-auth session-timeout 1800 Console(config)# web-auth system-auth-control This command globally enables web authentication for the switch. Use the no form to restore the default. Syntax [no] web-auth system-auth-control Default Setting Disabled Command Mode Global Configuration Command Usage Both web-auth system-auth-control for the switch and web-auth for an...
  • Page 498: Web-Auth Re-Authenticate (Port)

    • interface - Specifies a port interface. • ethernet unit/port - unit - This is unit 1. - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) Default Setting None Command Mode Privileged Exec...
  • Page 499: Show Web-Auth

    • interface - Specifies a port interface. • ethernet unit/port - unit - This is unit 1. - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) Default Setting None Command Mode Privileged Exec Command Usage The session timeout displayed by this command is expressed in seconds.
  • Page 500: Show Web-Auth Summary

    Command Line Interface Example Console#show web-auth interface ethernet 1/2 Web Auth Status : Enabled Host Summary IP address Web-Auth-State Remaining-Session-Time --------------- -------------- ---------------------- 1.1.1.1 Authenticated 1.1.1.2 Authenticated Console# show web-auth summary This command displays a summary of web authentication port parameters and statistics.
  • Page 501: Ip Dhcp Snooping

    General Security Measures Table 4-45 DHCP Snooping Commands (Continued) Command Function Mode Page ip dhcp snooping Sets the information option policy for DHCP client packets that 4-170 information policy include Option 82 information ip dhcp snooping Writes all dynamically learned snooping entries to flash 4-170 database flash memory...
  • Page 502 Command Line Interface port. If the received packet is a DHCP ACK message, a dynamic DHCP snooping entry is also added to the binding table. - If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, but the port is not trusted, it is processed as follows: * If the DHCP packet is a reply packet from a DHCP server (including OFFER, ACK or NAK messages), the packet is dropped.
  • Page 503: Ip Dhcp Snooping Vlan

    General Security Measures ip dhcp snooping vlan This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting. Syntax [no] ip dhcp snooping vlan vlan-id vlan-id - ID of a configured VLAN (Range: 1-4094) Default Setting Disabled Command Mode...
  • Page 504: Ip Dhcp Snooping Verify Mac-Address

    Command Line Interface Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall. •...
  • Page 505: Ip Dhcp Snooping Information Option

    General Security Measures Command Usage If MAC address verification is enabled, and the source MAC address in the Ethernet header of the packet is not the same as the client’s hardware address in the DHCP packet, the packet is dropped. Example This example enables MAC address verification.
  • Page 506: Ip Dhcp Snooping Information Policy

    Command Line Interface Example This example enables the DHCP Snooping Information Option. Console(config)#ip dhcp snooping information option Console(config)# ip dhcp snooping information policy This command sets the DHCP snooping information option policy for DHCP client packets that include Option 82 information. Syntax ip dhcp snooping information policy {drop | keep | replace} •...
  • Page 507: Clear Ip Dhcp Snooping Database Flash

    General Security Measures Example Console(config)#ip dhcp snooping database flash Console(config)# clear ip dhcp snooping database flash This command removes all dynamically learned snooping entries from flash memory. Command Mode Privileged Exec Example Console#clear ip dhcp snooping database flash Console# show ip dhcp snooping This command shows the DHCP snooping configuration settings.
  • Page 508: Ip Source Guard Commands

    Command Line Interface IP Source Guard Commands IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or static and dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping Commands”...
  • Page 509 General Security Measures • When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table. • Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier.
  • Page 510: Ip Source-Guard Binding

    • ip-address - A valid unicast IP address, including classful types A, B or C. • unit - Stack unit. (Range: 1) • port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) Default Setting No configured entries Command Mode...
  • Page 511: Show Ip Source-Guard

    General Security Measures Related Commands ip source-guard (4-172) ip dhcp snooping (4-165) ip dhcp snooping vlan (4-167) show ip source-guard This command shows whether source guard is enabled or disabled on each interface. Command Mode Privileged Exec Example Console#show ip source-guard Interface Filter-type ---------...
  • Page 512: Access Control List Commands

    Command Line Interface Access Control List Commands Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, or Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules and then bind the list to a specific port.
  • Page 513: Access-List Ip

    Access Control List Commands access-list ip This command adds an IP access list and enters configuration mode for standard or extended IP ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip {standard | extended} acl_name •...
  • Page 514: Permit, Deny (Standard Acl)

    Command Line Interface permit, deny (Standard ACL) This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | source bitmask | host source} •...
  • Page 515: Permit, Deny (Extended Acl)

    Access Control List Commands permit, deny (Extended ACL) This command adds a rule to an Extended IP ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule. Syntax [no] {permit | deny} [protocol-number | udp] {any | source address-bitmask | host source}...
  • Page 516 Command Line Interface “match” and 0 bits to indicate “ignore.” The bitmask is bitwise ANDed with the specified source IP address, and then compared with the address for each IP packet entering the port(s) to which this ACL has been assigned. •...
  • Page 517: Show Ip Access-List

    Access Control List Commands show ip access-list This command displays the rules for configured IP ACLs. Syntax show ip access-list {standard | extended} [acl_name] • standard – Specifies a standard IP ACL. • extended – Specifies an extended IP ACL. •...
  • Page 518: Show Ip Access-Group

    Command Line Interface Example Console(config)#int eth 1/25 Console(config-if)#ip access-group david in Console(config-if)# Related Commands show ip access-list (4-181) show ip access-group This command shows the ports assigned to IP ACLs. Command Mode Privileged Exec Example Console#show ip access-group Interface ethernet 1/25 IP access-list david in Console# Related Commands...
  • Page 519: Access-List Mac

    Access Control List Commands access-list mac This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL. Syntax [no] access-list mac acl_name acl_name – Name of the ACL. (Maximum length: 16 characters) Default Setting None Command Mode...
  • Page 520: Permit, Deny (Mac Acl)

    Command Line Interface permit, deny (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | host source | source address-bitmask}...
  • Page 521: Show Mac Access-List

    Access Control List Commands • protocol – A specific Ethernet protocol number. (Range: 600-fff hex.) • protocol-bitmask – Protocol bitmask. (Range: 600-fff hex.) Default Setting None Command Mode MAC ACL Command Usage • New rules are added to the end of the list. •...
  • Page 522: Mac Access-Group

    Command Line Interface mac access-group This command binds a port to a MAC ACL. Use the no form to remove the port. Syntax mac access-group acl_name in • acl_name – Name of the ACL. (Maximum length: 16 characters) • in – Indicates that this list applies to ingress packets. Default Setting None Command Mode...
  • Page 523: Acl Information

    Access Control List Commands ACL Information Table 4-50 ACL Information Command Function Mode Page show access-list Show all ACLs and associated rules 4-187 show access-group Shows the ACLs assigned to each port 4-187 show access-list This command shows all ACLs and associated rules, as well as all the user-defined masks.
  • Page 524: Interface Commands

    • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) • vlan vlan-id (Range: 1-4094) 4-188...
  • Page 525: Description

    Interface Commands Default Setting None Command Mode Global Configuration Example To specify port 24, enter the following command: Console(config)#interface ethernet 1/24 Console(config-if)# description This command adds a description to an interface. Use the no form to remove the description. Syntax description string no description string - Comment or a description to help you remember what is attached...
  • Page 526: Negotiation

    Command Line Interface Default Setting • Auto-negotiation is enabled by default. • When auto-negotiation is disabled, the default speed-duplex setting for both 100BASE-TX and Gigabit Ethernet ports is 100full. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
  • Page 527: Capabilities

    Interface Commands Command Usage • When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands. •...
  • Page 528: Flowcontrol

    Command Line Interface Command Usage When auto-negotiation is enabled with the negotiation command, the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands. Example The following example configures Ethernet port 5 capabilities to 100half, 100full and flow control.
  • Page 529: Media-Type

    Interface Commands • Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem. Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub. Example The following example enables flow control on port 5.
  • Page 530: Giga-Phy-Mode

    Command Line Interface giga-phy-mode This command forces two connected ports into a master/slave configuration to enable 1000BASE-T full duplex. Use the no form to restore the default mode. Syntax giga-phy-mode mode no giga-phy-mode mode • master - Sets the selected port as master. •...
  • Page 531: Shutdown

    Interface Commands shutdown This command disables an interface. To restart a disabled interface, use the no form. Syntax [no] shutdown Default Setting All interfaces are enabled. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then reenable it after the problem has been resolved.
  • Page 532: Clear Counters

    Syntax clear counters interface interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) Default Setting None Command Mode Privileged Exec
  • Page 533: Show Interfaces Status

    • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) • vlan vlan-id (Range: 1-4094) Default Setting Shows the status for all interfaces.
  • Page 534: Show Interfaces Counters

    [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) Default Setting Shows the counters for all interfaces. Command Mode...
  • Page 535: Show Interfaces Switchport

    Syntax show interfaces switchport [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) Default Setting Shows all interfaces.
  • Page 536 Command Line Interface Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed. Example This example shows the configuration setting for port 24. Console#show interfaces switchport ethernet 1/24 Broadcast Threshold: Enabled, 64 Kbits/second Multicast Threshold: Disabled Unknown-unicast Threshold:...
  • Page 537 Interface Commands Table 4-52 Interfaces Switchport Statistics (Continued) Field Description Priority for Untagged Indicates the default priority for untagged frames (page 4-286). Traffic GVRP Status Shows if GARP VLAN Registration Protocol is enabled or disabled (page 4-250). Allowed VLAN Shows the VLANs this interface has joined, where “(u)” indicates untagged and “(t)”...
  • Page 538: Link Aggregation Commands

    Command Line Interface Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
  • Page 539: Channel-Group

    Link Aggregation Commands • STP, VLAN, and IGMP settings can only be made for the entire trunk via the specified port-channel. Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria: • Ports must have the same LACP system priority. •...
  • Page 540: Lacp

    Command Line Interface lacp This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it. Syntax [no] lacp Default Setting Disabled Command Mode Interface Configuration (Ethernet) Command Usage • The ports on both ends of an LACP trunk must be configured for full duplex, and auto-negotiation.
  • Page 541: Lacp System-Priority

    Link Aggregation Commands Example The following shows LACP enabled on ports 11-13. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk 1 has been established. Console(config)#interface ethernet 1/11 Console(config-if)#lacp Console(config-if)#exit...
  • Page 542: Lacp Admin-Key (Ethernet Interface)

    Command Line Interface Command Mode Interface Configuration (Ethernet) Command Usage • Ports must be configured with the same system priority to join the same LAG. • System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
  • Page 543: Lacp Admin-Key (Port Channel)

    Link Aggregation Commands • Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.
  • Page 544: Lacp Port-Priority

    Command Line Interface lacp port-priority This command configures LACP port priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority • actor - The local side of an aggregate link. •...
  • Page 545: Lacp Active/Passive

    Link Aggregation Commands lacp active/passive This command configures active or passive LACP initiation mode. Use the no form to restore the default setting. Syntax lacp {actor | partner} {active | passive} no lacp {actor | partner} • actor - The local side of an aggregate link. •...
  • Page 546: Table 4-54 Show Lacp Counters - Display Description

    Command Line Interface Command Mode Privileged Exec Example Console#show lacp 1 counters Port channel : 1 ------------------------------------------------------------------------- Eth 1/11 ------------------------------------------------------------------------- LACPDUs Sent : 21 LACPDUs Received : 21 Marker Sent : 0 Marker Received : 0 LACPDUs Unknown Pkts : 0 LACPDUs Illegal Pkts : 0 Table 4-54 show lacp counters - display description...
  • Page 547 Link Aggregation Commands Console#show lacp 1 internal Port Channel : 1 ------------------------------------------------------------------------- Oper Key : 4 Admin Key : 0 Eth 1/1 ------------------------------------------------------------------------- LACPDUs Internal: 30 sec LACP System Priority: 32768 LACP Port Priority: 32768 Admin Key: Oper Key: Admin State: defaulted, aggregation, long timeout, active Oper State: distributing, collecting, synchronization, aggregation, long timeout, active...
  • Page 548: Table 4-56 Show Lacp Neighbors - Display Description

    Command Line Interface Console#show lacp 1 neighbors Port channel 1 neighbors ------------------------------------------------------------------------- Eth 1/11 ------------------------------------------------------------------------- Partner Admin System ID: 32768, 00-00-00-00-00-00 Partner Oper System ID: 32768, 00-16-B6-F0-71-3C Partner Admin Port Number: 11 Partner Oper Port Number: Port Admin Priority: 32768 Port Oper Priority: 32768 Admin Key:...
  • Page 549: Power Over Ethernet Commands

    Power over Ethernet Commands Console#show lacp sysid Port Channel System Priority System MAC Address ------------------------------------------------------------------------- 32768 00-13-F7-D3-7E-60 32768 00-13-F7-D3-7E-60 32768 00-13-F7-D3-7E-60 32768 00-13-F7-D3-7E-60 32768 00-13-F7-D3-7E-60 32768 00-13-F7-D3-7E-60 32768 00-13-F7-D3-7E-60 32768 00-13-F7-D3-7E-60 Console# Table 4-57 show lacp sysid - display description Field Description Channel group...
  • Page 550: Power Mainpower Maximum Allocation

    Command Line Interface power mainpower maximum allocation This command defines a power budget for the switch (i.e., the power available to all switch ports). Use the no form to restore the default setting. Syntax power mainpower maximum allocation watts watts - The power budget for the switch. (Range: 37-180 watts) Default Setting 180 watts Command Mode...
  • Page 551: Power Inline

    Power over Ethernet Commands this switch can detect 802.3af compliant devices and the more recent 802.3af non-compliant devices that also reflect the test voltages back to the switch. It cannot detect other legacy devices that do not reflect back the test voltages. •...
  • Page 552: Power Inline Maximum Allocation

    Command Line Interface power inline maximum allocation This command limits the power allocated to specific ports. Use the no form to restore the default setting. Syntax power inline maximum allocation milliwatts no power inline maximum allocation milliwatts - The maximum power budget for the port. (Range: 3000 - 15400 milliwatts).
  • Page 553: Show Power Inline Status

    Power over Ethernet Commands - If a device is connected to a critical or high-priority port and causes the switch to exceed its budget, port power is still turned on if the switch can drop power to one or more lower-priority ports and keep within its budget. Power will be dropped from low-priority ports in sequence starting from port number 1.
  • Page 554: Show Power Mainpower

    Command Line Interface Table 4-59 show power inline status parameters Parameter Description Admin The power mode set on the port (see power inline on page -215) Oper The current operating power status (displays on or off) Power (mWatt) The maximum power allocated to this port (see power inline maximum allocation on page -216) Power (used) The current power consumption on the port in milliwatts...
  • Page 555: Mirror Port Commands

    • interface - ethernet unit/port (source port) - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • rx - Mirror received packets. • tx - Mirror transmitted packets. • both - Mirror both received and transmitted packets.
  • Page 556: Show Port Monitor

    Syntax show port monitor [interface] interface - ethernet unit/port (source port) • unit - Stack unit. (Range: 1) • port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) Default Setting Shows all sessions. Command Mode Privileged Exec Command Usage This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX).
  • Page 557: Rate Limit Commands

    Rate Limit Commands This function allows the network manager to control the maximum rate for traffic received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into the network. Packets that exceed the acceptable amount of traffic are dropped.
  • Page 558: Address Table Commands

    • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) • vlan-id - VLAN ID (Range: 1-4094) • action - - delete-on-reset - Assignment lasts until the switch is reset.
  • Page 559: Clear Mac-Address-Table Dynamic

    Address Table Commands Command Usage The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table. Static addresses have the following characteristics: •...
  • Page 560: Show Mac-Address-Table

    • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) • vlan-id - VLAN ID (Range: 1-4094) • sort - Sort by address, vlan or interface.
  • Page 561: Mac-Address-Table Aging-Time

    Address Table Commands mac-address-table aging-time This command sets the aging time for entries in the address table. Use the no form to restore the default aging time. Syntax mac-address-table aging-time seconds no mac-address-table aging-time seconds - Aging time. (Range: 10-30000 seconds; 0 to disable aging) Default Setting 300 seconds Command Mode...
  • Page 562: Spanning Tree Commands

    Command Line Interface Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 4-64 Spanning Tree Commands Command Function Mode Page spanning-tree Enables the spanning tree protocol 4-227 spanning-tree mode...
  • Page 563: Spanning-Tree

    Spanning Tree Commands Table 4-64 Spanning Tree Commands (Continued) Command Function Mode Page spanning-tree mst cost Configures the path cost of an instance in the MST 4-244 spanning-tree mst Configures the priority of an instance in the MST 4-245 port-priority spanning-tree Re-checks the appropriate BPDU format 4-245...
  • Page 564: Spanning-Tree Mode

    Command Line Interface spanning-tree mode This command selects the spanning tree mode for this switch. Use the no form to restore the default. Syntax spanning-tree mode {stp | rstp | mstp} no spanning-tree mode • stp - Spanning Tree Protocol (IEEE 802.1D) •...
  • Page 565: Spanning-Tree Forward-Time

    Spanning Tree Commands Example The following example configures the switch to use Rapid Spanning Tree: Console(config)#spanning-tree mode rstp Console(config)# spanning-tree forward-time This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default. Syntax spanning-tree forward-time seconds no spanning-tree forward-time...
  • Page 566: Spanning-Tree Max-Age

    Command Line Interface Command Mode Global Configuration Command Usage This command sets the time interval (in seconds) at which the root device transmits a configuration message. Example Console(config)#spanning-tree hello-time 5 Console(config)# Related Commands spanning-tree forward-time (4-229) spanning-tree max-age (4-230) spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch.
  • Page 567: Spanning-Tree Priority

    Spanning Tree Commands Related Commands spanning-tree forward-time (4-229) spanning-tree hello-time (4-229) spanning-tree priority This command configures the spanning tree priority globally for this switch. Use the no form to restore the default. Syntax spanning-tree priority priority no spanning-tree priority priority - Priority of the bridge. (Range: 0 - 65535) (Range –...
  • Page 568: Spanning-Tree Pathcost Method

    Command Line Interface Command Mode Global Configuration Command Usage The spanning-tree system-bpdu-flooding command has no effect if BPDU flooding is disabled on a port (see the spanning-tree port-bpdu-flooding command, page 4-240). Example Console(config)#spanning-tree system-bpdu-flooding Console(config)# spanning-tree pathcost method This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree.
  • Page 569: Spanning-Tree Mst Configuration

    Spanning Tree Commands Default Setting Command Mode Global Configuration Command Usage This command limits the maximum transmission rate for BPDUs. Example Console(config)#spanning-tree transmission-limit 4 Console(config)# spanning-tree mst configuration This command changes to Multiple Spanning Tree (MST) configuration mode. Default Setting •...
  • Page 570: Mst Priority

    Command Line Interface Command Mode MST Configuration Command Usage • Use this command to group VLANs into spanning tree instances. MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
  • Page 571: Name

    Spanning Tree Commands • You can set this switch to act as the MSTI root device by specifying a priority of 0, or as the MSTI alternate device by specifying a priority of 16384. Example Console(config-mstp)#mst 1 priority 4096 Console(config-mstp)# name This command configures the name for the multiple spanning tree region in which this switch is located.
  • Page 572: Max-Hops

    Command Line Interface Command Usage The MST region name (page 4-235) and revision number are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
  • Page 573: Spanning-Tree Cost

    Spanning Tree Commands Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Example This example disables the spanning tree algorithm for port 5. Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree spanning-disabled Console(config-if)# spanning-tree cost This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default.
  • Page 574: Spanning-Tree Port-Priority

    Command Line Interface Default Setting By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost “0” is used to indicate auto-configuration mode. When the short path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65,535, the default is set to 65,535.
  • Page 575: Spanning-Tree Edge-Port

    Spanning Tree Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch are the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
  • Page 576: Spanning-Tree Portfast

    Command Line Interface Related Commands spanning-tree portfast (4-240) spanning-tree portfast This command sets an interface to fast forwarding. Use the no form to disable fast forwarding. Syntax [no] spanning-tree portfast Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
  • Page 577: Spanning-Tree Link-Type

    Spanning Tree Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • When enabled, BPDUs are flooded to all other ports on the switch or to all other ports within the receiving port’s native VLAN as specified by the spanning-tree system-bpdu-flooding command (page 4-231).
  • Page 578: Spanning-Tree Loopback-Detection

    Command Line Interface spanning-tree loopback-detection This command enables the detection and response to Spanning Tree loopback BPDU packets on the port. Use the no form to disable this feature. Syntax spanning-tree loopback-detection no spanning-tree loopback-detection Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
  • Page 579: Spanning-Tree Loopback-Detection Trap

    Spanning Tree Commands Command Usage • If the port is configured for automatic loopback release, then the port will only be returned to the forwarding state if one of the following conditions is satisfied: - The port receives any other BPDU except for its own, or; - The port’s link status changes to link down and then link up again, or;...
  • Page 580: Spanning-Tree Mst Cost

    Command Line Interface spanning-tree mst cost This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree mst instance_id cost cost no spanning-tree mst instance_id cost •...
  • Page 581: Spanning-Tree Mst Port-Priority

    This command re-checks the appropriate BPDU format to send on the selected interface. Syntax spanning-tree protocol-migration interface interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8)
  • Page 582: Show Spanning-Tree

    • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) • instance_id - Instance identifier of the multiple spanning tree. (Range: 0-4094, no leading zeroes)
  • Page 583 Spanning Tree Commands items displayed for specific interfaces, see “Displaying Interface Settings” on page 3-175. Example Console#show spanning-tree Spanning-tree information --------------------------------------------------------------- Spanning tree mode: MSTP Spanning tree enable/disable: enable Instance: Vlans configuration: 1-4092 Priority: 32768 Bridge Hello Time (sec.): Bridge Max Age (sec.): Bridge Forward Delay (sec.): Root Hello Time (sec.): Root Max Age (sec.):...
  • Page 584: Show Spanning-Tree Mst Configuration

    Command Line Interface show spanning-tree mst configuration This command shows the configuration of the multiple spanning tree. Command Mode Privileged Exec Example Console#show spanning-tree mst configuration Mstp Configuration Information -------------------------------------------------------------- Configuration name: R&D Revision level:0 Instance Vlans -------------------------------------------------------------- 1,3-4094 Console# VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment.
  • Page 585: Gvrp And Bridge Extension Commands

    VLAN Commands GVRP and Bridge Extension Commands GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
  • Page 586: Show Bridge-Ext

    Command Line Interface show bridge-ext This command shows the configuration for bridge extension commands. Default Setting None Command Mode Privileged Exec Command Usage See “Displaying Basic VLAN Information” on page 3-191 and “Displaying Bridge Extension Capabilities” on page 3-16 for a description of the displayed items.
  • Page 587: Show Gvrp Configuration

    [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) Default Setting Shows both global and interface-specific configuration. Command Mode...
  • Page 588: Clear Gvrp Statistics

    [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) Command Mode Normal Exec, Privileged Exec Example Console#clear gvrp statistics...
  • Page 589: Garp Timer

    VLAN Commands garp timer This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. Syntax garp timer {join | leave | leaveall} timer_value no garp timer {join | leave | leaveall} •...
  • Page 590: Show Garp Timer

    [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) Default Setting Shows all GARP timers. Command Mode...
  • Page 591: Vlan

    VLAN Commands Command Mode Global Configuration Command Usage • Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command. • Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN.
  • Page 592: Configuring Vlan Interfaces

    Command Line Interface • You can configure up to 255 VLANs on the switch. Note: The switch allows 255 user-manageable VLANs. One extra, unmanageable VLAN (VLAN ID 4093) is maintained for switch clustering. Example The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default.
  • Page 593: Switchport Mode

    VLAN Commands Example The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN: Console(config)#interface vlan 1 Console(config-if)#ip address 192.168.1.254 255.255.255.0 Console(config-if)# Related Commands shutdown (4-195) switchport mode This command configures the VLAN membership mode for a port.
  • Page 594: Switchport Acceptable-Frame-Types

    Command Line Interface switchport acceptable-frame-types This command configures the acceptable frame types for a port. Use the no form to restore the default. Syntax switchport acceptable-frame-types {all | tagged} no switchport acceptable-frame-types • all - The port accepts all frames, tagged or untagged. •...
  • Page 595: Switchport Native Vlan

    VLAN Commands • With ingress filtering enabled, a port will discard received frames tagged for VLANs of which it is not a member. • Ingress filtering does not affect VLAN-independent BPDU frames, such as GVRP or STA. However, it does affect VLAN-dependent BPDU frames, such as GMRP.
  • Page 596: Switchport Allowed Vlan

    Command Line Interface switchport allowed vlan This command configures VLAN groups on the selected interface. Use the no form to restore the default. Syntax switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list} no switchport allowed vlan • add vlan-list - List of VLAN identifiers to add. •...
  • Page 597: Switchport Forbidden Vlan

    VLAN Commands switchport forbidden vlan This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs. Syntax switchport forbidden vlan {add vlan-list | remove vlan-list} no switchport forbidden vlan • add vlan-list - List of VLAN identifiers to add. •...
  • Page 598: Displaying Vlan Information

    Command Line Interface Displaying VLAN Information Table 4-72 Show VLAN Commands Command Function Mode Page show vlan Shows VLAN information NE, PE 4-262 show interfaces status vlan Displays status for the specified VLAN interface NE, PE 4-197 show interfaces switchport Displays the administrative and operational status of an NE, PE 4-199...
  • Page 599: Configuring Ieee 802.1Q Tunneling

    VLAN Commands Configuring IEEE 802.1Q Tunneling IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs. QinQ tunneling expands VLAN space by using a VLAN-in-VLAN hierarchy, preserving the customer’s original tagged packets, and adding SPVLAN tags to each frame (also called double tagging).
  • Page 600: Dot1Q-Tunnel System-Tunnel-Control

    Command Line Interface reconfigured to overcome a break in the tree. It is therefore advisable to disable spanning tree on these ports. dot1q-tunnel system-tunnel-control This command sets the switch to operate in QinQ mode. Use the no form to disable QinQ operating mode.
  • Page 601: Switchport Dot1Q-Tunnel Tpid

    VLAN Commands • When a tunnel uplink port receives a packet from a customer, the customer tag (regardless of whether there are one or more tag layers) is retained in the inner tag, and the service provider’s tag added to the outer tag. •...
  • Page 602: Show Dot1Q-Tunnel

    Command Line Interface Example Console(config)#interface ethernet 1/1 Console(config-if)#switchport dot1q-tunnel tpid 9100 Console(config-if)# Related Commands show interfaces switchport (4-199) show dot1q-tunnel This command displays information about QinQ tunnel ports. Command Mode Privileged Exec Example Console(config)#dot1q-tunnel system-tunnel-control Console(config)#interface ethernet 1/1 Console(config-if)#switchport dot1q-tunnel mode access Console(config-if)#interface ethernet 1/2 Console(config-if)#switchport dot1q-tunnel mode uplink Console(config-if)#end...
  • Page 603: Configuring Port-Based Traffic Segmentation

    VLAN Commands Configuring Port-based Traffic Segmentation If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual client sessions. Traffic belonging to each client is isolated to the allocated downlink ports.
  • Page 604: Pvlan Uplink/Downlink

    • interface-list – One or more uplink or downlink interfaces. • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) Default Setting None...
  • Page 605: Pvlan Session

    VLAN Commands Command Mode Global Configuration Command Usage • A port cannot be configured in both an uplink and downlink list. • A port can only be assigned to one traffic-segmentation session. • A downlink port can only communicate with an uplink port in the same session.
  • Page 606: Pvlan Up-To-Up

    Command Line Interface pvlan up-to-up This command specifies whether or not traffic can be forwarded between uplink ports assigned to different client sessions. Use the no form to restore the default. Syntax [no] pvlan up-to-up {blocking | forwarding} • blocking – Blocks traffic between uplink ports assigned to different sessions.
  • Page 607: Configuring Private Vlans

    VLAN Commands Configuring Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. This switch supports two types of private VLANs: primary/secondary associated groups, and stand-alone isolated VLANs. A primary VLAN contains promiscuous ports that can communicate with all other ports in the private VLAN group, while a secondary (or community) VLAN contains community ports that can only communicate with other hosts within the secondary VLAN and with any of the promiscuous ports in the associated primary VLAN.
  • Page 608: Private-Vlan

    Command Line Interface Use the switchport private-vlan host-association command to assign a port to a secondary VLAN. Use the switchport private-vlan mapping command to assign a port to a primary VLAN. Use the show vlan private-vlan command to verify your configuration settings. private-vlan Use this command to create a primary or community private VLAN.
  • Page 609: Private Vlan Association

    VLAN Commands private vlan association Use this command to associate a primary VLAN with a secondary (i.e., community) VLAN. Use the no form to remove all associations for the specified primary VLAN. Syntax private-vlan primary-vlan-id association {secondary-vlan-id | add secondary-vlan-id | remove secondary-vlan-id} no private-vlan primary-vlan-id association •...
  • Page 610: Switchport Private-Vlan Host-Association

    Command Line Interface Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • To assign a promiscuous port to a primary VLAN, use the switchport private-vlan mapping command. To assign a host port to a community VLAN, use the switchport private-vlan host-association command. •...
  • Page 611: Switchport Private-Vlan Mapping

    VLAN Commands switchport private-vlan mapping Use this command to map an interface to a primary VLAN. Use the no form to remove this mapping. Syntax switchport private-vlan mapping primary-vlan-id no switchport private-vlan mapping primary-vlan-id – ID of primary VLAN. (Range: 1-4094, no leading zeroes). Default Setting None Command Mode...
  • Page 612: Configuring Protocol-Based Vlans

    Command Line Interface Example Console#show vlan private-vlan Primary Secondary Type Interfaces -------- ----------- ---------- ------------------------------ primary Eth1/ 3 community Eth1/ 4 Eth1/ 5 Console# Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
  • Page 613: Protocol-Vlan Protocol-Group (Configuring Groups)

    VLAN Commands protocol-vlan protocol-group (Configuring Groups) This command creates a protocol group, or adds specific protocols to a group. Only one frame type and protocol type can be added to a protocol group. Use the no form to remove a protocol group. Syntax protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol]...
  • Page 614: Show Protocol-Vlan Protocol-Group

    Command Line Interface Command Usage • When creating a protocol-based VLAN, do not assign interfaces to the protocol VLAN via any of the standard VLAN commands. If you assign interfaces using any of the other VLAN commands (such as vlan on page 4-255), the switch will admit traffic of any protocol type into the associated VLAN.
  • Page 615: Show Protocol-Vlan Protocol-Group-Vid

    VLAN Commands show protocol-vlan protocol-group-vid This command shows the mapping from protocol groups to VLANs. Syntax show protocol-vlan protocol-group-vid Default Setting The mapping for all protocol groups is displayed. Command Mode Privileged Exec Example This shows that traffic matching the specifications for protocol group 2 will be mapped to VLAN 2: Console#show protocol-vlan protocol-group-vid ProtocolGroup ID...
  • Page 616: Voice Vlan

    Command Line Interface voice vlan This command enables VoIP traffic detection and defines the Voice VLAN ID. Use the no form to disable the Voice VLAN. Syntax voice vlan voice-vlan-id no voice vlan voice-vlan-id - Specifies the voice VLAN ID. (Range: 1-4094) Default Setting Disabled Command Mode...
  • Page 617: Voice Vlan Mac-Address

    VLAN Commands Default Setting 1440 minutes Command Mode Global Configuration Command Usage The Voice VLAN aging time is the time after which a port is removed from the Voice VLAN when VoIP traffic is no longer received on the port. Example The following example configures the Voice VLAN aging time as 3000 minutes.
  • Page 618: Switchport Voice Vlan

    Command Line Interface • Selecting a mask of FF-FF-FF-00-00-00 identifies all devices with the same OUI (the first three octets). Other masks restrict the MAC address range. Selecting FF-FF-FF-FF-FF-FF specifies a single MAC address. Example The following example adds a MAC OUI to the OUI Telephony list. Console(config)#voice vlan mac-address 00-12-34-56-78-90 mask ff-ff-ff-00-00-00 description A new phone Console(config)#...
  • Page 619: Switchport Voice Vlan Rule

    VLAN Commands switchport voice vlan rule This command selects a method for detecting VoIP traffic on a port. Use the no form to disable the detection method on the port. Syntax [no] switchport voice vlan rule {oui | lldp} • oui - Traffic from VoIP devices is detected by the Organizationally Unique Identifier (OUI) of the source MAC address.
  • Page 620: Switchport Voice Vlan Priority

    Command Line Interface Command Usage • Security filtering discards any non-VoIP packets received on the port that are tagged with the voice VLAN ID. VoIP traffic is identified by source MAC addresses configured in the Telephony OUI list, or through LLDP that discovers VoIP devices attached to the switch.
  • Page 621: Show Voice Vlan

    VLAN Commands show voice vlan This command displays the Voice VLAN settings on the switch and the OUI Telephony list. Syntax show voice vlan {oui | status} • oui - Displays the OUI Telephony list. • status - Displays the global and port Voice VLAN settings. Default Setting None Command Mode...
  • Page 622: Lldp Commands

    Command Line Interface LLDP Commands Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1ab standard, and can include details such as device identification, capabilities and configuration settings.
  • Page 623: Table 4-79 Lldp Commands

    LLDP Commands Table 4-79 LLDP Commands (Continued) Command Function Mode Page lldp basic-tlv Configures an LLDP-enabled port to advertise its system 4-296 system-name name lldp dot1-tlv Configures an LLDP-enabled port to advertise the supported 4-296 proto-ident* protocols lldp dot1-tlv Configures an LLDP-enabled port to advertise port related 4-297 proto-vid* VLAN information...
  • Page 624: Lldp

    Command Line Interface lldp This command enables LLDP globally on the switch. Use the no form to disable LLDP. Syntax [no] lldp Default Setting Enabled Command Mode Global Configuration Example Console(config)#lldp Console(config)# lldp holdtime-multiplier This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.
  • Page 625: Lldp Medfaststartcount

    LLDP Commands lldp medFastStartCount This command specifies the number of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. Syntax lldp medfaststartcount packets packets - Number of packets. (Range: 1-10 packets; Default: 4 packets) Default Setting 4 packets Command Mode...
  • Page 626: Lldp Refresh-Interval

    Command Line Interface notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss. Example Console(config)#lldp notification-interval 30 Console(config)# lldp refresh-interval This command configures the periodic transmit interval for LLDP advertisements. Use the no form to restore the default setting.
  • Page 627: Lldp Tx-Delay

    LLDP Commands Command Mode Global Configuration Command Usage When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted. Example Console(config)#lldp reinit-delay 10 Console(config)# lldp tx-delay This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables.
  • Page 628: Lldp Admin-Status

    Command Line Interface lldp admin-status This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature. Syntax lldp admin-status {rx-only | tx-only | tx-rx} no lldp admin-status • rx-only - Only receive LLDP PDUs. •...
  • Page 629: Lldp Mednotification

    LLDP Commands therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp notification Console(config-if)# lldp mednotification This command enables the transmission of SNMP trap notifications about LLDP-MED changes.
  • Page 630: Lldp Basic-Tlv Management-Ip-Address

    Command Line Interface lldp basic-tlv management-ip-address This command configures an LLDP-enabled port to advertise the management address for this device. Use the no form to disable this feature. Syntax [no] lldp basic-tlv management-ip-address Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
  • Page 631: Lldp Basic-Tlv System-Capabilities

    LLDP Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The port description is taken from the ifDescr object in RFC 2863, which includes information about the manufacturer, the product name, and the version of the interface hardware/software. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp basic-tlv port-description Console(config-if)#...
  • Page 632: Lldp Basic-Tlv System-Name

    Command Line Interface Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The system description is taken from the sysDescr object in RFC 3418, which includes the full name and version identification of the system's hardware type, software operating system, and networking software. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp basic-tlv system-description...
  • Page 633: Lldp Dot1-Tlv Proto-Vid

    LLDP Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises the protocols that are accessible through this interface. Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot1-tlv proto-ident Console(config-if)# lldp dot1-tlv proto-vid This command configures an LLDP-enabled port to advertise port related VLAN information.
  • Page 634: Lldp Dot1-Tlv Vlan-Name

    Command Line Interface Command Usage The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see “switchport native vlan” on page 4-259). Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot1-tlv pvid Console(config-if)# lldp dot1-tlv vlan-name This command configures an LLDP-enabled port to advertise its VLAN name.
  • Page 635: Lldp Dot3-Tlv Mac-Phy

    LLDP Commands Command Usage This option advertises link aggregation capabilities, aggregation status of the link, and the 802.3 aggregated port identifier if this interface is currently a link aggregation member. Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot3-tlv link-agg Console(config-if)# lldp dot3-tlv mac-phy This command configures an LLDP-enabled port to advertise its MAC and physical layer capabilities.
  • Page 636: Lldp Dot3-Tlv Poe

    Command Line Interface Command Usage Refer to “Frame Size Commands” on page 4-33 for information on configuring the maximum frame size for this switch. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp dot3-tlv max-frame Console(config-if)# lldp dot3-tlv poe This command configures an LLDP-enabled port to advertise its Power-over-Ethernet (PoE) capabilities.
  • Page 637: Lldp Medtlv Inventory

    LLDP Commands Command Usage This option advertises extended Power-over-Ethernet capability details, such as power availability from the switch, and power state of the switch, including whether the switch is operating from primary or backup power (the Endpoint Device could use this information to decide to enter power conservation mode).
  • Page 638: Lldp Medtlv Med-Cap

    Command Line Interface Command Usage This option advertises location identification details. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp medtlv location Console(config-if)# lldp medtlv med-cap This command configures an LLDP-MED-enabled port to advertise its Media Endpoint Device capabilities. Use the no form to disable this feature. Syntax [no] lldp medtlv med-cap...
  • Page 639: Show Lldp Config

    • detail - Shows configuration summary. • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) Command Mode Privileged Exec 4-303...
  • Page 640 Command Line Interface Example Console#show lldp config LLDP Global Configuation LLDP Enable : Yes LLDP Transmit interval : 30 LLDP Hold Time Multiplier LLDP Delay Interval LLDP Reinit Delay LLDP Notification Interval : 5 LLDP MED fast start counts : 4 LLDP Port Configuration Interface |AdminStatus NotificationEnabled --------- + ----------- -------------------...
  • Page 641: Show Lldp Info Local-Device

    • detail - Shows detailed information. • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) Command Mode Privileged Exec Example...
  • Page 642: Show Lldp Info Remote-Device

    • detail - Shows detailed information. • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) Command Mode Privileged Exec Example...
  • Page 643: Show Lldp Info Statistics

    • detail - Shows detailed information. • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) Command Mode Privileged Exec Example...
  • Page 644: Class Of Service Commands

    Command Line Interface Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 645: Switchport Priority Default

    Class of Service Commands Command Mode Global Configuration Command Usage • Strict priority requires all traffic in a higher priority queue to be processed before lower priority queues are serviced. • WRR uses a relative weight for each queue which determines the number of packets the switch transmits every time it services a queue before moving on to the next queue.
  • Page 646: Queue Cos-Map

    Command Line Interface • This switch provides eight priority queues for each port. It is configured to use Weighted Round Robin, which can be viewed with the show queue bandwidth command. Inbound frames that do not have VLAN tags are tagged with the input port’s default ingress user priority, and then placed in the appropriate priority queue at the output port.
  • Page 647: Show Queue Mode

    Class of Service Commands Command Usage • CoS values assigned at the ingress port are also used at the egress port. • This command sets the CoS priority for all interfaces. Example The following example shows how to change the CoS assignments: Console(config)#interface ethernet 1/1 Console(config-if)#queue cos-map 0 0 Console(config-if)#queue cos-map 1 1...
  • Page 648: Show Queue Cos-Map

    Syntax show queue cos-map [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) Default Setting None Command Mode Privileged Exec...
  • Page 649: Priority Commands (Layer 3 And 4)

    Class of Service Commands Priority Commands (Layer 3 and 4) This section describes commands used to configure Layer 3 and Layer 4 traffic priority on the switch. Table 4-83 Priority Commands (Layer 3 and 4) Command Function Mode Page map ip dscp Enables IP DSCP class of service mapping 4-313 map ip dscp...
  • Page 650: Table 4-84 Ip Dscp To Cos Values

    Command Line Interface Default Setting The DSCP default values are defined in the following table. Note that all the DSCP values that are not specified are mapped to CoS value 0. Table 4-84 IP DSCP to CoS Values IP DSCP Value CoS Value 10, 12, 14, 16 18, 20, 22, 24...
  • Page 651: Show Map Ip Dscp

    [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) Default Setting None Command Mode Privileged Exec...
  • Page 652: Quality Of Service Commands

    Command Line Interface Quality of Service Commands The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
  • Page 653: Class-Map

    Quality of Service Commands Notes: 1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map. You should create a Class Map (page 4-317) before creating a Policy Map (page 4-319). Otherwise, you will not be able to specify a Class Map with the class command (page 4-319) after entering Policy-Map Configuration mode.
  • Page 654: Match

    Command Line Interface match This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria. Syntax [no] match {access-list acl-name | ip dscp dscp | ip precedence ip-precedence | vlan vlan} • acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs.
  • Page 655: Policy-Map

    Quality of Service Commands policy-map This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map and return to Global configuration mode. Syntax [no] policy-map policy-map-name policy-map-name - Name of the policy map.
  • Page 656: Set

    Command Line Interface Command Mode Policy Map Configuration Command Usage • Use the policy-map command to specify a policy map and enter Policy Map configuration mode. Then use the class command to enter Policy Map Class configuration mode. And finally, use the set and police commands to specify the match criteria, where the: - set command classifies the service that an IP packet will receive.
  • Page 657: Police

    Quality of Service Commands average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets. Console(config)#policy-map rd_policy Console(config-pmap)#class rd_class Console(config-pmap-c)#set ip dscp 3 Console(config-pmap-c)#police 100000 1522 exceed-action drop Console(config-pmap-c)# police This command defines a policer for classified traffic. Use the no form to remove a policer.
  • Page 658: Service-Policy

    Command Line Interface service-policy This command applies a policy map defined by the policy-map command to the ingress queue of a particular interface. Use the no form to remove the policy map from this interface. Syntax [no] service-policy input policy-map-name •...
  • Page 659: Show Policy-Map

    This command displays the service policy assigned to the specified interface. Syntax show policy-map interface interface input interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) 4-323...
  • Page 660: Multicast Filtering Commands

    Command Line Interface Command Mode Privileged Exec Example Console#show policy-map interface ethernet 1/5 Service-policy rd_policy input Console# Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only.
  • Page 661: Ip Igmp Snooping

    • ip-address - IP address for multicast group • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) Default Setting None Command Mode...
  • Page 662: Ip Igmp Snooping Version

    Command Line Interface ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default. Syntax ip igmp snooping version {1 | 2 | 3} no ip igmp snooping version • 1 - IGMP Version 1 •...
  • Page 663: Ip Igmp Snooping Immediate-Leave

    Multicast Filtering Commands Command Usage • The IGMP snooping leave-proxy feature suppresses all unnecessary IGMP leave messages so that the non-querier switch forwards an IGMP leave packet only when the last dynamic member port leaves a multicast group. • The leave-proxy feature does not function when a switch is set as the querier. Example Console(config)#ip igmp snooping leave-proxy Console(config)#...
  • Page 664: Show Ip Igmp Snooping

    Command Line Interface show ip igmp snooping This command shows the IGMP snooping configuration. Default Setting None Command Mode Privileged Exec Command Usage See “Configuring IGMP Snooping and Query Parameters” on page 3-253 for a description of the displayed items. Example The following shows the current IGMP snooping configuration: Console#show ip igmp snooping...
  • Page 665: Igmp Query Commands (Layer 2)

    Multicast Filtering Commands Example The following shows the multicast entries learned through IGMP snooping for VLAN 1: Console#show mac-address-table multicast vlan 1 igmp-snooping VLAN M'cast IP addr. Member ports Type ---- --------------- ------------ ------- 224.1.2.3 Eth1/11 IGMP Console# IGMP Query Commands (Layer 2) This section describes commands used to configure Layer 2 IGMP query on the switch.
  • Page 666: Ip Igmp Snooping Query-Count

    Command Line Interface Example Console(config)#ip igmp snooping querier Console(config)# ip igmp snooping query-count This command configures the query count. Use the no form to restore the default. Syntax ip igmp snooping query-count count no ip igmp snooping query-count count - The maximum number of queries issued for which there has been no response before the switch takes action to drop a client from the multicast group.
  • Page 667: Ip Igmp Snooping Query-Max-Response-Time

    Multicast Filtering Commands Default Setting 125 seconds Command Mode Global Configuration Example The following shows how to configure the query interval to 100 seconds: Console(config)#ip igmp snooping query-interval 100 Console(config)# ip igmp snooping query-max-response-time This command configures the query report delay. Use the no form to restore the default.
  • Page 668: Ip Igmp Snooping Router-Port-Expire-Time

    Command Line Interface ip igmp snooping router-port-expire-time This command configures the query timeout. Use the no form to restore the default. Syntax ip igmp snooping router-port-expire-time seconds no ip igmp snooping router-port-expire-time seconds - The time the switch waits after the previous querier stops before it considers the router port (i.e., the interface which had been receiving query packets) to have expired.
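    The four timers above (query-count, query-interval, query-max-response-time, router-port-expire-time) together with immediate-leave and leave-proxy decide how long a port keeps receiving a group after its host goes silent or leaves. That window matters in practice: a port whose host has stopped reporting (or on which a report was spoofed) still receives the stream until the switch prunes it. The following added example, which is an illustration and not switch firmware, works the timing out from the manual's semantics: the port is dropped after query-count consecutive general queries go unanswered and the max-response window after the last of them has elapsed. The 125 s query interval is the page's default; the other numeric defaults (robustness 2, max response 10 s, last-member query interval 1 s) are RFC 2236 defaults and are assumptions here, as are the function names.

```python
"""Stale-membership window of an IGMP snooping port, expressed with the
manual's query-count, query-interval, query-max-response-time and
immediate-leave settings.  Added illustration, not switch code.
Assumed defaults other than the 125 s query interval come from RFC 2236."""
from typing import Iterable, List


def answered(query: float, reports: Iterable[float], max_response: float) -> bool:
    """A membership report inside the max-response window after a general
    query counts as an answer to that query."""
    return any(query <= r <= query + max_response for r in reports)


def prune_time(reports: Iterable[float], query_count: int = 2,
               query_interval: float = 125.0, max_response: float = 10.0,
               first_query: float = 0.0) -> float:
    """Time at which the switch drops the port from the group: query_count
    consecutive general queries without a report, then max_response more
    seconds after the last of those queries (the 'query-count' semantics)."""
    reports = sorted(reports)
    unanswered, q = 0, first_query
    while True:                       # terminates: the report list is finite
        if answered(q, reports, max_response):
            unanswered = 0
        else:
            unanswered += 1
            if unanswered == query_count:
                return q + max_response
        q += query_interval


def membership_interval(query_count: int = 2, query_interval: float = 125.0,
                        max_response: float = 10.0) -> float:
    """RFC 2236 Group Membership Interval: the same bound measured from the
    last report instead of from the query schedule."""
    return query_count * query_interval + max_response


def leave_latency(immediate_leave: bool, query_count: int = 2,
                  last_member_query_interval: float = 1.0) -> float:
    """Delay between a Leave and the prune: zero with immediate-leave,
    otherwise query_count group-specific queries spaced at the (assumed,
    RFC 2236) last-member query interval."""
    return 0.0 if immediate_leave else query_count * last_member_query_interval


def demo() -> List[str]:
    """Constructed scenario: a host reports at t=5 s and t=130 s, then goes
    silent.  Shows how the manual's knobs move the prune point."""
    reports = [5.0, 130.0]
    return [
        f"defaults:            pruned at {prune_time(reports):.0f} s",
        f"query-count 1:       pruned at {prune_time(reports, query_count=1):.0f} s",
        f"query-interval 60:   pruned at {prune_time(reports, query_interval=60.0):.0f} s",
        f"RFC GMI bound:       {membership_interval():.0f} s after last report",
        f"leave, immediate:    {leave_latency(True):.0f} s",
        f"leave, no immediate: {leave_latency(False):.0f} s",
    ]


if __name__ == "__main__":
    print("\n".join(demo()))
```

    Lowering query-count or query-interval, or enabling immediate-leave, shortens the window in which a silent port still receives traffic, at the cost of pruning a host that merely missed a query; router-port-expire-time bounds the analogous window for a router port that has stopped sending queries.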
  • Page 669: Ip Igmp Snooping Vlan Mrouter

    • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) Default Setting No static multicast router ports are configured. Command Mode...
  • Page 670: Igmp Filtering And Throttling Commands

    Command Line Interface Command Mode Privileged Exec Command Usage Multicast router port types displayed include Static. Example The following shows that port 11 in VLAN 1 is attached to a multicast router: Console#show ip igmp snooping mrouter vlan 1 VLAN M'cast Router Ports Type ---- ------------------- ------- Eth 1/11 Static...
  • Page 671: Ip Igmp Filter (Global Configuration)

    Multicast Filtering Commands ip igmp filter (Global Configuration) This command globally enables IGMP filtering and throttling on the switch. Use the no form to disable the feature. Syntax [no] ip igmp filter Default Setting Disabled Command Mode Global Configuration Command Usage •...
  • Page 672: Permit, Deny

    Command Line Interface Command Usage A profile defines the multicast groups that a subscriber is permitted or denied to join. The same profile can be applied to many interfaces, but only one profile can be assigned to one interface. Each profile has only one access mode;...
  • Page 673: Ip Igmp Filter (Interface Configuration)

    Multicast Filtering Commands Command Mode IGMP Profile Configuration Command Usage Enter this command multiple times to specify more than one multicast address or address range for a profile. Example Console(config)#ip igmp profile 19 Console(config-igmp-profile)#range 239.1.1.1 Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100 Console(config-igmp-profile)# ip igmp filter (Interface Configuration) This command assigns an IGMP filtering profile to an interface on the switch.
  • Page 674: Ip Igmp Max-Groups

    Command Line Interface ip igmp max-groups This command sets the IGMP throttling number for an interface on the switch. Use the no form to restore the default setting. Syntax ip igmp max-groups number no ip igmp max-groups number - The maximum number of multicast groups an interface can join at the same time.
  • Page 675: Show Ip Igmp Filter

    [interface interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) Default Setting None Command Mode Privileged Exec...
  • Page 676: Show Ip Igmp Profile

    [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays all interfaces.
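    The profile and throttling commands above describe a two-stage decision for every IGMP join seen on a port: the interface's profile (one access mode, any number of ranges) permits or denies the group, and then ip igmp max-groups caps how many groups the port may hold at once, with the action reported as "Action : Deny" in show ip igmp throttle. The following added example, an illustration rather than firmware code, models that decision and replays the manual's profile 19 (239.1.1.1 and 239.2.3.1 to 239.2.3.100) against a port throttled to two groups. The Profile, Port and handle_join names are hypothetical; the "replace" action, modelled as evicting the oldest group, is an assumption not shown on the page.

```python
"""IGMP filter profiles and per-port throttling, modelled after the manual's
'ip igmp profile' / 'range' / 'permit' / 'deny' / 'ip igmp filter' /
'ip igmp max-groups' commands.  Added illustration, not switch firmware.
Assumption: a 'replace' action evicts the oldest learned group."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Profile:
    number: int
    mode: str                                    # one access mode per profile
    ranges: List[Tuple[int, int]] = field(default_factory=list)

    def add_range(self, low: str, high: Optional[str] = None) -> None:
        """'range LOW [HIGH]': a single group or an inclusive range."""
        lo = int(ipaddress.IPv4Address(low))
        hi = int(ipaddress.IPv4Address(high or low))
        if hi < lo:
            raise ValueError("range end precedes range start")
        self.ranges.append((lo, hi))

    def listed(self, group: str) -> bool:
        g = int(ipaddress.IPv4Address(group))
        return any(lo <= g <= hi for lo, hi in self.ranges)

    def allows(self, group: str) -> bool:
        # permit: only listed groups may be joined; deny: everything except them
        return self.listed(group) if self.mode == "permit" else not self.listed(group)


@dataclass
class Port:
    name: str
    profile: Optional[Profile] = None            # 'ip igmp filter N' on the interface
    max_groups: Optional[int] = None             # 'ip igmp max-groups N'
    action: str = "deny"                         # as shown by 'show ip igmp throttle'
    groups: List[str] = field(default_factory=list)


def handle_join(port: Port, group: str, filtering_enabled: bool = True) -> Tuple[bool, str]:
    """Decide whether an IGMP membership report for GROUP on PORT is honoured."""
    if not ipaddress.IPv4Address(group).is_multicast:
        return False, "not a multicast address"
    if not filtering_enabled:                    # global 'ip igmp filter' is off
        if group not in port.groups:
            port.groups.append(group)
        return True, "filtering disabled"
    if port.profile is not None and not port.profile.allows(group):
        return False, f"denied by profile {port.profile.number}"
    if group in port.groups:
        return True, "already a member"
    if port.max_groups is not None and len(port.groups) >= port.max_groups:
        if port.action == "deny":
            return False, "throttled: max-groups reached"
        evicted = port.groups.pop(0)             # assumed 'replace' behaviour
        port.groups.append(group)
        return True, f"throttled: replaced {evicted}"
    port.groups.append(group)
    return True, "joined"


def demo() -> List[Tuple[str, bool, str]]:
    """Replays the manual's profile 19 on a port throttled to two groups."""
    p19 = Profile(19, "permit")
    p19.add_range("239.1.1.1")
    p19.add_range("239.2.3.1", "239.2.3.100")
    eth = Port("eth1/1", profile=p19, max_groups=2, action="deny")
    results = []
    for g in ["239.2.3.50", "239.2.3.101", "239.1.1.1", "239.2.3.7", "224.0.1.1"]:
        ok, why = handle_join(eth, g)
        results.append((g, ok, why))
    return results


if __name__ == "__main__":
    for group, ok, why in demo():
        print(f"{group:<14} {'join' if ok else 'drop':<5} {why}")
```

    The profile check runs before the throttle check, so a denied group never consumes one of the port's slots; a profile in deny mode with no ranges allows everything, which is worth verifying with show ip igmp profile before trusting a filter.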
  • Page 677: Multicast Vlan Registration Commands

    Multicast Filtering Commands Example Console#show ip igmp throttle interface ethernet 1/1 1/1 Information Status : TRUE Action : Deny Max Multicast Groups : 32 Current Multicast Groups : 0 Console# Multicast VLAN Registration Commands This section describes commands used to configure Multicast VLAN Registration (MVR).
  • Page 678 Command Line Interface Default Setting • MVR is disabled. • No MVR group address is defined. • The default number of contiguous addresses is 0. • MVR VLAN ID is 1. Command Mode Global Configuration Command Usage • Use the mvr group command to statically configure all multicast group addresses that will join the MVR VLAN.
  • Page 679: Mvr (Interface Configuration)

    Multicast Filtering Commands mvr (Interface Configuration) This command configures an interface as an MVR receiver or source port using the type keyword, enables immediate leave capability using the immediate keyword, or configures an interface as a static member of the MVR VLAN using the group keyword.
  • Page 680: Show Mvr

    • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) • ip-address - IP address for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.255)
  • Page 681: Table 4-92 Show Mvr - Display Description

    Multicast Filtering Commands Default Setting Displays global configuration settings for MVR when no keywords are used. Command Mode Privileged Exec Command Usage Enter this command without any keywords to display the global settings for MVR. Use the interface keyword to display information about interfaces attached to the MVR VLAN.
  • Page 682: Table 4-94 Show Mvr Members - Display Description

    Command Line Interface Table 4-93 show mvr interface - display description (Continued) Field Description Status Shows the MVR status and interface status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch. MVR status for receiver ports is “ACTIVE”...
  • Page 683: Ip Interface Commands

    IP Interface Commands IP Interface Commands An IP address may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on. An address learned that way is only as trustworthy as the server that answers the broadcast request, so a statically configured management address is preferable where untrusted hosts can reach the management VLAN.
  • Page 684: Ip Default-Gateway

    Command Line Interface • If you select the bootp or dhcp option, IP is enabled but will not function until a BOOTP or DHCP reply has been received. Requests will be broadcast periodically by this device in an effort to learn its IP address. (BOOTP and DHCP values can include the IP address, default gateway, and subnet mask).
  • Page 685: Ip Dhcp Restart

    IP Interface Commands Related Commands show ip redirects (4-350) ip dhcp restart This command submits a BOOTP or DHCP client request. Default Setting None Command Mode Privileged Exec Command Usage • This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command.
  • Page 686: Show Ip Redirects

    Command Line Interface Related Commands show ip redirects (4-350) show ip redirects This command shows the default gateway configured for this device. Default Setting None Command Mode Privileged Exec Example Console#show ip redirects IP default gateway 10.1.0.254 Console# Related Commands ip default-gateway (4-348) ping This command sends ICMP echo request packets to another node on the network.
  • Page 687 IP Interface Commands - Network or host unreachable - The gateway found no corresponding entry in the route table. • Press <Esc> to stop pinging. Example Console#ping 10.1.0.9 Type ESC to abort. PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds response time: 10 ms response time: 10 ms response time: 10 ms...
  • Page 689: Appendix A: Software Specifications

    Appendix A: Software Specifications Software Features Management Authentication Local, RADIUS, TACACS, Port Authentication (802.1X), MAC Authentication, Web Authentication, HTTPS, SSH General Security Measures Access Control Lists (IP, MAC - 100 rules), Port Authentication (802.1X), Port Security, DHCP Snooping (with Option 82 relay information), IP Source Guard Power over Ethernet DHCP Client Port Configuration...
  • Page 690: Management Features

    Software Specifications Multicast Filtering IGMP Snooping (Layer 2) Multicast VLAN Registration Quality of Service DiffServ supports class maps, policy maps, and service policies Additional Features BOOTP client Link Layer Discovery Protocol SNTP (Simple Network Time Protocol) SNMP (Simple Network Management Protocol) RMON (Remote Monitoring, groups 1,2,3,9) SMTP Email Alerts DHCP Snooping...
  • Page 691: Management Information Bases

    Management Information Bases IEEE 802.3ac VLAN tagging IEEE 802.3af-2003 Power over Ethernet (PoE) DHCP Client (RFC 2131) DHCP Options (RFC 2132) HTTPS IGMPv1 (RFC 1112) IGMPv2 (RFC 2236) IGMPv3 (RFC 3376) - partial support RADIUS+ (RFC 2618) RMON (RFC 1757 groups 1,2,3,9) SNMP (RFC 1157) SNMPv2c (RFC 1901) SNMPv3 (RFC DRAFT 2273, 2576, 3410, 3411, 3413, 3414, 3415)
  • Page 692 Software Specifications SNMP Target MIB, SNMP Notification MIB (RFC 3413) SNMP User-Based SM MIB (RFC 3414) SNMP View Based ACM MIB (RFC 3415) TACACS+ Authentication Client MIB TCP MIB (RFC 2012) Trap (RFC 1215) UDP MIB (RFC 2013)
  • Page 693: Appendix B: Troubleshooting

    Appendix B: Troubleshooting Problems Accessing the Management Interface Table B-1 Troubleshooting Chart
    Symptom: Cannot connect using Telnet, web browser, or SNMP software.
    Action: • Be sure the switch is powered up. • Check network cabling between the management station and the switch. •...
  • Page 694: Using System Logs

    Troubleshooting Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
  • Page 695: Glossary

    Glossary Access Control List (ACL) ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Boot Protocol (BOOTP) BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device's system files, and the name of the boot file.
  • Page 696 Glossary packets sent back from the DHCP server. This information can be used by DHCP servers to assign fixed IP addresses, or set other services or policies for clients. Extensible Authentication Protocol over LAN (EAPOL) EAPOL is a client authentication protocol used by this switch to verify the network access rights for any device that is plugged into the switch.
  • Page 697 Glossary IEEE 802.1s An IEEE standard for the Multiple Spanning Tree Protocol (MSTP) which provides independent spanning trees for VLAN groups. IEEE 802.1X Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for authentication. IEEE 802.3ac Defines frame extensions for VLAN tagging.
  • Page 698 Glossary Layer 2 Data Link layer in the ISO 7-Layer Data Communications Protocol. This is related directly to the hardware interface for network devices and passes on traffic based on MAC addresses. Link Aggregation See Port Trunk. Link Aggregation Control Protocol (LACP) Allows ports to automatically negotiate a trunked link with LACP-configured ports on another device.
  • Page 699 Glossary the size of each region, and prevents VLAN members from being segmented from the rest of the group. Network Time Protocol (NTP) NTP provides the mechanisms to synchronize time across the network. The time servers operate in a hierarchical-master-slave configuration in order to synchronize local clocks within the subnet and to national time standards via wire or radio.
  • Page 700 Glossary traffic shaping. These features effectively provide preferential treatment to specific flows either by raising the priority of one flow or limiting the priority of another flow. Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central RADIUS server to control access to RADIUS-compliant devices on the network.
  • Page 701 Glossary Terminal Access Controller Access Control System Plus (TACACS+) is a logon authentication protocol that uses software running on a central TACACS+ server to control access to TACACS-compliant devices on the network. Transmission Control Protocol/Internet Protocol (TCP/IP) Protocol suite that includes TCP as the primary transport protocol, and IP as the network layer protocol.
  • Page 703: Index

    Index Extended IP 3-109, 4-176, 4-179 Numerics MAC 3-109, 4-182, 4-183–4-185 802.1Q tunnel 3-200, 4-263 Standard IP 3-109, 4-176, 4-178 configuration, guidelines 3-203, address table 3-162, 4-222 4-263 aging time 3-164, 4-225 configuration, limitations 3-203 authentication description 3-200 MAC 3-107, 4-150 ethernet type 3-204, 4-265 MAC address authentication 3-102, interface configuration 3-204, 3-205,...
  • Page 704 Index dynamic VLAN assignment 3-102, configuring 3-230, 4-308 3-104, 4-153 DSCP 3-237, 4-313 layer 3/4 priorities 3-235, 4-313 queue mapping 3-232, 4-310 edge port, STA 3-177, 3-180, 4-239 queue mode 3-234, 4-308 encryption traffic class weights 3-234 DSA 3-82, 3-84, 4-132 RSA 3-82, 3-84, 4-132 engine ID 3-46, 4-93 debug commands 4-80...
  • Page 705 Index IGMP host, generating 3-82, 4-132 filter profiles, configuration 3-262, 4-336 filtering, enabling 3-261 LACP filtering/throttling 3-260, 4-335 group attributes, configuring 3-141, filtering/throttling, configuring 4-207 profile 4-337 group members, configuring 3-138, filtering/throttling, creating 4-205, 4-206, 4-208 profile 4-336 local parameters 3-143, 4-209 filtering/throttling, enabling 3-260, partner parameters 3-145, 4-209 4-336...
  • Page 706 Index TLV, port description 3-220, 4-294 media-type 3-132, 4-193 TLV, system capabilities 3-220, mirror port, configuring 3-151, 4-219 4-295 MSTP 3-181–3-186, 4-228 TLV, system description 3-220, configuring 3-181, 4-233–4-236 4-295 global settings 3-181, 4-226 TLV, system name 3-220, 4-296 global settings, configuring 3-171, LLDP-MED 3-217 4-228 notification, status 3-221, 4-293...
  • Page 707 Index priority, default port ingress 3-231, 4-309 packet filtering 3-108, 4-176 private key 3-79, 4-127 password, changing privilege private VLANs, configuring 3-209, mode 4-102 3-210, 4-271 password, line 4-42 private VLANs, displaying 3-209, passwords 2-4, 3-58 4-262 administrator setting 3-58, 4-101 problems, troubleshooting B-1 path cost 3-168, 3-176 promiscuous ports 3-209, 4-271...
  • Page 708 Index global settings, displaying 3-168, link type 3-177, 3-180, 4-241 4-246 loopback detection 3-167, 4-242 interface settings, configuring 3-178, path cost 3-168, 3-176, 4-237 4-236–4-243 path cost method 3-173, 4-232 interface settings, displaying 3-175, port priority 3-177, 4-238 4-246 port/trunk loopback detection 3-167, 4-242 protocol migration 3-180, 4-245 transmission limit 3-173, 4-232...
  • Page 709 Index trap manager 2-7, 3-43, 4-90 protocol 3-214, 4-276, 4-277 troubleshooting B-1 protocol, binding to interfaces 3-216, trunk 4-277 configuration 3-134, 4-202 protocol, configuring groups 3-215, LACP 3-136, 4-204 4-277 static 3-135, 4-203 voice 3-246, 4-279 Type Length Value See also voice VLAN 3-246, 4-279 LLDP-MED TLV voice VLANs 3-246, 4-279...