Page 3
COPYRIGHT This manual is proprietary to SAMSUNG Electronics Co., Ltd. and is protected by copyright. No information contained herein may be copied, translated, transcribed or duplicated for any commercial purposes or disclosed to third parties in any form without the prior written consent of SAMSUNG Electronics Co., Ltd.
This section summarizes the changes in each revision of this guide. August 2008 Revision This is the third revision of this guide. It combines information for the Ubigate iES4028F, iES4028FP and iES4024GP. This guide is valid for software release v1.1.0.14. Other than...
Page 6
This was the second revision of this guide. It combines information for the Ubigate iES4028F and iES4028FP. This guide is valid for software release v1.1.0.13. Other than the addition of information about the iES4028F, it also includes the following updated and additional information in the indicated tables or sections: •...
Page 7
• Command Usage and Command Attributes under “Configuring the DHCP Snooping Information Option” on page 3-118. • Command Usage under “Configuring Ports for DHCP Snooping” on page 3-120. • Command Usage under “IP Source Guard” on page 3-123. • Command Usage under “Configuring Static Binding for IP Source Guard” on page 3-125.
Page 8
• Command Usage and Command Attributes under “Configuring MVR Interface Status” on page 3-270. • Command Usage under “Switch Clustering” on page 3-273. • Introduction under “UPnP” on page 3-277. • Command Usage under “jumbo frame” on page 4-33. • Command Usage under “copy”...
Page 9
• “spanning-tree port-bpdu-flooding” on page 4-240. • Syntax and Default Setting under “spanning-tree mst cost” on page 4-244. • Syntax for “switchport mode” on page 4-257. • Removed note under “switchport ingress-filtering” on page 4-258. • Removed note under “switchport allowed vlan” on page 4-260. •...
Contents Chapter 1: Introduction Key Features Description of Software Features System Defaults Chapter 2: Initial Configuration Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Setting an IP Address Manual Configuration Dynamic Configuration Enabling SNMP Management Access Community Strings (for SNMP version 1 and 2c clients) Trap Receivers...
Page 12
Contents Managing Firmware 3-21 Downloading System Software from a Server 3-22 Saving or Restoring Configuration Settings 3-23 Downloading Configuration Settings from a Server 3-24 Console Port Settings 3-25 Telnet Settings 3-27 Configuring Event Logging 3-29 System Log Configuration 3-29 Remote Log Configuration 3-30 Displaying Log Messages 3-32...
Page 13
Contents Configuring HTTPS 3-77 Replacing the Default Secure-site Certificate 3-78 Configuring the Secure Shell 3-79 Generating the Host Key Pair 3-82 Importing User Public Keys 3-84 Configuring the SSH Server 3-86 Configuring 802.1X Port Authentication 3-88 Displaying 802.1X Global Settings 3-89 Configuring 802.1X Global Settings 3-90...
Page 14
Contents Creating Trunk Groups 3-134 Statically Configuring a Trunk 3-135 Enabling LACP on Selected Ports 3-136 Configuring Parameters for LACP Group Members 3-138 Configuring Parameters for LACP Groups 3-141 Displaying LACP Port Counters 3-142 Displaying LACP Settings and Status for the Local Side 3-143 Displaying LACP Settings and Status for the Remote Side 3-145...
Page 16
Contents Displaying Port Members of Multicast Services 3-258 Assigning Ports to Multicast Services 3-259 IGMP Filtering and Throttling 3-260 Enabling IGMP Filtering 3-261 Configuring IGMP Filter Profiles 3-262 Configuring IGMP Filtering and Throttling for Interfaces 3-263 Multicast VLAN Registration 3-265 Configuring Global MVR Settings 3-266 Displaying MVR Interface Status...
Page 17
Contents reload 4-13 show reload 4-14 prompt 4-14 4-15 exit 4-15 quit 4-16 System Management Commands 4-16 Device Designation Commands 4-17 hostname 4-17 Banner Information Commands 4-18 banner configure 4-18 banner configure company 4-19 banner configure dc-power-info 4-20 banner configure department 4-21 banner configure equipment-info 4-21...
Page 18
Contents databits 4-46 parity 4-46 speed 4-47 stopbits 4-47 disconnect 4-48 show line 4-48 Event Logging Commands 4-49 logging on 4-49 logging history 4-50 logging host 4-51 logging facility 4-51 logging trap 4-52 clear log 4-53 show logging 4-53 show log 4-55 SMTP Alert Commands 4-56...
Page 19
Contents rcommand 4-76 show cluster 4-76 show cluster members 4-77 show cluster candidates 4-77 UPnP Commands 4-77 upnp device 4-78 upnp device ttl 4-78 upnp device advertise duration 4-79 show upnp 4-79 Debug Commands 4-80 debug dot1x 4-80 debug radius 4-82 debug tacacs 4-84...
Page 20
Contents TACACS+ Client 4-109 tacacs-server host 4-110 tacacs-server port 4-110 tacacs-server key 4-111 tacacs-server retransmit 4-111 tacacs-server timeout 4-112 show tacacs-server 4-113 AAA Commands 4-114 aaa group server 4-114 server 4-115 aaa accounting dot1x 4-116 aaa accounting exec 4-117 aaa accounting commands 4-118 aaa accounting update 4-119...
Page 21
Contents dot1x re-authenticate 4-140 dot1x re-authentication 4-140 dot1x timeout quiet-period 4-141 dot1x timeout re-authperiod 4-141 dot1x timeout tx-period 4-142 dot1x intrusion-action 4-142 show dot1x 4-143 Management IP Filter Commands 4-146 management 4-146 show management 4-147 General Security Measures 4-148 Port Security Commands 4-149 port security 4-149...
Page 22
Contents show ip dhcp snooping 4-171 show ip dhcp snooping binding 4-171 IP Source Guard Commands 4-172 ip source-guard 4-172 ip source-guard binding 4-174 show ip source-guard 4-175 show ip source-guard binding 4-175 Access Control List Commands 4-176 IP ACLs 4-176 access-list ip 4-177...
Page 23
Contents lacp port-priority 4-208 lacp active/passive 4-209 show lacp 4-209 Power over Ethernet Commands 4-213 power mainpower maximum allocation 4-214 power inline compatible 4-214 power inline 4-215 power inline maximum allocation 4-216 power inline priority 4-216 show power inline status 4-217 show power mainpower 4-218...
Page 26
Contents lldp medtlv med-cap 4-302 lldp medtlv network-policy 4-302 show lldp config 4-303 show lldp info local-device 4-305 show lldp info remote-device 4-306 show lldp info statistics 4-307 Class of Service Commands 4-308 Priority Commands (Layer 2) 4-308 queue mode 4-308 switchport priority default 4-309...
Page 27
Contents Static Multicast Routing Commands 4-333 ip igmp snooping vlan mrouter 4-334 show ip igmp snooping mrouter 4-334 IGMP Filtering and Throttling Commands 4-335 ip igmp filter (Global Configuration) 4-336 ip igmp profile 4-336 permit, deny 4-337 range 4-337 ip igmp filter (Interface Configuration) 4-338 ip igmp max-groups 4-339...
Page 28
Contents This page is intentionally left blank. xxviii...
Page 29
Tables Table 1-1 Differences in Switch Models Table 1-2 Key Features Table 1-3 System Defaults Table 3-1 Configuration Options Table 3-2 Main Menu Table 3-3 Logging Levels 3-29 Table 3-5 Supported Notification Messages 3-52 Table 3-6 HTTPS System Support 3-77 Table 3-7 802.1X Statistics 3-93...
Page 35
Figures Figure 3-1 Port Multicast Control 3-149 Figure 3-2 Port Unknown Unicast Control 3-150 Figure 3-88 Mirror Port Configuration 3-151 Figure 3-89 Input Rate Limit Port Configuration 3-152 Figure 3-90 Port Statistics 3-156 Figure 3-91 Displaying the Global PoE Status 3-158 Figure 3-92 Setting the Switch Power Budget...
IEEE 802.3af Power-over-Ethernet (PoE) standard that enables DC power to be supplied to attached devices over the connecting Ethernet cable. This guide describes device management for the Ubigate iES4028F, iES4028FP, and iES4024GP. The only significant differences between these switches are listed in the following table.
Introduction Key Features Table 1-2 Key Features Feature Description Power over Ethernet Powers attached devices using IEEE 802.3af Power over Ethernet (PoE) Configuration Backup and Backup to TFTP server Restore Authentication and Console, Telnet, web – User name / password, RADIUS, TACACS+ Security Measures AAA –...
Description of Software Features Table 1-2 Key Features (Continued) Feature Description Tunneling Supports tunneling with IEEE 802.1Q tunneling (QinQ) Switch Clustering Supports up to 36 Member switches in a cluster Description of Software Features This switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation.
Page 40
Ethernet size and have been verified for accuracy with the cyclic redundancy check (CRC). This prevents bad frames from entering the network and wasting bandwidth. To avoid dropping frames on congested ports, the iES4028F/iES4028FP provide 1 Mbits and the iES4024GP provides 1.5 Mbits for frame buffering. This buffer can...
Page 41
Description of Software Features Spanning Tree Algorithm – This switch supports these spanning tree protocols: Spanning Tree Protocol (STP, IEEE 802.1D) – This protocol provides loop detection and recovery by allowing two or more redundant connections to be created between a pair of LAN segments.
Page 42
Introduction This switch also supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic can be prioritized based on the DSCP field in the IP frame. When these services are enabled, the priorities are mapped to a Class of Service value by this switch, and the traffic then sent to the corresponding output queue.
System Defaults System Defaults The system defaults for this switch are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-23). The following table lists some of the basic system defaults. Table 1-3 System Defaults Function Parameter...
Page 44
Introduction Table 1-3 System Defaults (Continued) Function Parameter Default SNMP SNMP Agent Enabled Community Strings “public” (read only) “private” (read/write) Traps Authentication traps: enabled Link-up-down events: enabled SNMP V3 View: defaultview Group: public (read only); private (read/write) Port Configuration Admin Status Enabled Auto-negotiation Enabled...
Page 45
System Defaults Table 1-3 System Defaults (Continued) Function Parameter Default IP Settings IP Address DHCP assigned Subnet Mask 255.255.255.0 Default Gateway 0.0.0.0 DHCP Client: Enabled BOOTP Disabled Multicast Filtering IGMP Snooping Snooping: Enabled Querier: Disabled Multicast VLAN Registration Disabled System Log Status Enabled Messages Logged...
Page 46
Introduction This page is intentionally left blank. 1-10...
Chapter 2: Initial Configuration Connecting to the Switch Configuration Options These switches include a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON (Groups 1, 2, 3, 9) and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
Initial Configuration • Configure up to 8 static or LACP trunks • Enable port mirroring • Set broadcast storm control on any port • Display system information and statistics Required Connections The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch.
Basic Configuration Remote Connections Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address”...
Console(config)#username admin password 0 [password] Console(config)# * This manual covers both the Ubigate iES4028F, iES4028FP and iES4024GP switches. Other than the differences listed in Table 1-1, “Differences in Switch Models,” on page 1-1, there are no other significant differences. Therefore all of the screen display examples are based on the iES4024GP.
Basic Configuration Manual Configuration You can manually assign an IP address to the switch. You may also need to specify a default gateway that resides between this device and management stations that exist on another network segment. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods.
Initial Configuration To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete the following steps: From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>. At the interface-configuration mode prompt, use one of the following commands: •...
Basic Configuration Community Strings (for SNMP version 1 and 2c clients) Community strings are used to control management access to SNMP version 1 and 2c stations, as well as to authorize SNMP stations to receive trap messages from the switch. You therefore need to assign community strings to specified users, and set the access level.
Initial Configuration see “snmp-server host” on page 4-90. The following example creates a trap host for each type of SNMP client. Console(config)#snmp-server host 10.1.19.23 batman 4-90 Console(config)#snmp-server host 10.1.19.98 robin version 2c Console(config)#snmp-server host 10.1.19.34 barbie version 3 auth Console(config)# Configuring Access for SNMP Version 3 Clients To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view...
Managing System Files • Operation Code — System software that is executed after boot-up, also known as run-time or firmware code. This code runs the switch operations and provides the CLI and web management interfaces. See “Managing Firmware” on page 3-21 for more information.
Initial Configuration To save the current configuration settings, enter the following command: From the Privileged Exec mode prompt, type “copy running-config startup-config” and press <Enter>. Enter the name of the start-up file. Press <Enter>. Console#copy running-config startup-config Startup configuration file name []: startup \Write to FLASH Programming.
Chapter 3: Configuring the Switch Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, Netscape 6.2 or above, or Mozilla Firefox 2.0.0.0 or above).
Note: The examples in this chapter are based on the Ubigate iES4024GP. The key differences between the Ubigate iES4028F, iES4028FP and iES4024GP are described in Table 1-1 on page 1-1. The panel graphics for the various switch types are shown on the following page.
Active (i.e., up or down), Duplex (i.e., half or full duplex, or Flow Control (i.e., with or without flow control). Clicking on the image of a port opens the Port Configuration page as described on page 3-130. iES4028F iES4028FP iES4024GP...
Configuring the Switch Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 3-2 Main Menu Menu Description Page...
Main Menu Table 3-2 Main Menu (Continued) Menu Description Page SNMPv3 3-46 Engine ID Sets the SNMP v3 engine ID on this switch 3-46 Remote Engine ID Sets the SNMP v3 engine ID for a remote device 3-47 Users Configures SNMP v3 users on this switch 3-48 Remote Users Configures SNMP v3 users from a remote device...
Page 62
Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page Port Security Configures per port security, including status, response for 3-97 security breach, and maximum allowed MAC addresses 802.1X 3-88 Information Displays global configuration settings for 802.1X Port 3-90 authentication Configuration Configures the global configuration settings...
Page 63
Main Menu Table 3-2 Main Menu (Continued) Menu Description Page Port Counters Information Displays statistics for LACP protocol messages 3-142 Port Internal Information Displays settings and operational state for the local side 3-143 Port Neighbors Information Displays settings and operational state for the remote side 3-145 Port Broadcast Control Sets the broadcast storm threshold for each port...
Page 64
Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page Trunk Information Displays individual trunk settings for STA 3-175 Port Configuration Configures individual port settings for STA 3-178 Trunk Configuration Configures individual trunk settings for STA 3-178 MSTP 3-181 VLAN Configuration Configures priority and VLANs for a spanning tree instance 3-181...
Page 65
Main Menu Table 3-2 Main Menu (Continued) Menu Description Page Association Each community VLAN must be associated with a primary VLAN 3-211 Port Information Shows VLAN port type, and associated primary or secondary 3-212 VLANs Port Configuration Sets the private VLAN interface type, and associates the 3-213 interfaces with a private VLAN Trunk Information...
Page 66
Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page 3-238 DiffServ 3-238 Class Map Sets Class Maps 3-239 Policy Map Sets Policy Maps 3-242 Service Policy Defines service policy settings for ports 3-245 VoIP Traffic Setting 3-246 Configuration VoIP Traffic Setting Configuration 3-246 Port Configuration...
Page 67
Main Menu Table 3-2 Main Menu (Continued) Menu Description Page Trunk Configuration Configures MVR interface type and immediate leave status 3-270 Group Member Configuration Statically assigns MVR multicast streams to an interface 3-271 DHCP Snooping 3-116 Configuration Enables DHCP Snooping and DHCP Snooping MAC-Address 3-117 Verification VLAN Configuration...
Configuring the Switch Basic Configuration This section describes the basic functions required to set up management access to the switch, display or upgrade operating software, or reset the system. Displaying System Information You can easily identify the system by displaying the device name, location and contact information.
UART Loopback Test ... PASS POE UART Loopback Test ..PASS DRAM Test ....PASS Switch Int Loopback Test ..PASS Done All Pass. Console# * The iES4028F, iES4028FP, iES4024GP MIB Object Identifiers are 1.3.6.1.4.1.236.4.1.12.1.102, 1.3.6.1.4.1.236.4.1.12.1.101, and 1.3.6.1.4.1.236.4.1.12.1.103 respectively. 3-13...
Configuring the Switch Displaying Switch Hardware/Software Versions Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. Field Attributes Main Board • Serial Number – The serial number of the switch. •...
Page 71
Basic Configuration CLI – Use the following command to display version information. Console#show version 4-32 Unit 1 Serial Number: A622016032 Hardware Version: EPLD Version: 0.02 Number of Ports: Main Power Status: Redundant Power Status: Not present Agent (Master) Unit ID: Loader Version: 1.0.0.1 Boot ROM Version:...
Configuring the Switch Displaying Bridge Extension Capabilities The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables. Field Attributes • Extended Multicast Filtering Services – This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
Basic Configuration CLI – Enter the following command. Console#show bridge-ext 4-250 Max support VLAN numbers: Max support VLAN ID: 4094 Extended multicast filtering services: No Static entry individual port: VLAN learning: Configurable PVID tagging: Local VLAN capable: Traffic classes: Enabled Global GVRP status: Disabled GMRP:...
Configuring the Switch Manual Configuration Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply. Figure 3-6 Manual IP Configuration CLI –...
Basic Configuration Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services. Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes.
Configuring the Switch Web – If the address assigned by DHCP is no longer functioning, you will not be able to renew the IP settings via the web interface. You can only restart DHCP service via the web interface if the current address is still available. CLI –...
Two copies of runtime code can be stored in the file directory on the iES4028F. This allows this switch to be set to use new firmware without overwriting the previous version.
Configuring the Switch Downloading System Software from a Server When downloading runtime code, the new operation code file will overwrite the existing file. Versions of the code prior to 1.1.0.10 require the operation code file being transferred to have the same destination file name as the existing code file for the transfer to succeed.
Basic Configuration CLI – To download new firmware from a TFTP server, enter the IP address of the TFTP server, select “opcode” as the file type, then enter the source and destination file names. When the file has finished downloading, and then restart the switch for the new code to take effect.
Configuring the Switch Downloading Configuration Settings from a Server You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it.
Basic Configuration CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch. Console#copy tftp startup-config 4-35 TFTP server ip address: 192.168.1.19 Source configuration file name: config-1 Startup configuration file name [] : startup \Write to FLASH Programming.
Configuring the Switch • Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive (from terminal). Set the speed to match the baud rate of the device connected to the serial port. (Range: 9600, 19200, or 38400 baud; Default: 9600 baud) •...
Basic Configuration CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level. Console(config)#line console 4-41 Console(config-line)#login local 4-41 Console(config-line)#password 0 secret 4-42...
Configuring the Switch • Password – Specifies a password for the line connection. When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. (Default: No password) •...
Basic Configuration Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displays a list of recent event messages. System Log Configuration The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
Configuring the Switch Web – Click System, Log, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and flash memory, then click Apply. Figure 3-15 System Logs CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory.
Basic Configuration Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove. Figure 3-16 Remote Logs CLI –...
Configuring the Switch Displaying Log Messages The Logs page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.
Basic Configuration configured email recipients. For example, using Level 7 will report all events from level 7 to level 0. (Default: Level 7) • SMTP Server List – Specifies a list of up to three recipient SMTP servers. The switch attempts to connect to the other listed servers if the first fails. Use the New SMTP Server text field and the Add/Remove buttons to configure the list.
Configuring the Switch CLI – Enter the host ip address, followed by the mail severity level, source and destination email addresses and enter the sendmail command to complete the action. Use the show logging command to display SMTP information. Console(config)#logging sendmail host 192.168.1.4 4-56 Console(config)#logging sendmail level 3 4-57...
Basic Configuration Web – Click System, Reset. Enter the amount of time the switch should wait before rebooting. Click the Reset button to reboot the switch or click the Cancel button to cancel a configured reset. If prompted, confirm that you want reset the switch or cancel a configured reset.
Configuring the Switch Setting the Time Manually You can set the system time on the switch manually without using SNTP. CLI – This example sets the system clock time and then displays the current time and date Console#calendar set 17 46 00 october 18 2008 4-72 Console#show calendar 4-72...
Basic Configuration CLI – This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings. Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 4-61 Console(config)#sntp poll 60 4-61 Console(config)#sntp client 4-60 Console(config)#exit Console#show sntp Current time: 6 14:56:05 2004 Poll interval: 60...
Configuring the Switch Web – Select SNTP, Configuration. Modify any of the required NTP parameters, and click Apply. Figure 3-21 NTP Client Configuration CLI – This example configures the switch to operate as an NTP client and then displays the current settings. Console(config)#ntp authentication-key 19 md5 thisiskey19 4-65 Console(config)#ntp authentication-key 30 md5 ntpkey30...
Basic Configuration Setting the Time Zone SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
Configuring the Switch Simple Network Management Protocol SNMP is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.
Simple Network Management Protocol Table 3-4 SNMPv3 Security Models and Levels Model Level Group Read View Write View Notify View Security noAuthNoPriv public defaultview none none Community string only (read only) noAuthNoPriv private defaultview defaultview none Community string only (read/write) noAuthNoPriv user defined user defined user defined user defined Community string only noAuthNoPriv public defaultview...
Configuring the Switch Setting Community Access Strings You may configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. All community strings used for IP Trap Managers should be listed in this table. For security reasons, you should consider removing the default strings.
Simple Network Management Protocol Specifying Trap Managers and Trap Types Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as HP OpenView).
Page 100
Configuring the Switch top of the SNMP Configuration page (for Version 1 or 2c clients), or define a corresponding “User Name” in the SNMPv3 Users page (for Version 3 clients). (Range: 1-32 characters, case sensitive) • Trap UDP Port – Specifies the UDP port number used by the trap manager. (Default: 162) •...
Simple Network Management Protocol Web – Click SNMP, Configuration. Enter the IP address and community string for each management station that will receive trap messages, specify the UDP port, trap version, trap security level (for v3 clients), trap inform settings (for v2c/v3 clients), and then click Add.
Configuring the Switch Configuring SNMPv3 Management Access To configure SNMPv3 management access to the switch, follow these steps: 1. If you want to change the default engine ID, it must be changed first before configuring other parameters. 2. Specify read and write access views for the switch MIB tree. 3.
Simple Network Management Protocol Specifying a Remote Engine ID To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.
Configuring the Switch Configuring SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view. Command Attributes •...
Simple Network Management Protocol Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
Configuring the Switch Configuring Remote SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view. To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
Simple Network Management Protocol Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
Configuring the Switch Configuring SNMPv3 Groups An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views. Command Attributes •...
Page 109
Simple Network Management Protocol Table 3-5 Supported Notification Messages (Continued) Object Label Object ID Description 1.3.6.1.6.3.1.1.5.3 A linkDown trap signifies that the SNMP linkDown entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state (but not from the notPresent state).
* These are legacy notifications and therefore must be enabled in conjunction with the corresponding traps on the SNMP Configuration menu. † The MIB Object Identifiers for the iES4028F, iES4028FP, and iES4024GP are 1.3.6.1.4.1.236.4.1.12.1.102, 1.3.6.1.4.1.236.4.1.12.1.101, and 1.3.6.1.4.1.236.4.1.12.1.103 respectively. Just note that the iES4028F does not support PoE and therefore does not include these private traps.
Simple Network Management Protocol CLI – Use the snmp-server group command to configure a new group, specifying the security model and level, and restricting MIB access to defined read and write views. Console(config)#snmp-server group secure-users v3 priv read defaultview write defaultview notify defaultview 4-96 Console(config)#exit Console#show snmp group...
Configuring the Switch Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view. Click Back to save the new view and return to the SNMPv3 Views list.
User Authentication CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included 4-94 Console(config)#exit Console#show snmp view 4-95 View Name: ifEntry.a Subtree OID: 1.3.6.1.2.1.2.2.1.1.*...
Configuring the Switch Configuring User Accounts The guest only has read access for most configuration parameters. However, the administrator has write access for all parameters governing the onboard agent. You should therefore assign a new administrator password as soon as possible, and store it in a safe place.
User Authentication Web – Click Security, User Accounts. To configure a new user account, specify a user name, select the user’s access level, then enter a password and confirm it. Click Add to save the new user account and add it to the Account List. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply.
Page 116
Configuring the Switch multiple user name/password pairs with associated privilege levels for each user that requires management access to the switch. RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
Page 117
User Authentication - Accounting Port Number – UDP port on authentication server used for accounting messages. (Range: 1-65535; Default: 1813) - Number of Server Transmits – Number of times the switch tries to authenticate logon access via the authentication server. (Range: 1-30; Default: 2) - Timeout for a reply –...
Configuring the Switch Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply. Figure 3-33 Authentication Settings 3-62...
Configuring the Switch Console#configure Console(config)#authentication login tacacs 4-103 Console(config)#tacacs-server 1 host 10.20.30.40 4-110 Console(config)#tacacs-server port 200 4-110 Console(config)#tacacs-server retransmit 5 4-111 Console(config)#tacacs-server timeout 10 4-112 Console(config)#tacacs-server key green 4-111 Console#show tacacs-server 4-113 Remote TACACS+ server configuration: Global Settings: Server Port Number: Retransmit Times Request Times Server 1:...
User Authentication - Confirm Secret Text String – Re-type the string entered in the previous field to ensure no errors were made. The switch will not change the encryption key if these two fields do not match. - Change – Clicking this button adds or modifies the selected encryption key. Web –...
Configuring the Switch • Accounting for users that access management interfaces on the switch through the console and Telnet. • Accounting for commands that users enter at specific CLI privilege levels. • Authorization of users that access management interfaces on the switch through the console and Telnet.
User Authentication CLI – Specify the group name for a list of RADIUS servers, and then specify the index number of a RADIUS server to add it to the group. Console(config)#aaa group server radius tps 4-114 Console(config-sg-radius)#server 1 4-115 Console(config-sg-radius)#server 2 4-115 Console(config-sg-radius)# Configuring AAA TACACS+ Group Settings...
Configuring the Switch The method name is only used to describe the accounting method(s) configured on the specified accounting servers, and do not actually send any information to the servers about the methods to use. • Service Request – Specifies the service as either 802.1X (user accounting) or Exec (administrative accounting for local console, Telnet, or SSH connections).
User Authentication CLI – Specify the accounting method required, followed by the chosen parameters. Console(config)#aaa accounting dot1x tps start-stop group radius 4-116 Console(config)# AAA Accounting Update This feature sets the interval at which accounting updates are sent to accounting servers. Command Attributes Periodic Update - Specifies the interval at which the local accounting service updates information to the accounting server.
Configuring the Switch AAA Accounting 802.1X Port Settings This feature applies the specified accounting method to an interface. Command Attributes • Port/Trunk - Specifies a port or trunk number. • Method Name - Specifies a user defined method name to apply to the interface. This method must be defined in the AAA Accounting Settings menu (page 3-66).
User Authentication AAA Accounting Exec Command Privileges This feature specifies a method name to apply to commands entered at specific CLI privilege levels. Command Attributes • Commands Privilege Level - The CLI privilege levels (0-15). • Console/Telnet - Specifies a user-defined method name to apply to commands entered at the specified CLI privilege level.
Configuring the Switch AAA Accounting Exec Settings This feature specifies a method name to apply to console and Telnet connections. Command Attributes Method Name - Specifies a user defined method name to apply to console and Telnet connections. Web – Click Security, AAA, Accounting, Exec Settings. Enter a defined method name for console and Telnet connections, and click Apply.
User Authentication Web – Click Security, AAA, Summary. Figure 3-42 AAA Accounting Summary CLI – Use the following command to display the currently applied accounting methods, and registered users. Console#show accounting 4-122 Accounting Type : dot1x Method List : default Group List : radius Interface...
Configuring the Switch Console#show accounting statistics Total entries: 3 Acconting type : dot1x Username : testpc Interface : eth 1/1 Time elapsed since connected: 00:24:44 Acconting type : exec Username : admin Interface : vty 0 Time elapsed since connected: 00:25:09 Console# Authorization Settings AAA authorization is a feature that verifies a user has access to specific services.
User Authentication Authorization EXEC Settings This feature specifies an authorization method name to apply to console and Telnet connections. Command Attributes Method Name - Specifies a user-defined method name to apply to console and Telnet connections. Web – Click Security, AAA, Authorization, Exec Settings. Enter a defined method name for console and Telnet connections, and click Apply.
Configuring the Switch Authorization Summary The Authorization Summary displays the configured authorization methods and the interfaces to which they are applied. Command Attributes • Accounting Type - Displays the accounting service. • Method List - Displays the user-defined or default authorization method. •...
User Authentication Configuring HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Command Usage • Both the HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure both services to use the same UDP port.
Configuring the Switch Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply. Figure 3-46 HTTPS Settings CLI – This example enables the HTTP secure server and modifies the port number. Console(config)#ip http secure-server 4-124 Console(config)#ip http secure-port 443 4-125...
User Authentication • Private Password – Password stored in the private key file. This password is used to verify authorization for certificate use, and is verified when downloading the certificate to the switch. Web – Click Security, HTTPS Settings. Fill in the TFTP server, certificate and private file name details, then click Copy Certificate.
Page 136
Configuring the Switch Notes: 1. You need to install an SSH client on the management station to access the switch for management via the SSH protocol. The switch supports both SSH Version 1.5 and 2.0 clients. Command Usage The SSH server on this switch supports both password and public key authentication.
Page 137
User Authentication 6. Authentication – One of the following authentication methods is employed: Password Authentication (for SSH v1.5 or V2 Clients) a. The client sends its password to the server. b. The switch compares the client's password to those stored in memory. c.
Configuring the Switch Generating the Host Key Pair A host public/private key pair is used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the proceeding section (Command Usage).
User Authentication Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate. Figure 3-48 SSH Host-Key Settings CLI –...
Configuring the Switch Importing User Public Keys A user’s Public Key must be uploaded to the switch in order for the user to be able to log in using the public key authentication mechanism. If the user’s public key does not exist on the switch, SSH will revert to the interactive password authentication mechanism to complete authentication.
User Authentication Web – Click Security, SSH, SSH User Public-Key Settings. Select the user name and the public-key type from the respective drop-down boxes, input the TFTP server IP address and the public key source file name, and then click Copy Public Key. Figure 3-49 SSH User Public-Key Settings 3-85...
Configuring the Switch CLI – This example imports an SSHv2 DSA public key for the user admin and then displays admin’s imported public keys. Note that public key authentication through SSH is only supported for users configured locally on the switch. Console#copy tftp public-key 4-35 TFTP server IP address: 192.168.1.254...
User Authentication • SSH Authentication Retries – Specifies the number of authentication attempts that a client is allowed before authentication fails and the client has to restart the authentication process. (Range: 1-5 times; Default: 3) • SSH Server-Key Size – Specifies the SSH server key size. (Range: 512-896 bits;...
Configuring the Switch Configuring 802.1X Port Authentication Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data.
User Authentication • Each switch port that will be used must be set to dot1X “Auto” mode. • Each client that needs to be authenticated must have dot1X client software installed and properly configured. • The RADIUS server and 802.1X client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.) •...
Configuring the Switch Configuring 802.1X Global Settings The 802.1X protocol provides port-based client authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active. Command Attributes 802.1X System Authentication Control – Sets the global setting for 802.1X. (Default: Disabled) Web –...
User Authentication • Re-authentication – Sets the client to be re-authenticated after the interval specified by the Re-authentication Period. Re-authentication can be used to detect if a new device is plugged into a switch port. (Default: Disabled) • Max-Request – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session.
Page 148
Configuring the Switch CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 4-143. Console(config)#interface ethernet 1/2 4-188 Console(config-if)#dot1x port-control auto 4-138 Console(config-if)#dot1x re-authentication 4-140 Console(config-if)#dot1x max-req 5 4-138...
User Authentication Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port. Table 3-7 802.1X Statistics Parameter Description Rx EAPOL Start The number of EAPOL Start frames that have been received by this Authenticator. Rx EAPOL Logoff The number of EAPOL Logoff frames that have been received by this Authenticator.
Configuring the Switch Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics. Figure 3-54 Displaying 802.1X Port Statistics CLI – This example displays the 802.1X statistics for port 4. Console#show dot1x statistics interface ethernet 1/4 4-143 Eth 1/4...
User Authentication • IP address can be configured for SNMP, web and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges. • When entering addresses for the same group (i.e., SNMP, web or Telnet), the switch will not accept overlapping address ranges.
Configuring the Switch CLI – This example allows SNMP access for a specific client. Console(config)#management snmp-client 10.1.2.3 4-146 Console(config)#end Console#show management all-client Management IP Filter HTTP-Client: Start IP address End IP address ----------------------------------------------- SNMP-Client: Start IP address End IP address ----------------------------------------------- 1.
General Security Measures • IP Source Guard – Filters untrusted DHCP messages on unsecure ports by building and maintaining a DHCP snooping binding table. (See “IP Source Guard” on page 3-123.) Note: The priority of execution for the filtering commands is Port Security, Port Authentication, Network Access, Web Authentication, Access Control Lists, IP Source Guard, and then DHCP Snooping.
Configuring the Switch • Security Status – Enables or disables port security on the port. (Default: Disabled) • Max MAC Count – The maximum number of MAC addresses that can be learned on a port. (Range: 0 - 1024, where 0 means disabled) •...
General Security Measures Configuring Web Authentication Web authentication is configured on a per-port basis, however there are four configurable parameters that apply globally to all ports on the switch. Command Attributes • System Authentication Control – Enables Web Authentication for the switch. (Default: Disabled) •...
Configuring the Switch Configuring Web Authentication for Ports Web authentication is configured on a per-port basis. The following parameters are associated with each port. Command Attributes • Port – Indicates the port being configured • Status – Configures the web authentication status for the port. •...
General Security Measures Displaying Web Authentication Port Information This switch can display web authentication information for all ports and connected hosts. Command Attributes • Interface – Indicates the ethernet port to query. • IP Address – Indicates the IP address of each connected host. •...
Configuring the Switch Web – Click Security, Web Authentication, Re-authentication. Figure 3-60 Web Authentication Port Re-authentication CLI – This example forces the re-authentication of all hosts connected to port 1/5. Console#web-auth re-authenticate interface ethernet 1/5 4-162 Console# Network Access MAC Address Authentication) Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations.
General Security Measures • Configured static MAC addresses are added to the secure address table when seen on a switch port. Static addresses are treated as authenticated without sending a request to a RADIUS server. • When port status changes to down, all MAC addresses are cleared from the secure MAC address table.
Configuring the Switch CLI – This example sets and displays the reauthentication time. Console(config)#mac-authentication reauth-time 3000 4-155 Console(config)#network-access aging 4-151 Console(config)#exit Console#show network-access interface ethernet 1/1 4-157 Global secure port information Reauthentication Time : 3000 -------------------------------------------------- -------------------------------------------------- Port : 1/1 MAC Authentication : Disabled MAC Authentication Intrusion action...
General Security Measures Note: MAC authentication cannot be configured on trunk ports. Ports configured as trunk members are indicated on the Network Access Port Configuration page in the “Trunk” column. Web – Click Security, Network Access, Port Configuration. Figure 3-62 Network Access Port Configuration CLI –...
Configuring the Switch Displaying Secure MAC Address Information Authenticated MAC addresses are stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected entries removed from the table. Command Attributes • Network Access MAC Address Count – The number of MAC addresses currently in the secure MAC address table.
General Security Measures CLI – This example displays all entries currently in the secure MAC address table. Console#show network-access mac-address-table 4-158 ---- ----------------- --------------- --------- ------------------------- Port MAC-Address RADIUS-Server Attribute Time ---- ----------------- --------------- --------- ------------------------- 00-00-01-02-03-04 172.155.120.17 Static 00d06h32m50s 00-00-01-02-03-05 172.155.120.17 Dynamic 00d06h33m20s...
Configuring the Switch Web – Click Security, MAC Authentication. Modify the Maximum MAC Count and Intrusion Action. Click Apply. Figure 3-64 MAC Authentication Port Configuration CLI – This example configures the maximum MAC count to 32 and sets the intrusion action to block all traffic for port 1.
General Security Measures The order in which active ACLs are checked is as follows: 1. User-defined rules in the Ingress MAC ACL for ingress ports. 2. User-defined rules in the Ingress IP ACL for ingress ports. 3. Explicit default rule (permit any any) in the ingress MAC ACL for ingress ports. 4.
Configuring the Switch Configuring a Standard IP ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Address Type – Specifies the source IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP” to specify a range of addresses with the Address and SubMask fields.
General Security Measures Configuring an Extended IP ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source/Destination Address Type – Specifies the source or destination IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP”...
Configuring the Switch Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range.
General Security Measures Configuring a MAC ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bitmask fields.
Configuring the Switch Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range.
Command Attributes • Port – Fixed port or SFP module. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • IP – Specifies the IP ACL to bind to a port. • MAC – Specifies the MAC ACL to bind to a port.
Configuring the Switch DHCP Snooping The addresses assigned to DHCP clients on unsecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard). DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server.
General Security Measures - If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN. - If a DHCP packet is from server is received on a trusted port, it will be forwarded to both trusted and untrusted ports in the same VLAN.
Configuring the Switch Configuring VLANs for DHCP Snooping Use the DHCP Snooping VLAN Configuration page to enable or disable DHCP snooping on specific VLANs. Command Usage • When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN.
General Security Measures Command Usage • DHCP Snooping (see page 3-117) must be enabled for Option 82 information to be inserted into request packets. • When Option 82 is enabled, the requesting client (or an intermediate relay agent that has used the information fields to describe itself) can be identified in the DHCP request packets forwarded by the switch and in reply packets sent back from the DHCP server.
Configuring the Switch CLI – This example enables DHCP Snooping Information Option, and sets the policy as replace Console(config)#ip dhcp snooping information option 4-169 Console(config)#ip dhcp snooping information policy replace 4-170 Console(config)#exit Console#show ip dhcp snooping 4-171 Global DHCP Snooping status: disable DHCP Snooping Information Option Status: disable DHCP Snooping Information Policy: replace DHCP Snooping is configured on the following VLANs:...
General Security Measures Command Attributes • Trust Status – Enables or disables port as trusted. Web – Click DHCP Snooping, Information Option Configuration. Figure 3-73 DHCP Snooping Port Configuration CLI – This example shows how to enable the DHCP Snooping Trust Status for ports Console(config)#interface ethernet 1/5 Console(config-if)#ip dhcp snooping trust 4-167...
Configuring the Switch Displaying DHCP Snooping Binding Information Binding table entries can be displayed on the Binding Information page. Command Attributes • Store DHCP snooping binding entries to flash. – Writes all dynamically learned snooping entries to flash memory. This function can be used to store the currently learned dynamic DHCP snooping entries to flash memory.
General Security Measures IP Source Guard IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping” on page 3-116).
Configuring the Switch Command Attributes • Filter Type – Configures the switch to filter inbound traffic based source IP address, or source IP address and corresponding MAC address. (Default: None) • None – Disables IP source guard filtering on the port. •...
• Current Static Binding Table – The list of current static entries in the table. • Port – The port to which a static entry is bound. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • VLAN ID – ID of a configured VLAN (Range: 1-4094) •...
Configuring the Switch Web – Click IP Source Guard, Static Configuration. Select the VLAN and port to which the entry will be bound, enter the MAC address and associated IP address, then click Add. Figure 3-76 Static IP Source Guard Binding Configuration CLI –...
General Security Measures Web – Click IP Source Guard, Dynamic Information. Figure 3-77 Dynamic IP Source Guard Binding Information CLI – This example shows how to configure a static source-guard binding on port 5 4-175 Console#show ip source-guard binding MacAddress IpAddress Lease(sec) Type VLAN Interface...
Configuring the Switch Port Configuration Displaying Connection Status You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. Field Attributes (Web) • Name – Interface label. •...
Page 185
(Display options: shutdown, trap, trap-and-shutdown, or none) • Media Type – Shows the forced or preferred port type to use for combination ports 25-28 on iES4028F, 27-28 on iES4028FP, and 23-24 on iES4024GP. (Display options: copper forced, SFP forced, SFP preferred auto) •...
Configuring the Switch Current Status: • Link Status – Indicates if the link is up or down. • Port Operation Status – Provides detailed information on port state. (Displayed only when the link is up.) • Operation Speed-duplex – Shows the current speed and duplex mode. •...
Page 187
Port Configuration trunk. If not used, the success of the link process cannot be guaranteed when connecting to other types of switches. However, this switch does provide a means of safely forcing a link to operate at 1000 Mbps, full-duplex using the Giga Phy Mode attribute described below.
1000BASE-SX/LX/LH – 1000full) • Media Type – Configures the forced/preferred port type to use for the combination ports. (Ports 25-28 on iES4028F, 27-28 on iES4028FP, and 23-24 on iES4024GP) - Copper-Forced - Always uses the built-in RJ-45 port. - SFP-Forced - Always uses the SFP port (even if module is not installed).
Page 189
Port Configuration CLI – Select the interface, and then enter the required settings. Console(config)#interface ethernet 1/13 4-188 Console(config-if)#description RD SW#13 4-189 Console(config-if)#shutdown 4-195 Console(config-if)#no shutdown Console(config-if)#no negotiation 4-190 Console(config-if)#speed-duplex 100half 4-189 Console(config-if)#flowcontrol 4-192 Console(config-if)#negotiation Console(config-if)#capabilities 100half 4-191 Console(config-if)#capabilities 100full Console(config-if)#capabilities flowcontrol Console(config-if)# 3-133...
Configuring the Switch Creating Trunk Groups You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices.
- Trunk – Trunk identifier. (Range: 1-8) - Port – Port identifier. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) Web – Click Port, Trunk Membership. Enter a trunk ID of 1-8 in the Trunk field, select any of the switch ports from the scroll-down port list, and click Add. After you have completed adding ports to the member list, click Apply.
Configuring the Switch CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk. Console(config)#interface port-channel 2 4-188 Console(config-if)#exit Console(config)#interface ethernet 1/1 4-188 Console(config-if)#channel-group 2 4-203 Console(config-if)#exit...
• New – Includes entry fields for creating new trunks. - Port – Port identifier. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add. After you have completed adding ports to the member list, click Apply.
Configuring the Switch CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk. Console(config)#interface ethernet 1/1 4-188 Console(config-if)#lacp 4-204 Console(config-if)#exit Console(config)#interface ethernet 1/6 Console(config-if)#lacp Console(config-if)#end Console#show interfaces status port-channel 1...
Page 195
• Port – Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • System Priority – LACP system priority is used to determine link aggregation group (LAG) membership, and to identify this device to other switches during LAG negotiations.
Configuring the Switch Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.
Port Configuration CLI – The following example configures LACP parameters for ports 1-4. Ports 1-4 are used as active members of the LAG. Console(config)#interface ethernet 1/1 4-188 Console(config-if)#lacp actor system-priority 3 4-205 Console(config-if)#lacp actor admin-key 120 4-206 Console(config-if)#lacp actor port-priority 128 4-208 Console(config-if)#exit Console(config)#interface ethernet 1/4...
Configuring the Switch Web – Click Port, LACP, Aggregator. Set the Admin Key for the required LACP group, and click Apply. Figure 3-83 LACP Aggregation Group Configuration CLI – The following example sets the LACP admin key for port channel 1. Console(config)#interface port-channel 1 4-188 Console(config-if)#lacp actor admin-key 3...
Port Configuration Web – Click Port, LACP, Port Counters Information. Select a member port to display the corresponding information. Figure 3-84 LACP - Port Counters Information CLI – The following example displays LACP counters. Console#show lacp counters 4-209 Port channel : 1 ------------------------------------------------------------------------- Eth 1/ 1 -------------------------------------------------------------------------...
Configuring the Switch Table 3-9 LACP Internal Configuration Information (Continued) Field Description Admin State, Administrative or operational values of the actor’s state parameters: Oper State • Expired – The actor’s receive machine is in the expired state; • Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.
Port Configuration CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1. Console#show lacp 1 internal 4-209 Port channel : 1 ------------------------------------------------------------------------- Oper Key : 120 Admin Key : 0 Eth 1/1 ------------------------------------------------------------------------- LACPDUs Internal:...
Configuring the Switch Web – Click Port, LACP, Port Neighbors Information. Select a port channel to display the corresponding information. Figure 3-86 LACP - Port Neighbors Information CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1. Console#show lacp 1 neighbors 4-209 Port channel 1 neighbors...
Command Attributes • Port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • Type – Indicates the port type. (100BASE-TX, 1000BASE-T, or 1000BASE-SFP) • Protect Status – Enables or disables broadcast storm control. (Default: Enabled) • Threshold – Threshold level as a rate; i.e., kilobits per second.
Configuring the Switch Web – Click Port, Port/Trunk Broadcast Control. Set the threshold and mark the Enabled field for the required interface, then click Apply. Figure 3-87 Port Broadcast Control CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 500 kilobits per second for port 2.
Command Attributes • Port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • Type – Indicates the port type. (1000BASE-T or 1000BASE-SFP) • Protect Status – Enables or disables multicast storm control. (Default: Disabled) • Threshold – Threshold as percentage of port bandwidth. (Range: 64-100000 kilobits per second for Fast Ethernet ports;...
Command Attributes • Port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • Type – Indicates the port type. (1000BASE-T or 1000BASE-SFP) • Protect Status – Enables or disables unknown unicast storm control. (Default: Disabled) •...
• Mirror Sessions – Displays a list of current mirror sessions. • Source Port – The port whose traffic will be monitored. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • Type – Allows you to select which traffic to mirror to the target port, Rx (receive), Tx (transmit), or Both.
Configuring the Switch Configuring Rate Limits This function allows the network manager to control the maximum rate for traffic received on a port or transmitted from a port. Rate limiting is configured on ports at the edge of a network to limit traffic into or out of the switch. Packets that exceed the acceptable amount of traffic are dropped.
Port Configuration Showing Port Statistics You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port.
Page 210
Configuring the Switch Table 3-11 Port Statistics (Continued) Parameter Description Transmit Discarded Packets The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space.
Page 211
Port Configuration Table 3-11 Port Statistics (Continued) Parameter Description Received Frames The total number of frames (bad, broadcast and multicast) received. Broadcast Frames The total number of good frames received that were directed to the broadcast address. Note that this does not include multicast packets. Multicast Frames The total number of good frames received that were directed to this multicast address.
Configuring the Switch Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen. Figure 3-90 Port Statistics 3-156...
Configuring the Switch Switch Power Status Use the Main Power Status page to display the Power over Ethernet settings for the switch. Command Attributes • Maximum Available Power – The configured power budget for the switch. • System Operation Status – The PoE power service provided to the switch ports. •...
Power Over Ethernet Settings Setting a Switch Power Budget A maximum PoE power budget for the switch (power available to all switch ports) can be defined so that power can be centrally managed, preventing overload conditions at the power source. If the power demand from devices connected to the switch exceeds the power budget setting, the switch uses port power priority settings to limit the supplied power.
Configuring the Switch Web – Click PoE, Power Port Status. Figure 3-93 Displaying Port PoE Status CLI – This example displays the PoE status and priority of port 1. Console#show power inline status 4-217 Interface Admin Oper Power(mWatt) Power(used) Priority ---------- ------- ---- ------------ ------------ -------- 1/ 1 enable...
Power Over Ethernet Settings Command Attributes • Port – The port number on the switch. (Range: 1-24) • Admin Status – Enables PoE power on the port. Power is automatically supplied when a device is detected on the port, providing that the power demanded does not exceed the switch or port power budget.
Configuring the Switch Address Table Settings Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
Address Table Settings CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset. Console(config)#mac-address-table static 00-12-cf-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset 4-222 Console(config)# Displaying the Address Table The Dynamic Address Table contains the MAC addresses learned by monitoring the source address for traffic entering the switch.
Configuring the Switch CLI – This example also displays the address table entries for port 1. Console#show mac-address-table interface ethernet 1/1 4-224 Interface Mac Address Vlan Type --------- ----------------- ---- ----------------- Eth 1/ 1 00-12-CF-48-82-93 1 Delete-on-reset Eth 1/ 1 00-12-CF-94-34-DE 2 Learned Console# Changing the Aging Time...
Spanning Tree Algorithm Configuration Spanning Tree Algorithm Configuration The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
Page 222
Configuring the Switch MSTP – When using STP or RSTP, it may be difficult to maintain a stable path between all VLAN members. Frequent changes in the tree structure can easily isolate some of the group members. MSTP (which is based on RSTP for fast convergence) is designed to support independent spanning trees based on VLAN groups.
Field Attributes • Port – Indicates the interface to be configured. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • Status – Enables Loopback Detection on this interface. (Default: Enabled) • Trap – Enables SNMP trap notification for loopback events on this port.
Configuring the Switch CLI – This command enables loopback detection for port 1/5, configures automatic release-mode, and enables SNMP trap notification for detected loopback BPDU’s. Console(config)#interface ethernet 1/5 4-188 Console(config-if)#spanning-tree loopback-detection 4-242 Console(config-if)#spanning-tree loopback-detection release-mode auto4-242 Console(config-if)#spanning-tree loopback-detection trap 4-243 Displaying Global Settings You can display a summary of the current bridge STA information that applies to the entire switch using the STA Information screen.
Page 225
Spanning Tree Algorithm Configuration These additional parameters are only displayed for the CLI: • Spanning Tree Mode – Specifies the type of spanning tree used on this switch: - STP: Spanning Tree Protocol (IEEE 802.1D) - RSTP: Rapid Spanning Tree (IEEE 802.1w) - MSTP: Multiple Spanning Tree (IEEE 802.1s) •...
Configuring the Switch Web – Click Spanning Tree, STA, Information. Figure 3-99 Displaying Spanning Tree Information CLI – This command displays global STA settings, followed by settings for each port. Console#show spanning-tree 4-246 Spanning-tree information --------------------------------------------------------------- Spanning Tree Mode: RSTP Spanning Tree Enabled/Disabled: Enabled Instance:...
Spanning Tree Algorithm Configuration Configuring Global Settings Global settings apply to the entire switch. Command Usage • Spanning Tree Protocol Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
Page 228
Configuring the Switch • Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
Page 229
Spanning Tree Algorithm Configuration Configuration Settings for RSTP The following attributes apply to both RSTP and MSTP: • Path Cost Method – The path cost is used to determine the best path between devices. The path cost method is used to determine the range of values that can be assigned to each interface.
Configuring the Switch Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply. Figure 3-100 Configuring Spanning Tree 3-174...
Spanning Tree Algorithm Configuration CLI – This example enables Spanning Tree Protocol, sets the mode to MST, and then configures the STA and MSTP parameters. Console(config)#spanning-tree 4-227 Console(config)#spanning-tree mode mstp 4-228 Console(config)#spanning-tree priority 45056 4-231 Console(config)#spanning-tree hello-time 5 4-229 Console(config)#spanning-tree max-age 38 4-230 Console(config)#spanning-tree forward-time 20 4-229...
Page 232
Configuring the Switch • Designated Port – The port priority and number of the port on the designated bridging device through which this switch must communicate with the root of the Spanning Tree. • Oper Link Type – The operational point-to-point status of the LAN segment attached to this interface.
Spanning Tree Algorithm Configuration should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.) • Internal Admin Path Cost – The path cost for the MST. See the preceding item. •...
Spanning Tree Algorithm Configuration The following interface attributes can be configured: • Spanning Tree – Enables/disables STA on this interface. (Default: Enabled). • BPDU Flooding - Enables/disables the flooding of BPDUs to other ports when global spanning tree is disabled (page 3-171) or when spanning tree is disabled on specific port.
Configuring the Switch Table 3-13 Recommended STA Path Costs Port Type Link Type IEEE 802.1D-1998 IEEE 802.1w-2001 Fast Ethernet Half Duplex 200,000 Full Duplex 100,000 Trunk 50,000 Gigabit Ethernet Full Duplex 10,000 Trunk 5,000 Table 3-14 Default STA Path Costs Port Type Link Type IEEE 802.1w-2001...
Spanning Tree Algorithm Configuration Web – Click Spanning Tree, STA, Port Configuration or Trunk Configuration. Modify the required attributes, then click Apply. Figure 3-102 Configuring Spanning Tree per Port CLI – This example sets STA attributes for port 7. Console(config)#interface ethernet 1/7 4-188 Console(config-if)#no spanning-tree port-bpdu-flooding 4-240...
Configuring the Switch Note: All VLANs are automatically added to the IST (Instance 0). To ensure that the MSTI maintains connectivity across the network, you must configure a related set of bridges with the same MSTI settings. Command Attributes • MST Instance – Instance identifier of this spanning tree. (Default: 0) •...
Page 239
Spanning Tree Algorithm Configuration CLI – This example sets the priority for MSTI 1, and adds VLAN 1 to this MSTI. It then displays the STA settings for instance 1, followed by settings for each port. Console(config)#spanning-tree mst configuration 4-233 Console(config-mst)#mst 1 priority 4096 4-234 Console(config-mstp)#mst 1 vlan 1...
Configuring the Switch Displaying Interface Settings for MSTP The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance. Command Attributes • MST Instance ID – Instance identifier to configure. (Default: 0) Note: The other attributes are described under “Displaying Interface Settings”...
Page 241
Spanning Tree Algorithm Configuration CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST, the settings for other instances only apply to the local spanning tree. Console#show spanning-tree mst 0 4-246 Spanning Tree Information...
Configuring the Switch Configuring Interface Settings for MSTP You can configure the STA interface settings for an MST Instance using the MSTP Port Configuration and MSTP Trunk Configuration pages. Field Attributes The following attributes are read-only and cannot be changed: •...
VLAN Configuration Web – Click Spanning Tree, MSTP, Port Configuration or Trunk Configuration. Enter the priority and path cost for an interface, and click Apply. Figure 3-105 Displaying MSTP Interface Settings CLI – This example sets the MSTP attributes for port 4. Console(config)#interface ethernet 1/4 4-188 Console(config-if)#spanning-tree mst port-priority 0...
Configuring the Switch This switch supports the following VLAN features: • Up to 255 VLANs based on the IEEE 802.1Q standard • Distributed VLAN learning across multiple switches using explicit or implicit tagging and GVRP protocol • Port overlapping, allowing a port to participate in multiple VLANs •...
Page 245
VLAN Configuration Untagged VLANs – Untagged (or static) VLANs are typically used to reduce broadcast traffic and to increase security. A group of network users assigned to a VLAN form a broadcast domain that is separate from other VLANs configured on the switch.
Configuring the Switch Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
VLAN Configuration Displaying Basic VLAN Information The VLAN Basic Information page displays basic information on the VLAN type supported by the switch. Field Attributes • VLAN Version Number – The VLAN version used by this switch as specified in the IEEE 802.1Q standard. •...
Configuring the Switch Displaying Current VLANs The VLAN Current Table shows the current port members of each VLAN and whether or not the port supports VLAN tagging. Ports assigned to a large VLAN group that crosses several switches should use VLAN tagging. However, if you just want to create a small port-based VLAN for one or two switches, you can disable tagging.
VLAN Configuration • Name – Name of the VLAN (1 to 32 characters). • Status – Shows if this VLAN is enabled or disabled. - Active: VLAN is operational. - Suspend: VLAN is suspended; i.e., does not pass packets. • Ports / Channel groups – Shows the VLAN interface members. CLI –...
Configuring the Switch Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add. Figure 3-109 Configuring a VLAN Static List CLI –...
VLAN Configuration Adding Static Members to VLANs (VLAN Index) Use the VLAN Static Table to configure port members for the selected VLAN index. Assign ports as tagged if they are connected to 802.1Q VLAN compliant devices, or untagged they are not connected to any VLAN-aware devices. Or configure a port as forbidden to prevent the switch from automatically adding it to a VLAN via the GVRP protocol.
Configuring the Switch Web – Click VLAN, 802.1Q VLAN, Static Table. Select a VLAN ID from the scroll-down list. Modify the VLAN name and status if required. Select the membership type by marking the appropriate radio button in the list of ports or trunks.
VLAN Configuration Adding Static Members to VLANs (Port Index) Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member. Command Attributes • Interface – Port or trunk identifier. • Member – VLANs for which the selected interface is a tagged member. •...
Configuring the Switch Configuring VLAN Behavior for Interfaces You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers. Command Usage • GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
Page 255
VLAN Configuration • GARP Leave Timer – The interval a port waits before leaving a VLAN group. This time should be set to more than twice the join time. This ensures that after a Leave or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group.
Configuring the Switch Web – Click VLAN, 802.1Q VLAN, Port Configuration or Trunk Configuration. Fill in the required settings for each interface, click Apply. Figure 3-112 Configuring VLANs per Port CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid.
Page 257
VLAN Configuration QinQ tunneling uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs. QinQ tunneling expands VLAN space by using a VLAN-in-VLAN hierarchy, preserving the customer’s original tagged packets, and adding SPVLAN tags to each frame (also called double tagging).
Page 258
Configuring the Switch process transmits the packet. Packets entering a QinQ tunnel port are processed in the following manner: 1. New SPVLAN tags are added to all incoming packets, no matter how many tags they already have. The ingress process constructs and inserts the outer tag (SPVLAN) into the packet based on the default VLAN ID and Tag Protocol Identifier (TPID, that is, the ether-type of the tag).
Page 259
VLAN Configuration 4. After successful source and destination lookups, the packet is double tagged. The switch uses the TPID of 0x8100 to indicate that an incoming packet is double-tagged. If the outer tag of an incoming double-tagged packet is equal to the port TPID and the inner tag is 0x8100, it is treated as a double-tagged packet.
Configuring the Switch 5. Configure the QinQ tunnel access port to join the SPVLAN as an untagged member (see “Adding Static Members to VLANs (VLAN Index)” on page 3-195). 6. Configure the SPVLAN ID as the native VID on the QinQ tunnel access port (see “Configuring VLAN Behavior for Interfaces”...
VLAN Configuration CLI – This example sets the switch to operate in QinQ mode. 4-264 Console(config)#dot1q-tunnel system-tunnel-control 4-265 Console(config-if)#switchport dot1q-tunnel tpid 9100 Console(config)#exit 4-266 Console#show dot1q-tunnel Current double-tagged status of the system is Enabled The dot1q-tunnel mode of the set interface 1/1 is Access mode, TPID is 0x9100. The dot1q-tunnel mode of the set interface 1/2 is Uplink mode, TPID is 0x9100.
Configuring the Switch Web – Click VLAN, 802.1Q VLAN, 802.1Q Tunnel Configuration or Tunnel Trunk Configuration. Set the mode for a tunnel access port to 802.1Q Tunnel and a tunnel uplink port to 802.1Q Tunnel Uplink. Click Apply. Figure 3-114 Tunnel Port Configuration CLI –...
VLAN Configuration Configuring Global Settings for Traffic Segmentation Use the Traffic Segmentation Status page to enable traffic segmentation, and to block or forward traffic between uplink ports assigned to different client sessions. Command Attributes • Traffic Segmentation Status – Enables port-based traffic segmentation. (Default: Disabled) •...
Configuring the Switch Web – Click VLAN, Traffic Segmentation, Session Configuration. Set the session number, specify whether an uplink or downlink is to be used, select the interface, and click Apply. Figure 3-116 Traffic Segmentation Session Configuration CLI – This example enables traffic segmentation and allows traffic to be forwarded across the uplink ports assigned to different client sessions.
VLAN Configuration Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. This switch supports private VLANs with primary/secondary associated groups. A primary VLAN contains promiscuous ports that can communicate with all other ports in the private VLAN group, while a secondary (or community) VLAN contains community ports that can only communicate with other hosts within the secondary VLAN and with any of the promiscuous ports in the associated primary VLAN.
Configuring the Switch Web – Click VLAN, Private VLAN, Information. Select the desired port from the VLAN ID drop-down menu. Figure 3-117 Private VLAN Information CLI – This example shows the switch configured with primary VLAN 5 and secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as a host ports and are associated with VLAN 6.
VLAN Configuration Web – Click VLAN, Private VLAN, Configuration. Enter the VLAN ID number, select Primary or Community type, then click Add. To remove a private VLAN from the switch, highlight an entry in the Current list box and then click Remove. Note that all member ports must be removed from the VLAN before it can be deleted.
Configuring the Switch CLI – This example associates community VLANs 6 and 7 with primary VLAN 5. Console(config)#vlan database 4-254 Console(config-vlan)#private-vlan 5 association 6 4-273 Console(config-vlan)#private-vlan 5 association 7 4-273 Console(config)# Displaying Private VLAN Interface Information Use the Private VLAN Port Information and Private VLAN Trunk Information menus to display the interfaces associated with private VLANs.
VLAN Configuration CLI – This example shows the switch configured with primary VLAN 5 and community VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and associated with VLAN 6.
Configuring the Switch Web – Click VLAN, Private VLAN, Port Configuration or Trunk Configuration. Set the PVLAN Port Type for each port that will join a private VLAN. Assign promiscuous ports to a primary VLAN. Assign host ports to a community VLAN. After all the ports have been configured, click Apply.
VLAN Configuration Command Usage To configure protocol-based VLANs, follow these steps: 1. First configure VLAN groups for the protocols you want to use (page 3-193). Although not mandatory, we suggest configuring a separate VLAN for each major protocol running on your network. Do not add port members at this time. 2.
Configuring the Switch CLI – This example shows the switch configured with Protocol Group 2 which matches RFC 1042 IP traffic. Console(config)#protocol-vlan protocol group 2 add frame-type rfc-1042 protocol-type ip 4-277 Console(config)# Configuring the Protocol VLAN System Use the Protocol VLAN System Configuration menu to map a Protocol VLAN Group to a VLAN.
Link Layer Discovery Protocol Link Layer Discovery Protocol Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1ab standard, and can include details such as device identification, capabilities and configuration settings.
Configuring the Switch This attribute must comply with the rule: (4 * Delay Interval) ≤ Transmission Interval • Reinitialization Delay – Configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down. (Range: 1-10 seconds; Default: 2 seconds) When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted.
Link Layer Discovery Protocol CLI – This example sets several attributes which control basic LLDP message timing. Console(config)#lldp 4-288 Console(config)#lldp refresh-interval 60 4-290 Console(config)#lldp holdtime-multiplier 10 4-288 Console(config)#lldp tx-delay 10 4-291 Console(config)#lldp reinit-delay 10 4-290 Console(config)#lldp notification-interval 30 4-289 Console(config)#lldp medFastStartCount 6 4-289 Console(config)#exit Console#show lldp config...
Page 276
Configuring the Switch • TLV Type – Configures the information included in the TLV field of advertised messages. - Port Description – The port description is taken from the ifDescr object in RFC 2863, which includes information about the manufacturer, the product name, and the version of the interface hardware/software.
Link Layer Discovery Protocol power (the Endpoint Device could use this information to decide to enter power conservation mode). Note that this device does not support PoE capabilities. - Inventory – This option advertises device details useful for inventory management, such as manufacturer, model, software version and other pertinent information.
Configuring the Switch CLI – This example sets the interface to both transmit and receive LLDP messages, enables SNMP trap messages, enables MED notification, and specifies the TLV, MED-TLV, dot1-TLV and dot3-TLV parameters to advertise. Console(config)#interface ethernet 1/1 4-188 Console(config-if)#lldp admin-status tx-rx 4-292 Console(config-if)#lldp notification 4-292...
Page 279
Link Layer Discovery Protocol • Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system. • System Name – An string that indicates the system’s administratively assigned name (see “Displaying System Information” on page 3-12). •...
Configuring the Switch Web – Click LLDP, Local Information. Figure 3-126 LLDP Local Device Information CLI – This example displays LLDP information for the local switch. Console#show lldp info local-device 4-305 LLDP Local System Information Chassis Type : MAC Address Chassis ID : 00-01-02-03-04-05 System Name...
Link Layer Discovery Protocol This example displays detailed information for a specific port on the local switch. Console#show lldp info local-device ethernet 1/1 4-305 LLDP Port Information Detail Port : Eth 1/1 Port Type : MAC Address Port ID : 00-01-02-03-04-06 Port Desc : Ethernet Port on unit 1, port 1 Console# Displaying LLDP Remote Port Information...
Configuring the Switch Displaying LLDP Remote Information Details Use the LLDP Remote Information Details screen to display detailed information about an LLDP-enabled device connected to a specific port on the local switch. Field Attributes • Local Port – The local port to which a remote LLDP-capable device is attached. •...
Link Layer Discovery Protocol Web – Click LLDP, Remote Information Details. Select an interface from the drop down lists, and click Query. Figure 3-128 LLDP Remote Information Details CLI – This example displays LLDP information for an LLDP-enabled remote device attached to a specific port on this switch.
Configuring the Switch Displaying Device Statistics Use the LLDP Device Statistics screen to general statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces. Field Attributes General Statistics on Remote Devices •...
Link Layer Discovery Protocol CLI – This example displays LLDP statistics received from all LLDP-enabled remote devices connected directly to this switch. switch#show lldp info statistics 4-307 LLDP Device Statistics Neighbor Entries List Last Updated : 2450279 seconds New Neighbor Entries Count Neighbor Entries Deleted Count Neighbor Entries Dropped Count Neighbor Entries Ageout Count...
Configuring the Switch Web – Click LLDP, Device Statistics Details. Figure 3-130 LLDP Device Statistics Details CLI – This example displays detailed LLDP statistics for an LLDP-enabled remote device attached to a specific port on this switch. switch#show lldp info statistics detail ethernet 1/1 4-307 LLDP Port Statistics Detail PortName...
Class of Service Configuration Layer 2 Queue Settings Setting the Default Priority for Interfaces You can specify the default port priority for each interface on the switch. All untagged packets entering the switch are tagged with the specified default port priority, and then sorted into the appropriate priority queue at the output port.
Configuring the Switch CLI – This example assigns a default priority of 5 to port 3. Console(config)#interface ethernet 1/3 4-188 Console(config-if)#switchport priority default 5 4-309 Console(config-if)#end Console#show interfaces switchport ethernet 1/3 4-199 Information of Eth 1/3 Broadcast Threshold: Enabled, 64 Kbits/second Multicast Threshold: Disabled Unknown-unicast Threshold:...
Class of Service Configuration Table 3-19 CoS Priority Levels (Continued) Priority Level Traffic Type Controlled Load Video, less than 100 milliseconds latency and jitter Voice, less than 10 milliseconds latency and jitter Network Control Command Attributes • Priority – CoS value. (Range: 0-7, where 7 is the highest priority) •...
Configuring the Switch Selecting the Queue Mode You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue.
Class of Service Configuration Note: This switch does not allow the queue service weights to be set. The weights are 1, 2, 4, 8, for queues 0 through 3 respectively. fixed as Command Attributes • WRR Setting Table – Displays a list of weights for each traffic class (i.e., queue). •...
Configuring the Switch Enabling IP DSCP Priority The switch allows you to enable or disable the IP DSCP priority. Command Attributes • IP DSCP Priority Status – The following options are: - Disabled – Disables the priority service. (Default Setting: Disabled) - IP DSCP –...
Class of Service Configuration Mapping DSCP Priority The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP retains backward compatibility with the three precedence bits so that non-DSCP compliant devices will not conflict with the DSCP mapping. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding.
Configuring the Switch CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings. Console(config)#map ip dscp 4-313 Console(config)#interface ethernet 1/1 4-188 Console(config-if)#map ip dscp 1 cos 0 4-313...
Quality of Service You should create a Class Map before creating a Policy Map. Otherwise, you will not be able to select a Class Map from the Policy Rule Settings screen (see page 3-244). Configuring Quality of Service Parameters To create a service policy for a specific category or ingress traffic, follow these steps: 1.
Page 296
Configuring the Switch • Add Class – Opens the “Class Configuration” page. Enter a class name and description on this page, and click Add to open the “Match Class Settings” page. Enter the criteria used to classify ingress traffic on this page. •...
Quality of Service Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class. Figure 3-137 Configuring Class Maps CLI - This example creates a class map call “rd_class,” and sets it to match packets marked for DSCP service value 3.
Configuring the Switch Creating QoS Policies This function creates a policy map that can be attached to multiple interfaces. Command Usage • To configure a Policy Map, follow these steps: - Create a Class Map as described on page 3-239. - Open the Policy Map page, and click Add Policy.
Page 299
Quality of Service Policy Rule Settings - Class Settings - • Class Name – Name of class map. • Action – Shows the service provided to ingress traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified in Match Class Settings on page 3-239).
Configuring the Switch Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy. To configure the policy rule settings click Edit Classes. Figure 3-138 Configuring Policy Maps 3-244...
Quality of Service CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth the 1 Mbps, the burst rate to 1522 bps, and the response to reduce the DSCP value for violating packets to 0. Console(config)#policy-map rd_policy#3 4-319 Console(config-pmap)#class rd_class#3 4-319...
Configuring the Switch VoIP Traffic Configuration When IP telephony is deployed in an enterprise network, it is recommended to isolate the Voice over IP (VoIP) network traffic from other data traffic. Traffic isolation can provide higher voice quality by preventing excessive packet delays, packet loss, and jitter.
Quality of Service Web – Click QoS, VoIP Traffic Setting, Configuration. Enable Auto Detection, specify the Voice VLAN ID, the set the Voice VLAN Aging Time. Click Apply. Figure 3-140 Configuring VoIP Traffic CLI – This example enables VoIP traffic detection and specifies the Voice VLAN ID as 1234, then sets the VLAN aging time to 3000 seconds.
Configuring the Switch address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device. • 802.1ab – Uses LLDP to discover VoIP devices attached to the port. LLDP checks that the “telephone bit”...
Quality of Service CLI – This example configures VoIP traffic settings for port 2 and displays the current Voice VLAN status. Console(config)#interface ethernet 1/2 Console(config-if)#switchport voice vlan auto 4-282 Console(config-if)#switchport voice vlan security 4-283 Console(config-if)#switchport voice vlan rule oui 4-283 Console(config-if)#switchport voice vlan priority 5 4-284 Console(config-if)#exit...
Configuring the Switch Web – Click QoS, VoIP Traffic Setting, OUI Configuration. Enter a MAC address that specifies the OUI for VoIP devices in the network. Select a mask from the pull-down list to define a MAC address range. Enter a description for the devices, then click Add.
Multicast Filtering Multicast Filtering Multicasting is used to support real-time Unicast applications such as videoconferencing or Flow streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/ router.
Configuring the Switch Layer 2 IGMP (Snooping and Query) IGMP Snooping and Query – If multicast routing is not supported on other switches in your network, you can use IGMP Snooping and Query (page 3-253) to monitor IGMP service requests passing between multicast clients and servers, and dynamically configure the switch ports which need to forward multicast traffic.
Multicast Filtering Static IGMP Host Interface – For multicast applications that you need to control more carefully, you can manually assign a multicast service to specific interfaces on the switch (page 3-259). Configuring IGMP Snooping and Query Parameters You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic.
Configuring the Switch • IGMP Report Delay — Sets the time between receiving an IGMP Report for an IP multicast address on a port before the switch sends an IGMP Query out of that port and removes the entry from its list. (Range: 5-25 seconds; Default: 10) •...
Configuring the Switch Command Attributes • VLAN ID – VLAN Identifier. (Range: 1-4094). • Immediate Leave – Sets the status for immediate leave on the specified VLAN. (Default: Disabled) Web – Click IGMP Snooping, IGMP Immediate Leave. Select the VLAN interface to configure, set the status for immediate leave, and click Apply.
Multicast Filtering Web – Click IGMP Snooping, Multicast Router Port Information. Select the required VLAN ID from the scroll-down list to display the associated multicast routers. Figure 3-145 Displaying Multicast Router Port Information CLI – This example shows that Port 11 has been statically configured as a port attached to a multicast router.
Configuring the Switch Web – Click IGMP Snooping, Static Multicast Router Port Configuration. Specify the interfaces attached to a multicast router, indicate the VLAN which will forward all the corresponding multicast traffic, and then click Add. After you have finished adding interfaces to the list, click Apply.
Multicast Filtering Web – Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and the IP address for a multicast service from the scroll-down lists. The switch will display all the interfaces that are propagating this multicast service. Figure 3-147 IP Multicast Registration Table CLI –...
Configuring the Switch • Multicast IP – The IP address for a specific multicast service • Port or Trunk – Specifies the interface attached to a multicast router/switch. Web – Click IGMP Snooping, IGMP Member Port Table. Specify the interface attached to a multicast service (via an IGMP-enabled switch or multicast router), indicate the VLAN that will propagate the multicast service, specify the multicast IP address, and click Add.
Multicast Filtering IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace”. If the action is set to deny, any new IGMP join reports will be dropped.
Configuring the Switch Configuring IGMP Filter Profiles When you have created an IGMP profile number, you can then configure the multicast groups to filter and set the access mode. Command Usage • Each profile has only one access mode; either permit or deny. •...
Multicast Filtering CLI – This example configures profile number 19 by setting the access mode to “permit” and then specifying a range of multicast groups that a user can join. The current profile configuration is then displayed. Console(config)#ip igmp profile 19 4-335 Console(config-igmp-profile)#permit 4-336...
Configuring the Switch Web – Click IGMP Snooping, IGMP Filter/Throttling Port Configuration or IGMP Filter/Throttling Trunk Configuration. Select a profile to assign to an interface, then set the throttling number and action. Click Apply. Figure 3-151 IGMP Filter and Throttling Port Configuration CLI –...
Multicast VLAN Registration Multicast VLAN Registration Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all attached subscribers.
Configuring the Switch Configuring Global MVR Settings The global settings for Multicast VLAN Registration (MVR) include enabling or disabling MVR for the switch, selecting the VLAN that will serve as the sole channel for common multicast streams supported by the service provider, and assigning the multicast group address for each of these services to the MVR VLAN.
Multicast VLAN Registration Web – Click MVR, Configuration. Enable MVR globally on the switch, select the MVR VLAN, add the multicast groups that will stream traffic to attached hosts, and then click Apply. Figure 3-152 MVR Global Configuration CLI – This example first enables IGMP snooping, enables MVR globally, and then configures a range of MVR group addresses.
Configuring the Switch Web – Click MVR, Port or Trunk Information. Figure 3-153 MVR Port Information CLI – This example shows information about interfaces attached to the MVR VLAN. Console#show mvr interface 4-344 Port Type Status Immediate Leave ------- -------- ------------- --------------- eth1/1 SOURCE ACTIVE/UP...
Multicast VLAN Registration Web – Click MVR, Group IP Information. Figure 3-154 MVR Group IP Information CLI – This example following shows information about the interfaces associated with multicast groups assigned to the MVR VLAN. Console#show mvr interface 4-344 MVR Group IP Status Members ---------------- -------- -------...
Configuring the Switch Configuring MVR Interface Status Each interface that participates in the MVR VLAN must be configured as an MVR source port or receiver port. If only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function. Command Usage •...
Multicast VLAN Registration - Non-MVR – An interface that does not participate in the MVR VLAN. (This is the default type.) • Immediate Leave – Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. (This option only applies to an interface configured as an MVR receiver.) •...
Configuring the Switch • The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x. Command Attributes • Interface – Indicates a port or trunk. •...
Switch Clustering Switch Clustering Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
Configuring the Switch • Cluster IP Pool – An “internal” IP address pool that is used to assign IP addresses to Member switches in the cluster. Internal cluster IP addresses are in the form 10.x.x.member-ID. Only the base IP address of the pool needs to be set since Member IDs can only be between 1 and 36.
Switch Clustering Web – Click Cluster, Member Configuration. Figure 3-159 Cluster Member Configuration CLI – This example creates a new cluster Member by specifying the Candidate switch MAC address and setting a Member ID. Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5 4-75 Console(config)#end Console#show cluster candidates...
Configuring the Switch Web – Click Cluster, Member Information. Figure 3-160 Cluster Member Information CLI – This example shows information about cluster Member switches. Vty-0#show cluster members 4-77 Cluster Members: Role: Active member IP Address: 10.254.254.2 MAC Address: 00-12-cf-23-49-c0 Description: 24/48 L2/L4 IPV4/IPV6 GE Switch Vty-0# Displaying Information on Cluster Candidates Use the Cluster Candidate Information page to display information about discovered...
UPnP CLI – This example shows information about cluster Candidate switches. 4-77 Vty-0#show cluster candidates Cluster Candidates: Role Description --------------- ----------------- ----------------------------------------- ACTIVE MEMBER 00-12-cf-23-49-c0 24/48 L2/L4 IPV4/IPV6 GE Switch CANDIDATE 00-12-cf-0b-47-a0 24/48 L2/L4 IPV4/IPV6 GE Switch Vty-0# UPnP Universal Plug and Play (UPnP) is a set of protocols that allows devices to connect seamlessly and simplifies the deployment of home and office networks.
Configuring the Switch Using UPnP under Windows Vista – To access or manage the switch with the aid of UPnP under Windows Vista, open the Network and Sharing Center, and enable Network Discovery. Then click on the node representing your local network under the Network Sharing Center.
Page 335
UPnP CLI – This example enables UPnP, sets the device advertise duration to 200 seconds, the device TTL to 6, and displays information about basic UPnP configuration. Console(config)#upnp device 4-78 Console(config)#upnp device advertise duration 200 4-79 Console(config)#upnp device ttl 6 4-78 Console(config)#end Console#sh upnp...
Page 336
Configuring the Switch This page is intentionally left blank. 3-280...
Chapter 4: Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Using the Command Line Interface Accessing the CLI accessing the management interface for the switch over a direct connection to When the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt.
Command Line Interface Telnet Connection Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods.
Entering Commands Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
Command Line Interface Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line or VLAN Database). You can also display a list of valid keywords for a specific command.
Entering Commands vlan Virtual LAN settings voice Shows the voice VLAN information web-auth Shows web authentication configuration Console#show The command “show interfaces ?” will display the following information: Console#show interfaces ? counters Interface counters information status Interface status information switchport Interface switchport information Console#show interfaces Partial Keyword Lookup...
Command Line Interface current mode. The command classes and associated modes are displayed in the following table: Table 4-1 Command Modes Class Mode Exec Normal Privileged Configuration Global Access Control List Class Map Interface Line Multiple Spanning Tree Policy Map Server Group VLAN Database * You must be in Privileged Exec mode to access the Global configuration mode.
Entering Commands Configuration Commands Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in non-volatile storage, use the copy running-config startup-config command. The configuration commands are organized into different modes: •...
Command Line Interface For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode Console(config)#interface ethernet 1/5 Console(config-if)#exit Console(config)# Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters.
Command Groups Command Groups The system commands can be broken down into the functional groups shown below Table 4-4 Command Groups Command Group Description Page General Basic commands for entering privileged access mode, restarting the 4-10 system, or quitting the CLI System Management Display and setting of system information, basic modes of operation, 4-16...
Command Line Interface Table 4-4 Command Groups (Continued) Command Group Description Page Multicast Filtering Configures IGMP multicast filtering, query parameters, specifies ports 4-324 attached to a multicast router, and enables multicast VLAN registration IP Interface Configures IP address for the switch 4-347 The access mode shown in the following tables is indicated by these abbreviations: ACL (Access Control List Configuration)
General Commands enable This command activates Privileged Exec mode. In privileged mode, additional commands are available, and certain commands display additional information. See “Understanding Command Modes” on page 4-5. Syntax enable [level] level - Privilege level to log into the device. The device has two predefined privilege levels: 0: Normal Exec, 15: Privileged Exec.
Command Line Interface Example Console#disable Console> Related Commands enable (4-11) configure This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration.
General Commands Example In this example, the show history command lists the contents of the command history buffer: Console#show history Execution command history: 2 config 1 show history Configuration command history: 4 interface vlan 1 3 exit 2 interface vlan 1 1 end Console# The ! command repeats commands from the Execution command history buffer...
Command Line Interface Command Usage This command resets the entire system. The switch will wait the designated amount of time before resetting. If a delayed reset has already been scheduled, then the newly configured reset will overwrite the original delay configuration.
General Commands Command Mode Global Configuration Example Console(config)#prompt RD2 RD2(config)# This command returns to Privileged Exec mode. Default Setting None Command Mode Global Configuration, Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration. Example This example shows how to return to the Privileged Exec mode from the Interface Configuration mode: Console(config-if)#end Console#...
Command Line Interface quit This command exits the configuration program. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The quit and exit commands can both exit the configuration program. Example This example shows how to quit a CLI session: Console#quit Press ENTER to start session User Access Verification...
System Management Commands Table 4-6 System Management Commands (Continued) Command Group Function Page Web Server Enables management access via a web browser 4-123 Telnet Server Enables management access via Telnet 4-126 Secure Shell Provides secure replacement for Telnet 4-127 Device Designation Commands Table 4-7 Device Designation Commands Command Function...
Command Line Interface Banner Information Commands These commands are used to configure and manage administrative information about the switch, its exact data center location, details of the electrical and network circuits that supply the switch, as well as contact information for the network administrator and system manager.
Example Console(config)#banner configure Company: Samsung Corporation Responsible department: R&D Dept Name and telephone to Contact the management people Manager1 name: Sr. Network Admin phone number: 123-555-1212 Manager2 name: Wile E.
Command Line Interface Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure company command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
System Management Commands banner configure department This command is used to configure the department information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure department dept-name no banner configure company dept-name - The name of the department. (Maximum length: 32 characters) Default Setting None...
Command Line Interface Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure equipment-info command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
System Management Commands banner configure ip-lan This command is used to configure the device IP address and subnet mask information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure ip-lan ip-mask no banner configure ip-lan ip-mask - The IP address and subnet mask of the device.
Command Line Interface Example Console(config)#banner configure lp-number 12 Console(config)# banner configure manager-info This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number]...
System Management Commands banner configure mux This command is used to configure the mux information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure mux muxinfo no banner configure mux muxinfo - The circuit and PVC to which the switch is connected. (Maximum length: 32 characters) Default Setting None...
Command Line Interface Command Usage Input strings cannot contain spaces. The banner configure note command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity. Example Console(config)#banner configure note !!!!!ROUTINE_MAINTENANCE_firmware- upgrade_0100-0500_GMT-0500_20071022!!!!!_20min_network_impact_expected...
System Management Commands System Status Commands This section describes commands used to display system information. Table 4-9 System Status Commands Command Function Mode Page show startup-config Displays the contents of the configuration file (stored in flash 4-27 memory) that is used to start up the system show running-config Displays the configuration data currently in use 4-29...
Command Line Interface - Spanning tree settings - Interface settings - Any configured settings for the console port and Telnet Example Console#show startup-config building startup-config, please wait... !<stackingDB>00</stackingDB> !<stackingMac>01_00-16-b6-f0-6f-fd_00</stackingMac> phymap 00-16-b6-f0-6f-fd sntp server 0.0.0.0 0.0.0.0 0.0.0.0 ntp poll 16 no dot1q-tunnel system-tunnel-control power mainpower maximum allocation 180 unit 1 snmp-server community public ro snmp-server community private rw...
System Management Commands show running-config This command displays the configuration information currently in use. Default Setting None Command Mode Privileged Exec Command Usage • Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
Page 366
Command Line Interface Example Console#show startup-config building startup-config, please wait... !<stackingDB>00</stackingDB> !<stackingMac>01_00-16-b6-f0-6f-fd_00</stackingMac> phymap 00-16-b6-f0-6f-fd sntp server 0.0.0.0 0.0.0.0 0.0.0.0 ntp poll 16 no dot1q-tunnel system-tunnel-control power mainpower maximum allocation 180 unit 1 snmp-server community public ro snmp-server community private rw username admin access-level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access-level 0...
System Management Commands show system This command displays system information. Command Mode Normal Exec, Privileged Exec Command Usage • For a description of the items shown by this command, refer to “Displaying System Information” on page 3-12. • The POST results should all display “PASS.” If any POST test indicates “FAIL,”...
System Management Commands show memory This command shows the location and size of free system memory. Command Mode Privileged Exec Example Console#show memory FREE LIST: Addr Size --- ---------- ---------- 0x7176640 1024 0x7176498 Frame Size Commands This section describes commands used to configure the Ethernet frame size on the switch.
Command Line Interface connections, all devices in the collision domain would need to support jumbo frames. • The current setting for jumbo frames can be displayed with the show system command (page 4-31). Example Console(config)#jumbo frame Console(config)# File Management Commands Managing Firmware Firmware can be uploaded and downloaded to or from a TFTP server.
System Management Commands copy This command moves (upload/download) a code image or configuration file between the switch’s flash memory and a TFTP server. When you save the system code or configuration settings to a file on a TFTP server, that file can later be downloaded to the switch to restore system operation.
Page 372
Command Line Interface • The Boot ROM and Loader cannot be uploaded or downloaded from the TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help. • For information on specifying an https-certificate, see “Replacing the Default Secure-site Certificate”...
System Management Commands The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.01 Startup configuration file name [startup]: Write to FLASH Programming. \Write to FLASH finish. Success. Console# This example shows how to copy a secure-site certificate from an TFTP server.
Command Line Interface Command Usage • If the file type is used for system startup, then this file cannot be deleted. • “Factory_Default_Config.cfg” cannot be deleted. Example This example shows how to delete the test2.cfg configuration file from flash memory. Console#delete test2.cfg Console# Related Commands...
System Management Commands Example The following example shows how to display all file information: File name File type Startup Size (byte) ------------------------------------- -------------- ------- ---------- Unit1: diag.bix Boot-Rom Image 1377600 iES4024GP_bootrom_V1.0.0.10.bix Boot-Rom Image 1398712 iES4024GP_V1.1.0.14.bix Operation Code 3961940 Factory_Default_Config.cfg Config File startup1.cfg Config File 4667...
Command Line Interface Command Mode Global Configuration Command Usage • A colon (:) is required after the specified unit number and file type. • If the file contains an error, it cannot be set as the default file. Example Console(config)#boot system config: startup Console(config)# Related Commands dir (4-38)
System Management Commands line This command identifies a specific line for configuration, and to process subsequent line configuration commands. Syntax line {console | vty} • console - Console terminal line. • vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting There is no default line.
Command Line Interface Command Usage • There are three authentication modes provided by the switch itself at login: - login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode.
System Management Commands number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state. • The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server.
Command Line Interface Related Commands silent-time (4-45) exec-timeout (4-14) exec-timeout This command sets the interval that the system waits until user input is detected. Use the no form to restore the default. Syntax exec-timeout [seconds] no exec-timeout seconds - Integer that specifies the number of seconds. (Range: 0-65535 seconds;...
System Management Commands Default Setting The default value is three attempts. Command Mode Line Configuration Command Usage • When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time before allowing the next logon attempt. (Use the silent-time command to set this interval.) When this threshold is reached for Telnet, the Telnet logon interface shuts down.
Command Line Interface databits This command sets the number of data bits per character that are interpreted and generated by the console port. Use the no form to restore the default value. Syntax databits {7 | 8} no databits • 7 - Seven data bits per character. •...
System Management Commands Command Usage Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting. Example To specify no parity, enter this command: Console(config-line)#parity none Console(config-line)# speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds.
Command Line Interface Default Setting 1 stop bit Command Mode Line Configuration Example To specify 2 stop bits, enter this command: Console(config-line)#stopbits 2 Console(config-line)# disconnect This command terminates an SSH, Telnet, or console connection. Syntax disconnect session-id session-id – The session identifier for an SSH, Telnet or console connection.
System Management Commands Command Mode Normal Exec, Privileged Exec Example To show all lines, enter this command: Console#show line Console configuration: Password threshold: 3 times Interactive timeout: Disabled Login timeout: Disabled Silent time: Disabled Baudrate: 9600 Databits: Parity: none Stopbits: VTY configuration: Password threshold: 3 times...
Command Line Interface Command Mode Global Configuration Command Usage The logging process controls error messages saved to switch memory or sent to remote syslog servers. You can use the logging history command to control the type of error messages that are stored in memory. You can use the logging trap command to control the type of error messages that are sent to specified syslog servers.
System Management Commands Default Setting Flash: errors (level 3 - 0) RAM: warnings (level 7 - 0) Command Mode Global Configuration Command Usage The message level specified for flash memory must be a higher priority (i.e., numerically lower) than that specified for RAM. Example Console(config)#logging history ram 0 Console(config)#...
Command Line Interface Default Setting Command Mode Global Configuration Command Usage The command specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to sort messages or to store messages in the corresponding database.
System Management Commands Example Console(config)#logging trap 4 Console(config)# clear log This command clears messages from the log buffer. Syntax clear log [flash | ram] • flash - Event history stored in flash memory (i.e., permanent memory). • ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
Command Line Interface Example The following example shows that system logging is enabled, the message level for flash memory is “errors” (i.e., default level 3 - 0), the message level for RAM is “informational” (i.e., default level 7 - 0). Console#show logging flash Syslog logging: Enabled...
System Management Commands show log This command displays the system and event messages stored in memory. Syntax show log {flash | ram} [login] • flash - Event history stored in flash memory (i.e., permanent memory). • ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
Command Line Interface SMTP Alert Commands These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients. Table 4-18 SMTP Alert Commands Command Function Mode Page logging sendmail host SMTP servers to receive alert messages 4-56 logging sendmail level Severity threshold used to trigger alert messages...
Global Configuration Command Usage You may use an symbolic email address that identifies the switch, or the address of an administrator responsible for the switch. Example This example will set the source email john@samsung.com. Console(config)#logging sendmail source-email john@samsung.com Console(config)# 4-57...
Command Line Interface logging sendmail destination-email This command specifies the email recipients of alert messages. Use the no form to remove a recipient. Syntax [no] logging sendmail destination-email email-address email-address - The source email address used in alert messages. (Range: 1-41 characters) Default Setting None Command Mode...
Console#show logging sendmail SMTP servers ----------------------------------------------- 1. 192.168.1.200 SMTP minimum severity level: 4 SMTP destination email addresses ----------------------------------------------- 1. geoff@samsung.com SMTP source email address: john@samsung.com SMTP status: Enabled Console# Time Commands The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP).
Command Line Interface Table 4-19 Time Commands (Continued) Command Function Mode Page clock summertime Configures summer time (daylight savings time) for the switch’s 4-70 (recurring) internal clock calendar set Sets the system date and time 4-72 show calendar Displays the current date and time setting NE, PE 4-72 sntp client...
System Management Commands sntp server This command sets the IP address of the servers to which SNTP time requests are issued. Use the this command with no arguments to clear all time servers from the current list. Syntax sntp server [ip1 [ip2 [ip3]]] ip - IP address of a time server (NTP or SNTP).
Command Line Interface Example Console(config)#sntp poll 60 Console(config)# Related Commands sntp client (4-60) show sntp This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated. Command Mode Normal Exec, Privileged Exec Command Usage...
System Management Commands • This command enables client time requests to time servers specified via the ntp servers command. It issues time synchronization requests based on the interval set via the ntp poll command. • SNTP and NTP clients cannot both be enabled at the same time. Example Console(config)#ntp client Console(config)#...
Command Line Interface Example Console(config)#ntp server 192.168.3.20 Console(config)#ntp server 192.168.3.21 Console(config)#ntp server 192.168.4.22 version 2 Console(config)#ntp server 192.168.5.23 version 3 key 19 Console(config)# Related Commands ntp client (4-62) ntp poll (4-64) show ntp (4-66) ntp poll This command sets the interval between sending time requests when the switch is set to NTP client mode.
System Management Commands Command Usage You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers. The authentication keys and their associated key number must be centrally managed and manually distributed to NTP servers and clients. The key numbers and key values must match on both the server and client.
Command Line Interface Example Console(config)#ntp authentication-key 45 md5 thisiskey45 Console(config)# Related Commands ntp authenticate (4-64) show ntp This command displays the current time and configuration settings for the NTP client, and indicates whether or not the local time has been properly updated. Command Mode Normal Exec, Privileged Exec Command Usage...
System Management Commands clock timezone-predefined This command uses predefined time zone configurations to set the time zone for the switch’s internal clock. Use the no form to restore the default. Syntax clock timezone-predefined offset-city no clock timezone-predefined • offset - Select the offset from GMT. (Range: GMT-0100 - GMT-1200; GMT-Greenwich-Mean-Time;...
Command Line Interface Default Setting None Command Mode Global Configuration Command Usage This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
System Management Commands • e-minute - The minute summer-time will end. (Range: 0-59 minutes) • offset - Summer-time offset from the regular time zone, in minutes. (Range: 0-99 minutes) Default Setting Disabled Command Mode Global Configuration Command Usage • In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less.
Command Line Interface Command Usage • In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn.
Page 407
System Management Commands • b-hour - The hour when summer-time will begin. (Range: 0-23 hours) • b-minute - The minute when summer-time will begin. (Range: 0-59 minutes) • e-week - The week of the month when summer-time will end. (Range: 1-5) •...
Command Line Interface calendar set This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server. Syntax calendar set hour min sec {day month year | month day year} •...
System Management Commands Switch Cluster Commands Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
Command Line Interface Command Usage • To create a switch cluster, first be sure that clustering is enabled on the switch (the default is enabled), then set the switch as a Cluster Commander. Set a Cluster IP Pool that does not conflict with any other IP subnets in the network. Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander.
System Management Commands cluster ip-pool This command sets the cluster IP address pool. Use the no form to reset to the default address. Syntax cluster ip-pool ip-address no cluster ip-pool ip-address - The base IP address for IP addresses assigned to cluster Members.
Command Line Interface Command Usage • The maximum number of cluster Members is 36. The maximum number of switch Candidates is 100 • Example Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5 Console(config)# rcommand This command provides access to a cluster Member CLI for configuration. Syntax rcommand id member-id member-id - The ID number of the Member switch.
System Management Commands show cluster members This command shows the current switch cluster members. Command Mode Privileged Exec Example Console#show cluster members Cluster Members: Role: Active member IP Address: 10.254.254.2 MAC Address: 00-12-cf-23-49-c0 Description: Ubigate iES4024GP Switch Console# show cluster candidates This command shows the discovered Candidate switches in the network.
Command Line Interface upnp device This command enables UPnP on the device. Use the no form to disable UPnP. Syntax [no] upnp device Default Setting Enabled Command Mode Global Configuration Command Usage You must enable UPnP before you can configure time out settings for sending of UPnP messages.
System Management Commands Example In the following example, the TTL is set to 6. Console(config)#upnp device ttl 6 Console(config)# upnp device advertise duration This command sets the duration for which a device will advertise its presence on the local network. Syntax upnp device advertise duration value value - A time out value expressed in seconds.
Command Line Interface Debug Commands Table 4-22 Debug Commands Command Function Mode Page debug dot1x Configures debug settings for IEEE 802.1X 4-80 debug radius Configures debug settings for RADIUS 4-82 debug tacacs Configures debug settings for TACACS 4-84 debug dot1x This command configures debug settings for IEEE 802.1X authentication processes.
Page 417
System Management Commands an 802.1X system event occurs. When debugging is enabled for the packet classification, debug messages will be shown when the switch sends or receives an EAPOL packet. • Use the debug dot1x show state-machine command to show debug messages for all state-machine related events.
Command Line Interface When the debug state-machine option is selected, messages similar to those shown below are displayed when a change occurs in the state-machine. 01:02:03: DOT1X: event/pae-sm: State changing on port=1/1 from initialize to disconnected 01:02:03: DOT1X: event/pae-sm: State changing on port=1/1 from disconnected to connecting 01:02:03: DOT1X: event/pae-sm: State changing on port=1/1 from connecting to timeout...
Page 419
System Management Commands Command Mode Privileged Exec Command Usage • Use the debug radius command without any classification or feature to enable debugging for all RADIUS processes. • Use the debug radius all command to enable debugging for all of the classification options (i.e., config, database, event, packet and avpair).
Command Line Interface When the debug packet option is selected, messages similar to those shown below are displayed when a RADIUS reply packet is received. 01:02:03: RADIUS: pkt/authen/author: Received a reply packet, code=accept, id=10, length=56 01:02:03 RADIUS: pkt/authen/author: Received a reply packet, code=access-chall, i d=179, length=75 01:02:03 RADIUS: avpair/authen/author: state=5342522D43...,...
Page 421
System Management Commands TACACS configuration commands are entered. When debugging is enabled for the database classification, debug messages will be shown when a memory operation is applied to the TACACS database. When debugging is enabled for the event classification, debug messages will be shown when a TACACS system event occurs.
Command Line Interface SNMP Commands Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
SNMP Commands Example Console(config)#snmp-server Console(config)# show snmp This command can be used to check the status of SNMP communications. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.
Command Line Interface snmp-server community This command defines the SNMP v1 and v2c community access string. Use the no form to remove the specified community string. Syntax snmp-server community string [ro|rw] no snmp-server community string • string - Community string that acts like a password and permits access to the SNMP protocol.
SNMP Commands Related Commands snmp-server location (4-89) snmp-server location This command sets the system location string. Use the no form to remove the location string. Syntax snmp-server location text no snmp-server location text - String that describes the system location. (Maximum length: 255 characters) Default Setting None...
Command Line Interface snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]} no snmp-server host host-addr •...
Page 427
SNMP Commands command to enable the sending of traps or informs and to specify which SNMP notifications are sent globally. For a host to receive notifications, at least one snmp-server enable traps command and the snmp-server host command for that host must be enabled. •...
Command Line Interface Related Commands snmp-server enable traps (4-92) snmp-server enable traps This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications). Use the no form to disable SNMP notifications. Syntax [no] snmp-server enable traps [authentication | link-up-down] •...
SNMP Commands snmp-server engine-id This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default. Syntax snmp-server engine-id {local | remote {ip-address}} engineid-string no snmp-server engine-id {local | remote {ip-address}} • local - Specifies the SNMP engine on this switch. •...
Command Line Interface Related Commands snmp-server host (4-90) show snmp engine-id This command shows the SNMP engine ID. Command Mode Privileged Exec Example This example shows the default engine ID. Console#show snmp engine-id Local SNMP engineID: 8000002a8000000000e8666672 Local SNMP engineBoots: 1 Remote SNMP engineID IP address 80000000030004e2b316c54321...
SNMP Commands Command Usage • Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree. • The predefined view “defaultview” includes access to the entire MIB tree. Examples This view includes MIB-2. Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included Console(config)# This view includes the MIB-2 interfaces table, ifDescr.
Command Line Interface snmp-server group This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group. Syntax snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] no snmp-server group groupname •...
SNMP Commands show snmp group Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access. Command Mode Privileged Exec Example Console#show snmp group Group Name: r&d Security Model: v3 Read View: defaultview Write View: daily Notify View: none Storage Type: permanent...
Command Line Interface Table 4-26 show snmp group - display description Field Description groupname Name of an SNMP group. security model The SNMP version. readview The associated read view. writeview The associated write view. notifyview The associated notify view. storage-type The storage type for this entry.
SNMP Commands Command Usage • The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command. • Before you configure a remote user, use the snmp-server engine-id command (page 4-93) to specify the engine ID for the remote device where the user resides.
Command Line Interface Table 4-27 show snmp user - display description Field Description EngineId String identifying the engine ID. User Name Name of user connecting to the SNMP agent. Authentication Protocol The authentication protocol used with SNMPv3. Privacy Protocol The privacy protocol used with SNMPv3. Storage Type The storage type for this entry.
Authentication Commands username This command adds named users, requires authentication at login, specifies or changes a user's password (or specify that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name. Syntax username name {access-level level | nopassword | password {0 | 7} password}...
Command Line Interface Example This example shows how to set the access level and password for a user. Console(config)#username bob access-level 15 Console(config)#username bob password 0 smith Console(config)# enable password After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place.
Authentication Commands Authentication Sequence Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence. Table 4-31 Authentication Sequence Command Function Mode Page...
Command Line Interface Related Commands username - for setting the local user names and passwords (4-101) authentication enable This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-11).
Authentication Commands RADIUS Client Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
Command Line Interface Command Mode Global Configuration Example Console(config)#radius-server 1 host 192.168.1.20 auth-port 181 timeout 10 retransmit 5 key green Console(config)# radius-server auth-port This command sets the RADIUS server network port for authentication messages. Use the no form to restore the default. Syntax radius-server auth-port port_number no radius-server auth-port...
Authentication Commands radius-server attribute 4 This command sets the IP address of the Network Access Server (NAS) to use in the attribute 4 address field in packets sent to the RADIUS server. Use the no form to restore the default setting. Syntax radius-server attribute 4 nas_ip_address no radius-server attribute 4...
Command Line Interface Command Mode Global Configuration Example Console(config)#radius-server key green Console(config)# radius-server retransmit This command sets the number of retries. Use the no form to restore the default. Syntax radius-server retransmit number_of_retries no radius-server retransmit number_of_retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
Authentication Commands show radius-server This command displays the current settings for the RADIUS server. Default Setting None Command Mode Privileged Exec Example Console#show radius-server Remote RADIUS Server Configuration: Global Settings: Authentication Port : 1812 Accounting Port : 1813 Retransmit Times Request Timeout : 5 seconds Attributes:...
Command Line Interface tacacs-server host This command specifies a TACACS+ server. Use the no form to restore the default. Syntax [no] tacacs-server index host {host_ip_address} [port port_number] [timeout timeout] [retransmit retransmit] [key key] • index - Specifies the index number of the server. (Range: 1) •...
Authentication Commands Example Console(config)#tacacs-server port 181 Console(config)# tacacs-server key This command sets the TACACS+ encryption key. Use the no form to restore the default. Syntax tacacs-server key key_string no tacacs-server key key_string - Encryption key used to authenticate logon access for the client.
Command Line Interface tacacs-server timeout This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default. Syntax tacacs-server timeout number_of_seconds no tacacs-server timeout number_of_seconds - Number of seconds the switch waits for a reply before resending a request.
Authentication Commands show tacacs-server This command displays the current settings for the TACACS+ server. Default Setting None Command Mode Privileged Exec Example Console#show tacacs-server Remote TACACS+ server configuration: Global Settings: Communication Key with TACACS+ Server: Server Port Number: Retransmit Times Request Times Server 1: Server IP address:...
Command Line Interface AAA Commands The Authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network. Table 4-1 AAA Commands Command Function Mode...
Authentication Commands Example Console(config)#aaa group server radius tps Console(config-sg-radius)# server This command adds a security server to an AAA server group. Use the no form to remove the associated server from the group. Syntax [no] server {index | ip-address} • index - Specifies a server index and the sequence to use for the group. (Range: RADIUS 1-5, TACACS+ 1) •...
Command Line Interface aaa accounting dot1x This command enables the accounting of requested 802.1X services for network access. Use the no form to disable the accounting service. Syntax aaa accounting dot1x {default | method-name} start-stop group {radius | tacacs+ |server-group} no aaa accounting dot1x {default | method-name} •...
Authentication Commands aaa accounting exec This command enables the accounting of requested Exec services for network access. Use the no form to disable the accounting service. Syntax aaa accounting exec {default | method-name} start-stop group {radius | tacacs+ |server-group} no aaa accounting exec {default | method-name} •...
Command Line Interface aaa accounting commands This command enables the accounting of Exec mode commands. Use the no form to disable the accounting service. Syntax aaa accounting commands level {default | method-name} start-stop group {tacacs+ |server-group} no aaa accounting commands level {default | method-name} •...
Authentication Commands aaa accounting update This command enables the sending of periodic updates to the accounting server. Use the no form to disable accounting updates. Syntax aaa accounting update [periodic interval] no aaa accounting update interval - Sends an interim accounting record to the server at this interval. (Range: 1-2147483647 minutes) Default Setting 1 minute...
Command Line Interface Example Console(config)#interface ethernet 1/2 Console(config-if)#accounting dot1x tps Console(config-if)# accounting exec This command applies an accounting method to local console or Telnet connections. Use the no form to disable accounting on the line. Syntax accounting exec {default | list-name} no accounting exec •...
Authentication Commands Command Mode Line Configuration Example Console(config)#line console Console(config-line)#accounting commands 15 default Console(config-line)# aaa authorization exec This command enables the authorization for Exec access. Use the no form to disable the authorization service. Syntax aaa authorization exec {default | method-name} group {tacacs+ | server-group} no aaa authorization exec {default | method-name} •...
• statistics - Displays accounting records. • user-name - Displays accounting records for a specified user name. • interface ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) 4-122...
Command Line Interface Command Mode Global Configuration Example Console(config)#ip http port 769 Console(config)# Related Commands ip http server (4-124) ip http server This command allows this device to be monitored or configured from a browser. Use the no form to disable this function. Syntax [no] ip http server Default Setting...
Authentication Commands Command Usage • Both HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure the HTTP and HTTPS servers to use the same UDP port. • If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number] •...
Command Line Interface Default Setting Command Mode Global Configuration Command Usage • You cannot configure the HTTP and HTTPS servers to use the same port. • If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port_number Example Console(config)#ip http secure-port 1000...
Authentication Commands Example Console(config)#ip telnet server Console(config)#ip telnet server port 123 Console(config)# Secure Shell Commands This section describes the commands used to configure the SSH server. However, note that you also need to install a SSH client on the management station when using this protocol to configure the switch.
Page 464
Command Line Interface To use the SSH server, complete these steps: Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch.
Authentication Commands Public Key Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can access it.
Command Line Interface • The SSH server uses DSA or RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption. •...
Authentication Commands ip ssh authentication-retries This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting. Syntax ip ssh authentication-retries count no ip ssh authentication-retries count – The number of authentication attempts permitted after which the interface is reset.
Command Line Interface delete public-key This command deletes the specified user’s public key. Syntax delete public-key username [dsa | rsa] • username – Name of an SSH user. (Range: 1-8 characters) • dsa – DSA public key type. • rsa – RSA public key type. Default Setting Deletes both the DSA and RSA key.
Authentication Commands Related Commands ip ssh crypto zeroize (4-133) ip ssh save host-key (4-133) ip ssh crypto zeroize This command clears the host key from memory (i.e. RAM). Syntax ip ssh crypto zeroize [dsa | rsa] • dsa – DSA key type. •...
Command Line Interface Example Console#ip ssh save host-key dsa Console# Related Commands ip ssh crypto host-key generate (4-132) show ip ssh This command displays the connection settings used when authenticating client access to the SSH server. Command Mode Privileged Exec Example Console#show ip ssh SSH Enabled - version 1.99...
Authentication Commands Table 4-38 show ssh - display description (Continued) Field Description Encryption The encryption method is automatically negotiated between the client and server. Options for SSHv1.5 include: DES, 3DES Options for SSHv2.0 can include different algorithms for the client-to-server (ctos) and server-to-client (stoc): aes128-cbc-hmac-sha1 aes192-cbc-hmac-sha1...
Authentication Commands 802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol). Table 4-39 802.1X Port Authentication Command Function...
Command Line Interface dot1x default This command sets all configurable dot1x global and port settings to their default values. Command Mode Global Configuration Example Console(config)#dot1x default Console(config)# dot1x max-req This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session.
Authentication Commands Default force-authorized Command Mode Interface Configuration Example Console(config)#interface eth 1/2 Console(config-if)#dot1x port-control auto Console(config-if)# dot1x operation-mode This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host.
[interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) Command Mode Privileged Exec Command Usage The re-authentication process verifies the connected client’s user ID and password on the RADIUS server.
Authentication Commands Example Console(config)#interface eth 1/2 Console(config-if)#dot1x re-authentication Console(config-if)# Related Commands dot1x timeout re-authperiod (4-141) dot1x timeout quiet-period This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. Use the no form to reset the default.
Command Line Interface Example Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout re-authperiod 300 Console(config-if)# dot1x timeout tx-period This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value.
• statistics - Displays dot1x status for each port. • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) Command Mode Privileged Exec Command Usage This command displays the following information: •...
Page 480
Command Line Interface - max-req – Maximum number of times a port will retransmit an EAP request/identity packet to the client before it times out the authentication session (page 4-138). - Status – Authorization status (authorized or not). - Operation Mode –...
Page 481
Authentication Commands Example Console#show dot1x Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status Operation Mode Mode Authorized disabled Single-Host ForceAuthorized enabled Single-Host auto 1/24 disabled Single-Host ForceAuthorized 802.1X Port Details 802.1X is disabled on port 1/1 802.1X is enabled on port 1/2 reauth-enabled: Enable reauth-period: 1800...
Command Line Interface Management IP Filter Commands This section describes commands used to configure IP management access to the switch. Table 4-40 IP Filter Commands Command Function Mode Page management Configures IP addresses that are allowed management access 4-146 show management Displays the switch to be monitored or configured from a browser PE 4-147 management...
Authentication Commands Example This example restricts management access to the indicated addresses. Console(config)#management all-client 192.168.1.19 Console(config)#management all-client 192.168.1.25 192.168.1.30 Console(config)# show management This command displays the client IP addresses that are allowed management access to the switch through various protocols. Syntax show management {all-client | http-client | snmp-client | telnet-client} •...
Command Line Interface General Security Measures This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes.
General Security Measures Port Security Commands These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
Command Line Interface Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
General Security Measures Table 4-43 Network Access (Continued) Command Function Mode Page network-access Enables dynamic VLAN assignment from a RADIUS 4-153 dynamic-vlan server network-access guest-vlan Specifies the guest VLAN 4-154 mac-authentication Sets the time period after which a connected MAC 4-155 reauth-time address must be re-authenticated...
Command Line Interface network-access mode Use this command to enable network access authentication on a port. Use the no form of this command to disable network access authentication. Syntax [no] network-access mode mac-authentication Default Setting Disabled Command Mode Interface Configuration Command Usage •...
General Security Measures network-access max-mac-count Use this command to set the maximum number of MAC addresses that can be authenticated on a port interface via all forms of authentication. Use the no form of this command to restore the default. Syntax network-access max-mac-count count no network-access max-mac-count...
Command Line Interface have same VLAN configuration, or they are treated as an authentication failure. • If dynamic VLAN assignment is enabled on a port and the RADIUS server returns no VLAN configuration, the authentication is still treated as a success, and the host assigned to the default untagged VLAN.
General Security Measures mac-authentication reauth-time Use this command to set the time period after which a connected MAC address must be re-authenticated. Use the no form of this command to restore the default value. Syntax mac-authentication reauth-time seconds no mac-authentication reauth-time seconds - The reauthentication time period.
• mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx) • interface - Specifies a port interface. • ethernet unit/port - unit - This is unit 1. - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) Default Setting None Command Mode Privileged Exec...
• interface - Specifies a port interface. • ethernet unit/port - unit - This is unit 1. - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) Default Setting Displays the settings for all interfaces. Command Mode Privileged Exec...
• interface - Specifies a port interface. • ethernet unit/port - unit - This is unit 1. - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • sort - Sorts displayed entries by either MAC address or interface. Default Setting Displays all filters.
General Security Measures Web Authentication Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication methods are infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries. All other traffic, except for http protocol traffic, is blocked.
Command Line Interface Default Setting 3 login attempts Command Mode Global Configuration Example Console(config)#web-auth login-attempts 2 Console(config)# web-auth quiet-period This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.
General Security Measures Command Mode Global Configuration Example Console(config)#web-auth session-timeout 1800 Console(config)# web-auth system-auth-control This command globally enables web authentication for the switch. Use the no form to restore the default. Syntax [no] web-auth system-auth-control Default Setting Disabled Command Mode Global Configuration Command Usage Both web-auth system-auth-control for the switch and web-auth for an...
• interface - Specifies a port interface. • ethernet unit/port - unit - This is unit 1. - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) Default Setting None Command Mode Privileged Exec...
• interface - Specifies a port interface. • ethernet unit/port - unit - This is unit 1. - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) Default Setting None Command Mode Privileged Exec Command Usage The session timeout displayed by this command is expressed in seconds.
Command Line Interface Example Console#show web-auth interface ethernet 1/2 Web Auth Status : Enabled Host Summary IP address Web-Auth-State Remaining-Session-Time --------------- -------------- ---------------------- 1.1.1.1 Authenticated 1.1.1.2 Authenticated Console# show web-auth summary This command displays a summary of web authentication port parameters and statistics.
General Security Measures Table 4-45 DHCP Snooping Commands (Continued) Command Function Mode Page ip dhcp snooping Sets the information option policy for DHCP client packets that 4-170 information policy include Option 82 information ip dhcp snooping Writes all dynamically learned snooping entries to flash 4-170 database flash memory...
Page 502
Command Line Interface port. If the received packet is a DHCP ACK message, a dynamic DHCP snooping entry is also added to the binding table. - If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, but the port is not trusted, it is processed as follows: * If the DHCP packet is a reply packet from a DHCP server (including OFFER, ACK or NAK messages), the packet is dropped.
General Security Measures ip dhcp snooping vlan This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting. Syntax [no] ip dhcp snooping vlan vlan-id vlan-id - ID of a configured VLAN (Range: 1-4094) Default Setting Disabled Command Mode...
Command Line Interface Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall. •...
General Security Measures Command Usage If MAC address verification is enabled, and the source MAC address in the Ethernet header of the packet is not same as the client’s hardware address in the DHCP packet, the packet is dropped. Example This example enables MAC address verification.
Command Line Interface Example This example enables the DHCP Snooping Information Option. Console(config)#ip dhcp snooping information option Console(config)# ip dhcp snooping information policy This command sets the DHCP snooping information option policy for DHCP client packets that include Option 82 information. Syntax ip dhcp snooping information policy {drop | keep | replace} •...
General Security Measures Example Console(config)#ip dhcp snooping database flash Console(config)# clear ip dhcp snooping database flash This command removes all dynamically learned snooping entries from flash memory. Command Mode Privileged Exec Example Console(config)#ip dhcp snooping database flash Console(config)# show ip dhcp snooping This command shows the DHCP snooping configuration settings.
Command Line Interface IP Source Guard Commands IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or static and dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping Commands”...
Page 509
General Security Measures • When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table. • Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding, VLAN identifier, and port identifier.
• ip-address - A valid unicast IP address, including classful types A, B or C. • unit - Stack unit. (Range: 1) • port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) Default Setting No configured entries Command Mode...
General Security Measures Related Commands ip source-guard (4-172) ip dhcp snooping (4-165) ip dhcp snooping vlan (4-167) show ip source-guard This command shows whether source guard is enabled or disabled on each interface. Command Mode Privileged Exec Example Console#show ip source-guard Interface Filter-type ---------...
Command Line Interface Access Control List Commands Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, or Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules and then bind the list to a specific port.
Access Control List Commands access-list ip This command adds an IP access list and enters configuration mode for standard or extended IP ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip {standard | extended} acl_name •...
Command Line Interface permit, deny (Standard ACL) This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | source bitmask | host source} •...
Access Control List Commands permit, deny (Extended ACL) This command adds a rule to an Extended IP ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule. Syntax [no] {permit | deny} [protocol-number | udp] {any | source address-bitmask | host source}...
Page 516
Command Line Interface “match” and 0 bits to indicate “ignore.” The bitmask is bitwise ANDed with the specified source IP address, and then compared with the address for each IP packet entering the port(s) to which this ACL has been assigned. •...
Access Control List Commands show ip access-list This command displays the rules for configured IP ACLs. Syntax show ip access-list {standard | extended} [acl_name] • standard – Specifies a standard IP ACL. • extended – Specifies an extended IP ACL. •...
Command Line Interface Example Console(config)#int eth 1/25 Console(config-if)#ip access-group david in Console(config-if)# Related Commands show ip access-list (4-181) show ip access-group This command shows the ports assigned to IP ACLs. Command Mode Privileged Exec Example Console#show ip access-group Interface ethernet 1/25 IP access-list david in Console# Related Commands...
Access Control List Commands access-list mac This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL. Syntax [no] access-list mac acl_name acl_name – Name of the ACL. (Maximum length: 16 characters) Default Setting None Command Mode...
Command Line Interface permit, deny (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | host source | source address-bitmask}...
Access Control List Commands • protocol – A specific Ethernet protocol number. (Range: 600-fff hex.) • protocol-bitmask – Protocol bitmask. (Range: 600-fff hex.) Default Setting None Command Mode MAC ACL Command Usage • New rules are added to the end of the list. •...
Command Line Interface mac access-group This command binds a port to a MAC ACL. Use the no form to remove the port. Syntax mac access-group acl_name in • acl_name – Name of the ACL. (Maximum length: 16 characters) • in – Indicates that this list applies to ingress packets. Default Setting None Command Mode...
Access Control List Commands ACL Information Table 4-50 ACL Information Command Function Mode Page show access-list Show all ACLs and associated rules 4-187 show access-group Shows the ACLs assigned to each port 4-187 show access-list This command shows all ACLs and associated rules, as well as all the user-defined masks.
Interface Commands Default Setting None Command Mode Global Configuration Example To specify port 24, enter the following command: Console(config)#interface ethernet 1/24 Console(config-if)# description This command adds a description to an interface. Use the no form to remove the description. Syntax description string no description string - Comment or a description to help you remember what is attached...
Command Line Interface Default Setting • Auto-negotiation is enabled by default. • When auto-negotiation is disabled, the default speed-duplex setting for both 100BASE-TX and Gigabit Ethernet ports is 100full. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
Interface Commands Command Usage • When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands. •...
Command Line Interface Command Usage When auto-negotiation is enabled with the negotiation command, the switch will negotiate the best settings for a link based on the capabilites command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands. Example The following example configures Ethernet port 5 capabilities to 100half, 100full and flow control.
Interface Commands • Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem. Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub. Example The following example enables flow control on port 5.
Command Line Interface giga-phy-mode This command forces two connected ports in to a master/slave configuration to enable 1000BASE-T full duplex. Use the no form to restore the default mode. Syntax giga-phy-mode mode no giga-phy-mode mode • master - Sets the selected port as master. •...
Interface Commands shutdown This command disables an interface. To restart a disabled interface, use the no form. Syntax [no] shutdown Default Setting All interfaces are enabled. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then reenable it after the problem has been resolved.
• ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) • vlan vlan-id (Range: 1-4094) Default Setting Shows the status for all interfaces.
[interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) Default Setting Shows the counters for all interfaces. Command Mode...
Syntax show interfaces switchport [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) Default Setting Shows all interfaces. 4-199...
Page 536
Command Line Interface Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed Example This example shows the configuration setting for port 24. Console#show interfaces switchport ethernet 1/24 Broadcast Threshold: Enabled, 64 Kbits/second Multicast Threshold: Disabled Unknown-unicast Threshold:...
Page 537
Interface Commands Table 4-52 Interfaces Switchport Statistics (Continued) Field Description Priority for Untagged Indicates the default priority for untagged frames (page 4-286). Traffic GVRP Status Shows if GARP VLAN Registration Protocol is enabled or disabled (page 4-250). Allowed VLAN Shows the VLANs this interface has joined, where “(u)” indicates untagged and “(t)”...
Command Line Interface Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
Link Aggregation Commands • STP, VLAN, and IGMP settings can only be made for the entire trunk via the specified port-channel. Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria: • Ports must have the same LACP system priority. •...
Command Line Interface lacp This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it. Syntax [no] lacp Default Setting Disabled Command Mode Interface Configuration (Ethernet) Command Usage • The ports on both ends of an LACP trunk must be configured for full duplex, and auto-negotiation.
Link Aggregation Commands Example The following shows LACP enabled on ports 11-13. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk 1 has been established. Console(config)#interface ethernet 1/11 Console(config-if)#lacp Console(config-if)#exit...
Command Line Interface Command Mode Interface Configuration (Ethernet) Command Usage • Port must be configured with the same system priority to join the same LAG. • System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
Link Aggregation Commands • Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.
Command Line Interface lacp port-priority This command configures LACP port priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority • actor - The local side an aggregate link. •...
Link Aggregation Commands lacp active/passive This command configures active or passive LACP initiation mode. Use the no form to restore the default setting. Syntax lacp {actor | partner} {active | passive} no lacp {actor | partner} • actor - The local side an aggregate link. •...
Command Line Interface power mainpower maximum allocation This command defines a power budget for the switch (i.e., the power available to all switch ports). Use the no form to restore the default setting. Syntax power mainpower maximum allocation watts watts - The power budget for the switch. (Range: 37-180 watts) Default Setting 180 watts Command Mode...
Power over Ethernet Commands this switch can detect 802.3af compliant devices and the more recent 802.3af non-compliant devices that also reflect the test voltages back to the switch. It cannot detect other legacy devices that do not reflect back the test voltages. •...
Command Line Interface power inline maximum allocation This command limits the power allocated to specific ports. Use the no form to restore the default setting. Syntax power inline maximum allocation milliwatts no power inline maximum allocation milliwatts - The maximum power budget for the port. (Range: 3000 - 15400 milliwatts).
Power over Ethernet Commands - If a device is connected to a critical or high-priority port and causes the switch to exceed its budget, port power is still be turned on if the switch can drop power to one or more lower-priority ports and keep within its budget. Power will be dropped from low-priority ports in sequence starting from port number 1.
Command Line Interface Table 4-59 show power inline status parameters Parameter Description Admin The power mode set on the port (see power inline on page -215) Oper The current operating power status (displays on or off) Power (mWatt) The maximum power allocated to this port (see power inline maximum allocation on page -216) Power (used) The current power consumption on the port in milliwatts...
• interface - ethernet unit/port (source port) - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • rx - Mirror received packets. • tx - Mirror transmitted packets. • both - Mirror both received and transmitted packets.
Syntax show port monitor [interface] interface - ethernet unit/port (source port) • unit - Stack unit. (Range: 1) • port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) Default Setting Shows all sessions. Command Mode Privileged Exec Command Usage This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX).
Rate Limit Commands Rate Limit Commands This function allows the network manager to control the maximum rate for traffic received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into the network. Packets that exceed the acceptable amount of traffic are dropped.
• interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) • vlan-id - VLAN ID (Range: 1-4094) • action - - delete-on-reset - Assignment lasts until the switch is reset.
Address Table Commands Command Usage The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table. Static addresses have the following characteristics: •...
• ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) • vlan-id - VLAN ID (Range: 1-4094) • sort - Sort by address, vlan or interface.
Address Table Commands mac-address-table aging-time This command sets the aging time for entries in the address table. Use the no form to restore the default aging time. Syntax mac-address-table aging-time seconds no mac-address-table aging-time seconds - Aging time. (Range: 10-30000 seconds; 0 to disable aging) Default Setting 300 seconds Command Mode...
Command Line Interface Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 4-64 Spanning Tree Commands Command Function Mode Page spanning-tree Enables the spanning tree protocol 4-227 spanning-tree mode...
Spanning Tree Commands Table 4-64 Spanning Tree Commands (Continued) Command Function Mode Page spanning-tree mst cost Configures the path cost of an instance in the MST 4-244 spanning-tree mst Configures the priority of an instance in the MST 4-245 port-priority spanning-tree Re-checks the appropriate BPDU format 4-245...
Command Line Interface spanning-tree mode This command selects the spanning tree mode for this switch. Use the no form to restore the default. Syntax spanning-tree mode {stp | rstp mstp} no spanning-tree mode • stp - Spanning Tree Protocol (IEEE 802.1D) •...
Spanning Tree Commands Example The following example configures the switch to use Rapid Spanning Tree: Console(config)#spanning-tree mode rstp Console(config)# spanning-tree forward-time This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default. Syntax spanning-tree forward-time seconds no spanning-tree forward-time...
Command Line Interface Command Mode Global Configuration Command Usage This command sets the time interval (in seconds) at which the root device transmits a configuration message. Example Console(config)#spanning-tree hello-time 5 Console(config)# Related Commands spanning-tree forward-time (4-229) spanning-tree max-age (4-230) spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch.
Spanning Tree Commands Related Commands spanning-tree forward-time (4-229) spanning-tree hello-time (4-229) spanning-tree priority This command configures the spanning tree priority globally for this switch. Use the no form to restore the default. Syntax spanning-tree priority priority no spanning-tree priority priority - Priority of the bridge. (Range: 0 - 65535) (Range –...
Command Line Interface Command Mode Global Configuration Command Usage The spanning-tree system-bpdu-flooding command has no effect if BPDU flooding is disabled on a port (see the spanning-tree port-bpdu-flooding command, page 4-240). Example Console(config)#spanning-tree system-bpdu-flooding Console(config)# spanning-tree pathcost method This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree.
Spanning Tree Commands Default Setting Command Mode Global Configuration Command Usage This command limits the maximum transmission rate for BPDUs. Example Console(config)#spanning-tree transmission-limit 4 Console(config)# spanning-tree mst configuration This command changes to Multiple Spanning Tree (MST) configuration mode. Default Setting •...
Command Line Interface Command Mode MST Configuration Command Usage • Use this command to group VLANs into spanning tree instances. MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
Spanning Tree Commands • You can set this switch to act as the MSTI root device by specifying a priority of 0, or as the MSTI alternate device by specifying a priority of 16384. Example Console(config-mstp)#mst 1 priority 4096 Console(config-mstp)# name This command configures the name for the multiple spanning tree region in which this switch is located.
Command Line Interface Command Usage The MST region name (page 4-235) and revision number are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
Spanning Tree Commands Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Example This example disables the spanning tree algorithm for port 5. Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree spanning-disabled Console(config-if)# spanning-tree cost This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default.
Command Line Interface Default Setting By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost “0” is used to indicate auto-configuration mode. When the short path cost method is selected and the default path cost recommended by the IEEE 8021w standard exceeds 65,535, the default is set to 65,535.
Spanning Tree Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch are the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
Command Line Interface Related Commands spanning-tree portfast (4-240) spanning-tree portfast This command sets an interface to fast forwarding. Use the no form to disable fast forwarding. Syntax [no] spanning-tree portfast Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
Spanning Tree Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • When enabled, BPDUs are flooded to all other ports on the switch or to all other ports within the receiving port’s native VLAN as specified by the spanning-tree system-bpdu-flooding command (page 4-231).
Command Line Interface spanning-tree loopback-detection This command enables the detection and response to Spanning Tree loopback BPDU packets on the port. Use the no form to disable this feature. Syntax spanning-tree loopback-detection no spanning-tree loopback-detection Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
Spanning Tree Commands Command Usage • If the port is configured for automatic loopback release, then the port will only be returned to the forwarding state if one of the following conditions is satisfied: - The port receives any other BPDU except for it’s own, or; - The port’s link status changes to link down and then link up again, or;...
Command Line Interface spanning-tree mst cost This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree mst instance_id cost cost no spanning-tree mst instance_id cost •...
This command re-checks the appropriate BPDU format to send on the selected interface. Syntax spanning-tree protocol-migration interface interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) 4-245...
• ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) • instance_id - Instance identifier of the multiple spanning tree. (Range: 0-4094, no leading zeroes)
Page 583
Spanning Tree Commands items displayed for specific interfaces, see “Displaying Interface Settings” on page 3-175. Example Console#show spanning-tree Spanning-tree information --------------------------------------------------------------- Spanning tree mode: MSTP Spanning tree enable/disable: enable Instance: Vlans configuration: 1-4092 Priority: 32768 Bridge Hello Time (sec.): Bridge Max Age (sec.): Bridge Forward Delay (sec.): Root Hello Time (sec.): Root Max Age (sec.):...
Command Line Interface show spanning-tree mst configuration This command shows the configuration of the multiple spanning tree. Command Mode Privileged Exec Example Console#show spanning-tree mst configuration Mstp Configuration Information -------------------------------------------------------------- Configuration name: R&D Revision level:0 Instance Vlans -------------------------------------------------------------- 1,3-4094 Console# VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment.
VLAN Commands GVRP and Bridge Extension Commands GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
Command Line Interface show bridge-ext This command shows the configuration for bridge extension commands. Default Setting None Command Mode Privileged Exec Command Usage See “Displaying Basic VLAN Information” on page 3-191 and “Displaying Bridge Extension Capabilities” on page 3-16 for a description of the displayed items.
[interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) Default Setting Shows both global and interface-specific configuration. Command Mode...
[interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) Command Mode Normal Exec, Privileged Exec Example Console#clear gvrp statistics...
VLAN Commands garp timer This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. Syntax garp timer {join | leave | leaveall} timer_value no garp timer {join | leave | leaveall} •...
VLAN Commands Command Mode Global Configuration Command Usage • Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command. • Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN.
Command Line Interface • You can configure up to 255 VLANs on the switch. Note: The switch allows 255 user-manageable VLANs. One extra, unmanageable VLAN (VLAN ID 4093) is maintained for switch clustering. Example The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default.
VLAN Commands Example The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN: Console(config)#interface vlan 1 Console(config-if)#ip address 192.168.1.254 255.255.255.0 Console(config-if)# Related Commands shutdown (4-195) switchport mode This command configures the VLAN membership mode for a port.
Command Line Interface switchport acceptable-frame-types This command configures the acceptable frame types for a port. Use the no form to restore the default. Syntax switchport acceptable-frame-types {all | tagged} no switchport acceptable-frame-types • all - The port accepts all frames, tagged or untagged. •...
VLAN Commands • With ingress filtering enabled, a port will discard received frames tagged for VLANs for it which it is not a member. • Ingress filtering does not affect VLAN independent BPDU frames, such as GVRP or STA. However, they do affect VLAN dependent BPDU frames, such as GMRP.
Command Line Interface switchport allowed vlan This command configures VLAN groups on the selected interface. Use the no form to restore the default. Syntax switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list} no switchport allowed vlan • add vlan-list - List of VLAN identifiers to add. •...
VLAN Commands switchport forbidden vlan This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs. Syntax switchport forbidden vlan {add vlan-list | remove vlan-list} no switchport forbidden vlan • add vlan-list - List of VLAN identifiers to add. •...
Command Line Interface Displaying VLAN Information Table 4-72 Show VLAN Commands Command Function Mode Page show vlan Shows VLAN information NE, PE 4-262 show interfaces status vlan Displays status for the specified VLAN interface NE, PE 4-197 show interfaces switchport Displays the administrative and operational status of an NE, PE 4-199...
VLAN Commands Configuring IEEE 802.1Q Tunneling IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs. QinQ tunneling expands VLAN space by using a VLAN-in-VLAN hierarchy, preserving the customer’s original tagged packets, and adding SPVLAN tags to each frame (also called double tagging).
Command Line Interface reconfigured to overcome a break in the tree. It is therefore advisable to disable spanning tree on these ports. dot1q-tunnel system-tunnel-control This command sets the switch to operate in QinQ mode. Use the no form to disable QinQ operating mode.
VLAN Commands • When a tunnel uplink port receives a packet from a customer, the customer tag (regardless of whether there are one or more tag layers) is retained in the inner tag, and the service provider’s tag added to the outer tag. •...
VLAN Commands Configuring Port-based Traffic Segmentation If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual client sessions. Traffic belonging to each client is isolated to the allocated downlink ports.
• interface-list – One or more uplink or downlink interfaces. • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) Default Setting None...
VLAN Commands Command Mode Global Configuration Command Usage • A port cannot be configured in both an uplink and downlink list. • A port can only be assigned to one traffic-segmentation session. • A downlink port can only communicate with an uplink port in the same session.
Command Line Interface pvlan up-to-up This command specifies whether or not traffic can be forwarded between uplink ports assigned to different client sessions. Use the no form to restore the default. Syntax [no] pvlan up-to-up {blocking | forwarding} • blocking – Blocks traffic between uplink ports assigned to different sessions.
VLAN Commands Configuring Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. This switch supports two types of private VLANs: primary/ secondary associated groups, and stand-alone isolated VLANs. A primary VLAN contains promiscuous ports that can communicate with all other ports in the private VLAN group, while a secondary (or community) VLAN contains community ports that can only communicate with other hosts within the secondary VLAN and with any of the promiscuous ports in the associated primary VLAN.
Command Line Interface Use the switchport private-vlan host-association command to assign a port to a secondary VLAN. Use the switchport private-vlan mapping command to assign a port to a primary VLAN. Use the show vlan private-vlan command to verify your configuration settings. private-vlan Use this command to create a primary or community private VLAN.
VLAN Commands private vlan association Use this command to associate a primary VLAN with a secondary (i.e., community) VLAN. Use the no form to remove all associations for the specified primary VLAN. Syntax private-vlan primary-vlan-id association {secondary-vlan-id | add secondary-vlan-id | remove secondary-vlan-id} no private-vlan primary-vlan-id association •...
Command Line Interface Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • To assign a promiscuous port to a primary VLAN, use the switchport private-vlan mapping command. To assign a host port to a community VLAN, use the private-vlan host association command. •...
VLAN Commands switchport private-vlan mapping Use this command to map an interface to a primary VLAN. Use the no form to remove this mapping. Syntax switchport private-vlan mapping primary-vlan-id no switchport private-vlan mapping primary-vlan-id – ID of primary VLAN. (Range: 1-4094, no leading zeroes). Default Setting None Command Mode...
Command Line Interface Example Console#show vlan private-vlan Primary Secondary Type Interfaces -------- ----------- ---------- ------------------------------ primary Eth1/ 3 community Eth1/ 4 Eth1/ 5 Console# Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
VLAN Commands protocol-vlan protocol-group (Configuring Groups) This command creates a protocol group, or adds specific protocols to a group. Only one frame type and protocol type can be added to a protocol group. Use the no form to remove a protocol group. Syntax protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol]...
Command Line Interface Command Usage • When creating a protocol-based VLAN, do not assign interfaces to the protocol VLAN via any of the standard VLAN commands. If you assign interfaces using any of the other VLAN commands (such as vlan on page 4-255), the switch will admit traffic of any protocol type into the associated VLAN.
VLAN Commands show protocol-vlan protocol-group-vid This command shows the mapping from protocol groups to VLANs. Syntax show protocol-vlan protocol-group-vid Default Setting The mapping for all protocol groups is displayed. Command Mode Privileged Exec Example This shows that traffic matching the specifications for protocol group 2 will be mapped to VLAN 2: Console#show protocol-vlan protocol-group-vid ProtocolGroup ID...
Command Line Interface voice vlan This command enables VoIP traffic detection and defines the Voice VLAN ID. Use the no form to disable the Voice VLAN. Syntax voice vlan voice-vlan-id no voice vlan voice-vlan-id - Specifies the voice VLAN ID. (Range: 1-4094) Default Setting Disabled Command Mode...
VLAN Commands Default Setting 1440 minutes Command Mode Global Configuration Command Usage The Voice VLAN aging time is the time after which a port is removed from the Voice VLAN when VoIP traffic is no longer received on the port. Example The following example configures the Voice VLAN aging time as 3000 minutes.
Command Line Interface • Selecting a mask of FF-FF-FF-00-00-00 identifies all devices with the same OUI (the first three octets). Other masks restrict the MAC address range. Selecting FF-FF-FF-FF-FF-FF specifies a single MAC address. Example The following example adds a MAC OUI to the OUI Telephony list. Console(config)#voice vlan mac-address 00-12-34-56-78-90 mask ff-ff-ff-00-00-00 description A new phone Console(config)#...
VLAN Commands switchport voice vlan rule This command selects a method for detecting VoIP traffic on a port. Use the no form to disable the detection method on the port. Syntax [no] switchport voice vlan rule {oui | lldp} • oui - Traffic from VoIP devices is detected by the Organizationally Unique Identifier (OUI) of the source MAC address.
Command Line Interface Command Usage • Security filtering discards any non-VoIP packets received on the port that are tagged with the voice VLAN ID. VoIP traffic is identified by source MAC addresses configured in the Telephony OUI list, or through LLDP that discovers VoIP devices attached to the switch.
VLAN Commands show voice vlan This command displays the Voice VLAN settings on the switch and the OUI Telephony list. Syntax show voice vlan {oui | status} • oui - Displays the OUI Telephony list. • status - Displays the global and port Voice VLAN settings. Default Setting None Command Mode...
Command Line Interface LLDP Commands Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1ab standard, and can include details such as device identification, capabilities and configuration settings.
LLDP Commands Table 4-79 LLDP Commands (Continued) Command Function Mode Page lldp basic-tlv Configures an LLDP-enabled port to advertise its system 4-296 system-name name lldp dot1-tlv Configures an LLDP-enabled port to advertise the supported 4-296 proto-ident* protocols lldp dot1-tlv Configures an LLDP-enabled port to advertise port related 4-297 proto-vid* VLAN information...
Command Line Interface lldp This command enables LLDP globally on the switch. Use the no form to disable LLDP. Syntax [no] lldp Default Setting Enabled Command Mode Global Configuration Example Console(config)#lldp Console(config)# lldp holdtime-multiplier This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.
LLDP Commands lldp medFastStartCount This command specifies the amount of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. Syntax lldp medfaststartcount packets seconds - Amount of packets. (Range: 1-10 packets; Default: 4 packets) Default Setting 4 packets Command Mode...
Command Line Interface notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss. Example Console(config)#lldp notification-interval 30 Console(config)# lldp refresh-interval This command configures the periodic transmit interval for LLDP advertisements. Use the no form to restore the default setting.
LLDP Commands Command Mode Global Configuration Command Usage When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted. Example Console(config)#lldp reinit-delay 10 Console(config)# lldp tx-delay This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables.
Command Line Interface lldp admin-status This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature. Syntax lldp admin-status {rx-only | tx-only | tx-rx} no lldp admin-status • rx-only - Only receive LLDP PDUs. •...
LLDP Commands therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp notification Console(config-if)# lldp mednotification This command enables the transmission of SNMP trap notifications about LLDP-MED changes.
Command Line Interface lldp basic-tlv management-ip-address This command configures an LLDP-enabled port to advertise the management address for this device. Use the no form to disable this feature. Syntax [no] lldp basic-tlv management-ip-address Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
LLDP Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The port description is taken from the ifDescr object in RFC 2863, which includes information about the manufacturer, the product name, and the version of the interface hardware/software. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp basic-tlv port-description Console(config-if)#...
Command Line Interface Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The system description is taken from the sysDescr object in RFC 3418, which includes the full name and version identification of the system's hardware type, software operating system, and networking software. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp basic-tlv system-description...
LLDP Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises the protocols that are accessible through this interface. Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot1-tlv proto-ident Console(config-if)# lldp dot1-tlv proto-vid This command configures an LLDP-enabled port to advertise port related VLAN information.
Command Line Interface Command Usage The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see “switchport native vlan” on page 4-259). Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot1-tlv pvid Console(config-if)# lldp dot1-tlv vlan-name This command configures an LLDP-enabled port to advertise its VLAN name.
LLDP Commands Command Usage This option advertises link aggregation capabilities, aggregation status of the link, and the 802.3 aggregated port identifier if this interface is currently a link aggregation member. Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot3-tlv link-agg Console(config-if)# lldp dot3-tlv mac-phy This command configures an LLDP-enabled port to advertise its MAC and physical layer capabilities.
Command Line Interface Command Usage Refer to “Frame Size Commands” on page 4-33 for information on configuring the maximum frame size for this switch. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp dot3-tlv max-frame Console(config-if)# lldp dot3-tlv poe This command configures an LLDP-enabled port to advertise its Power-over-Ethernet (PoE) capabilities.
LLDP Commands Command Usage This option advertises extended Power-over-Ethernet capability details, such as power availability from the switch, and power state of the switch, including whether the switch is operating from primary or backup power (the Endpoint Device could use this information to decide to enter power conservation mode).
Command Line Interface Command Usage This option advertises location identification details. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp medtlv location Console(config-if)# lldp medtlv med-cap This command configures an LLDP-MED-enabled port to advertise its Media Endpoint Device capabilities. Use the no form to disable this feature. Syntax [no] lldp medtlv med-cap...
Command Line Interface Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
Class of Service Commands Command Mode Global Configuration Command Usage • Strict priority requires all traffic in a higher priority queue to be processed before lower priority queues are serviced. • WRR uses a relative weight for each queue which determines the number of packets the switch transmits every time it services a queue before moving on to the next queue.
Command Line Interface • This switch provides eight priority queues for each port. It is configured to use Weighted Round Robin, which can be viewed with the show queue bandwidth command. Inbound frames that do not have VLAN tags are tagged with the input port’s default ingress user priority, and then placed in the appropriate priority queue at the output port.
Class of Service Commands Command Usage • CoS values assigned at the ingress port are also used at the egress port. • This command sets the CoS priority for all interfaces. Example The following example shows how to change the CoS assignments: Console(config)#interface ethernet 1/1 Console(config-if)#queue cos-map 0 0 Console(config-if)#queue cos-map 1 1...
Class of Service Commands Priority Commands (Layer 3 and 4) This section describes commands used to configure Layer 3 and Layer 4 traffic priority on the switch. Table 4-83 Priority Commands (Layer 3 and 4) Command Function Mode Page map ip dscp Enables IP DSCP class of service mapping 4-313 map ip dscp...
Command Line Interface Default Setting The DSCP default values are defined in the following table. Note that all the DSCP values that are not specified are mapped to CoS value 0. Table 4-84 IP DSCP to CoS Vales IP DSCP Value CoS Value 10, 12, 14, 16 18, 20, 22, 24...
Command Line Interface Quality of Service Commands The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
Quality of Service Commands Notes: 1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map. You should create a Class Map (page 4-317) before creating a Policy Map (page 4-319). Otherwise, you will not be able to specify a Class Map with the class command (page 4-319) after entering Policy-Map Configuration mode.
Command Line Interface match This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria. Syntax [no] match {access-list acl-name | ip dscp dscp | ip precedence ip-precedence | vlan vlan} • acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs.
Quality of Service Commands policy-map This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map and return to Global configuration mode. Syntax [no] policy-map policy-map-name policy-map-name - Name of the policy map.
Command Line Interface Command Mode Policy Map Configuration Command Usage • Use the policy-map command to specify a policy map and enter Policy Map configuration mode. Then use the class command to enter Policy Map Class configuration mode. And finally, use the set and police commands to specify the match criteria, where the: - set command classifies the service that an IP packet will receive.
Quality of Service Commands average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets. Console(config)#policy-map rd_policy Console(config-pmap)#class rd_class Console(config-pmap-c)#set ip dscp 3 Console(config-pmap-c)#police 100000 1522 exceed-action drop Console(config-pmap-c)# police This command defines an policer for classified traffic. Use the no form to remove a policer.
Command Line Interface service-policy This command applies a policy map defined by the policy-map command to the ingress queue of a particular interface. Use the no form to remove the policy map from this interface. Syntax [no] service-policy input policy-map-name •...
This command displays the service policy assigned to the specified interface. Syntax show policy-map interface interface input interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) 4-323...
Command Line Interface Command Mode Privileged Exec Example Console#show policy-map interface ethernet 1/5 Service-policy rd_policy input Console# Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only.
• ip-address - IP address for multicast group • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) Default Setting None Command Mode...
Command Line Interface ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default. Syntax ip igmp snooping version {1 | 2 | 3} no ip igmp snooping version • 1 - IGMP Version 1 •...
Multicast Filtering Commands Command Usage • The IGMP snooping leave-proxy feature suppresses all unnecessary IGMP leave messages so that the non-querier switch forwards an IGMP leave packet only when the last dynamic member port leaves a multicast group. • The leave-proxy feature does not function when a switch is set as the querier. Example Console(config)#ip igmp snooping leave-proxy Console(config)#...
Command Line Interface show ip igmp snooping This command shows the IGMP snooping configuration. Default Setting None Command Mode Privileged Exec Command Usage See “Configuring IGMP Snooping and Query Parameters” on page 3-253 for a description of the displayed items. Example The following shows the current IGMP snooping configuration: Console#show ip igmp snooping...
Multicast Filtering Commands Example The following shows the multicast entries learned through IGMP snooping for VLAN 1: Console#show mac-address-table multicast vlan 1 igmp-snooping VLAN M'cast IP addr. Member ports Type ---- --------------- ------------ ------- 224.1.2.3 Eth1/11 IGMP Console# IGMP Query Commands (Layer 2) This section describes commands used to configure Layer 2 IGMP query on the switch.
Command Line Interface Example Console(config)#ip igmp snooping querier Console(config)# ip igmp snooping query-count This command configures the query count. Use the no form to restore the default. Syntax ip igmp snooping query-count count no ip igmp snooping query-count count - The maximum number of queries issued for which there has been no response before the switch takes action to drop a client from the multicast group.
Multicast Filtering Commands Default Setting 125 seconds Command Mode Global Configuration Example The following shows how to configure the query interval to 100 seconds: Console(config)#ip igmp snooping query-interval 100 Console(config)# ip igmp snooping query-max-response-time This command configures the query report delay. Use the no form to restore the default.
Command Line Interface ip igmp snooping router-port-expire-time This command configures the query timeout. Use the no form to restore the default. Syntax ip igmp snooping router-port-expire-time seconds no ip igmp snooping router-port-expire-time seconds - The time the switch waits after the previous querier stops before it considers the router port (i.e., the interface which had been receiving query packets) to have expired.
• interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) Default Setting No static multicast router ports are configured. Command Mode...
Command Line Interface Command Mode Privileged Exec Command Usage Multicast router port types displayed include Static. Example The following shows that port 11 in VLAN 1 is attached to a multicast router: Console#show ip igmp snooping mrouter vlan 1 VLAN M'cast Router Ports Type ---- ------------------- ------- Eth 1/11 Static...
Multicast Filtering Commands ip igmp filter (Global Configuration) This command globally enables IGMP filtering and throttling on the switch. Use the no form to disable the feature. Syntax [no] ip igmp filter Default Setting Disabled Command Mode Global Configuration Command Usage •...
Command Line Interface Command Usage A profile defines the multicast groups that a subscriber is permitted or denied to join. The same profile can be applied to many interfaces, but only one profile can be assigned to one interface. Each profile has only one access mode;...
Multicast Filtering Commands Command Mode IGMP Profile Configuration Command Usage Enter this command multiple times to specify more than one multicast address or address range for a profile. Example Console(config)#ip igmp profile 19 Console(config-igmp-profile)#range 239.1.1.1 Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100 Console(config-igmp-profile)# ip igmp filter (Interface Configuration) This command assigns an IGMP filtering profile to an interface on the switch.
Command Line Interface ip igmp max-groups This command sets the IGMP throttling number for an interface on the switch. Use the no form to restore the default setting. Syntax ip igmp max-groups number no ip igmp max-groups number - The maximum number of multicast groups an interface can join at the same time.
[interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays all interfaces.
Multicast Filtering Commands Example Console#show ip igmp throttle interface ethernet 1/1 1/1 Information Status : TRUE Action : Deny Max Multicast Groups : 32 Current Multicast Groups : 0 Console# Multicast VLAN Registration Commands This section describes commands used to configure Multicast VLAN Registration (MVR).
Page 678
Command Line Interface Default Setting • MVR is disabled. • No MVR group address is defined. • The default number of contiguous addresses is 0. • MVR VLAN ID is 1. Command Mode Global Configuration Command Usage • Use the mvr group command to statically configure all multicast group addresses that will join the MVR VLAN.
Multicast Filtering Commands mvr (Interface Configuration) This command configures an interface as an MVR receiver or source port using the type keyword, enables immediate leave capability using the immediate keyword, or configures an interface as a static member of the MVR VLAN using the group keyword.
• ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28 on iES4028F/iES4028FP, 1-24 on iES4024GP) • port-channel channel-id (Range: 1-8) • ip-address - IP address for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.255)
Multicast Filtering Commands Default Setting Displays global configuration settings for MVR when no keywords are used. Command Mode Privileged Exec Command Usage Enter this command without any keywords to display the global settings for MVR. Use the interface keyword to display information about interfaces attached to the MVR VLAN.
Command Line Interface Table 4-93 show mvr interface - display description (Continued) Field Description Status Shows the MVR status and interface status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch. MVR status for receiver ports is “ACTIVE”...
IP Interface Commands IP Interface Commands An IP addresses may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on.
Command Line Interface • If you select the bootp or dhcp option, IP is enabled but will not function until a BOOTP or DHCP reply has been received. Requests will be broadcast periodically by this device in an effort to learn its IP address. (BOOTP and DHCP values can include the IP address, default gateway, and subnet mask).
IP Interface Commands Related Commands show ip redirects (4-350) ip dhcp restart This command submits a BOOTP or DHCP client request. Default Setting None Command Mode Privileged Exec Command Usage • This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command.
Command Line Interface Related Commands show ip redirects (4-350) show ip redirects This command shows the default gateway configured for this device. Default Setting None Command Mode Privileged Exec Example Console#show ip redirects IP default gateway 10.1.0.254 Console# Related Commands ip default-gateway (4-348) ping This command sends ICMP echo request packets to another node on the network.
Page 687
IP Interface Commands - Network or host unreachable - The gateway found no corresponding entry in the route table. • Press <Esc> to stop pinging. Example Console#ping 10.1.0.9 Type ESC to abort. PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds response time: 10 ms response time: 10 ms response time: 10 ms...
Page 688
Command Line Interface This page is intentionally left blank. 4-352...
Appendix A: Software Specifications Software Features Management Authentication Local, RADIUS, TACACS, Port Authentication (802.1X), MAC Authentication, Web Authentication, HTTPS, SSH General Security Measures Access Control Lists (IP, MAC - 100 rules), Port Authentication (802.1X), Port Security, DHCP Snooping (with Option 82 relay information), IP Source Guard Power over Ethernet DHCP Client Port Configuration...
Appendix B: Troubleshooting Problems Accessing the Management Interface Table B-1 Troubleshooting Chart Symptom Action Cannot connect using Telnet, • Be sure the switch is powered up. web browser, or SNMP • Check network cabling between the management station and the switch. software •...
Troubleshooting Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
Glossary Access Control List (ACL) ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Boot Protocol (BOOTP) used to provide bootup information for network devices, including IP BOOTP is address information, the address of the TFTP server that contains the devices system files, and the name of the boot file.
Page 696
Glossary packets sent back from the DHCP server. This information can be used by DHCP servers to assign fixed IP addresses, or set other services or policies for clients. Extensible Authentication Protocol over LAN (EAPOL) EAPOL is a client authentication protocol used by this switch to verify the network access rights for any device that is plugged into the switch.
Page 697
Glossary IEEE 802.1s An IEEE standard for the Multiple Spanning Tree Protocol (MSTP) which provides independent spanning trees for VLAN groups. IEEE 802.1X Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for authentication. IEEE 802.3ac Defines frame extensions for VLAN tagging.
Page 698
Glossary Layer 2 Data Link layer in the ISO 7-Layer Data Communications Protocol. This is related directly to the hardware interface for network devices and passes on traffic based on MAC addresses. Link Aggregation See Port Trunk. Link Aggregation Control Protocol (LACP) Allows ports to automatically negotiate a trunked link with LACP-configured ports on another device.
Page 699
Glossary the size of each region, and prevents VLAN members from being segmented from the rest of the group. Network Time Protocol (NTP) NTP provides the mechanisms to synchronize time across the network. The time servers operate in a hierarchical-master-slave configuration in order to synchronize local clocks within the subnet and to national time standards via wire or radio.
Page 700
Glossary traffic shaping. These features effectively provide preferential treatment to specific flows either by raising the priority of one flow or limiting the priority of another flow. Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central RADIUS server to control access to RADIUS-compliant devices on the network.
Page 701
Glossary Terminal Access Controller Access Control System Plus (TACACS+) is a logon authentication protocol that uses software running on a central TACACS+ server to control access to TACACS-compliant devices on the network. Transmission Control Protocol/Internet Protocol (TCP/IP) Protocol suite that includes TCP as the primary transport protocol, and IP as the network layer protocol.
Page 702
Glossary This page is intentionally left blank. Glossary-8...