SMC Networks 100BASE-TX Management Manual

Tigerswitch 10/100 16-port fast ethernet switch

TigerSwitch 10/100
16-Port Fast Ethernet Switch
◆ 16 10BASE-T/100BASE-TX ports
◆ Optional 1000BASE-X or 100BASE-FX modules
◆ 8.8 Gbps of aggregate bandwidth
◆ Non-blocking switching architecture
◆ Spanning Tree Protocol
◆ Up to four port trunks
◆ RADIUS and TACACS+ authentication
◆ Rate limiting for bandwidth management
◆ QoS support for four-level priority
◆ Full support for VLANs with GVRP
◆ IP Multicasting with IGMP Snooping
◆ Manageable via console, Web, SNMP/RMON

Management Guide

SMC6716AL2


Summary of Contents for SMC Networks 100BASE-TX

  • Page 1: Management Guide

  • Page 3 TigerSwitch 10/100 Installation Guide From SMC’s Tiger line of feature-rich workgroup LAN solutions 38 Tesla Irvine, CA 92618 Phone: (949) 679-8000 July 2004 Pub. # 150000013500H...
  • Page 4 Information furnished by SMC Networks, Inc. (SMC) is believed to be accurate and reliable. However, no responsibility is assumed by SMC for its use, nor for any infringements of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent or patent rights of SMC.
  • Page 5: Limited Warranty

    Limited Warranty Statement: SMC Networks, Inc. (“SMC”) warrants its products to be free from defects in workmanship and materials, under normal use and service, for the applicable warranty term. All SMC products carry a standard 90-day limited warranty from the date of purchase from SMC or its Authorized Reseller.
  • Page 6 * SMC will provide warranty service for one year following discontinuance from the active SMC price list. Under the limited lifetime warranty, internal and external power supplies, fans, and cables are covered by a standard one-year warranty from date of purchase. SMC Networks, Inc. 38 Tesla Irvine, CA 92618...
  • Page 7: Table Of Contents

    Manual Configuration Dynamic Configuration Enabling SNMP Management Access Community Strings Trap Receivers Saving Configuration Settings Managing System Files Chapter 3: Configuring the Switch Using the Web Interface Navigating the Web Browser Interface Home Page Configuration Options Panel Display Main Menu...
  • Page 8 Contents Console Port Settings Telnet Settings Configuring Event Logging System Log Configuration Remote Logs Configuration Displaying Log Messages Resetting the System Setting the System Clock Configuring SNTP Setting the Time Zone Simple Network Management Protocol Setting Community Access Strings Specifying Trap Managers and Trap Types User Authentication Configuring User Accounts Configuring Local/Remote Logon Authentication...
  • Page 9 Setting Broadcast Storm Thresholds Configuring Port Mirroring Configuring Rate Limits Rate Limit Granularity Rate Limit Configuration Showing Port Statistics Address Table Settings Setting Static Addresses Displaying the Address Table Changing the Aging Time Spanning Tree Algorithm Configuration Displaying Global Settings Configuring Global Settings Displaying Interface Settings Configuring Interface Settings...
  • Page 10 Contents Configuring IGMP Snooping and Query Parameters Displaying Interfaces Attached to a Multicast Router Specifying Static Interfaces for a Multicast Router Displaying Port Members of Multicast Services Assigning Ports to Multicast Services Chapter 4: Command Line Interface Using the Command Line Interface Accessing the CLI Console Connection Telnet Connection...
  • Page 11 reload exit quit System Management Commands Device Designation Commands prompt hostname User Access Commands username enable password IP Filter Commands management show management Web Server Commands ip http port ip http server ip http secure-server ip http secure-port Telnet Server Commands ip telnet port ip telnet server Secure Shell Commands...
  • Page 12 Contents sntp server sntp poll show sntp clock timezone calendar set show calendar System Status Commands light unit show startup-config show running-config show system show users show version Frame Size Commands jumbo frame Flash/File Commands copy delete whichboot boot system Authentication Commands Authentication Sequence authentication login...
  • Page 13 dot1x re-authenticate dot1x re-authentication dot1x timeout quiet-period dot1x timeout re-authperiod dot1x timeout tx-period show dot1x Access Control List Commands IP ACLs access-list ip permit, deny (Standard ACL) permit, deny (Extended ACL) show ip access-list ip access-group show ip access-group map access-list ip show map access-list ip MAC ACLs access-list mac...
  • Page 14 Contents show interfaces counters show interfaces switchport Mirror Port Commands port monitor show port monitor Rate Limit Commands rate-limit rate-limit granularity show rate-limit Link Aggregation Commands channel-group lacp lacp system-priority lacp admin-key (Ethernet Interface) lacp admin-key (Port Channel) lacp port-priority show lacp Address Table Commands mac-address-table static...
  • Page 15 switchport mode switchport acceptable-frame-types switchport ingress-filtering switchport native vlan switchport allowed vlan switchport forbidden vlan Displaying VLAN Information show vlan Configuring Private VLANs private-vlan private vlan association switchport mode private-vlan switchport private-vlan host-association switchport private-vlan mapping show vlan private-vlan GVRP and Bridge Extension Commands bridge-ext gvrp show bridge-ext switchport gvrp...
  • Page 16 Contents ip igmp snooping version show ip igmp snooping show mac-address-table multicast IGMP Query Commands (Layer 2) ip igmp snooping querier ip igmp snooping query-count ip igmp snooping query-interval ip igmp snooping query-max-response-time ip igmp snooping router-port-expire-time Static Multicast Routing Commands ip igmp snooping vlan mrouter show ip igmp snooping mrouter IP Interface Commands...
  • Page 17 Tables Table 1-1. Key Features Table 1-2. System Defaults Table 3-1. Configuration Options Table 3-2. Main Menu Table 3-3. Logging Levels Table 3-4. Compatible Operating Systems Table 3-5. 802.1x Statistics Table 3-6. LACP Statistics Table 3-7. Displaying LACP Local Settings Table 3-8.
  • Page 18 Tables Table 4-27. Authentication Sequence Table 4-28. RADIUS Client Commands Table 4-29. TACACS Commands Table 4-30. Port Security Commands Table 4-31. 802.1x Port Authentication Table 4-33. IP ACLs Table 4-32. Access Control Lists Table 4-34. Egress Queue Priority Mapping Table 4-35. MAC ACLs Table 4-36.
  • Page 19 Figures Figure 3-1. Home Page Figure 3-2. Front Panel Indicators Figure 3-3. Displaying System Information Figure 3-4. Displaying Switch Information Figure 3-5. Displaying Bridge Extension Configuration Figure 3-6. IP Configuration Figure 3-7. IP Configuration using DHCP Figure 3-8. Operation Code Image File Transfer Figure 3-9.
  • Page 20 Figures Figure 3-43. LACP Port Configuration Figure 3-44. Displaying LACP Port Counters Figure 3-45. Displaying LACP Port Internal Information Figure 3-46. Displaying LACP Port Neighbors Information Figure 3-47. Enabling Port Broadcast Control Figure 3-48. Mirror Port Configuration Figure 3-49. Rate Limit Granularity Configuration Figure 3-50.
  • Page 21: Chapter 1: Introduction

    Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.
  • Page 22: Description Of Software Features

    Configuration Backup and Restore – You can save the current configuration settings to a file on a TFTP server, and later download this file to restore the switch configuration settings. Authentication – This switch authenticates management access via the console port, Telnet or web browser.
  • Page 23 Description of Software Features Port Mirroring – The switch can unobtrusively mirror traffic from any port to a monitor port. You can then attach a protocol analyzer or RMON probe to this port to perform traffic analysis and verify connection integrity.
  • Page 24 GVRP, or ports can be manually assigned to a specific set of VLANs. This allows the switch to restrict traffic to the VLAN groups to which a user has been assigned. By segmenting your network into VLANs, you can: •...
  • Page 25: System Defaults

    System Defaults The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-19). The following table lists some of the basic system defaults.
  • Page 26 Switchport Mode (Egress Mode) GVRP (global) GVRP (port interface) Default Enabled Enabled Disabled 100BASE-TX – 10 Mbps half duplex 10 Mbps full duplex 100 Mbps half duplex 100 Mbps full duplex Full-duplex flow control disabled Symmetric flow control disabled 100BASE -FX –...
  • Page 27 Table 1-2. System Defaults (Continued) Function Parameter Traffic Prioritization Ingress Port Priority Weighted Round Robin IP Precedence Priority IP DSCP Priority IP Port Priority IP Settings IP Address Subnet Mask Default Gateway DHCP BOOTP Multicast Filtering IGMP Snooping System Log Status Messages Logged Messages Logged to Flash...
  • Page 28 Introduction...
  • Page 29: Chapter 2: Initial Configuration

    (CLI). Note: The IP address for this switch is obtained via DHCP by default. To change this address, see “Setting an IP Address” on page 2-4.
  • Page 30: Required Connections

    Attach a VT100-compatible terminal, or a PC running a terminal emulation program to the switch. You can use the console cable provided with this package, or use a null-modem cable that complies with the wiring assignments shown in the Installation Guide.
  • Page 31: Remote Connections

    IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address”...
  • Page 32: Setting Passwords

    This can be done in either of the following ways: Manual — You have to input the information, including IP address and subnet mask. If your management station is not in the same IP subnet as the switch, you will also need to specify the default gateway router.
  • Page 33: Dynamic Configuration

    “netmask” is the network mask for the network. Press <Enter>. Type “exit” to return to the global configuration mode prompt. Press <Enter>. To set the IP address of the default gateway for the network to which the switch belongs, type “ip default-gateway gateway,” where “gateway” is the IP address of the default gateway.
  • Page 34: Enabling Snmp Management Access

    When SNMP management stations send requests to the switch (either to return information or to set a parameter), the switch provides the requested data or sets the specified parameter. The switch can also be configured to send information to SNMP managers (without being requested by the managers) through trap messages, which inform the manager that certain events have occurred.
  • Page 35: Trap Receivers

    Console(config)#snmp-server community private Console(config)# Trap Receivers You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, complete the following steps: From the Privileged Exec level global configuration mode prompt, type “snmp-server host host-address community-string,” where “host-address” is the IP address for the trap receiver and “community-string”...
  • Page 36: Managing System Files

    The switch’s flash memory supports three types of system files that can be managed by the CLI program, Web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.
  • Page 37: Chapter 3: Configuring The Switch

    (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above). Note: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet. For more information on using the CLI, refer to Chapter 4: “Command Line Interface.”...
  • Page 38: Navigating The Web Browser Interface

    The default user name and password for the administrator is “admin.” Change this password before the switch is reachable over the network; the default account is accepted on every management interface until you do. Home Page When your web browser connects with the switch’s web agent, the home page is displayed as shown below. The home page displays the Main Menu on the left side of the screen and System Information on the right side.
  • Page 39: Configuration Options

    Panel Display The web agent displays an image of the switch’s ports. The Mode can be set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control). Clicking on the image of a port opens the Port Configuration page as described on page 3-64.
  • Page 40: Main Menu

    Configuring the Switch Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Menu...
  • Page 41 Table 3-2. Main Menu (Continued) Menu Settings Host-Key Settings Port Security 802.1x Information Configuration Port Configuration Statistics Configuration Port Binding IP Filter Port Port Information Trunk Information Port Configuration Trunk Configuration Trunk Membership LACP Configuration Aggregation Port Port Counters Port Internal Information Port Neighbors Information Displays settings and operational state for the remote side Port Broadcast Control Trunk Broadcast Control...
  • Page 42 Configures individual port settings for STA Configures individual trunk settings for STA Enables GVRP VLAN registration protocol Displays information on the VLAN type supported by this switch Shows the current port members of each VLAN and whether or not the port is tagged or untagged...
  • Page 43 Displays the ports that are attached to a neighboring multicast router for each VLAN ID Assigns ports that are attached to a neighboring multicast router Displays all multicast groups active on this switch, including multicast IP addresses and VLAN ID Indicates multicast addresses associated with the selected...
  • Page 44: Basic Configuration

    Field Attributes • System Name – Name assigned to the switch system. • Object ID – MIB II object ID for switch’s network management subsystem. • Location – Specifies the system location. • Contact – Administrator responsible for the system.
  • Page 45: Displaying Switch Hardware/Software Versions

    • Boot-ROM Version – Version of Power-On Self-Test (POST) and boot code. • Operation Code Version – Version number of runtime code. • Role – Shows that this switch is operating as Master (i.e., operating stand-alone). Expansion Slot • Expansion Slot 1/2 – Indicates any installed module type.
  • Page 46: Figure 3-4. Displaying Switch Information

    • Unit ID – Unit number in stack. • Redundant Power Status – Displays the status of the redundant power supply. Web – Click System, Switch Information. Figure 3-4. Displaying Switch Information CLI – Use the following command to display version information.
  • Page 47: Displaying Bridge Extension Capabilities

    GMRP (GARP Multicast Registration Protocol). • Traffic Classes – This switch provides mapping of user priorities to multiple traffic classes. (Refer to “Class of Service Configuration” on page 3-120.) • Static Entry Individual Port – This switch allows static filtering for unicast and multicast addresses.
  • Page 48: Setting The Switch's Ip Address

    This section describes how to configure an IP interface for management access over the network. The IP address for this switch is obtained via DHCP by default. To manually configure an address, you need to change the switch’s default settings (IP address 0.0.0.0 and netmask 255.0.0.0) to values that are compatible with your...
  • Page 49: Manual Configuration

    Manual Configuration Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply. CLI – Specify the management interface, IP address and default gateway. Console#config Console(config)#interface vlan 1 Console(config-if)#ip address 10.1.0.254 255.255.255.0...
  • Page 50: Using Dhcp/Bootp

    If the address expires or the switch is moved to another network segment, you will lose management access to the switch. In this case, you can reboot the switch or submit a client request to restart DHCP service via the CLI. 3-14...
  • Page 51: Managing Firmware

    You can upload/download firmware to or from a TFTP server. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. You can also set the switch to use new firmware without overwriting the previous version.
  • Page 52: Downloading System Software From A Server

    IP address of the TFTP server, set the file type to “opcode,” enter the file name of the software to download, select a file on the switch to overwrite or specify a new file name, then click Apply. If you replaced the current firmware used for startup and want to start using the new operation code, reboot the system via the System/Reset menu.
  • Page 53: Saving Or Restoring Configuration Settings

    • File Transfer Method – The configuration copy operation includes these options: - file to file – Copies a file within the switch directory, assigning it a new name. - file to running-config – Copies a file in the switch to the running configuration.
  • Page 54: Downloading Configuration Settings From A Server

    Web – Click System, File, Copy. Select “tftp to startup-config” or “tftp to file” and enter the IP address of the TFTP server. Specify the name of the file to download and select a file on the switch to overwrite or specify a new file name, then click Apply.
  • Page 55: Console Port Settings

    Figure 3-12. Setting the Startup Configuration Settings CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch. Console#copy tftp startup-config TFTP server ip address: 192.168.1.19...
  • Page 56: Figure 3-13. Console Port Settings

    Configuring the Switch • Password Threshold – Sets the password intrusion threshold, which limits the number of failed logon attempts. When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt.
  • Page 57: Telnet Settings

    • Telnet Status – Enables or disables Telnet access to the switch. (Default: Enabled) Telnet carries the logon credentials and the whole session in cleartext; once the SSH server is configured, disable Telnet and manage the switch over SSH instead. • Telnet Port Number – Sets the TCP port number for Telnet on the switch. (Default: 23) • Login Timeout – Sets the interval that the system waits for a user to log into the CLI.
  • Page 58: Figure 3-14. Enabling Telnet

    Configuring the Switch • Password Threshold – Sets the password intrusion threshold, which limits the number of failed logon attempts. When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt.
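
The Password Threshold and Silent Time settings on the console and Telnet pages above describe a small state machine: count consecutive failed logons, and once the threshold is reached refuse every attempt, correct or not, until the silent period expires. The Python model below is an added example for this guide, not the switch's firmware; the threshold of 3 and the 30-second silent period are illustrative values, and the scenario replayed at the end is constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class LoginGate:
    """Model of the password-intrusion threshold with a silent period.

    After `threshold` consecutive failed logons the interface goes silent for
    `silent_time` seconds and answers nothing, so even a correct password is
    rejected until the period has expired. Values are assumptions for the
    example, not the switch's defaults.
    """
    threshold: int = 3
    silent_time: float = 30.0
    failures: int = 0
    silent_until: float = 0.0
    log: List[str] = field(default_factory=list)

    def attempt(self, now: float, password_ok: bool) -> str:
        if now < self.silent_until:
            return "silent"            # interface is deaf during the silent period
        if password_ok:
            self.failures = 0          # a good logon clears the failure count
            return "ok"
        self.failures += 1
        if self.failures >= self.threshold:
            self.failures = 0
            self.silent_until = now + self.silent_time
            self.log.append(f"t={now:g}: threshold reached, silent for {self.silent_time:g}s")
            return "locked"
        return "fail"


def run_attempts(gate: LoginGate, attempts: List[Tuple[float, bool]]) -> List[str]:
    """Replay (timestamp, password_ok) pairs and return the gate's verdicts."""
    return [gate.attempt(t, ok) for t, ok in attempts]


# Constructed scenario: three bad passwords, a correct one during the silent
# period (still refused), and a correct one once the period has expired.
SCENARIO = [(0.0, False), (1.0, False), (2.0, False), (10.0, True), (32.0, True)]

if __name__ == "__main__":
    gate = LoginGate()
    print(run_attempts(gate, SCENARIO), gate.log)
```

The silent period is also a lever an attacker can pull: a few deliberate bad passwords lock the legitimate administrator out of Telnet for the whole period, so keep it short and keep the console as a fallback. A Silent Time of 0 (the switch's "disabled" value) makes the gate harmless in both directions, which the model reproduces.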
  • Page 59: Configuring Event Logging

    Console# Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displays a list of recent event messages.
  • Page 60: Table 3-3. Logging Levels

    * There are only Level 2, 5 and 6 error messages for the current firmware release. • RAM Level – Limits log messages saved to the switch’s temporary RAM memory for all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 will be logged to RAM.
  • Page 61: Remote Logs Configuration

    The attribute specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to process messages, such as sorting or storing messages in the corresponding database.
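
The facility tag and the RAM/flash level settings both live in the RFC 3164 header: the priority value in the angle brackets is facility * 8 + severity, and the switch's "log all levels up to the specified level" rule is a numeric comparison on the severity part. The parser below is an added example written for this guide, not switch code. It assumes the Remote Logs facility maps to the local0-local7 codes 16-23 from RFC 3164, and the sample lines it decodes are constructed, not captured from a TigerSwitch.

```python
import re
from dataclasses import dataclass
from typing import List

# RFC 3164 severity levels; the same eight levels the switch's RAM Level and
# Flash Level settings use (0 = most severe, 7 = debug).
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

# Facility codes 16-23 are local0-local7 in RFC 3164. Assumption for this
# example: the switch's facility setting selects one of these.
LOCAL_FACILITIES = {16 + i: f"local{i}" for i in range(8)}

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


@dataclass(frozen=True)
class SyslogMessage:
    facility: int
    severity: int
    body: str

    @property
    def facility_name(self) -> str:
        return LOCAL_FACILITIES.get(self.facility, f"facility{self.facility}")

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_syslog(line: str) -> SyslogMessage:
    """Decode the <PRI> header: PRI = facility * 8 + severity (RFC 3164 4.1.1)."""
    m = _PRI_RE.match(line)
    if m is None:
        raise ValueError(f"no <PRI> header: {line!r}")
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {pri} out of range")
    return SyslogMessage(facility=pri // 8, severity=pri % 8, body=m.group(2))


def filter_up_to_level(lines: List[str], level: int) -> List[SyslogMessage]:
    """Keep messages whose severity is <= level, the rule the switch applies
    when it logs 'all levels up to the specified level'."""
    if not 0 <= level <= 7:
        raise ValueError("level must be 0..7")
    return [m for m in (parse_syslog(line) for line in lines) if m.severity <= level]


# Constructed sample lines, facility local7 (23). Message texts are invented
# for the example and are not real switch output.
SAMPLE_LINES = [
    "<186>Jan  1 00:00:02 10.1.0.254 System coldStart",        # 23*8+2 critical
    "<189>Jan  1 00:00:05 10.1.0.254 Port 5 link-down",        # 23*8+5 notice
    "<190>Jan  1 00:00:06 10.1.0.254 Port 5 link-up",          # 23*8+6 informational
    "<189>Jan  1 00:00:09 10.1.0.254 Login failed for admin",  # 23*8+5 notice
]

if __name__ == "__main__":
    for msg in filter_up_to_level(SAMPLE_LINES, 5):
        print(msg.facility_name, msg.severity_name, msg.body)
```

The manual notes that only level 2, 5 and 6 messages exist in this firmware, so a collector filtering at "warning" (level 4) would see only the level 2 events; set the server-side threshold at 6 or higher if you want the notice-level logon and link events.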
  • Page 62: Displaying Log Messages

    The Logs page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.
  • Page 63: Resetting The System

    You can also manually set the clock using the CLI. (See “calendar set” on page 4-53.) If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
  • Page 64: Configuring Sntp

    (Range: 16-16284 seconds; Default: 16 seconds) • SNTP Server – Sets the IP address for up to three time servers. The switch attempts to update the time from the first server, if this fails it attempts an update from the next server in the sequence.
  • Page 65: Setting The Time Zone

    HP OpenView. Access rights to the onboard agent are controlled by community strings. To communicate with the switch, the management station must first submit a valid Simple Network Management Protocol...
  • Page 66: Setting Community Access Strings

    Command Attributes • SNMP Community Capability – Indicates that the switch supports up to five community strings. • Community String – A community string that acts like a password and permits access to the SNMP protocol.
  • Page 67: Specifying Trap Managers And Trap Types

    Specifying Trap Managers and Trap Types Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as HP OpenView).
  • Page 68: User Authentication

    User Authentication You can restrict management access to this switch using the following options: • User Accounts – Manually configure access rights on the switch for specified users. • Authentication Settings – Use remote authentication to configure access rights. • HTTPS Settings – Provide a secure web connection.
  • Page 69: Figure 3-23. Access Levels

    Web – Click Security, User Accounts. To configure a new user account, specify a user name, select the user’s access level, then enter a password and confirm it. Click Add to save the new user account and add it to the Account List. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply.
  • Page 70: Configuring Local/Remote Logon Authentication

    Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.
  • Page 71 - Number of Server Transmits – Number of times the switch tries to authenticate logon access via the authentication server. (Range: 1-30; Default: 2) - Timeout for a reply – The number of seconds the switch waits for a reply from the RADIUS server before it resends the request. (Range: 1-65535; Default: 5) •...
  • Page 72: Figure 3-24. Authentication Settings

    Configuring the Switch Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply. Figure 3-24. Authentication Settings CLI –...
  • Page 73: Configuring Https

    Command Usage • Both the HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure both services to use the same TCP port. • If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number] •...
  • Page 74: Replacing The Default Secure-Site Certificate

    Source certificate file name: <certificate file name> Source private file name: <private key file name> Private password: <password for private key> Note: The switch must be reset for the new certificate to be activated. To reset the switch, type: Console#reload 3-38 Figure 3-25.
  • Page 75: Configuring The Secure Shell

    Telnet. When the client contacts the switch via the SSH protocol, the switch generates a public-key that the client uses along with a local user name and password for access authentication.
  • Page 76 Challenge-Response Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that hold a private key corresponding to one of the public keys stored on the switch can gain access. The following exchanges take place during this process: The client sends its public key to the switch.
  • Page 77: Generating The Host Key Pair

    A host public/private key pair is used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the preceding section (Command Usage).
  • Page 78: Figure 3-26. Ssh Host-Key Settings

    Configuring the Switch Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate.
  • Page 79: Configuring The Ssh Server

    The SSH server includes basic settings for authentication. Field Attributes • SSH Server Status – Allows you to enable/disable the SSH server on the switch. (Default: Disabled) • Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients. SSH version 1 has known protocol weaknesses, so configure clients to negotiate version 2 only.
  • Page 80: Configuring Port Security

    Console# Configuring Port Security Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
  • Page 81: Figure 3-28. Configuring Port Security

    • If a port is disabled (shut down) due to a security violation, it must be manually re-enabled from the Port/Port Configuration page (page 3-64). Command Attributes • Port – Port number. • Name – Descriptive text (page 4-105). • Action – Indicates the action to be taken when a port security violation is detected: - None: No action should be taken.
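
Port security as described above is a per-port learning table with a ceiling: source MACs are learned until the configured maximum is reached, after which a frame from any other MAC is a violation and the configured action fires. The Python model below is an added example for this guide, not switch code. The page only lists the "None" action before the summary is cut off; the other actions modelled here (trap, shutdown, trap-and-shutdown) are an assumption, and the frame sequence it replays is constructed.

```python
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class SecurePort:
    """Model of port security on one switch port.

    `max_addresses` is the learning limit. Once it is reached, a frame from a
    MAC not in the table is a violation. Actions other than "none" are an
    assumption for this example.
    """
    name: str
    max_addresses: int = 1
    action: str = "none"             # none | trap | shutdown | trap-and-shutdown
    learned: Set[str] = field(default_factory=set)
    shut_down: bool = False
    traps: List[str] = field(default_factory=list)

    def frame_in(self, src_mac: str) -> str:
        src_mac = src_mac.lower()
        if self.shut_down:
            return "drop:port-shutdown"
        if src_mac in self.learned:
            return "forward"
        if len(self.learned) < self.max_addresses:
            self.learned.add(src_mac)        # still below the limit: learn it
            return "forward:learned"
        # Limit reached and this MAC is unknown: a port security violation.
        if self.action in ("trap", "trap-and-shutdown"):
            self.traps.append(f"{self.name}: port security violation from {src_mac}")
        if self.action in ("shutdown", "trap-and-shutdown"):
            self.shut_down = True            # stays down until an admin re-enables it
        return "drop:violation"

    def admin_enable(self) -> None:
        """Manual re-enable, as the page requires after a security shutdown."""
        self.shut_down = False


def replay(port: SecurePort, frames: List[str]) -> List[str]:
    """Feed source MACs through the port and collect the decision for each."""
    return [port.frame_in(mac) for mac in frames]


# Constructed sequence: the authorised station twice, then a second device
# (or a spoofed address) on the same port, then the first station again.
FRAMES = ["00:11:22:33:44:55", "00:11:22:33:44:55",
          "66:77:88:99:AA:BB", "00:11:22:33:44:55"]

if __name__ == "__main__":
    port = SecurePort("eth1/1", action="trap-and-shutdown")
    print(replay(port, FRAMES), port.traps)
```

The check is on the source MAC alone, so it catches an extra device or hub hung off an access port but not an attacker who clones an authorised address; where that matters, 802.1x port authentication (next section) is the stronger control.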
  • Page 82: Configuring 802.1X Port Authentication

    (i.e., Authenticator) responds with an EAPOL identity request. The client provides its identity (such as a user name) in an EAPOL response to the switch, which it forwards to the RADIUS server. The RADIUS server verifies the client identity and sends an access challenge back to the client.
  • Page 83: Displaying 802.1X Global Settings

    • The RADIUS server and client also have to support the same EAP authentication type – MD5. (Windows includes a native 802.1x client; on other systems the dot1x client software must support EAP-MD5.) Note that EAP-MD5 does not authenticate the server to the client, and a captured challenge/response pair can be attacked offline with a dictionary, so it is only suitable on links you already trust. Displaying 802.1x Global Settings The 802.1x protocol provides client authentication. Command Attributes •...
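
The exchange on pages 82 and 83 (identity request, identity response, MD5 challenge, response, accept or reject) is short enough to run end to end. The Python below is an added example for this guide, not code from the manual or from SMC: it implements the EAP-MD5 response value as RFC 3748 section 5.4 and RFC 1994 define it, MD5(Identifier || secret || Challenge), plays the supplicant against an authentication server, and then shows why the text above warns about the method by recovering the password from a captured exchange with a word list. The switch itself only relays EAPOL to RADIUS, so the server role here stands in for the RADIUS server; the account and fixed challenge are constructed test data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# EAP codes and types from RFC 3748; only what this exchange needs.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4


@dataclass(frozen=True)
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int] = None
    data: bytes = b""


def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """MD5-Challenge response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class Supplicant:
    """The client: answers Identity and MD5-Challenge requests."""

    def __init__(self, identity: str, password: str) -> None:
        self.identity = identity.encode()
        self.password = password.encode()

    def respond(self, req: EapPacket) -> EapPacket:
        if req.eap_type == TYPE_IDENTITY:
            return EapPacket(EAP_RESPONSE, req.identifier, TYPE_IDENTITY, self.identity)
        if req.eap_type == TYPE_MD5_CHALLENGE:
            value_size = req.data[0]                      # first octet is Value-Size
            challenge = req.data[1:1 + value_size]
            value = md5_challenge_response(req.identifier, self.password, challenge)
            return EapPacket(EAP_RESPONSE, req.identifier, TYPE_MD5_CHALLENGE,
                             bytes([len(value)]) + value + self.identity)
        raise ValueError("unsupported EAP type")


def run_exchange(supplicant: Supplicant, users: Dict[bytes, bytes],
                 challenge: Optional[bytes] = None) -> Tuple[bool, List[EapPacket]]:
    """Authentication-server side. Returns (accepted, full packet transcript)."""
    transcript: List[EapPacket] = []

    def send(pkt: EapPacket) -> EapPacket:
        transcript.append(pkt)
        reply = supplicant.respond(pkt)
        transcript.append(reply)
        return reply

    ident = send(EapPacket(EAP_REQUEST, 1, TYPE_IDENTITY)).data
    challenge = challenge or os.urandom(16)          # fresh random challenge per session
    resp = send(EapPacket(EAP_REQUEST, 2, TYPE_MD5_CHALLENGE, bytes([16]) + challenge))
    value = resp.data[1:1 + resp.data[0]]
    expected = md5_challenge_response(2, users.get(ident, b""), challenge)
    ok = ident in users and hmac.compare_digest(value, expected)
    transcript.append(EapPacket(EAP_SUCCESS if ok else EAP_FAILURE, 2))
    return ok, transcript


def recover_password(identifier: int, challenge: bytes, response_value: bytes,
                     wordlist: List[bytes]) -> Optional[bytes]:
    """Offline dictionary attack on one captured challenge/response pair."""
    for guess in wordlist:
        if md5_challenge_response(identifier, guess, challenge) == response_value:
            return guess
    return None


# Constructed test data: one account and a fixed challenge so runs repeat.
USERS = {b"alice": b"s3cret-pw"}
FIXED_CHALLENGE = bytes(range(16))

if __name__ == "__main__":
    ok, transcript = run_exchange(Supplicant("alice", "s3cret-pw"), USERS, FIXED_CHALLENGE)
    captured = transcript[3].data[1:17]
    print(ok, recover_password(2, FIXED_CHALLENGE, captured, [b"password", b"s3cret-pw"]))
```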
  • Page 84: Configuring 802.1X Global Settings

    Command Attributes • 802.1x System Authentication Control – Sets the global setting for 802.1x. (Default: Disabled) Web – Select Security, 802.1x, Configuration. Enable 802.1x globally for the switch, and click Apply. CLI – This example enables 802.1x globally for the switch.
  • Page 85: Figure 3-31. 802.1X Port Configuration

    EAP request packet to the client before it times out the authentication session. (Range: 1-10; Default 2) • Quiet Period – Sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client.
  • Page 86 Configuring the Switch CLI – This example sets the 802.1x parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 4-82. Console(config)#interface ethernet 1/2 Console(config-if)#dot1x port-control auto Console(config-if)#dot1x re-authentication Console(config-if)#dot1x max-req 5...
  • Page 87: Displaying 802.1X Statistics

    Displaying 802.1x Statistics This switch can display statistics for dot1x protocol exchanges for any port. Statistical Values Parameter Rx EAPOL Start Rx EAPOL Logoff Rx EAPOL Invalid Rx EAPOL Total Rx EAP Resp/Id Rx EAP Resp/Oth Rx EAP LenError Rx Last EAPOLVer...
  • Page 88: Figure 3-32. Displaying 802.1X Port Statistics

    Configuring the Switch Web – Select Security, 802.1x, Statistics. Select the required port and then click Query. Click Refresh to update the statistics. Figure 3-32. Displaying 802.1x Port Statistics CLI – This example displays the 802.1x statistics for port 4.
  • Page 89: Access Control Lists

    • However, due to resource restrictions, the average number of rules bound to the ports should not exceed 20. • This switch supports ACLs for ingress filtering only. However, you can only bind one IP ACL to any port and one MAC ACL globally for ingress filtering. In other words, only two ACLs can be bound to an interface - Ingress IP ACL and Ingress MAC ACL.
  • Page 90: Setting The Acl Name And Type

    Configuring the Switch Setting the ACL Name and Type Use the ACL Configuration page to designate the name and type of an ACL. Command Attributes • Name – Name of the ACL. (Maximum length: 16 characters) • Type – There are three filtering modes: - Standard: IP ACL mode that filters packets based on the source IP address.
  • Page 91: Configuring A Standard Ip Acl

    Configuring a Standard IP ACL Command Attributes • Action – An ACL can contain all permit rules or all deny rules. (Default: Permit) • Address Type – Specifies the source IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP” to specify a range of addresses with the Address and SubMask fields.
  • Page 92: Configuring An Extended Ip Acl

    Configuring the Switch Configuring an Extended IP ACL Command Attributes • Action – An ACL can contain either all permit rules or all deny rules. (Default: Permit rules) • Source/Destination Address Type – Specifies the source or destination IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP”...
  • Page 93: Figure 3-35. Configuring Extended Acls

    Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range.
  • Page 94: Configuring A Mac Acl

    Configuring the Switch Configuring a MAC ACL Command Attributes • Action – An ACL can contain all permit rules or all deny rules. (Default: Permit rules) • Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bitmask fields.
  • Page 95: Binding A Port To An Access Control List

    After configuring Access Control Lists (ACL), you should bind them to the ports that need to filter traffic. You can assign one IP access list to any port, but you can only assign one MAC access list to all the ports on the switch. Command Attributes •...
  • Page 96: Filtering Addresses For Management Access

    • If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
  • Page 97: Figure 3-38. Creating A Web Ip Filter List

    Web – Click Security, IP Filter. Enter the IP addresses or range of addresses, and click Add IP Filtering Entry to update the filter list. Figure 3-38. Creating a Web IP Filter List CLI – This example allows SNMP access for a specific client. Console(config)#management snmp-client 10.1.2.3 Console(config)#end Console#show management all-client...
  • Page 98: Port Configuration

    Field Attributes (Web) • Name – Interface label. • Type – Indicates the port type. (100BASE-TX, 1000BASE-T, or SFP) • Admin Status – Shows if the interface is enabled or disabled. • Oper Status – Indicates if the link is Up or Down.
  • Page 99 Field Attributes (CLI) Basic Information: • Port type – Indicates the port type. (100BASE-TX, 1000BASE-T, or SFP) • MAC address – The physical layer address for this port. (To access this item on the web, see “Setting the Switch’s IP Address” on page 3-12.) Configuration: •...
  • Page 100: Configuring Interface Connections

    CLI – This example shows the connection status for Port 5. Console#show interfaces status ethernet 1/5 Information of Eth 1/5 Basic information: Port type: Mac address: Configuration: Name: Port admin: Speed-duplex: Capabilities: Broadcast storm: Broadcast storm limit:...
  • Page 101: Figure 3-40. Port/Trunk Configuration

    Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub.) (Default: Autonegotiation enabled; Advertised capabilities for 100BASE-TX – 10half, 10full, 100half, 100full; 1000BASE-T – 10half, 10full, 100half, 100full, 1000full;...
  • Page 102: Creating Trunk Groups

    LACP-configured ports on another device. You can configure any number of ports on the switch as LACP, as long as they are not already configured as part of a static trunk. If ports on another device are also configured as LACP, the switch and the other device will negotiate a trunk link between them.
  • Page 103: Statically Configuring A Trunk

    Web – Click Port, Trunk Membership. Enter a trunk ID of 1-4 in the Trunk field, select any of the switch ports from the scroll-down port list, and click Add. After you have completed adding ports to the member list, click Apply.
  • Page 104: Enabling Lacp On Selected Ports

    ID. • If more than eight ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails. • All ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation.
  • Page 105: Figure 3-42. Lacp Configuration

    Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add. After you have completed adding ports to the member list, click Apply. Figure 3-42. LACP Configuration CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk.
  • Page 106: Configuring Lacp Parameters

    - Ports must be configured with the same system priority to join the same LAG. - System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
  • Page 107: Figure 3-43. Lacp Port Configuration

    Port Configuration Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.
  • Page 108 CLI – The following example configures LACP parameters for ports 1-4. Ports 1-4 are used as active members of the LAG. Console(config)#interface ethernet 1/1 Console(config-if)#lacp actor system-priority 3 Console(config-if)#lacp actor admin-key 120 Console(config-if)#lacp actor port-priority 128 Console(config-if)#exit...
  • Page 109: Displaying Lacp Port Counters

    Displaying LACP Port Counters You can display statistics for LACP protocol messages. Field LACPDUs Sent LACPDUs Received Marker Sent Marker Received LACPDUs Unknown Pkts LACPDUs Illegal Pkts Web – Click Port, LACP, Port Counters Information. Select a member port to display the corresponding information.
  • Page 110: Displaying Lacp Settings And Status For The Local Side

    Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the local side of a link aggregation. Table 3-7. Displaying LACP Local Settings Field Description Oper Key Current operational value of the key for the aggregation port.
  • Page 111: Figure 3-45. Displaying Lacp Port Internal Information

    Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 3-45. Displaying LACP Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1. Console#show lacp 1 internal Channel group : 1 -------------------------------------------------------------------------...
  • Page 112: Displaying Lacp Settings And Status For The Remote Side

    Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of a link aggregation. Table 3-8. Displaying LACP Remote Settings Field Description Partner Admin System ID LAG partner’s system ID assigned by the user.
  • Page 113: Setting Broadcast Storm Thresholds

    • The default threshold is 32000 octets per second. • Broadcast control does not affect IP multicast traffic. • The specified threshold applies to all ports on the switch. Command Attributes • Threshold – Threshold as percentage of port bandwidth.
  • Page 114: Figure 3-47. Enabling Port Broadcast Control

    Web – Click Port, Port/Trunk Broadcast Control. Set the threshold, mark the Enabled field for the desired interface and click Apply. Figure 3-47. Enabling Port Broadcast Control CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 600 octets per second for port 2.
  • Page 115: Configuring Port Mirroring

    Configuring Port Mirroring You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner. Command Usage •...
  • Page 116: Configuring Rate Limits

    Configuring Rate Limits This function allows the network manager to control the maximum rate for traffic transmitted or received on a port. Rate limiting is configured on ports at the edge of a network to limit traffic coming into or out of the network. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.
  • Page 117: Rate Limit Configuration

    Rate Limit Configuration Use the rate limit configuration pages to apply rate limiting. Command Usage • Input and output rate limit can be enabled or disabled for individual interfaces. Command Attributes • Port/Trunk – Displays the port number. • Rate Limit Status – Enables or disables the rate limit. (Default: Disabled) •...
  • Page 118: Showing Port Statistics

    This information can be used to identify potential problems with the switch (such as a faulty port or unusually heavy loading). RMON statistics provide access to a broad range of statistics, including a total count of different frame types and sizes passing through each port.
  • Page 119 Table 3-9. Port Statistics (Continued) Parameter Transmit Discarded Packets Transmit Errors Etherlike Statistics Alignment Errors Late Collisions FCS Errors Excessive Collisions Single Collision Frames Internal MAC Transmit Errors Multiple Collision Frames Carrier Sense Errors SQE Test Errors Frames Too Long Deferred Transmissions Internal MAC Receive Errors RMON Statistics...
  • Page 120 Configuring the Switch Table 3-9. Port Statistics (Continued) Parameter Received Frames Broadcast Frames Multicast Frames CRC/Alignment Errors Undersize Frames Oversize Frames Fragments 64 Bytes Frames 65-127 Byte Frames 128-255 Byte Frames 256-511 Byte Frames 512-1023 Byte Frames 1024-1518 Byte Frames...
  • Page 121: Figure 3-51. Port Statistics

    Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen. Figure 3-51. Port Statistics...
  • Page 122: Address Table Settings

    Setting Static Addresses A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
  • Page 123: Displaying The Address Table

    Displaying the Address Table The Dynamic Address Table contains the MAC addresses learned by monitoring the source address for traffic entering the switch. When the destination address for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associated port.
  • Page 124: Figure 3-53. Configuring A Dynamic Address Table

    Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query. Figure 3-53. Configuring a Dynamic Address Table CLI –...
  • Page 125: Changing The Aging Time

    This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
  • Page 126: Displaying Global Settings

    STA Information screen. Field Attributes • Spanning Tree State – Shows if the switch is enabled to participate in an STA-compliant network. • Bridge ID – A unique identifier for this bridge, consisting of the bridge priority and MAC address (where the address is taken from the switch system).
  • Page 127 Tree that this switch has accepted as the root device. - Root Port – The number of the port on this switch that is closest to the root. This switch communicates with the root device through this port. If there is no root port, then this switch has been accepted as the root device of the Spanning Tree network.
  • Page 128: Figure 3-55. Displaying Spanning Tree Information

    • Path Cost Method – The path cost is used to determine the best path between devices. The path cost method is used to determine the range of values that can be assigned to each interface. Web – Click Spanning Tree, STA, Information.
  • Page 129: Configuring Global Settings

    RSTP node transmits, as described below: - STP Mode – If the switch receives an 802.1D BPDU (i.e., STP BPDU) after a port’s migration delay timer expires, the switch assumes it is connected to an 802.1D bridge and starts using only 802.1D BPDUs.
  • Page 130 • Maximum Age – The maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN.
  • Page 131: Figure 3-56. Configuring Spanning Tree

    Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply. Figure 3-56. Configuring Spanning Tree CLI – This example enables Spanning Tree Protocol, sets the mode to RSTP, and then configures the STA and RSTP parameters. Console(config)#spanning-tree Console(config)#spanning-tree mode rst Console(config)#spanning-tree priority 45056...
  • Page 132: Displaying Interface Settings

    - A port on a network segment with no other STA compliant bridging device is always forwarding. - If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment, the port with the smaller ID forwards packets and the other is discarding.
  • Page 133: Figure 3-57. Bpdu Transmission

    • Priority – Defines the priority used for this port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Algorithm is detecting network loops.
  • Page 134: Figure 3-58. Displaying Spanning Tree Information

    - Point-to-Point – A connection to exactly one other bridge. - Shared – A connection to two or more bridges. - Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared media.
  • Page 135: Configuring Interface Settings

    • Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops.
  • Page 136: Figure 3-59. Configuring Spanning Tree Per Port

    - Point-to-Point – A connection to exactly one other bridge. - Shared – A connection to two or more bridges. - Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared media. (This is the default setting.) •...
  • Page 137: Vlan Configuration

    • Priority tagging Assigning Ports to VLANs Before enabling VLANs for the switch, you must first assign each port to the VLAN group(s) in which it will participate. By default all ports are assigned to VLAN 1 as untagged ports. Add a port as a tagged port if you want it to carry traffic for one or more VLANs, and any intermediate network devices or the host at the other end of the connection supports VLANs.
  • Page 138 VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port). But if the frame is tagged, the switch uses the tagged VLAN ID to identify the port broadcast domain of the frame.
  • Page 139 VLAN-aware devices (including the destination host), the switch must first strip off the VLAN tag before forwarding the frame. When the switch receives a tagged frame, it will pass this frame onto the VLAN(s) indicated by the frame tag.
  • Page 140: Enabling Or Disabling Gvrp (Global Setting)

    The VLAN Basic Information page displays basic information on the VLAN type supported by the switch. Field Attributes • VLAN Version Number* – The VLAN version used by this switch as specified in the IEEE 802.1Q standard. • Maximum VLAN ID – Maximum VLAN ID recognized by this switch.
  • Page 141: Displaying Current Vlans

    • VLAN ID – ID of configured VLAN (1-4094). • Up Time at Creation – Time this VLAN was created (i.e., System Up Time). • Status – Shows how this VLAN was added to the switch. - Dynamic GVRP: Automatically learned via GVRP.
  • Page 142: Figure 3-62. Displaying Current Vlans

    Figure 3-62. Displaying Current VLANs Command Attributes (CLI) • VLAN – ID of configured VLAN (1-4094, no leading zeroes). • Type – Shows how this VLAN was added to the switch. - Dynamic: Automatically learned via GVRP. - Static: Added as a static entry.
  • Page 143: Creating Vlans

    Creating VLANs Use the VLAN Static List to create or remove VLAN groups. To propagate information about VLAN groups used on this switch to external network devices, you must specify a VLAN ID for each of these groups. Command Attributes •...
  • Page 144: Adding Static Members To Vlans (Vlan Index)

    Assign ports as tagged if they are connected to 802.1Q VLAN compliant devices, or untagged if they are not connected to any VLAN-aware devices. Or configure a port as forbidden to prevent the switch from automatically adding it to a VLAN via the GVRP protocol.
  • Page 145: Figure 3-64. Configuring A Vlan Static Table

    Command Attributes • VLAN – ID of configured VLAN (1-4094, no leading zeroes). • Name – Name of the VLAN (1 to 32 characters). • Status – Enables or disables the specified VLAN. - Enable: VLAN is operational. - Disable: VLAN is suspended; i.e., does not pass packets. •...
  • Page 146: Adding Static Members To Vlans (Port Index)

    CLI – The following example adds tagged and untagged ports to VLAN 2. Console(config)#interface ethernet 1/1 Console(config-if)#switchport allowed vlan add 2 tagged Console(config-if)#exit Console(config)#interface ethernet 1/2 Console(config-if)#switchport allowed vlan add 2 untagged Console(config-if)#exit Console(config)#interface ethernet 1/13 Console(config-if)#switchport allowed vlan add 2 tagged...
  • Page 147: Configuring Vlan Behavior For Interfaces

    STP. However, they do affect VLAN dependent BPDU frames, such as GMRP. • GVRP Status – Enables/disables GVRP for the interface. GVRP must be globally enabled for the switch before this setting can take effect. (See “Displaying Bridge Extension Capabilities” on page 3-11.) When disabled, any GVRP packets received on this port will be discarded and no GVRP registrations will be propagated from other ports.
  • Page 148: Figure 3-66. Configuring Vlans Per Port

    • GARP Leave Timer* – The interval a port waits before leaving a VLAN group. This time should be set to more than twice the join time. This ensures that after a Leave or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group.
  • Page 149: Private Vlans

    VLAN. A community VLAN conveys traffic between community ports, and from the community ports to their associated promiscuous ports. Multiple primary VLANs can be configured on this switch, and multiple community VLANs can be configured within each primary VLAN.
  • Page 150: Displaying Current Private Vlans

    (i.e., community VLAN). Displaying Current Private VLANs The Private VLAN Information page displays information on the private VLANs configured on the switch, including primary and community VLANs, and their associated interfaces. Command Attributes • VLAN ID – ID of configured VLAN (1-4094, no leading zeroes).
  • Page 151: Configuring Private Vlans

    CLI – This example shows the switch configured with primary VLAN 5 and secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and are associated with VLAN 6.
  • Page 152: Associating Community Vlans

    Primary, Isolated or Community type, then click Add. To remove a private VLAN from the switch, highlight an entry in the Current list box and then click Remove. Note that all member ports must be removed from the VLAN before it can be deleted.
  • Page 153: Displaying Private Vlan Interface Information

    Use the Private VLAN Port Information and Private VLAN Trunk Information menus to display the interfaces associated with private VLANs. Command Attributes • Port/Trunk – The switch interface. • PVLAN Port Type – Displays private VLAN port types. - Normal – The port is not configured in a private VLAN.
  • Page 154: Configuring Private Vlan Interfaces

    Web – Click VLAN, Private VLAN, Port Information or Trunk Information. Figure 3-70. Displaying Private VLAN Port Information CLI – This example shows the switch configured with primary VLAN 5 and community VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and associated with VLAN 6.
  • Page 155: Figure 3-71. Private Vlan Port Configuration

    • Secondary VLAN – On this switch all secondary VLANs are community VLANs. A community VLAN conveys traffic between community ports, and from community ports to their designated promiscuous ports. If PVLAN Port Type is “Host,” then specify the associated secondary VLAN.
  • Page 156: Class Of Service Configuration

    Layer 2 Queue Settings Setting the Default Priority for Interfaces You can specify the default port priority for each interface on the switch. All untagged packets entering the switch are tagged with the specified default port priority, and then sorted into the appropriate priority queue at the output port.
  • Page 157: Figure 3-72. Port Priority Configuration

    Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply. Figure 3-72. Port Priority Configuration CLI – This example assigns a default priority of 5 to port 3. Console(config)#interface ethernet 1/3 Console(config-if)#switchport priority default 5 Console(config-if)#end Console#show interfaces switchport ethernet 1/3...
  • Page 158: Mapping Cos Values To Egress Queues

    The priority levels recommended in the IEEE 802.1p standard for various network applications are shown in the following table. However, you can map the priority levels to the switch’s output queues in any way that benefits application traffic for your own network.
  • Page 159: Selecting The Queue Mode

    Selecting the Queue Mode You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue.
  • Page 160: Setting The Service Weight For Traffic Classes

    Console# Setting the Service Weight for Traffic Classes This switch uses the Weighted Round Robin (WRR) algorithm to determine the frequency at which it services each priority queue. As described in “Mapping CoS Values to Egress Queues” on page 3-122, the traffic classes are mapped to one of the four egress queues provided for each port.
  • Page 161: Figure 3-75. Configuring Interfaces For Queue Scheduling

    Web – Click Priority, Queue Scheduling. Select the interface, highlight a traffic class (i.e., output queue), enter a weight, then click Apply. Figure 3-75. Configuring Interfaces for Queue Scheduling CLI – The following example shows how to assign WRR weights to each of the priority queues.
  • Page 162: Layer 3/4 Priority Settings

    Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values This switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet or the number of the TCP port.
  • Page 163: Mapping Ip Precedence

    Mapping IP Precedence The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic. The default IP Precedence values are mapped one-to-one to Class of Service values (i.e., Precedence value 0 maps to CoS value 0, and so forth).
  • Page 164: Mapping Dscp Priority

    CLI* – The following example globally enables IP Precedence service on the switch, maps IP Precedence value 1 to CoS value 0 (on port 1), and then displays the IP Precedence settings. Console(config)#map ip precedence Console(config)#interface ethernet 1/1...
  • Page 165: Figure 3-78. Mapping Ip Dscp Priority Values

    DSCP table, enter a value in the Class of Service Value field, then click Apply. Figure 3-78. Mapping IP DSCP Priority Values CLI* – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings.
  • Page 166: Mapping Ip Port Priority

    Mapping IP Port Priority You can also map network applications to Class of Service values based on the IP port number (i.e., TCP/UDP port number) in the frame header. Some of the more common TCP service ports include: HTTP: 80, FTP: 21, Telnet: 23 and POP3: 110.
  • Page 167: Mapping Cos Values To Acls

    CLI* – The following example globally enables IP Port Priority service on the switch, maps HTTP traffic on port 5 to CoS value 0, and then displays all the IP Port Priority settings for that port. Console(config)#map ip port Console(config)#interface ethernet 1/5...
  • Page 168: Multicast Filtering

    It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/ router. Although this approach reduces the network overhead required by a multicast server,...
  • Page 169: Layer 2 Igmp (Snooping And Query)

    • IGMP Querier – A router, or multicast-enabled switch, can periodically ask its hosts if they want to receive multicast traffic. If there is more than one router/switch on the LAN performing IP multicasting, one of these devices is elected “querier”...
  • Page 170: Figure 3-82. Igmp Configuration

    (Default: Enabled) • IGMP Query Count — Sets the maximum number of queries issued for which there has been no response before the switch takes action to drop a client from the multicast group. (Range: 2-10; Default: 2) • IGMP Query Interval — Sets the frequency at which the switch sends IGMP host-query messages.
  • Page 171: Displaying Interfaces Attached To A Multicast Router

    Console# Displaying Interfaces Attached to a Multicast Router Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch.
  • Page 172: Specifying Static Interfaces For A Multicast Router

    IGMP querier. Therefore, if the IGMP querier is a known multicast router/ switch connected over the network to an interface (port or trunk) on your switch, you can manually configure the interface (and a specified VLAN) to join all the current multicast groups supported by the attached router.
  • Page 173: Displaying Port Members Of Multicast Services

    VLAN to propagate a specific multicast service. Web – Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and the IP address for a multicast service from the scroll-down lists. The switch will display all the interfaces that are propagating this multicast service.
  • Page 174: Assigning Ports To Multicast Services

    Parameters” on page 3-133. For certain applications that require tighter control, you may need to statically configure a multicast service on the switch. First add all the ports attached to participating hosts to a common VLAN, and then assign the multicast service to that VLAN group.
  • Page 175 CLI – This example assigns a multicast address to VLAN 1, and then displays all the known multicast services supported on VLAN 1. Console(config)#ip igmp snooping vlan 1 static 224.1.1.12 ethernet 1/12 Console(config)#exit Console#show mac-address-table multicast vlan 1 VLAN M'cast IP addr. Member ports Type ---- --------------- ------------ ------- 224.1.1.12 224.1.2.3...
  • Page 177: Chapter 4: Command Line Interface

    Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very similar to entering commands on a UNIX system.
  • Page 178 Command Line Interface To access the switch through a Telnet session, you must first set the IP address for the switch, and set the default gateway if you are managing the switch from a different IP subnet. For example, Console(config)#interface vlan 1 Console(config-if)#ip address 10.1.0.254 255.255.255.0...
  • Page 179: Entering Commands

    Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
  • Page 180: Showing Commands

    Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line or VLAN Database). You can also display a list of valid keywords for a specific command.
  • Page 181: Partial Keyword Lookup

    Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.” Console#show s? snmp sntp...
  • Page 182: Exec Commands

    Exec Commands When you open a new console session on the switch with the user name and password “guest,” the system enters the Normal Exec command mode (or guest mode), displaying the “Console>” command prompt. Only a limited number of the commands are available in this mode.
  • Page 183: Table 4-2. Configuration Modes

    To enter the Global Configuration mode, enter the command configure in Privileged Exec mode. The system prompt will change to “Console(config)#” which gives you access privilege to all Global Configuration commands. Console#configure Console(config)# To enter the other modes, at the configuration prompt type one of the following commands.
  • Page 184: Command Line Processing

    Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?”...
  • Page 185: Command Groups

    Controls system logs, system passwords, user name, browser management options, and a variety of other system information Flash/File Manages code image or switch configuration files Authentication Configures logon access using local or remote authentication; also configures port security and IEEE 802.1x port access control...
  • Page 186: Line Commands

    Line Commands You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal). Command Function line...
  • Page 187: Login

    Command Mode Line Configuration Command Usage • There are three authentication modes provided by the switch itself at login: - login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode.
  • Page 188: Password

    Example Console(config-line)#login local Console(config-line)# Related Commands username (4-26) password (4-12) password This command specifies the password for a line. Use the no form to remove the password. Syntax password {0 | 7} password no password • {0 | 7} - 0 means plain password, 7 means encrypted password •...
  • Page 189: Timeout Login Response

    timeout login response This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default. Syntax timeout login response [seconds] no timeout login response seconds - Integer that specifies the timeout interval. (Range: 0 - 300 seconds;...
  • Page 190: Password-Thresh

    Command Mode Line Configuration Command Usage • If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated. • This command applies to both the local console and Telnet connections. •...
  • Page 191: Silent-Time

    Related Commands silent-time (4-15) timeout login response (4-13) silent-time This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value. Syntax silent-time [seconds] no silent-time...
  • Page 192: Parity

    Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
  • Page 193: Speed

    speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting. Syntax speed bps no speed bps - Baud rate in bits per second. (Options: 9600, 19200, 38400, 57600, 115200 bps) Default Setting 9600...
  • Page 194: Disconnect

    disconnect This command terminates an SSH, Telnet, or console connection. Syntax disconnect session-id session-id – The session identifier for an SSH, Telnet or console connection. (Range: 0-4) Command Mode Privileged Exec Command Usage Specifying session identifier “0” will disconnect the console connection. Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection.
  • Page 195: General Commands

    Example To show all lines, enter this command: Console#show line Console configuration: Password threshold: Interactive timeout: Disabled Login timeout: Disabled Silent time: Baudrate: Databits: Parity: Stopbits: VTY configuration: Password threshold: Interactive timeout: 600 sec Login timeout: 300 sec Console# General Commands Command Function enable...
  • Page 196: Disable

    This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See “Understanding Command Modes” on page 4-5.
  • Page 197: Configure

    This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration.
  • Page 198: Reload

    None Command Mode Privileged Exec Command Usage This command resets the entire system. Example This example shows how to reset the switch: Console#reload System will be restarted, continue <y/n>? y This command returns to Privileged Exec mode. Default Setting None...
  • Page 199: Exit

    exit This command returns to the previous configuration mode or exits the configuration program. Default Setting None Command Mode Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session...
  • Page 200: System Management Commands

    Table 4-7. System Management Commands Command Group Function Device Designation Configures information that uniquely identifies this switch User Access Configures the basic user names and passwords for management access IP Filter Configures IP addresses that are allowed management access...
  • Page 201: Hostname

    User Access Commands The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 4-10), user authentication via a remote authentication server (page 4-67), and host access authentication for specific ports (page 4-77).
  • Page 202: Username

    username This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name. Syntax username name {access-level level | nopassword | password {0 | 7} password}...
  • Page 203: Enable Password

    enable password After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
  • Page 204: Ip Filter Commands

    Global Configuration Command Usage • If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
  • Page 205: Show Management

    Console(config)# show management This command displays the client IP addresses that are allowed management access to the switch through various protocols. Syntax show management {all-client | http-client | snmp-client | telnet-client} • all-client - Adds IP address(es) to the SNMP, web and Telnet groups.
  • Page 206: Web Server Commands

    Specifies the port to be used by the web browser interface ip http server Allows the switch to be monitored or configured from a browser GC ip http secure-server Enables HTTPS/SSL for encrypted communications ip http secure-port...
  • Page 207: Ip Http Secure-Server

    This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the no form to disable this function. Syntax [no] ip http secure-server...
  • Page 208: Ip Http Secure-Port

    (4-61) ip http secure-port This command specifies the UDP port number used for HTTPS/SSL connection to the switch’s web interface. Use the no form to restore the default port. Syntax ip http secure-port port_number no ip http secure-port port_number –...
  • Page 209: Telnet Server Commands

    Specifies the port to be used by the Telnet interface ip telnet server Allows the switch to be monitored or configured from Telnet ip telnet port This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port.
  • Page 210: Secure Shell Commands

    Telnet. When a client contacts the switch via the SSH protocol, the switch uses a public-key that the client must match along with a local user name and password for access authentication.
  • Page 211 Configure Challenge-Response Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key...
  • Page 212: Ip Ssh Server

    The client sends its public key to the switch. The switch compares the client's public key to those stored in memory. If a match is found, the switch uses the public key to encrypt a random sequence of bytes, and sends this string to the client.
  • Page 213: Ip Ssh Timeout

    Global Configuration Command Usage The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase. Once an SSH session has been established, the timeout for user input is controlled by the exec-timeout command for vty sessions.
  • Page 214: Ip Ssh Server-Key Size

    Command Mode Global Configuration Command Usage • The server key is a private key that is never shared outside the switch. • The host key is shared with the SSH client, and is fixed at 1024 bits. Example Console(config)#ip ssh server-key size 512...
  • Page 215: Ip Ssh Crypto Host-Key Generate

    Example Console#delete public-key admin dsa Console# ip ssh crypto host-key generate This command generates the host key pair (i.e., public and private). Syntax ip ssh crypto host-key generate [dsa | rsa] • dsa – DSA (Version 2) key type. • rsa – RSA (Version 1) key type. Default Setting Generates both the DSA and RSA key pairs.
  • Page 216: Ip Ssh Save Host-Key

    Command Mode Privileged Exec Command Usage • This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory. • The SSH server must be disabled before you can execute this command. Example Console#ip ssh crypto zeroize dsa Console#...
  • Page 217: Show Ssh

    Example Console#show ip ssh SSH Enabled - version 1.99 Negotiation timeout: 120 secs; Authentication retries: 3 Server key size: 768 bits Console# show ssh This command displays the current SSH server connections. Command Mode Privileged Exec Example Console#show ssh Connection Version State Session-Started Console# Table 4-16.
  • Page 218: Show Public-Key

    show public-key This command shows the public key for the specified user or for the host. Syntax show public-key [user [username]| host] username – Name of an SSH user. (Range: 1-8 characters) Default Setting Shows all public keys. Command Mode Privileged Exec Command Usage...
  • Page 219: Event Logging Commands

    Displays log messages show logging Displays the state of logging configuration logging on This command controls logging of error messages, sending debug or error messages to switch memory. The no form disables the logging process. Syntax [no] logging on Default Setting None...
  • Page 220: Logging History

    logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax logging history {flash | ram} level no logging history {flash | ram} •...
  • Page 221: Logging Host

    The command specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to sort messages or to store messages in the corresponding database.
  • Page 222: Logging Trap

    logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
  • Page 223: Show Log

    Related Commands show logging (4-48) show log This command displays the system and event messages stored in memory. Syntax show log {flash | ram} • flash - Event history stored in flash memory (i.e., permanent memory). • ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
  • Page 224: Show Logging

    show logging This command displays the logging configuration. Syntax show logging {flash | ram | trap} • flash - Event history stored in flash memory (i.e., permanent memory). • ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
  • Page 225: Time Commands

    (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup. Command...
  • Page 226: Sntp Client

    • The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan. 1, 2001).
  • Page 227: Sntp Server

    Global Configuration Command Usage This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode. The client will poll the time servers in the order specified until a response is received. It issues time synchronization requests based on the interval set via the sntp poll command.
  • Page 228: Show Sntp

    Command Usage This command is only applicable when the switch is set to SNTP client mode. Example Console(config)#sntp poll 60 Console(config)# Related Commands sntp client (4-50) show sntp This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated.
  • Page 229: Calendar Set

    (4-52) calendar set This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server. Syntax calendar set hour min sec {day month year | month day year} •...
  • Page 230: System Status Commands

    This command displays the unit ID of a switch using its front-panel LED indicators. Syntax light unit [unit] • unit - specifies a unit in a switch stack to light the panel LEDs Default Setting None Command Mode...
  • Page 231: Show Startup-Config

    show startup-config This command displays the configuration file stored in non-volatile memory that is used to start up the system. Default Setting None Command Mode Privileged Exec Command Usage • Use this command in conjunction with the show running-config command to compare the information in running memory to the information stored in non-volatile memory.
  • Page 232: Show Running-Config

    “!” symbols, and includes the configuration mode command, and corresponding commands. This command displays the following information: - MAC address for each switch in the stack - SNTP server settings - SNMP community strings - Users (names, access levels, and encrypted passwords)
  • Page 233 Example Console#show running-config building running-config, please wait... SNTP server 0.0.0.0 0.0.0.0 0.0.0.0 SNMP-server community private rw SNMP-server community public ro username admin access-level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access-level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca logging history ram 6 logging history flash 3 vlan database...
  • Page 234: Show System

    DUMMY Test 1...PASS UART LOOP BACK Test...PASS DRAM Test...PASS Timer Test...PASS RTC Initialization...PASS Switch Int Loopback test...PASS Done All Pass. Console# show users Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client.
  • Page 235: Show Version

    This command displays hardware and software version information for the system. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage See “Displaying Switch Hardware/Software Versions” on page 3-9 for detailed information on the items displayed by this command.
  • Page 236: Frame Size Commands

    Command Mode Global Configuration Command Usage • This switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 9216 bytes. Compared to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet overhead required to process protocol encapsulation fields.
  • Page 237: Flash/File Commands

    This command moves (upload/download) a code image or configuration file between the switch’s flash memory and a TFTP server. When you save the system code or configuration settings to a file on a TFTP server, that file can later be downloaded to the switch to restore system operation.
  • Page 238 • To replace the startup configuration, you must use startup-config as the destination. • Use the copy file unit command to copy a local file to another switch in the stack. Use the copy unit file command to copy a file from another switch in the stack.
    Page 239 \Write to FLASH finish. Success. Console# This example shows how to copy a secure-site certificate from a TFTP server. It then reboots the switch to activate the certificate: Console#copy tftp https-certificate TFTP server ip address: 10.1.0.19 Source certificate file name: SS-certificate...
  • Page 240: Delete

    The type of file or image to display includes: • boot-rom - Boot ROM (or diagnostic) image file. • config - Switch configuration file. • opcode - Run-time operation code image file. • filename - Name of the file or image. If this file exists but contains errors, information on this file cannot be shown.
  • Page 241: Whichboot

    Command Mode Privileged Exec Command Usage • If you enter the command dir without any parameters, the system displays all files. • A colon (:) is required after the specified unit number. • File information is shown below: Column Heading file name file type startup...
  • Page 242: Boot System

    Example This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command. Console#whichboot -------------------------------- -------------- ------- ----------- D2.2.1.3 V2.2.1.9 Factory_Default_Config.cfg Console# boot system This command specifies the image used to start up the system.
  • Page 243: Authentication Commands

    Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or RADIUS authentication methods. You can also enable port-based authentication for network client access using IEEE 802.1x. Table 4-26. Authentication Commands...
  • Page 244: Authentication Enable

    • RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server. • You can specify three authentication methods in a single command to indicate the authentication sequence.
  • Page 245: Radius Client

    RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch. Table 4-28. RADIUS Client Commands Command...
  • Page 246: Radius-Server Port

    • timeout - Number of seconds the switch waits for a reply before resending a request. (Range: 1-65535) • retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1-30) •...
  • Page 247: Radius-Server Key

    This command sets the number of retries. Use the no form to restore the default. Syntax radius-server retransmit number_of_retries no radius-server retransmit number_of_retries - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1-30) Default Setting Command Mode...
  • Page 248: Radius-Server Timeout

    RADIUS server. Use the no form to restore the default. Syntax radius-server timeout number_of_seconds no radius-server timeout number_of_seconds - Number of seconds the switch waits for a reply before resending a request. (Range: 1-65535) Default Setting Command Mode Global Configuration...
  • Page 249: Tacacs+ Client

    TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch. Command Function...
  • Page 250: Tacacs-Server Key

    Command Mode Global Configuration Example Console(config)#tacacs-server port 181 Console(config)# tacacs-server key This command sets the TACACS+ encryption key. Use the no form to restore the default. Syntax tacacs-server key key_string no tacacs-server key key_string - Encryption key used to authenticate logon access for the client.
  • Page 251: Port Security Commands

    MAC address that is unknown or has been previously learned from another port. If a device with an unauthorized MAC address attempts to use the switch port, the intrusion will be detected and the switch can automatically take action by disabling the port and sending a trap message.
    Page 252 Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
  • Page 253: 802.1X Port Authentication

    EAP packet show dot1x Shows all dot1x related information dot1x system-auth-control This command enables 802.1x port authentication globally on the switch. Use the no form to restore the default. Syntax [no] system-auth-control Default Setting...
  • Page 254: Dot1X Default

    Console(config)#dot1x default Console(config)# dot1x max-req This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default.
  • Page 255: Dot1X Port-Control

    dot1x port-control This command sets the dot1x mode on a port interface. Use the no form to restore the default. Syntax dot1x port-control {auto | force-authorized | force-unauthorized} no dot1x port-control • auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server.
  • Page 256: Dot1X Re-Authenticate

    Example Console(config)#interface eth 1/2 Console(config-if)#dot1x operation-mode multi-host max-count 10 Console(config-if)# dot1x re-authenticate This command forces re-authentication on all ports or a specific interface. Syntax dot1x re-authenticate [interface] interface • ethernet unit/port - unit - This is device 1. - port - Port number.
  • Page 257: Dot1X Timeout Quiet-Period

    This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. Use the no form to reset the default. Syntax dot1x timeout quiet-period seconds no dot1x timeout quiet-period seconds - The number of seconds.
  • Page 258: Dot1X Timeout Tx-Period

    dot1x timeout tx-period This command sets the time that the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value. Syntax dot1x timeout tx-period seconds no dot1x timeout tx-period seconds - The number of seconds.
  • Page 259 • 802.1X Port Details – Displays the port access control parameters for each interface, including the following items: - reauth-enabled - reauth-period - quiet-period - tx-period - supplicant-timeout - server-timeout - reauth-max - max-req - Status - Operation Mode - Max Count - Port-control - Supplicant - Current Identifier...
    Page 260 Example Console#show dot1x Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status disabled enabled 1/18 disabled 802.1X Port Details 802.1X is disabled on port 1/1 802.1X is enabled on port 1/2 reauth-enabled: Enable reauth-period: 1800 quiet-period: tx-period: supplicant-timeout:...
  • Page 261: Access Control List Commands

    • However, due to resource restrictions, the average number of rules bound to the ports should not exceed 20. • This switch supports ACLs for ingress filtering only. However, you can only bind one IP ACL to any port and one MAC ACL globally for ingress filtering. In other words, only two ACLs can be bound to an interface - Ingress IP ACL and Ingress MAC ACL.
  • Page 262: Ip Acls

    Command Groups Function IP ACLs Configures ACLs based on IP addresses, TCP/UDP port number, protocol type, and TCP control code MAC ACLs Configures ACLs based on hardware addresses, packet format, and Ethernet type ACL Information Displays ACLs and associated rules; shows ACLs assigned to each port IP ACLs Command Function...
  • Page 263: Permit, Deny (Standard Acl)

    Command Usage • When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list. •...
  • Page 264: Permit, Deny (Extended Acl)

    Example This example configures one permit rule for the specific address 10.1.1.21 and another rule for the address range 168.92.16.x – 168.92.31.x using a bitmask. Console(config-std-acl)#permit host 10.1.1.21 Console(config-std-acl)#permit 168.92.16.0 255.255.240.0 Console(config-std-acl)# Related Commands access-list ip (4-86) permit, deny (Extended ACL) This command adds a rule to an Extended IP ACL.
  • Page 265 Default Setting None Command Mode Extended ACL Command Usage • All new rules are appended to the end of the list. • Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match”...
  • Page 266: Show Ip Access-List

    This permits all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to “SYN.” Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any control-flag 2 2 Console(config-ext-acl)# Related Commands access-list ip (4-86) show ip access-list This command displays the rules for configured IP ACLs. Syntax show ip access-list {standard | extended} [acl_name] •...
  • Page 267: Show Ip Access-Group

    • If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one. • You must configure a mask for an ACL rule before you can bind it to a port.
  • Page 268: Show Map Access-List Ip

    Command Usage A packet matching a rule within the specified ACL is mapped to one of the output queues as shown in the following table. For information on mapping the CoS values to output queues, see queue cos-map on page 4-166. Table 4-34.
  • Page 269: Mac Acls

    MAC ACLs Command Function access-list mac Creates a MAC ACL and enters configuration mode permit, deny Filters packets matching a specified source and destination address, packet format, and Ethernet type show mac access-list Displays the rules for configured MAC ACLs mac access-group Adds a port to a MAC ACL show mac access-group...
  • Page 270: Permit, Deny (Mac Acl)

    Related Commands permit, deny (MAC ACL) (4-94) mac access-group (4-95) show mac access-list (4-95) permit, deny (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type.
  • Page 271: Show Mac Access-List

    Example This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800. Console(config-mac-acl)#permit any host 00-e0-29-94-34-de ethertype 0800 Console(config-mac-acl)# Related Commands access-list mac (4-93) show mac access-list This command displays the rules for configured MAC ACLs. Syntax show mac access-list [acl_name] acl_name –...
  • Page 272: Show Mac Access-Group

    • A port can only be bound to one ACL. • If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one. Example...
  • Page 273: Show Map Access-List Mac

    Command Usage • You must configure an ACL mask before you can map CoS values to the rule. • A packet matching a rule within the specified ACL is mapped to one of the output queues as shown below. Table 4-36. Egress Queue Priority Mapping Queue Priority Example...
  • Page 274: Acl Information

    ACL Information Command Function show access-list Show all ACLs and associated rules show access-group Shows the ACLs assigned to each port show access-list This command shows all ACLs and associated rules, as well as all the user-defined masks.
  • Page 275: Snmp Commands

    SNMP Commands Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. Command Function snmp-server community Sets up the community access string to permit access to...
  • Page 276: Snmp-Server Contact

    Example Console(config)#snmp-server community alpha rw Console(config)# snmp-server contact This command sets the system contact string. Use the no form to remove the system contact information. Syntax snmp-server contact string no snmp-server contact string - String that describes the system contact information. (Maximum length: 255 characters) Default Setting None...
  • Page 277: Snmp-Server Host

    • Some notification types cannot be controlled with the snmp-server enable traps command. For example, some notification types are always enabled. • The switch can send SNMP version 1 or version 2c notifications to a host IP address, depending on the SNMP version that the management station supports.
  • Page 278: Snmp-Server Enable Traps

    Related Commands snmp-server enable traps (4-102) snmp-server enable traps This command enables this device to send Simple Network Management Protocol traps (SNMP notifications). Use the no form to disable SNMP notifications. Syntax [no] snmp-server enable traps [authentication | link-up-down] •...
  • Page 279 Command Usage This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command. Example Console#show snmp System Contact: Joe System Location: Room 23 SNMP traps: Authentication: enabled...
  • Page 280: Interface Commands

    Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN. Command Function interface Configures an interface type and enters interface configuration mode description Adds a description to an interface configuration speed-duplex Configures the speed and duplex operation of a given interface when autonegotiation is disabled...
  • Page 281: Description

    Command Mode Global Configuration Example To specify port 16, enter the following command: Console(config)#interface ethernet 1/16 Console(config-if)# description This command adds a description to an interface. Use the no form to remove the description. Syntax description string no description string - Comment or a description to help you remember what is attached to this interface.
  • Page 282: Negotiation

    Command Line Interface Default Setting • Auto-negotiation is enabled by default. • When auto-negotiation is disabled, the default speed-duplex setting is 100half for 100BASE-TX ports and 1000full for Gigabit Ethernet ports. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
  • Page 283: Capabilities

    (The current switch ASIC only supports symmetric pause frames.) Default Setting • 100BASE-TX: 10half, 10full, 100half, 100full • 1000BASE-T: 10half, 10full, 100half, 100full, 1000full • SFP: 1000full Command Mode...
  • Page 284: Flowcontrol

    Command Usage • Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill. When enabled, back pressure is used for half-duplex operation and IEEE 802.3x for full-duplex operation.
  • Page 285: Shutdown

    Example The following example enables flow control on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#flowcontrol Console(config-if)#no negotiation Console(config-if)# Related Commands negotiation (4-106) capabilities (flowcontrol, symmetric) (4-107) shutdown This command disables an interface. To restart a disabled interface, use the no form. Syntax [no] shutdown Default Setting...
  • Page 286: Switchport Broadcast Packet-Rate

    • This command can enable or disable broadcast storm control for the selected interface. However, the specified threshold value applies to all ports on the switch. Example The following shows how to configure broadcast storm control at 600 octets per...
  • Page 287: Show Interfaces Status

    Command Mode Privileged Exec Command Usage Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset.
  • Page 288: Show Interfaces Counters

    Command Line Interface Example Console#show interfaces status ethernet 1/4 Information of Eth 1/4 Basic information: Port type: Mac address: Configuration: Name: Port admin: Speed-duplex: Capabilities: Broadcast storm: Broadcast storm limit: Flow control: LACP: Port security: Max MAC count: Port security action: Current status: Link status: Operation speed-duplex: 100full...
  • Page 289: Show Interfaces Switchport

    Example Console#show interfaces counters ethernet 1/7 Ethernet 1/7 Iftable stats: Octets input: 30658, Octets output: 196550 Unicast input: 6, Unicast output: 5 Discard input: 0, Discard output: 0 Error input: 0, Error output: 0 Unknown protos input: 0, QLen output: 0 Extended iftable stats: Multi-cast input: 0, Multi-cast output: 3064 Broadcast input: 262, Broadcast output: 1...
  • Page 290: Table 4-40. Interfaces Switchport Statistics

    Command Line Interface Example This example shows the configuration setting for port 16. Console#show interfaces switchport ethernet 1/16 Broadcast threshold: LACP status: Ingress rate limit: disable, Level: 30 Egress rate limit: disable, Level: 30 VLAN membership mode: Ingress rule: Acceptable frame type: Native VLAN: Priority for untagged traffic: 0 Gvrp status:...
  • Page 291: Mirror Port Commands

    [rx | tx] no port monitor interface • interface - ethernet unit/port (source port) - unit - Switch (unit 1). - port - Port number. • rx - Mirror received packets. • tx - Mirror transmitted packets.
  • Page 292: Show Port Monitor

    Command Line Interface Example The following example configures the switch to mirror received packets from port 6 to 11: Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1/6 rx Console(config-if)# show port monitor This command displays mirror information. Syntax show port monitor [interface] interface - ethernet unit/port (source port) •...
  • Page 293: Rate Limit Commands

    Rate Limit Commands This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.
  • Page 294: Rate-Limit Granularity

    Command Line Interface Example Console(config)#interface ethernet 1/1 Console(config-if)#rate-limit input level 20 Console(config-if)# rate-limit granularity Use this command to define the rate limit granularity for the Fast Ethernet ports, and the Gigabit Ethernet ports. Use the no form of this command to restore the default setting.
  • Page 295: Link Aggregation Commands

    Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP. This switch supports up to four trunks. For example, a trunk consisting of two 1000 Mbps ports can support an aggregate bandwidth of 4 Gbps when operating at full duplex.
  • Page 296: Channel-Group

    Command Usage • When configuring static trunks, the switches must comply with the Cisco EtherChannel standard. • Use no channel-group to remove a port group from a trunk. • Use no interfaces port-channel to remove a trunk from the switch.
  • Page 297: Lacp

    • A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID. • If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically. • If more than eight ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails.
  • Page 298: Lacp System-Priority

    Command Line Interface Example The following shows LACP enabled on ports 11-13. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk 1 has been established. Console(config)#interface ethernet 1/11 Console(config-if)#lacp Console(config-if)#exit...
  • Page 299: Lacp Admin-Key (Ethernet Interface)

    • Port must be configured with the same system priority to join the same LAG. • System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
  • Page 300: Lacp Admin-Key (Port Channel)

    {actor | partner} admin-key key [no] lacp {actor | partner} admin-key key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch. (Range: 0-65535) Default Setting...
  • Page 301: Lacp Port-Priority

    lacp port-priority This command configures LACP port priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority • actor - The local side of an aggregate link. • partner - The remote side of an aggregate link. •...
  • Page 302: Table 4-44. Show Lacp Counters - Display Description

    Command Line Interface Default Setting Port Channel: all Command Mode Privileged Exec Example Console#show lacp 1 counters Channel group : 1 ------------------------------------------------------------------------- Eth 1/ 1 ------------------------------------------------------------------------- LACPDUs Sent : 21 LACPDUs Received : 21 Marker Sent : 0 Marker Received : 0 LACPDUs Unknown Pkts : 0 LACPDUs Illegal Pkts : 0 Table 4-44.
  • Page 303: Table 4-45. Show Lacp Internal - Display Description

    Console#show lacp 1 internal Channel group : 1 ------------------------------------------------------------------------- Oper Key : 4 Admin Key : 0 Eth 1/1 ------------------------------------------------------------------------- LACPDUs Internal : 30 sec LACP System Priority : 32768 LACP Port Priority : 32768 Admin Key : 4 Oper Key : 4 Admin State : defaulted, aggregation, long timeout, LACP-activity Oper State : distributing, collecting, synchronization, aggregation, long timeout, LACP-activity...
  • Page 304: Table 4-46. Show Lacp Neighbors - Display Description

    Command Line Interface Console#show lacp 1 neighbors Channel group 1 neighbors ------------------------------------------------------------------------- Eth 1/1 ------------------------------------------------------------------------- Partner Admin System ID : 32768, 00-00-00-00-00-00 Partner Oper System ID : 32768, 00-00-00-00-00-01 Partner Admin Port Number : 1 Partner Oper Port Number : 1 Port Admin Priority : 32768 Port Oper Priority : 32768 Admin Key : 0...
  • Page 305: Address Table Commands

    Console# Table 4-47. show lacp sysid - display description: Channel group - A link aggregation group configured on this switch. System Priority - LACP system priority for this channel group. System MAC Address - System MAC address. a. The LACP system priority and system MAC address are concatenated to form the LAG system ID.
  • Page 306: Mac-Address-Table Static

    • port-channel channel-id (Range: 1-4) • vlan-id - VLAN ID (Range: 1-4094) • action - - delete-on-reset - Assignment lasts until the switch is reset. - permanent - Assignment is permanent. Default Setting No static addresses are defined. The default mode is permanent.
  • Page 307: Clear Mac-Address-Table Dynamic

    clear mac-address-table dynamic This command removes any learned entries from the forwarding database and clears the transmit and receive counts for any static or system configured entries. Default Setting None Command Mode Privileged Exec Example Console#clear mac-address-table dynamic show mac-address-table This command shows classes of entries in the bridge-forwarding database.
  • Page 308: Mac-Address-Table Aging-Time

    Command Line Interface 00-00-00-00-00-00 means an exact match, and a mask of FF-FF-FF-FF-FF-FF means “any.” • The maximum number of address entries is 8191. Example Console#show mac-address-table Interface Mac Address --------- ----------------- ---- ----------------- Eth 1/1 00-e0-29-94-34-de Trunk 2 00-E0-29-8F-AA-1B Console# mac-address-table aging-time This command sets the aging time for entries in the address table.
  • Page 309: Spanning Tree Commands

    Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 4-49. Spanning Tree Commands Command Function spanning-tree Enables the spanning tree protocol...
  • Page 310: Spanning-Tree Mode

    This example shows how to enable the Spanning Tree Algorithm for the switch: Console(config)#spanning-tree Console(config)# spanning-tree mode This command selects the spanning tree mode for this switch. Use the no form to restore the default. Syntax spanning-tree mode {stp | rstp} no spanning-tree mode •...
  • Page 311: Spanning-Tree Forward-Time

    Example Console(config)#spanning-tree forward-time 20 Console(config)# spanning-tree hello-time This command configures the spanning tree bridge hello time globally for this switch. Use the no form to restore the default. Syntax spanning-tree hello-time time no spanning-tree hello-time time - Time in seconds.
  • Page 312: Spanning-Tree Max-Age

    Console(config)#spanning-tree hello-time 5 Console(config)# spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax spanning-tree max-age seconds no spanning-tree max-age seconds - Time in seconds. (Range: 6-40 seconds) The minimum value is the higher of 6 or [2 x (hello-time + 1)].
  • Page 313: Spanning-Tree Priority

    This command configures the spanning tree priority globally for this switch. Use the no form to restore the default. Syntax spanning-tree priority priority no spanning-tree priority priority - Priority of the bridge. (Range – 0-61440, in steps of 4096; Options: 0, 4096, 8192, 12288,...
  • Page 314: Spanning-Tree Transmission-Limit

    Command Line Interface Command Usage The path cost method is used to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. Note that path cost (page 4-138) takes precedence over port priority (page 4-139).
  • Page 315: Spanning-Tree Port-Priority

    • This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
  • Page 316: Spanning-Tree Edge-Port

    Command Line Interface Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree port-priority 128 Related Commands spanning-tree cost (4-138) spanning-tree edge-port This command specifies an interface as an edge port. Use the no form to restore the default. Syntax [no] spanning-tree edge-port Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel)
  • Page 317: Spanning-Tree Portfast

    spanning-tree portfast This command sets an interface to fast forwarding. Use the no form to disable fast forwarding. Syntax [no] spanning-tree portfast Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • This command is used to enable/disable the fast spanning-tree mode for the selected port.
  • Page 318: Spanning-Tree Protocol-Migration

    • When automatic detection is selected, the switch derives the link type from the duplex mode. A full-duplex interface is considered a point-to-point link, while a half-duplex interface is assumed to be on a shared link.
  • Page 319: Show Spanning-Tree

    Command Usage • Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch and for every interface in the tree. • Use the show spanning-tree interface command to display the spanning tree configuration for an interface.
  • Page 320 Command Line Interface Example Console#show spanning-tree Spanning-tree information --------------------------------------------------------------- Spanning tree mode: Spanning tree enabled/disabled: Priority: Bridge Hello Time (sec.): Bridge Max Age (sec.): Bridge Forward Delay (sec.): Root Hello Time (sec.): Root Max Age (sec.): Root Forward Delay (sec.): Designated Root: Current root port: Current root cost:...
  • Page 321: Vlan Commands

    VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
  • Page 322: Vlan

    • no vlan vlan-id name removes the VLAN name. • no vlan vlan-id state returns the VLAN to the default state (i.e., active). • You can configure up to 255 VLANs on the switch. Example The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default.
  • Page 323: Configuring Vlan Interfaces

    Configuring VLAN Interfaces Table 4-52. Configuring VLAN Interfaces Command Function interface vlan Enters interface configuration mode for a specified VLAN switchport mode Configures VLAN membership mode for an interface switchport Configures frame types to be accepted by an interface acceptable-frame-types switchport ingress-filtering Enables ingress filtering on an interface switchport native vlan...
  • Page 324: Switchport Mode

    Command Line Interface switchport mode This command configures the VLAN membership mode for a port. Use the no form to restore the default. Syntax switchport mode {trunk | hybrid | private-vlan} no switchport mode • trunk - Specifies a port as an end-point for a VLAN trunk. A trunk is a direct link between two switches, so the port transmits tagged frames that identify the source VLAN.
  • Page 325: Switchport Ingress-Filtering

    Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN. Example The following example shows how to restrict the traffic received on port 1 to tagged frames: Console(config)#interface ethernet 1/1 Console(config-if)#switchport acceptable-frame-types tagged...
  • Page 326: Switchport Native Vlan

    Command Line Interface Example The following example shows how to set the interface to port 1 and then enable ingress filtering: Console(config)#interface ethernet 1/1 Console(config-if)#switchport ingress-filtering Console(config-if)# switchport native vlan This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default.
  • Page 327: Switchport Allowed Vlan

    VLAN groups as a tagged member. • Frames are always tagged within the switch. The tagged/untagged parameter used when adding a VLAN to an interface tells the switch whether to keep or remove the tag from a frame on egress.
  • Page 328: Switchport Forbidden Vlan

    Command Line Interface switchport forbidden vlan This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs. Syntax switchport forbidden vlan {add vlan-list | remove vlan-list} no switchport forbidden vlan • add vlan-list - List of VLAN identifiers to add. •...
  • Page 329: Displaying Vlan Information

    Displaying VLAN Information Command Function show vlan Shows VLAN information show interfaces status vlan Displays status for the specified VLAN interface show interfaces switchport Displays the administrative and operational status of an interface show vlan This command shows VLAN information. Syntax show vlan [id vlan-id | name vlan-name | private-vlan private-vlan-type] •...
  • Page 330: Configuring Private Vlans

    Configuring Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. This switch supports two types of private VLAN ports: promiscuous, and community ports. A promiscuous port can communicate with all interfaces within a private VLAN. Community ports can only communicate with other ports in their own community VLAN, and with their designated promiscuous ports.
  • Page 331: Private-Vlan

    private-vlan Use this command to create a primary, isolated or community private VLAN. Use the no form to remove the specified private VLAN. Syntax private-vlan vlan-id {community | primary | isolated} no private-vlan vlan-id • vlan-id - ID of private VLAN. (Range: 1-4094, no leading zeroes). •...
  • Page 332: Private Vlan Association

    Command Line Interface private vlan association Use this command to associate a primary VLAN with a secondary (i.e., community) VLAN. Use the no form to remove all associations for the specified primary VLAN. Syntax private-vlan primary-vlan-id association {secondary-vlan-id | add secondary-vlan-id | remove secondary-vlan-id} no private-vlan primary-vlan-id association •...
  • Page 333: Switchport Private-Vlan Host-Association

    Default Setting Normal VLAN Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage Promiscuous ports assigned to a primary VLAN can communicate with all other promiscuous ports in the same VLAN, as well as with all the ports in the associated secondary VLANs.
  • Page 334: Switchport Private-Vlan Mapping

    Console(config-if)#switchport private-vlan mapping 2 Console(config-if)# show vlan private-vlan Use this command to show the private VLAN configuration settings on this switch. Syntax show vlan private-vlan [community | isolated | primary] • community – Displays all community VLANs, along with their associated primary VLAN and assigned host interfaces.
  • Page 335: Gvrp And Bridge Extension Commands

    This command enables GVRP globally for the switch. Use the no form to disable it. Syntax [no] bridge-ext gvrp Default Setting Disabled Command Mode Global Configuration...
  • Page 336: Show Bridge-Ext

    Command Line Interface Example Console(config)#bridge-ext gvrp Console(config)# show bridge-ext This command shows the configuration for bridge extension commands. Default Setting None Command Mode Privileged Exec Command Usage See “Enabling or Disabling GVRP (Global Setting)” on page 3-104 and “Displaying Bridge Extension Capabilities” on page 3-11 for a description of the displayed items.
  • Page 337: Show Gvrp Configuration

    show gvrp configuration This command shows if GVRP is enabled. Syntax show gvrp configuration [interface] interface • ethernet unit/port - unit - This is device 1. - port - Port number. • port-channel channel-id (Range: 1-4) Default Setting Shows both global and interface-specific configuration. Command Mode Normal Exec, Privileged Exec Example...
  • Page 338: Show Garp Timer

    Command Line Interface Command Usage • Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN. The default values for the GARP timers are independent of the media access method or data rate.
  • Page 339: Priority Commands

    The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 340: Queue Mode

    Global Configuration Command Usage You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue.
  • Page 341: Switchport Priority Default

    Default Setting Weights 1, 2, 4, 6 are assigned to queues 0-3 respectively. Queue 0 is non-configurable. Command Mode Global Configuration Command Usage WRR controls bandwidth sharing at the egress port by defining scheduling weights. Example This example shows how to assign WRR weights to priority queues 1 - 3: Console(config)#queue bandwidth 6 9 12 Console(config)# Related Commands...
  • Page 342: Queue Cos-Map

    Command Line Interface • This switch provides eight priority queues for each port. It is configured to use Weighted Round Robin, which can be viewed with the show queue bandwidth command. Inbound frames that do not have VLAN tags are tagged with the input port’s default ingress user priority, and then placed in the...
  • Page 343: Show Queue Mode

    Command Usage • CoS values assigned at the ingress port are also used at the egress port. • This command sets the CoS priority for all interfaces. Example The following example shows how to map CoS values 0, 1 and 2 to egress queue 0, value 3 to egress queue 1, values 4 and 5 to egress queue 2, and values 6 and 7 to egress queue 3: Console(config)#interface ethernet 1/1...
  • Page 344: Show Queue Cos-Map

    Command Line Interface Example Console#show queue bandwidth Queue ID Weight -------- ------ Console# show queue cos-map This command shows the class of service priority map. Syntax show queue cos-map [interface] interface • ethernet unit/port - unit - This is device 1. - port - Port number.
  • Page 345: Priority Commands (Layer 3 And 4)

    Priority Commands (Layer 3 and 4) Table 4-59. Priority Commands (Layer 3 and 4) Command Function map ip port Enables TCP class of service mapping map ip port Maps TCP socket to a class of service map ip precedence Enables IP precedence class of service mapping map ip precedence Maps IP precedence value to a class of service map ip dscp...
  • Page 346: Map Ip Port (Interface Configuration)

    Command Line Interface map ip port (Interface Configuration) This command sets IP port priority (i.e., TCP/UDP port priority). Use the no form to remove a specific setting. Syntax map ip port port number cos cos-value no map ip port port-number •...
  • Page 347: Map Ip Precedence (Interface Configuration)

    Example The following example shows how to enable IP precedence mapping globally: Console(config)#map ip precedence Console(config)# map ip precedence (Interface Configuration) This command sets IP precedence priority (i.e., IP Type of Service priority). Use the no form to restore the default table. Syntax map ip precedence ip-precedence-value cos cos-value no map ip precedence...
  • Page 348: Map Ip Dscp (Global Configuration)

    Command Line Interface map ip dscp (Global Configuration) This command enables IP DSCP mapping (i.e., Differentiated Services Code Point mapping). Use the no form to disable IP DSCP mapping. Syntax [no] map ip dscp Default Setting Disabled Command Mode Global Configuration Command Usage •...
  • Page 349: Show Map Ip Port

    Default Setting The DSCP default values are defined in the following table. Note that all the DSCP values that are not specified are mapped to CoS value 0. Table 4-61. IP DSCP to CoS Values IP DSCP Value 10, 12, 14, 16 18, 20, 22, 24 26, 28, 30, 32, 34, 36 38, 40, 42...
  • Page 350: Show Map Ip Precedence

    Command Line Interface Default Setting None Command Mode Privileged Exec Example The following shows that HTTP traffic has been mapped to CoS value 0: Console#show map ip port TCP port mapping status: disabled Port Port no. COS --------- -------- --- Eth 1/ 5 Console# Related Commands...
  • Page 351: Show Map Ip Dscp

    Example Console#show map ip precedence ethernet 1/5 Precedence mapping status: disabled Port Precedence COS --------- ---------- --- Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Console# Related Commands map ip port (Global Configuration) (4-169)
  • Page 352: Multicast Filtering Commands

    Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
  • Page 353: Ip Igmp Snooping

    This command enables IGMP snooping on this switch. Use the no form to disable it. Syntax [no] ip igmp snooping Default Setting Enabled Command Mode Global Configuration Example The following example enables IGMP snooping. Console(config)#ip igmp snooping...
  • Page 354: Ip Igmp Snooping Version

    Version 1. • Some commands are only enabled for IGMPv2, including ip igmp query-max-response-time and ip igmp query-timeout. Example The following configures the switch to use IGMP Version 1: Console(config)#ip igmp snooping version 1 Console(config)# show ip igmp snooping This command shows the IGMP snooping configuration.
  • Page 355: Show Mac-Address-Table Multicast

    Example The following shows the current IGMP snooping configuration: Console#show ip igmp snooping Service status: Querier status: Query count: Query interval: Query max response time: 10 sec Router port expire time: 300 sec IGMP snooping version: Console# show mac-address-table multicast This command shows known multicast addresses.
  • Page 356: Igmp Query Commands (Layer 2)

    Configures the query timeout router-port-expire-time ip igmp snooping querier This command enables the switch as an IGMP querier. Use the no form to disable it. Syntax [no] ip igmp snooping querier Default Setting Enabled Command Mode...
  • Page 357: Ip Igmp Snooping Query-Interval

    This command configures the query interval. Use the no form to restore the default. Syntax ip igmp snooping query-interval seconds no ip igmp snooping query-interval seconds - The frequency at which the switch sends IGMP host-query messages. (Range: 60-125) Default Setting 125 seconds...
  • Page 358: Ip Igmp Snooping Query-Max-Response-Time

    Global Configuration Command Usage • The switch must be using IGMPv2 for this command to take effect. • This command defines the time after a query, during which a response is expected from a multicast client. If a querier has sent a number of queries...
  • Page 359: Static Multicast Routing Commands

    Default Setting 300 seconds Command Mode Global Configuration Command Usage The switch must use IGMPv2 for this command to take effect. Example The following shows how to configure the default timeout to 300 seconds: Console(config)#ip igmp snooping router-port-expire-time 300 Console(config)#...
  • Page 360: Show Ip Igmp Snooping Mrouter

    Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your router, you can manually configure that interface to join all the current multicast groups.
  • Page 361: Ip Interface Commands

    An IP address may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on.
  • Page 362: Ip Dhcp Restart

    Only one VLAN interface can be assigned an IP address (the default is VLAN 1). This defines the management VLAN, the only VLAN through which you can gain management access to the switch. If you assign an IP address to any other VLAN, the new IP address overrides the original IP address and this becomes the new management VLAN.
  • Page 363: Ip Default-Gateway

    Related Commands ip address (4-185) ip default-gateway This command establishes a static route between this switch and management stations that exist on another network segment. Use the no form to remove the static route. Syntax ip default-gateway gateway no ip default-gateway...
  • Page 364: Show Ip Redirects

    • size - Number of bytes in a packet. (Range: 32-512, default: 32) The actual packet size will be eight bytes larger than the size specified because the switch adds header information. • count - Number of packets to send. (Range: 1-16, default: 5) Default Setting This command has no default for the host.
  • Page 365 Example Console#ping 10.1.0.9 Type ESC to abort. PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds response time: 10 ms response time: 10 ms response time: 10 ms response time: 10 ms response time: 10 ms Ping statistics for 10.1.0.9: 5 packets transmitted, 5 packets received (100%), 0 packets lost (0%) Approximate round trip times:...
  • Page 367: Appendix A: Software Specifications

    Local, RADIUS, TACACS, Port (802.1x), HTTPS, SSH, Port Security Access Control Lists IP, MAC (up to 88 lists) DHCP Client Port Configuration Fixed Ports:100BASE-TX –10/100 Mbps, half/full duplex Optional Modules: 100BASE-FX: 100 Mbps, full duplex, 1000BASE-T: 1000 Mbps, full duplex, 1000BASE-SX/LX/LH: 1000 Mbps, full duplex Flow Control Full Duplex: IEEE 802.3x...
  • Page 368: Management Features

    Software Specifications Additional Features BOOTP client CIDR (Classless Inter-Domain Routing) SNTP (Simple Network Time Protocol) SNMP (Simple Network Management Protocol) RMON (Remote Monitoring, groups 1,2,3,9) Management Features In-Band Management Telnet, Web-based HTTP or HTTPS, SNMP manager, or Secure Shell Out-of-Band Management RS-232 DB-9 console port Software Loading TFTP in-band or XModem out-of-band...
  • Page 369: Management Information Bases

    Management Information Bases
    SNMPv2 (RFC 2571), SNTP (RFC 2030), SSH (Version 2.0), TFTP (RFC 1350)
    Management Information Bases: Bridge MIB (RFC 1493), Entity MIB (RFC 2737), Ether-like MIB (RFC 2665), Extended Bridge MIB (RFC 2674), Extensible SNMP Agents MIB (RFC 2742), Forwarding Table MIB (RFC 2096), IGMP MIB (RFC 2933), Interface Group MIB (RFC 2233)
  • Page 370 Software Specifications...
  • Page 371: Appendix B: Troubleshooting

      • Be sure the management station has an IP address in the same subnet as
      • If you are trying to connect to the switch via the IP address for a tagged
      • If you cannot connect using Telnet, you may have exceeded the maximum
    Cannot connect using
  • Page 372: Using System Logs

    Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
  • Page 373: Glossary

    EAPOL is a client authentication protocol used by this switch to verify the network access rights for any device that is plugged into the switch. A user name and password are requested by the switch, and then passed to an authentication server (e.g., RADIUS) for verification.
  • Page 374 IEEE 802.1x
    Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for authentication.
    IEEE 802.3ac
    Defines frame extensions for VLAN tagging.
  • Page 375 Internet Group Management Protocol (IGMP)
    A protocol through which hosts can register with their local router for multicast services. If there is more than one multicast switch/router on a given subnetwork, one of the devices is made the “querier” and assumes responsibility for keeping track of group membership.
  • Page 376 Glossary
    Multicast Switching
    A process whereby the switch filters incoming multicast frames for services for which no attached host has registered, or forwards them to all ports contained within the designated multicast VLAN group.
    Network Time Protocol (NTP)
    NTP provides the mechanisms to synchronize time across the network. The time servers operate in a hierarchical master-slave configuration in order to synchronize local clocks within the subnet and to national time standards via wire or radio.
  • Page 377
    A secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch.
    Simple Network Management Protocol (SNMP)
    The application protocol in the Internet suite of protocols which offers network management services.
  • Page 378 Glossary
    Virtual LAN (VLAN)
    A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. A VLAN serves as a logical workgroup with no physical barriers, and allows users to share information and resources as though located on the same LAN.
  • Page 379: Index

    Index Numerics 802.1x, port authentication 3-46, 4-77 acceptable frame type 3-111, 4-148 Access Control List See ACL Extended IP 3-54, 4-85, 4-86, 4-88 MAC 3-54, 4-85, 4-93, 4-93–4-95 Standard IP 3-54, 4-85, 4-86, 4-87 address table 3-86, 4-129 aging time 3-89, 4-132 BOOTP 3-14, 4-185 BPDU 3-90 broadcast storm, threshold 3-77, 4-110...
  • Page 380 Index IGMP groups, displaying 3-137, 4-179 Layer 2 3-133, 4-176 query 3-133, 4-180 query, Layer 2 3-133, 4-180 snooping 3-133, 4-177 snooping, configuring 3-133, 4-176 ingress filtering 3-111, 4-149 IP address BOOTP/DHCP 3-14, 4-185, 4-186 setting 2-4, 3-12, 4-185 IP precedence enabling 3-126, 4-169, 4-170 mapping priorities 3-127, 4-171 jumbo frame 4-60...
  • Page 381 RADIUS, logon authentication 4-69 rate limits, setting 3-80, 4-117 remote logging 4-46 restarting the system 3-27, 4-22 RSTP 3-89, 4-134 global configuration 3-90, 4-134 secondary VLAN 3-114 secure shell 3-39, 4-34 Secure Shell configuration 3-39, 4-37 serial port configuring 4-10 Simple Network Management Protocol See SNMP SNMP 3-29...
  • Page 382 Index Web interface access requirements 3-1 configuration buttons 3-3 home page 3-2 menu list 3-4 panel display 3-3 Index-4...
  • Page 384 FOR TECHNICAL SUPPORT, CALL:
    From U.S.A. and Canada (24 hours a day, 7 days a week): (800) SMC-4-YOU; (949) 679-8000; Fax: (949) 679-1481
    From Europe (8:00 AM - 5:30 PM UK Time): 44 (0) 118 974 8700; Fax: 44 (0) 118 974 8701
    INTERNET E-mail addresses: techsupport@smc.com...
