SMC Networks SMC TigerStack 1000 SMC8724M Management Manual

SMC Networks Gigabit Ethernet Switch Management Guide

TigerStack 10G
Gigabit Ethernet Switch
◆ 24/48 auto-MDI/MDI-X 10/100/1000BASE-T ports
◆ 4 ports shared with 4 SFP transceiver slots
◆ Non-blocking switching architecture
◆ Support for a redundant power unit
◆ Spanning Tree Protocol, RSTP, and MSTP
◆ Up to 32 LACP or static 8-port trunks
◆ Layer 2/3/4 CoS support through eight priority queues
◆ Layer 3/4 traffic priority with IP Precedence and IP DSCP
◆ Full support for VLANs with GVRP
◆ IGMP multicast filtering and snooping
◆ Support for jumbo frames up to 9 KB
◆ Manageable via console, Web, and SNMP/RMON

Management Guide

SMC8724M
SMC8748M


Summary of Contents for SMC Networks SMC TigerStack 1000 SMC8724M

  • Page 1: Management Guide

  • Page 4 TigerStack 10G Management Guide From SMC’s Tiger line of feature-rich workgroup LAN solutions 38 Tesla Irvine, CA 92618 Phone: (949) 679-8000 October 2004 Pub. # 150200049000A...
  • Page 5 Information furnished by SMC Networks, Inc. (SMC) is believed to be accurate and reliable. However, no responsibility is assumed by SMC for its use, nor for any infringements of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent or patent rights of SMC.
  • Page 6 Limited Warranty Statement: SMC Networks, Inc. (“SMC”) warrants its products to be free from defects in workmanship and materials, under normal use and service, for the applicable warranty term. All SMC products carry a standard 90-day limited warranty from the date of purchase from SMC or its Authorized Reseller.
  • Page 7 * SMC will provide warranty service for one year following discontinuance from the active SMC price list. Under the limited lifetime warranty, internal and external power supplies, fans, and cables are covered by a standard one-year warranty from date of purchase. SMC Networks, Inc. 38 Tesla Irvine, CA 92618...
  • Page 8 LIMITED WARRANTY...
  • Page 9: Table Of Contents

    Connecting to the Switch...
  • Page 10 Displaying Bridge Extension Capabilities 3-16; Setting the Switch’s IP Address 3-18; Manual Configuration...
  • Page 11 Configuring Local/Remote Logon Authentication 3-60; Configuring HTTPS 3-65; Replacing the Default Secure-site Certificate...
  • Page 12 Configuring Rate Limits 3-126; Showing Port Statistics 3-127; Address Table Settings...
  • Page 13 Selecting IP Precedence/DSCP Priority 3-193; Mapping IP Precedence 3-193; Mapping DSCP Priority...
  • Page 14 ... 4-33; switch renumber 4-33; User Access Commands...
  • Page 15 ip http secure-port 4-42; Telnet Server Commands 4-43; ip telnet server...
  • Page 16 clock timezone 4-73; calendar set 4-74; show calendar...
  • Page 17 dot1x default 4-105; dot1x max-req 4-106; dot1x port-control...
  • Page 18 ACL Information 4-144; show access-list 4-145; show access-group...
  • Page 19 media-type 4-179; shutdown...
  • Page 20 mst priority 4-221; name...
  • Page 21 GVRP and Bridge Extension Commands 4-254; bridge-ext gvrp 4-254; show bridge-ext...
  • Page 22 ip igmp snooping query-max-response-time 4-283; ip igmp snooping router-port-expire-time 4-284; Static Multicast Routing Commands 4-285; ip igmp snooping vlan mrouter...
  • Page 23 Table 1-1 Key Features 1-1; Table 1-2 System Defaults...
  • Page 24 Table 4-17 Event Logging Commands 4-56; Table 4-18 Logging Levels 4-58; Table 4-19 show logging flash/ram - display description...
  • Page 25 Table 4-54 Address Table Commands 4-206; Table 4-55 Spanning Tree Commands 4-210; Table 4-56 VLAN Commands...
  • Page 26 System Information 3-13; Figure 3-4 Switch Information 3-15; Figure 3-5 Bridge Extension Configuration...
  • Page 27 Figure 3-34 SSH Server Settings 3-73; Figure 3-35 Port Security 3-76; Figure 3-36 802.1X Global Information...
  • Page 28 Figure 3-71 MSTP Port Configuration 3-163; Figure 3-72 Enabling GVRP Status 3-168; Figure 3-73 VLAN Basic Information...
  • Page 29: Introduction

    This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular...
  • Page 30: Description Of Software Features

    Multicast Filtering Supports IGMP snooping and query Description of Software Features The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network.
  • Page 31: Management Features

    Use the full-duplex mode on ports whenever possible to double the throughput of switch connections. Flow control should also be enabled to control network traffic during periods of congestion and prevent the loss of...
  • Page 32 Static Addresses – A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
  • Page 33 (CRC). This prevents bad frames from entering the network and wasting bandwidth. To avoid dropping frames on congested ports, the switch provides 1 MB for frame buffering. This buffer can queue packets awaiting transmission on congested networks.
  • Page 34 VLAN members from being segmented from the rest of the group (as sometimes occurs with IEEE 802.1D STA). Virtual LANs – The switch supports up to 255 VLANs. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network.
  • Page 35: System Defaults

    Class of Service value by the switch, and the traffic then sent to the corresponding output queue. Multicast Filtering – Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real-time delivery by setting the required priority level for the designated VLAN.
  • Page 36 Function Authentication Web Management HTTP Server SNMP Table 1-2 System Defaults Parameter Privileged Exec Level Normal Exec Level Enable Privileged Exec from Normal Exec Level RADIUS Authentication TACACS Authentication 802.1X Port Authentication HTTPS Port Security IP Filtering HTTP Port Number HTTP Secure Server HTTP Secure Port Number Community Strings...
  • Page 37 Function Parameter Port Admin Status Configuration Auto-negotiation Flow Control Rate Limiting Input and output limits Port Trunking Static Trunks LACP (all ports) Broadcast Storm Status Protection Broadcast Limit Rate Spanning Tree Status Protocol Fast Forwarding (Edge Port) Disabled Address Table Aging Time Virtual LANs Default VLAN...
  • Page 38: Table 1-2 System Defaults

    Function IP Settings Multicast Filtering IGMP Snooping System Log SMTP Email Alerts SNTP Table 1-2 System Defaults Parameter Management VLAN IP Address Subnet Mask Default Gateway DHCP BOOTP Status Messages Logged Messages Logged to Flash Event Handler Clock Synchronization Default Any VLAN configured with an IP address...
  • Page 39: Initial Configuration

    (CLI). Note: The IP address for this switch is obtained via DHCP by default. To change this address, see “Setting an IP Address” on page 2-10. The switch’s HTTP Web agent allows you to configure switch parameters, monitor port connections, and display statistics using a standard Web browser such as Netscape Navigator version 6.2 and higher or Microsoft...
  • Page 40: Required Connections

    Configure Spanning Tree parameters • Configure Class of Service (CoS) priority queuing • Configure up to 6 static or LACP trunks per switch, up to 32 per stack, from 2 to 8 ports per trunk • Enable port mirroring •...
  • Page 41 Attach a VT100-compatible terminal, or a PC running a terminal emulation program to the switch. You can use the console cable provided with this package, or use a null-modem cable that complies with the wiring assignments shown in the Installation Guide.
  • Page 42: Remote Connections

    IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is assigned via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address”...
  • Page 43: Stack Operations

    Up port) in the stack designated as unit 1. This unit identification number appears on the Stack Unit ID LED on the front panel of the switch. It can also be selected on the front panel graphic of the web interface, or from the CLI.
  • Page 44: Master Backup Unit

    • If a unit is removed from the stack, and powered up as a stand-alone unit, it will also retain the original unit number obtained during stacking. Master Backup Unit Once the Master unit finishes booting up, the Slave unit in the stack with the lowest MAC address functions as the primary backup unit.
  • Page 45: Ip Interface For Stack Management

    fails, the stack will be broken in two. The Stack Link LED on the unit that is no longer receiving traffic from the next unit up in the stack will begin flashing to indicate that the stack link is broken. When the stack fails, a Master unit is selected from the two stack segments, either the unit with the Master button depressed, or the unit with the lowest MAC address if the Master button is not depressed on any unit.
  • Page 46: Resilient Configuration

    Access to both CLI levels is controlled by user names and passwords. The switch has a default user name and password for each level. To log into the CLI at the Privileged Exec level using the default user name and password, perform these steps: 1.
  • Page 47: Setting Passwords

    “username” command, record them and put them in a safe place. Passwords can consist of up to 8 alphanumeric characters and are case sensitive. To prevent unauthorized access to the switch, set the passwords as follows: 1. Open the console interface with the default user name and password “admin”...
  • Page 48: Setting An Ip Address

    DHCP address allocation servers on the network. Manual Configuration You can manually assign an IP address to the switch. You may also need to specify a default gateway that resides between this device and management stations on another network segment. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods.
  • Page 49: Dynamic Configuration

    If the “bootp” or “dhcp” option is saved to the startup-config file (step 6), then the switch will start broadcasting service requests as soon as it is powered on. To automatically configure the switch by communicating with BOOTP or...
  • Page 50: Enabling Snmp Management Access

    The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications such as SMC EliteView. You can configure the switch to (1) respond to SNMP requests or (2) generate SNMP traps. When SNMP management stations send requests to the switch (either to return information or to set a parameter), the switch provides the requested data or sets the specified parameter.
  • Page 51: Community Strings (For Snmp Version 1 And 2C Clients)

    - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects. To prevent unauthorized access to the switch via SNMP version 1 or 2c clients, it is recommended that you change the default community strings.
  • Page 52: Trap Receivers

    Trap Receivers You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, use the “snmp-server host” command. From the Privileged Exec level global configuration mode prompt, type: “snmp-server host host-address community string [version {1|2c|3 {auth|noauth|priv}}]” where “host-address”...
  • Page 53: Saving Configuration Settings

    Console(config)# For a more detailed explanation on how to configure the switch for access from SNMP v3 clients, refer to “Simple Network Management Protocol” on page 3-45, or refer to the specific CLI commands for SNMP starting on page 4-146.
  • Page 54: Managing System Files

    Diagnostic Code — Software that is run during system boot-up, also known as POST (Power On Self-Test). Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows.
  • Page 55 Note that configuration files should be downloaded using a file name that reflects the contents or usage of the file settings. If you download directly to the running-config, the system will reboot, and the settings will have to be copied from the running-config to a permanent file.
  • Page 56 INITIAL CONFIGURATION 2-18...
  • Page 57: Configuring The Switch

    Telnet. For more information on using the CLI, refer to Chapter 4 “Command Line Interface.” Prior to accessing the switch from a Web browser, be sure you have first performed the following tasks: 1. Configure the switch with a valid IP address, subnet mask, and default gateway using an out-of-band serial connection, BOOTP or DHCP protocol.
  • Page 58 If you log in as “admin” (Privileged Exec level), you can change the settings on any page. 3. If the path between your management station and this switch does not pass through any device that uses the Spanning Tree Algorithm, then you can set the switch port attached to your management station to fast forwarding (i.e., enable Admin...
  • Page 59: Navigating The Web Browser Interface

    “admin.” Home Page When your web browser connects with the switch’s web agent, the home page is displayed as shown below. The home page displays the Main Menu on the left side of the screen and System Information on the right side.
  • Page 60: Configuration Options

    Panel Display The web agent displays an image of the switch’s ports. The Mode can be set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control).
  • Page 61: Main Menu

    Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Menu System System Information...
  • Page 62 Port Security 802.1X Information Table 3-2 Main Menu (Continued) Description Restarts the switch Configures SNTP client settings, including broadcast mode or a specified list of servers Sets the local time zone for the system clock Configures community strings and related...
  • Page 63 Table 3-2 Main Menu (Continued) Menu Configuration Port Configuration Statistics IP Filter Configuration Mask Configuration Port Binding Port Port Information Trunk Information Port Configuration Trunk Configuration Trunk Membership LACP Configuration Aggregation Port Port Counters Information Port Internal Information Port Neighbors Information Description...
  • Page 64 Menu Port Broadcast Control Trunk Broadcast Control Mirror Port Configuration Rate Limit Input Port Configuration Input Trunk Configuration Output Port Configuration Output Trunk Configuration Port Statistics Address Table Static Addresses Dynamic Addresses Address Aging Spanning Tree Information Configuration Port Information Trunk Information...
  • Page 65 MST instance Enables GVRP VLAN registration protocol Displays information on the VLAN type supported by this switch Shows the current port members of each VLAN and whether or not the port is tagged or untagged Used to create or remove VLAN groups...
  • Page 66 Menu Private VLAN Status Link Status Protocol VLAN Configuration Port Configuration Priority Default Port Priority Default Trunk Priority Traffic Classes Traffic Classes Status Queue Mode Queue Scheduling IP Precedence/DSCP Priority Status IP Precedence Priority IP DSCP Priority IP Port Priority Status IP Port Priority...
  • Page 67 VLAN ID Assigns ports that are attached to a neighboring multicast router Displays all multicast groups active on this switch, including multicast IP addresses and VLAN ID Indicates multicast addresses associated with the selected VLAN Enables DNS; configures domain name and domain list;...
  • Page 68: Basic Configuration

    Field Attributes • System Name – Name assigned to the switch system. • Object ID – MIB II object ID for switch’s network management subsystem. • Location – Specifies the system location. • Contact – Administrator responsible for the system.
  • Page 69: Figure 3-3 System Information

    Web – Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that allows access to the Command Line Interface via Telnet.) Figure 3-3 System Information...
  • Page 70: Displaying Switch Hardware/Software Versions

    Fan Speed Test ... PASS Done All Pass. Console# Displaying Switch Hardware/Software Versions Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. Field Attributes Main Board •...
  • Page 71: Figure 3-4 Switch Information

    • Operation Code Version – Version number of runtime code. • Role – Shows that this switch is operating as Master or Slave. These additional parameters are displayed for the CLI. • Unit ID – Unit number in stack.
  • Page 72: Displaying Bridge Extension Capabilities

    Extended Multicast Filtering Services – This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol). • Traffic Classes – This switch provides mapping of user priorities to multiple traffic classes. (Refer to “Class of Service Configuration” on page 3-186.) •...
  • Page 73: Figure 3-5 Bridge Extension Configuration

    • Local VLAN Capable – This switch does not support multiple local bridges outside of the scope of 802.1Q defined VLANs. • GMRP – GARP Multicast Registration Protocol (GMRP) allows network devices to register endstations with multicast groups. This switch does not support GMRP; it uses the Internet Group Management Protocol (IGMP) to provide automatic multicast filtering.
  • Page 74: Setting The Switch's Ip Address

    Setting the Switch’s IP Address This section describes how to configure an IP interface for management access over the network. The IP address for this switch is obtained via DHCP by default. To manually configure an address, you need to change the switch’s default settings (IP address 0.0.0.0 and netmask 255.0.0.0) to...
  • Page 75: Manual Configuration

    (Default: 0.0.0.0) • MAC Address – The physical layer address for this switch. Manual Configuration Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,”...
  • Page 76: Using Dhcp/Bootp

    IP Address Mode to DHCP or BOOTP. Click Apply to save your changes. Then click Restart DHCP to immediately request a new address. Note that the switch will also broadcast a request for IP configuration settings on each power reset.
  • Page 77 Console# Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the switch is moved to another network segment, you will lose management access to the switch. In this case, you can reboot the switch or submit a client request to restart DHCP service via the CLI.
  • Page 78: Managing Firmware

    You can upload/download firmware to or from a TFTP server, or copy files to and from switch units in a stack. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation.
  • Page 79: Downloading System Software From A Server

    “opcode,” enter the file name of the software to download, select a file on the switch to overwrite or specify a new file name, then click Apply. If you replaced the current firmware used for startup and want to start using the new operation code, reboot the system via the System/Reset menu.
  • Page 80: Figure 3-9 Setting The Startup Code

    If you download to a new destination file, go to the File Management, Set Start-Up menu, mark the operation code file used at startup, and click Apply. To start the new firmware, reboot the system, via the System/Reset menu.
  • Page 81: Saving Or Restoring Configuration Settings

    Console#reload Saving or Restoring Configuration Settings You can upload/download configuration settings to/from a TFTP server, or copy files to and from switch units in a stack. The configuration file can be later downloaded to restore the switch’s settings. Command Attributes •...
  • Page 82 - tftp to startup-config – Copies a file from a TFTP server to the startup config. - file to unit – Copies a file from this switch to another unit in the stack. - unit to file – Copies a file from another unit in the stack to this switch.
  • Page 83: Downloading Configuration Settings From A Server

    “tftp to file,” and enter the IP address of the TFTP server. Specify the name of the file to download, select a file on the switch to overwrite or specify a new file name, and then click Apply.
  • Page 84: Console Port Settings

    CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch. Console#copy tftp startup-config TFTP server ip address: 192.168.1.19...
  • Page 85 • Password Threshold – Sets the password intrusion threshold, which limits the number of failed logon attempts. When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt.
  • Page 86: Figure 3-13 Configuring The Console Port

    Web – Click System, Line, Console. Specify the console port connection parameters as required, then click Apply. Figure 3-13 Configuring the Console Port CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.
  • Page 87: Telnet Settings

    These parameters can be configured via the Web or CLI interface. Command Attributes • Telnet Status – Enables or disables Telnet access to the switch. (Default: Enabled) • Telnet Port Number – Sets the TCP port number for Telnet on the switch.
  • Page 88: Figure 3-14 Configuring The Telnet Interface

    Web – Click System, Line, Telnet. Specify the connection parameters for Telnet access, then click Apply. Figure 3-14 Configuring the Telnet Interface CLI – Enter Line Configuration mode for a virtual terminal, then specify the connection parameters as required. To display the current virtual terminal settings, use the show line command from the Normal Exec level.
  • Page 89: Configuring Event Logging

    Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displays a list of recent event messages.
  • Page 90: Figure 3-15 System Logs

    • RAM Level – Limits log messages saved to the switch’s temporary RAM memory for all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 will be logged to RAM.
  • Page 91: Remote Log Configuration

    The attribute specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to process messages, such as sorting or storing messages in the corresponding database.
  • Page 92: Figure 3-16 Remote Logs

    • Host IP Address – Specifies a new server IP address to add to the Host IP List. Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add.
  • Page 93: Displaying Log Messages

    Displaying Log Messages Use the Logs page to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.
  • Page 94 • SMTP Server List – Specifies a list of up to three recipient SMTP servers. The switch attempts to connect to the other listed servers if the first fails. Use the New SMTP Server text field and the Add/Remove buttons to configure the list.
  • Page 95: Figure 3-18 Enabling And Configuring Smtp Alerts

    Web – Click System, Log, SMTP. Enable SMTP, specify a source email address, and select the minimum severity level. To add an IP address to the SMTP Server List, type the new IP address in the SMTP Server field and click Add.
  • Page 96: Renumbering The Stack

    CLI – Enter the IP address of at least one SMTP server, set the syslog severity level to trigger an email message, and specify the switch (source) and up to five recipient (destination) email addresses. Enable SMTP with the logging sendmail command to complete the configuration. Use the show logging sendmail command to display the current SMTP configuration.
  • Page 97: Resetting The System

    Console#switch all renumber Console# Resetting the System Web – Click System, Reset. Click the Reset button to restart the switch. When prompted, confirm that you want to reset the switch. CLI – Use the reload command to restart the switch.
  • Page 98: Setting The System Clock

    You can also manually set the clock using the CLI. (See “calendar set” on page 4-74.) If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
  • Page 99: Setting The Time Zone

    Web – Select SNTP, Configuration. Modify any of the required parameters, and click Apply. Figure 3-21 SNTP Configuration CLI – This example configures the switch to operate as an SNTP client and then displays the current time and settings. Console(config)#sntp client Console(config)#sntp poll 16 Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.24-70...
  • Page 100: Figure 3-22 Setting The Time Zone

    • Minutes (0-59) – The number of minutes before/after UTC. • Direction – Configures the time zone to be before (east) or after (west) UTC. Web – Select SNTP, Clock Time Zone. Set the offset for your time zone relative to the UTC, and click Apply.
  • Page 101: Management Information Bases

    MIB specifications and the protocol used to access this information over the network. The switch includes an onboard agent that supports SNMP versions 1, 2c, and 3. This agent continuously monitors the status of the switch hardware, as well as the traffic passing through its ports. A network management station can access this information using software such as SMC EliteView.
  • Page 102: Table 3-4 Snmpv3 Security Models And Levels

    Each group also has a defined security access to a set of MIB objects for reading and writing, which are known as “views.” The switch has a default view (all MIB objects) and default groups defined for security models v1 and v2c.
  • Page 103: Enabling The Snmp Agent

    SNMP Agent Status – Enables SNMP on the switch. Web – Click SNMP, Agent Status. Enable the SNMP Agent by marking the Enabled checkbox, and click Apply. CLI – The following example enables SNMP on the switch. Console(config)#snmp-server Console(config)# Setting Community Access Strings You may configure up to five community strings authorized for management access by clients using SNMP v1 and v2c.
  • Page 104: Specifying Trap Managers And Trap Types

    Console(config)# Specifying Trap Managers and Trap Types Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as SMC EliteView).
  • Page 105 Command Attributes • Trap Manager Capability – This switch supports up to five trap managers. • Current – Displays a list of the trap managers currently configured. • Trap Manager IP Address – IP address of a new management station to receive notification messages.
  • Page 106: Configuring Snmpv3 Management Access

    1. If you want to change the default engine ID, do so before configuring other SNMP parameters. 2. Specify read and write access views for the switch MIB tree. 3. Configure SNMP user groups with the required security model (i.e., SNMP v1, v2c or v3) and security level (i.e., authentication and...
  • Page 107: Setting An Engine Id

    The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets. A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engineID is deleted or changed, all SNMP users will be cleared.
  • Page 108: Configuring Snmpv3 Users

    Configuring SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read and a write view. Command Attributes •...
  • Page 109: Figure 3-27 Configuring Snmpv3 Users

    Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
  • Page 110: Configuring Snmpv3 Groups

    CLI – Use the snmp-server user command to configure a new user name and assign it to a group. Console(config)#snmp-server user chris group r&d v3 auth md5 greenpeace priv des56 einstien Console(config)#exit Console#show snmp user EngineId: 800000ca030030f1df9ca00000 User Name: chris Authentication Protocol: md5 Privacy Protocol: des56...
  • Page 111: Figure 3-28 Configuring Snmpv3 Groups

    Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read and write views. Click Add to save the new group and return to the Groups list.
  • Page 112: Setting Snmpv3 Views

    CLI – Use the snmp-server group command to configure a new group, specifying the security model and level, and restricting MIB access to defined read and write views. Console(config)#snmp-server group v3secure v3 priv read defaultview write defaultview Console(config)#exit Console#show snmp group Group Name: v3secure...
  • Page 113: Figure 3-29 Configuring Snmpv3 Views

    In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view. Click Back to save the new view and return to the SNMPv3 Views list. For a specific view, click on View OID Subtrees to display the current configuration, or click on Edit OID Subtrees to make changes to the view settings.
  • Page 114: User Authentication

    Subtree OID: 1 View Type: included Storage Type: nonvolatile Row Status: active Console# User Authentication You can restrict management access to this switch using the following options: • User Accounts – Manually configure management access rights for users. •...
  • Page 115: Configuring User Accounts

    Configuring User Accounts The guest only has read access for most configuration parameters. However, the administrator has write access for all parameters governing the onboard agent. You should therefore assign a new administrator password as soon as possible, and store it in a safe place. The default guest name is “guest”...
  • Page 116: Configuring Local/Remote Logon Authentication

    Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.
  • Page 117 Command Usage • By default, management access is always checked against the authentication database stored on the local switch. If a remote authentication server is used, you must specify the authentication sequence and the corresponding parameters for the remote authentication protocol. Local and remote logon authentication control management access via the console port, web browser, or Telnet.
  • Page 118: Radius Settings

    • Authentication – Select the authentication, or authentication sequence required: - Local – User authentication is performed only locally by the switch. - Radius – User authentication is performed using a RADIUS server only. - TACACS – User authentication is performed using a TACACS+ server only.
  • Page 119 (Range: 1-30; Default: 2) - Timeout for a reply – The number of seconds the switch waits for a reply from the RADIUS server before it resends the request. (Range: 1-65535; Default: 5) •...
  • Page 120: Figure 3-31 Authentication Server Settings

    Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply. Figure 3-31 Authentication Server Settings CLI –...
  • Page 121: Configuring Https

    Configuring HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Command Usage • Both the HTTP and HTTPS service can be enabled independently on the switch.
  • Page 122: Replacing The Default Secure-Site Certificate

    This is because the certificate has not been signed by an approved certification authority. If you want this warning to be replaced by a message confirming that the connection to the switch is secure, you must obtain a unique certificate and a private key and password from a recognized certification authority.
  • Page 123: Configuring The Secure Shell

    Source certificate file name: <certificate file name> Source private file name: <private key file name> Private password: <password for private key> Note: The switch must be reset for the new certificate to be activated. To reset the switch, type: Configuring the Secure Shell The Berkeley-standard includes remote access tools originally designed for Unix systems.
  • Page 124 51941746772984865468615717739390164779355942303577413098022737087794545240839 71752646358058176716709574804776117 3. Import Client’s Public Key to the Switch – Use the copy tftp public-key command (page 4-84) to copy a file containing the public key for all the SSH clients granted management access to the switch. (Note that these...
  • Page 125 The switch compares the client's public key to those stored in memory. c. If a match is found, the switch uses the public key to encrypt a random sequence of bytes, and sends this string to the client. d. The client uses its private key to decrypt the bytes, and sends the decrypted bytes back to the switch.
  • Page 126: Generating The Host Key Pair

    Generating the Host Key Pair A host public/private key pair is used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the preceding section (Command Usage).
  • Page 127: Figure 3-33 Ssh Host-Key Settings

    Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate. Figure 3-33 SSH Host-Key Settings...
  • Page 128: Configuring The Ssh Server

    (Default: Disabled) • Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients. • SSH Authentication Timeout – Specifies the time interval in seconds that the SSH server waits for a response from a client during an authentication attempt.
  • Page 129: Figure 3-34 Ssh Server Settings

    SSH Server-Key Size – Specifies the SSH server key size. (Range: 512-896 bits; Default: 768) - The server key is a private key that is never shared outside the switch. - The host key is shared with the SSH client, and is fixed at 1024 bits.
  • Page 130: Configuring Port Security

    Console#disconnect 0 Console# Configuring Port Security Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
  • Page 131 Any other device that attempts to use the port will be prevented from accessing the switch. Command Usage • A secure port has the following restrictions: - It cannot use port monitoring.
  • Page 132: Configuring 802.1X Port Authentication

    The IEEE 802.1X (dot1x) standard defines a port-based access control procedure that prevents unauthorized access to a network by requiring users to first submit credentials for authentication. Access to all switch... Figure 3-35 Port Security...
  • Page 133 (EAPOL) to exchange authentication protocol messages with the client, and a remote RADIUS authentication server to verify user identity and access rights. When a client (i.e., Supplicant) connects to a switch port, the switch (i.e., Authenticator) responds with an EAPOL identity request. The client provides its identity (such as a user name) in an EAPOL response to the switch, which it forwards to the RADIUS server.
  • Page 134: Displaying 802.1X Global Settings

    RADIUS authentication must be enabled on the switch and the IP address of the RADIUS server specified. • Each switch port that will be used must be set to dot1x “Auto” mode. • Each client that needs to be authenticated must have dot1x client software installed and properly configured.
  • Page 135: Configuring 802.1X Global Settings

    . 802.1X is disabled on port 1/48 Console# Configuring 802.1X Global Settings The 802.1X protocol includes port authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active. Command Attributes • 802.1X System Authentication Control – Sets the global setting for 802.1X.
  • Page 136: Configuring Port Settings For 802.1X

    • Re-authentication – Sets the client to be re-authenticated after the interval specified by the Re-authentication Period. Re-authentication can be used to detect if a new device is plugged into a switch port. (Default: Disabled)...
  • Page 137: Figure 3-38 802.1X Port Configuration

    EAP request packet to the client before it times out the authentication session. (Range: 1-10; Default 2) • Quiet Period – Sets the time that a switch port waits after the Max Request count has been exceeded before attempting to acquire a new client. (Range: 1-65535 seconds; Default: 60) •...
  • Page 138: Configuring The Switch

    CLI – This example sets the authentication mode to enable 802.1X on port 2, and allows up to ten clients to connect to this port. Console(config)#interface ethernet 1/2 Console(config-if)#dot1x port-control auto Console(config-if)#dot1x re-authentication Console(config-if)#dot1x max-req 5 Console(config-if)#dot1x timeout quiet-period 40 Console(config-if)#dot1x timeout re-authperiod 5 Console(config-if)#dot1x timeout tx-period 40 Console(config-if)#end...
  • Page 139: Displaying 802.1X Statistics

    Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port. Parameter Rx EAPOL Start Rx EAPOL Logoff Rx EAPOL Invalid Rx EAPOL Total Rx EAP Resp/Id Rx EAP Resp/Oth Rx EAP LenError Rx Last EAPOLVer...
  • Page 140: Figure 3-39 802.1X Port Statistics

    Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics. CLI – This example displays the 802.1X statistics for port 4. Console#show dot1x statistics interface ethernet 1/4 Eth 1/4 Rx: EXPOL Start...
  • Page 141: Filtering Ip Addresses For Management Access

    • If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
  • Page 142: Figure 3-40 Ip Filter

    • Start IP Address – A single IP address, or the starting address of a range. • End IP Address – The end address of a range. Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add IP Filtering Entry.
  • Page 143: Access Control Lists

    An ACL is a sequential list of permit or deny conditions that apply to IP addresses, MAC addresses, or other more specific criteria. This switch tests ingress or egress packets against the conditions in an ACL one by one. A packet will be accepted as soon as it matches a permit rule, or dropped as soon as it matches a deny rule.
  • Page 144: Setting The Acl Name And Type

    ACL must be deny rules. Otherwise, the bind operation will fail. • The switch does not support the explicit “deny any any” rule for the egress IP ACL or the egress MAC ACLs. If these rules are included in an ACL, and you attempt to bind the ACL to an interface for egress checking, the bind operation will fail.
  • Page 145: Configuring A Standard Ip Acl

    Web – Click Security, ACL, Configuration. Enter an ACL name in the Name field, select the list type (IP Standard, IP Extended, or MAC), and click Add to open the configuration page for the new list. Figure 3-41 Selecting ACL Type CLI –...
  • Page 146: Configuring An Extended Ip Acl

    Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Then click Add.
  • Page 147 • Source/Destination Subnet Mask – Subnet mask for source or destination address. (See the description for SubMask on page 3-89.) • Service Type – Packet priority settings based on the following criteria: - Precedence – IP precedence level. (Range: 0-8) - TOS –...
  • Page 148: Figure 3-43 Acl Configuration - Extended Ip

    Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range.
  • Page 149: Configuring A Mac Acl

    3. Permit all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to “SYN.” Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any Console(config-ext-acl)#permit 192.168.1.0 255.255.255.0 any destination-port 80 Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any control-flag 2 2 Console(config-ext-acl)# Configuring a MAC ACL Command Attributes •...
  • Page 150: Figure 3-44 Acl Configuration - Mac

    • Packet Format – This attribute includes the following packet types: Any – Any Ethernet packet type. Untagged-eth2 – Untagged Ethernet II packets. Untagged-802.3 – Untagged Ethernet 802.3 packets. Tagged-eth2 – Tagged Ethernet II packets. Tagged-802.3 – Tagged Ethernet 802.3 packets. Command Usage Egress MAC ACLs only work for destination-mac-known packets, not for multicast, broadcast, or destination-mac-unknown packets.
  • Page 151: Configuring Acl Masks

    Configuring ACL Masks You must specify masks that control the order in which ACL rules are checked. The switch includes two system default masks that pass/filter packets matching the permit/deny rules specified in an ingress ACL. You must also configure up to seven user-defined masks for an ingress or egress ACL.
  • Page 152: Configuring An Ip Acl Mask

    Web – Click Security, ACL, Mask Configuration. Click Edit for one of the basic mask types to open the configuration page. Figure 3-45 Selecting ACL Mask Types CLI – This example creates an IP ingress mask, and then adds two rules. Each rule is checked in order of precedence to look for a match in the ACL entries.
  • Page 153: Figure 3-46 Acl Mask Configuration - Ip

    specify a host address (not a subnet), or “IP” to specify a range of addresses. (Options: Any, Host, IP; Default: Any) • Source/Destination Subnet Mask – Source or destination address of rule must match this bitmask. (See the description for SubMask on page 3-89.) •...
  • Page 154: Configuring A Mac Acl Mask

    CLI – This shows that the entries in the mask override the precedence in which the rules are entered into the ACL. In the following example, packets with the source address 10.1.1.1 are dropped because the “deny 10.1.1.1 255.255.255.255”...
  • Page 155: Figure 3-47 Configuring A Mac Based Acl

    Web – Configure the mask to match the required rules in the MAC ingress or egress ACLs. Set the mask to check for any source or destination address, a host address, or an address range. Use a bitmask to search for specific VLAN ID(s) or Ethernet type(s).
  • Page 156: Binding A Port To An Access Control List

    • This switch supports ACLs for both ingress and egress filtering. However, you can only bind one IP ACL and one MAC ACL to any port for ingress filtering, and one IP ACL and one MAC ACL to any port for egress filtering.
  • Page 157: Figure 3-48 Acl Port Binding

    ACL must be deny rules. Otherwise, the bind operation will fail. • The switch does not support the explicit “deny any any” rule for the egress IP ACL or the egress MAC ACLs. If these rules are included in an ACL, and you attempt to bind the ACL to an interface for egress checking, the bind operation will fail.
  • Page 158: Port Configuration

    CLI – This example assigns an IP and MAC ingress ACL to port 1, and an IP ingress ACL to port 2. Console(config)#interface ethernet 1/1 Console(config-if)#ip access-group david in Console(config-if)#mac access-group jerry in Console(config-if)#exit Console(config)#interface ethernet 1/2 Console(config-if)#ip access-group david in Console(config-if)# Port Configuration...
  • Page 159: Figure 3-49 Port Status Information

    • Port type – Indicates the port type. (1000BASE-T or SFP) • MAC address – The physical layer address for this port. (To access this item on the web, see “Setting the Switch’s IP Address” on page 3-18.) Configuration: •...
  • Page 160 - 100full - Supports 100 Mbps full-duplex operation - 1000full - Supports 1000 Mbps full-duplex operation • Broadcast storm – Shows if broadcast storm control is enabled or disabled. • Broadcast storm limit – Shows the broadcast storm threshold. (500 - 262143 packets per second) •...
  • Page 161: Configuring Interface Connections

    CLI – This example shows the connection status for Port 5. Console#show interfaces status ethernet 1/5 Information of Eth 1/5 Basic information: Port type: Mac address: Configuration: Name: Port admin: Speed-duplex: Capabilities: 1000full Broadcast storm: Broadcast storm limit: Flow control: LACP: Port security: Max MAC count:...
  • Page 162 • Autonegotiation (Port Capabilities) – Allows auto-negotiation to be enabled/disabled. When auto-negotiation is enabled, you need to specify the capabilities to be advertised. When auto-negotiation is disabled, you can force the settings for speed, mode, and flow control. The following capabilities are supported.
  • Page 163: Creating Trunk Groups

    A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices (i.e., single switch or a stack). You can create up to 32 trunks.
  • Page 164 • You can create up to 32 trunks on the switch, with up to eight ports per trunk. Note that because the stack functions conceptually as a single system, you can include ports from different units in the same stack.
  • Page 165: Statically Configuring A Trunk

    However, note that the static trunks on this switch are Cisco EtherChannel compatible. • To avoid creating a loop in the network, be sure you add a static...
  • Page 166: Figure 3-51 Static Trunk Configuration

    Web – Click Port, Trunk Membership. Enter a trunk ID of 1-32 in the Trunk field, select any of the switch ports from the scroll-down port list, and click Add. After you have completed adding ports to the member list, click Apply.
  • Page 167: Enabling Lacp On Selected Ports

    CLI – This example creates trunk 2 with ports 9 and 10. Just connect these ports to two static trunk ports on another switch to form a trunk. Console(config)#interface port-channel 2 Console(config-if)#exit Console(config)#interface ethernet 1/9 Console(config-if)#channel-group 2 Console(config-if)#exit Console(config)#interface ethernet 1/10...
  • Page 168: Figure 3-52 Lacp Trunk Configuration

    ID. • If more than eight ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails.
  • Page 169: Configuring Lacp Parameters

    CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk. Console(config)#interface ethernet 1/1 Console(config-if)#lacp Console(config-if)#exit Console(config)#interface ethernet 1/6 Console(config-if)#lacp Console(config-if)#end Console#show interfaces status port-channel 1...
  • Page 170 - Ports must be configured with the same system priority to join the same LAG. - System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
  • Page 171: Figure 3-53 Lacp - Aggregation Port

    Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.
  • Page 172: Displaying Lacp Port Counters

    CLI – The following example configures LACP parameters for ports 1-6. Ports 1-4 are used as active members of the LAG; ports 5 and 6 are set to backup mode. Console(config)#interface ethernet 1/1 Console(config-if)#lacp actor system-priority 3 Console(config-if)#lacp actor admin-key 1204-198 Console(config-if)#lacp actor port-priority 128 Console(config-if)#exit...
  • Page 173: Figure 3-54 Lacp - Port Counters Information

    Table 3-7 LACP Port Counters (Continued) Field Description Marker Received – Number of valid Marker PDUs received by this channel group. LACPDUs Unknown Pkts – Number of frames received that either (1) carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
  • Page 174: Displaying Lacp Settings And Status For The Local Side

    CLI – The following example displays LACP counters for port channel 1. Console#show lacp 1 counters Channel group : 1 ------------------------------------------------------------------- Eth 1/ 1 ------------------------------------------------------------------- LACPDUs Sent : 21 LACPDUs Received : 21 Marker Sent : 0 Marker Received : 0 LACPDUs Unknown Pkts : 0 LACPDUs Illegal Pkts : 0...
  • Page 175 Table 3-8 LACP Internal Configuration Information (Continued) Field Description Admin State, Oper State – Administrative or operational values of the actor’s state parameters: • Expired – The actor’s receive machine is in the expired state; • Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.
  • Page 176: Figure 3-55 Lacp - Port Internal Information

    Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 3-55 LACP - Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1. Console#show lacp 1 internal Port channel: 1 -------------------------------------------------------------------...
  • Page 177: Displaying Lacp Settings And Status For The Remote Side

    Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of a link aggregation. Table 3-9 LACP Neighbor Configuration Information Field Partner Admin System Partner Oper System Partner Admin Port Number Partner Oper Port Number...
  • Page 178: Figure 3-56 Lacp - Port Neighbors Information

    Web – Click Port, LACP, Port Neighbors Information. Select a port channel to display the corresponding information. Figure 3-56 LACP - Port Neighbors Information CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1. Console#show lacp 1 neighbors Port channel 1 neighbors -------------------------------------------------------------------...
  • Page 179: Setting Broadcast Storm Thresholds

    • The default threshold is 500 packets per second. • Broadcast control does not affect IP multicast traffic. • The specified threshold applies to all ports on the switch. Command Attributes • Port – Port number. • Trunk – Trunk number.
  • Page 180: Figure 3-57 Port Broadcast Control

    Web – Click Port, Port Broadcast Control or Trunk Broadcast Control. Check the Enabled box for any interface, set the threshold, and click Apply. CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 600 packets per second for port 2.
  • Page 181: Configuring Port Mirroring

    Configuring Port Mirroring You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
  • Page 182: Configuring Rate Limits

    Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the switch. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.
  • Page 183: Showing Port Statistics

    RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port. This information can be used to identify potential problems with the switch (such as a faulty port or Figure 3-59 Rate Limit Configuration...
  • Page 184: Table 3-10 Port Statistics

    unusually heavy loading). RMON statistics provide access to a broad range of statistics, including a total count of different frame types and sizes passing through each port. All values displayed have been accumulated since the last system reboot, and are shown as counts per second. Statistics are refreshed every 60 seconds by default.
  • Page 185 Table 3-10 Port Statistics (Continued) Parameter Transmit Unicast Packets Transmit Multicast Packets The total number of packets that higher-level Transmit Broadcast Packets Transmit Discarded Packets Transmit Errors Etherlike Statistics Alignment Errors Late Collisions FCS Errors Excessive Collisions Description The total number of packets that higher-level protocols requested be transmitted to a subnetwork-unicast address, including those that were discarded or not sent.
  • Page 186 Parameter Single Collision Frames Internal MAC Transmit Errors Multiple Collision Frames A count of successfully transmitted frames for which Carrier Sense Errors SQE Test Errors Frames Too Long Deferred Transmissions Internal MAC Receive Errors RMON Statistics Drop Events Jabbers Received Bytes...
  • Page 187 Table 3-10 Port Statistics (Continued) Parameter Collisions Received Frames Broadcast Frames Multicast Frames CRC/Alignment Errors Undersize Frames Oversize Frames Fragments 64 Bytes Frames 65-127 Byte Frames 128-255 Byte Frames 256-511 Byte Frames 512-1023 Byte Frames 1024-1518 Byte Frames 1519-1536 Byte Frames Description The best estimate of the total number of collisions on this Ethernet segment.
  • Page 188: Figure 3-60 Port Statistics

    Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen. Figure 3-60 Port Statistics...
  • Page 189: Figure 3-61 Port Statistics (Continued)

    Figure 3-61 Port Statistics (continued)...
  • Page 190: Address Table Settings

    Setting Static Addresses A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
  • Page 191: Table

    MAC address and VLAN, then click Add Static Address. CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset. Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset Console(config)# 5.
  • Page 192: Displaying The Address Table

    Displaying the Address Table The Dynamic Address Table contains the MAC addresses learned by monitoring the source address for traffic entering the switch. When the destination address for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associated port.
  • Page 193: Changing The Aging Time

    Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query. CLI – This example also displays the address table entries for port 1. Console#show mac-address-table interface ethernet 1/1 Interface Mac Address --------- ----------------- ---- -----------------...
  • Page 194: Spanning Tree Algorithm Configuration

    The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure...
  • Page 195 STA uses a distributed algorithm to select a bridging device (STA-compliant switch, bridge or router) that serves as the root of the spanning tree network. It selects a root port on each bridging device (except for the root device) which incurs the lowest path cost when forwarding a packet from that device to the root device.
  • Page 196: Displaying Global Settings

    STA Information screen. Field Attributes • Spanning Tree State – Shows if the switch is enabled to participate in an STA-compliant network. • Bridge ID – A unique identifier for this bridge, consisting of the bridge priority and MAC address (where the address is taken from the switch system).
  • Page 197 Designated Root – The priority and MAC address of the device in the Spanning Tree that this switch has accepted as the root device. - Root Port – The number of the port on this switch that is closest to the root. This switch communicates with the root device through this port.
  • Page 198 • Root Hello Time – Interval (in seconds) at which this device transmits a configuration message. • Root Maximum Age – The maximum time (in seconds) this device can wait without receiving a configuration message before attempting to reconfigure.
  • Page 199: Figure 3-65 Sta Information

    Web – Click Spanning Tree, STA, Information. Figure 3-65 STA Information CLI – This command displays global STA settings, followed by settings for each port. Console#show spanning-tree Spanning-tree information --------------------------------------------------------------- Spanning tree mode Spanning tree enable/disable Instance Vlans configuration Priority Bridge Hello Time (sec.) Bridge Max Age (sec.) Bridge Forward Delay (sec.)
  • Page 200: Configuring Global Settings

    RSTP node transmits, as described below: - STA Mode – If the switch receives an 802.1D BPDU (i.e., STA BPDU) after a port’s migration delay timer expires, the switch assumes it is connected to an 802.1D bridge and starts using only 802.1D BPDUs.
  • Page 201 Spanning Tree Type – Specifies the type of spanning tree used on this switch: - STA: Spanning Tree Algorithm (IEEE 802.1D); (i.e., when this option is selected, the switch will use RSTP set to STA forced compatibility mode). - RSTP: Rapid Spanning Tree (IEEE 802.1w); RSTP is the default.
  • Page 202 • Maximum Age – The maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN.
  • Page 203 Configuration Settings for MSTP • Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned. (Default: 65) • Configuration Digest – An MD5 signature key that contains the VLAN ID to MST ID mapping table. In other words, this key is a mapping of all VLANs to the CIST.
  • Page 204: Figure 3-66 Sta Configuration

    Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply. CLI – This example enables Spanning Tree Algorithm, sets the mode to MST, and then configures the STA and MSTP parameters. Console(config)#spanning-tree Console(config)#spanning-tree mode mst Console(config)#spanning-tree priority 4096 Console(config)#spanning-tree hello-time 5 Console(config)#spanning-tree max-age 20...
  • Page 205: Displaying Interface Settings

    - A port on a network segment with no other STA compliant bridging device is always forwarding. - If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment, the port with the smaller ID forwards packets and the other is discarding.
  • Page 206 • Designated Port – The port priority and number of the port on the designated bridging device through which this switch must communicate with the root of the Spanning Tree. • Oper Path Cost – The contribution of this port to the path cost of paths towards the spanning tree which include this port.
  • Page 207 Priority – Defines the priority used for this port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree.
  • Page 208: Figure 3-67 Sta Port Information

    - Point-to-Point – A connection to exactly one other bridge. - Shared – A connection to two or more bridges. - Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared media.
  • Page 209: Configuring Interface Settings

    CLI – This example shows the STA attributes for port 5. Console#show spanning-tree ethernet 1/5 1/ 5 information -------------------------------------------------------------- Admin status: Role: State: External admin path cost: 10000 Internal admin path cost: 10000 External oper path cost: Internal oper path cost: Priority: Designated cost: Designated port:...
  • Page 210 Priority – Defines the priority used for this port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree.
  • Page 211 - Point-to-Point – A connection to exactly one other bridge. - Shared – A connection to two or more bridges. - Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared media. (This is the default setting.)
  • Page 212: Configuring Multiple Spanning Trees

    By default all VLANs are assigned to the Internal Spanning Tree (MST Instance 0) that connects all bridges and LANs within the MST region. This switch supports up to 65 instances. You should try to group VLANs which cover the same general area of your network. However,...
  • Page 213 (on each bridge) with the same set of VLANs. Also, note that RSTP treats each MSTI region as a single node, connecting all regions to the Common Spanning Tree. To use multiple spanning trees: 1. Set the spanning tree type to MSTP (STA Configuration, page 3-144). 2.
  • Page 214: Figure 3-69 Mstp Vlan Configuration

    Web – Click Spanning Tree, MSTP, VLAN Configuration. Select an instance identifier from the list, set the instance priority, and click Apply. To add the VLAN members to an MSTI instance, enter the instance identifier, the VLAN identifier, and click Add. Figure 3-69 MSTP VLAN Configuration...
  • Page 215: Each Port

    CLI – This displays STA settings for instance 1, followed by settings for each port. Console#show spanning-tree mst 2 Spanning-tree information --------------------------------------------------------------- Spanning tree mode Spanning tree enable/disable Instance Vlans configuration Priority Bridge Hello Time (sec.) Bridge Max Age (sec.) Bridge Forward Delay (sec.) Root Hello Time (sec.) Root Max Age (sec.)
  • Page 216: Displaying Interface Settings For Mstp

    CLI – This example sets the priority for MSTI 1, and adds VLANs 1-5 to this MSTI. Console(config)#spanning-tree mst configuration Console(config-mstp)#mst 1 priority 4096 Console(config-mstp)#mst 1 vlan 1-5 Console(config-mstp)# Displaying Interface Settings for MSTP The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance.
  • Page 217: Spanning Tree

    CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST (page 3-140); the settings for other instances only apply to the local spanning tree.
  • Page 218: Configuring Interface Settings For Mstp

    Priority – Defines the priority used for this port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree.
  • Page 219: Figure 3-71 Mstp Port Configuration

    • Admin MST Path Cost – This parameter is used by the MSTP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.) Note that when the Path Cost Method is set to short (page 3-63), the maximum path cost is 65,535.
  • Page 220: Vlan Configuration

    IEEE 802.1Q VLANs In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains. This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains. VLANs confine broadcast traffic to the originating group, and can eliminate broadcast storms in large networks.
  • Page 221: Assigning Ports To Vlans

    VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port).
  • Page 222 IEEE 802.1Q VLAN protocol, it can be configured to broadcast a message to your network indicating the VLAN groups it wants to join. When this switch receives these messages, it will automatically place the receiving port in the specified VLANs, and then forward the message to all other ports.
  • Page 223 When forwarding a frame from this switch along a path that contains any VLAN-aware devices, the switch should include VLAN tags. When forwarding a frame from this switch along a path that does not contain any VLAN-aware devices (including the destination host), the switch must first strip off the VLAN tag before forwarding the frame.
  • Page 224: Enabling Or Disabling Gvrp (Global Setting)

    receives a tagged frame, it will pass this frame onto the VLAN(s) indicated by the frame tag. However, when this switch receives an untagged frame from a VLAN-unaware device, it first decides where to forward the frame, and then inserts a VLAN tag reflecting the ingress port’s default VID.
  • Page 225: Displaying Current Vlans

    Maximum VLAN ID – Maximum VLAN ID recognized by this switch. • Maximum Number of Supported VLANs – Maximum number of VLANs that can be configured on this switch. Web – Click VLAN, 802.1Q VLAN, Basic Information. CLI – Enter the following command. Console#show bridge-ext...
  • Page 226: Figure 3-74 Vlan Current Table

    Up Time at Creation – Time this VLAN was created (i.e., System Up Time). • Status – Shows how this VLAN was added to the switch. - Dynamic GVRP: Automatically learned via GVRP. - Permanent: Added as a static entry.
  • Page 227: Creating Vlans

    Console# Creating VLANs Use the VLAN Static List to create or remove VLAN groups. To propagate information about VLAN groups used on this switch to external network devices, you must specify a VLAN ID for each of these groups. Command Attributes •...
  • Page 228: Figure 3-75 Creating Virtual Lans

    • Status (Web) – Enables or disables the specified VLAN. - Enable: VLAN is operational - Disable: VLAN is suspended; i.e., does not pass packets. • State (CLI) – Enables or disables the specified VLAN. - Active: VLAN is operational. - Suspend: VLAN is suspended;...
  • Page 229: Adding Static Members To Vlans (Vlan Index)

    VLAN compliant devices, or untagged if they are not connected to any VLAN-aware devices. Or configure a port as forbidden to prevent the switch from automatically adding it to a VLAN via the GVRP protocol. Notes: 1. You can also use the VLAN Static Membership by Port page to configure VLAN groups based on the port index (page 3-175).
  • Page 230 Command Attributes • VLAN – ID of configured VLAN (1-4093, no leading zeroes). • Name – Name of the VLAN (1 to 32 characters). • Status – Enables or disables the specified VLAN. - Enable: VLAN is operational. - Disable: VLAN is suspended;...
  • Page 231: Adding Static Members To Vlans (Port Index)

    Web – Click VLAN, 802.1Q VLAN, Static Table. Select a VLAN ID from the scroll-down list. Modify the VLAN name and status if required. Select the membership type by marking the appropriate radio button in the list of ports or trunks. Click Apply. Figure 3-76 VLAN Static Table - Adding Static Members CLI –...
  • Page 232: Figure 3-77 Vlan Static Membership By Port

    • Member – VLANs for which the selected interface is a tagged member. • Non-Member – VLANs for which the selected interface is not a tagged member. Web – Click VLAN, 802.1Q VLAN, Static Membership by Port. Select an interface from the scroll-down box (Port or Trunk).
  • Page 233: Configuring Vlan Behavior For Interfaces

    Configuring VLAN Behavior for Interfaces You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers. Command Usage • GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
  • Page 234 • GVRP Status – Enables/disables GVRP for the interface. GVRP must be globally enabled for the switch before this setting can take effect. (See “Displaying Bridge Extension Capabilities” on page 3-16.) When disabled, any GVRP packets received on this port will be discarded and no GVRP registrations will be propagated from other ports.
  • Page 235: Figure 3-78 Vlan Port Configuration

    • Mode – Indicates VLAN membership mode for an interface. (Default: Hybrid) - 1Q Trunk – Specifies a port as an end-point for a VLAN trunk. A trunk is a direct link between two switches, so the port transmits tagged frames that identify the source VLAN. However, note that frames belonging to the port’s default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames.
  • Page 236: Configuring Private Vlans

    Private VLANs provide port-based security and isolation between ports within the assigned VLAN. Data traffic on downlink ports can only be forwarded to, and from, uplink ports. (Note that private VLANs and normal VLANs can exist simultaneously within the same switch.)...
  • Page 237: Enabling Private Vlans

    Use the Private VLAN Link Status page to set ports as downlink or uplink ports. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports.
  • Page 238: Configuring Protocol-Based Vlans

    Web – Click VLAN, Private VLAN, Link Status. Mark the ports that will serve as uplinks and downlinks for the private VLAN, then click Apply. CLI – This configures ports 3 and 4 as uplinks and ports 5 and 6 as downlinks.
  • Page 239: Configuring Protocol Groups

    To avoid these problems, you can configure this switch with protocol-based VLANs that divide the physical network into logical VLAN groups for each required protocol. When a frame is received at a port, its VLAN membership can then be determined based on the protocol type being used by the inbound packets.
  • Page 240: Mapping Protocols To Vlans

    Web – Click VLAN, Protocol VLAN, Configuration. Enter a protocol group ID, frame type and protocol type, then click Apply. Figure 3-81 Protocol VLAN Configuration CLI – The following creates protocol group 1, and then specifies Ethernet frames with IP and ARP protocol types.
  • Page 241: Figure 3-82 Protocol Vlan Port Configuration

    - If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface. Command Attributes • Interface – Port or trunk identifier. • Protocol Group ID – Group identifier of this protocol group. (Range: 1-2147483647) •...
  • Page 242: Class Of Service Configuration

    Layer 2 Queue Settings Setting the Default Priority for Interfaces You can specify the default port priority for each interface on the switch. All untagged packets entering the switch are tagged with the specified default port priority, and then sorted into the appropriate priority queue at the output port.
  • Page 243: Figure 3-83 Default Port Priority

    • Number of Egress Traffic Classes – The number of queue buffers provided for each port. Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply. Figure 3-83 Default Port Priority CLI –...
  • Page 244: Mapping Cos Values To Egress Queues

    The priority levels recommended in the IEEE 802.1p standard for various network applications are shown in the following table. However, you can map the priority levels to the switch’s output queues in any way that benefits application traffic for your own network.
  • Page 245: Figure 3-84 Traffic Classes

    Console# Note: Mapping specific values for CoS priorities is implemented as an interface configuration command, but any changes will apply to all interfaces on the switch. 11. CLI shows Queue ID. – Output queue buffer. (Range: 0-7, where 7 is the...
  • Page 246: Selecting The Queue Mode

    Selecting the Queue Mode You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue.
  • Page 247: Setting The Service Weight For Traffic Classes

    Setting the Service Weight for Traffic Classes This switch uses the Weighted Round Robin (WRR) algorithm to determine the frequency at which it services each priority queue. As described in “Mapping CoS Values to Egress Queues” on page 3-188, the traffic classes are mapped to one of the four egress queues provided for each port.
  • Page 248: Layer 3/4 Priority Settings

    Because different priority information may be contained in the traffic, this switch maps priority values to the output queues in the following manner: • The precedence for priority mapping is IP Port Priority, IP Precedence or DSCP Priority, and then Default Port Priority.
  • Page 249: Selecting Ip Precedence/Dscp Priority

    Selecting IP Precedence/DSCP Priority The switch allows you to choose between using IP Precedence or DSCP priority. Select one of the methods or disable this feature. Command Attributes • Disabled – Disables both priority services. (This is the default setting.) •...
  • Page 250: Table 3-13 Mapping Ip Precedence

    Service values (i.e., Precedence value 0 maps to CoS value 0, and so forth). Bits 6 and 7 are used for network control, and the other bits for various application types. ToS bits are defined in the following table. Priority Level Command Attributes •...
  • Page 251: Mapping Dscp Priority

    CLI – The following example globally enables IP Precedence service on the switch, maps IP Precedence value 1 to CoS value 0 (on port 1), and then displays the IP Precedence settings.* Console(config)#map ip precedence Console(config)#interface ethernet 1/1 Console(config-if)#map ip precedence 1 cos 0...
  • Page 252: Figure 3-89 Ip Dscp Priority

    Class of Service Value field, then click Apply. CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings.
  • Page 253: Mapping Ip Port Priority

    Note: Mapping specific values for IP DSCP is implemented as an interface configuration command, but any changes will apply to all interfaces on the switch. Mapping IP Port Priority You can also map network applications to Class of Service values based on the IP port number (i.e., TCP/UDP port number) in the frame header.
  • Page 254: Figure 3-90 Ip Port Priority Status

    Service box, and then click Apply. CLI – The following example globally enables IP Port Priority service on the switch, maps HTTP traffic (on port 1) to CoS value 0, and then displays the IP Port Priority settings. Console(config)#map ip port...
  • Page 255: Mapping Cos Values To Acls

    Note: Mapping specific values for IP Port Priority is implemented as an interface configuration command, but any changes will apply to all interfaces on the switch. Mapping CoS Values to ACLs Use the ACL CoS Mapping page to set the output queue for packets matching an ACL rule as shown in the following table.
  • Page 256: Figure 3-92 Acl Cos Priority

    Web – Click Priority, ACL CoS Priority. Enable mapping for any port, select an ACL from the scroll-down list, then click Apply. CLI – This example assigns a CoS value of zero to packets matching rules within the specified ACL on port 24. Console(config)#interface ethernet 1/24 Console(config-if)#map access-list ip bill cos 0 Console(config-if)#...
  • Page 257: Multicast Filtering

    It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service. This procedure is called multicast filtering.
  • Page 258: Layer 2 Igmp (Snooping And Query)

    IGMP querier, you can manually designate a known IGMP querier (i.e., a multicast router/switch) connected over the network to an interface on your switch (page 3-206). This interface will then join all the current multicast groups supported by the attached router/switch to ensure that multicast traffic is passed to all appropriate interfaces within the switch.
  • Page 259 This is also referred to as IGMP Snooping. (Default: Enabled) • Act as IGMP Querier — When enabled, the switch can serve as the Querier, which is responsible for asking hosts if they want to receive multicast traffic. (Default: Enabled) •...
  • Page 260: Figure 3-93 Igmp Configuration

    • IGMP Version — Sets the protocol version for compatibility with other devices on the network. (Range: 1-2; Default: 2) Notes: 1. All systems on the subnet must support the same version. 2. Some attributes are only enabled for IGMPv2, including IGMP Report Delay and IGMP Query Timeout.
  • Page 261: Displaying Interfaces Attached To A Multicast Router

    VLAN ID – ID of configured VLAN (1-4093). • Multicast Router List – Multicast routers dynamically discovered by this switch or those that are statically assigned to an interface on this switch. Web – Click IGMP Snooping, Multicast Router Port Information. Select the required VLAN ID from the scroll-down list to display the associated multicast routers.
  • Page 262: Specifying Static Interfaces For A Multicast Router

    IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your switch, you can manually configure the interface (and a specified VLAN) to join all the current multicast groups supported by the attached router.
  • Page 263: Displaying Port Members Of Multicast Services

    Web – Click IGMP Snooping, Static Multicast Router Port Configuration. Specify the interfaces attached to a multicast router, indicate the VLAN which will forward all the corresponding multicast traffic, and then click Add. After you have finished adding interfaces to the list, click Apply. Figure 3-95 Static Multicast Router Port Configuration CLI –...
  • Page 264: Assigning Ports To Multicast Services

    Query Parameters” on page 3-202. For certain applications that require tighter control, you may need to statically configure a multicast service on the switch. First add all the ports attached to participating hosts to a common VLAN, and then assign the multicast service to that VLAN group.
  • Page 265: Figure 3-97 Igmp Member Port Table

    Web – Click IGMP Snooping, IGMP Member Port Table. Specify the interface attached to a multicast service (via an IGMP-enabled switch or multicast router), indicate the VLAN that will propagate the multicast service, specify the multicast IP address, and click Add. After you have completed adding ports to the member list, click Apply.
  • Page 266: Configuring Domain Name Service

    IP addresses using static table entries or by redirection to other name servers on the network. When a client device designates this switch as a DNS server, the client will attempt to resolve host names into IP addresses by forwarding DNS queries to the switch, and waiting for a response.
  • Page 267 • When an incomplete host name is received by the DNS server on this switch and a domain name list has been specified, the switch will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
  • Page 268: Figure 3-98 Dns General Configuration

    Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name servers to use for address resolution, enable domain lookup status, and click Apply. Figure 3-98 DNS General Configuration...
  • Page 269: Configuring Static Dns Host To Address Entries

    CLI - This example sets a default domain name and a domain list. However, remember that if a domain list is specified, the default domain name is not used. Console(config)#ip domain-name sample.com Console(config)#ip domain-list sample.com.uk Console(config)#ip domain-list sample.com.jp Console(config)#ip name-server 192.168.1.55 10.1.0.55 Console(config)#ip domain-lookup Console(config)#exit Console#show dns...
  • Page 270: Figure 3-99 Dns Static Host Table

    Field Attributes • Host Name – Name of a host device that is mapped to one or more IP addresses. (Range: 1-64 characters) • IP Address – Internet address(es) associated with a host name. (Range: 1-8 addresses) •...
  • Page 271: Displaying The Dns Cache

    CLI - This example maps two addresses to a host name, and then configures an alias host name for the same addresses. Console(config)#ip host rd5 192.168.1.55 10.1.0.55 Console(config)#ip host rd6 10.1.0.55 Console(config)#exit Console#show host Hostname Inet address 192.168.1.5 10.1.0.55 Alias 1.rd6 Console# Displaying the DNS Cache...
  • Page 272: Figure 3-100 Dns Cache

    Web – Select DNS, Cache. CLI - This example displays all the resource records learned from the designated name servers. Console#show dns cache FLAG Console# Figure 3-100 DNS Cache TYPE CNAME 207.46.134.222 CNAME 207.46.134.190 CNAME 207.46.134.155 CNAME 207.46.249.222 CNAME...
  • Page 273: Command Line Interface

    Using the Command Line Interface Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt.
  • Page 274: Telnet Connection

    Note: The IP address for this switch is obtained via DHCP by default. To access the switch through a Telnet session, you must first set the IP address for the switch, and set the default gateway if you are managing the switch from a different IP subnet.
  • Page 275: Entering Commands

    2. At the prompt, enter the user name and system password. The CLI will display the “Vty-n#” prompt for the administrator to show that you are using privileged access mode (i.e., Privileged Exec), or “Vty-n>” for the guest to show that you are using normal access mode (i.e., Normal Exec), where n indicates the number of the current Telnet session.
  • Page 276: Minimum Abbreviation

    • To enter multiple commands, enter each command in the required order. For example, to enable Privileged Exec command mode, and display the startup configuration, enter: Console>enable Console#show startup-config • To enter commands that require parameters, enter the required parameters after the command keyword.
  • Page 277: Showing Commands

    Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line, VLAN Database, or MSTP). You can also display a list of valid keywords for a specific command.
  • Page 278: Partial Keyword Lookup

    The command “show interfaces ?” will display the following information: Console#show interfaces ? counters protocol-vlan status switchport Console# Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?”...
  • Page 279: Understanding Command Modes

    You must be in Global Configuration mode to access any of the other configuration modes. Exec Commands When you open a new console session on the switch with the user name and password “guest,” the system enters the Normal Exec command mode (or guest mode), displaying the “Console>” command prompt.
  • Page 280: Configuration Commands

    Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in non-volatile storage, use the copy running-config startup-config command.
  • Page 281: Table 4-2 Configuration Commands

    • Line Configuration - These commands modify the console port and Telnet configuration, and include commands such as parity and databits. • VLAN Configuration - Includes the command to create VLAN groups. • Multiple Spanning Tree Configuration - These commands configure settings for the selected multiple spanning tree instance.
  • Page 282: Command Line Processing

    For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode. Console(config)#interface ethernet 1/5 Console(config-if)#exit Console(config)# Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters.
  • Page 283: Command Groups

    CLI name, browser management options, and a variety of other system information Manages code image or switch configuration files Configures logon access using local or remote authentication; also configures port security and IEEE 802.1X port access control...
  • Page 284 Configures the address table for filtering specified addresses, displays current entries, clears the table, or sets the aging time Configures Spanning Tree settings for the switch Configures VLAN settings, and defines port membership for VLAN groups; also enables or configures private VLANs and protocol VLANs Configures GVRP settings that permit automatic VLAN learning;...
  • Page 285: Line Commands

    Line Commands You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal). Command line login password timeout login...
  • Page 286: Line

    line This command identifies a specific line for configuration, and to process subsequent line configuration commands. Syntax line {console | vty} • console - Console terminal line. • vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting There is no default line.
  • Page 287: Login

    Command Mode Line Configuration Command Usage • There are three authentication modes provided by the switch itself at login: - login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode.
  • Page 288: Password

    Example Console(config-line)#login local Console(config-line)# Related Commands username (4-34) password (4-16) password This command specifies the password for a line. Use the no form to remove the password. Syntax password {0 | 7} password no password • {0 | 7} - 0 means plain password, 7 means encrypted password •...
  • Page 289: Timeout Login Response

    Example Console(config-line)#password 0 secret Console(config-line)# Related Commands login (4-15) password-thresh (4-19) timeout login response This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting. Syntax timeout login response [seconds] no timeout login response...
  • Page 290: Exec-Timeout

    exec-timeout This command sets the interval that the system waits until user input is detected. Use the no form to restore the default. Syntax exec-timeout [seconds] no exec-timeout seconds - Integer that specifies the number of seconds. (Range: 0 - 65535 seconds; 0: no timeout) Default Setting CLI: No timeout Telnet: 10 minutes...
  • Page 291: Password-Thresh

    password-thresh This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value. Syntax password-thresh [threshold] no password-thresh threshold - The number of allowed password attempts. (Range: 1-120; 0: no threshold) Default Setting The default value is three attempts.
  • Page 292: Silent-Time

    silent-time This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value. Syntax silent-time [seconds] no silent-time...
  • Page 293: Parity

    Default Setting 8 data bits per character Command Mode Line Configuration Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
  • Page 294: Speed

    Some baud rates available on devices connected to the port might not be supported. The system indicates if the speed you selected is not supported. If you select the “auto” option, the switch will automatically detect the baud rate configured on the attached terminal, and adjust the speed accordingly.
  • Page 295: Stopbits

    Example To specify 57600 bps, enter this command: Console(config-line)#speed 57600 Console(config-line)# stopbits This command sets the number of the stop bits transmitted per byte. Use the no form to restore the default setting. Syntax stopbits {1 | 2} • 1 - One stop bit •...
  • Page 296: Show Line

    Command Usage Specifying session identifier “0” will disconnect the console connection. Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection. Example Console#disconnect 1 Console# Related Commands show ssh (4-54) show users (4-81) show line This command displays the terminal line’s parameters.
  • Page 297: General Commands

    Example To show all lines, enter this command: Console#show line Console configuration: Password threshold: Interactive timeout: Disabled Login timeout: Disabled Silent time: Baudrate: Databits: Parity: Stopbits: VTY configuration: Password threshold: Interactive timeout: 600 sec Login timeout: 300 sec Console# General Commands Command enable disable...
  • Page 298: Enable

    enable This command activates Privileged Exec mode. In privileged mode, additional commands are available, and certain commands display additional information. (See “Understanding Command Modes” on page 4-7.) Syntax enable [level] level - Privilege level to log into the device. The device has two predefined privilege levels: 0: Normal Exec, 15: Privileged Exec.
  • Page 299: Disable

    This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration.
  • Page 300: Show History

    Example Console#configure Console(config)# Related Commands end (4-29) show history This command shows the contents of the command history buffer. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The history buffer size is fixed at 10 Execution commands and 10 Configuration commands.
  • Page 301: Reload

    None Command Mode Privileged Exec Command Usage This command resets the entire system. Example This example shows how to reset the switch: Console#reload System will be restarted, continue <y/n>? y This command returns to Privileged Exec mode. Default Setting None...
  • Page 302: Exit

    Command Mode Global Configuration, Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration. Example This example shows how to return to the Privileged Exec mode from the Interface Configuration mode: Console(config-if)#end Console# exit This command returns to the previous configuration mode or exits the configuration program.
  • Page 303: System Management Commands

    SMTP Alerts Time (System Clock) Sets the system clock automatically via NTP/SNTP Function Configures information that uniquely identifies this switch Configures the basic user names and passwords for management access Configures IP addresses that are allowed management access Enables management access via a web browser...
  • Page 304: Device Designation Commands

    Table 4-8 Device Designation Commands Command Function prompt Customizes the prompt used in PE and NE mode hostname Specifies the host name for the switch snmp-server Sets the system contact string contact snmp-server Sets the system location string location switch...
  • Page 305: Hostname

    Console(config)#hostname RD#1 Console(config)# switch renumber This command resets the switch unit identification numbers in the stack. All stack members are numbered sequentially starting from the top unit for a non-loop stack, or starting from the Master unit for a looped stack.
  • Page 306: User Access Commands

    User Access Commands The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 4-13), user authentication via a remote authentication server (page 4-91), and host access authentication for specific ports (page 4-104).
  • Page 307: Table 4-10 Default Login Settings

    • password password - The authentication password for the user. (Maximum length: 8 characters plain text, 32 encrypted, case sensitive) Default Setting • The default access level is Normal Exec. • The factory defaults for the user names and passwords are: Table 4-10 Default Login Settings username access-level...
  • Page 308: Enable Password

    enable password After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
  • Page 309: Ip Filter Commands

    Displays the switch to be monitored or management This command specifies the client IP addresses that are allowed management access to the switch through various protocols. Use the no form to restore the default setting. Syntax [no] management {all-client | http-client | snmp-client | telnet-client} start-address [end-address] •...
  • Page 310: Show Management

    Command Usage • If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
  • Page 311: Web Server Commands

    End IP address 192.168.1.19 192.168.1.30 Table 4-12 Web Server Command Function Specifies the port to be used by the web browser interface Allows the switch to be monitored or configured from a browser Enables HTTPS/SSL for encrypted communications Mode Page...
  • Page 312: Ip Http Port

    ip http port This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port. Syntax ip http port port-number no ip http port port-number - The TCP port to be used by the browser interface. (Range: 1-65535) Default Setting Command Mode...
  • Page 313: Ip Http Secure-Server

    This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the no form to disable this function. Syntax [no] ip http secure-server...
  • Page 314: Ip Http Secure-Port

    (4-42) copy tftp https-certificate (4-84) ip http secure-port This command specifies the UDP port number used for HTTPS/SSL connection to the switch’s web interface. Use the no form to restore the default port. Syntax ip http secure-port port_number no ip http secure-port port_number –...
  • Page 315: Ip Telnet Server

    This command allows this device to be monitored or configured from Telnet. Use the no form to disable this function. Syntax [no] ip telnet server Table 4-14 Telnet Server Commands Function Allows the switch to be monitored or configured from Telnet interface Mode Page 4-43...
  • Page 316: Ip Telnet Server Port

    Default Setting Enabled Command Mode Global Configuration Example Console(config)#ip telnet server Console(config)# ip telnet server port This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port. Syntax [no] ip telnet server port [port-number] port-number - The TCP port to be used by the browser interface.
  • Page 317: Table 4-15 Secure Shell Commands

    Telnet. When a client contacts the switch via the SSH protocol, the switch uses a public-key that the client must match along with a local user name and password for access authentication. SSH also encrypts all data...
  • Page 318 4-92. If public key authentication is specified by the client, then you must configure authentication keys on both the client and the switch as described in the following section. Note that regardless of whether you use public key or password authentication, you still have to generate authentication keys on the switch and enable the SSH server.
  • Page 319 The switch compares the client's public key to those stored in memory. c. If a match is found, the switch uses the public key to encrypt a random sequence of bytes, and sends this string to the client...
  • Page 320: Ip Ssh Server

    The client uses its private key to decrypt the bytes, and sends the decrypted bytes back to the switch. e. The switch compares the decrypted bytes to the original bytes it sent. If the two sets match, this means that the client's private key corresponds to an authorized public key, and the client is authenticated.
  • Page 321: Ip Ssh Timeout

    Global Configuration Command Usage The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase. Once an SSH session has been established, the timeout for user input is controlled by the exec-timeout command for vty sessions.
  • Page 322: Ip Ssh Authentication-Retries

    ip ssh authentication-retries This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting. Syntax ip ssh authentication-retries count no ip ssh authentication-retries count – The number of authentication attempts permitted after which the interface is reset.
  • Page 323: Delete Public-Key

    Command Usage • The server key is a private key that is never shared outside the switch. • The host key is shared with the SSH client, and is fixed at 1024 bits. Example Console(config)#ip ssh server-key size 512 Console(config)# delete public-key This command deletes the specified user’s public key.
  • Page 324: Ip Ssh Crypto Zeroize

    Command Mode Privileged Exec Command Usage • This command stores the host key pair in memory (i.e., RAM). Use the ip ssh save host-key command to save the host key pair to flash memory. • Some SSH client programs automatically add the public key to the known hosts file as part of the configuration process.
  • Page 325: Ip Ssh Save Host-Key

    Command Usage • This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory. • The SSH server must be disabled before you can execute this command.
  • Page 326: Show Ssh

    show ip ssh This command displays the connection settings used when authenticating client access to the SSH server. Command Mode Privileged Exec Example Console#show ip ssh SSH Enabled - version 1.99 Negotiation timeout: 120 secs; Authentication retries: 3 Server key size: 768 bits Console# show ssh...
  • Page 327: Table 4-7 System Management Commands

    Table 4-16 show ssh - display description (Continued) Field Description Encryption The encryption method is automatically negotiated between the client and server. Options for SSHv1.5 include: DES, 3DES Options for SSHv2.0 can include different algorithms for the client-to-server (ctos) and server-to-client (stoc): aes128-cbc-hmac-sha1 aes192-cbc-hmac-sha1 aes256-cbc-hmac-sha1...
  • Page 328: Table 4-17 Event Logging Commands

    Table 4-17 Event Logging Commands Function Controls logging of error messages Limits syslog messages saved to switch memory based on severity Adds a syslog server host IP address that will receive logging messages Mode Page 4-57...
  • Page 329: Logging On

    This command controls logging of error messages, sending debug or error messages to switch memory. The no form disables the logging process. Syntax [no] logging on Default Setting None Command Mode...
  • Page 330: Logging History

    logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax logging history {flash | ram} level no logging history {flash | ram} •...
  • Page 331: Logging Host

    Command Mode Global Configuration Command Usage The message level specified for flash memory must be a higher priority (i.e., numerically lower) than that specified for RAM. Example Console(config)#logging history ram 0 Console(config)# logging host This command adds a syslog server host IP address that will receive logging messages.
  • Page 332: Logging Facility

    The command specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to sort messages or to store messages in the corresponding database.
  • Page 333: Logging Trap

    logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging. Syntax logging trap [level] no logging trap...
  • Page 334: Clear Log

    Related Commands show log (4-64) show logging This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. Syntax show logging {flash | ram | sendmail | trap} •...
  • Page 335: Table 4-19 Show Logging Flash/Ram - Display Description

    Default Setting None Command Mode Privileged Exec Example The following example shows that system logging is enabled, the message level for flash memory is “errors” (i.e., default level 3 - 0), and the message level for RAM is “debugging” (i.e., default level 7 - 0). Console#show logging flash Syslog logging: History logging in FLASH: level errors...
  • Page 336: Table 4-20 Show Logging Trap - Display Description

    Table 4-20 show logging trap - display description Field Syslog logging REMOTELOG status REMOTELOG facility type REMOTELOG level type REMOTELOG server IP address Related Commands show logging sendmail (4-69) show log This command displays the log messages stored in local memory. Syntax show log {flash | ram} •...
  • Page 337: Table 4-21 Smtp Alert Commands

    Example The following example shows the event message stored in RAM. Console#show log ram [1] 00:01:30 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1 [0] 00:01:30 2001-01-01 "Unit 1, Port level: 6, module: 5, function: 1, and event no.: 1 Console# SMTP Alert Commands These commands configure SMTP event handling, and forwarding of alert...
  • Page 338: Logging Sendmail Host

    • You can specify up to three SMTP servers for event handling. However, you must enter a separate command to specify each server. • To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.
  • Page 339: Logging Sendmail Level

    logging sendmail level This command sets the severity threshold used to trigger alert messages. Syntax logging sendmail level level level - One of the system message levels (page 4-58). Messages sent include the selected level down to level 0. (Range: 0-7; Default: 7) Default Setting Level 7 Command Mode...
  • Page 340: Logging Sendmail Destination-Email

    Command Mode Global Configuration Command Usage You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch. Example This example will send email alerts for system errors from level 3 through 0.
  • Page 341: Logging Sendmail

    logging sendmail This command enables SMTP event handling. Use the no form to disable this function. Syntax [no] logging sendmail Default Setting Enabled Command Mode Global Configuration Example Console(config)#logging sendmail Console(config)# show logging sendmail This command displays the settings for the SMTP event handler. Command Mode Normal Exec, Privileged Exec Example...
  • Page 342: Sntp Client

    (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
  • Page 343: Sntp Server

    Command Usage • The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (e.g., 00:00:00, Jan. 1, 2001).
  • Page 344: Sntp Poll

    (4-72) show sntp (4-73) sntp poll This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default. Syntax sntp poll seconds no sntp poll seconds - Interval between time requests.
  • Page 345: Show Sntp

    SNTP server 137.92.140.80 0.0.0.0 0.0.0.0 Current server: 137.92.140.80 Console# clock timezone This command sets the time zone for the switch’s internal clock. Syntax clock timezone name hour hours minute minutes {before-utc | after-utc} • name - Name of timezone, usually an acronym.
  • Page 346: Calendar Set

    (4-73) calendar set This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server. Syntax calendar set hour min sec {day month year | month day year} •...
  • Page 347: Show Calendar

    Default Setting None Command Mode Privileged Exec Example This example shows how to set the system clock to 15:12:34, February 1st, 2002. Console#calendar set 15 12 34 1 February 2002 Console# show calendar This command displays the system clock. Default Setting None Command Mode Normal Exec, Privileged Exec...
  • Page 348: System Status Commands

    System Status Commands Command show startup-config show running-config show system show users show version show startup-config This command displays the configuration file stored in non-volatile memory that is used to start up the system. Default Setting None Command Mode Privileged Exec Command Usage •...
  • Page 349: Show Running-Config

    - VLAN database (VLAN ID, name and state) - VLAN configuration settings for each interface - Multiple spanning tree instances (name and interfaces) - IP address configured for the switch - Spanning tree settings - Any configured settings for the console port and Telnet...
  • Page 350 - VLAN database (VLAN ID, name and state) - VLAN configuration settings for each interface - Multiple spanning tree instances (name and interfaces) - IP address configured for the switch - Spanning tree settings - Any configured settings for the console port and Telnet...
  • Page 351: Related Commands

    Example Console#show running-config building running-config, please wait... !<stackingDB>0000000000000000</stackingDB> !<stackingMac>01_00-30-f1-df-9c-a0_00</stackingMac> !<stackingMac>00_00-00-00-00-00-00_00</stackingMac> !<stackingMac>00_00-00-00-00-00-00_00</stackingMac> !<stackingMac>00_00-00-00-00-00-00_00</stackingMac> !<stackingMac>00_00-00-00-00-00-00_00</stackingMac> !<stackingMac>00_00-00-00-00-00-00_00</stackingMac> !<stackingMac>00_00-00-00-00-00-00_00</stackingMac> !<stackingMac>00_00-00-00-00-00-00_00</stackingMac> phymap 00-30-f1-df-9c-a0 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 SNTP server 0.0.0.0 0.0.0.0 0.0.0.0 snmp-server community public ro snmp-server community private rw username admin access-level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access-level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4...
  • Page 352: Show System

    DRAM Test ... PASS Timer Test ... PASS PCI Device 1 Test ... PASS I2C Bus Initialization ... PASS Switch Int Loopback Test ... PASS Crossbar Int Loopback Test ... PASS Fan Speed Test ... PASS Done All Pass. Console#...
  • Page 353: Show Users

    show users Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
  • Page 354: Frame Size Commands

    Command Mode Normal Exec, Privileged Exec Command Usage See “Displaying Switch Hardware/Software Versions” on page 3-14 for detailed information on the items displayed by this command. Example Console#show version Unit 1 Serial number: Hardware version: EPLD version: Number of ports:...
  • Page 355 Command Mode Global Configuration Command Usage • This switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 9216 bytes. Compared to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet overhead required to process protocol encapsulation fields.
  • Page 356: Flash/File Commands

    This command moves (upload/download) a code image or configuration file between the switch’s flash memory and a TFTP server. When you save the system code or configuration settings to a file on a TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the TFTP server and the quality of the network connection.
  • Page 357 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) • Due to the size limit of the flash memory, the switch supports only two operation code files. • The maximum number of user-defined configuration files depends on available memory.
  • Page 358: Line Interface

    \Write to FLASH finish. Success. Console# This example shows how to copy a secure-site certificate from a TFTP server. It then reboots the switch to activate the certificate: Console#copy tftp https-certificate TFTP server ip address: 10.1.0.19 Source certificate file name: SS-certificate...
  • Page 359: Delete

    This example shows how to copy a public-key used by SSH from a TFTP server. Note that public key authentication via SSH is only supported for users configured locally on the switch. Console#copy tftp public-key TFTP server IP address: 192.168.1.19 Choose public key type: 1.
  • Page 360: Dir

    The type of file or image to display includes: • boot-rom - Boot ROM (or diagnostic) image file. • config - Switch configuration file. • opcode - Run-time operation code image file. • filename - Name of the file or image. If this file exists but contains errors, information on this file cannot be shown.
  • Page 361: Whichboot

    Command Usage • If you enter the command dir without any parameters, the system displays all files. • A colon (:) is required after the specified unit number. • File information is shown below: Column Heading file name file type startup size Example...
  • Page 362: Boot System

    Command Mode Privileged Exec Example This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command. Console#whichboot -------------------------------- ----------------------- ------- ----------- Unit1: Console# boot system...
  • Page 363: Authentication Commands

    (4-88) whichboot (4-89) Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. You can also enable port-based authentication for network client access using IEEE 802.1X.
  • Page 364: Authentication Login

    authentication login This command defines the login authentication method and precedence. Use the no form to restore the default. Syntax authentication login {[local] [radius] [tacacs]} no authentication login • local - Use local password. • radius - Use RADIUS server password. •...
  • Page 365: Authentication Enable

    Example Console(config)#authentication login radius Console(config)# Related Commands username - for setting the local user names and passwords (4-34) authentication enable This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-26).
  • Page 366: Radius Client

    RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch. Command radius-server host radius-server port...
  • Page 367: Radius-Server Host

    • port_number - RADIUS server UDP port used for authentication messages. (Range: 1-65535) • timeout - Number of seconds the switch waits for a reply before resending a request. (Range: 1-65535) • retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server.
  • Page 368: Radius-Server Port

    radius-server port This command sets the RADIUS server network port. Use the no form to restore the default. Syntax radius-server port port_number no radius-server port port_number - RADIUS server UDP port used for authentication messages. (Range: 1-65535) Default Setting 1812 Command Mode Global Configuration...
  • Page 369: Radius-Server Retransmit

    RADIUS server. Use the no form to restore the default. Syntax radius-server timeout number_of_seconds no radius-server timeout number_of_seconds - Number of seconds the switch waits for a reply before resending a request. (Range: 1-65535) Default Setting...
  • Page 370: Show Radius-Server

    TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch...
  • Page 371: Tacacs-Server Host

    Command tacacs-server host tacacs-server port tacacs-server key show tacacs-server tacacs-server host This command specifies the TACACS+ server. Use the no form to restore the default. Syntax tacacs-server host host_ip_address no tacacs-server host host_ip_address - IP address of a TACACS+ server. Default Setting 10.11.12.13 Command Mode...
  • Page 372: Tacacs-Server Port

    tacacs-server port This command specifies the TACACS+ server network port. Use the no form to restore the default. Syntax tacacs-server port port_number no tacacs-server port port_number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535) Default Setting Command Mode Global Configuration Example...
  • Page 373: Show Tacacs-Server

    Port Security Commands These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
  • Page 374: Port Security

    Command port security mac-address-table static Maps a static address to a port in a show mac-address-table Displays entries in the port security This command enables or configures port security. Use the no form without any keywords to disable port security. Use the no form with the appropriate keyword to restore the default settings for a response to security violation or for the maximum number of allowed addresses.
  • Page 375 Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
  • Page 376: 802.1X Port Authentication

    802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
  • Page 377 This command enables IEEE 802.1X port authentication globally on the switch. Use the no form to restore the default. Syntax [no] dot1x system-auth-control Default Setting Disabled Command Mode Global Configuration Example Console(config)#dot1x system-auth-control Console(config)# dot1x default This command sets all configurable dot1x global and port settings to their default values.
  • Page 378: Dot1X Max-Req

    dot1x max-req This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default. Syntax...
  • Page 379: Dot1X Operation-Mode

    Default force-authorized Command Mode Interface Configuration Example Console(config)#interface eth 1/2 Console(config-if)#dot1x port-control auto Console(config-if)# dot1x operation-mode This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host.
  • Page 380: Dot1X Re-Authenticate

    • In “multi-host” mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access. Similarly, a port can become unauthorized for all hosts if one attached host fails re-authentication or sends an EAPOL logoff message. Example Console(config)#interface eth 1/2 Console(config-if)#dot1x operation-mode multi-host max-count 10...
  • Page 381: Dot1X Timeout Quiet-Period

    Console(config-if)#dot1x re-authentication Console(config-if)# dot1x timeout quiet-period This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. Use the no form to reset the default. Syntax...
  • Page 382: Dot1X Timeout Tx-Period

    Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout re-authperiod 300 Console(config-if)# dot1x timeout tx-period This command sets the time that the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value. Syntax...
  • Page 383 This command displays the following information: • Global 802.1X Parameters – Shows whether or not 802.1X port authentication is globally enabled on the switch. • 802.1X Port Summary – Displays the port access control parameters for each interface that has enabled 802.1X, including the following items: - Status–...
  • Page 384 - Port-control – Shows the dot1x mode on a port as auto, force-authorized, or force-unauthorized (page 4-106). - Supplicant – MAC address of authorized client. - Current Identifier – The integer (0-255) used by the Authenticator to identify the current authentication session. •...
  • Page 385 Example Console#show dot1x Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status disabled disabled 1/25 disabled 1/26 enabled 802.1X Port Details 802.1X is enabled on port 1/1 802.1X is enabled on port 26 reauth-enabled: reauth-period: quiet-period: tx-period: supplicant-timeout: server-timeout: reauth-max: max-req:...
  • Page 386: Access Control List Commands

    An ACL is a sequential list of permit or deny conditions that apply to IP addresses, MAC addresses, or other more specific criteria. This switch tests ingress or egress packets against the conditions in an ACL one by one. A packet will be accepted as soon as it matches a permit rule, or dropped as soon as it matches a deny rule.
  • Page 387 • The switch does not support the explicit “deny any any” rule for the egress IP ACL or the egress MAC ACLs. If these rules are included in an ACL, and you attempt to bind the ACL to an interface for egress checking, the bind operation will fail.
  • Page 388: Ip Acls

    Masks for Access Control Lists You must specify optional masks that control the order in which ACL rules are checked. The switch includes two system default masks that pass/ filter packets matching the permit/deny rules specified in an ingress ACL.
  • Page 389: Access-List Ip

    Table 4-34 IP ACL Commands (Continued) Command access-list ip mask-precedence mask show access-list ip mask-precedence ip access-group show ip access-group map access-list ip show map access-list ip match access-list ip Changes the 802.1p priority, IP show marking access-list ip This command adds an IP access list and enters configuration mode for standard or extended IP ACLs.
  • Page 390: Permit, Deny (Standard Acl)

    Default Setting None Command Mode Global Configuration Command Usage • An egress ACL must contain all deny rules. • When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list.
  • Page 391: Default Setting

    Default Setting None Command Mode Standard ACL Command Usage • New rules are appended to the end of the list. • Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match”...
  • Page 392: Permit, Deny (Extended Acl)

    permit, deny (Extended ACL) This command adds a rule to an Extended IP ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
  • Page 393 Command Mode Extended ACL Command Usage • All new rules are appended to the end of the list. • Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match”...
  • Page 394: Show Ip Access-List

    Example This example accepts any incoming packets if the source address is within subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 & 255.255.255.0), the packet passes through. Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any Console(config-ext-acl)# This allows TCP packets from class C addresses 192.168.1.0 to any...
  • Page 395: Access-List Ip Mask-Precedence

    Example Console#show ip access-list standard IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 0.0.15.255 Console# Related Commands permit, deny 4-118 ip access-group (4-128) access-list ip mask-precedence This command accesses the IP Mask mode used to configure access control masks. Use the no form to delete the mask table. Syntax [no] access-list ip mask-precedence {in | out} •...
  • Page 396: Mask (Ip Acl)

    Related Commands mask (IP ACL) (4-124) ip access-group (4-128) mask (IP ACL) This command defines a mask for IP ACLs. This mask defines the fields to check in the IP header. Use the no form to remove a mask. Syntax [no] mask [protocol] {any | host | source-bitmask}...
  • Page 397 Command Usage • Packets crossing a port are checked against all the rules in the ACL until a match is found. The order in which these packets are checked is determined by the mask, and not the order in which the ACL rules were entered.
  • Page 398 This shows how to create a standard ACL with an ingress mask to deny access to the IP host 171.69.198.102, and permit access to any others. Console(config)#access-list ip standard A2 Console(config-std-acl)#permit any Console(config-std-acl)#deny host 171.69.198.102 Console(config-std-acl)#end Console#show access-list IP standard access-list A2: deny host 171.69.198.102 permit any...
  • Page 399: Show Access-List Ip Mask-Precedence

    ACL. Note that once the ACL is bound to an interface (i.e., the ACL is active), the order in which the rules are displayed is determined by the associated mask. Switch(config)#access-list ip extended 6 Switch(config-ext-acl)#permit any any Switch(config-ext-acl)#deny tcp any any control-flag 2 2 Switch(config-ext-acl)#end Console#show access-list IP extended access-list A6: permit any any...
  • Page 400: Ip Access-Group

    • If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one. • You must configure a mask for an ACL rule before you can bind it to a port.
  • Page 401: Show Ip Access-Group

    Example Console(config)#int eth 1/25 Console(config-if)#ip access-group standard david in Console(config-if)# Related Commands show ip access-list (4-122) show ip access-group This command shows the ports assigned to IP ACLs. Command Mode Privileged Exec Example Console#show ip access-group Interface ethernet 1/25 IP standard access-list david Console# Related Commands ip access-group (4-128)
  • Page 402: Show Map Access-List Ip

    Command Mode Interface Configuration (Ethernet) Command Usage • You must configure an ACL mask before you can map CoS values to the rule. • A packet matching a rule within the specified ACL is mapped to one of the output queues as shown in the following table. For information on mapping the CoS values to output queues, see queue cos-map on 4-263.
  • Page 403: Match Access-List Ip

    Command Mode Privileged Exec Example Console#show map access-list ip Access-list to COS of Eth 1/24 Access-list ALS1 cos 0 Console# Related Commands map access-list ip (4-129) match access-list ip This command changes the IEEE 802.1p priority, IP Precedence, or DSCP Priority of a frame matching the defined ACL rule. (This feature is commonly referred to as ACL packet marking.) Use the no form to remove the ACL marker.
  • Page 404: Show Marking

    To specify the DSCP priority, use the set dscp keywords. Note that the IP frame header can include either the IP Precedence or DSCP priority type. • The precedence for priority mapping by this switch is IP Precedence or DSCP Priority, and then 802.1p priority. Example...
  • Page 405: Mac Acls

    MAC ACLs Command access-list mac permit, deny show mac access-list Displays the rules for configured access-list mac mask-precedence mask show access-list mac mask-precedence mac access-group show mac access-group map access-list mac show map access-list match access-list mac Changes the 802.1p priority the show marking Table 4-36 MAC ACL Commands...
  • Page 406: Access-List Mac

    access-list mac This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL. Syntax [no] access-list mac acl_name acl_name – Name of the ACL. (Maximum length: 16 characters) Default Setting None Command Mode...
  • Page 407: Permit, Deny (Mac Acl)

    permit, deny (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | host source | source address-bitmask}...
  • Page 408 • address-bitmask format). • vid – VLAN ID. (Range: 1-4095) • vid-bitmask • protocol – A specific Ethernet protocol number. (Range: 600-fff hex.) • protocol-bitmask Default Setting None Command Mode MAC ACL Command Usage • New rules are added to the end of the list. •...
  • Page 409: Show Mac Access-List

    show mac access-list This command displays the rules for configured MAC ACLs. Syntax show mac access-list [acl_name] acl_name – Name of the ACL. (Maximum length: 16 characters) Command Mode Privileged Exec Example Console#show mac access-list MAC access-list jerry: permit any host 00-e0-29-94-34-de ethertype 0800 Console# Related Commands permit, deny 4-135...
  • Page 410: Mask (Mac Acl)

    Command Usage • You must configure a mask for an ACL rule before you can bind it to a port or set the queue or frame priorities associated with the rule. • A mask can only be used by all ingress ACLs or all egress ACLs. •...
  • Page 411 • ethertype – Check the Ethernet type field. • ethertype-bitmask – Ethernet type of rule must match this bitmask. Default Setting None Command Mode MAC Mask Command Usage • Up to seven masks can be assigned to an ingress or egress ACL. •...
  • Page 412: Show Access-List Mac Mask-Precedence

    This example creates an Egress MAC ACL. Console(config)#access-list mac M5 Console(config-mac-acl)#deny tagged-802.3 host 00-11-11-11-11-11 any Console(config-mac-acl)#deny tagged-eth2 00-11-11-11-11-11 ff-ff-ff-ff-ff-ff any vid 3 ethertype 0806 Console(config-mac-acl)#end Console#show access-list MAC access-list M5: deny tagged-802.3 host 00-11-11-11-11-11 any deny tagged-eth2 host 00-11-11-11-11-11 any vid 3 ethertype 0806 Console(config)#access-list mac mask-precedence out Console(config-mac-mask-acl)#mask pktformat ff-ff-ff-ff-ff-ff any vid...
  • Page 413: Mac Access-Group

    • If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one. • You must configure a mask for an ACL rule before you can bind it to a port.
  • Page 414: Map Access-List Mac

    Example Console#show mac access-group Interface ethernet 1/5 MAC access-list M5 out Console# Related Commands mac access-group (4-141) map access-list mac This command sets the output queue for packets matching an ACL rule. The specified CoS value is only used to map the matching packet to an output queue;...
  • Page 415: Show Map Access-List Mac

    Example Console(config)#int eth 1/5 Console(config-if)#map access-list mac M5 cos 0 Console(config-if)# Related Commands queue cos-map (4-263) show map access-list mac (4-143) show map access-list mac This command shows the CoS value mapped to a MAC ACL for the current interface. (The CoS value determines the output queue for packets matching an ACL rule.) Syntax show map access-list mac [interface]...
  • Page 416: Match Access-List Mac

    match access-list mac This command changes the IEEE 802.1p priority of a Layer 2 frame matching the defined ACL rule. (This feature is commonly referred to as ACL packet marking.) Use the no form to remove the ACL marker. Syntax match access-list mac acl_name set priority priority no match access-list mac acl_name...
  • Page 417: Show Access-List

    show access-list This command shows all ACLs and associated rules, as well as all the user-defined masks. Command Mode Privileged Exec Command Usage Once the ACL is bound to an interface (i.e., the ACL is active), the order in which the rules are displayed is determined by the associated mask.
  • Page 418: Snmp Commands

    SNMP Commands Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
  • Page 419: Snmp-Server

    Table 4-39 SNMP Commands (Continued) Command snmp-server group show snmp group snmp-server user show snmp user snmp-server This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server.
  • Page 420: Show Snmp

    show snmp This command can be used to check the status of SNMP communications. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.
  • Page 421: Snmp-Server Community

    snmp-server community This command defines the SNMP v1 and v2c community access string. Use the no form to remove the specified community string. Syntax snmp-server community string [ro|rw] no snmp-server community string • string - Community string that acts like a password and permits access to the SNMP protocol.
  • Page 422: Snmp-Server Contact

    snmp-server contact This command sets the system contact string. Use the no form to remove the system contact information. Syntax snmp-server contact string no snmp-server contact string - String that describes the system contact information. (Maximum length: 255 characters) Default Setting None Command Mode...
  • Page 423: Snmp-Server Host

    Command Mode Global Configuration Example Console(config)#snmp-server location WC-19 Console(config)# Related Commands snmp-server contact (4-150) snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax snmp-server host host-addr community-string [version {1 | 2c | 3 {auth | noauth | priv}} [udp-port port]] no snmp-server host host-addr •...
  • Page 424 For example, some notification types are always enabled. • The switch can send SNMP Version 1, 2c or 3 notifications to a host IP address, depending on the SNMP version that the management station supports. If the snmp-server host command does not specify the SNMP version, the default is to send SNMP version 1 notifications.
  • Page 425: Snmp-Server Enable Traps

    Example Console(config)#snmp-server host 10.1.19.23 batman Console(config)# Related Commands snmp-server enable traps (4-153) snmp-server enable traps This command enables this device to send Simple Network Management Protocol traps (SNMP notifications). Use the no form to disable SNMP notifications. Syntax [no] snmp-server enable traps [authentication | link-up-down] •...
  • Page 426: Snmp-Server Engine-Id

    - String identifying the engine ID. (Range: 1-26 hexadecimal characters) Default Setting A unique engine ID is automatically generated by the switch based on its MAC address. Command Mode Global Configuration Command Usage •...
  • Page 427: Show Snmp Engine-Id

    • A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users (page 4-161).
  • Page 428: Snmp-Server View

    snmp-server view This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view. Syntax snmp-server view view-name oid-tree {included | excluded} no snmp-server view view-name • view-name - Name of an SNMP view. (Range: 1-64 characters) •...
  • Page 429: Show Snmp View

    This view includes the MIB-2 interfaces table, and the mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included Console(config)# show snmp view This command shows information on the SNMP views. Command Mode Privileged Exec Example Console#show snmp view View Name: mib-2 Subtree OID: 1.2.2.3.6.2.1 View Type: included Storage Type: permanent...
  • Page 430: Snmp-Server Group

    snmp-server group This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group. Syntax snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] no snmp-server group groupname •...
  • Page 431: Show Snmp Group

    Example Console(config)#snmp-server group r&d v3 auth write daily Console(config)# show snmp group Four default groups are provided – SNMPv1 read-only access and read/ write access, and SNMPv2c read-only access and read/write access. Command Mode Privileged Exec...
  • Page 432: Table 4-42 Show Snmp Group - Display Description

    Example Console#show snmp group Group Name: r&d Security Model: v3 Read View: Write View: Notify View: Storage Type: Row Status: Group Name: public Security Model: v1 Read View: Write View: Notify View: Storage Type: Row Status: Group Name: public Security Model: v2c Read View: Write View:...
  • Page 433: Snmp-Server User

    Table 4-42 show snmp group - display description Field writeview notifyview storage-type Row Status snmp-server user This command adds a user to an SNMP group, restricting the user to a specific SNMP Read and a Write View. Use the no form to remove a user from an SNMP group.
  • Page 434: Show Snmp User

    Command Mode Global Configuration Command Usage • The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command. •...
  • Page 435: Dns Commands

    Table 4-43 show snmp user - display description Field Privacy Protocol Storage Type Row Status DNS Commands These commands are used to configure Domain Naming System (DNS) services. You can manually configure entries in the DNS domain name to IP address mapping table, configure default domain names, or specify one or more name servers to use for domain name to address translation.
  • Page 436: Ip Host

    Command show dns show dns cache clear dns cache ip host This command creates a static entry in the DNS table that maps a host name to an IP address. Use the no form to remove an entry. Syntax [no] ip host name address1 [address2 …...
  • Page 437: Clear Host

    Example This example maps two addresses to a host name. Console(config)#ip host rd5 192.168.1.55 10.1.0.55 Console(config)#end Console#show hosts Hostname Inet address 10.1.0.55 192.168.1.55 Alias Console# clear host This command deletes entries from the DNS table. Syntax clear host {name | *} •...
  • Page 438: Ip Domain-Name

    ip domain-name This command defines the default domain name appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove the current domain name. Syntax ip domain-name name no ip domain-name...
  • Page 439: Ip Domain-List

    • Domain names are added to the end of the list one at a time. • When an incomplete host name is received by the DNS server on this switch, it will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
  • Page 440: Ip Name-Server

    Example This example adds two domain names to the current list and then displays the list. Console(config)#ip domain-list sample.com.jp Console(config)#ip domain-list sample.com.uk Console(config)#end Console#show dns Domain Lookup Status: DNS disabled Default Domain Name: .sample.com Domain Name List: .sample.com.jp .sample.com.uk Name Server List: Console#...
  • Page 441: Ip Domain-Lookup

    Example This example adds two domain-name servers to the list and then displays the list. Console(config)#ip name-server 192.168.1.55 10.1.0.55 Console(config)#end Console#show dns Domain Lookup Status: DNS disabled Default Domain Name: sample.com Domain Name List: sample.com.jp sample.com.uk Name Server List: 192.168.1.55 10.1.0.55 Console# Related Commands...
  • Page 442: Show Hosts

    Example This example enables DNS and then displays the configuration. Console(config)#ip domain-lookup Console(config)#end Console#show dns Domain Lookup Status: DNS enabled Default Domain Name: .sample.com Domain Name List: .sample.com.jp .sample.com.uk Name Server List: 192.168.1.55 10.1.0.55 Console# Related Commands ip domain-name (4-166) ip name-server (4-168) show hosts This command displays the static host name-to-address mapping table.
  • Page 443: Show Dns

    show dns This command displays the configuration of the DNS server. Command Mode Privileged Exec Example Console#show dns Domain Lookup Status: DNS enabled Default Domain Name: sample.com Domain Name List: sample.com.jp sample.com.uk Name Server List: 192.168.1.55 10.1.0.55 Console# show dns cache This command displays entries in the DNS cache.
  • Page 444: Clear Dns Cache

    Field FLAG TYPE DOMAIN clear dns cache This command clears all entries in the DNS cache. Command Mode Privileged Exec Example Console#clear dns cache Console#show dns cache FLAG Console# Description The entry number for each resource record. The flag is always “4”...
  • Page 445: Interface Commands

    Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN. Command interface description speed-duplex negotiation capabilities flowcontrol media-type shutdown switchport broadcast packet-rate clear counters show interfaces status Displays status for the specified show interfaces counters show interfaces...
  • Page 446: Interface

    interface This command configures an interface type and enters interface configuration mode. Use the no form to remove a trunk. Syntax interface interface no interface port-channel channel-id • interface • ethernet unit/port - unit - Stack unit. (Range: 1-8) - port - Port number.
  • Page 447: Speed-Duplex

    Command Mode Interface Configuration (Ethernet, Port Channel) Example The following example adds a description to port 24. Console(config)#interface ethernet 1/24 Console(config-if)#description RD-SW#3 Console(config-if)# speed-duplex This command configures the speed and duplex mode of a given interface when autonegotiation is disabled. Use the no form to restore the default. Syntax speed-duplex {1000full | 100full | 100half | 10full | 10half} no speed-duplex...
  • Page 448: Negotiation

    Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
  • Page 449: Capabilities

    • symmetric (Gigabit only) - When specified, the port transmits and receives pause frames; when not specified, the port will auto-negotiate to determine the sender and receiver for asymmetric pause frames. (The current switch ASIC only supports symmetric pause frames.) Default Setting •...
  • Page 450: Flowcontrol

    Command Usage When auto-negotiation is enabled with the negotiation command, the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
  • Page 451: Media-Type

    • To force flow control on or off (with the flowcontrol or no flowcontrol command), use the no negotiation command to disable auto-negotiation on the selected interface. • When using the negotiation command to enable auto-negotiation, the optimal settings will be determined by the capabilities command. To enable flow control under auto-negotiation, “flowcontrol”...
  • Page 452: Shutdown

    Default Setting sfp-preferred-auto Command Mode Interface Configuration (Ethernet) Example This forces the switch to use the built-in RJ-45 port for the combination port 21. Console(config)#interface ethernet 1/21 Console(config-if)#combo-forced-mode copper-forced Console(config-if)# shutdown This command disables an interface. To restart a disabled interface, use the no form.
  • Page 453: Switchport Broadcast Packet-Rate

    • This command can enable or disable broadcast storm control for the selected interface. However, the specified threshold value applies to all ports on the switch. Example The following shows how to configure broadcast storm control at 600...
  • Page 454: Clear Counters

    clear counters This command clears statistics on an interface. Syntax clear counters interface interface • ethernet unit/port - unit - Stack unit. (Range: 1-8) - port - Port number. (Range: 1-24/48) • port-channel channel-id (Range: 1-32) Default Setting None Command Mode Privileged Exec...
  • Page 455: Show Interfaces Status

    show interfaces status This command displays the status for an interface. Syntax show interfaces status [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1-8) - port - Port number. (Range: 1-24/48) • port-channel channel-id (Range: 1-32) • vlan vlan-id (Range: 1-4093) Default Setting Shows the status for all interfaces.
  • Page 456: Show Interfaces Counters

    Example Console#show interfaces status ethernet 1/5 Information of Eth 1/5 Basic information: Port type: Mac address: Configuration: Name: Port admin: Speed-duplex: Capabilities: Broadcast storm: Broadcast storm limit: Flow control: LACP: Port security: Max MAC count: Port security action: Media type: Current status: Link status:...
  • Page 457: Table 4-45 Interface Commands

    Command Usage If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Showing Port Statistics” on page 3-127. Example Console#show interfaces counters ethernet 1/7 Ethernet 1/7 Iftable stats: Octets input: 30658, Octets output: 196550 Unicast input: 6, Unicast output: 5 Discard input: 0, Discard output: 0...
  • Page 458: Show Interfaces Switchport

    show interfaces switchport This command displays the administrative and operational status of the specified interfaces. Syntax show interfaces switchport [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1-8) - port - Port number. (Range: 1-24/48) •...
  • Page 459: Table 4-46 Show Interfaces Switchport - Display Description

    Table 4-46 show interfaces switchport - display description Field Description Broadcast threshold Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 4-181). LACP status Shows if Link Aggregation Control Protocol has been enabled or disabled (page 4-194).
  • Page 460: Mirror Port Commands

    Mirror Port Commands This section describes how to mirror traffic from a source port to a target port. Command port monitor show port monitor Shows the configuration for a mirror port port monitor This command configures a mirror session. Use the no form to clear a mirror session.
  • Page 461: Show Port Monitor

    However, you should avoid sending too much traffic to the destination port from multiple source ports. Example The following example configures the switch to mirror all packets from port 6 to 11. Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1/6 both...
  • Page 462: Rate Limit Commands

    Example The following shows mirroring configured from port 6 to port 11. Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1/6 Console(config-if)#end Console#show port monitor Port Mirroring ------------------------------------- Destination port(listen port):Eth1/1 Source port(monitored port) Mode Console# Rate Limit Commands This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface.
  • Page 463: Rate-Limit

    rate-limit This command defines the rate limit for a specific interface. Use this command without specifying a rate to restore the default rate. Use the no form to restore the default status of disabled. Syntax rate-limit {input | output} [rate] no rate-limit {input | output} •...
  • Page 464: Link Aggregation Commands

    For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP. This switch supports up to six trunks. For example, a trunk consisting of two 1000 Mbps ports can support an aggregate bandwidth of 4 Gbps when operating at full duplex.
  • Page 465: Guidelines For Creating Trunks

    Guidelines for Creating Trunks General Guidelines – • Finish configuring port trunks before you connect the corresponding network cables between switches to avoid creating a loop. • A trunk can have up to 32 ports. • The ports at both ends of a connection must be configured as trunk ports.
  • Page 466: Channel-Group

    • When configuring static trunks, the switches must comply with the Cisco EtherChannel standard. • Use no channel-group to remove a port group from a trunk. • Use no interfaces port-channel to remove a trunk from the switch. Example The following example creates trunk 1 and then adds port 11.
  • Page 467 • A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID. • If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically. • If more than four ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails.
  • Page 468 Example The following shows LACP enabled on ports 10-12. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk1 has been established. Console(config)#interface ethernet 1/10 Console(config-if)#lacp Console(config-if)#exit...
  • Page 469: Lacp System-Priority

    • Ports must be configured with the same system priority to join the same LAG. • System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
  • Page 470: Lacp Admin-Key (Ethernet Interface)

    lacp admin-key (Ethernet Interface) This command configures a port's LACP administration key. Use the no form to restore the default setting. Syntax lacp {actor | partner} admin-key key [no] lacp {actor | partner} admin-key • actor - The local side of an aggregate link. •...
  • Page 471: Lacp Admin-Key (Port Channel)

    Syntax lacp admin-key key [no] lacp admin-key key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch. (Range: 0-65535) Default Setting Command Mode Interface Configuration (Port Channel) Command Usage •...
  • Page 472: Lacp Port-Priority

    lacp port-priority This command configures LACP port priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority • actor - The local side of an aggregate link. •...
  • Page 473: Show Lacp

    show lacp This command displays LACP information. Syntax show lacp [port-channel] {counters | internal | neighbors | sys-id} • port-channel - Local identifier for a link aggregation group. (Range: 1-6) • counters - Statistics for LACP protocol messages. • internal - Configuration settings and operational state for local side.
  • Page 474: Table 4-50 Show Lacp Counters - Display Description

    Table 4-50 show lacp counters - display description Field LACPDUs Sent LACPDUs Received Number of valid LACPDUs received on this channel Marker Sent Marker Received LACPDUs Unknown Pkts LACPDUs Illegal Pkts Console#show lacp internal Channel group : 1 ------------------------------------------------------------------- Oper Key: Admin Key: 0...
  • Page 475 Table 4-51 show lacp internal - display description (Continued) Field Description LACPDUs Number of seconds before invalidating received LACPDU Internal information. LACP System LACP system priority assigned to this port channel. Priority LACP Port LACP port priority assigned to this interface within the Priority channel group.
  • Page 476: Table 4-52 Show Lacp Neighbors - Display Description

    Console#show lacp 1 neighbors Channel group 1 neighbors ------------------------------------------------------------------- Eth 1/1 ------------------------------------------------------------------- Partner Admin System ID: Partner Oper System ID: Partner Admin Port Number: 2 Partner Oper Port Number: Port Admin Priority: Port Oper Priority: Admin Key: Oper Key: Admin State: Oper State: Table 4-52 show lacp neighbors - display description...
  • Page 477: Table 4-53 Show Lacp Sysid - Display Description

    System Priority ------------------------------------------------------------------- Table 4-53 show lacp sysid - display description Field Description Channel group A link aggregation group configured on this switch. LACP system priority for this channel group. System Priority System MAC System MAC address. Address * The LACP system priority and system MAC address are concatenated to form the LAG system ID.
  • Page 478: Table 4-54 Address Table Commands

    Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time. Command mac-address-table static clear mac-address-table dynamic show mac-address-table mac-address-table aging-time Sets the aging time of the address show mac-address-table aging-time mac-address-table static...
  • Page 479: Address Table Commands

    • action - delete-on-reset - Assignment lasts until the switch is reset. - permanent - Assignment is permanent. Default Setting No static addresses are defined. The default mode is permanent. Command Mode Global Configuration Command Usage The static address for a host device can be assigned to a specific port within a specific VLAN.
  • Page 480: Show Mac-Address-Table

    Example Console#clear mac-address-table dynamic Console# show mac-address-table This command shows classes of entries in the bridge-forwarding database. Syntax show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}] • mac-address - MAC address. •...
  • Page 481: Mac-Address-Table Aging-Time

    example, a mask of 00-00-00-00-00-00 means an exact match, and a mask of FF-FF-FF-FF-FF-FF means “any.” • The maximum number of address entries is 8191. Example Console#show mac-address-table Interface Mac Address --------- ----------------- ---- ----------------- Eth 1/ 1 00-00-00-00-00-17 Eth 1/ 1 00-E0-29-94-34-DE Console# mac-address-table aging-time This command sets the aging time for entries in the address table.
  • Page 482: Show Mac-Address-Table Aging-Time

    Console#show mac-address-table aging-time Aging time: 300 sec. Console# Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Command spanning-tree spanning-tree mode spanning-tree...
  • Page 483 Table 4-55 Spanning Tree Commands (Continued) Command spanning-tree mst configuration mst vlan mst priority name revision max-hops spanning-tree spanning-disabled spanning-tree cost spanning-tree port-priority spanning-tree edge-port Enables fast forwarding for edge ports IC spanning-tree portfast spanning-tree link-type spanning-tree mst cost spanning-tree mst port-priority spanning-tree protocol-migration...
  • Page 484: Spanning-Tree

    Table 4-55 Spanning Tree Commands (Continued) Command show spanning-tree show spanning-tree mst configuration spanning-tree This command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it. Syntax [no] spanning-tree Default Setting Spanning tree is enabled.
  • Page 485: Spanning-Tree Mode

    RSTP node transmits, as described below: - STP Mode – If the switch receives an 802.1D BPDU after a port’s migration delay timer expires, the switch assumes that it is connected to an 802.1D bridge and starts using only 802.1D BPDUs.
  • Page 486: Spanning-Tree Forward-Time

    Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic. Example The following example configures the switch to use Rapid Spanning Tree. Console(config)#spanning-tree mode rstp Console(config)# spanning-tree forward-time This command configures the spanning tree bridge forward time globally for this switch.
  • Page 487: Spanning-Tree Hello-Time

    Console(config)#spanning-tree forward-time 20 Console(config)# spanning-tree hello-time This command configures the spanning tree bridge hello time globally for this switch. Use the no form to restore the default. Syntax spanning-tree hello-time time no spanning-tree hello-time time - Time in seconds. (Range: 1-10 seconds).
  • Page 488: Spanning-Tree Max-Age

    spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax spanning-tree max-age seconds no spanning-tree max-age seconds - Time in seconds. (Range: 6-40 seconds) The minimum value is the higher of 6 or [2 x (hello-time + 1)].
  • Page 489: Spanning-Tree Priority

    This command configures the spanning tree priority globally for this switch. Use the no form to restore the default. Syntax spanning-tree priority priority no spanning-tree priority priority - Priority of the bridge. (Range: 0 - 65535) (Range – 0-61440, in steps of 4096; Options: 0, 4096,...
  • Page 490: Spanning-Tree Transmission-Limit

    Default Setting Long method Command Mode Global Configuration Command Usage The path cost method is used to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. Note that path cost (page 4-225) takes precedence over port priority (page 4-226).
  • Page 491: Spanning-Tree Mst Configuration

    Use this command to change to Multiple Spanning Tree (MST) configuration mode. Default Setting • No VLANs are mapped to any MST instance. • The region name is set to the switch’s MAC address. Command Mode Global Configuration Example Console(config)#spanning-tree mst configuration...
  • Page 492 • By default all VLANs are assigned to the Internal Spanning Tree (MSTI 0) that connects all bridges and LANs within the MST region. This switch supports up to 58 instances. You should try to group VLANs which cover the same general area of your network. However,...
  • Page 493: Mst Priority

    However, if all devices have the same priority, the device with the lowest MAC address will then become the root device. • You can set this switch to act as the MSTI root device by specifying a priority of 0, or as the MSTI alternate device by specifying a priority of 16384.
  • Page 494: Name

    name This command configures the name for the multiple spanning tree region in which this switch is located. Use the no form to clear the name. Syntax name name name - Name of the spanning tree. Default Setting Switch’s MAC address...
  • Page 495: Max-Hops

    The MST region name (page 4-222) and revision number are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
  • Page 496: Spanning-Tree Spanning-Disabled

    Command Usage A MSTI region is treated as a single node by the STP and RSTP protocols. Therefore, the message age for BPDUs inside a MSTI region is never changed. However, each spanning tree instance within a region, and the internal spanning tree (IST) that connects these instances use a hop count to specify the maximum number of bridges that will propagate a BPDU.
  • Page 497: Spanning-Tree Cost

    spanning-tree cost This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default. Syntax spanning-tree cost cost no spanning-tree cost cost cost - The path cost for the port. (Range: 1-200,000,000) The recommended range is: - Ethernet: 200,000-20,000,000 - Fast Ethernet: 20,000-2,000,000...
  • Page 498: Spanning-Tree Port-Priority

    • This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch are the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
  • Page 499: Spanning-Tree Portfast

    Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state.
  • Page 500: Spanning-Tree Link-Type

    Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • This command is used to enable/disable the fast spanning-tree mode for the selected port. In this mode, ports skip the Discarding and Learning states, and proceed straight to Forwarding. •...
  • Page 501: Spanning-Tree Mst Cost

    • When automatic detection is selected, the switch derives the link type from the duplex mode. A full-duplex interface is considered a point-to-point link, while a half-duplex interface is assumed to be on a shared link.
  • Page 502 Default Setting By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost “0” is used to indicate auto-configuration mode. • Ethernet – half duplex: 2,000,000; full duplex: 1,000,000; trunk: 500,000 •...
  • Page 503: Spanning-Tree Mst Port-Priority

    Command Usage • This command defines the priority for the use of an interface in the multiple spanning-tree. If the path cost for all interfaces on a switch are the same, the interface with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
  • Page 504: Spanning-Tree Protocol-Migration

    Command Mode Privileged Exec Command Usage If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the spanning-tree protocol-migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e., RSTP or STP-compatible).
  • Page 505: Show Spanning-Tree

    Command Usage • Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree. • Use the show spanning-tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree (CST).
  • Page 506 Example Console#show spanning-tree Spanning-tree information --------------------------------------------------------------- Spanning tree mode: Spanning tree enabled/disabled: Instance: VLANs configuration: Priority: Bridge Hello Time (sec.): Bridge Max Age (sec.): Bridge Forward Delay (sec.): Root Hello Time (sec.): Root Max Age (sec.): Root Forward Delay (sec.): Max hops: Remaining hops: Designated Root:...
  • Page 507: Show Spanning-Tree Mst Configuration

    show spanning-tree mst configuration This command shows the multiple spanning tree configuration. Command Mode Privileged Exec Example Console#show spanning-tree mst configuration Mstp Configuration Information -------------------------------------------------------------- Configuration name:XSTP REGION 0 Revision level:0 Instance Vlans -------------------------------------------------------------- Console# VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment.
  • Page 508: Editing Vlan Groups

    Command Groups Configuring Private VLANs Configuring Protocol VLANs Editing VLAN Groups Command vlan database vlan vlan database This command enters VLAN database mode. All commands in this mode will take effect immediately. Default Setting None Command Mode Global Configuration Command Usage •...
  • Page 509: Vlan

    • no vlan vlan-id deletes the VLAN. • no vlan vlan-id name removes the VLAN name. • no vlan vlan-id state returns the VLAN to the default state (i.e., active). • You can configure up to 255 VLANs on the switch...
  • Page 510: Configuring Vlan Interfaces

    Example The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default. Console(config)#vlan database Console(config-vlan)#vlan 105 name RD5 media ethernet Console(config-vlan)# Related Commands show vlan (4-246) Configuring VLAN Interfaces Command interface vlan switchport mode...
  • Page 511: Interface Vlan

    interface vlan This command enters interface configuration mode for VLANs, which is used to configure VLAN parameters for a physical interface. Syntax interface vlan vlan-id vlan-id - ID of the configured VLAN. (Range: 1-4093, no leading zeroes) Default Setting None Command Mode Global Configuration Example...
  • Page 512: Switchport Mode

    switchport mode This command configures the VLAN membership mode for a port. Use the no form to restore the default. Syntax switchport mode {trunk | hybrid} no switchport mode • trunk - Specifies a port as an end-point for a VLAN trunk. A trunk is a direct link between two switches, so the port transmits tagged frames that identify the source VLAN.
  • Page 513: Switchport Acceptable-Frame-Types

    switchport acceptable-frame-types This command configures the acceptable frame types for a port. Use the no form to restore the default. Syntax switchport acceptable-frame-types {all | tagged} no switchport acceptable-frame-types • all - The port accepts all frames, tagged or untagged. •...
  • Page 514: Switchport Ingress-Filtering

    switchport ingress-filtering This command enables ingress filtering for an interface. Use the no form to restore the default. Syntax [no] switchport ingress-filtering Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • Ingress filtering only affects tagged frames. •...
  • Page 515: Switchport Native Vlan

    switchport native vlan This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default. Syntax switchport native vlan vlan-id no switchport native vlan vlan-id - Default VLAN ID for a port. (Range: 1-4093, no leading zeroes) Default Setting VLAN 1...
  • Page 516: Switchport Allowed Vlan

    VLAN groups as a tagged member. • Frames are always tagged within the switch. The tagged/untagged parameter used when adding a VLAN to an interface tells the switch whether to keep or remove the tag from a frame on egress.
  • Page 517: Switchport Forbidden Vlan

    • If a VLAN on the forbidden list for an interface is manually added to that interface, the VLAN is automatically removed from the forbidden list for that interface. Example The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1.
  • Page 518: Displaying Vlan Information

    Example The following example shows how to prevent port 1 from being added to VLAN 3. Console(config)#interface ethernet 1/1 Console(config-if)#switchport forbidden vlan add 3 Console(config-if)# Displaying VLAN Information Table 4-59 Displaying VLAN Information Command show vlan show interfaces status vlan show interfaces switchport...
  • Page 519: Configuring Private Vlans

    Example The following example shows how to display information for VLAN 1. Console#show vlan id 1 VLAN ID: Type: Name: Status: Ports/Port Channels: Console# Configuring Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. This section describes commands used to configure private VLANs.
  • Page 520: Show Pvlan

    • Private VLANs and normal VLANs can exist simultaneously within the same switch. • Entering the pvlan command without any parameters enables the private VLAN. Entering no pvlan disables the private VLAN.
  • Page 521: Configuring Protocol-Based Vlans

    VLANs, including security and easy accessibility. To avoid these problems, you can configure this switch with protocol-based VLANs that divide the physical network into logical VLAN groups for each required protocol. When a frame is received at a port, its VLAN membership can then be determined based on the protocol type in use by the inbound packets.
  • Page 522: Protocol-Vlan Protocol-Group (Configuring Groups)

    Console(config)#protocol-vlan protocol-group 1 add frame_type ethernet protocol-type ip Console(config)#protocol-vlan protocol-group 1 add frame_type ethernet protocol-type arp Console(config)# 17. SNAP frame types are not supported by this switch due to hardware limitations. - Frame type used by this protocol. (Options: ethernet,...
  • Page 523: Protocol-Vlan Protocol-Group (Configuring Interfaces)

    protocol-vlan protocol-group (Configuring Interfaces) This command maps a protocol group to a VLAN for the current interface. Use the no form to remove the protocol mapping for this interface. Syntax protocol-vlan protocol-group group-id vlan vlan-id no protocol-vlan protocol-group group-id vlan •...
  • Page 524: Show Protocol-Vlan Protocol-Group

    Example The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2. Console(config)#interface ethernet 1/1 Console(config-if)#protocol-vlan protocol-group 1 vlan 2 Console(config-if)# show protocol-vlan protocol-group This command shows the frame and protocol type associated with protocol groups.
  • Page 525: Show Interfaces Protocol-Vlan Protocol-Group

    show interfaces protocol-vlan protocol-group This command shows the mapping from protocol groups to VLANs for the selected interfaces. Syntax show interfaces protocol-vlan protocol-group [interface] • interface - ethernet unit/port - unit - Stack unit. (Range: 1-8) - port - Port number. (Range: 1-24/48) - port-channel channel-id (Range: 1-32) Default Setting The mapping for all interfaces is displayed.
  • Page 526: Gvrp And Bridge Extension Commands

    Configures forbidden VLANs for show gvrp configuration garp timer show garp timer bridge-ext gvrp This command enables GVRP globally for the switch. Use the no form to disable it. Syntax [no] bridge-ext gvrp Default Setting Disabled...
  • Page 527: Show Bridge-Ext

    GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. This function should be enabled to permit automatic VLAN registration, and to support VLANs which extend beyond the local switch. Example Console(config)#bridge-ext gvrp...
  • Page 528: Switchport Gvrp

    switchport gvrp This command enables GVRP for a port. Use the no form to disable it. Syntax [no] switchport gvrp Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Example Console(config)#interface ethernet 1/1 Console(config-if)#switchport gvrp Console(config-if)# show gvrp configuration This command shows if GVRP is enabled.
  • Page 529: Garp Timer

    garp timer This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. Syntax garp timer {join | leave | leaveall} timer_value no garp timer {join | leave | leaveall} •...
  • Page 530: Show Garp Timer

    Example Console(config)#interface ethernet 1/1 Console(config-if)#garp timer join 100 Console(config-if)# Related Commands show garp timer (4-258) show garp timer This command shows the GARP timers for the selected interface. Syntax show garp timer [interface] interface • ethernet unit/port - unit - Stack unit.
  • Page 531: Priority Commands

    Priority Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 532: Queue Mode

    Priority Commands (Layer 2) Command queue mode switchport priority default queue bandwidth queue cos map show queue mode show queue bandwidth show queue cos-map Shows the class-of-service map show interfaces switchport queue mode This command sets the queue mode to strict priority or Weighted Round-Robin (WRR) for the class of service (CoS) priority queues.
  • Page 533: Switchport Priority Default

    Global Configuration Command Usage You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue.
  • Page 534: Queue Bandwidth

    If the incoming frame is an IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used. • This switch provides eight priority queues for each port. It is configured to use Weighted Round Robin, which can be viewed with the show queue bandwidth command.
  • Page 535: Queue Cos-Map

    Default Setting Weights 1, 2, 4, 6, 8, 10, 12, 14 are assigned to queues 0 - 7 respectively. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage WRR controls bandwidth sharing at the egress port by defining scheduling weights. Example This example shows how to assign WRR weights to each of the priority queues for port 5.
  • Page 536: Table 4-65 Default Cos Priority Levels

    Default Setting This switch supports Class of Service by using eight priority queues, with Weighted Round Robin queuing for each port. Eight separate traffic classes are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown below.
  • Page 537: Show Queue Mode

    show queue mode This command shows the current queue mode. Default Setting None Command Mode Privileged Exec Example Console#sh queue mode Queue mode: strict Console# show queue bandwidth This command displays the weighted round-robin (WRR) bandwidth allocation for the eight priority queues. Default Setting None Command Mode...
  • Page 538: Show Queue Cos-Map

    show queue cos-map This command shows the class of service priority map. Syntax show queue cos-map [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1-8) - port - Port number. (Range: 1-24/48) • port-channel channel-id (Range: 1-32) Default Setting None Command Mode...
  • Page 539: Priority Commands (Layer 3 And 4)

    Priority Commands (Layer 3 and 4) Table 4-66 Priority Commands (Layer 3 and 4) Command map ip port map ip port map ip precedence map ip precedence map ip dscp map ip dscp map access-list ip map access-list mac show map ip port show map ip precedence show map ip dscp...
  • Page 540: Map Ip Port (Global Configuration)

    map ip port (Global Configuration) This command enables IP port mapping (i.e., class of service mapping for TCP/UDP sockets). Use the no form to disable IP port mapping. Syntax [no] map ip port Default Setting Disabled Command Mode Global Configuration Command Usage The precedence for priority mapping is IP Port, IP Precedence or IP...
  • Page 541: Map Ip Precedence (Global Configuration)

    Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority. • This command sets the IP port priority for all interfaces. Example The following example shows how to map HTTP traffic to CoS value 0: Console(config)#interface ethernet 1/5 Console(config-if)#map ip port 80 cos 0 Console(config-if)#...
  • Page 542: Map Ip Precedence (Interface Configuration)

    Example The following example shows how to enable IP precedence mapping globally: Console(config)#map ip precedence Console(config)# map ip precedence (Interface Configuration) This command sets IP precedence priority (i.e., IP Type of Service priority). Use the no form to restore the default table. Syntax map ip precedence ip-precedence-value cos cos-value no map ip precedence...
  • Page 543: Map Ip Dscp (Global Configuration)

    Example The following example shows how to map IP precedence value 1 to CoS value 0: Console(config)#interface ethernet 1/5 Console(config-if)#map ip precedence 1 cos 0 Console(config-if)# map ip dscp (Global Configuration) This command enables IP DSCP mapping (i.e., Differentiated Services Code Point mapping).
  • Page 544: Map Ip Dscp (Interface Configuration)

    map ip dscp (Interface Configuration) This command sets IP DSCP priority (i.e., Differentiated Services Code Point priority). Use the no form to restore the default table. Syntax map ip dscp dscp-value cos cos-value no map ip dscp • dscp-value - 8-bit DSCP value. (Range: 0-255) •...
  • Page 545: Show Map Ip Port

    Example The following example shows how to map IP DSCP value 1 to CoS value 0. Console(config)#interface ethernet 1/5 Console(config-if)#map ip dscp 1 cos 0 Console(config-if)# show map ip port Use this command to show the IP port priority map. Syntax show map ip port [interface] interface...
  • Page 546: Show Map Ip Precedence

    show map ip precedence This command shows the IP precedence priority map. Syntax show map ip precedence [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1-8) - port - Port number. (Range: 1-24/48) • port-channel channel-id (Range: 1-32) Default Setting None Command Mode...
  • Page 547: Show Map Ip Dscp

    show map ip dscp This command shows the IP DSCP priority map. Syntax show map ip dscp [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1-8) - port - Port number. (Range: 1-24/48) • port-channel channel-id (Range: 1-32) Default Setting None Command Mode...
  • Page 548: Multicast Filtering Commands

    Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
  • Page 549: Ip Igmp Snooping

    This command enables IGMP snooping on this switch. Use the no form to disable it. Syntax [no] ip igmp snooping Default Setting Enabled Command Mode Global Configuration Example The following example enables IGMP snooping. Console(config)#ip igmp snooping...
  • Page 550: Ip Igmp Snooping Version

    • All systems on the subnet must support the same version. If there are legacy devices in your network that only support Version 1, you will also have to configure this switch to use Version 1. • Some commands are only enabled for IGMPv2, including ip igmp query-max-response-time and ip igmp query-timeout.
  • Page 551: Show Ip Igmp Snooping

    show ip igmp snooping This command shows the IGMP snooping configuration. Default Setting None Command Mode Privileged Exec Command Usage See “Configuring IGMP Snooping and Query Parameters” on page 3-202 for a description of the displayed items. Example The following shows the current IGMP snooping configuration: Console#show ip igmp snooping Service status: Querier status:...
  • Page 552: Igmp Query Commands (Layer 2)

    Command Mode Privileged Exec Command Usage Member types displayed include IGMP or USER, depending on selected options. Example The following shows the multicast entries learned through IGMP snooping for VLAN 1: Console#show mac-address-table multicast vlan 1 igmp-snooping VLAN M'cast IP addr. Member ports Type ---- --------------- ------------ ------- 224.1.2.3 Console#...
  • Page 553: Ip Igmp Snooping Querier

    This command enables the switch as an IGMP querier. Use the no form to disable it. Syntax [no] ip igmp snooping querier Default Setting Enabled Command Mode Global Configuration Command Usage If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic.
  • Page 554: Ip Igmp Snooping Query-Interval

    This command configures the query interval. Use the no form to restore the default. Syntax ip igmp snooping query-interval seconds no ip igmp snooping query-interval seconds - The frequency at which the switch sends IGMP host-query messages. (Range: 60-125) Default Setting 125 seconds Command Mode...
  • Page 555: Ip Igmp Snooping Query-Max-Response-Time

    Global Configuration Command Usage • The switch must be using IGMPv2 for this command to take effect. • This command defines the time after a query, during which a response is expected from a multicast client. If a querier has sent a number of...
  • Page 556: Ip Igmp Snooping Router-Port-Expire-Time

    - The time the switch waits after the previous querier stops before it considers the router port (i.e., the interface which had been receiving query packets) to have expired.
  • Page 557: Static Multicast Routing Commands

    Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your router, you can manually configure that interface to join all the current multicast groups.
  • Page 558: Show Ip Igmp Snooping Mrouter

    Example The following shows how to configure port 11 as a multicast router port within VLAN 1: Console(config)#ip igmp snooping vlan 1 mrouter ethernet 1/11 Console(config)# show ip igmp snooping mrouter This command displays information on statically configured and dynamically learned multicast router ports.
  • Page 559: Ip Interface Commands

    IP Interface Commands An IP address may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on.
  • Page 560: Ip Address

    • You can start broadcasting BOOTP or DHCP requests by entering an ip dhcp restart command, or by rebooting the switch. Note: Only one VLAN interface can be assigned an IP address (the default is VLAN 1). This defines the management VLAN,...
  • Page 561: Ip Dhcp Restart

    If you assign an IP address to any other VLAN, the new IP address overrides the original IP address and this becomes the new management VLAN. Example In the following example, the device is assigned an address in VLAN 1.
  • Page 562: Ip Default-Gateway

    Dhcp. Console# Related Commands ip address (4-288) ip default-gateway This command establishes a static route between this switch and devices that exist on another network segment. Use the no form to remove the static route. Syntax ip default-gateway gateway...
  • Page 563: Show Ip Interface

    Related Commands
    show ip redirects (4-291)
    show ip interface
    This command displays the settings of an IP interface.
    Default Setting: All interfaces
    Command Mode: Privileged Exec
    Example
    Console#show ip interface
    IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1, and address mode: User specified.
  • Page 564: Ping

    • size - Number of bytes in a packet. (Range: 32-512, default: 32) The actual packet size will be eight bytes larger than the size specified because the switch adds header information.
    • count - Number of packets to send. (Range: 1-16, default: 5)
    Default Setting
    This command has no default for the host.
  • Page 565
    Example
    Console#ping 10.1.0.9
    Type ESC to abort.
    PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds
    response time: 10 ms
    response time: 10 ms
    response time: 10 ms
    response time: 10 ms
    response time: 0 ms
    Ping statistics for 10.1.0.9:
    5 packets transmitted, 5 packets received (100%), 0 packets lost (0%)
    Approximate round trip times:...
  • Page 567 APPENDIX: SOFTWARE SPECIFICATIONS
    Software Features
    Authentication: Local, RADIUS, TACACS, Port (802.1X), HTTPS, SSH, Port Security
    Access Control Lists: IP, MAC (up to 32 lists)
    DHCP Client
    DNS Server
    Port Configuration: 1000BASE-T: 10/100 Mbps at half/full duplex, 1000 Mbps at full duplex; 1000BASE-SX/LX - 1000 Mbps at full duplex (SFP); 1000BASE-ZX - 1000 Mbps at full duplex (SFP)
    Flow Control...
  • Page 568: Software Specifications

    Port Trunking: Static trunks (Cisco EtherChannel compliant); Dynamic trunks (Link Aggregation Control Protocol)
    Spanning Tree Protocol: Spanning Tree Protocol (STP, IEEE 802.1D); Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w); Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s)
    VLAN Support: Up to 255 groups;...
  • Page 569: Standards

    Software Loading: TFTP in-band or XModem out-of-band
    SNMP: Management access via MIB database; Trap management to specified hosts
    RMON: Groups 1, 2, 3, 9 (Statistics, History, Alarm, Event)
    Standards
    IEEE 802.1D Spanning Tree Protocol and traffic priorities
    IEEE 802.1p Priority tags
    IEEE 802.1Q VLAN
    IEEE 802.1v Protocol-based VLANs
    IEEE 802.1s Multiple Spanning Tree Protocol...
  • Page 570: Management Information Bases

    SNMPv2 (RFC 2571)
    SNMPv3 (RFC 3414, RFC 2570, RFC 2273, RFC 3411 & RFC 3415)
    SNTP (RFC 2030)
    SSH (Version 2.0)
    TFTP (RFC 1350)
    Management Information Bases
    Bridge MIB (RFC 1493)
    DNS Resolver MIB (RFC 1612)
    Entity MIB (RFC 2737)
    Ether-like MIB (RFC 2665)
    Extended Bridge MIB (RFC 2674)
    Extensible SNMP Agents MIB (RFC 2742)
  • Page 571
    Trap (RFC 1215)
    UDP MIB (RFC 2012)
  • Page 573: Troubleshooting

    IP interface to which it is connected. • If you are trying to connect to the switch via the IP address for a tagged VLAN group, your management station, and the ports connecting intermediate switches in the network, must be configured with the appropriate tag.
  • Page 574 • Be sure you have generated a public key on the switch, and exported this key to the SSH client. • Be sure you have set up an account on the switch for each SSH user, including user name, authentication level, and password.
  • Page 575: Using System Logs

    Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: 1. Enable logging.
  • Page 577: Glossary

    Access Control List (ACL)
    ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.
    Boot Protocol (BOOTP)
    BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device's system files, and the name of the boot file.
  • Page 578 EAPOL is a client authentication protocol used by this switch to verify the network access rights for any device that is plugged into the switch. A user name and password are requested by the switch, and then passed to an authentication server (e.g., RADIUS) for verification.
  • Page 579 An IEEE standard for the Multiple Spanning Tree Protocol (MSTP) which provides independent spanning trees for VLAN groups.
    IEEE 802.1X
    Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for authentication.
    IEEE 802.3ac
    Defines frame extensions for VLAN tagging.
  • Page 580: Ip Multicast Filtering

    Internet Group Management Protocol (IGMP)
    A protocol through which hosts can register with their local router for multicast services. If there is more than one multicast switch/router on a given subnetwork, one of the devices is made the “querier” and assumes responsibility for keeping track of group membership.
  • Page 581: Link Aggregation

    Multicast Switching
    A process whereby the switch filters incoming multicast frames for services for which no attached host has registered, or forwards them to all ports contained within the designated multicast VLAN group.
  • Page 582: Port Trunk

    A secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch.
    Simple Mail Transfer Protocol (SMTP)
    A standard host-to-host mail transport protocol that operates over TCP, port 25.
  • Page 583 Simple Network Management Protocol (SNMP)
    The application protocol in the Internet suite of protocols which offers network management services.
    Simple Network Time Protocol (SNTP)
    SNTP allows a device to set its internal clock based on periodic updates from a Network Time Protocol (NTP) server. Updates can be requested from a specific NTP server, or can be received via broadcasts sent by NTP servers.
  • Page 584 User Datagram Protocol (UDP) provides a datagram mode for packet-switched communications. It uses IP as the underlying transport mechanism to provide access to IP-like services. UDP packets are delivered just like IP packets – connection-less datagrams that may be discarded before reaching their targets. UDP is useful when TCP would be too complex, too slow, or just unnecessary.
  • Page 585: Index

    Numerics 802.1X, port authentication 4-104 acceptable frame type 3-177 Access Control List See ACL Extended IP 3-88 4-114 4-120 MAC 3-88 4-114 4-133 – 4-134 4-137 Standard IP 3-88 4-114 address table 3-134 4-206 aging time 3-137 4-210 BOOTP 3-20 4-288 BPDU 3-139 broadcast storm, threshold 3-123...
  • Page 586 edge port, STA 3-152 3-155 event logging 4-56 firmware displaying version 3-14 upgrading 3-23 4-84 GARP VLAN Registration Protocol See GVRP gateway, default 3-19 4-290 GVRP global setting 3-168 4-254 interface configuration 3-178 hardware version, displaying 3-14 HTTPS 3-65 4-41 HTTPS, secure server 3-65 IEEE 802.1D 3-138...
  • Page 587 multicast groups 3-207 displaying 4-279 static 3-207 4-277 4-279 multicast services configuring 3-208 4-277 displaying 3-207 4-279 multicast, static router port 3-206 password, line 4-16 passwords 2-9 administrator setting 3-59 path cost 3-141 3-151 method 3-146 4-217 STA 3-141 3-151 4-217 port authentication 4-104 port priority...
  • Page 588 interface settings 3-149 – 4-225 4-232 4-233 link type 3-152 3-155 path cost 3-141 3-151 path cost method 3-146 port priority 3-151 4-226 protocol migration 3-155 transmission limit 3-147 standards, IEEE A-3 startup files creating 3-27 4-84 displaying 3-23 4-76 setting 3-23 4-90...
  • Page 590 FOR TECHNICAL SUPPORT, CALL: From U.S.A. and Canada (24 hours a day, 7 days a week) (800) SMC-4-YOU; Phn: (949) 679-8000; Fax: (949) 679-1481 From Europe: Contact details can be found on www.smc-europe.com or www.smc.com INTERNET E-mail addresses: techsupport@smc.com european.techsupport@smc-europe.com Driver updates: http://www.smc.com/index.cfm?action=tech_support_drivers_downloads World Wide Web:...