SMC Networks SMC8126L2 Management Manual

Tigerswitch 10/100/1000 26/50-port gigabit managed switch

MANAGEMENT GUIDE

SMC8126L2 TigerSwitch™ 10/100/1000
26-Port Gigabit Managed Switch
SMC8150L2
50-Port Gigabit Managed Switch


Summary of Contents for SMC Networks SMC8126L2

  • Page 1: Management Guide

    MANAGEMENT GUIDE SMC8126L2 TigerSwitch 10/100/1000 26-Port Gigabit Managed Switch SMC8150L2 50-Port Gigabit Managed Switch...
  • Page 3 TigerSwitch 10/100/1000 Management Guide From SMC’s Tiger line of feature-rich workgroup LAN solutions 20 Mason Irvine, CA 92618 Phone: (949) 679-8000 September 2007 Pub. # 149100036100A E092007-AP-R01...
  • Page 4 Information furnished by SMC Networks, Inc. (SMC) is believed to be accurate and reliable. However, no responsibility is assumed by SMC for its use, nor for any infringements of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent or patent rights of SMC.
  • Page 5: Table Of Contents

    Community Strings (for SNMP version 1 and 2c clients) Trap Receivers Configuring Access for SNMP Version 3 Clients Saving Configuration Settings Managing System Files Chapter 3: Configuring the Switch Using the Web Interface Navigating the Web Browser Interface Home Page Configuration Options...
  • Page 6 Contents Saving or Restoring Configuration Settings Downloading Configuration Settings from a Server Console Port Settings Telnet Settings Configuring Event Logging Displaying Log Messages System Log Configuration Remote Log Configuration Simple Mail Transfer Protocol Renumbering the System Resetting the System Setting the System Clock Configuring SNTP Setting the Time Zone Simple Network Management Protocol...
  • Page 7 Adding Static Members to VLANs (VLAN Index) Adding Static Members to VLANs (Port Index) Configuring VLAN Behavior for Interfaces Configuring IEEE 802.1Q Tunneling Enabling QinQ Tunneling on the Switch Adding an Interface to a QinQ Tunnel Configuring Private VLANs Enabling Private VLANs...
  • Page 8 Contents Protocol VLAN Group Configuration Configuring Protocol VLAN Interfaces Class of Service Configuration Layer 2 Queue Settings Setting the Default Priority for Interfaces Mapping CoS Values to Egress Queues Enabling CoS Selecting the Queue Mode Setting the Service Weight for Traffic Classes Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values Selecting IP Precedence/DSCP Priority...
  • Page 9 DHCP Snooping Binding Information IP Source Guard IP Source Guard Port Configuration Static IP Source Guard Binding Configuration Dynamic IP Source Guard Binding Information Switch Clustering Cluster Configuration Cluster Member Configuration Cluster Member Information Cluster Candidate Information Chapter 4: Command Line Interface...
  • Page 10 Contents disconnect show line General Commands enable disable configure show history reload exit quit System Management Commands Device Designation Commands prompt hostname User Access Commands username enable password IP Filter Commands management show management Web Server Commands ip http port ip http server ip http secure-server ip http secure-port...
  • Page 11 logging facility logging trap clear logging show logging show log SMTP Alert Commands logging sendmail host logging sendmail level logging sendmail source-email logging sendmail destination-email logging sendmail show logging sendmail Time Commands sntp client sntp server sntp poll show sntp clock timezone calendar set show calendar...
  • Page 12 Contents TACACS+ Client tacacs-server host tacacs-server port tacacs-server key show tacacs-server Port Security Commands port security 802.1X Port Authentication dot1x system-auth-control dot1x default dot1x max-req dot1x port-control dot1x operation-mode dot1x re-authenticate dot1x re-authentication dot1x timeout quiet-period dot1x timeout re-authperiod dot1x timeout tx-period show dot1x Access Control List Commands IP ACLs...
  • Page 13 show snmp engine-id snmp-server view show snmp view snmp-server group show snmp group snmp-server user show snmp user Interface Commands interface description speed-duplex negotiation capabilities flowcontrol shutdown switchport broadcast packet-rate clear counters show interfaces status show interfaces counters show interfaces switchport Mirror Port Commands port monitor show port monitor...
  • Page 14 Contents spanning-tree priority spanning-tree pathcost method spanning-tree transmission-limit spanning-tree mst-configuration mst vlan mst priority name revision max-hops spanning-tree spanning-disabled spanning-tree cost spanning-tree port-priority spanning-tree edge-port spanning-tree portfast spanning-tree link-type spanning-tree mst cost spanning-tree mst port-priority spanning-tree protocol-migration show spanning-tree show spanning-tree mst configuration VLAN Commands GVRP and Bridge Extension Commands bridge-ext gvrp...
  • Page 15 Related Commands show dot1q-tunnel Configuring Private VLANs pvlan show pvlan Configuring Protocol-based VLANs protocol-vlan protocol-group (Configuring Groups) protocol-vlan protocol-group (Configuring Interfaces) show protocol-vlan protocol-group show interfaces protocol-vlan protocol-group Priority Commands Priority Commands (Layer 2) queue mode switchport priority default queue bandwidth queue cos-map show queue mode show queue bandwidth...
  • Page 16 Switch Cluster Commands...
  • Page 17 cluster cluster commander cluster ip-pool cluster member rcommand show cluster show cluster members show cluster candidates Appendix A: Software Specifications Software Features Management Features Standards Management Information Bases Appendix B: Troubleshooting Problems Accessing the Management Interface Using System Logs Glossary Index...
  • Page 18 Contents...
  • Page 19 Tables Table 1-1 Key Features Table 1-2 System Defaults Table 3-1 Configuration Options Table 3-2 Main Menu Table 3-3 Logging Levels Table 3-4 Supported Notification Messages Table 3-5 HTTPS System Support Table 3-6 802.1X Statistics Table 3-7 LACP Port Counters Table 3-8 LACP Internal Configuration Information Table 3-9...
  • Page 20 Tables Table 4-27 Authentication Commands Table 4-28 Authentication Sequence Table 4-29 RADIUS Client Commands Table 4-30 TACACS Commands Table 4-31 Port Security Commands Table 4-32 802.1X Port Authentication Table 4-33 Access Control Lists Table 4-34 IP ACLs Table 4-35 MAC ACL Commands Table 4-36 ACL Information Table 4-37...
  • Page 21 Table 4-75 show mvr members - display description Table 4-76 IP Interface Commands Table 4-77 IP Source Guard Commands Table 4-78 DHCP Snooping Commands Table 4-79 Switch Cluster Commands Table B-1 Troubleshooting Chart...
  • Page 22 Tables xviii...
  • Page 23 Figures Figure 3-1 Home Page Figure 3-2 Panel Display Figure 3-3 System Information Figure 3-4 Switch Information Figure 3-5 Bridge Extension Configuration Figure 3-6 Manual IP Configuration Figure 3-7 DHCP IP Configuration Figure 3-8 Bridge Extension Configuration Figure 3-9 Copy Firmware...
  • Page 24 Figures Figure 3-43 Selecting ACL Type Figure 3-44 Configuring Standard IP ACLs Figure 3-45 Configuring Extended IP ACLs Figure 3-46 Configuring MAC ACLs Figure 3-47 Configuring ACL Port Binding Figure 3-48 Creating an IP Filter List Figure 3-49 Displaying Port/Trunk Information Figure 3-50 Port/Trunk Configuration Figure 3-51...
  • Page 25 Figure 3-88 Configuring Queue Scheduling Figure 3-89 IP Precedence/DSCP Priority Status Figure 3-90 Mapping IP Precedence Priority Values Figure 3-91 Mapping IP DSCP Priority Values Figure 3-92 IP Port Priority Status Figure 3-93 IP Port Priority Figure 3-94 Configuring Class Maps Figure 3-95 Configuring Policy Maps Figure 3-96...
  • Page 26 Figures xxii...
  • Page 27: Chapter 1: Introduction

    Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.
  • Page 28: Description Of Software Features

    Configuration Backup and Restore – You can save the current configuration settings to a file on a TFTP server, and later download this file to restore the switch configuration settings. Authentication – This switch authenticates management access via the console port, Telnet or web browser.
  • Page 29 Ethernet size and have been verified for accuracy with the cyclic redundancy check (CRC). This prevents bad frames from entering the network and wasting bandwidth. To avoid dropping frames on congested ports, the SMC8126L2 and SMC8150L2 provide 4 Mbits respectively for frame buffering. This buffer can queue packets awaiting transmission on congested networks.
  • Page 30 GVRP, or ports can be manually assigned to a specific set of VLANs. This allows the switch to restrict traffic to the VLAN groups to which a user has been assigned. By segmenting your network into VLANs, you can: •...
  • Page 31 VLAN. The switch uses IGMP Snooping and Query to manage multicast group registration. It also supports Multicast VLAN Registration (MVR) which allows common multicast...
  • Page 32: System Defaults

    System Defaults The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-19). The following table lists some of the basic system defaults.
  • Page 33 Table 1-2 System Defaults (Continued) Function Parameter Port Configuration Admin Status Auto-negotiation Flow Control Rate Limiting Input and output limits Port Trunking Static Trunks LACP (all ports) Broadcast Storm Status Protection Broadcast Limit Rate Spanning Tree Status Algorithm Fast Forwarding (Edge Port) Address Table Aging Time Virtual LANs...
  • Page 34 Messages Logged Messages Logged to Flash SMTP Email Alerts Event Handler SNTP Clock Synchronization DHCP Snooping Status IP Source Guard Status Switch Clustering Status Commander Default Enabled Levels 0-7 (all) Levels 0-3 Enabled (but no server defined) Disabled Disabled Disabled (all ports)
  • Page 35: Chapter 2: Initial Configuration

    A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI). Note: The IP address for this switch is obtained via DHCP by default. To change this address, see “Setting an IP Address” on page 2-4.
  • Page 36: Required Connections

    Attach a VT100-compatible terminal, or a PC running a terminal emulation program to the switch. You can use the console cable provided with this package, or use a null-modem cable that complies with the wiring assignments shown in the Installation Guide.
  • Page 37: Remote Connections

    IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address”...
  • Page 38: Setting Passwords

    Manual Configuration You can manually assign an IP address to the switch. You may also need to specify a default gateway that resides between this device and management stations that exist on another network segment. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods.
  • Page 39: Dynamic Configuration

    “netmask” is the network mask for the network. Press <Enter>. Type “exit” to return to the global configuration mode prompt. Press <Enter>. To set the IP address of the default gateway for the network to which the switch belongs, type “ip default-gateway gateway,” where “gateway” is the IP address of the default gateway.
  • Page 40: Enabling Snmp Management Access

    When SNMP management stations send requests to the switch (either to return information or to set a parameter), the switch provides the requested data or sets the specified parameter. The switch can also be configured to send information to SNMP managers (without being requested by the managers) through trap messages, which inform the manager that certain events have occurred.
  • Page 41: Trap Receivers

    • private - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects. To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings.
  • Page 42: Configuring Access For Snmp Version 3 Clients

    Console(config)# For a more detailed explanation on how to configure the switch for access from SNMP v3 clients, refer to “Simple Network Management Protocol” on page 3-33, or refer to the specific CLI commands for SNMP starting on page 4-100.
  • Page 43: Managing System Files

    The switch’s flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.
  • Page 44 Initial Configuration 2-10...
  • Page 45: Chapter 3: Configuring The Switch

    (Internet Explorer 5.0 or above, or Netscape 6.2 or above). Note: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet. For more information on using the CLI, refer to Chapter 4: “Command Line Interface.”...
  • Page 46: Navigating The Web Browser Interface

    Note: The examples in this chapter are based on the SMC8126L2. Other than the number of fixed ports, there are no other differences between the SMC8126L2 and SMC8150L2. The panel graphics for both switch types are shown on the following page.
  • Page 47: Configuration Options

    Panel Display The web agent displays an image of the switch’s ports. The Mode can be set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control). Clicking on the image of a port opens the Port Configuration page as described on page 3-78.
  • Page 48: Main Menu

    Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Menu...
  • Page 49 Navigating the Web Browser Interface Table 3-2 Main Menu (Continued) Description Sets the SNMP v3 engine ID on this switch Sets the SNMP v3 engine ID for a remote device Configures SNMP v3 users on this switch Configures SNMP v3 users from a remote device...
  • Page 50 Configuring the Switch Menu Aggregation Port Port Counters Information Port Internal Information Port Neighbors Information Displays settings and operational state for the remote side Port Broadcast Control Trunk Broadcast Control Mirror Port Configuration Rate Limit Input Port Configuration Input Trunk Configuration...
  • Page 51 Description Enables GVRP VLAN registration protocol Enables QinQ Tunneling on the switch Displays information on the VLAN type supported by this switch Shows the current port members of each VLAN and whether or not the port is tagged or untagged...
  • Page 52 Defines service policy settings for ports Enables multicast filtering; configures parameters for multicast query Enables IGMP filtering and throttling for the switch, creates filter profile numbers Enables the immediate leave function Displays the ports that are attached to a neighboring multicast...
  • Page 53 Enables IP source guard and selects filter type per port Adds static addresses to the source-guard binding table Displays the source-guard binding table for a selected interface Globally enables clustering for the switch Adds switch Members to the cluster Displays cluster Member switch information...
  • Page 54: Basic Configuration

    Field Attributes • System Name – Name assigned to the switch system. • Object ID – MIB II object ID for switch’s network management subsystem. • Location – Specifies the system location. • Contact – Administrator responsible for the system.
  • Page 55: Displaying Switch Hardware/Software Versions

    • Boot-ROM Version – Version of Power-On Self-Test (POST) and boot code. • Operation Code Version – Version number of runtime code. • Role – Shows that this switch is operating as Master or Slave. : TigerSwitch 10/100/1000 26/50 PORT MANAGED : 1.3.6.1.4.1.202.20.68...
  • Page 56: Figure 3-4 Switch Information

    Configuring the Switch Web – Click System, Switch Information. CLI – Use the following command to display version information. Console#show version Unit 1 Serial number: Hardware version: EPLD Version: Number of ports: Main power status: Redundant power status: Agent (master)
  • Page 57: Displaying Bridge Extension Capabilities

    GMRP (GARP Multicast Registration Protocol). • Traffic Classes – This switch provides mapping of user priorities to multiple traffic classes. (Refer to “Class of Service Configuration” on page 3-144.) • Static Entry Individual Port – This switch allows static filtering for unicast and multicast addresses.
  • Page 58: Setting The Switch's Ip Address

    • Management VLAN – ID of the configured VLAN (1-4094, no leading zeroes). By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
  • Page 59: Manual Configuration

    Manual Configuration Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply. CLI – Specify the management interface, IP address and default gateway. Console#config Console(config)#interface vlan 1 Console(config-if)#ip address 192.168.1.1 255.255.255.0...
  • Page 60: Using Dhcp/Bootp

    If the address expires or the switch is moved to another network segment, you will lose management access to the switch. In this case, you can reboot the switch or submit a client request to restart DHCP service via the CLI. 3-16 Figure 3-7 DHCP IP Configuration User specified.
  • Page 61: Enabling Jumbo Frames

    You can upload/download firmware to or from a TFTP server, or copy files to and from switch units in a stack. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. You can also set the switch to use new firmware without overwriting the previous version.
  • Page 62: Downloading System Software From A Server

    IP address of the TFTP server, set the file type to “opcode,” enter the file name of the software to download, select a file on the switch to overwrite or specify a new file name, then click Apply. If you replaced the current firmware used for startup and want to start using the new operation code, reboot the system via the System/Reset menu.
  • Page 63: Saving Or Restoring Configuration Settings

    • File Transfer Method – The configuration copy operation includes these options: - file to file – Copies a file within the switch directory, assigning it a new name. - file to running-config – Copies a file in the switch to the running configuration.
  • Page 64: Downloading Configuration Settings From A Server

    Web – Click System, File, Copy Operation. Select “tftp to startup-config” or “tftp to file” and enter the IP address of the TFTP server. Specify the name of the file to download and select a file on the switch to overwrite or specify a new file name, then click Apply.
  • Page 65: Console Port Settings

    Figure 3-13 Setting the Startup Configuration Settings CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch. Console#copy tftp startup-config TFTP server ip address: 192.168.1.23...
  • Page 66: Figure 3-14 Console Port Settings

    Configuring the Switch system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt. (Range: 0-120; Default: 3 attempts) • Silent Time – Sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts has been exceeded.
  • Page 67: Telnet Settings

    • Telnet Status – Enables or disables Telnet access to the switch. (Default: Enabled) • Telnet Port Number – Sets the TCP port number for Telnet on the switch. (Default: 23) • Login Timeout – Sets the interval that the system waits for a user to log into the CLI.
  • Page 68: Figure 3-15 Enabling Telnet

    Configuring the Switch system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt. (Range: 0-120; Default: 3 attempts) • Password – Specifies a password for the line connection. When a connection is started on a line with password protection, the system prompts for the password.
  • Page 69: Configuring Event Logging

    Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory and logging to a remote System Log (syslog) server, and to display a list of recent event messages.
  • Page 70: System Log Configuration

    Severe error messages that are logged to flash memory are permanently stored in the switch to assist in troubleshooting network problems. Up to 4096 log entries can be stored in the flash memory, with the oldest entries being overwritten first when the available log memory (256 kilobytes) has been exceeded.
  • Page 71: Remote Log Configuration

    The attribute specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to process messages, such as sorting or storing messages in the corresponding database.
  • Page 72: Simple Mail Transfer Protocol

    Configuring the Switch • Host IP Address – Specifies a new server IP address to add to the Host IP List. Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove.
  • Page 73: Figure 3-19 Enabling And Configuring Smtp

    • Severity – Specifies the degree of urgency that the message carries. • Debugging – Sends a debugging notification. (Level 7) • Information – Sends informational notification only. (Level 6) • Notice – Sends notification of a normal but significant condition, such as a cold start.
  • Page 74: Renumbering The System

    Web – Click System, Renumber. Click the Renumber button to renumber the switch. When prompted, confirm that you want to renumber the switch. CLI – Use the reload command to restart the switch. When prompted, confirm that you want to reset the switch.
  • Page 75: Setting The System Clock

    You can also manually set the clock using the CLI. (See “calendar set” on page 4-56) If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
  • Page 76: Setting The Time Zone

    Configuring the Switch CLI – This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings. Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 Console(config)#sntp poll 60 Console(config)#sntp client Console(config)#exit Console#show sntp Current time:...
  • Page 77: Simple Network Management Protocol

    HP OpenView. Access rights to the onboard agent are controlled by community strings. To communicate with the switch, the management station must first submit a valid community string for authentication. The options for configuring community strings, trap functions, and restricting access to clients with specified IP addresses are described in the following sections.
  • Page 78: Specifying Trap Managers And Trap Types

    Specifying Trap Managers and Trap Types Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as HP OpenView).
  • Page 79: Enabling Snmp Agent Status

    Web – Click SNMP, Configuration. Fill in the IP address and community string for each trap manager that will receive trap messages, and then click Add. Select the trap types required using the check boxes for Authentication and Link-up/down traps, and then click Apply. Figure 3-25 Configuring IP Trap Managers CLI –...
  • Page 80: Configuring Snmpv3 Management Access

    SNMPv3 packets. A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all SNMP users will be cleared.
  • Page 81: Specifying A Remote Engine Id

    Specifying a Remote Engine ID To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.
  • Page 82 Configuring the Switch • Level – The security level used for the user: - noAuthNoPriv – There is no authentication or encryption used in SNMP communications. (This is the default for SNMPv3.) - AuthNoPriv – SNMP communications use authentication, but the data is not encrypted (only available for the SNMPv3 security model).
  • Page 83: Figure 3-29 Configuring Snmpv3 Users

    Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
  • Page 84: Configuring Remote Snmpv3 Users

    Configuring the Switch Configuring Remote SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view.
  • Page 85: Configuring Snmpv3 Groups

    CLI – Use the snmp-server user command to configure a new user name and assign it to a group. Console(config)#snmp-server user mark group r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien Console(config)#exit Console#show snmp user No user exist. SNMP remote user EngineId: 80000000030004e2b316c54321 User Name: mark...
  • Page 86 Table 3-4 Supported Notification Messages (Continued) Object Label, Object ID: topologyChange 1.3.6.1.2.1.17.0.2. SNMPv2 Traps: coldStart 1.3.6.1.6.3.1.1.5.1; warmStart 1.3.6.1.6.3.1.1.5.2; linkDown 1.3.6.1.6.3.1.1.5.3; linkUp 1.3.6.1.6.3.1.1.5.4; authenticationFailure 1.3.6.1.6.3.1.1.5.5. RMON Events (V2): risingAlarm 1.3.6.1.2.1.16.0.1; fallingAlarm 1.3.6.1.2.1.16.0.2. Description: A topologyChange trap is sent by a bridge when...
  • Page 87 Table 3-4 Supported Notification Messages (Continued) Object Label, Object ID: Private Traps: swPowerStatusChangeTrap 1.3.6.1.4.1.202.20.68.2.1.0.1; swIpFilterRejectTrap 1.3.6.1.4.1.202.20.68.2.1.0.1; pethPsePortOnOffNotification 1.3.6.1.4.1.202.20.68.2.1.0.1; pethPsePortPowerMaintenanceStatusNotification 1.3.6.1.4.1.202.20.68.2.1.0.1; pethMainPowerUsageOnNotification 1.3.6.1.4.1.202.20.68.2.1.0.1; pethMainPowerUsageOffNotification 1.3.6.1.4.1.202.20.68.2.1.0.1. a. These are legacy notifications and therefore must be enabled in conjunction with the corresponding traps on the SNMP Configuration menu.
  • Page 88: Figure 3-31 Configuring Snmpv3 Groups

    Configuring the Switch Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read and write views. Click Add to save the new group and return to the Groups list.
  • Page 89: Setting Snmpv3 Views

    Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view. Click Back to save the new view and return to the SNMPv3 Views list.
  • Page 90: User Authentication

    User Authentication You can restrict management access to this switch using the following options: • User Accounts – Manually configure access rights on the switch for specified users. • Authentication Settings – Use remote authentication to configure access rights. • HTTPS Settings – Provide a secure web connection.
  • Page 91: Figure 3-33 Access Levels

    • New Account – Displays configuration settings for a new account. - User Name – The name of the user. (Maximum length: 8 characters; maximum number of users: 16) - Access Level – Specifies the user level. (Options: Normal and Privileged) - Password –...
  • Page 92: Configuring Local/Remote Logon Authentication

    Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.
  • Page 93 - Number of Server Transmits – Number of times the switch tries to authenticate logon access via the authentication server. (Range: 1-30; Default: 2) - Timeout for a reply – The number of seconds the switch waits for a reply from the RADIUS server before it resends the request. (Range: 1-65535; Default: 5) •...
  • Page 94: Figure 3-34 Authentication Settings

    Configuring the Switch Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply. Figure 3-34 Authentication Settings...
  • Page 95 CLI – Specify all the required parameters to enable logon authentication. Console(config)#authentication login radius Console(config)#radius-server port 181 Console(config)#radius-server key green Console(config)#radius-server retransmit 5 Console(config)#radius-server timeout 10 Console(config)#radius-server 1 host 192.168.1.25 Console(config)#end Console#show radius-server Remote RADIUS server configuration: Global settings: Communication key with RADIUS server: ***** Server port number: Retransmit times: Request timeout:...
  • Page 96: Configuring Https

    Command Usage • Both the HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure both services to use the same UDP port. • If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number] •...
  • Page 97: Replacing The Default Secure-Site Certificate

    Source certificate file name: <certificate file name> Source private file name: <private key file name> Private password: <password for private key> Note: The switch must be reset for the new certificate to be activated. To reset the switch, type: Console#reload User Authentication...
  • Page 98: Configuring The Secure Shell

    SSH-enabled management station clients, and ensures that data traveling over the network arrives unaltered. Note: You need to install an SSH client on the management station to access the switch for management via the SSH protocol. Note: The switch supports both SSH Version 1.5 and 2.0 clients.
  • Page 99 Challenge-Response Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can access it. The following exchanges take place during this process: The client sends its public key to the switch.
  • Page 100: Configuring The Ssh Server

    The SSH server includes basic settings for authentication. Field Attributes • SSH Server Status – Allows you to enable/disable the SSH server on the switch. (Default: Disabled) • Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients.
  • Page 101: Generating The Host Key Pair

    A host public/private key pair is used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the preceding section (Command Usage).
  • Page 102: Figure 3-37 Ssh Host-Key Settings

    Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate.
  • Page 103: Configuring Port Security

    Configuring Port Security Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
  • Page 104: Configuring 802.1X Port Authentication

    The IEEE 802.1X (dot1X) standard defines a port-based access control procedure that prevents unauthorized access to a network by requiring users to first submit credentials for authentication. Access to all switch ports in a network can be centrally controlled from a server, which means that authorized users can use the same credentials for authentication from any point within the network.
  • Page 105: Displaying 802.1X Global Settings

    (i.e., Authenticator) responds with an EAPOL identity request. The client provides its identity (such as a user name) in an EAPOL response to the switch, which it forwards to the RADIUS server. The RADIUS server verifies the client identity and sends an access challenge back to the client.
  • Page 106: Configuring 802.1X Global Settings

    Command Attributes • 802.1X System Authentication Control – Sets the global setting for 802.1X. (Default: Disabled) Web – Select Security, 802.1X, Configuration. Enable 802.1X globally for the switch, and click Apply. Figure 3-40 802.1X Global Configuration CLI – This example enables 802.1X globally for the switch.
  • Page 107: Configuring Port Settings For 802.1X

    EAP request packet to the client before it times out the authentication session. (Range: 1-10; Default 2) • Quiet Period – Sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client.
  • Page 108: Figure 3-41 802.1X Port Configuration

    Figure 3-41 802.1X Port Configuration
  • Page 109: Table 4-58 Mode

    CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 4-86.
    Console(config)#interface ethernet 1/2
    Console(config-if)#dot1x port-control auto
    Console(config-if)#dot1x re-authentication
    Console(config-if)#dot1x max-req 5
    Console(config-if)#dot1x timeout quiet-period 30
    Console(config-if)#dot1x timeout re-authperiod 1800
    Console(config-if)#dot1x timeout tx-period 40
    Console(config-if)#exit...
  • Page 110: Displaying 802.1X Statistics

    Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port.
    Parameter – Description
    Rx EAPOL Start – The number of EAPOL Start frames that have been received by this Authenticator.
    Rx EAPOL Logoff – The number of EAPOL Logoff frames that have been received by this Authenticator.
  • Page 111: Access Control Lists

    Otherwise, the bind operation will fail. • The switch does not support the explicit “deny any any” rule for the egress IP ACL. If these rules are included in ACL, and you attempt to bind the ACL to an interface for egress checking, the bind operation will fail.
  • Page 112: Setting The Acl Name And Type

    Explicit default rule (permit any any) in the ingress IP ACL for ingress ports. If no explicit rule is matched, the implicit default is permit all. Setting the ACL Name and Type Use the ACL Configuration page to designate the name and type of an ACL.
  • Page 113: Configuring A Standard Ip Acl

    Configuring a Standard IP ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Address Type – Specifies the source IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP” to specify a range of addresses with the Address and SubMask fields.
  • Page 114 host address in the Address field, or “IP” to specify a range of addresses with the Address and SubMask fields. (Options: Any, Host, IP; Default: Any) • Source/Destination IP Address – Source or destination IP address. • Source/Destination Subnet Mask – Subnet mask for source or destination address.
  • Page 115: Figure 3-45 Configuring Extended Ip Acls

    Figure 3-45 Configuring Extended IP ACLs CLI – This example adds two rules: (1) Accept any incoming packets if the source address is in subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 &...
  • Page 116: Configuring A Mac Acl

    Configuring a MAC ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bitmask fields.
  • Page 117: Binding A Port To An Access Control List

    After configuring the Access Control Lists (ACL), you can bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list to any port. Command Usage This switch supports ACLs for ingress filtering only. Command Attributes • Port – Fixed port or SFP module. (Range: 1-26/50) •...
  • Page 118: Filtering Ip Addresses For Management Access

    • If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
  • Page 119: Figure 3-48 Creating An Ip Filter List

    • You cannot delete an individual address from a specified range. You must delete the entire range, and reenter the addresses. • You can delete an address range just by specifying the start address, or by specifying both the start address and end address. Command Attributes •...
  • Page 120: Port Configuration

    • Flow Control Status – Indicates the type of flow control currently in use. (IEEE 802.3x, Back-Pressure or None) • Autonegotiation – Shows if auto-negotiation is enabled or disabled. • Media Type – Media type used for the combo ports 21-24 (SMC8126L2) or 45-48 (SMC8150L2). (Options: Copper-Forced, SFP-Forced, or SFP-Preferred-Auto; Default: SFP-Preferred-Auto) •...
  • Page 121: Figure 3-49 Displaying Port/Trunk Information

    Web – Click Port, Port Information or Trunk Information. Figure 3-49 Displaying Port/Trunk Information Field Attributes (CLI) Basic Information: • Port type – Indicates the port type. (100BASE-TX, 1000BASE-T, or SFP) • MAC address – The physical layer address for this port. (To access this item on the web, see 3-14.) Configuration: •...
  • Page 122: Configuring Interface Connections

    • Port Security – Shows if port security is enabled or disabled. • Max MAC count – Shows the maximum number of MAC addresses that can be learned by a port. (0 - 1024 addresses) • Port security action – Shows the response to take when a security violation is detected.
  • Page 123: Figure 3-50 Port/Trunk Configuration

    (Default: Autonegotiation enabled; Advertised capabilities for 100BASE-TX – 10half, 10full, 100half, 100full; 1000BASE-T – 10half, 10full, 100half, 100full, 1000full; 1000BASE-SX/LX/ZX – 1000full) • Media Type – Media type used for the combo ports 21-24 (SMC8126L2) or 45-48 (SMC8150L2). (Options: Copper-Forced, SFP-Forced, or SFP-Preferred-Auto; Default: SFP-Preferred-Auto) •...
  • Page 124: Creating Trunk Groups

    LACP-configured ports on another device. You can configure any number of ports on the switch as LACP, as long as they are not already configured as part of a static trunk. If ports on another device are also configured as LACP, the switch and the other device will negotiate a trunk link between them.
  • Page 125: Statically Configuring A Trunk

    Web – Click Port, Trunk Membership. Enter a trunk ID of 1-32 in the Trunk field, select any of the switch ports from the scroll-down port list, and click Add. After you have completed adding ports to the member list, click Apply.
  • Page 126: Enabling Lacp On Selected Ports

    ID. • If more than eight ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails. • All ports on both ends of an LACP trunk must be configured for full duplex, and auto-negotiation.
  • Page 127: Figure 3-52 Lacp Trunk Configuration

    • New – Includes entry fields for creating new trunks. - Port – Port identifier. (Range: 1-26/50) Web – Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add. After you have completed adding ports to the member list, click Apply.
  • Page 128: Configuring Lacp Parameters

    CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk.
    Console(config)#interface ethernet 1/1
    Console(config-if)#lacp
    Console(config-if)#exit
    Console(config)#interface ethernet 1/6
    Console(config-if)#lacp
    Console(config-if)#end...
  • Page 129: Figure 3-53 Lacp Port Configuration

    - System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems. • Admin Key – The LACP administration key must be set to the same value for ports that belong to the same LAG.
  • Page 130: Displaying Lacp Port Counters

    CLI – The following example configures LACP parameters for ports 1-4. Ports 1-4 are used as active members of the LAG.
    Console(config)#interface ethernet 1/1
    Console(config-if)#lacp actor system-priority 3
    Console(config-if)#lacp actor admin-key 120
    Console(config-if)#lacp actor port-priority 128
    Console(config-if)#exit...
  • Page 131: Figure 3-54 Lacp - Port Counters Information

    Table 3-7 LACP Port Counters (Continued) Field Marker Unknown Pkts Marker Illegal Pkts Web – Click Port, LACP, Port Counters Information. Select a member port to display the corresponding information. Figure 3-54 LACP - Port Counters Information CLI – The following example displays LACP counters. Console#show lacp counters Port channel : 1 -------------------------------------------------------------------------...
  • Page 132: Displaying Lacp Settings And Status For The Local Side

    Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the local side of a link aggregation. Table 3-8 LACP Internal Configuration Information Field Description Oper Key Current operational value of the key for the aggregation port.
  • Page 133: Figure 3-55 Lacp - Port Internal Information

    Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 3-55 LACP - Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1. Console#show lacp 1 internal Port channel : 1 -------------------------------------------------------------------------...
  • Page 134: Displaying Lacp Settings And Status For The Remote Side

    Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of a link aggregation. Table 3-9 LACP Neighbor Configuration Information Field Description Partner Admin System ID LAG partner’s system ID assigned by the user.
  • Page 135: Setting Broadcast Storm Thresholds

    CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1. Console#show lacp 1 neighbors Port channel 1 neighbors ------------------------------------------------------------------------- Eth 1/1 ------------------------------------------------------------------------- Partner Admin System ID: Partner Oper System ID: Partner Admin Port Number: 5 Partner Oper Port Number: Port Admin Priority:...
  • Page 136: Figure 3-57 Port Broadcast Control

    Web – Click Port, Port/Trunk Broadcast Control. Set the threshold, mark the Enabled field for the desired interface and click Apply. CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 500 packets per second for port 2.
  • Page 137: Configuring Port Mirroring

    Configuring Port Mirroring You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner. Command Usage •...
  • Page 138: Configuring Rate Limits

    Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the switch. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.
  • Page 139: Showing Port Statistics

    This information can be used to identify potential problems with the switch (such as a faulty port or unusually heavy loading). RMON statistics provide access to a broad range of statistics, including a total count of different frame types and sizes passing through each port.
  • Page 140 Parameter Transmit Multicast Packets Transmit Broadcast Packets Transmit Discarded Packets Transmit Errors Etherlike Statistics Alignment Errors Late Collisions FCS Errors Excessive Collisions Single Collision Frames Internal MAC Transmit Errors Multiple Collision Frames Carrier Sense Errors SQE Test Errors...
  • Page 141 Table 3-10 Port Statistics (Continued) Parameter RMON Statistics Drop Events Jabbers Received Bytes Collisions Received Frames Broadcast Frames Multicast Frames CRC/Alignment Errors Undersize Frames Oversize Frames Fragments 64 Bytes Frames 65-127 Byte Frames 128-255 Byte Frames 256-511 Byte Frames 512-1023 Byte Frames 1024-1518 Byte Frames 1519-1536 Byte Frames Description...
  • Page 142: Figure 3-60 Port Statistics

    Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen. Figure 3-60 Port Statistics
  • Page 143: Address Table Settings

    Setting Static Addresses A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
  • Page 144: Displaying The Address Table

    Displaying the Address Table The Dynamic Address Table contains the MAC addresses learned by monitoring the source address for traffic entering the switch. When the destination address for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associated port.
  • Page 145: Figure 3-62 Configuring A Dynamic Address Table

    Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query. Figure 3-62 Configuring a Dynamic Address Table CLI – This example also displays the address table entries for port 1. Console#show mac-address-table interface ethernet 1/1 Interface Mac Address --------- ----------------- ---- -----------------...
  • Page 146: Changing The Aging Time

    This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
  • Page 147 disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops. Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down.
  • Page 148 An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see 3-116). An MST Region may contain multiple MSTP Instances. An Internal Spanning Tree (IST) is used to connect all the MSTP switches within an MST region.
  • Page 149: Displaying Global Settings

    Tree that this switch has accepted as the root device. - Root Port – The number of the port on this switch that is closest to the root. This switch communicates with the root device through this port. If there is no root port, then this switch has been accepted as the root device of the Spanning Tree network.
  • Page 150: Figure 3-64 Displaying Spanning Tree Information

    However, if all devices have the same priority, the device with the lowest MAC address will then become the root device. • Root Hello Time – Interval (in seconds) at which this device transmits a configuration message.
  • Page 151: Configuring Global Settings

    RSTP node transmits, as described below: - STP Mode – If the switch receives an 802.1D BPDU (i.e., STP BPDU) after a port’s migration delay timer expires, the switch assumes it is connected to an 802.1D bridge and starts using only 802.1D BPDUs.
  • Page 152 • Spanning Tree State – Enables/disables STA on this switch. (Default: Enabled) • Spanning Tree Type – Specifies the type of spanning tree used on this switch: - STP: Spanning Tree Protocol (IEEE 802.1D); i.e., when this option is selected, the switch will use RSTP set to STP forced compatibility mode.
  • Page 153 Configuration Settings for MSTP • Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned. • Region Revision – The revision for this MSTI. (Range: 0-65535; Default: 0) • Region Name – The name for this MSTI. (Maximum length: 32 characters) •...
  • Page 154: Figure 3-65 Configuring Spanning Tree

    Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply. Figure 3-65 Configuring Spanning Tree CLI – This example enables Spanning Tree Protocol, sets the mode to RSTP, and then configures the STA and RSTP parameters.
  • Page 155: Displaying Interface Settings

    - A port on a network segment with no other STA compliant bridging device is always forwarding. - If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment, the port with the smaller ID forwards packets and the other is discarding.
  • Page 156 • Priority – Defines the priority used for this port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Algorithm is detecting network loops.
  • Page 157: Figure 3-66 Displaying Spanning Tree Port Information

    - Point-to-Point – A connection to exactly one other bridge. - Shared – A connection to two or more bridges. - Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared media.
  • Page 158: Configuring Interface Settings

    • Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops.
  • Page 159: Figure 3-67 Configuring Spanning Tree Per Port

    - Point-to-Point – A connection to exactly one other bridge. - Shared – A connection to two or more bridges. - Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared media. (This is the default setting.) •...
  • Page 160: Configuring Multiple Spanning Trees

    By default all VLANs are assigned to the Internal Spanning Tree (MST Instance 0) that connects all bridges and LANs within the MST region. This switch supports up to 65 instances. You should try to group VLANs which cover the same general area of your network.
  • Page 161: Figure 3-68 Configuring Multiple Spanning Trees

    Web – Click Spanning Tree, MSTP, VLAN Configuration. Select an instance identifier from the list, set the instance priority, and click Apply. To add the VLAN members to an MSTI instance, enter the instance identifier, the VLAN identifier, and click Add. Figure 3-68 Configuring Multiple Spanning Trees CLI –...
  • Page 162: Displaying Interface Settings For Mstp

    CLI – This example sets STA attributes for port 1, followed by settings for each port.
    Console#show spanning-tree mst 2
    Spanning-tree information
    ---------------------------------------------------------------
    Spanning tree mode :MSTP
    Spanning tree enable/disable :enable
    Instance :2
    Vlans configuration :2
    Priority :4096
    Bridge Hello Time (sec.) :2...
  • Page 163: Figure 3-69 Displaying Mstp Interface Settings

    Web – Click Spanning Tree, MSTP, Port or Trunk Information. Select the required MST instance to display the current spanning tree values. Figure 3-69 Displaying MSTP Interface Settings
  • Page 164: Configuring Interface Settings For Mstp

    CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST; the settings for other instances only apply to the local spanning tree.
  • Page 165 • Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops.
  • Page 166: Vlan Configuration

    In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains. This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains. VLANs confine broadcast traffic to the originating group, and can eliminate broadcast storms in large networks.
  • Page 167: Assigning Ports To Vlans

    VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port). But if the frame is tagged, the switch uses the tagged VLAN ID to identify the port broadcast domain of the frame.
  • Page 168 VLAN form a broadcast domain that is separate from other VLANs configured on the switch. Packets are forwarded only between ports that are designated for the same VLAN. Untagged VLANs can be used to manually isolate user groups or subnets.
  • Page 169: Enabling Or Disabling Gvrp (Global Setting)

    Ports can be assigned to multiple tagged VLANs, but are only allowed one untagged VLAN. Each port on the switch is capable of passing tagged or untagged frames. When forwarding a frame from this switch along a path that contains any VLAN-aware devices, the switch should include VLAN tags.
  • Page 170: Displaying Basic Vlan Information

    Field Attributes • VLAN Version Number the IEEE 802.1Q standard. • Maximum VLAN ID – Maximum VLAN ID recognized by this switch. • Maximum Number of Supported VLANs – Maximum number of VLANs that can be configured on this switch.
  • Page 171: Figure 3-73 Displaying Current Vlans

    • Status – Shows how this VLAN was added to the switch. - Dynamic GVRP: Automatically learned via GVRP. - Permanent: Added as a static entry. • Egress Ports – Shows all the VLAN port members. • Untagged Ports – Shows the untagged VLAN port members.
  • Page 172: Creating Vlans

    Creating VLANs Use the VLAN Static List to create or remove VLAN groups. To propagate information about VLAN groups used on this switch to external network devices, you must specify a VLAN ID for each of these groups. Command Attributes •...
  • Page 173: Adding Static Members To Vlans (Vlan Index)

    Assign ports as tagged if they are connected to 802.1Q VLAN compliant devices, or untagged if they are not connected to any VLAN-aware devices. Or configure a port as forbidden to prevent the switch from automatically adding it to a VLAN via the GVRP protocol.
  • Page 174 VLAN 1 is the default untagged VLAN containing all ports on the switch, and can only be modified by first reassigning the default port VLAN ID as described under “Configuring VLAN Behavior for Interfaces” on page 3-132.
  • Page 175: Adding Static Members To Vlans (Port Index)

    Figure 3-75 Configuring a VLAN Static Table CLI – The following example adds tagged and untagged ports to VLAN 2.
    Console(config)#interface ethernet 1/1
    Console(config-if)#switchport allowed vlan add 2 tagged
    Console(config-if)#exit
    Console(config)#interface ethernet 1/2
    Console(config-if)#switchport allowed vlan add 2 untagged
    Console(config-if)#exit
    Console(config)#interface ethernet 1/13
    Console(config-if)#switchport allowed vlan add 2 tagged
    Adding Static Members to VLANs (Port Index)
  • Page 176: Configuring Vlan Behavior For Interfaces

    Configuring VLAN Behavior for Interfaces You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers. Command Usage • GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
  • Page 177: Configuring Ieee 802.1Q Tunneling

    Web – Click VLAN, 802.1Q VLAN, Port Configuration or Trunk Configuration. Fill in the required settings for each interface, click Apply. Figure 3-77 Configuring VLANs per Port CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, and then sets the switchport mode to hybrid.
  • Page 178 However, the SPVLAN tag is not added when it is sent out the tunnel access port on the edge switch into the customer’s network. The packet is sent as a normal IEEE 802.1Q-tagged frame, preserving the original VLAN numbers used in the customer’s network.
  • Page 179 4. After successful source and destination lookup, the packet is double tagged. The switch uses the TPID of 0x8100 to indicate that an incoming packet is double-tagged. If the outer tag of an incoming double-tagged packet is equal to the port TPID and the inner tag is 0x8100, it is treated as a double-tagged packet.
  • Page 180 General Configuration Guidelines for QinQ 1. Configure the switch to QinQ mode (see “Enabling QinQ Tunneling on the Switch” on page 3-137). 2. Create a Service Provider VLAN, also referred to as an SPVLAN (see “Creating VLANs”...
  • Page 181: Enabling Qinq Tunneling On The Switch

    Command Attributes • 802.1Q Tunnel – Sets the switch to QinQ mode, and allows the QinQ tunnel port to be configured. The default is for the switch to function in normal mode. • 802.1Q Ethernet Type – The Tag Protocol Identifier (TPID) specifies the ethertype of incoming packets on a tunnel port.
  • Page 182: Adding An Interface To A Qinq Tunnel

    Console# Adding an Interface to a QinQ Tunnel Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch. Use the VLAN Port Configuration or VLAN Trunk Configuration screen to set the access port on the edge switch to 802.1Q Tunnel mode. Also set the Tag Protocol Identifier (TPID) value of the tunnel port if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames.
  • Page 183: Figure 3-79 Tunnel Port Configuration

    - 802.1Q Tunnel Uplink – Configures IEEE 802.1Q tunneling (QinQ) for an uplink port to another device within the service provider network. Web – Click VLAN, 802.1Q VLAN, Tunnel Configuration or Tunnel Trunk Configuration. Set the mode for a tunnel access port to 802.1Q Tunnel and a tunnel uplink port to 802.1Q Tunnel Uplink.
  • Page 184 CLI – This example sets port 1 to tunnel access mode, indicates that the TPID used for 802.1Q tagged frames is 9100 hexadecimal, and sets port 2 to tunnel uplink mode.
    Console(config)#interface ethernet 1/1
    Console(config-if)#switchport dot1q-tunnel mode access...
  • Page 185: Configuring Private Vlans

    VLAN. Data traffic on downlink ports can only be forwarded to, and from, uplink ports. (Note that private VLANs and normal VLANs can exist simultaneously within the same switch.) Enabling Private VLANs Use the Private VLAN Status page to enable/disable the Private VLAN function.
  • Page 186: Configuring Uplink And Downlink Ports

    Use the Private VLAN Link Status page to set ports as downlink or uplink ports. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports.
  • Page 187: Configuring Protocol Vlan Interfaces

    • Protocol Type – The only option for the LLC Other frame type is IPX Raw. The options for all other frame types include IP, ARP, or RARP. Web – Click VLAN, Protocol VLAN, Configuration. Figure 3-82 Protocol VLAN Configuration Configuring Protocol VLAN Interfaces Use the Protocol VLAN Port Configuration menu to set the protocol VLAN settings per port.
  • Page 188: Class Of Service Configuration

    Layer 2 Queue Settings Setting the Default Priority for Interfaces You can specify the default port priority for each interface on the switch. All untagged packets entering the switch are tagged with the specified default port priority, and then sorted into the appropriate priority queue at the output port.
  • Page 189: Mapping Cos Values To Egress Queues

    Console# Mapping CoS Values to Egress Queues This switch processes Class of Service (CoS) priority tagged traffic by using four priority queues for each port, with service schedules based on strict or Weighted Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p.
  • Page 190: Table 3-12 Cos Priority Levels

    The priority levels recommended in the IEEE 802.1p standard for various network applications are shown in the following table. However, you can map the priority levels to the switch’s output queues in any way that benefits application traffic for your own network.
  • Page 191: Enabling Cos

    Web – Click Priority, Traffic Classes Status. Selecting the Queue Mode You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue.
  • Page 192: Setting The Service Weight For Traffic Classes

    Console# Setting the Service Weight for Traffic Classes This switch uses the Weighted Round Robin (WRR) algorithm to determine the frequency at which it services each priority queue. As described in “Mapping CoS Values to Egress Queues” on page 3-145, the traffic classes are mapped to one of the eight egress queues provided for each port.
  • Page 193: Layer 3/4 Priority Settings

    Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values This switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet or the number of the TCP port.
  • Page 194: Mapping Ip Precedence

    Web – Click Priority, IP Precedence/DSCP Priority Status. Select Disabled, IP Precedence or IP DSCP from the scroll-down menu, then click Apply. Figure 3-89 IP Precedence/DSCP Priority Status CLI – The following example enables IP Precedence service on the switch. Console(config)#map ip precedence Console(config)#...
  • Page 195: Figure 3-90 Mapping Ip Precedence Priority Values

    Priority Table, enter a value in the Class of Service Value field, and then click Apply. Figure 3-90 Mapping IP Precedence Priority Values CLI – The following example globally enables IP Precedence service on the switch, maps IP Precedence value 1 to CoS value 0 (on port 1), and then displays the IP Precedence settings.
  • Page 196: Mapping Dscp Priority

    Mapping DSCP Priority The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP retains backward compatibility with the three precedence bits so that non-DSCP compliant devices will not conflict with the DSCP mapping. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding.
  • Page 197: Mapping Ip Port Priority

    CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings. Console(config)#map ip dscp Console(config)#interface ethernet 1/1 Console(config-if)#map ip dscp 1 cos 0...
  • Page 198: Quality Of Service

    IP Port Number box and the new CoS value in the Class of Service box, and then click Apply. CLI* – The following example globally enables IP Port Priority service on the switch, maps HTTP traffic on port 5 to CoS value 0, and then displays all the IP Port Priority settings for that port.
  • Page 199: Configuring Quality Of Service Parameters

    All switches or routers that access the Internet rely on class information to provide the same forwarding treatment to packets in the same class. Class information can be assigned by end hosts, or switches or routers along the path. Priority can then be assigned based on a general policy, or a detailed examination of the packet.
  • Page 200 based on an access list, a DSCP or IP Precedence value, or a VLAN, and click the Add button next to the field for the selected traffic criteria. You can specify up to 16 items to match when assigning ingress traffic to a class map.
  • Page 201: Figure 3-94 Configuring Class Maps

    Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class. CLI - This example creates a class map called “rd-class,” and sets it to match packets marked for DSCP service value 3.
  • Page 202: Creating Qos Policies

    Creating QoS Policies This function creates a policy map that can be attached to multiple interfaces. Command Usage • To configure a Policy Map, follow these steps: - Create a Class Map as described on page 3-155.
  • Page 203 Policy Rule Settings - Class Settings - • Class Name – Name of class map. • Action – Shows the service provided to ingress traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified in Match Class Settings on 3-155).
  • Page 204: Figure 3-95 Configuring Policy Maps

    Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy. To configure the policy rule settings click Edit Classes. CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth to 1 Mbps, the burst rate to 1522 bps, and the response to reduce the DSCP value for violating packets to 0.
  • Page 205: Attaching A Policy Map To Ingress Queues

    Attaching a Policy Map to Ingress Queues This function binds a policy map to the ingress queue of a particular interface. Command Usage • You must first define a class map, then define a policy map, and finally bind the service policy to the required interface.
  • Page 206: Multicast Filtering

    It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service. This procedure is called multicast filtering.
  • Page 207: Configuring Igmp Snooping And Query Parameters

    (Default: Enabled) • IGMP Query Count — Sets the maximum number of queries issued for which there has been no response before the switch takes action to drop a client from the multicast group. (Range: 2-10; Default: 2) • IGMP Query Interval — Sets the frequency at which the switch sends IGMP host-query messages.
  • Page 208: Enabling Igmp Immediate Leave

    IGMP group-specific query to the interface. Upon receiving a group-specific IGMPv2 leave message, the switch immediately removes the interface from the Layer 2 forwarding table entry for that multicast group, unless a multicast router was learned on the port.
  • Page 209: Displaying Interfaces Attached To A Multicast Router

    Console# Displaying Interfaces Attached to a Multicast Router Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch.
  • Page 210: Specifying Static Interfaces For A Multicast Router

    IGMP querier. Therefore, if the IGMP querier is a known multicast router/ switch connected over the network to an interface (port or trunk) on your switch, you can manually configure the interface (and a specified VLAN) to join all the current multicast groups supported by the attached router.
  • Page 211: Displaying Port Members Of Multicast Services

    Web – Click IGMP Snooping, Static Multicast Router Port Configuration. Specify the interfaces attached to a multicast router, indicate the VLAN which will forward all the corresponding multicast traffic, and then click Add. After you have finished adding interfaces to the list, click Apply. Figure 3-100 Static Multicast Router Port Configuration CLI –...
  • Page 212: Assigning Ports To Multicast Services

    Web – Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and the IP address for a multicast service from the scroll-down lists. The switch will display all the interfaces that are propagating this multicast service.
  • Page 213: Igmp Filtering And Throttling

    When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the...
  • Page 214: Enabling Igmp Filtering And Throttling

    IGMP filtering and throttling only applies to dynamically learned multicast groups; it does not apply to statically configured groups. Enabling IGMP Filtering and Throttling To implement IGMP filtering and throttling on the switch, you must first enable the feature globally and create IGMP profile numbers. Command Attributes •...
  • Page 215: Configuring Igmp Filtering And Throttling For Interfaces

    When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
  • Page 216: Configuring Igmp Filter Profiles

    Web – Click IGMP Snooping, IGMP Filter/Throttling Port Configuration or IGMP Filter/Throttling Trunk Configuration. Select a profile to assign to an interface, then set the throttling number and action. Click Apply. Figure 3-104 IGMP Filter and Throttling Port Configuration CLI –...
  • Page 217: Figure 3-105 Igmp Profile Configuration

    deny, IGMP join reports are only processed when a multicast group is not in the controlled range. Command Attributes • Profile ID – Selects an existing profile number to configure. After selecting an ID number, click the Query button to display the current configuration. •...
  • Page 218: Multicast Vlan Registration

    CLI – This example configures profile number 19 by setting the access mode to “permit” and then specifying a range of multicast groups that a user can join. The current profile configuration is then displayed. Console(config)#ip igmp profile 19 Console(config-igmp-profile)#permit Console(config-igmp-profile)#range 239.1.1.1...
  • Page 219: Configuring Global Mvr Settings

    Configuring Global MVR Settings The global settings for Multicast VLAN Registration (MVR) include enabling or disabling MVR for the switch, selecting the VLAN that will serve as the sole channel for common multicast streams supported by the service provider, and assigning the multicast group address for each of these services to the MVR VLAN.
  • Page 220: Displaying Mvr Interface Status

    • MVR Status – Shows the MVR status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch. MVR status for receiver ports is “ACTIVE” only if there are subscribers receiving multicast traffic from one of the MVR groups, or a multicast group has been statically assigned to an interface.
  • Page 221: Figure 3-107 Mvr Port Information

    Web – Click MVR, Port or Trunk Information. CLI – This example shows information about interfaces attached to the MVR VLAN. Console#show mvr interface Port Type Status ------- -------- ------------- --------------- eth1/1 SOURCE ACTIVE/UP eth1/2 RECEIVER ACTIVE/UP Console# Figure 3-107 MVR Port Information Immediate Leave Disable Disable...
  • Page 222: Displaying Port Members Of Multicast Groups

    Displaying Port Members of Multicast Groups You can display the multicast groups assigned to the MVR VLAN either through IGMP snooping or static configuration. Field Attributes • Group IP – Multicast groups assigned to the MVR VLAN.
  • Page 223: Configuring Mvr Interface Status

    • Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message. When immediate leave is disabled, the switch follows the standard rules by sending a group-specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
  • Page 224: Assigning Static Multicast Groups To Interfaces

    Web – Click MVR, Port or Trunk Configuration. CLI – This example configures an MVR source port and receiver port, and then enables immediate leave on the receiver port. Console(config)#interface ethernet 1/1 Console(config-if)#mvr type source Console(config-if)#exit Console(config)#interface ethernet 1/2...
  • Page 225: Configuring Domain Name Service

    Configuring General DNS Service Parameters Command Usage • To enable DNS service on this switch, first configure one or more name servers, and then enable domain lookup status. • To append domain names to incomplete host names received from a DNS client (i.e., not formatted with dotted notation), you can specify a default domain name or...
  • Page 226: Figure 3-111 Dns General Configuration

    • When an incomplete host name is received by the DNS service on this switch and a domain name list has been specified, the switch will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
  • Page 227: Configuring Static Dns Host To Address Entries

    CLI - This example sets a default domain name and a domain list. However, remember that if a domain list is specified, the default domain name is not used. Console(config)#ip domain-name sample.com Console(config)#ip domain-list sample.com.uk Console(config)#ip domain-list sample.com.jp Console(config)#ip name-server 192.168.1.55 10.1.0.55 Console(config)#ip domain-lookup Console#show dns Domain Lookup Status:...
  • Page 228: Figure 3-112 Dns Static Host Table

    Web – Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply. CLI - This example maps two addresses to a host name, and then configures an alias host name for the same addresses.
  • Page 229: Displaying The Dns Cache

    Displaying the DNS Cache You can display entries in the DNS cache that have been learned via the designated name servers. Field Attributes • No – The entry number for each resource record. • Flag – The flag is always “4” indicating a cache entry and therefore unreliable. •...
  • Page 230: Dhcp Snooping

    Console# DHCP Snooping DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port.
  • Page 231: Dhcp Snooping Configuration

    DHCP server must be configured as trusted. Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server. Also, when the switch sends out DHCP client packets for itself, no filtering takes place.
  • Page 232: Dhcp Snooping Vlan Configuration

    When the DHCP Snooping Information Option is enabled, clients can be identified by the switch port to which they are connected rather than just their MAC address. DHCP client-server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN.
  • Page 233: Dhcp Snooping Port Configuration

    • DHCP Snooping Information Option Policy – Sets the DHCP snooping information option policy for DHCP client packets that include Option 82 information. • Replace – Overwrites the DHCP client packet information with the switch’s relay information. • Keep – Retains the client’s DHCP information.
  • Page 234: Dhcp Snooping Binding Information

    Web – Click DHCP Snooping, Information Option Configuration. Figure 3-117 DHCP Snooping Port Configuration CLI – This example shows how to enable the DHCP Snooping Trust Status for ports Console(config)#interface ethernet 1/5 Console(config-if)#ip dhcp snooping trust Console(config-if)# DHCP Snooping Binding Information Displays the DHCP snooping binding information.
  • Page 235: Ip Source Guard

    Web – Click DHCP Snooping, DHCP Snooping Binding Information. Figure 3-118 DHCP Snooping Binding Information CLI – This example shows how to display the DHCP Snooping binding table entries Console#show ip dhcp snooping binding MacAddress IpAddress Interface ----------------- --------------- ---------- -------------------- ---- -- 11-22-33-44-55-66 192.168.0.99 Console# IP Source Guard...
  • Page 236: Static Ip Source Guard Binding Configuration

    Command Attributes • Filter Type – Configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. (Default: None) • None – Disables IP source guard filtering on the port.
  • Page 237: Dynamic Ip Source Guard Binding Information

    Command Attributes • Static Binding Table Counts – The total number of static entries in the table. • Port – Switch port number. (Range: 1-26/50) • VLAN ID – ID of a configured VLAN (Range: 1-4094) • MAC Address – A valid unicast MAC address.
  • Page 238: Switch Clustering

    A switch cluster has a “Commander” unit that is used to manage all other “Member” switches in the cluster. The management station can use both the web interface and Telnet to communicate directly with the Commander through its IP address, and the Commander manages Member switches using cluster “internal”...
  • Page 239: Cluster Configuration

    (see 4-240) to connect to the Member switch. Cluster Configuration To create a switch cluster, first be sure that clustering is enabled on the switch (the default is enabled), then set the switch as a Cluster Commander. Set a Cluster IP Pool that does not conflict with the network IP subnet.
  • Page 240: Cluster Member Configuration

    Web – Click Cluster, Configuration. CLI – This example first enables clustering on the switch, sets the switch as the cluster Commander, and then configures the cluster IP pool. Console(config)#cluster Console(config)#cluster commander Console(config)#cluster ip-pool 10.2.3.4 Console(config)# Cluster Member Configuration Adds Candidate switches to the cluster as Members.
  • Page 241: Cluster Member Information

    • Member ID – The ID number of the Member switch. (Range: 1-16) • Role – Indicates the current status of the switch in the cluster. • IP Address – The internal cluster IP address assigned to the Member switch. • MAC Address – The MAC address of the Member switch.
  • Page 242: Cluster Candidate Information

    Command Attributes • Role – Indicates the current status of Candidate switches in the network. • MAC Address – The MAC address of the Candidate switch. • Description – The system description string of the Candidate switch. Web – Click Cluster, Candidate Information.
  • Page 243: Chapter 4: Command Line Interface

    Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very similar to entering commands on a UNIX system.
  • Page 244: Telnet Connection

    The IP address for this switch is obtained via DHCP by default. To access the switch through a Telnet session, you must first set the IP address for the Master unit, and set the default gateway if you are managing the switch from a different IP subnet.
  • Page 245: Entering Commands

    Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
  • Page 246: Showing Commands

    Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line or VLAN Database). You can also display a list of valid keywords for a specific command.
  • Page 247: Partial Keyword Lookup

    Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.” Console#show s? snmp sntp...
  • Page 248: Exec Commands

    You must be in Global Configuration mode to access any of the other configuration modes. Exec Commands When you open a new console session on the switch with the user name and password “guest,” the system enters the Normal Exec command mode (or guest mode), displaying the “Console>”...
  • Page 249: Configuration Commands

    Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in non-volatile storage, use the copy running-config startup-config command.
  • Page 250: Command Line Processing

    Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?”...
  • Page 251: Command Groups

    Controls system logs, system passwords, user name, browser management options, and a variety of other system information Flash/File Manages code image or switch configuration files Authentication Configures logon access using local or remote authentication; also configures port security and IEEE 802.1X port access control...
  • Page 252: Line Commands

    The access mode shown in the following tables is indicated by these abbreviations: ACL (Access Control List Configuration) CM (Class Map Configuration) GC (Global Configuration) IC (Interface Configuration) LC (Line Configuration) Line Commands You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port.
  • Page 253: Line

    - Selects local password checking. Authentication is based on the user name specified with the username command. Default Setting login local Command Mode Line Configuration Command Usage • There are three authentication modes provided by the switch itself at login:...
  • Page 254: Password

    - no login selects no authentication. When using this method, the management interface starts in Normal Exec (NE) mode. • This command controls login authentication via the switch itself. To configure user names and passwords for remote authentication servers, you must use the RADIUS or TACACS software installed on those servers.
  • Page 255: Timeout Login Response

    during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords. Example Console(config-line)#password 0 secret Console(config-line)# Related Commands login (4-11) password-thresh (4-14) timeout login response This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default.
  • Page 256: Password-Thresh

    Syntax exec-timeout [seconds] no exec-timeout seconds - Integer that specifies the number of seconds. (Range: 0-65535 seconds; 0: no timeout) Default Setting CLI: No timeout Telnet: 10 minutes Command Mode Line Configuration Command Usage • If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated.
  • Page 257: Silent-Time

    Command Usage • When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time before allowing the next logon attempt. (Use the silent-time command to set this interval.) When this threshold is reached for Telnet, the Telnet logon interface shuts down. •...
  • Page 258: Parity

    Syntax databits {7 | 8} no databits • 7 - Seven data bits per character. • 8 - Eight data bits per character. Default Setting 8 data bits per character Command Mode Line Configuration Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity.
  • Page 259: Speed

    Example To specify no parity, enter this command: Console(config-line)#parity none Console(config-line)# speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting. Syntax speed bps no speed...
  • Page 260: Disconnect

    Example To specify 2 stop bits, enter this command: Console(config-line)#stopbits 2 Console(config-line)# disconnect This command terminates an SSH, Telnet, or console connection. Syntax disconnect session-id session-id – The session identifier for an SSH, Telnet or console connection. (Range: 0-4) Command Mode Privileged Exec Command Usage...
  • Page 261: General Commands

    Example To show all lines, enter this command: Console#show line Console configuration: Password threshold: Interactive timeout: Disabled Login timeout: Disabled Silent time: Baudrate: Databits: Parity: Stopbits: VTY configuration: Password threshold: Interactive timeout: 600 sec Login timeout: 300 sec console# General Commands Command Function enable...
  • Page 262: Disable

    This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See “Understanding Command Modes” on page 4-5.
  • Page 263: Configure

    This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, and VLAN Database Configuration. See “Understanding Command Modes”...
  • Page 264: Reload

    None Command Mode Privileged Exec Command Usage This command resets the entire system. Example This example shows how to reset the switch: Console#reload System will be restarted, continue <y/n>? y This command returns to Privileged Exec mode. Default Setting None...
  • Page 265: Exit

    exit This command returns to the previous configuration mode or exits the configuration program. Default Setting None Command Mode Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session...
  • Page 266: System Management Commands

    Table 4-7 System Management Commands Command Group Function Device Designation Configures information that uniquely identifies this switch User Access Configures the basic user names and passwords for management access IP Filter Configures IP addresses that are allowed management access...
  • Page 267: Hostname

    User Access Commands The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 4-10), user authentication via a remote authentication server (page 4-70), and host access authentication for specific ports (page 4-81).
  • Page 268: Enable Password

    • name - The name of the user. (Maximum length: 8 characters, case sensitive. Maximum users: 16) • access-level level - Specifies the user level. The device has two predefined privilege levels: 0: Normal Exec, 15: Privileged Exec. •...
  • Page 269: Ip Filter Commands

    Displays the switch to be monitored or configured from a browser management This command specifies the client IP addresses that are allowed management access to the switch through various protocols. Use the no form to restore the default setting. Syntax [no] management {all-client | http-client | snmp-client | telnet-client} start-address [end-address] •...
  • Page 270: Show Management

    Global Configuration Command Usage • If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
  • Page 271: Web Server Commands

    Specifies the port to be used by the web browser interface ip http server Allows the switch to be monitored or configured from a browser GC ip http secure-server Enables HTTPS for encrypted communications ip http secure-port...
  • Page 272: Ip Http Server

    This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the no form to disable this function. Syntax [no] ip http secure-server...
  • Page 273: Ip Http Secure-Port

    (4-64) ip http secure-port This command specifies the UDP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port. Syntax ip http secure-port port_number no ip http secure-port port_number –...
  • Page 274: Telnet Server Commands

    Specifies the port to be used by the Telnet interface ip telnet server Allows the switch to be monitored or configured from Telnet ip telnet port This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port.
  • Page 275: Ip Telnet Server

    Telnet. When a client contacts the switch via the SSH protocol, the switch uses a public-key that the client must match along with a local user name and password for access authentication.
  • Page 276 4-71. If public key authentication is specified by the client, then you must configure authentication keys on both the client and the switch as described in the following section. Note that regardless of whether you use public key or password authentication, you still have to generate authentication keys on the switch and enable the SSH server.
  • Page 277: Ip Ssh Server

    Configure Challenge-Response Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can gain access.
  • Page 278: Ip Ssh Timeout

    Global Configuration Command Usage The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase. Once an SSH session has been established, the timeout for user input is controlled by the exec-timeout command for vty sessions.
  • Page 279: Ip Ssh Authentication-Retries

    Command Mode Global Configuration Command Usage • The server key is a private key that is never shared outside the switch. • The host key is shared with the SSH client, and is fixed at 1024 bits. Example Console(config)#ip ssh server-key size 512...
  • Page 280: Delete Public-Key

    Command Line Interface delete public-key This command deletes the specified user’s public key. Syntax delete public-key username [dsa | rsa] • username – Name of an SSH user. (Range: 1-8 characters) • dsa – DSA public key type. • rsa – RSA public key type. Default Setting Deletes both the DSA and RSA key.
  • Page 281: Ip Ssh Crypto Zeroize

    Related Commands ip ssh crypto zeroize (4-39) ip ssh save host-key (4-39) ip ssh crypto zeroize This command clears the host key from memory (i.e. RAM). Syntax ip ssh crypto zeroize [dsa | rsa] • dsa – DSA key type. •...
  • Page 282: Show Ip Ssh

    Command Line Interface Example Console#ip ssh save host-key dsa Console# Related Commands ip ssh crypto host-key generate (4-38) show ip ssh This command displays the connection settings used when authenticating client access to the SSH server. Command Mode Privileged Exec Example Console#show ip ssh SSH Enabled - version 1.99...
  • Page 283: Show Public-Key

    Table 4-16 show ssh - display description (Continued) Field Description Encryption The encryption method is automatically negotiated between the client and server. Options for SSHv1.5 include: DES, 3DES Options for SSHv2.0 can include different algorithms for the client-to-server (ctos) and server-to-client (stoc): aes128-cbc-hmac-sha1 aes192-cbc-hmac-sha1 aes256-cbc-hmac-sha1...
  • Page 284 Command Line Interface Example Console#show public-key host Host: RSA: DSA: Console# 4-42...
  • Page 285: Event Logging Commands

    Displays the state of logging show log Displays log messages logging on This command controls logging of error messages, sending debug or error messages to switch memory. The no form disables the logging process. Syntax [no] logging on Default Setting None...
  • Page 286: Logging History

    Command Line Interface logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax logging history {flash | ram} level no logging history {flash | ram} •...
  • Page 287: Logging Host

    The command specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to sort messages or to store messages in the corresponding database.
  • Page 288: Logging Trap

    Command Line Interface logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
  • Page 289: Show Logging

    (4-47) show logging This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. Syntax show logging {flash | ram | sendmail | trap} • flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
  • Page 290: Show Log

    Command Line Interface The following example displays settings for the trap function. Console#show logging trap Syslog logging: Enable REMOTELOG status: disable REMOTELOG facility type: local use 7 REMOTELOG level type: Debugging messages REMOTELOG server IP address: 1.2.3.4 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0 REMOTELOG server IP address: 0.0.0.0...
  • Page 291: Smtp Alert Commands

    Example The following example shows sample messages stored in RAM. Console#show log ram [5] 00:01:06 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and event no.: 1 [4] 00:01:00 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and event no.: 1 [3] 00:00:54 2001-01-01 "STA root change notification."...
  • Page 292: Logging Sendmail Level

    If it fails to send mail, the switch selects the next server in the list and tries to send mail again. If it still fails, the system will repeat the process at a periodic interval.
  • Page 293: Logging Sendmail Source-Email

    None Command Mode Global Configuration Command Usage You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch. Example This example will set the source email john@acme.com. Console(config)#logging sendmail source-email john@acme.com...
  • Page 294: Logging Sendmail

    Command Line Interface logging sendmail This command enables SMTP event handling. Use the no form to disable this function. Syntax [no] logging sendmail Default Setting Enabled Command Mode Global Configuration Example Console(config)#logging sendmail Console(config)# show logging sendmail This command displays the settings for the SMTP event handler. Command Mode Normal Exec, Privileged Exec Example...
  • Page 295: Time Commands

    (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup. Command...
  • Page 296: Sntp Server

    Global Configuration Command Usage This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode. The client will poll the time servers in the order specified until a response is received. It issues time synchronization requests based on the interval set via the sntp poll command.
  • Page 297: Sntp Poll

    This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default. Syntax sntp poll seconds no sntp poll seconds - Interval between time requests. (Range: 16-16384 seconds)
  • Page 298: Clock Timezone

    (4-55) calendar set This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server. Syntax calendar set hour min sec {day month year | month day year} •...
  • Page 299: Show Calendar

    Default Setting None Command Mode Privileged Exec Example This example shows how to set the system clock to 15:12:34, April 1st, 2004. Console#calendar set 15 12 34 1 April 2004 Console# show calendar This command displays the system clock. Default Setting None Command Mode Normal Exec, Privileged Exec...
  • Page 300 - Users (names and access levels) - VLAN database (VLAN ID, name and state) - VLAN configuration settings for each interface - IP address configured for the switch - Spanning tree settings - Any configured settings for the console port and Telnet...
  • Page 301: Show Running-Config

    “!” symbols, and includes the configuration mode command, and corresponding commands. This command displays the following information: - MAC address for each switch in the stack - SNTP server settings - Local time zone - SNMP community strings...
  • Page 302 Command Line Interface Example Console#show running-config building startup-config, please wait... phymap 00-12-cf-ce-2a-20 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 SNTP server 0.0.0.0 0.0.0.0 0.0.0.0 clock timezone hours 0 minute 0 after-UTC SNMP-server community private rw SNMP-server community public ro username admin access-level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access-level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4...
  • Page 303: Show System

    • The POST results should all display “PASS.” If any POST test indicates “FAIL,” contact your distributor for assistance. Example Console#show system System Description: TigerSwitch 10/100/1000 26/50 PORT MANAGED SWITCH System OID String: 1.3.6.1.4.1.202.20.68 System Information System Up Time: System Name:...
  • Page 304: Show Version

    This command displays hardware and software version information for the system. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage See “Displaying Switch Hardware/Software Versions” on page 3-11 for detailed information on the items displayed by this command.
  • Page 305: Frame Size Commands

    Command Mode Global Configuration Command Usage • This switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 9216 bytes. Compared to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet overhead required to process protocol encapsulation fields.
  • Page 306: Flash/File Commands

    This command moves (upload/download) a code image or configuration file between the switch’s flash memory and a TFTP server. When you save the system code or configuration settings to a file on a TFTP server, that file can later be downloaded to the switch to restore system operation.
  • Page 307 • To replace the startup configuration, you must use startup-config as the destination. • Use the copy file unit command to copy a local file to another switch in the stack. Use the copy unit file command to copy a file from another switch in the stack.
  • Page 308 \Write to FLASH finish. Success. Console# This example shows how to copy a secure-site certificate from a TFTP server. It then reboots the switch to activate the certificate: Console#copy tftp https-certificate TFTP server ip address: 10.1.0.19 Source certificate file name: SS-certificate...
  • Page 309: Delete

    This example shows how to copy a public-key used by SSH from a TFTP server. Note that public key authentication via SSH is only supported for users configured locally on the switch: Console#copy tftp public-key TFTP server IP address: 192.168.1.19 Choose public key type: 1.
  • Page 310: Dir

    The type of file or image to display includes: • boot-rom - Boot ROM (or diagnostic) image file. • config - Switch configuration file. • opcode - Run-time operation code image file. • filename - Name of the configuration file or code image.
  • Page 311: Whichboot

    whichboot This command displays which files were booted when the system powered up. Syntax whichboot [unit] unit - Stack unit. (Always unit 1) Default Setting None Command Mode Privileged Exec Example This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
  • Page 312: Authentication Commands

    (4-68) whichboot (4-69) Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or RADIUS authentication methods. You can also enable port-based authentication for network client access using IEEE 802.1X.
  • Page 313: Authentication Login

    authentication login This command defines the login authentication method and precedence. Use the no form to restore the default. Syntax authentication login {[local] [radius] [tacacs]} no authentication login • local - Use local password. • radius - Use RADIUS server password. •...
  • Page 314: Authentication Enable

    Command Line Interface authentication enable This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-19). Use the no form to restore the default. Syntax authentication enable {[local] [radius] [tacacs]} no authentication enable...
  • Page 315: Radius Client

    RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch. Table 4-29 RADIUS Client Commands Command...
  • Page 316: Radius-Server Host

    • port_number - RADIUS server UDP port used for authentication messages. (Range: 1-65535) • timeout - Number of seconds the switch waits for a reply before resending a request. (Range: 1-65535) • retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server.
  • Page 317: Radius-Server Key

    This command sets the number of retries. Use the no form to restore the default. Syntax radius-server retransmit number_of_retries no radius-server retransmit number_of_retries - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1-30) Default Setting Command Mode...
  • Page 318: Radius-Server Timeout

    RADIUS server. Use the no form to restore the default. Syntax radius-server timeout number_of_seconds no radius-server timeout number_of_seconds - Number of seconds the switch waits for a reply before resending a request. (Range: 1-65535) Default Setting Command Mode Global Configuration...
  • Page 319: Tacacs+ Client

    TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch. Command Function...
  • Page 320: Tacacs-Server Key

    Command Line Interface Command Mode Global Configuration Example Console(config)#tacacs-server port 181 Console(config)# tacacs-server key This command sets the TACACS+ encryption key. Use the no form to restore the default. Syntax tacacs-server key key_string no tacacs-server key key_string - Encryption key used to authenticate logon access for the client.
  • Page 321: Port Security Commands

    MAC address that is unknown or has been previously learned from another port. If a device with an unauthorized MAC address attempts to use the switch port, the intrusion will be detected and the switch can automatically take action by disabling the port and sending a trap message.
  • Page 322 Command Line Interface Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
  • Page 323: 802.1X Port Authentication

    EAP packet show dot1x Shows all dot1x related information dot1x system-auth-control This command enables 802.1X port authentication globally on the switch. Use the no form to restore the default. Syntax [no] dot1x system-auth-control Default Setting...
  • Page 324: Dot1X Default

    Console(config)#dot1x default Console(config)# dot1x max-req This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default.
  • Page 325: Dot1X Operation-Mode

    Default force-authorized Command Mode Interface Configuration Example Console(config)#interface eth 1/2 Console(config-if)#dot1x port-control auto Console(config-if)# dot1x operation-mode This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host.
  • Page 326: Dot1X Re-Authenticate

    Console(config-if)#dot1x re-authentication Console(config-if)# dot1x timeout quiet-period This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. Use the no form to reset the default. Syntax...
  • Page 327: Dot1X Timeout Re-Authperiod

    Console(config-if)#dot1x timeout re-authperiod 300 Console(config-if)# dot1x timeout tx-period This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value. Syntax...
  • Page 328: Show Dot1X

    Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout tx-period 300 Console(config-if)# show dot1x This command shows general port authentication related settings on the switch or a specific interface. Syntax show dot1x [statistics] [interface interface] • statistics - Displays dot1x status for each port.
  • Page 329 • 802.1X Port Details – Displays the port access control parameters for each interface, including the following items: - reauth-enabled - reauth-period - quiet-period - tx-period - supplicant-timeout - server-timeout - reauth-max - max-req - Status - Operation Mode - Max Count - Port-control - Supplicant - Current Identifier...
  • Page 330 Command Line Interface Example Console#show dot1x Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status disabled enabled 1/26 disabled 802.1X Port Details 802.1X is disabled on port 1/1 802.1X is enabled on port 1/2 reauth-enabled: Enable reauth-period: 1800 quiet-period: tx-period: supplicant-timeout:...
  • Page 331: Access Control List Commands

    • However, due to resource restrictions, the average number of rules bound to the ports should not exceed 20. • This switch supports ACLs for ingress filtering only. You can only bind one IP ACL to any port for ingress filtering. In other words, only one ACL can be bound to an interface - Ingress IP ACL.
  • Page 332: Ip Acls

    Command Line Interface IP ACLs Command Function access-list ip Creates an IP ACL and enters configuration mode permit, deny Filters packets matching a specified source IP address permit, deny Filters packets meeting the specified criteria, including source and destination IP address, TCP/UDP port number, and protocol type show ip access-list Displays the rules for configured IP ACLs...
  • Page 333: Permit, Deny (Standard Acl)

    Related Commands permit, deny 4-91 ip access-group (4-93) show ip access-list (4-93) permit, deny (Standard ACL) This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | source bitmask | host source} •...
  • Page 334 Command Line Interface Syntax [no] {permit | deny} [protocol-number | udp] {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [source-port sport [end]] [destination-port dport [end]] [no] {permit | deny} tcp {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [source-port sport [end]] [destination-port dport [end]] •...
  • Page 335: Show Ip Access-List

    This allows TCP packets from class C addresses 192.168.1.0 to any destination address when set for destination TCP port 80 (i.e., HTTP). Console(config-ext-acl)#permit 192.168.1.0 255.255.255.0 any destination-port 80 Console(config-ext-acl)# Related Commands access-list ip (4-90) show ip access-list This command displays the rules for configured IP ACLs. Syntax show ip access-list {standard | extended} [acl_name] •...
  • Page 336: Show Ip Access-Group

    • If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one. • You must configure a mask for an ACL rule before you can bind it to a port.
  • Page 337: Mac Acls

    MAC ACLs The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports. Command Function...
  • Page 338: Permit, Deny (Mac Acl)

    Command Line Interface permit, deny (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | host source | source address-bitmask}...
  • Page 339: Show Mac Access-List

    Default Setting None Command Mode MAC ACL Command Usage • New rules are added to the end of the list. • The ethertype option can only be used to filter Ethernet II formatted packets. • A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include the following: - 0800 - IP - 0806 - ARP...
  • Page 340: Mac Access-Group

    • A port can only be bound to one ACL. • If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one. Example...
  • Page 341: Acl Information

    ACL Information Command Function show access-list Show all ACLs and associated rules show access-group Shows the ACLs assigned to each port show access-list This command shows all ACLs and associated rules, as well as all the user-defined masks. Command Mode Privileged Exec Command Usage Once the ACL is bound to an interface (i.e., the ACL is active), the order in...
  • Page 342: Snmp Commands

    Command Line Interface SNMP Commands Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
  • Page 343: Snmp-Server

    snmp-server This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server. Syntax [no] snmp-server Default Setting Enabled Command Mode Global Configuration Example Console(config)#snmp-server Console(config)# show snmp This command can be used to check the status of SNMP communications.
  • Page 344: Snmp-Server Community

    Command Line Interface Example Console#show snmp SNMP Agent: enabled SNMP traps: Authentication: enable Link-up-down: enable SNMP communities: 1. private, and the privilege is read-write 2. public, and the privilege is read-only 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors...
  • Page 345: Snmp-Server Contact

    • private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects. Command Mode Global Configuration Example Console(config)#snmp-server community alpha rw Console(config)# snmp-server contact This command sets the system contact string. Use the no form to remove the system contact information.
  • Page 346: Snmp-Server Host

    Command Line Interface Command Mode Global Configuration Example Console(config)#snmp-server location WC-19 Console(config)# Related Commands snmp-server contact (4-103) snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]}...
  • Page 347 6. Specify a remote engine ID where the user resides (page 4-107). 7. Then configure a remote user (page 4-113). • The switch can send SNMP Version 1, 2c or 3 notifications to a host IP address, depending on the SNMP version that the management station...
  • Page 348: Snmp-Server Enable Traps

    Otherwise, the authentication password and/or privacy password will not exist, and the switch will not authorize SNMP access for the host. However, if you specify a V3 host with the “noauth” option, an SNMP user account will be generated, and the switch will authorize SNMP access for the host.
  • Page 349: Snmp-Server Engine-Id

    • ip-address - The Internet address of the remote device. • engineid-string - String identifying the engine ID. (Range: 9-64 hexadecimal characters) Default Setting A unique engine ID is automatically generated by the switch based on its MAC address. Command Mode Global Configuration Command Usage •...
  • Page 350: Show Snmp Engine-Id

    For example, entering the value “123456789” results in an engine ID of “1234567890.” • A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all SNMP users will be cleared.
  • Page 351: Snmp-Server View

    snmp-server view This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view. Syntax snmp-server view view-name oid-tree {included | excluded} no snmp-server view view-name • view-name - Name of an SNMP view. (Range: 1-64 characters) •...
  • Page 352: Show Snmp View

    Command Line Interface show snmp view This command shows information on the SNMP views. Command Mode Privileged Exec Example Console#show snmp view View Name: mib-2 Subtree OID: 1.2.2.3.6.2.1 View Type: included Storage Type: permanent Row Status: active View Name: defaultview Subtree OID: 1 View Type: included Storage Type: volatile...
  • Page 353 • When privacy is selected, the DES 56-bit algorithm is used for data encryption. • For additional information on the notification messages supported by this switch, see “Supported Notification Messages” on page 5-13. Also, note that the authentication, link-up and link-down messages are legacy traps and must therefore be enabled in conjunction with the snmp-server enable traps command (page 4-106).
  • Page 354: Show Snmp Group

    Command Line Interface show snmp group Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access. Command Mode Privileged Exec Example Console#show snmp group Group Name: r&d Security Model: v3 Read View: defaultview Write View: daily Notify View: none Storage Type: permanent...
  • Page 355: Snmp-Server User

    Table 4-40 show snmp group - display description Field Description groupname Name of an SNMP group. security model The SNMP version. readview The associated read view. writeview The associated write view. notifyview The associated notify view. storage-type The storage type for this entry. Row Status The row status of this entry.
  • Page 356 Command Line Interface Default Setting None Command Mode Global Configuration Command Usage • The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command. •...
  • Page 357: Show Snmp User

    show snmp user This command shows information on SNMP users. Command Mode Privileged Exec Example Console#show snmp user EngineId: 800000ca030030f1df9ca00000 User Name: steve Authentication Protocol: md5 Privacy Protocol: des56 Storage Type: nonvolatile Row Status: active SNMP remote user EngineId: 80000000030004e2b316c54321 User Name: mark Authentication Protocol: mdt Privacy Protocol: des56...
  • Page 358: Interface Commands

    Command Line Interface Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN. Command Function interface Configures an interface type and enters interface configuration mode description Adds a description to an interface configuration speed-duplex Configures the speed and duplex operation of a given interface when autonegotiation is disabled...
  • Page 359: Description

    Command Mode Global Configuration Example To specify port 24, enter the following command: Console(config)#interface ethernet 1/24 Console(config-if)# description This command adds a description to an interface. Use the no form to remove the description. Syntax description string no description string - Comment or a description to help you remember what is attached to this interface.
  • Page 360: Negotiation

    Interface Configuration (Ethernet, Port Channel) Command Usage • When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
  • Page 361: Capabilities

    • symmetric (Gigabit only) - When specified, the port transmits and receives pause frames; when not specified, the port will auto-negotiate to determine the sender and receiver for asymmetric pause frames. (The current switch ASIC only supports symmetric pause frames.) Default Setting •...
  • Page 362: Flowcontrol

    Command Usage • Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill. When enabled, back pressure is used for half-duplex operation and IEEE 802.3x for full-duplex operation.
  • Page 363: Shutdown

    Example The following example enables flow control on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#flowcontrol Console(config-if)#no negotiation Console(config-if)# Related Commands negotiation (4-118) capabilities (flowcontrol, symmetric) (4-119) shutdown This command disables an interface. To restart a disabled interface, use the no form. Syntax [no] shutdown Default Setting...
  • Page 364: Switchport Broadcast Packet-Rate

    • This command can enable or disable broadcast storm control for the selected interface. However, the specified threshold value applies to all ports on the switch. Example The following shows how to configure broadcast storm control at 500 packets per...
  • Page 365: Show Interfaces Status

    Command Mode Privileged Exec Command Usage Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset.
  • Page 366: Show Interfaces Counters

    Command Line Interface Example Console#show interfaces status ethernet 1/5 Information of Eth 1/5 Basic information: Port type: Mac address: Configuration: Name: Port admin: Speed-duplex: Capabilities: Broadcast storm: Broadcast storm limit: Flow control: Lacp: Port security: Max MAC count: Port security action: Current status: Link status: Port operation status:...
  • Page 367: Show Interfaces Switchport

    Example Console#show interfaces counters ethernet 1/7 Ethernet 1/7 Iftable stats: Octets input: 30658, Octets output: 196550 Unicast input: 6, Unicast output: 5 Discard input: 0, Discard output: 0 Error input: 0, Error output: 0 Unknown protos input: 0, QLen output: 0 Extended iftable stats: Multi-cast input: 0, Multi-cast output: 3064 Broadcast input: 262, Broadcast output: 1...
  • Page 368 Example This example shows the configuration setting for port 24. Console#show interfaces switchport ethernet 1/24 Broadcast threshold: LACP status: Ingress Rate Limit: Egress Rate Limit: VLAN membership mode: Ingress rule: Acceptable frame type: Native VLAN: Priority for untagged traffic: 0 Gvrp status: Allowed Vlan: Forbidden Vlan:...
  • Page 369: Mirror Port Commands

    Mirror Port Commands This section describes how to mirror traffic from a source port to a target port. Command Function port monitor Configures a mirror session show port monitor Shows the configuration for a mirror port port monitor This command configures a mirror session. Use the no form to clear a mirror session.
  • Page 370: Show Port Monitor

    Example The following example configures the switch to mirror received packets from port 6 to 11: Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1/6 rx Console(config-if)# show port monitor This command displays mirror information. Syntax show port monitor [interface] interface - ethernet unit/port (source port) •...
  • Page 371: Rate Limit Commands

    Rate Limit Commands This function allows the network manager to control the maximum rate for traffic received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.
  • Page 372: Link Aggregation Commands

    Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP. This switch supports up to 32 trunks. For example, a trunk consisting of two 1000 Mbps ports can support an aggregate bandwidth of 4 Gbps when operating at full duplex.
  • Page 373: Channel-Group

    • When configuring static trunks, the switches must comply with the Cisco EtherChannel standard. • Use no channel-group to remove a port group from a trunk. • Use no interfaces port-channel to remove a trunk from the switch. ...
  • Page 374: Lacp

    • A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID. • If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically. • If more than eight ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails.
  • Page 375: Lacp System-Priority

    Example The following shows LACP enabled on ports 11-13. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk 1 has been established. Console(config)#interface ethernet 1/11 Console(config-if)#lacp Console(config-if)#exit Console(config)#interface ethernet 1/12...
  • Page 376: Lacp Admin-Key (Ethernet Interface)

    • Ports must be configured with the same system priority to join the same LAG. • System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
  • Page 377: Lacp Admin-Key (Port Channel)

    {actor | partner} admin-key key [no] lacp {actor | partner} admin-key key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch. (Range: 0-65535) Default Setting...
  • Page 378: Lacp Port-Priority

    lacp port-priority This command configures LACP port priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority • actor - The local side of an aggregate link. •...
  • Page 379: Table 4-47 Show Lacp Counters - Display Description

    Default Setting Port Channel: all Command Mode Privileged Exec Example Console#show lacp 1 counters Port channel : 1 ------------------------------------------------------------------------- Eth 1/ 1 ------------------------------------------------------------------------- LACPDUs Sent : 21 LACPDUs Received : 21 Marker Sent : 0 Marker Received : 0 LACPDUs Unknown Pkts : 0 LACPDUs Illegal Pkts : 0 Table 4-47 Field...
  • Page 380: Table 4-48 Show Lacp Internal - Display Description

    Table 4-48 Field Description Oper Key Current operational value of the key for the aggregation port. Admin Key Current administrative value of the key for the aggregation port. LACPDUs Internal Number of seconds before invalidating received LACPDU information. LACP System Priority LACP system priority assigned to this port channel.
  • Page 381 Console# Table 4-50 Field Description Channel group A link aggregation group configured on this switch. LACP system priority for this channel group. System Priority System MAC address. System MAC Address * The LACP system priority and system MAC address are concatenated to form the LAG system ID.
  • Page 382: Address Table Commands

    • port-channel channel-id (Range: 1-32) • vlan-id - VLAN ID (Range: 1-4094) • action - - delete-on-reset - Assignment lasts until the switch is reset. - permanent - Assignment is permanent. Default Setting No static addresses are defined. The default mode is permanent.
  • Page 383: Clear Mac-Address-Table Dynamic

    Command Usage The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table. Static addresses have the following characteristics: • Static addresses will not be removed from the address table when a given interface link is down.
  • Page 384: Mac-Address-Table Aging-Time

    • sort - Sort by address, vlan or interface. Default Setting None Command Mode Privileged Exec Command Usage • The MAC Address Table contains the MAC addresses associated with each interface. Note that the Type field may include the following types: - Learned - Dynamic address entries - Permanent - Static entry - Delete-on-reset - Static entry to be deleted when system is reset...
  • Page 385: Show Mac-Address-Table Aging-Time

    Example Console(config)#mac-address-table aging-time 100 Console(config)# show mac-address-table aging-time This command shows the aging time for entries in the address table. Default Setting None Command Mode Privileged Exec Example Console#show mac-address-table aging-time Aging time: 100 sec. Console# ...
  • Page 386: Spanning Tree Commands

    Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 4-52 Spanning Tree Commands Command Function spanning-tree Enables the spanning tree protocol...
  • Page 387: Spanning-Tree

    This example shows how to enable the Spanning Tree Algorithm for the switch: Console(config)#spanning-tree Console(config)# spanning-tree mode This command selects the spanning tree mode for this switch. Use the no form to restore the default. Note: MSTP is not supported in the current software.
  • Page 388: Spanning-Tree Forward-Time

    RSTP node transmits, as described below: - STP Mode – If the switch receives an 802.1D BPDU after a port’s migration delay timer expires, the switch assumes it is connected to an 802.1D bridge and starts using only 802.1D BPDUs.
  • Page 389: Spanning-Tree Hello-Time

    Example Console(config)#spanning-tree forward-time 20 Console(config)# spanning-tree hello-time This command configures the spanning tree bridge hello time globally for this switch. Use the no form to restore the default. Syntax spanning-tree hello-time time no spanning-tree hello-time time - Time in seconds.
  • Page 390: Spanning-Tree Max-Age

    Console(config)# Related Commands spanning-tree forward-time (4-146) spanning-tree hello-time (4-147) spanning-tree priority This command configures the spanning tree priority globally for this switch. Use the no form to restore the default. Syntax spanning-tree priority priority no spanning-tree priority priority - Priority of the bridge. (Range: 0 - 65535) (Range –...
  • Page 391: Spanning-Tree Pathcost Method

    Default Setting 32768 Command Mode Global Configuration Command Usage Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lower numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
  • Page 392: Spanning-Tree Transmission-Limit

    This command changes to Multiple Spanning Tree (MST) configuration mode. Default Setting • No VLANs are mapped to any MST instance. • The region name is set to the switch’s MAC address. Command Mode Global Configuration Example Console(config)#spanning-tree mst-configuration...
  • Page 393: Mst Vlan

    • By default all VLANs are assigned to the Internal Spanning Tree (MSTI 0) that connects all bridges and LANs within the MST region. This switch supports up to 58 instances. You should try to group VLANs which cover the same general area of your network.
  • Page 394: Name

    MAC address will then become the root device. • You can set this switch to act as the MSTI root device by specifying a priority of 0, or as the MSTI alternate device by specifying a priority of 16384.
  • Page 395: Revision

    The MST region name (page 4-152) and revision number are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
  • Page 396: Spanning-Tree Spanning-Disabled

    specify the maximum number of bridges that will propagate a BPDU. Each bridge decrements the hop count by one before passing on the BPDU. When the hop count reaches zero, the message is dropped. Example Console(config-mstp)#max-hops 30 Console(config-mstp)# spanning-tree spanning-disabled This command disables the spanning tree algorithm for the specified interface.
  • Page 397: Spanning-Tree Port-Priority

    • This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
  • Page 398: Spanning-Tree Edge-Port

    Related Commands spanning-tree cost (4-154) spanning-tree edge-port This command specifies an interface as an edge port. Use the no form to restore the default. Syntax [no] spanning-tree edge-port Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
  • Page 399: Spanning-Tree Link-Type

    • When automatic detection is selected, the switch derives the link type from the duplex mode. A full-duplex interface is considered a point-to-point link, while a half-duplex interface is assumed to be on a shared link.
  • Page 400: Spanning-Tree Mst Cost

    • RSTP only works on point-to-point links between two bridges. If you designate a port as a shared link, RSTP is forbidden. Since MSTP is an extension of RSTP, this same restriction applies. Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree link-type point-to-point spanning-tree mst cost This command configures the path cost on a spanning instance in the Multiple...
  • Page 401: Spanning-Tree Mst Port-Priority

    • This command defines the priority for the use of an interface in the multiple spanning-tree. If the path cost for all interfaces on a switch is the same, the interface with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
  • Page 402: Spanning-Tree Protocol-Migration

    Command Mode Privileged Exec Command Usage If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the spanning-tree protocol-migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e.,...
  • Page 403: Table 4-53 Vlans

    Command Usage • Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree. • Use the show spanning-tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree (CST).
  • Page 404: Show Spanning-Tree Mst Configuration

    --------------------------------------------------------------- 1/ 1 information --------------------------------------------------------------- Admin status: Role: State: External admin path cost: 10000 Internal admin cost: External oper path cost: Internal oper path cost: Priority: Designated cost: Designated port: Designated root: Designated bridge: Fast forwarding: Forward transitions: Admin edge port: Oper edge port: Admin Link type:...
  • Page 405: Vlan Commands

    VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
  • Page 406: Bridge-Ext Gvrp

    bridge-ext gvrp This command enables GVRP globally for the switch. Use the no form to disable it. Syntax [no] bridge-ext gvrp Default Setting Disabled Command Mode Global Configuration Command Usage GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network.
  • Page 407: Switchport Gvrp

    switchport gvrp This command enables GVRP for a port. Use the no form to disable it. Syntax [no] switchport gvrp Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Example Console(config)#interface ethernet 1/6 Console(config-if)#switchport gvrp Console(config-if)# show gvrp configuration This command shows if GVRP is enabled.
  • Page 408: Garp Timer

    garp timer This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. Syntax garp timer {join | leave | leaveall} timer_value no garp timer {join | leave | leaveall} •...
  • Page 409: Editing Vlan Groups

    Syntax show garp timer [interface] interface • ethernet unit/port - unit - Stack unit. (Always unit 1) - port - Port number. (Range: 1-26/50) • port-channel channel-id (Range: 1-32) Default Setting Shows all GARP timers. Command Mode Normal Exec, Privileged Exec Example Console#show garp timer ethernet 1/1 Eth 1/ 1 GARP timer status:...
  • Page 410: Vlan

    • no vlan vlan-id deletes the VLAN. • no vlan vlan-id name removes the VLAN name. • no vlan vlan-id state returns the VLAN to the default state (i.e., active). • You can configure up to 255 VLANs on the switch. ...
  • Page 411: Configuring Vlan Interfaces

    Example The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default. Console(config)#vlan database Console(config-vlan)#vlan 105 name RD5 media ethernet Console(config-vlan)# Related Commands show vlan (4-175) Configuring VLAN Interfaces Table 4-56 Command Function interface vlan Enters interface configuration mode for a specified VLAN...
  • Page 412: Switchport Mode

    Example The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN: Console(config)#interface vlan 1 Console(config-if)#ip address 192.168.1.254 255.255.255.0 Console(config-if)# Related Commands shutdown (4-121) switchport mode This command configures the VLAN membership mode for a port.
  • Page 413: Switchport Acceptable-Frame-Types

    This command enables ingress filtering for an interface. Note: Although the ingress filtering command is available, the switch has ingress filtering permanently set to enable. Therefore, trying to disable the filtering with the no switchport ingress-filtering command will produce this error message: “Note: Failed to ingress-filtering on ethernet interface !”...
  • Page 414: Switchport Native Vlan

    Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • Ingress filtering only affects tagged frames. • With ingress filtering enabled, a port will discard received frames tagged for VLANs for which it is not a member. •...
  • Page 415: Switchport Allowed Vlan

    VLAN groups as a tagged member. • Frames are always tagged within the switch. The tagged/untagged parameter used when adding a VLAN to an interface tells the switch whether to keep or remove the tag from a frame on egress.
  • Page 416: Switchport Forbidden Vlan

    Example The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1: Console(config)#interface ethernet 1/1 Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged Console(config-if)# switchport forbidden vlan This command configures forbidden VLANs.
  • Page 417: Displaying Vlan Information

    Displaying VLAN Information Table 4-57 Command Function show vlan Shows VLAN information show interfaces status vlan Displays status for the specified VLAN interface show interfaces switchport Displays the administrative and operational status of an interface show vlan This command shows VLAN information. Syntax show vlan [id vlan-id | name vlan-name | private-vlan private-vlan-type] •...
  • Page 418: Configuring Ieee 802.1Q Tunneling

    Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (switchport allowed vlan, page 4-173). dot1q-tunnel system-tunnel-control This command sets the switch to operate in QinQ mode. Use the no form to disable QinQ operating mode. Syntax...
  • Page 419: Switchport Dot1Q-Tunnel Mode

    Default Setting Disabled Command Mode Global Configuration Command Usage QinQ tunnel mode must be enabled on the switch for QinQ interface settings to be functional. Example Console(config)#dot1q-tunnel system-tunnel-control Console(config)# Related Commands show dot1q-tunnel (4-178) show interfaces switchport (4-125) switchport dot1q-tunnel mode This command configures an interface as a QinQ tunnel port.
  • Page 420: Switchport Dot1Q-Tunnel Tpid

    VLAN of that port. • All ports on the switch will be set to the same ethertype. Example Console(config)#interface ethernet 1/1...
  • Page 421: Configuring Private Vlans

    Example Console(config)#dot1q-tunnel system-tunnel-control Console(config)#interface ethernet 1/1 Console(config-if)#switchport dot1q-tunnel mode access Console(config-if)#interface ethernet 1/2 Console(config-if)#switchport dot1q-tunnel mode uplink Console(config-if)#end Console#show dot1q-tunnel Current double-tagged status of the system is Enabled The dot1q-tunnel mode of the set interface 1/1 is Access mode, TPID is 0x8100.
  • Page 422: Show Pvlan

    VLAN. Data traffic on the downlink ports can only be forwarded to, and from, the uplink port. • Private VLANs and normal VLANs can exist simultaneously within the same switch. • Entering the pvlan command without any parameters enables the private VLAN. Entering no pvlan disables the private VLAN.
  • Page 423: Configuring Protocol-Based Vlans

    • group-id - Group identifier of this protocol group. (Range: 1-2147483647) • frame - Frame type used by this protocol. (Options: ethernet, rfc_1042, llc_other) SNAP frame types are not supported by this switch due to hardware limitations. VLAN Commands Mode Page...
  • Page 424: Protocol-Vlan Protocol-Group (Configuring Interfaces)

    • protocol - Protocol type. The only option for the llc_other frame type is ipx_raw. The options for all other frame types include: ip, arp, rarp, and user-defined (0801-FFFF hexadecimal). Default Setting No protocol groups are configured. Command Mode Global Configuration Example...
  • Page 425: Show Protocol-Vlan Protocol-Group

    - If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface. Example The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2. Console(config)#interface ethernet 1/1 Console(config-if)#protocol-vlan protocol-group 1 vlan 2 Console(config-if)#...
  • Page 426: Priority Commands

    The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 427: Queue Mode

    Global Configuration Command Usage You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue.
  • Page 428: Queue Bandwidth

    IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used. • This switch provides eight priority queues for each port. It is configured to use Weighted Round Robin, which can be viewed with the show queue bandwidth command.
  • Page 429: Queue Cos-Map

    7 is the highest priority. Default Setting This switch supports Class of Service by using four priority queues, with Weighted Round Robin queuing for each port. Eight separate traffic classes are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown below.
  • Page 430: Show Queue Mode

    Command Usage • CoS values assigned at the ingress port are also used at the egress port. Example The following example shows how to change the CoS assignments: Console(config)#interface ethernet 1/1 Console(config-if)#queue cos-map 0 0 Console(config-if)#queue cos-map 1 1 Console(config-if)#queue cos-map 2 2 Console(config-if)#exit Console#show queue cos-map ethernet 1/1...
  • Page 431: Show Queue Cos-Map

    Example Console#show queue bandwidth Queue ID Weight -------- ------ Console# show queue cos-map This command shows the class of service priority map. Syntax show queue cos-map [interface] interface • ethernet unit/port - unit - Stack unit. (Always unit 1) - port - Port number. (Range: 1-26/50) •...
  • Page 432: Map Ip Dscp (Interface Configuration)

    Syntax [no] map ip dscp Default Setting Disabled Command Mode Global Configuration Command Usage • The precedence for priority mapping is IP DSCP, and default switchport priority. Example The following example shows how to enable IP DSCP mapping globally: Console(config)#map ip dscp Console(config)# map ip dscp (Interface Configuration)
  • Page 433: Show Map Ip Dscp

    Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • The precedence for priority mapping is IP DSCP, and default switchport priority. • DSCP priority values are mapped to default Class of Service values according to recommendations in the IEEE 802.1p standard, and then subsequently mapped to the four hardware priority queues.
  • Page 434: Quality Of Service Commands

    Example Console#show map ip dscp ethernet 1/1 DSCP mapping status: disabled Port DSCP COS --------- ---- --- Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Console# Related Commands map ip dscp (Global Configuration) (4-189)
  • Page 435: Table 4-66 Quality Of Service Commands

    Table 4-66 Quality of Service Commands Command Function class-map Creates a class map for a type of traffic match Defines the criteria used to classify traffic policy-map Creates a policy map for multiple interfaces class Defines a traffic classification for the policy to act on Classifies IP traffic by setting a CoS, DSCP, or IP-precedence value in a packet police...
  • Page 436: Class-Map

    class-map This command creates a class map used for matching packets to the specified class, and enters Class Map configuration mode. Use the no form to delete a class map and return to Global configuration mode. Syntax [no] class-map class-map-name [match-any] •...
  • Page 437: Policy-Map

    • vlan - A VLAN. (Range:1-4094) Default Setting None Command Mode Class Map Configuration Command Usage • First enter the class-map command to designate a class map and enter the Class Map configuration mode. Then use the match command to specify the fields within ingress packets that must match to qualify for this class map.
  • Page 438: Class

    Command Usage • Use the policy-map command to specify the name of the policy map, and then use the class command to configure policies for traffic that matches criteria defined in a class map. • A policy map can contain multiple class statements that can be applied to the same interface with the service-policy command (page 4-199).
  • Page 439: Set

    Example This example creates a policy called “rd_policy,” uses the class command to specify the previously defined “rd_class,” uses the set command to classify the service that incoming packets will receive, and then uses the police command to limit the average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets.
  • Page 440: Police

    police This command defines a policer for classified traffic. Use the no form to remove a policer. Syntax [no] police rate-kbps burst-byte [exceed-action {drop | set}] • rate-kbps - Rate in kilobits per second. (Range: 1-100000 kbps or maximum port speed, whichever is lower) •...
  • Page 441: Service-Policy

    service-policy This command applies a policy map defined by the policy-map command to the ingress queue of a particular interface. Use the no form to remove the policy map from this interface. Syntax [no] service-policy input policy-map-name • input - Apply to the input traffic. •...
  • Page 442: Show Policy-Map

    Example Console#show class-map Class Map match-any rd_class#1 Match ip dscp 3 Class Map match-any rd_class#2 Match ip precedence 5 Class Map match-any rd_class#3 Match vlan 1 Console# show policy-map This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations.
  • Page 443: Example

    Console# Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
  • Page 444: Ip Igmp Snooping

    ip igmp snooping This command enables IGMP snooping on this switch. Use the no form to disable it. Syntax [no] ip igmp snooping Default Setting Enabled Command Mode Global Configuration Example The following example enables IGMP snooping.
  • Page 445: Ip Igmp Snooping Version

    The following configures the switch to use IGMP Version 1: Console(config)#ip igmp snooping version 1 Console(config)# ip igmp snooping leave-proxy This command enables IGMP leave proxy on the switch. Use the no form to disable the feature. Syntax [no] ip igmp snooping leave-proxy...
  • Page 446: Ip Igmp Snooping Immediate-Leave

    • The leave-proxy feature does not function when a switch is set as the querier. Example Console(config)#ip igmp snooping leave-proxy Console(config)# ip igmp snooping immediate-leave This command enables IGMP immediate leave for a specific VLAN. Use the no form to disable the feature for a VLAN.
  • Page 447: Show Mac-Address-Table Multicast

    Example The following shows the current IGMP snooping configuration: Console#show ip igmp snooping Service status: Querier status: Leave proxy status: Query count: Query interval: Query max response time: 20 sec Router port expire time: 300 sec Immediate Leave Processing: Disabled on all VLAN IGMP snooping version: Console# show mac-address-table multicast...
  • Page 448: Igmp Query Commands (Layer 2)

    Configures the query timeout router-port-expire-time ip igmp snooping querier This command enables the switch as an IGMP querier. Use the no form to disable it. Syntax [no] ip igmp snooping querier Default Setting Enabled Command Mode...
  • Page 449: Ip Igmp Snooping Query-Interval

    This command configures the query interval. Use the no form to restore the default. Syntax ip igmp snooping query-interval seconds no ip igmp snooping query-interval seconds - The frequency at which the switch sends IGMP host-query messages. (Range: 60-125) Default Setting 125 seconds...
  • Page 450: Ip Igmp Snooping Query-Max-Response-Time

    Global Configuration Command Usage • The switch must be using IGMPv2 for this command to take effect. • This command defines the time after a query, during which a response is expected from a multicast client. If a querier has sent a number of queries...
  • Page 451: Static Multicast Routing Commands

    Default Setting 300 seconds Command Mode Global Configuration Command Usage The switch must use IGMPv2 for this command to take effect. Example The following shows how to configure the default timeout to 300 seconds: Console(config)#ip igmp snooping router-port-expire-time 300 Console(config)#...
  • Page 452: Show Ip Igmp Snooping Mrouter

    Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your router, you can manually configure that interface to join all the current multicast groups.
  • Page 453: Igmp Filtering And Throttling Commands

    Global Configuration Command Usage • IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port. An IGMP filter profile can contain one or more, or a range of multicast addresses; but only one profile can be assigned to a port.
  • Page 454: Ip Igmp Profile

    • The IGMP filtering feature operates in the same manner when MVR is used to forward multicast traffic. Example Console(config)#ip igmp filter Console(config)# ip igmp profile This command creates an IGMP filter profile number and enters IGMP profile configuration mode.
  • Page 455: Range

    Console(config-igmp-profile)#range 239.1.1.1 Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100 Console(config-igmp-profile)# ip igmp filter (Interface Configuration) This command assigns an IGMP filtering profile to an interface on the switch. Use the no form to remove a profile from an interface. Syntax [no] ip igmp filter profile-number profile-number - An IGMP filter profile number.
  • Page 456: Ip Igmp Max-Groups

    When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
  • Page 457: Ip Igmp Max-Groups Action

    Interface Configuration Command Usage When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
  • Page 458: Show Ip Igmp Profile

    Deny range 239.1.1.1 239.1.1.1 range 239.2.3.1 239.2.3.100 Console# show ip igmp profile This command displays IGMP filtering profiles created on the switch. Syntax show ip igmp profile [profile-number] profile-number - An existing IGMP filter profile number. (Range: 1-4294967295) Default Setting...
  • Page 459: Multicast Vlan Registration Commands

    - -port - Port number. (Range: 1-29) • port-channel channel-id (Range: 1-32) Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays all interfaces. Example Console#show ip igmp throttle interface ethernet 1/1 1/1 Information Status : TRUE Action : Deny Max Multicast Groups : 32...
  • Page 460: Mvr (Global Configuration)

    mvr (Global Configuration) This command enables Multicast VLAN Registration (MVR) globally on the switch, statically configures MVR multicast group IP address(es) using the group keyword, or specifies the MVR VLAN identifier using the vlan keyword. Use the no form of this command without any keywords to globally disable MVR.
  • Page 461: Mvr (Interface Configuration)

    • source - Configure the interface as an uplink port that can send and receive multicast data for the configured multicast groups. • immediate - Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group.
  • Page 462 IGMP version 2 or 3 hosts can issue multicast join or leave messages. Example The following configures one source port and several receiver ports on the switch, enables immediate leave on one of the receiver ports, and statically assigns a...
  • Page 463: Show Mvr

    Console# Table 4-73 Field Description MVR Status Shows if MVR is globally enabled on the switch. MVR running status Indicates whether or not all necessary conditions in the MVR environment are satisfied. MVR multicast vlan Shows the VLAN used to transport all MVR multicast traffic.
  • Page 464: Table 4-74 Show Mvr Interface - Display Description

    Status Shows the MVR status and interface status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch. MVR status for receiver ports is “ACTIVE” only if there are subscribers receiving multicast traffic from one of the MVR groups, or a multicast group has been statically assigned to an interface.
  • Page 465: Ip Interface Commands

    An IP address may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on.
  • Page 466: Ip Default-Gateway

    Only one VLAN interface can be assigned an IP address (the default is VLAN 1). This defines the management VLAN, the only VLAN through which you can gain management access to the switch. If you assign an IP address to any other VLAN, the new IP address overrides the original IP address and this becomes the new management VLAN.
  • Page 467: Ip Dhcp Restart

    ip dhcp restart This command submits a BOOTP or DHCP client request. Default Setting None Command Mode Privileged Exec Command Usage • This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command. •...
  • Page 468: Show Ip Redirects

    • size - Number of bytes in a packet. (Range: 32-512, default: 32) The actual packet size will be eight bytes larger than the size specified because the switch adds header information. • count - Number of packets to send. (Range: 1-16, default: 5) Default Setting This command has no default for the host.
  • Page 469: Ip Source Guard Commands

    Shows the source guard binding table source-guard binding ip source-guard This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function. IP Source Guard Commands...
  • Page 470 Syntax ip source-guard {sip | sip-mac} no ip source-guard • sip - Filters traffic based on IP addresses stored in the binding table. • sip-mac - Filters traffic based on IP addresses and corresponding MAC addresses stored in the binding table. Default Setting Disabled Command Mode...
  • Page 471: Ip Source-Guard Binding

    - If IP source guard is enabled on an interface for which IP source bindings (dynamically learned via DHCP snooping or manually configured) are not yet configured, the switch will drop all IP traffic on that port, except for DHCP packets.
  • Page 472: Show Ip Source-Guard

    table, or static addresses configured in the source guard binding table with this command. • Static bindings are processed as follows: - If there is no entry with the same VLAN ID and MAC address, a new entry is added to the binding table using the type of static IP source guard binding.
  • Page 473: Dhcp Snooping Commands

    Console# DHCP Snooping Commands DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCP snooping.
  • Page 474 DHCP server must be configured as trusted (ip dhcp snooping trust, page 4-234). Note that the switch will not add a dynamic entry for itself to the binding table when it 4-232...
  • Page 475: Ip Dhcp Snooping Vlan

    ACK message from a DHCP server. Also, when the switch sends out DHCP client packets for itself, no filtering takes place. However, when the switch receives any messages from a DHCP server, any packets received from untrusted ports are dropped.
  • Page 476: Ip Dhcp Snooping Trust

    • When an untrusted port is changed to a trusted port, all the dynamic DHCP snooping bindings associated with this port are removed. • Additional considerations when the switch itself is a DHCP client – The port(s) through which it submits a client request to the DHCP server must be configured as trusted.
  • Page 477: Ip Dhcp Snooping Verify Mac-Address

    (4-233) ip dhcp snooping trust (4-234) ip dhcp snooping information option This command enables the DHCP Option 82 information relay for the switch. Use the no form to disable this function. Syntax [no] ip dhcp snooping information option...
  • Page 478: Ip Dhcp Snooping Information Policy

    identified by the switch port to which they are connected rather than just their MAC address. DHCP client-server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN.
  • Page 479: Show Ip Dhcp Snooping

    Switch Cluster Commands Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. A switch cluster has a “Commander” unit that is used to manage all other “Member” switches in the cluster. The management station uses Telnet to communicate directly with the Commander through its IP address, and the Commander manages Member switches using cluster “internal”...
  • Page 480: Cluster

    Global Configuration Command Usage • To create a switch cluster, first be sure that clustering is enabled on the switch (the default is enabled), then set the switch as a Cluster Commander. Set a Cluster IP Pool that does not conflict with any other IP subnets in the network.
  • Page 481: Cluster Commander

    This command enables the switch as a cluster Commander. Use the no form to disable the switch as cluster Commander. Syntax [no] cluster commander Default Setting Disabled Command Mode Global Configuration Command Usage • Once a switch has been configured to be a cluster Commander, it automatically discovers other cluster-enabled switches in the network.
  • Page 482: Cluster Member

    Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander. • You cannot change the cluster IP pool when the switch is currently in Commander mode. Commander mode must first be disabled. Example Console(config)#cluster ip-pool 10.2.3.4...
  • Page 483: Show Cluster

    Role: commander Interval heartbeat: Heartbeat loss count: 3 Number of Members: Number of Candidates: 2 Console# show cluster members This command shows the current switch cluster members. Command Mode Privileged Exec Example Console#show cluster members Cluster Members: Role: Active member IP Address: 10.254.254.2...
  • Page 484: Show Cluster Candidates

    show cluster candidates This command shows the discovered Candidate switches in the network. Command Mode Privileged Exec Example Console#show cluster candidates Cluster Candidates: Role --------------- ---------------------------------------------------------- ACTIVE MEMBER 00-12-cf-23-49-c0 CANDIDATE 00-12-cf-0b-47-a0 Console# 4-242 Description TigerSwitch 10/100/1000 SPORT MANAGE TigerSwitch 10/100/1000 SPORT MANAGE...
  • Page 485: Appendix A: Software Specifications

    Appendix A: Software Specifications Software Features Authentication Local, RADIUS, TACACS, Port (802.1X), HTTPS, SSH, Port Security Access Control Lists 128 ACLS (96 MAC rules, 96 IP rules) DHCP Client Port Configuration 100BASE-TX: 10/100 Mbps, half/full duplex 1000BASE-T: 10/100 Mbps at half/full duplex, 1000 Mbps at full duplex 1000BASE-SX/LX/ZX - 1000 Mbps at full duplex (SFP) Flow Control Full Duplex: IEEE 802.3-2002...
  • Page 486: Management Features

    SNTP (Simple Network Time Protocol) SNMP (Simple Network Management Protocol) RMON (Remote Monitoring, groups 1,2,3,9) SMTP Email Alerts DHCP Snooping IP Source Guard Switch Clustering Management Features In-Band Management Telnet, Web-based HTTP or HTTPS, SNMP manager, or Secure Shell Out-of-Band Management RS-232 console port...
  • Page 487: Management Information Bases

    Management Information Bases RMON (RFC 1757 groups 1,2,3,9) SNMP (RFC 1157) SNMPv2 (RFC 2571) SNMPv3 (RFC DRAFT 3414, 3410, 2273, 3411, 3415) SNTP (RFC 2030) SSH (Version 2.0) TFTP (RFC 1350) Management Information Bases Bridge MIB (RFC 1493) Differentiated Services MIB (RFC 3289) Entity MIB (RFC 2737) Ether-like MIB (RFC 2665) Extended Bridge MIB (RFC 2674)
  • Page 488 Software Specifications...
  • Page 489: Appendix B: Troubleshooting

    • Be sure the management station has an IP address in the same subnet as • If you are trying to connect to the switch via the IP address for a tagged • If you cannot connect using Telnet, you may have exceeded the maximum Cannot connect using •...
  • Page 490: Using System Logs

    Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
  • Page 491: Glossary

    EAPOL is a client authentication protocol used by this switch to verify the network access rights for any device that is plugged into the switch. A user name and password are requested by the switch, and then passed to an authentication server (e.g., RADIUS) for verification.
  • Page 492 IEEE 802.1X Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for authentication. IEEE 802.3ac Defines frame extensions for VLAN tagging.
  • Page 493 Internet Group Management Protocol (IGMP) A protocol through which hosts can register with their local router for multicast services. If there is more than one multicast switch/router on a given subnetwork, one of the devices is made the “querier” and assumes responsibility for keeping track of group membership.
  • Page 494 Glossary Multicast Switching A process whereby the switch filters incoming multicast frames for services for which no attached host has registered, or forwards them to all ports contained within the designated multicast VLAN group. Network Time Protocol (NTP) NTP provides the mechanisms to synchronize time across the network. The time servers operate in a hierarchical-master-slave configuration in order to synchronize local clocks within the subnet and to national time standards via wire or radio.
  • Page 495 A secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch. Simple Network Management Protocol (SNMP) The application protocol in the Internet suite of protocols which offers network management services.
  • Page 496 Glossary Virtual LAN (VLAN) A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. A VLAN serves as a logical workgroup with no physical barriers, and allows users to share information and resources as though located on the same LAN.
  • Page 497: Index

    Index Numerics 802.1Q tunnel 3-133, 4-176 description 3-133 interface configuration 3-138, 4-177–4-178 mode selection 3-138 TPID 3-137, 4-178 802.1X, port authentication 3-60, 3-67 acceptable frame type 3-132, 4-171 Access Control List See ACL Extended IP 4-89, 4-90, 4-91 MAC 4-95, 4-95–4-97 Standard IP 4-89, 4-90, 4-91 address table 3-99, 4-140 aging time 3-102, 4-143...
  • Page 498 Index firmware displaying version 3-11, 4-62 upgrading 3-18, 4-64 GARP VLAN Registration Protocol See GVRP gateway, default 3-14, 4-224 GVRP global setting 3-125, 4-164 interface configuration 4-165 hardware version, displaying 3-11, 4-62 HTTPS 3-52, 4-30 HTTPS, secure server 3-52, 4-30 IEEE 802.1D 3-102, 4-145 IEEE 802.1s 4-145 IEEE 802.1w 3-102, 4-145...
  • Page 499 password, line 4-12, 4-13 passwords 2-4 administrator setting 3-46, 4-25 path cost 3-105, 3-112 method 3-109, 4-149 STA 3-105, 3-112, 4-149 port authentication 3-60, 3-67 port priority configuring 3-144, 4-184, 4-192 default ingress 3-144, 4-185 STA 3-112, 4-155 port security, configuring 3-59, 4-79 port, statistics 3-95, 4-124 ports autonegotiation 3-79, 4-118...
  • Page 500 Index switchport mode dot1q-tunnel 4-177 system clock, setting 3-31, 4-53 system logs 3-25 system mode, normal or QinQ 3-137, 4-176 system software, downloading from server 3-18 TACACS+, logon authentication 3-48, 4-77 throttling, IGMP 3-169 time, setting 3-31, 4-53 TPID 3-137, 4-178 traffic class weights 3-148, 4-186 trap manager 2-7, 3-34, 4-104 troubleshooting B-1...
  • Page 502 SMC8126L2 SMC8150L2 149100036100A R01 TECHNICAL SUPPORT From U.S.A. and Canada (24 hours a day, 7 days a week) Phn: 800-SMC-4-YOU / 949-679-8000 Fax: 949-502-3400 ENGLISH Technical Support information available at www.smc.com FRENCH Informations Support Technique sur www.smc.com DEUTSCH Technischer Support und weitere Information unter www.smc.com SPANISH En www.smc.com Ud.

This manual is also suitable for: Smc8150l2, 8126l2, 8150l2