Summary of Contents for Enterasys Matrix-V V2H124-24
Matrix V-Series V2H124-24, V2H124-24FX, and V2H124-24P Fast Ethernet Switch Configuration Guide P/N 9033925-06...
ENTERASYS NETWORKS reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult ENTERASYS NETWORKS to determine whether any such changes have been made.
This document is an agreement (“Agreement”) between the end user (“You”) and Enterasys Networks, Inc. on behalf of itself and its Affiliates (as hereinafter defined) (“Enterasys”) that sets forth Your rights and obligations with respect to the Enterasys software program/firmware installed on the Enterasys product (including any accompanying documentation, hardware or media) (“Program”) in the package and prevails over any additional, conflicting or inconsistent...
52.227-19 (a) through (d) of the Commercial Computer Software-Restricted Rights Clause and its successors, and (iii) in all respects is proprietary data belonging to Enterasys and/or its suppliers. For Department of Defense units, the Program is considered commercial computer software in accordance with DFARS section 227.7202-3 and its successors, and use, duplication, or disclosure by the...
(i) license fees due and paid, and (ii) the use, copying and deployment of the Program. You also grant to Enterasys and its authorized representatives, upon reasonable notice, the right to audit and examine during Your normal...
Agreement shall be void and a breach of this Agreement. 12. WAIVER. A waiver by Enterasys of a breach of any of the terms and conditions of this Agreement must be in writing and will not be construed as a waiver of any subsequent breach of such term or condition.
Contents Chapter 1: Introduction Key Features Description of Software Features System Defaults Chapter 2: Initial Configuration Connecting to the Switch Configuration Options Required Connections Remote Connections Stack Operations Selecting the Stack Master Broken Link for Wrap-around Topologies Resilient IP Interface for Management Access Automatic Code Update Basic Configuration Console Connection...
Contents Displaying Switch Hardware/Software Versions 3-10 Displaying Bridge Extension Capabilities 3-12 Setting the IP Address 3-14 Manual Configuration 3-15 Using DHCP/BOOTP 3-16 Managing Firmware 3-17 Downloading System Software from a Server 3-18 Saving or Restoring Configuration Settings 3-20 Downloading Configuration Settings from a Server 3-21 Console Port Settings 3-23...
Contents Configuring 802.1X Port Authentication 3-65 Displaying and Configuring the 802.1x Global Setting 3-66 Configuring Port Settings for 802.1x 3-67 Displaying 802.1x Statistics 3-70 Filtering IP Addresses for Management Access 3-72 Access Control Lists 3-74 Configuring Access Control Lists 3-74 Setting the ACL Name and Type 3-75 Configuring a Standard IP ACL...
Contents Spanning Tree Algorithm Configuration 3-123 Displaying Global Settings 3-124 Configuring Global Settings 3-127 Displaying Interface Settings 3-131 Configuring Interface Settings 3-135 Configuring Multiple Spanning Trees 3-137 Displaying Interface Settings for MSTP 3-140 Configuring Interface Settings for MSTP 3-142 VLAN Configuration 3-144 IEEE 802.1Q VLANs 3-144...
Contents Chapter 4: Command Line Interface Using the Command Line Interface Accessing the CLI Console Connection Telnet Connection Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion Getting Help on Commands Showing Commands Partial Keyword Lookup Negating the Effect of Commands Using Command History Understanding Command Modes Exec Commands...
Contents System Management Commands 4-24 Device Designation Commands 4-24 prompt 4-24 hostname 4-25 User Access Commands 4-25 username 4-26 enable password 4-27 IP Filter Commands 4-28 management 4-28 show management 4-29 Web Server Commands 4-30 ip http port 4-30 ip http server 4-30 ip http secure-server 4-31...
Contents logging sendmail 4-53 show logging sendmail 4-53 Time Commands 4-54 sntp client 4-54 sntp server 4-55 sntp poll 4-56 show sntp 4-56 clock timezone 4-57 calendar set 4-58 show calendar 4-58 System Status Commands 4-59 light unit 4-59 show startup-config 4-59 show running-config 4-61...
Contents authentication enable 4-85 RADIUS Client 4-86 radius-server host 4-87 radius-server port 4-88 radius-server key 4-88 radius-server retransmit 4-89 radius-server timeout 4-89 radius-server service-type 4-90 show radius-server 4-92 AAA Accounting 4-92 aaa group server 4-93 server 4-93 aaa accounting 4-94 accounting 4-94 show accounting...
Contents show ip access-list 4-117 access-list ip mask-precedence 4-117 mask (IP ACL) 4-118 show access-list ip mask-precedence 4-121 ip access-group 4-122 show ip access-group 4-122 map access-list ip 4-123 show map access-list ip 4-124 match access-list ip 4-124 show marking 4-125 MAC ACLs 4-126...
Contents description 4-151 speed-duplex 4-152 negotiation 4-153 capabilities 4-154 flowcontrol 4-155 shutdown 4-156 switchport broadcast packet-rate 4-156 clear counters 4-157 show interfaces status 4-158 show interfaces counters 4-159 show interfaces switchport 4-160 Mirror Port Commands 4-161 port monitor 4-161 show port monitor 4-162 Rate Limit Commands 4-163...
Contents map ip port (Interface Configuration) 4-218 map ip precedence (Global Configuration) 4-218 map ip precedence (Interface Configuration) 4-219 map ip dscp (Global Configuration) 4-220 map ip dscp (Interface Configuration) 4-220 show map ip port 4-221 show map ip precedence 4-222 show map ip dscp 4-223...
Contents Appendix A: Troubleshooting Problems Accessing the Management Interface Using System Logs Appendix B: Software Specifications Software Features Management Features Standards Management Information Bases Glossary Index...
Chapter 1: Introduction

This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.
Table 1-1. Key Features (Continued)

Feature               Description
Multicast Filtering   Supports IGMP snooping and query
AMAP                  Configures Alcatel Mapping Adjacency Protocol (AMAP) parameters and displays information on attached AMAP-aware devices

Description of Software Features

The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation.
Port Configuration – You can manually configure the speed, duplex mode, and flow control used on specific ports, or use auto-negotiation to detect the connection settings used by the attached device. Use the full-duplex mode on ports whenever possible to double the throughput of switch connections.
Spanning Tree Protocol – The switch supports these spanning tree protocols:

Spanning Tree Protocol (STP, IEEE 802.1D) – This protocol adds a level of fault tolerance by allowing two or more redundant connections to be created between a pair of LAN segments. When there are multiple physical paths between segments, this protocol will choose a single path and disable all others to ensure that only one route exists between any two stations on the network.
System Defaults This switch also supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic can be prioritized based on the priority bits in the IP frame’s Type of Service (ToS) octet or the number of the TCP/UDP port. When these services are enabled, the priorities are mapped to a Class of Service value by the switch, and the traffic then sent to the corresponding output queue.
Table 1-2. System Defaults (Continued)

Function         Parameter                 Default
Web Management   HTTP Server               Enabled
                 HTTP Port Number
                 HTTP Secure Server        Enabled
                 HTTP Secure Port Number
SNMP             Community Strings         “public” (read only)
                                           “private” (read/write)
                 Traps                     Authentication traps: enabled
                                           Link-up-down events: enabled
                 SNMP V3                   View: defaultview
                                           Group: DefaultROGroup (read only);...
System Defaults Table 1-2. System Defaults (Continued) Function Parameter Default Traffic Prioritization Ingress Port Priority Weighted Round Robin Queue: 0, 1, 2, 3 Weight: 1, 4, 16, 64 IP Precedence Priority Disabled IP DSCP Priority Disabled IP Settings Management VLAN IP Address 0.0.0.0 Subnet Mask...
Chapter 2: Initial Configuration

Connecting to the Switch

Configuration Options

The Matrix V-Series V2H124-24, V2H124-24FX and V2H124-24P switches include a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a Web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
• Configure Spanning Tree parameters
• Configure Class of Service (CoS) priority queuing
• Configure up to six static or LACP trunks
• Filter packets using Access Control Lists (ACLs)
• Enable port mirroring
• Set broadcast storm control on any port
•...
Stack Operations 2. Refer to “Line Commands” on page 4-9 for a complete description of console configuration options. 3. Once you have set up the terminal correctly, the console login screen will be displayed. For a description of how to use the CLI, see “Using the Command Line Interface” on page 4-1.
Selecting the Stack Master

Note the following points about unit numbering:
• When the stack is initially powered on, the Master unit is designated as unit 1 for a ring topology.
• If more than one stack Master is selected using the Master/Slave push button on the switch’s front panel, the system will select the unit with the lowest MAC address as the Master....
Basic Configuration

Access to both CLI levels is controlled by user names and passwords. The switch has a default user name and password for each level. To log into the CLI at the Privileged Exec level using the default user name and password, perform these steps:

1. To initiate your console connection, press <Enter>.
Setting an IP Address

You must establish IP address information for the switch to obtain management access through the network. This can be done in either of the following ways:

Manual — You have to input the information, including IP address and subnet mask. If your management station is not in the same IP subnet as the switch, you will also need to specify the default gateway router.
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.254
Console(config)#

Dynamic Configuration

If you select the “bootp” or “dhcp” option, IP will be enabled but will not function until a BOOTP or DHCP reply has been received. You therefore need to use the “ip dhcp restart”...
Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#ip dhcp restart
Console#show ip interface
IP interface vlan
IP address and netmask: 10.1.0.54 255.255.255.0 on VLAN 1,
and address mode: User specified.
Console#copy running-config startup-config
Startup configuration file name []: startup
Console#

Enabling SNMP Management Access

The switch can be configured to accept management commands from Simple...
To configure a community string, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt, type “snmp-server community string mode,” where “string” is the community access string and “mode” is rw (read/write) or ro (read only). Press <Enter>. (Note that the default mode is read only.)
2. To remove an existing string, simply type “no snmp-server community string,”...
In the last step, it assigns a v3 user to this group, indicating that MD5 will be used for authentication, provides the password “greenpeace” for authentication, and the password “einstien” for encryption.

Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included
Console(config)#snmp-server view 802.1d 1.3.6.1.2.1.17 included
Console(config)#snmp-server group r&d v3 auth mib-2 802.1d
Console(config)#snmp-server user steve group r&d v3 auth md5 greenpeace priv des56 einstien
...
Managing System Files

The switch’s flash memory supports three types of system files that can be managed by the CLI program, Web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file. The three types of files are:
•...
Chapter 3: Configuring the Switch

Using the Web Interface

This switch provides an embedded HTTP Web agent. Using a Web browser you can configure the switch and view statistics to monitor network activity. The Web agent can be accessed by any computer on the network using a standard Web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above).
Navigating the Web Browser Interface

To access the Web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.”

Home Page

When your Web browser connects with the switch’s Web agent, the home page is displayed as shown below.
Navigating the Web Browser Interface Notes: 1. To ensure proper screen refresh, be sure that Internet Explorer 5.x is configured as follows: Under the menu “Tools / Internet Options / General / Temporary Internet Files / Settings,” the setting for item “Check for newer versions of stored pages”...
Configuring the Switch Table 3-2. Switch Main Menu (Continued) Menu Description Page 3-26 Logs Stores and displays error messages 3-26 System Logs Sends error messages to a logging process 3-28 Remote Logs Configures the logging of messages to a remote logging process 3-28 SMTP Sends an SMTP client message to a participating server 3-30...
Navigating the Web Browser Interface Table 3-2. Switch Main Menu (Continued) Menu Description Page Port Security Configures per port security, including status, response for 3-63 security breach, and maximum allowed MAC addresses 802.1x Port authentication 3-65 Information Displays the global configuration setting 3-66 Configuration Configures the global configuration setting...
Configuring the Switch Table 3-2. Switch Main Menu (Continued) Menu Description Page Enterasys 3-110 Cabletron Discovery Protocol home page 3-110 Global Settings Configures global CDP settings 3-110 Port Settings Configures CDP settings on a per port basis 3-112 Neighbors Information...
Navigating the Web Browser Interface Table 3-2. Switch Main Menu (Continued) Menu Description Page Basic Information Displays basic information on the VLAN type supported by this 3-147 switch Current Table Shows the current port members of each VLAN and whether or 3-148 not the port supports VLAN tagging Static List...
Configuring the Switch Table 3-2. Switch Main Menu (Continued) Menu Description Page Static Multicast Router Port Assigns ports that are attached to a neighboring multicast router/ 3-175 Configuration switch IP Multicast Registration Displays all multicast groups active on this switch, including 3-176 Table multicast IP addresses and VLAN ID...
Basic Configuration

Web – Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that accesses the Command Line Interface via Telnet.)

Figure 3-3. System Information...
Console(config)#snmp-server location TPS - 2nd Floor        4-140
Console(config)#snmp-server contact David                   4-140
Console#show system
System description: Enterasys Networks, Inc. V2H124-24; SW version: V2.5.2.1
System OID string: 1.3.6.1.4.1.5624.2.1.62
System information
System Up time: 0 days, 5 hours, 3 minutes, and 38.47 seconds...
Basic Configuration Management Software • Loader Version – Version number of loader code. • Boot-ROM Version – Version of Power-On Self-Test (POST) and boot code. • Operation Code Version – Version number of runtime code. • Role – Shows that this switch is operating as Master or Slave. Expansion Slot •...
CLI – Use the following command to display version information.

Console#show version        4-64
Unit1
Serial number: 033840352141
Service tag: 0000000
Hardware version:
Module A type: Stacking Module
Module B type: Combo 1000BaseT SFP
Number of ports:
Main power status:
Redundant power status: not present
Agent (master)...
Basic Configuration • Local VLAN Capable – This switch does not support multiple local bridges (i.e., multiple Spanning Trees). • GMRP – GARP Multicast Registration Protocol (GMRP) allows network devices to register endstations with multicast groups. This switch does not support GMRP; it uses the Internet Group Management Protocol (IGMP) to provide automatic multicast filtering.
Configuring the Switch Setting the IP Address An IP address may be used for management access to the switch over your network. By default, the switch uses DHCP to assign IP settings to VLAN 1 on the switch. If you wish to manually configure IP settings, you need to change the switch’s user-specified defaults (IP address 0.0.0.0 and netmask 255.0.0.0) to values that are compatible with your network.
Basic Configuration Manual Configuration Web – Click System, IP. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply Figure 3-6. VLAN IP Configuration CLI –...
Configuring the Switch Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services. Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes.
Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the switch is moved to another network segment, you will lose management access to the switch. In this case, you can reboot the switch or submit a client request to restart DHCP service via the CLI.
Configuring the Switch Downloading System Software from a Server When downloading runtime code, you can specify the destination file name to replace the current image, or first download the file using a different name from the current runtime code file, and then set the new file as the startup file. Web –Click System, File Management, Copy Operation.
To delete a file, select System, File, Delete. Select the file name from the given list by checking the tick box and then click Apply. Note that the file currently designated as the startup code cannot be deleted.

Figure 3-10....
Configuring the Switch Saving or Restoring Configuration Settings You can upload/download configuration settings to/from a TFTP server or copy files to and from switch units in a stack. The configuration files can be later downloaded to restore the switch’s settings. Command Attributes •...
Basic Configuration Downloading Configuration Settings from a Server You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be copied to the TFTP server, but cannot be used as the destination on the switch.
CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch.

Console#copy tftp startup-config        4-66
TFTP server ip address: 192.168.1.19
Source configuration file name: config-1
Startup configuration file name [] : startup
\Write to FLASH Programming....
Basic Configuration Console Port Settings You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port. Management access through the console port is controlled by various parameters, including a password, timeouts, and basic communication settings. These parameters can be configured via the Web or CLI interface.
Configuring the Switch Web – Click System, Line, Console. Specify the console port connection parameters as required, then click Apply. Figure 3-13. Console Port Settings CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.
Basic Configuration Telnet Settings You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other various parameters set, including the TCP port number, timeouts, and a password.
CLI – Enter Line Configuration mode for a virtual terminal, then specify the connection parameters as required. To display the current virtual terminal settings, use the show line command from the Normal Exec level.

Console(config)#line vty                    4-10
Console(config-line)#login local            4-11
Console(config-line)#password 0 secret...
Configuring the Switch Remote Log Configuration The Remote Logs page allows you to configure the logging of messages that are sent to syslog servers or other management stations. You can also limit the event messages sent to only those messages at or above a specified level. Command Attributes •...
CLI – Enter the syslog server host IP address, choose the facility type and set the minimum level of messages to be logged.

Console(config)#logging host 192.168.1.7        4-46
Console(config)#logging facility 23             4-46
Console(config)#logging trap 4                  4-47
Console(config)#end
Console#show logging trap                       4-49
Syslog logging: Enabled...
CLI – This example shows that system logging is enabled, the message level for flash memory is “errors” (i.e., default level 3 - 0), the message level for RAM is “debugging” (i.e., default level 7 - 0), and lists one sample error.

Console#show logging flash        4-49
Syslog logging: Enable...
Basic Configuration Web – Click System, Log, SMTP. Enable SMTP, specify a source email address, and select the minimum severity level. To add an IP address to the SMTP Server List, type the new IP address in the SMTP Server text box and then click Add. To delete an IP address, click the entry in the SMTP Server List and then click Remove.
Basic Configuration Setting the System Clock Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
CLI – This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings.

Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2        4-55
Console(config)#sntp poll 60                                            4-56
Console(config)#sntp client                                             4-54
Console(config)#exit
Console#show sntp                                                       4-56
Current time: June 6 14:56:05 2004...
CLI - This example shows how to set the time zone for the system clock.

Console(config)#clock timezone Pacific hours 8 minute 0 before-UTC        4-54
Console#

Configuring SNMP

Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers....
Table 3-4. SNMPv3 Security Models and Levels

Model   Level          Group            Read View      Write View     Security
        noAuthNoPriv   DefaultROGroup   defaultview    none           Community string only
        noAuthNoPriv   DefaultRWGroup   defaultview    defaultview    Community string only
        noAuthNoPriv   user defined     user defined   user defined   Community string only
        noAuthNoPriv   DefaultROGroup   defaultview    none...
Setting Community Access Strings

You may configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. All community strings used for IP Trap Managers should be listed in this table. For security reasons, you should consider removing the default strings....
Configuring the Switch Specifying Trap Managers Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as HP OpenView).
CLI – This example adds a trap manager and enables authentication traps.

Console(config)#snmp-server host 10.1.19.23 batman private version 2c udp-port 162        4-141
Console(config)#snmp-server enable traps authentication                                   4-142

Configuring SNMPv3 Management Access

To configure SNMPv3 management access to the switch, follow these steps:

1. If you want to change the default engine ID, it must be changed first before configuring other parameters....
CLI – This example sets an SNMPv3 engine ID.

Console(config)#snmp-server engine-id local 12345abcdef        4-143
Console(config)#exit
Console#show snmp engine-id                                    4-144
Local SNMP engineID: 12345abcdef000000000000000
Local SNMP engineBoots: 1
Console#

Configuring SNMPv3 Users

Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group....
Configuring SNMP Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
CLI – Use the snmp-server user command to configure a new user name and assign it to a group.

Console(config)#snmp-server user chris group r&d v3 auth md5 greenpeace priv des56 einstien        4-148
Console(config)#exit
Console#show snmp user                                                                              4-149
EngineId: 80000034030001f488f5200000
User Name: chris
Authentication Protocol: md5...
Configuring SNMP Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read and write views. Click Add to save the new group and return to the Groups list. To delete a group, check the box next to the group name, then click Delete.
CLI – Use the snmp-server group command to configure a new group, specifying the security model and level, and restricting MIB access to defined read and write views.

Console(config)#snmp-server group v3secure v3 priv read defaultview write defaultview        4-146
Console(config)#exit
Console#show snmp group...
Configuring SNMP Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view. Click Back to save the new view and return to the SNMPv3 Views list.
CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries.

Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included        4-144
Console(config)#exit
Console#show snmp view                                                            4-145
View Name: ifEntry.a
Subtree OID: 1.3.6.1.2.1.2.2.1.1.*...
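The following Python check is an added example, not part of the Enterasys guide. It reads snmp-server lines in the command forms shown in the community string, trap manager, user and group sections above and reports the factory default community strings, write-enabled community strings, v1/v2c trap destinations, and SNMPv3 groups or users below the AuthPriv level named in Table 3-4. The sample configuration is constructed, and it is an assumption of this example that a saved configuration lists these commands one per line in the form they are typed.

```python
"""Audit the snmp-server lines of a switch configuration (added example)."""
from typing import NamedTuple

DEFAULT_COMMUNITIES = {"public", "private"}   # factory defaults listed in Table 1-2
RANK = {"noAuthNoPriv": 0, "AuthNoPriv": 1, "AuthPriv": 2}   # levels named in Table 3-4

# Constructed sample. Assumption: the saved configuration holds one command per
# line, in the form the commands are typed in this guide's CLI examples.
SAMPLE_CONFIG = """\
snmp-server community public ro
snmp-server community private rw
snmp-server host 10.1.19.23 batman private version 2c udp-port 162
snmp-server view mib-2 1.3.6.1.2.1 included
snmp-server view 802.1d 1.3.6.1.2.1.17 included
snmp-server group r&d v3 auth mib-2 802.1d
snmp-server group v3secure v3 priv read defaultview write defaultview
snmp-server user steve group r&d v3 auth md5 greenpeace priv des56 einstien
snmp-server user chris group v3secure v3 auth md5 greenpeace
"""


class Finding(NamedTuple):
    line_no: int
    rule: str
    detail: str


def group_level(model, rest):
    """Security level of a group: only v3 groups can be above noAuthNoPriv."""
    if model != "v3" or not rest:
        return "noAuthNoPriv"
    return {"priv": "AuthPriv", "auth": "AuthNoPriv"}.get(rest[0], "noAuthNoPriv")


def user_level(model, rest):
    """Security level of a user, parsed by position so that a password spelled
    'auth' or 'priv' is not mistaken for a keyword."""
    if model != "v3" or rest[:1] != ["auth"] or len(rest) < 3:
        return "noAuthNoPriv"
    if rest[3:4] == ["priv"] and len(rest) >= 6:
        return "AuthPriv"
    return "AuthNoPriv"


def audit_snmp(config_text):
    """Return the findings for every snmp-server line, ordered by line number."""
    findings, groups, users = [], {}, []
    for no, raw in enumerate(config_text.splitlines(), start=1):
        tok = raw.split()
        if len(tok) < 3 or tok[0] != "snmp-server":
            continue
        kind, args = tok[1], tok[2:]
        if kind == "community":
            name = args[0]
            mode = args[1] if len(args) > 1 else "ro"   # the guide: default mode is read only
            if name in DEFAULT_COMMUNITIES:
                findings.append(Finding(no, "DEFAULT_COMMUNITY",
                                        f"factory default string '{name}' is still configured"))
            if mode == "rw":
                findings.append(Finding(no, "RW_COMMUNITY",
                                        f"'{name}' allows writes on a community string alone"))
        elif kind == "host" and "version" in args[:-1]:
            version = args[args.index("version") + 1]
            if version in ("1", "2c"):
                findings.append(Finding(no, "TRAP_COMMUNITY_ONLY",
                                        f"traps to {args[0]} use SNMP v{version}"))
        elif kind == "group" and len(args) >= 2:
            level = group_level(args[1], args[2:])
            groups[args[0]] = level
            if RANK[level] < RANK["AuthPriv"]:
                findings.append(Finding(no, "GROUP_LEVEL",
                                        f"group '{args[0]}' ({args[1]}) is {level}"))
        elif kind == "user" and len(args) >= 4 and args[1] == "group":
            users.append((no, args[0], args[2], user_level(args[3], args[4:])))
    # Users are checked last so that a group defined after its users still counts.
    for no, name, group, level in users:
        required = groups.get(group)
        if required is not None and RANK[level] < RANK[required]:
            findings.append(Finding(no, "USER_BELOW_GROUP",
                                    f"user '{name}' is {level}, group '{group}' is {required}"))
        elif RANK[level] < RANK["AuthPriv"]:
            findings.append(Finding(no, "USER_LEVEL", f"user '{name}' is {level}"))
    return sorted(findings, key=lambda f: f.line_no)


if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print(f"line {finding.line_no}: {finding.rule}: {finding.detail}")
```

The user "steve" raises no finding because its AuthPriv level is at or above the level of its group; the constructed user "chris" is reported because it has no privacy password while its group is configured for priv.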
User Authentication

Command Attributes
• Account List – Displays the current list of user accounts and associated access levels. (Defaults: admin, and guest)
• New Account – Allows configuration of a new account with Normal or Privileged access.
• Add/Remove – Adds or removes an account from the list.
•...
Configuring the Switch Configuring Local/Remote Logon Authentication Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.
Command Attributes
• Authentication – Select the authentication, or authentication sequence required:
  - Local – User authentication is performed only locally by the switch.
  - Radius – User authentication is performed using a RADIUS server only.
  - TACACS – User authentication is performed using a TACACS+ server only.
  - [authentication sequence] –...
Configuring the Switch Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply. Figure 3-30. Setting Local, RADIUS and TACACS Authentication 3-50...
Web – Click Security, AAA, Accounting Settings. To configure a new accounting method, specify a method name and a group name, then click Add.

Figure 3-31. AAA Accounting Settings

CLI – Specify the accounting method required, followed by the chosen parameters.

Console(config)#aaa accounting dot1x default start-stop group radius        4-94
Console(config)#
...
CLI – Specify the accounting method required, followed by the start-stop method, then specify the RADIUS server index.

Console(config)#aaa accounting dot1x default start-stop group Server_1        4-94
Console(config)#

AAA Accounting Update

This feature sets the time period when accounting updates are sent to the AAA RADIUS server....
Configuring the Switch AAA Accounting 802.1X Port Settings This feature applies specified accounting methods to selected ports. Command Attributes • Port/Trunk - Specifies a port or trunk number. • Method Name - Specifies a user defined method name to apply to the port/trunk. This method must be defined in the “AAA Accounting Settings”...
AAA Accounting Exec Settings

This feature specifies a method name to apply to Console and Telnet interfaces.

Command Attributes
• Method Name - Specifies a user defined method name to apply to the Console and Telnet interfaces.

Web – Click Security, AAA, Exec Settings. Enter the predefined method name and click Apply....
Web – Click Security, AAA, Summary.

Figure 3-36. AAA Summary

CLI – Specify the required port and apply the accounting list to it.

Console(config-if)#show accounting        4-95
Console(config)#

Configuring HTTPS

You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface....
• When you start HTTPS, the connection is established in this way:
  - The client authenticates the server using the server’s digital certificate.
  - The client and server negotiate a set of security protocols to use for the connection....
Configuring the Switch Replacing the Default Secure-site Certificate When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch. By default, the certificate that Netscape and Internet Explorer display will be associated with a warning that the site is not recognized as a secure site.
User Authentication Command Usage The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified on the Authentication Settings page (page 3-46).
Configuring the Switch Challenge-Response Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can access.
User Authentication Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate. Figure 3-38.
Configuring the Switch Configuring the SSH Server The SSH server includes basic settings for authentication. Field Attributes • SSH Server Status – Allows you to enable/disable the SSH server feature on the switch. (Default: Disabled) • Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients.
User Authentication CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SSH, and then disables this connection.
Console(config)#ip ssh server 4-36
Console(config)#ip ssh timeout 100 4-37
Console(config)#ip ssh authentication-retries 5 4-37...
Configuring the Switch • If a port is disabled (shut down) due to a security violation, it must be manually re-enabled from the Port/Port Configuration page, see “Configuring Interface Connections” on page 3-89. Command Attributes • Port – Port number. •...
User Authentication Configuring 802.1X Port Authentication Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data.
Configuring the Switch • The RADIUS server and client also have to support the same EAP authentication type – MD5. (Some clients have native support in Windows, otherwise the dot1x client must support it.) Displaying and Configuring the 802.1x Global Setting The 802.1x protocol must be enabled globally for the switch system before port settings are active.
User Authentication CLI – This example enables 802.1x globally for the switch and shows the current setting.
Console(config)#dot1x system-auth-control 4-100
Console(config)#
Console#show dot1x 4-105
Global 802.1X Parameters
system-auth-control: enable
802.1X Port Summary
Port Name Status Operation Mode Mode Authorized
disabled Single-Host ForceAuthorized disabled...
Configuring the Switch • Quiet Period – Sets the time that a switch port waits after the Max Request count has been exceeded before attempting to acquire a new client. (Range: 1-65535 seconds; Default: 60 seconds) • Re-authentication Period – Sets the time period after which a connected client must be re-authenticated.
User Authentication CLI – This example sets the 802.1x parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 4-105.
Console(config)#interface ethernet 1/2 4-151
Console(config-if)#dot1x port-control auto 4-102
Console(config-if)#dot1x re-authentication 4-103
Console(config-if)#dot1x max-req 5 4-101...
Configuring the Switch Displaying 802.1x Statistics This switch can display statistics for dot1x protocol exchanges for any port. Statistical Values Table 3-6. 802.1x Statistics Parameter Description Rx EAPOL Start The number of EAPOL Start frames that have been received by this Authenticator.
User Authentication Web – Select Security, 802.1x, Statistics. Select the required port and then click Query. Click Refresh to update the statistics. Figure 3-44. Displaying 802.1x Statistics CLI – This example displays the 802.1x statistics for port 4. Console#show dot1x statistics interface ethernet 1/4 4-105 Eth 1/4 Rx: EXPOL...
Configuring the Switch Filtering IP Addresses for Management Access You can specify the client IP addresses that are allowed management access to the switch through the web interface, SNMP, or Telnet. Command Usage • The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses.
User Authentication Web – Click Security, IP Filter. Enter the addresses that are allowed management access to an interface, and click Add IP Filtering Entry. Figure 3-45. Entering IP Addresses to be Filtered CLI – This example restricts management access for Telnet and SNMP clients.
Console(config)#management telnet-client 192.168.1.19 4-28
Console(config)#management telnet-client 192.168.1.25 192.168.1.30...
Configuring the Switch Access Control Lists Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, specify a mask to modify the precedence in which the rules are checked, and then bind the list to a specific port.
Access Control Lists Setting the ACL Name and Type Use the ACL Configuration page to designate the name and type of an ACL. Command Attributes • Name – Name of the ACL. (Maximum length: 16 characters) • Type – There are three filtering modes: - Standard: IP ACL mode that filters packets based on the source IP address.
Configuring the Switch • Subnet Mask – A subnet mask containing four integers from 0 to 255, each separated by a period. The mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.” The mask is bitwise ANDed with the specified source IP address, and compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.
Access Control Lists Configuring an Extended IP ACL Command Attributes • Action – An ACL can contain permit rules, deny rules or a combination of both. (Default: Permit rules) • Source/Destination Address Type – Specifies the source or destination IP address. Use “Any”...
Configuring the Switch Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range.
Access Control Lists Configuring a MAC ACL Command Attributes • Action – An ACL can contain permit rules, deny rules, or a combination of both. (Default: Permit rules) • Source/Destination Address Type – Use “Any” to include all possible addresses, “Host”...
Configuring the Switch Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range.
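The mask semantics described above for IP ACL rules (1 bits match, 0 bits are ignored) and for MAC rules (base address plus hexadecimal bitmask) can be checked offline before a rule is entered on the switch. The following Python sketch is an added example, not part of the Enterasys guide or firmware. It assumes that both the rule address and the packet address are ANDed with the mask before comparison and that a MAC bitmask is written in the same dash-separated form as a MAC address; the rule names and addresses are constructed sample data.

```python
import ipaddress


def parse_ip(text):
    """Dotted-quad IPv4 address or mask -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def parse_mac(text):
    """MAC address or bitmask written as 11-22-33-44-55-66 -> 48-bit integer."""
    octets = text.split("-")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"not a dash-separated MAC value: {text!r}")
    return int("".join(octets), 16)


def mask_match(rule_addr, mask, packet_addr):
    """True when every bit selected by the mask (1 = match) is equal.

    Assumption: both sides are ANDed with the mask, so bits the mask
    ignores never influence the result.
    """
    return (rule_addr & mask) == (packet_addr & mask)


def addresses_covered(mask, width):
    """Number of distinct addresses one rule matches: 2 ** (ignored bits)."""
    return 1 << (width - bin(mask).count("1"))


def audit_rule(rule_addr, mask, width):
    """Return review findings for one address/mask pair."""
    full = (1 << width) - 1
    ignored = ~mask & full
    findings = []
    if mask == 0:
        # No bit is compared: the rule behaves like "Any".
        findings.append("MATCHES_ANY")
    if rule_addr & ignored:
        # The operator typed bits that the mask throws away, which often
        # means a host rule was intended but a range was configured.
        findings.append("ADDRESS_BITS_IGNORED")
    if ignored & (ignored + 1):
        # Ignored bits are not one trailing run. Bitwise matching allows
        # this, but the matched set is scattered and worth a second look.
        findings.append("NON_CONTIGUOUS_MASK")
    return findings


# Constructed sample rules: (name, kind, address, mask)
RULES = [
    ("mgmt-subnet", "ip", "10.1.1.21", "255.255.255.0"),
    ("branch-range", "ip", "168.92.16.0", "255.255.240.0"),
    ("odd-mask", "ip", "10.0.5.0", "255.0.255.0"),
    ("vendor-oui", "mac", "00-11-22-33-44-55", "FF-FF-FF-00-00-00"),
]


def review(rules):
    """Audit every rule and report how many addresses it really covers."""
    report = {}
    for name, kind, addr_text, mask_text in rules:
        parse, width = (parse_ip, 32) if kind == "ip" else (parse_mac, 48)
        addr, mask = parse(addr_text), parse(mask_text)
        report[name] = {
            "covered": addresses_covered(mask, width),
            "findings": audit_rule(addr, mask, width),
        }
    return report


if __name__ == "__main__":
    for name, result in review(RULES).items():
        print(f"{name:13} covers {result['covered']:>9} addresses  {result['findings']}")
```

A rule flagged ADDRESS_BITS_IGNORED still works, but it matches the whole masked range rather than the single address that was typed.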
Access Control Lists Configuring ACL Masks You must specify optional masks that control the order in which ACL rules are checked. The switch includes two system default masks that pass/filter packets matching the permit/deny rules specified in an ingress ACL. You can also configure up to seven user-defined masks for an ingress or egress ACL.
Configuring the Switch CLI – This example creates an IP ingress mask, and then adds two rules. Each rule is checked in order of precedence to look for a match in the ACL entries. The first entry matching a mask is applied to the inbound packet.
Console(config)#access-list ip mask-precedence in 4-117
Console(config-ip-mask-acl)#mask host any...
Access Control Lists Web – Configure the mask to match the required rules in the IP ingress or egress ACLs. Set the mask to check for any source or destination address, a specific host address, or an address range. Include other criteria to search for in the rules, such as a protocol type or one of the service types.
Configuring the Switch Configuring a MAC ACL Mask This mask defines the fields to check in the packet header. Command Usage You must configure a mask for an ACL rule before you can bind it to a port. Command Attributes •...
Access Control Lists CLI – This example shows how to create an Ingress MAC ACL and bind it to a port. You can then see that the order of the rules has been changed by the mask.
Console(config)#access-list mac M4 4-126
Console(config-mac-acl)#permit any any 4-127...
Configuring the Switch Web – Click ACL, ACL Port Binding. Mark the Enable field for the port you want to bind to an ACL for ingress or egress traffic, select the required ACL from the drop-down list, then click Apply. Figure 3-53.
Port Configuration • Flow Control Status – Indicates the type of flow control currently in use. (IEEE 802.3x, Back-Pressure or None) • Autonegotiation – Shows if auto-negotiation is enabled or disabled. • Trunk Member – Shows if port is a trunk member. (Port Information only.) •...
Configuring the Switch - Sym - Transmits and receives pause frames for flow control - FC - Supports flow control • Broadcast storm – Shows if broadcast storm control is enabled or disabled. • Broadcast storm limit – Shows the broadcast storm threshold. (500 - 262143 packets per second) •...
Port Configuration Configuring Interface Connections You can use the Port Configuration or Trunk Configuration page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control. Command Attributes • Name – Allows you to label an interface. (Range: 1-64 characters) •...
Configuring the Switch Web – Click Port, Port Configuration or Trunk Configuration. Modify the required interface settings, and click Apply. Figure 3-55. Configuring Port Attributes CLI – Select the interface, and then enter the required settings.
Console(config)#interface ethernet 1/13
Console(config-if)#description RD SW#13 4-151
Console(config-if)#shutdown 4-156...
Port Configuration trunk. If ports on another device are also configured as LACP, the switch and the other device will negotiate a trunk link between them. If an LACP trunk consists of more than four ports, all other ports will be placed in a standby mode. Should one link in the trunk fail, one of the standby ports will automatically be activated to replace it.
Configuring the Switch Web – Click Port, Trunk Membership. Enter a trunk ID of 1-6 in the Trunk field, select any of the switch ports from the scroll-down port list, and click Add. After you have completed adding ports to the member list, click Apply. Figure 3-56.
Port Configuration Enabling LACP on Selected Ports Command Usage • To avoid creating a loop in the network, be sure you enable LACP before connecting the ports, and also disconnect the ports before disabling LACP. • If the target switch has also enabled LACP on the connected ports, the trunk will be activated...
Configuring the Switch CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk.
Console(config)#interface ethernet 1/1 4-151
Console(config-if)#lacp 4-166
Console(config-if)#exit
Console(config)#interface ethernet 1/6
Console(config-if)#lacp
Console(config-if)#end
Console#show interfaces status port-channel 1...
Port Configuration Command Attributes Set Port Actor – This menu sets the local side of an aggregate link; i.e., the ports on this switch. • Port – Port number. (Range: 1-24) • System Priority – LACP system priority is used to determine link aggregation group (LAG) membership, and to identify this device to other switches during LAG negotiations.
Configuring the Switch Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.
Port Configuration CLI – The following example configures LACP parameters for ports 1-6. Ports 1-4 are used as active members of the LAG; ports 5 and 6 are set to backup mode.
Console(config)#interface ethernet 1/1 4-151
Console(config-if)#lacp actor system-priority 3 4-167
Console(config-if)#lacp actor admin-key 120 4-167...
Configuring the Switch Web – Click Port, LACP, Port Counters Information. Select a member port to display the corresponding information. Figure 3-59. Displaying LACP Port Counters Information CLI – The following example displays LACP counters for port channel 1. Console#show 1 lacp counters 4-170 Channel group : 1 -----------------------------------------------------------------------...
Port Configuration Table 3-8. LACP Settings (Continued) Field Description LACP Port Priority LACP port priority assigned to this interface within the channel group. Admin State, Administrative or operational values of the actor’s state parameters: Oper State • Expired – The actor’s receive machine is in the expired state; •...
Configuring the Switch CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1. Console#show 1 lacp internal 4-170 Channel group : 1 ------------------------------------------------------------------------- Oper Key : 4 Admin Key : 0 Eth 1/1 ------------------------------------------------------------------------- LACPDUs Internal : 30 sec...
Port Configuration Web – Click Port, LACP, Port Neighbors Information. Select a port channel to display the corresponding information. Figure 3-61. Displaying Remote LACP Port Information CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1. Console#show 1 lacp neighbors 4-170 Channel group 1 neighbors...
Configuring the Switch Setting Broadcast Storm Thresholds Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much broadcast traffic on your network, performance can be severely degraded or everything can come to complete halt.
Port Configuration CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 600 packets per second for port 2.
Console(config)#interface ethernet 1/1 4-151
Console(config-if)#no switchport broadcast 4-156
Console(config-if)#exit 4-23...
Configuring the Switch Web – Click Port, Mirror. Specify the source port, the traffic type to be mirrored, and the monitor port, then click Add. Figure 3-63. Configuring a Mirror Port CLI – Use the interface command to select the monitor port, then use the port monitor command to specify the source port.
Port Configuration Command Attribute • Rate Limit – Sets the output rate limit for an interface. Default Status – Disabled Default Rate – 100 Mbps Range – 1 - 1000 Mbps Web - Click Rate Limit, Input/Output Port/Trunk Configuration. Set the Input Rate Limit Status or Output Rate Limit Status, then set the rate limit for the individual interfaces, and click Apply.
Configuring the Switch Statistical Values Table 3-10. Port Statistics Parameter Description Interface Statistics Received Octets The total number of octets received on the interface, including framing characters. Received Unicast Packets The number of subnetwork-unicast packets delivered to a higher-layer protocol. Received Multicast Packets The number of packets, delivered by this sub-layer to a higher (sub-)layer, which were addressed to a multicast address at this sub-layer.
Port Configuration Table 3-10. Port Statistics (Continued) Parameter Description Excessive Collisions A count of frames for which transmission on a particular interface fails due to excessive collisions. This counter does not increment when the interface is operating in full-duplex mode. Single Collision Frames The number of successfully transmitted frames for which transmission is inhibited by exactly one collision.
Configuring the Switch Table 3-10. Port Statistics (Continued) Parameter Description Fragments The total number of frames received that were less than 64 octets in length (excluding framing bits, but including FCS octets) and had either an FCS or alignment error. 64 Bytes Frames The total number of frames (including bad packets) received and transmitted that were 64 octets in length (excluding framing bits but...
Note: A device that sits between two or more CDP domains should set its Authentication Key to the default null value. Web – Select Enterasys, CDP, Global Settings. To enable CDP, set the global status to "Enabled" or "Auto Enabled," then set the Hold Time for retaining neighbor device information and the transmit time for sending CDP packets.
• Trunk – Specifies if a port is a member of a trunk. Web – Select Enterasys, CDP, Port Settings. For any selected port, set the desired CDP action. Click Apply.
• Neighbor Type – References one or more of the Neighbor Types. • Neighbor IP – The IP address of the network device. • Port ID – The port number. Web – Select Enterasys, CDP, Neighbors Information. Figure 3-69. CDP Neighbors Information 3-113...
Configuring the Switch CLI – This example displays CDP port neighbors information. For a description of the output see the tables below. Console#show cdp neighbors 4-76 Capability Codes: igmp(1),rip(2),bgp(3),ospf(4),dvmrp(5),ieee8021q(6), gvrp(7),gmrp(8),igmpSnoop(9) Neighbor types : secureFastSwitch(1), dot1qSwitch(2), router(3), dot1dBridge(4) vlanManager(5), dnsServer(6), dhcpServer(7), dnsDhcpServer(8) Device ID Local Intrface Holdtime Capability Nbr type Nbr IP...
CDP packet, or adding to the neighbor entry, or while trying to send a CDP packet. Web – Select Enterasys, CDP, Traffic Information. Figure 3-70. CDP Traffic Information CLI – This example displays CDP traffic information.
Configuring the Switch Power Over Ethernet Settings The V2H124-24P switch can provide DC power to a wide range of connected devices, eliminating the need for an additional power source and cutting down on the amount of cables attached to each device. Once configured to supply power, an automatic detection process is initialized by the switch that is authenticated by a PoE signature from the connected device.
Power Over Ethernet Settings Web – Click PoE, then Power Status. Figure 3-71. Displaying the Global PoE Status CLI – This example displays the current power status for the V2H124-24P.
Console#show power mainpower 4-83
Unit 1 Mainpower Status
Maximum Available Power : 375 watts
System Operation Status : on
Mainpower Consumption : 0 watts...
Configuring the Switch CLI – Use the power mainpower maximum allocation command to set the PoE power budget for the switch. Console(config)#power mainpower maximum allocation 200 Displaying Port Power status Use the Power Port Status page to display the current PoE power status for all ports. Command Attributes •...
Power Over Ethernet Settings CLI – This example displays the PoE status and the priority of port 1. Console#show power inline status 4-82 Interface Admin Oper Power(mWatt) Power(used) Priority ---------- ------- ---- ------------ ------------ -------- 1/ 1 enable 15400 1/ 2 enable 15400 1/ 3...
Configuring the Switch Web – Click PoE, Power Port Configuration. Enable PoE power on selected ports, set the priority and the power budget, and then click Apply. Figure 3-74. Configuring Port PoE Power CLI – This example sets the PoE power budget for port 1 to 8 watts, the priority to high (2), and then enables the power.
Address Table Settings Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address. Figure 3-75. Mapping Ports to Static Addresses CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.
Configuring the Switch Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., Interface, MAC Address, or VLAN), the method of sorting the displayed addresses, then click Query Figure 3-76. Displaying the MAC Dynamic Address Table CLI – This example also displays the address table entries for port 11. Console#show mac-address-table ethernet 1/11 4-176 Interface...
Spanning Tree Algorithm Configuration Web – Click Address Table, Address Aging. Specify the new aging time, and click Apply. Figure 3-77. Setting the Aging Time CLI – This example sets the aging time to 300 seconds.
Console(config)#mac-address-table aging-time 300 4-177
Console(config)#end
Console#show mac-address-table aging-time 4-177
Aging time: 300 sec.
Configuring the Switch Figure 3-78. Spanning Tree BPDUs (labels: Designated Root, Root Port, Designated Port, Designated Bridge) Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down.
Spanning Tree Algorithm Configuration • Max Age – The maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN.
Configuring the Switch • Root Maximum Age – The maximum time (in seconds) this device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. If the root port ages out STA information (provided in the last configuration message), a new root port is selected from among the device ports attached to the network.
Spanning Tree Algorithm Configuration CLI – This command displays global STA settings, followed by settings for each port. Console#show spanning-tree 4-196 Spanning-tree information --------------------------------------------------------------- Spanning tree mode :MSTP Spanning tree enable/disable :enable Instance Vlans configuration :1-4094 Priority :32768 Bridge Hello Time (sec.) Bridge Max Age (sec.) Bridge Forward Delay (sec.) Root Hello Time (sec.)
Configuring the Switch • Multiple Spanning Tree Protocol - To allow multiple spanning trees to operate over the network, you must configure a related set of bridges with the same MSTP configuration, allowing them to participate in a specific set of spanning tree instances. - A spanning tree instance can exist only on bridges that have compatible VLAN instance assignments.
Spanning Tree Algorithm Configuration • Forward Delay – The maximum time (in seconds) this device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
Configuring the Switch Web – Click Spanning Tree, STA Configuration. Modify the required attributes, and click Apply. Figure 3-80. Configuring the Spanning Tree Algorithm 3-130...
Spanning Tree Algorithm Configuration CLI – This example enables Spanning Tree Protocol, sets the mode to MST, and then configures the STA and MSTP parameters.
Console(config)#spanning-tree 4-179
Console(config)#spanning-tree mode mst 4-179
Console(config)#spanning-tree priority 40000 4-183
Console(config)#spanning-tree hello-time 5 4-181
Console(config)#spanning-tree max-age 38 4-182
Console(config)#spanning-tree forward-time 20 4-181...
Configuring the Switch • Oper Link Type – The operational point-to-point status of the LAN segment attached to this interface. This parameter is determined by manual configuration or by auto-detection, as described for Admin Link Type in STA Port Configuration on page 4-178.
Spanning Tree Algorithm Configuration These additional parameters are only displayed for the CLI: • Admin status – Shows if this interface is enabled. • External path cost – The path cost for the IST. This parameter is used by the STA to determine the best path between devices.
Configuring the Switch Web – Click Spanning Tree, STA Port Information or STA Trunk Information. Figure 3-82. Displaying STA - Port Status Information CLI – This example shows general STA configuration and attributes for all ports. Console#show spanning-tree ethernet 1/5 4-196 1/ 5 information --------------------------------------------------------------...
Spanning Tree Algorithm Configuration Configuring Interface Settings You can configure RSTP and MSTP attributes for specific interfaces, including port priority, path cost, link type, and edge port. You may use a different priority or path cost for ports of the same media type to indicate the preferred path, link type to indicate a point-to-point connection or shared-media connection, and edge port to indicate if the attached device can support fast forwarding.
Configuring the Switch • Admin Link Type – The link type attached to this interface. • Point-to-Point – A connection to exactly one other bridge. • Shared – A connection to two or more bridges. • Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared media.
Spanning Tree Algorithm Configuration Configuring Multiple Spanning Trees MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
Configuring the Switch Web – Click Spanning Tree, MSTP, VLAN Configuration. Select an instance identifier from the list, set the instance priority, and click Apply. To add the VLAN members to an MSTI instance, enter the instance identifier, the VLAN identifier, and click Add.
Spanning Tree Algorithm Configuration CLI – This displays STA settings for instance 1, followed by settings for each port. Console#show spanning-tree mst 2 4-198 Spanning-tree information --------------------------------------------------------------- Spanning tree mode :MSTP Spanning tree enable/disable :enable Instance Vlans configuration Priority :4096 Bridge Hello Time (sec.) Bridge Max Age (sec.) Bridge Forward Delay (sec.)
Configuring the Switch Displaying Interface Settings for MSTP The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance. Field Attributes • MST Instance ID – Instance identifier to configure. (Range: 0-57; Default: 0) The other attributes are described under “Displaying Interface Settings,”...
Spanning Tree Algorithm Configuration CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST (page 3-140), the settings for other instances only apply to the local spanning tree. Console#show spanning-tree mst 0 4-196 Spanning-tree information...
Configuring the Switch Configuring Interface Settings for MSTP You can configure the STA interface settings for an MST Instance using the MSTP Port Configuration and MSTP Trunk Configuration pages. Field Attributes The following attributes are read-only and cannot be changed: •...
Spanning Tree Algorithm Configuration Web – Click Spanning Tree, MSTP, Port Configuration or Trunk Configuration. Enter the priority and path cost for an interface, and click Apply. Figure 3-86. MSTP Port Configuration CLI – This example sets the MSTP attributes for port 4. Console(config)#interface ethernet 1/4 4-151 Console(config-if)#spanning-tree mst port-priority 0...
Configuring the Switch VLAN Configuration IEEE 802.1Q VLANs In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains. This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains. VLANs confine broadcast traffic to the originating group, and can eliminate broadcast storms in large networks.
VLAN Configuration Note: VLAN-tagged frames can pass through VLAN-aware or VLAN-unaware network interconnection devices, but the VLAN tags should be stripped off before passing them on to any end-node host that does not support VLAN tagging. [Figure: tagged and untagged frames; VA: VLAN Aware, VU: VLAN Unaware]
Configuring the Switch message arrives at another switch that supports GVRP, it will also place the receiving port in the specified VLANs, and pass the message on to all other ports. VLAN requirements are propagated in this way throughout the network. This allows GVRP-compliant devices to be automatically configured for VLAN groups based solely on endstation requests.
VLAN Configuration Enabling or Disabling GVRP (Global Setting) GARP VLAN Registration Protocol (GVRP) defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. VLANs are dynamically configured based on join messages issued by host devices and propagated throughout the network.
Configuring the Switch CLI – Enter the following command. Console#show bridge-ext 4-208 Max support VLAN numbers: Max support VLAN ID: 4093 Extended multicast filtering services: No Static entry individual port: VLAN learning: Configurable PVID tagging: Local VLAN capable: Traffic classes: Enabled Global GVRP status: Enabled...
VLAN Configuration Command Attributes (CLI) • VLAN – ID of configured VLAN (1-4094, no leading zeroes). • Type – Shows how this VLAN was added to the switch. - Dynamic: Automatically learned via GVRP. - Static: Added as a static entry. •...
Configuring the Switch Web – Click VLAN, 802.1Q VLAN, VLAN Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add. Figure 3-90. VLAN Static List - Creating Virtual LANs CLI –...
VLAN Configuration Command Attributes • VLAN – ID of configured VLAN (1-4094, no leading zeroes). • Name – Name of the VLAN (1 to 32 characters). • Status – Enables or disables the specified VLAN. - Enable: VLAN is operational. - Disable: VLAN is suspended;...
Configuring the Switch Web – Click VLAN, 802.1Q VLAN, VLAN Static Table. Select a VLAN ID from the scroll-down list. Modify the VLAN name and status if required. Select the membership type by marking the appropriate radio button in the list of ports or trunks.
VLAN Configuration Figure 3-92. VLAN Static Membership CLI – This example adds Port 3 to VLAN 1 as a tagged port, and removes Port 3 from VLAN 2.
Console(config)#interface ethernet 1/3
Console(config-if)#switchport allowed vlan add 1 tagged 4-204
Console(config-if)#switchport allowed vlan remove 2
Configuring VLAN Behavior for Interfaces You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP...
Configuring the Switch • Ingress Filtering – If ingress filtering is enabled, incoming frames for VLANs which do not include this ingress port in their member set will be discarded at the ingress port. (Default: Disabled) - Ingress filtering only affects tagged frames. - If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).
VLAN Configuration Web – Click VLAN, 802.1Q VLAN, VLAN Port Configuration or VLAN Trunk Configuration. Fill in the required settings for each interface, click Apply. Figure 3-93. Configuring VLAN Ports CLI – This example sets port 1 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid.
Configuring the Switch Class of Service Configuration Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
Class of Service Configuration CLI – This example assigns a default priority of 5 to port 3. Console(config)#interface ethernet 1/3 Console(config-if)#switchport priority default 5 4-212 Console(config-if)#end Console#show interfaces switchport ethernet 1/12 4-160 Information of Eth 1/12 Broadcast threshold: Enabled, 500 packets/second LACP status: Disabled Ingress rate limit:...
Configuring the Switch Command Attributes • Priority – CoS value. (Range: 0-7, where 7 is the highest priority) • Traffic Class* – Output queue buffer. (Range: 0-3, where 3 is the highest CoS priority queue) CLI shows Queue ID. Web* – Click Priority, Traffic Classes. Mark an interface and click Select to display the current mapping of CoS values to output queues.
Class of Service Configuration Selecting the Queue Mode You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue.
Configuring the Switch Web – Click Priority, Queue Scheduling. Select a traffic class (i.e., output queue), enter a weight, then click Apply. Figure 3-97. Configuring Class of Service for Each Ingress Queue CLI – The following example shows how to assign WRR weights of 1, 4, 16 and 64 to the CoS priority queues 0, 1, 2 and 3.
Class of Service Configuration Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values This switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet or the number of the TCP port.
Configuring the Switch Mapping IP Precedence The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic. The default IP Precedence values are mapped one-to-one to Class of Service values (i.e., Precedence value 0 maps to CoS value 0, and so forth).
Class of Service Configuration CLI* – The following example globally enables IP Precedence service on the switch, maps IP Precedence value 1 to CoS value 0 on port 5, and then displays all the IP Precedence settings. Console(config)#map ip precedence 4-218 Console(config)#interface ethernet 1/5 Console(config-if)#map ip precedence 1 cos 0...
Configuring the Switch Command Attributes • DSCP Priority Table – Shows the DSCP Priority to CoS map. • Class of Service Value – Maps a CoS value to the selected DSCP Priority value. Note that “0” represents low priority and “7” represents high priority. Note: IP DSCP settings apply to all interfaces.
Class of Service Configuration Mapping IP Port Priority You can also map network applications to Class of Service values based on the IP port number (i.e., TCP/UDP port number) in the frame header. Some of the more common TCP service ports include: HTTP: 80, FTP: 21, Telnet: 23 and POP3: 110. Command Attributes •...
Configuring the Switch CLI* – The following example globally enables IP Port Priority service on the switch, maps HTTP traffic on port 5 to CoS value 0, and then displays all the IP Port Priority settings for that port. Console(config)#map ip port 4-217 Console(config)#interface ethernet 1/5 Console(config-if)#map ip port 80 cos 0...
Class of Service Configuration Web – Click Priority, Copy Settings. Select the source priority settings to be copied, enter the source port or trunk number and choose the destination interface/s to copy to, then select Copy Settings. Figure 3-103. Mapping Priority Settings to Ports/Trunks CLI –...
Configuring the Switch Mapping CoS Values to ACLs Use the ACL CoS Mapping page to set the output queue for packets matching an ACL rule as shown in the following table. Note that the specified CoS value is only used to map the matching packet to an output queue; it is not written to the packet itself.
Class of Service Configuration Changing Priorities Based on ACL Rules You can change traffic priorities for frames matching the defined ACL rule. (This feature is commonly referred to as ACL packet marking.) This switch can change the IEEE 802.1p priority, IP Precedence, or DSCP Priority of IP frames; or change the IEEE 802.1p priority of Layer 2 frames.
Configuring the Switch Web – Click Priority, ACL Marker. Select a port and an ACL rule. To specify a ToS priority, mark the Precedence/DSCP check box, select Precedence or DSCP from the scroll-down box, and enter a priority. To specify an 802.1p priority, mark the 802.1p Priority check box, and enter a priority.
Multicast Filtering Multicast Filtering Multicasting is used to support real-time applications such as video conferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router.
Configuring the Switch IGMP Query (Layer 2 or 3) – IGMP Query can only be enabled globally at Layer 2, but can be enabled for individual VLAN interfaces at Layer 3 (page 3-149). However, note that Layer 2 query is disabled if Layer 3 query is enabled. Configuring IGMP Snooping and Query Parameters You can configure the switch to forward multicast traffic intelligently.
Multicast Filtering Notes: 1. All systems on the subnet must support the same version. 2. Some attributes are only enabled for IGMPv2, including IGMP Report Delay and IGMP Query Timeout. Web – Click IGMP, IGMP Configuration. Adjust the IGMP settings as required, and then click Apply.
Configuring the Switch Displaying Interfaces Attached to a Multicast Router Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol such as DVMRP, to support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch.
Multicast Filtering Specifying Interfaces Attached to a Multicast Router Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/ switch connected over the network to an interface (port or trunk) on your switch, you can manually configure that interface to join all the current multicast groups.
Configuring the Switch Displaying Port Members of Multicast Services You can display the port members associated with a specified VLAN and multicast IP address. Command Attribute • VLAN ID – Selects the VLAN in which to display port members. • Multicast IP Address – The IP address for a specific multicast service •...
Multicast Filtering Assigning Ports to Multicast Services Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages as described in “Layer 2 IGMP (Snooping and Query)” on page 3-171. For certain applications that require tighter control, you may need to statically configure a multicast service on the switch.
Configuring the Switch CLI – This example assigns a multicast address to VLAN 1, and then displays all the known multicast services supported on VLAN 1. Console(config)#ip igmp snooping vlan 1 static 224.0.0.12 ethernet 1/12 4-225 Console(config)#exit Console#show mac-address-table multicast vlan 1 4-227 VLAN M'cast IP addr.
Configuring Domain Name Service • Domain Name List* – Defines a list of domain names that can be appended to incomplete host names. (Range: 1-64 alphanumeric characters. 1-5 names) • Name Server List – Specifies the address of one or more domain name servers to use for name-to-address resolution.
Configuring the Switch CLI - This example sets a default domain name and a domain list. However, remember that if a domain list is specified, the default domain name is not used.
Console(config)#ip domain-name sample.com    4-240
Console(config)#ip domain-list sample.com.uk    4-241
Console(config)#ip domain-list sample.com.jp
Console(config)#ip name-server 192.168.1.55 10.1.0.55    4-242
...
Configuring Domain Name Service Web – Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply. Figure 3-112. Mapping IP Addresses to a Host Name CLI - This example maps two addresses to a host name, and then configures an alias host name for the same addresses.
Configuring the Switch Displaying the DNS Cache You can display entries in the DNS cache that have been learned via the designated name servers. Field Attributes • No – The entry number for each resource record. • Flag – The flag is always “4” indicating a cache entry and therefore unreliable. •...
Configuring Domain Name Service CLI - This example displays all the resource records learned from the designated name servers. Console#show dns cache 4-245 FLAG TYPE DOMAIN CNAME 207.46.134.222 www.microsoft.akadns.net CNAME 207.46.134.190 www.microsoft.akadns.net CNAME 207.46.134.155 www.microsoft.akadns.net CNAME 207.46.249.222 www.microsoft.akadns.net CNAME 207.46.249.27 www.microsoft.akadns.net ALIAS POINTER TO:4...
Chapter 4: Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Using the Command Line Interface Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt.
Command Line Interface To access the switch through a Telnet session, you must first set the IP address for the switch, and set the default gateway if you are managing the switch from a different IP subnet. For example,
Console(config)#interface vlan 1
Console(config-if)#ip address 10.1.0.1 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 10.1.0.254
...
Entering Commands Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
Command Line Interface display a list of valid keywords for a specific command. For example, the command “show ?” displays a list of possible show commands: Console#show ? access-group Access groups access-list Access lists accounting Accounting information bridge-ext Bridge extension information calendar Date and time information Ctron Discovery Protocol (CDP)
Entering Commands Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.” Console#show s? snmp sntp...
Command Line Interface Exec Commands When you open a new console session on the switch with the user name and password “guest,” the system enters the Normal Exec command mode (or guest mode), displaying the “Console>” command prompt. Only a limited number of the commands are available in this mode.
Entering Commands To enter the Global Configuration mode, enter the command configure in Privileged Exec mode. The system prompt will change to “Console(config)#” which gives you access privilege to all Global Configuration commands. Console#configure Console(config)# To enter the other modes, at the configuration prompt type one of the following commands.
Command Line Interface Table 4-3. Keystroke Commands (Continued) Keystroke Function Ctrl-F Shifts cursor to the right one character. Ctrl-K Deletes all characters from the cursor to the end of the line. Ctrl-L Repeats current command line on a new line. Ctrl-N Enters the next command line in the history buffer.
Line Commands Table 4-4. Command Group Index (Continued) Command Group Description Page Rate Limiting Controls the maximum rate for traffic transmitted or received on a port 4-163 Link Aggregation Statically groups multiple ports into a single logical trunk; configures 4-164 Link Aggregation Control Protocol for port trunks Address Table Configures the address table for filtering specified addresses,...
Command Line Interface Table 4-5. Line Command Syntax (Continued) Command Function Mode Page silent-time* Sets the amount of time the management console is inaccessible 4-15 after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command databits* Sets the number of data bits per character that are interpreted and 4-15...
Line Commands login Use this command to enable password checking at login. Use the no form to disable password checking and allow connections without a password. Syntax login [local] no login local - Selects local password checking. Authentication is based on the user name specified with the username command.
Command Line Interface password Use this command to specify the password for a line. Use the no form to remove the password. Syntax password {0 | 7} password no password • {0 | 7} - 0 means plain password, 7 means encrypted password - password - Character string that specifies the line password.
Line Commands timeout login response Use this command to set the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting. Syntax timeout login response [seconds] no timeout login response seconds - Integer that specifies the number of seconds.
Command Line Interface Command Usage • If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated. • This command applies to both the local console and Telnet connections. • The timeout for Telnet cannot be disabled. •...
Line Commands silent-time Use this command to set the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value.
Command Line Interface Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
Line Commands speed Use this command to set the terminal line's baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting. Syntax speed bps no speed bps - Baud rate in bits per second.
Command Line Interface Example To specify 2 stop bits, enter this command: Console(config-line)#stopbits 2 Console(config-line)# disconnect This command terminates an SSH, Telnet, or console connection. Syntax disconnect session-id session-id – The session identifier for an SSH, Telnet or console connection. (Range: 0-4) Command Mode Privileged Exec Command Usage...
General Commands Example To show all lines, enter this command: Console#show line Console configuration: Password threshold: 5 times Interactive timeout: Disabled Login timeout: Disabled Silent time: Baudrate: auto Databits: Parity: none Stopbits: VTY configuration: Password threshold: 3 times Interactive timeout: 600 sec Login timeout: 300 sec Console# General Commands...
Command Line Interface Default Setting Level 15 Command Mode Normal Exec Command Usage • “super” is the default password required to change the command mode from Normal Exec to Privileged Exec. (To set this password, see the enable password command on page 4-27.) •...
General Commands configure Use this command to activate Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, VLAN Database Configuration and Multiple Spanning Tree Configuration.
Command Line Interface The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the configuration modes.
General Commands exit Use this command to return to the previous configuration mode or exit the configuration program. Default Setting None Command Mode Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session...
Command Line Interface System Management Commands These commands are used to control system logs, passwords, user names, browser configuration options, and display or configure a variety of other system information. Table 4-7. System Management Commands Command Group Function Page Device Designation Configures information that uniquely identifies this switch 4-24 User Access...
None Command Mode Global Configuration Example Console(config)#hostname Enterasys Matrix-V Series Console(config)# User Access Commands The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 4-9), user authentication via a remote authentication server (page 4-137), and host access authentication for specific ports (page 4-99).
Command Line Interface username Use this command to add named users, require authentication at login, specify or change a user's password (or specify that no password is required), or specify or change a user's access level. Use the no form to remove a user name. Syntax username name {access-level level | nopassword | password {0 | 7} password}...
System Management Commands enable password After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. Use this command to control access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
Command Line Interface IP Filter Commands Table 4-10. IP Filter Commands Command Function Mode Page management Configures IP addresses that are allowed management access GC 4-28 show management Displays the switch to be monitored or configured from a 4-29 browser management This command specifies the client IP addresses that are allowed management access to the switch through various protocols.
System Management Commands Example This example restricts management access to the indicated addresses.
Console(config)#management all-client 192.168.1.19
Console(config)#management all-client 192.168.1.25 192.168.1.30
Console#
show management This command displays the client IP addresses that are allowed management access to the switch through various protocols. Syntax show management {all-client | http-client | snmp-client | telnet-client} •...
Command Line Interface Web Server Commands Table 4-11. Web Server Commands Command Function Mode Page ip http port Specifies the port to be used by the web browser interface 4-30 ip http server Allows the switch to be monitored or configured from a browser GC 4-30 ip http secure-server Enables HTTPS/SSL for encrypted communications...
System Management Commands Example Console(config)#ip http server Console(config)# Related Commands ip http port (4-30) ip http secure-server This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the no form to disable this function. Syntax [no] ip http secure-server Default Setting...
Command Line Interface • To specify a secure-site certificate, see “Replacing the Default Secure-site Certificate” on page 3-58. Also refer to the copy command on page 4-66. Example Console(config)#ip http secure-server Console(config)# Related Commands ip http secure-port (4-32) copy tftp https-certificate (4-66) ip http secure-port This command specifies the UDP port number used for HTTPS/SSL connection to the switch’s web interface.
System Management Commands Telnet Server Commands Table 4-12. Telnet Server Commands Command Function Mode Page ip telnet port Specifies the port to be used by the Telnet interface 4-33 ip telnet server Allows the switch to be monitored or configured from Telnet 4-33 ip telnet port This command specifies the TCP port number used by the Telnet interface.
Command Line Interface Example Console(config)#ip telnet server Console(config)# Related Commands ip telnet port (4-33) Secure Shell Commands The Berkeley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
System Management Commands Table 4-13. Secure Shell Commands (Continued) Command Function Mode Page show public-key Shows the public key for the specified user or for the host 4-42 show users Shows SSH users, including privilege level and public key type PE 4-43 The SSH server on this switch supports both password and public key authentication.
Command Line Interface Enable SSH Service – Use the ip ssh server command to enable the SSH server on the switch. Configure Challenge-Response Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method.
System Management Commands Example Console(config)#ip ssh server Console(config)# Related Commands show ssh (4-41) ip ssh timeout Use this command to configure the timeout for the SSH server. Use the no form to restore the default setting. Syntax ip ssh timeout seconds no ip ssh timeout seconds –...
Command Line Interface Default Setting Command Mode Global Configuration Example
Console(config)#ip ssh authentication-retries 2
Console(config)#
Related Commands show ip ssh (4-40) ip ssh server-key size Use this command to set the SSH server key size. Use the no form to restore the default setting.
System Management Commands Default Setting Deletes both the DSA and RSA key. Command Mode Privileged Exec Example Console#delete public-key admin dsa Console# ip ssh crypto host-key generate Use this command to generate the host key pair (i.e., public and private). Syntax ip ssh crypto host-key generate [dsa | rsa] •...
Command Line Interface Default Setting Clears both the DSA and RSA key. Command Mode Privileged Exec Command Usage • This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory. •...
System Management Commands Example
Console#show ip ssh
SSH Enabled - version 2.0
Negotiation timeout: 120 secs; Authentication retries: 3
Server key size: 768 bits
Console#
show ssh Use this command to display the current Secure Shell (SSH) server connections. Command Mode Privileged Exec Example Console#show ssh...
Command Line Interface Table 4-14. SSH Information (Continued) Encryption The encryption method is automatically negotiated between the client and server. Options for SSHv1.5 include: DES, 3DES Options for SSHv2.0 can include different algorithms for the client-to-server (ctos) and server-to-client (stoc): aes128-cbc-hmac-sha1 aes192-cbc-hmac-sha1 aes256-cbc-hmac-sha1...
System Management Commands Example Console#show public-key host Host: RSA: 1024 65537 15168894316079916307282441664563830753246889717995496953568303 6561991702376593528126088648692030912083830884268586191335105603631502289 3420676417361074463395913920603532487496642092968281121267054673939045686 5991045870701842501620430497248248649090881781527169860657481574636762465 2720825995018769351534686677 DSA: ssh-dss AAAAB3NzaC1kc3MAAACBAIZERDhRGM9jKjcjVzgGtlZgHT8QF8NtAA+P0nXMtRGc meEAgL0rD37v44dma5cHesl+4tuJ0Nu8BcwxjwMjeCiLXIfb5c4ymD+0eJH64AVP5lhzy4OWp UlNekLLft3mFP+E+Y5sm/RmW9xFP88lsJbsNlIS91LGTnmDuuuwsPslAAAAFQD2g/G3uer1P/ d993/9RfGtpnhVGQAAAIATfiinuujSoaK5fQ0SG5tMtjyzgkC619ekEZwvib+KPG+eJ0EMqe UQqlEi4SOtvF2b90G8RIVSmOIWmUAoO9gVshrZUJmLyE6RIfZsEOl6HEVL4pbgs3BzZXoqmM3 jwj7F/2+pk8Jl3QNfTH2QjdzSF6RK5r8RkETU67NCMMNwAAAIAT9lLW2TbhPOH3uU2qmsv +Jrlr 40VKRrrlG+wqd5kUdR2UL9V+n1SHSrrv4ZsF6KNqho5y6nixDW2qKXSsVRIAESSJK Udno \t3NnLCflQ/pBottKA96VKQ1/DpYs+AuJUbS5kLtgMi/6n2D61AIcHhFzcxb2LxeDHWI 0zhqQUHnZQ== Console# show users Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client.
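An added example, not taken from the Enterasys guide: an offline audit of a saved configuration against the management, Telnet, web server and SSH commands described above. Both configurations are constructed samples; it is assumed that the saved configuration lists these commands as typed at the CLI with `no <command>` for the negated form, and the `MAX_RANGE` limit and finding names are hypothetical.

```python
import ipaddress
import re

# Constructed sample input, not captured from a device. Assumption: the saved
# configuration lists these commands exactly as they are typed at the CLI.
SAMPLE_CONFIG = """\
hostname access-sw-1
ip telnet server
ip http server
no ip http secure-server
management http-client 192.168.1.19
management telnet-client 192.168.1.25 192.168.1.30
management snmp-client 10.0.0.1 10.0.255.254
"""

# Constructed counterpart with cleartext services off and a narrow filter.
HARDENED_CONFIG = """\
no ip telnet server
no ip http server
ip http secure-server
ip ssh server
management all-client 192.168.1.19
management all-client 192.168.1.25 192.168.1.30
"""

CLEARTEXT = ("ip telnet server", "ip http server")
ENCRYPTED = ("ip http secure-server", "ip ssh server")
CLIENT_TYPES = ("http-client", "snmp-client", "telnet-client")
MGMT_RE = re.compile(
    r"^management (all-client|http-client|snmp-client|telnet-client)"
    r" (\S+)(?: (\S+))?$")
MAX_RANGE = 256  # hypothetical local policy: largest allowed client range


def parse_config(text):
    """Return (service state, management filter entries, unparsable lines)."""
    state = {name: None for name in CLEARTEXT + ENCRYPTED}  # None = not set
    filters, bad_lines = [], []
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse whitespace
        negated = line.startswith("no ")
        body = line[3:] if negated else line
        if body in state:
            state[body] = not negated  # the last occurrence wins
            continue
        match = MGMT_RE.match(line)  # "no management ..." lines are ignored
        if match:
            try:
                start = ipaddress.IPv4Address(match.group(2))
                end = ipaddress.IPv4Address(match.group(3) or match.group(2))
            except ValueError:
                bad_lines.append(line)
                continue
            filters.append((match.group(1), start, end))
    return state, filters, bad_lines


def audit(text):
    """Return a list of (code, detail) findings for one configuration."""
    state, filters, bad_lines = parse_config(text)
    findings = []
    for name in CLEARTEXT:
        if state[name] is True:
            findings.append(("CLEARTEXT_ENABLED", name))
    for name in ENCRYPTED:
        if state[name] is False:
            findings.append(("ENCRYPTED_DISABLED", name))
    for name, value in state.items():
        if value is None:
            # Not present in the file: the device default applies, so the
            # reviewer has to confirm it on the switch itself.
            findings.append(("UNSET", name))
    covered = {client for client, _, _ in filters}
    if "all-client" not in covered:
        for client in CLIENT_TYPES:
            if client not in covered:
                findings.append(("NO_MGMT_FILTER", client))
    for client, start, end in filters:
        size = int(end) - int(start) + 1
        if size < 1:
            findings.append(("BAD_MGMT_RANGE", f"{client} {start} {end}"))
        elif size > MAX_RANGE:
            findings.append(("WIDE_MGMT_RANGE", f"{client} {start} {end}"))
    for line in bad_lines:
        findings.append(("BAD_MGMT_ADDRESS", line))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code:20} {detail}")
```
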
Command Line Interface Event Logging Commands Table 4-15. Event Logging Commands Command Function Mode Page logging on Controls logging of error messages 4-44 logging history Limits syslog messages saved to switch memory based on 4-45 severity logging host Adds a syslog server host IP address that will receive logging 4-46 messages logging facility...
System Management Commands logging history Use this command to limit syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax logging history {flash | ram} level no logging history {flash | ram} •...
Command Line Interface logging host This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. Syntax [no] logging host host_ip_address host_ip_address - The IP address of a syslog server. Default Setting None Command Mode...
System Management Commands logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
Command Line Interface Related Commands show logging (4-49) show log This command displays the system and event messages stored in memory. Syntax show log {flash | ram} • flash - Event history stored in flash memory (i.e., permanent memory). • ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
System Management Commands show logging This command displays the logging configuration. Syntax show logging {flash | ram | trap} • flash - Event history stored in flash memory (i.e., permanent memory). • ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
Command Line Interface Table 4-18. Remote Logging Field Description Syslog logging Shows if system logging has been enabled via the logging on command. REMOTELOG status Shows if remote logging has been enabled via the logging trap command. REMOTELOG The facility type for remote logging of syslog messages as specified in the logging facility type facility command.
System Management Commands Command Usage • You can specify up to three SMTP servers for event handling. However, you must enter a separate command to specify each server. • To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.
Example This example will send email alerts for system errors from level 3 through 0. Console(config)#logging sendmail source-email anyone@enterasys.com Console(config)# logging sendmail destination-email This command specifies the email recipients of alert messages. Use the no form to remove a recipient.
Command Line Interface Time Commands The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
System Management Commands Example
Console(config)#sntp server 10.1.0.19
Console(config)#sntp poll 60
Console(config)#sntp client
Console(config)#end
Console#show sntp
Current time: June 23 02:52:44 2004
Poll interval: 60
Current mode: unicast
Console#
Related Commands sntp server (4-55) sntp poll (4-56) show sntp (4-56) sntp server This command sets the IP address of the servers to which SNTP time requests are issued.
Command Line Interface sntp poll This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default. Syntax sntp poll seconds no sntp poll seconds - Interval between time requests. (Range: 16-16384 seconds) Default Setting 16 seconds Command Mode...
System Management Commands clock timezone This command sets the time zone for the switch’s internal clock. Syntax clock timezone name hour hours minute minutes {before-utc | after-utc} • name - Name of timezone, usually an acronym. (Range: 1-29 characters) • hours - Number of hours before/after UTC. (Range: 1-12 hours) •...
Command Line Interface calendar set This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server. Note that a switch does not provide a Real Time Clock and manual settings of the clock do not persist over system restarts.
System Management Commands System Status Commands Table 4-21. System Status Commands Command Function Mode Page light unit Displays the unit ID of a switch using its front-panel LED NE, PE 4-59 indicators show startup-config Displays the contents of the configuration file (stored in flash 4-59 memory) that is used to start up the system show running-config...
Command Line Interface Command Usage • Use this command in conjunction with the show running-config command to compare the information in running memory to the information stored in non-volatile memory. • This command displays settings for key command modes. Each mode group is separated by “!”...
System Management Commands Related Commands show running-config (4-61) show running-config Use this command to display the configuration information currently in use. Default Setting None Command Mode Privileged Exec Command Usage • Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
• The POST results should all display “PASS.” If any POST test indicates “FAIL,” contact your distributor for assistance. Example This example displays system information for the V2H124-24P. Console#show system System description: Enterasys Networks, Inc. V2H124-24; SW version: V2.5.2.1 System OID string: 1.3.6.1.4.1.5624.2.1.62 System information System Up time: 0 days, 1 hours, 34 minutes, and 7.77 seconds...
System Management Commands Frame Size Commands Table 4-1 Frame Size Commands Command Function Mode Page system mtu Sets the maximum transfer unit 4-65 system mtu This command sets the maximum transfer unit for traffic crossing the switch. Use the no form to restore the default setting. Syntax system mtu size no system mtu...
Command Line Interface Flash/File Commands These commands are used to manage the system code or configuration files. Table 4-22. Flash/File Commands Command Function Mode Page copy Copies a code image or a switch configuration to or from 4-66 flash memory or a TFTP server delete Deletes a file or code image 4-69...
Flash/File Commands Default Setting None Command Mode Privileged Exec Command Usage • The system prompts for data required to complete the copy command. • The destination file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch.
The following example shows how to copy the running configuration to a startup file.

Console#copy running-config file
destination file name : startup
Write to FLASH Programming.
\Write to FLASH finish.
Success.

Console#

The following example shows how to download a configuration file:

Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.01...
Flash/File Commands This example shows how to download a PoE controller file from a TFTP server. Console#copy tftp file TFTP server IP address: 10.3.4.50 Choose file type: 1. config: 2. opcode 3. PD_Controller: <1-3>: 3 Source file name: 7012_007.s19 Destination file name: P-test Write to FLASH Programming.
Command Line Interface Related Commands dir (4-70) delete public-key (4-38) Use this command to display a list of files in flash memory. Syntax dir [boot-rom | config | opcode [:filename]] The type of file or image to display includes: • boot-rom - Boot ROM (or diagnostic) image file •...
Flash/File Commands whichboot Use this command to display which files were booted when the system powered up. Default Setting None Command Mode Privileged Exec Example This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
Example

Console(config)#boot system config: startup
Console(config)#

Related Commands
dir (4-70)
whichboot (4-71)

Cabletron Discovery Protocol (CDP)

The Cabletron Discovery Protocol (CDP) enables a switch to discover the topology of other CDP-aware devices in the network. The protocol allows each switch to determine if other CDP-aware switches are adjacent to it.
Cabletron Discovery Protocol (CDP) Command Mode Global Configuration Command Usage • A CDP domain is a logical grouping of devices that exchange CDP packets. If the switch receives a CDP packet with a different Authentication Key, the CDP packet is discarded. If the Authentication Key is left at the default value (null), the switch processes all CDP packets received.
Command Line Interface cdp timer Use this command to set the frequency with which the switch transmits a CDP packet on all enabled ports. Use the no form to restore the default setting. Syntax cdp timer seconds no cdp timer seconds - The time between CDP packet transmissions.
Cabletron Discovery Protocol (CDP) • When the global CDP setting is disabled, the switch does not send CDP packets from any port, regardless of the port CDP setting. Any CDP packets received are flooded to all other ports. Example This example sets the switch to CDP Auto-enable mode. Console(config)#cdp auto-run Console(config)# cdp (Interface Configuration)
Command Line Interface show cdp Use this command to display global CDP settings. Command Mode Privileged Executive Example Console#sh cdp Global CDP information: Sending CDP packets every 60 seconds Sending a holdtime value of 180 seconds Sending CDPvX advertisements is auto enabled Console# show cdp interface Use this command to display CDP interface settings.
Cabletron Discovery Protocol (CDP) Example This example shows how to display information on CDP aware devices connected to the network. The ‘Capability Codes’ referenced in the Capability column describe the specific capabilities of the connected devices (see Table 3-20 on page 4-77.) Similarly the ‘Neighbor types’...
Command Line Interface Table 4-26. Show CDP Neighbors Output - Neighbor Types (Continued) Field Number Description Type dnsServer The connected device runs a Domain Name System server. dhcpServer The connected device runs Dynamic Host Configuration Protocol server. dnsDhcpServer The connected device runs a DNS server and a DHCP server. show cdp traffic Use this command to display CDP traffic statistics.
Power over Ethernet Commands Power over Ethernet Commands The commands in this group control the power that can be delivered to attached PoE devices through the V2H124-24P switch ports. The switch’s power management enables total switch power and individual port power to be controlled within a configured power budget.
Command Line Interface • If the power demand from devices connected to the switch exceeds the power budget setting, the switch uses port power priority settings to limit the supplied power. Example Console(config)#power mainpower maximum allocation 300 Console(config)# Related Commands power inline priority (4-81) power inline Use this command to turn power on for a specific port or force a port into test mode.
Power over Ethernet Commands power inline maximum allocation Use this command to limit the power allocated to specific ports. Use the no form to restore the default setting. Syntax power inline maximum allocation [milliwatts] no power inline maximum allocation milliwatts - The maximum power budget for the port. (Range: 3000 - 15400 milliwatts).
Command Line Interface Command Usage • If the power demand from devices connected to the V2H124-24P exceeds the power budget setting, the switch uses port power priority settings to control the supplied power. For example: - A device connected to a low-priority port that causes the switch to exceed its budget is not supplied power.
Power over Ethernet Commands • Priority – The port’s power priority setting (configurable, see power inline priority 4-81.) Example Console#show power inline status Interface Admin Oper Power(mWatt) Power(used) Priority ---------- ------- ---- ------------ ------------ -------- 1/ 1 enable 15400 1/ 2 enable 15400 1/ 3...
Command Line Interface Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or RADIUS authentication methods. You can also enable port-based authentication for network client access using IEEE 802.1x. Table 4-29. Authentication Commands Command Group Function Page...
Authentication Commands • RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server. • You can specify three authentication methods in a single command to indicate the authentication sequence.
• You can specify three authentication methods in a single command to indicate the authentication sequence. For example, if you enter “authentication enable radius tacacs local,” the user name and password on the RADIUS server are verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server.
Authentication Commands radius-server host This command specifies primary and backup RADIUS servers and authentication parameters that apply to each server. Use the no form to restore the default values. Syntax [no] radius-server index host {host_ip_address | host_alias} [auth-port auth_port | acct-port acct_port] [timeout timeout] [retransmit retransmit] [key key] •...
Command Line Interface radius-server port This command sets the RADIUS server network port. Use the no form to restore the default. Syntax radius-server port port_number no radius-server port port_number - RADIUS server UDP port used for authentication messages. (Range: 1-65535) Default Setting 1812 Command Mode...
Authentication Commands radius-server retransmit This command sets the number of retries. Use the no form to restore the default. Syntax radius-server retransmit number_of_retries no radius-server retransmit number_of_retries - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1 - 30) Default Setting Command Mode Global Configuration...
Filter ID sent by the switch during authentication: “Enterasys:version=n:mgmt=xx” according to the following rule:
–> “Enterasys” is a required keyword and must be positioned first.
–> “version” is a required keyword and specifies the Filter-ID syntax version. (Currently n=1 is the only value supported.)
–>...
Command Line Interface show radius-server This command displays the current settings for the RADIUS server. Default Setting None Command Mode Privileged Exec Example Console#show radius-server Remote RADIUS server configuration: Global settings: Communication key with RADIUS server: Auth-port: 1812 Acct-port: 1813 Retransmit times: Request timeout: Service-type:...
Authentication Commands aaa group server Use this command to name a list of RADIUS server hosts. To remove a group server from the configuration list, enter the no form of this command. Syntax [no] aaa group server [radius] group-name group-name - String used to name a group of RADIUS servers. (Range: 1-7 characters) Default Setting None...
Command Line Interface aaa accounting This command enables RADIUS accounting of requested services for billing or security purposes. Use the no form to disable the accounting service. Syntax aaa accounting [[dot1x | exec | update] default | server-name | periodic [start-stop group radius | server-name]] no radius-server •...
Authentication Commands Default Setting None Command Mode Interface Configuration Example Console(config)#interface ethernet 1/24 Console(config-if)#accounting dot1x default Console(config-if)# show accounting This command displays the current accounting settings per function and per port. Syntax show accounting [[dot1x | statistics [username | interface]] | exec | statistics] •...
Command Line Interface TACACS+ Client Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
Authentication Commands Command Mode Global Configuration Example Console(config)#tacacs-server port 181 Console(config)# tacacs-server key This command sets the TACACS+ encryption key. Use the no form to restore the default. Syntax tacacs-server key key_string no tacacs-server key key_string - Encryption key used to authenticate logon access for the client.
Command Line Interface Port Security Commands These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
Authentication Commands Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
Table 4-36. 802.1x Port Authentication Commands (Continued)

Command / Function / Mode / Page
dot1x operation-mode / Allows single or multiple hosts on a dot1x port / 4-102
dot1x re-authenticate / Forces re-authentication on specific ports / 4-103
dot1x re-authentication / Enables re-authentication for all ports / 4-103
dot1x timeout quiet-period / Sets the time that a switch port waits after the Max...
Authentication Commands dot1x default This command sets all configurable dot1x global and port settings to their default values. Syntax dot1x default Command Mode Global Configuration Example Console(config)#dot1x default Console(config)# dot1x max-req This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session.
Command Line Interface dot1x port-control This command sets the dot1x mode on a port interface. Use the no form to restore the default. Syntax dot1x port-control {auto | force-authorized | force-unauthorized} no dot1x port-control • auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server.
Command Mode
Interface Configuration

Command Usage
• The “max-count” parameter specified by this command is only effective if the dot1x mode is set to “auto” by the dot1x port-control command (page 4-102).
• In “multi-host” mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access.
Command Line Interface Example Console(config)#interface ethernet 1/5 Console(config-if)#dot1x re-authentication Console(config-if)# dot1x timeout quiet-period This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. Use the no form to reset the default.
Authentication Commands dot1x timeout tx-period This command sets the time that a port on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value. Syntax dot1x timeout tx-period seconds no dot1x timeout tx-period seconds - The number of seconds.
Command Line Interface max-req (page 4-101). It also displays the following global parameters which are set to a fixed value, including the following items: - supp-timeout – Supplicant timeout. - server-timeout – Server timeout. - reauth-max – Maximum number of reauthentication attempts. - 802.1X Port Summary –...
Authentication Commands Example Console#show dot1x Global 802.1X Parameters reauth-enabled: yes reauth-period: quiet-period: tx-period: supp-timeout: server-timeout: 30 reauth-max: max-req: 802.1X Port Summary Port Name Status Mode Authorized disabled ForceAuthorized disabled ForceAuthorized 1/11 disabled ForceAuthorized 1/12 enabled Auto 802.1X Port Details 802.1X is disabled on port 1/1 802.1X is enabled on port 1/2 reauth-enabled: Enable reauth-period:...
Command Line Interface system vlan-auth This command enables VLAN authorization, enforcing modifications to VLAN attributes for packets forwarded through the switch. Use the no form to prevent modifications to VLAN attributes. Syntax [no] system vlan-auth Default Disabled Command Mode Global Configuration Command Usage This command can be used in conjunction with a RADIUS server to place a port into a particular VLAN based on the authentication result.
Authentication Commands Example Console(config)#interface ethernet 1/5 Console(config-if)#vlan-auth enable Console(config-if)# vlan-auth enable egress This command controls the modification of the current VLAN egress list (of the VLAN returned in the VLAN-Tunnel-Type field) upon successful authentication. Syntax vlan-auth enable egress {none | tagged | untagged} •...
Command Line Interface show system vlan-auth This command shows VLAN authentication related settings on the switch or a specific interface. Syntax show system vlan-auth [interface interface] • interface • ethernet unit/port - unit - This is device 1. - port - Port number. Command Mode Privileged Exec Example...
Access Control List Commands rules match for a list of all permit rules, the packet is dropped; and if no rules match for a list of all deny rules, the packet is accepted. There are three filtering modes: • Standard IP ACL mode (STD-ACL) filters packets based on the source IP address. •...
Command Line Interface Ingress MAC ACL or Egress MAC ACL), but a mask can be bound to up to four ACLs of the same type. Table 4-37. Access Control List Commands Command Groups Function Page IP ACLs Configures ACLs based on IP addresses, TCP/UDP port number, 4-112 protocol type, and TCP control code MAC ACLs...
Access Control List Commands access-list ip This command adds an IP access list and enters configuration mode for standard or extended IP ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip {standard | extended} acl_name •...
Command Line Interface Command Mode Global Configuration Command Usage If this feature is disabled, fragmented packets will not be matched by any ACL rule, and will be handled according to the default permit or deny rule. Example Console(config)#tacacs-list ip extended fragment-auto-mask Console(config)# permit, deny (Standard ACL) This command adds a rule to a Standard IP ACL.
Access Control List Commands permit, deny (Extended ACL) This command adds a rule to an Extended IP ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule. Syntax [no] {permit | deny} [protocol-number | udp] {any | source address-bitmask | host source}...
“match” and 0 bits to indicate “ignore.” The bitmask is bitwise ANDed with the specified source IP address, and then compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.
•...
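The bitmask rule above, together with the implicit default this guide gives for all-permit and all-deny lists, as an added Python example (not code from the guide or from Enterasys). The rule values are copied from the "david" standard ACL in the guide's show access-list output; the function names, the masking of the packet address before comparison, and evaluation in listed order are assumptions.

```python
import ipaddress


def to_int(dotted):
    """Convert a dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def matches(rule_addr, bitmask, packet_addr):
    """1 bits in the bitmask are compared, 0 bits are ignored.

    Assumption: the packet address is masked with the same bitmask
    before it is compared with the masked rule address.
    """
    mask = to_int(bitmask)
    return (to_int(packet_addr) & mask) == (to_int(rule_addr) & mask)


def is_contiguous(bitmask):
    """True when the mask is a plain prefix (all 1 bits, then all 0 bits)."""
    inverted = ~to_int(bitmask) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def evaluate(acl, packet_src):
    """Return 'permit' or 'deny' for a source address.

    Assumption: rules are checked in listed order (on the switch the
    bound mask decides the order). When nothing matches, an all-permit
    list drops the packet and an all-deny list accepts it. The default
    for a mixed list is not modelled here, so None is returned.
    """
    for action, addr, mask in acl:
        if matches(addr, mask, packet_src):
            return action
    actions = {action for action, _, _ in acl}
    if actions == {"permit"}:
        return "deny"
    if actions == {"deny"}:
        return "permit"
    return None


def audit(acl):
    """List rules whose mask is not a contiguous prefix, for review."""
    return [rule for rule in acl if not is_contiguous(rule[2])]


# Rules from the guide's "david" list; "host" is written as an all-ones mask.
DAVID = [
    ("permit", "10.1.1.21", "255.255.255.255"),
    ("permit", "168.92.0.0", "255.255.15.0"),
]

if __name__ == "__main__":
    # Constructed sample source addresses.
    for src in ("10.1.1.21", "10.1.1.22", "168.92.16.7", "168.92.1.7"):
        print(f"{src:15} -> {evaluate(DAVID, src)}")
    for rule in audit(DAVID):
        print("non-contiguous mask, review intended scope:", rule)
```

With the mask 255.255.15.0 only the low four bits of the third octet are compared, so 168.92.16.7 is permitted while 168.92.1.7 is not; the audit helper flags such masks because the set of addresses they cover is easy to misjudge.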
Access Control List Commands show ip access-list This command displays the rules for configured IP ACLs. Syntax show ip access-list {standard | extended} [acl_name] • standard – Specifies a standard IP ACL. • extended – Specifies an extended IP ACL. - acl_name –...
Command Line Interface Example Console(config)#access-list ip mask-precedence in Console(config-ip-mask-acl)# Related Commands mask (IP ACL) (4-118) ip access-group (4-122) mask (IP ACL) This command defines a mask for IP ACLs. This mask defines the fields to check in the IP header. Use the no form to remove a mask. Syntax [no] mask [protocol] {any | host | source-bitmask}...
Access Control List Commands • First create the required ACLs and ingress or egress masks before mapping an ACL to an interface. • If you enter dscp, you cannot enter tos or precedence. You can enter both tos and precedence without dscp. •...
This shows how to create an extended ACL with an egress mask to drop packets leaving network 171.69.198.0 when the Layer 4 source port is 23.

Console(config)#access-list ip extended A3
Console(config-ext-acl)#deny host 171.69.198.5 any
Console(config-ext-acl)#deny 171.69.198.0 255.255.255.0 any source-port
Console(config-ext-acl)#end
Console#show access-list
IP extended access-list A3:...
Access Control List Commands This is a more comprehensive example. It denies any TCP packets in which the SYN bit is ON, and permits all other packets. It then sets the ingress mask to check the deny rule first, and finally binds port 1 to this ACL. Note that once the ACL is bound to an interface (i.e., the ACL is active), the order in which the rules are displayed is determined by the associated mask.
Command Line Interface Related Commands mask (IP ACL) (4-118) ip access-group This command binds a port to an IP ACL. Use the no form to remove the port. Syntax [no] ip access-group acl_name {in | out} • acl_name – Name of the ACL. (Maximum length: 16 characters) •...
Access Control List Commands Related Commands ip access-group (4-122) map access-list ip This command sets the output queue for packets matching an ACL rule. The specified CoS value is only used to map the matching packet to an output queue; it is not written to the packet itself.
Command Line Interface show map access-list ip This command shows the CoS value mapped to an IP ACL for the current interface. (The CoS value determines the output queue for packets matching an ACL rule.) Syntax show map access-list ip [interface] interface - ethernet unit/port - unit - This is device 1.
Access Control List Commands Command Usage • You must configure an ACL mask before you can change frame priorities based on an ACL rule. • Traffic priorities may be included in the IEEE 802.1p priority tag. This tag is also incorporated as part of the overall IEEE 802.1Q VLAN tag. To specify this priority, use the set priority keywords.
Command Line Interface MAC ACLs Table 4-40. MAC ACL Commands Command Function Mode Page access-list mac Creates a MAC ACL and enters configuration mode 4-126 permit, deny Filters packets matching a specified source and MAC-ACL 4-127 destination address, packet format, and Ethernet type show mac access-list Displays the rules for configured MAC ACLs 4-128...
Access Control List Commands • To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule. • An ACL can contain up to 32 rules. Example Console(config)#access-list mac jerry Console(config-mac-acl)# Related Commands permit, deny 4-127...
Command Line Interface • any – Any MAC source or destination address. • host – A specific MAC address. • source – Source MAC address. • destination – Destination MAC address range with bitmask. • address-bitmask* – Bitmask for MAC address (in hexadecimal format). •...
Access Control List Commands Command Mode Privileged Exec Example Console#show mac access-list MAC access-list jerry: permit any 00-e0-29-94-34-de ethertype 0800 Console# Related Commands permit, deny 4-127 mac access-group (4-132) access-list mac mask-precedence This command changes to MAC Mask mode used to configure access control masks.
Command Line Interface mask (MAC ACL) This command defines a mask for MAC ACLs. This mask defines the fields to check in the packet header. Use the no form to remove a mask. Syntax [no] mask [pktformat] {any | host | source-bitmask} {any | host | destination-bitmask} [vid [vid-bitmask]] [ethertype [ethertype-bitmask]] •...
Example

This example shows how to create an Ingress MAC ACL and bind it to a port. You can then see that the order of the rules has been changed by the mask.

Console(config)#access-list mac M4
Console(config-mac-acl)#permit any any
Console(config-mac-acl)#deny tagged-eth2 00-11-11-11-11-11 ff-ff-ff-ff-ff-ff any vid 3...
Command Line Interface show access-list mac mask-precedence This command shows the ingress or egress rule masks for MAC ACLs. Syntax show access-list mac mask-precedence [in | out] • in – Ingress mask precedence for ingress ACLs. • out – Egress mask precedence for egress ACLs. Command Mode Privileged Exec Example...
Access Control List Commands Related Commands show mac access-list (4-128) show mac access-group This command shows the ports assigned to MAC ACLs. Command Mode Privileged Exec Example Console#show mac access-group Interface ethernet 1/5 MAC access-list M5 out Console# Related Commands mac access-group (4-132) map access-list mac This command sets the output queue for packets matching an ACL rule.
Command Line Interface Example Console(config)#int eth 1/5 Console(config-if)#map access-list mac M5 cos 0 Console(config-if)# Related Commands queue cos-map (4-214) show map access-list mac (4-134) show map access-list mac This command shows the CoS value mapped to a MAC ACL for the current interface.
Access Control List Commands Default Setting None Command Mode Interface Configuration (Ethernet) Command Usage You must configure an ACL mask before you can change frame priorities based on an ACL rule. Example Console(config)#interface ethernet 1/12 Console(config-if)#match access-list mac a set priority 0 Console(config-if)# Related Commands show marking (4-125)
Example

Console#show access-list
IP standard access-list david:
  permit host 10.1.1.21
  permit 168.92.0.0 255.255.15.0
IP extended access-list bob:
  permit 10.7.1.1 0.0.0.255 any
  permit 192.168.1.0 255.255.255.0 any destination-port 80 80
  permit 192.168.1.0 255.255.255.0 any protocol tcp control-code 2 2
MAC access-list jerry:
  permit any host 00-30-29-94-34-de ethertype 800 800
IP extended access-list A6:...
SNMP Commands Example Console#show access-group Interface ethernet 1/2 IP standard access-list david MAC access-list jerry Console# SNMP Commands Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
Command Line Interface snmp-server This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server. Syntax [no] snmp-server Default Setting Enabled Command Mode Global Configuration Example Console(config)#snmp-server Console(config)# show snmp...
Example

Console#show snmp
SNMP traps:
 Authentication: enable
 Link-up-down: enable
SNMP communities:
 1. private, and the privilege is read-write
 2. public, and the privilege is read-only
0 SNMP packets input
 0 Bad SNMP version errors
 0 Unknown community name
 0 Illegal operation for community name supplied
 0 Encoding errors
 0 Number of requested variables...
Command Line Interface Command Mode Global Configuration Example Console(config)#snmp-server community alpha rw Console(config)# snmp-server contact Use this command to set the system contact string. Use the no form to remove the system contact information. Syntax snmp-server contact string no snmp-server contact string - String that describes the system contact information.
SNMP Commands Example Console(config)#snmp-server location WC-19 Console(config)# Related Commands snmp-server contact (4-140) snmp-server host Use this command to specify the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax snmp-server host host-addr community-string [version {1 | 2c | 3 {auth | noauth | priv}} [udp-port port]] no snmp-server host host-addr •...
Command Line Interface to receive notifications, at least one snmp-server enable traps command and the snmp-server host command for that host must be enabled. • Some notification types cannot be controlled with the snmp-server enable traps command. For example, some notification types are always enabled. •...
SNMP Commands keyword, only the notification type related to that keyword is enabled. • The snmp-server enable traps command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. In order to send notifications, you must configure at least one snmp-server host command.
Command Line Interface show snmp engine-id Use this command to show the SNMP engine ID. Command Mode Privileged Exec Example This example shows the default engine ID. Console#show snmp engine-id Local SNMP engineID: 8000002a8000000000e8666672 Local SNMP engineBoots: 1 Console# Table 4-44. SNMP Engine ID Field Description Local SNMP engineID...
SNMP Commands Examples This view includes MIB-2. Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included Console(config)# This view includes the MIB-2 interfaces table, ifDescr. The wildcard is used to select all the index values in this table. Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included Console(config)# This view includes the MIB-2 interfaces table, and the mask selects all index entries.
Command Line Interface snmp-server group Use this command to add an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group. Syntax snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] no snmp-server group groupname •...
Command Line Interface snmp-server user Use this command to add a user to an SNMP group, restricting the user to a specific SNMP Read and a Write View. Use the no form to remove a user from an SNMP group. Syntax snmp-server user username groupname {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]...
SNMP Commands show snmp user Use this command to show information on SNMP users. Command Mode Privileged Exec Example Console#show snmp user EngineId: 01000000000000000000000000 User Name: steve Authentication Protocol: md5 Privacy Protocol: des56 Storage Type: nonvolatile Row Status: active Console# Table 4-47.
Command Line Interface Command Usage • You can create a list of up to 16 IP addresses or IP address groups that are allowed access to the switch via SNMP management software. • Address bitmasks are similar to a subnet mask, containing four decimal integers from 0 to 255, each separated by a period.
Interface Commands Table 4-48. Interface Commands (Continued) Command Function Mode Page clear counters Clears the statistics on a given interface 4-157 show interfaces status Displays status for the specified interface NE, PE 4-158 show interfaces Displays statistics for the specified interfaces NE, PE 4-159 counters show interfaces...
Default Setting
None

Command Mode
Interface Configuration (Ethernet, Port Channel)

Example

The following example adds a description to port 25:

Console(config)#interface ethernet 1/25
Console(config-if)#description RD-SW#3
Console(config-if)#

speed-duplex

Use this command to configure the speed and duplex mode of a given interface when autonegotiation is disabled.
Interface Commands Example The following example configures port 5 to 100 Mbps, half-duplex operation. Console(config)#interface ethernet 1/5 Console(config-if)#speed-duplex 100half Console(config-if)#no negotiation Console(config-if)# Related Commands negotiation (4-153) capabilities (4-154) negotiation Use this command to enable autonegotiation for a given interface. Use the no form to disable autonegotiation.
Command Line Interface capabilities Use this command to advertise the port capabilities of a given interface during autonegotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values. Syntax [no] capabilities {1000full | 100full | 100half | 10full | 10half | flowcontrol | symmetric}...
Interface Commands Related Commands negotiation (4-153) speed-duplex (4-152) flowcontrol (4-155) flowcontrol Use this command to enable flow control. Use the no form to disable flow control. Syntax [no] flowcontrol Default Setting Flow control enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
Command Line Interface shutdown Use this command to disable an interface. To restart a disabled interface, use the no form. Syntax [no] shutdown Default Setting All interfaces are enabled. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then reenable it after the problem has been resolved.
Interface Commands • This command can enable or disable broadcast storm control for the selected interface. However, the specified threshold value applies to all ports on the switch. Example The following shows how to configure broadcast storm control at 600 packets per second on port 5: Console(config)#interface ethernet 1/5 Console(config-if)#switchport broadcast packet-rate 600...
Command Line Interface show interfaces status Use this command to display the status for an interface. Syntax show interfaces status [interface] interface - ethernet unit/port - unit - This is device 1. - port - Port number. - port-channel channel-id (Range: 1-6) - vlan vlan-id (Range: 1-4094) Default Setting Shows the status for all interfaces.
Interface Commands show interfaces counters Use this command to display interface statistics. Syntax show interfaces counters [interface] interface - ethernet unit/port - unit - This is device 1. - port - Port number. - port-channel channel-id (Range: 1-6) Default Setting Shows the counters for all interfaces.
Command Line Interface show interfaces switchport Use this command to display the administrative and operational status of the specified interfaces. Syntax show interfaces switchport [interface] interface - ethernet unit/port - unit - This is device 1. - port - Port number. - port-channel channel-id (Range: 1-6) Default Setting Shows all interfaces.
Mirror Port Commands Table 4-49. Show Interfaces Switchport Output - Description (Continued) Field Description Acceptable frame type Shows if acceptable VLAN frames include all types or tagged frames only (See page 4-202.) Native VLAN Indicates the default Port VLAN ID (See page 4-203.) Priority for untagged traffic Indicates the default priority for untagged frames (See page 4-211.) Gvrp status Shows if GARP VLAN Registration Protocol is enabled or disabled (See page...
Command Line Interface Command Usage • You can mirror traffic from any source port to a destination port for real-time analysis. You can then attach a logic analyzer or RMON probe to the destination port and study the traffic crossing the source port in a completely unobtrusive manner.
Example
The following shows mirroring configured from port 6 to port 11:
Console(config)#interface ethernet 1/11
Console(config-if)#port monitor ethernet 1/6
Console(config-if)#end
Console#show port monitor
Port Mirroring
-------------------------------------
Destination port(listen port):Eth1/1
Source port(monitored port) :Eth1/6
Mode :RX/TX
Console#
Rate Limit Commands
This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface.
Command Line Interface Command Usage • The range is: - Fast Ethernet interface – 1 to 100 Mbps - Gigabit Ethernet interface – 8 to 1000 Mbps • Resolution – The increment of change: - Fast Ethernet interface – 1 Mbps - Gigabit Ethernet interface –...
Link Aggregation Commands Guidelines for Creating Trunks General Guidelines – • Finish configuring port trunks before you connect the corresponding network cables between switches to avoid creating a loop. • A trunk can have up to eight ports. • The ports at both ends of a connection must be configured as trunk ports. •...
Command Line Interface Example The following example creates trunk 1 and then adds port 11: Console(config)#interface port-channel 1 Console(config-if)#exit Console(config)#interface ethernet 1/11 Console(config-if)#channel-group 1 Console(config-if)# lacp This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it. Syntax [no] lacp Default Setting...
Link Aggregation Commands Example The following shows LACP enabled on ports 11-13. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk1 has been established. Console(config)#interface ethernet 1/11 Console(config-if)#lacp Console(config-if)#exit...
Command Line Interface Command Mode Interface Configuration (Ethernet) Command Usage • Port must be configured with the same system priority to join the same LAG. • System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
Link Aggregation Commands • Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.
lacp port-priority
This command configures LACP port priority. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} port-priority priority
no lacp {actor | partner} port-priority
• actor - The local side of an aggregate link.
•...
Link Aggregation Commands Console#show lacp 1 neighbors Channel group 1 neighbors ------------------------------------------------------------------------- Eth 1/1 ------------------------------------------------------------------------- Partner Admin System ID : 32768, 00-00-00-00-00-00 Partner Oper System ID : 32768, 00-00-00-00-00-01 Partner Admin Port Number : 1 Partner Oper Port Number : 1 Port Admin Priority : 32768 Port Oper Priority : 32768 Admin Key : 0...
Command Line Interface Table 4-56. Show LACP System ID Output Contents Field Description Channel group A link aggregation group configured on this switch. System Priority* LACP system priority for this channel group. System MAC Address* System MAC address. * The LACP system priority and system MAC address are concatenated to form the LAG system ID. Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
Address Table Commands Default Setting No static addresses are defined. The default mode is permanent. Command Mode Global Configuration Command Usage The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table.
Command Line Interface show mac-address-table Use this command to view classes of entries in the bridge-forwarding database. Syntax show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}] • mac-address - MAC address. • mask - Bits to match in the address. •...
Address Table Commands mac-address-table aging-time Use this command to set the aging time for entries in the address table. Use the no form to restore the default aging time. Syntax mac-address-table aging-time seconds no mac-address-table aging-time seconds - Time in number of seconds (10-1000000, or 0 to disable). Default Setting 300 seconds Command Mode...
Command Line Interface Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 4-58. Spanning Tree Commands Command Function Mode Page spanning-tree Enables the spanning tree protocol 4-179 spanning-tree mode...
Spanning Tree Commands Table 4-58. Spanning Tree Commands (Continued) Command Function Mode Page show spanning-tree Shows spanning tree configuration for the overall bridge or 4-196 a selected interface show spanning-tree mst Shows the multiple spanning tree configuration 4-198 configuration spanning-tree Use this command to enable the Spanning Tree Algorithm globally for the switch.
Command Line Interface Default Setting rstp Command Mode Global Configuration Command Usage • Spanning Tree Protocol Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. - This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
Spanning Tree Commands spanning-tree forward-time Use this command to configure the spanning tree bridge forward time globally for this switch. Use the no form to restore the default. Syntax spanning-tree forward-time seconds no spanning-tree forward-time seconds - Time in seconds. (Range: 4 - 30 seconds) The minimum value is the higher of 4 or [(max-age / 2) + 1].
Command Line Interface Command Usage This command sets the time interval (in seconds) at which the root device transmits a configuration message. Example Console(config)#spanning-tree hello-time 5 Console(config)# spanning-tree max-age Use this command to configure the spanning tree bridge maximum age globally for this switch.
Spanning Tree Commands spanning-tree priority Use this command to configure the spanning tree priority globally for this switch. Use the no form to restore the default. Syntax spanning-tree priority priority no spanning-tree priority priority - Priority of the bridge. (Range: 0 - 65535) (Range –...
Command Line Interface Example Console(config)#spanning-tree default priority 802.1D-1998 Console(config)# spanning-tree pathcost method Use this command to configure the path cost method used for Rapid Spanning Tree. Use the no form to restore the default. Syntax spanning-tree pathcost method {long | short} no spanning-tree pathcost method •...
Spanning Tree Commands Command Usage This command limits the maximum transmission rate for BPDUs. Example Console(config)#spanning-tree transmission-limit 4 Console(config)# spanning-tree mst-configuration Use this command to change to Multiple Spanning Tree (MST) configuration mode. Default Setting • No VLANs are mapped to any MST instance. •...
Command Line Interface Command Usage • Use this command to group VLANs into spanning tree instances. MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
Spanning Tree Commands • You can set this switch to act as the MSTI root device by specifying a priority of 0, or as the MSTI alternate device by specifying a priority of 16384. Example Console(config-mstp)#mst 1 priority 4096 Console(config-mstp)# name This command configures the name for the multiple spanning tree region in which this switch is located.
Command Line Interface Command Mode MST Configuration Command Usage The MST region name (page 4-187) and revision number are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
Spanning Tree Commands spanning-tree spanning-disabled This command disables the spanning tree algorithm for the specified interface. Use the no form to reenable the spanning tree algorithm for the specified interface. Syntax [no] spanning-tree spanning-disabled Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Example This example disables the spanning tree algorithm for port 5.
Command Line Interface • Path cost takes precedence over port priority. • When the spanning-tree pathcost method (page 4-184) is set to short, the maximum value for path cost is 65,535. Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree cost 50 Console(config-if)# spanning-tree port-priority Use this command to configure the priority for the specified interface.
Spanning Tree Commands spanning-tree edge-port Use this command to specify an interface as an edge port. Use the no form to restore the default. Syntax [no] spanning-tree edge-port Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
Command Line Interface Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • This command is used to enable/disable the fast spanning-tree mode for the selected port. In this mode, ports skip the Discarding and Learning states, and proceed straight to Forwarding. •...
Spanning Tree Commands Command Usage • Specify a point-to-point link if the interface can only be connected to exactly one other bridge, or a shared link if it can be connected to two or more bridges. • When automatic detection is selected, the switch derives the link type from the duplex mode.
Command Line Interface spanning-tree mst cost This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree mst instance_id cost cost no spanning-tree mst instance_id cost •...
Spanning Tree Commands spanning-tree mst port-priority This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree mst instance_id port-priority priority no spanning-tree mst instance_id port-priority •...
Command Line Interface Command Mode Privileged Exec Command Usage If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the spanning-tree protocol-migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e., RSTP or STP-compatible).
Spanning Tree Commands • For a description of the items displayed under “Spanning-tree information,” see “Configuring Global Settings” on page 3-127. For a description of the items displayed for specific interfaces, see “Displaying Interface Settings” on page 3-131. Example Console#show spanning-tree Spanning-tree information --------------------------------------------------------------- Spanning tree mode:...
Command Line Interface show spanning-tree mst configuration This command shows the configuration of the multiple spanning tree. Command Mode Privileged Exec Example Console#show spanning-tree mst configuration Mstp Configuration Information -------------------------------------------------------------- Configuration name:XSTP REGION 0 Revision level:0 Instance Vlans -------------------------------------------------------------- Console# VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment.
VLAN Commands vlan database Use this command to enter VLAN database mode. All commands in this mode will take effect immediately. Default Setting None Command Mode Global Configuration Command Usage • Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command.
Command Line Interface Command Mode VLAN Database Configuration Command Usage • no vlan vlan-id deletes the VLAN. • no vlan vlan-id name removes the VLAN name. • no vlan vlan-id state returns the VLAN to the default state (i.e., active). •...
VLAN Commands Default Setting None Command Mode Global Configuration Example The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN: Console(config)#interface vlan 1 Console(config-if)#ip address 192.168.1.254 255.255.255.0 Console(config-if)# Related Commands shutdown (4-156)
Command Line Interface Related Commands switchport acceptable-frame-types (4-202) switchport acceptable-frame-types Use this command to configure the acceptable frame types for a port. Use the no form to restore the default. Syntax switchport acceptable-frame-types {all | tagged} no switchport acceptable-frame-types • all - The port accepts all frames, tagged or untagged. •...
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• Ingress filtering only affects tagged frames.
• If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port)....
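The tagged-frame handling described above, modelled as an added example (not taken from the guide or the switch firmware), so that ports which would flood frames tagged for non-member VLANs can be listed during a configuration review. The discard behaviour with filtering enabled and the tagged-only frame mode follow standard IEEE 802.1Q behaviour because the excerpt is cut off; the `Port` model, port names and VLAN IDs are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

ACCEPT, FLOOD, DROP = "accept", "flood", "drop"


@dataclass
class Port:
    """Hypothetical model of one switch port's VLAN ingress settings."""
    name: str
    native_vlan: int = 1                                    # PVID for untagged frames
    allowed: Set[int] = field(default_factory=lambda: {1})  # VLANs the port belongs to
    forbidden: Set[int] = field(default_factory=set)        # explicitly forbidden VLANs
    ingress_filtering: bool = False                         # model default, not the switch's
    acceptable: str = "all"                                 # "all" or "tagged"


def classify(port: Port, tag: Optional[int]) -> Tuple[str, Optional[int], str]:
    """Decide what happens to a frame arriving on `port`.

    `tag` is the 802.1Q VLAN ID carried by the frame, or None if untagged.
    Returns (action, vlan, reason).
    """
    if tag is None:
        # Ingress filtering only affects tagged frames; untagged frames are
        # governed by the acceptable-frame-types setting and the native VLAN.
        if port.acceptable == "tagged":
            return DROP, None, "untagged frame on a tagged-only port"
        return ACCEPT, port.native_vlan, "untagged frame assigned to the native VLAN"
    if not 1 <= tag <= 4094:
        return DROP, tag, "VLAN ID outside the 1-4094 range"
    if tag in port.allowed:
        return ACCEPT, tag, "port is a member of the tagged VLAN"
    if tag in port.forbidden:
        # The guide excludes forbidden VLANs from the flooding case.
        return DROP, tag, "VLAN is explicitly forbidden on this port"
    if port.ingress_filtering:
        # Standard 802.1Q behaviour (assumed; the excerpt is truncated here).
        return DROP, tag, "non-member VLAN discarded by ingress filtering"
    return FLOOD, tag, "non-member VLAN flooded because ingress filtering is disabled"


def exposures(ports: Iterable[Port], probe_vlans: Iterable[int]) -> Dict[str, List[int]]:
    """Map each port name to the probe VLANs whose tagged frames it would flood."""
    report: Dict[str, List[int]] = {}
    for port in ports:
        leaked = sorted(v for v in set(probe_vlans) if classify(port, v)[0] == FLOOD)
        if leaked:
            report[port.name] = leaked
    return report


# Constructed sample configuration (not from a real switch).
SAMPLE_PORTS = [
    Port("Eth1/1", native_vlan=10, allowed={10}, forbidden={30}),
    Port("Eth1/2", native_vlan=10, allowed={10}, forbidden={30}, ingress_filtering=True),
    Port("Eth1/3", allowed={10, 20}, ingress_filtering=True, acceptable="tagged"),
]

if __name__ == "__main__":
    for port_name, vlans in exposures(SAMPLE_PORTS, [10, 20, 30]).items():
        print(f"{port_name}: floods frames tagged for non-member VLANs {vlans}")
```
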
Command Line Interface Example The following example shows how to set the PVID for port 1 to VLAN 3: Console(config)#interface ethernet 1/1 Console(config-if)#switchport native vlan 3 Console(config-if)# switchport allowed vlan Use this command to configure VLAN groups on the selected interface. Use the no form to restore the default.
VLAN Commands Example The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1: Console(config)#interface ethernet 1/1 Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged Console(config-if)# switchport forbidden vlan Use this command to configure forbidden VLANs. Use the no form to remove the list of forbidden VLANs.
Command Line Interface Displaying VLAN Information Table 4-62. Displaying VLAN Information Command Function Mode Page show vlan Shows VLAN information NE, PE 4-206 show interfaces status vlan Displays status for the specified VLAN interface NE, PE 4-158 show interfaces switchport Displays the administrative and operational status of an NE, PE 4-160 interface...
GVRP and Bridge Extension Commands GVRP and Bridge Extension Commands GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
Command Line Interface show bridge-ext Use this command to show the configuration for bridge extension commands. Default Setting None Command Mode Privileged Exec Command Usage See “Displaying Basic VLAN Information” on page 3-147 and “Displaying Bridge Extension Capabilities” on page 3-12 for a description of the displayed items.
GVRP and Bridge Extension Commands show gvrp configuration Use this command to show if GVRP is enabled. Syntax show gvrp configuration [interface] interface - ethernet unit/port - unit - This is device 1. - port - Port number. - port-channel channel-id (Range: 1-6) Default Setting Shows both global and interface-specific configuration.
Command Line Interface Command Usage • Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN. The default values for the GARP timers are independent of the media access method or data rate.
Priority Commands Example Console#show garp timer ethernet 1/1 Eth 1/ 1 GARP timer status: Join timer: 20 centiseconds Leave timer: 60 centiseconds Leaveall timer: 1000 centiseconds Console# Related Commands garp timer (4-209) Priority Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion.
Command Line Interface queue mode This command sets the queue mode to strict priority or Weighted Round-Robin (WRR) for the class of service (CoS) priority queues. Use the no form to restore the default value. Syntax queue mode {strict | wrr} no queue mode •...
Priority Commands Default Setting The priority is not set, and the default value for untagged frames received on the interface is zero. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.
Command Line Interface Command Usage WRR controls bandwidth sharing at the egress port by defining scheduling weights. Example The following example shows how to assign WRR weights of 1, 3, 5 and 7 to the CoS priority queues 0, 1, 2 and 3: Console(config)#queue bandwidth 1 3 5 7 Console(config)# Related Commands...
Priority Commands Example The following example shows how to map CoS values 0, 1 and 2 to priority queue 0, value 3 to queue 1, values 4 and 5 to queue 2, and values 6 and 7 to queue 3: Console(config)#interface ethernet 1/1 Console(config-if)#queue cos-map 0 1 2 Console(config-if)#queue cos-map 1 0 3...
Command Line Interface Example Console#show queue bandwidth Queue ID Weight -------- ------ Console# show queue cos-map Use this command to show the class of service priority map. Syntax show queue cos-map [interface] interface - ethernet unit/port - unit - This is device 1. - port - Port number.
Priority Commands Priority Commands (Layer 3 and 4) Table 4-67. Priority Commands (Layer 3 and 4) Command Function Mode Page map ip port Enables TCP class of service mapping 4-217 map ip port Maps TCP socket to a class of service 4-218 map ip precedence Enables IP precedence class of service mapping...
Command Line Interface map ip port (Interface Configuration) Use this command to set IP port priority (i.e., TCP/UDP port priority). Use the no form to remove a specific setting. Syntax map ip port port-number cos cos-value no map ip port port-number •...
Priority Commands Example The following example shows how to enable IP precedence mapping globally: Console(config)#map ip precedence Console(config)# map ip precedence (Interface Configuration) Use this command to set IP precedence priority (i.e., IP Type of Service priority). Use the no form to restore the default table. Syntax map ip precedence ip-precedence-value cos cos-value no map ip precedence...
Command Line Interface map ip dscp (Global Configuration) Use this command to enable IP DSCP mapping (i.e., Differentiated Services Code Point mapping). Use the no form to disable IP DSCP mapping. Syntax [no] map ip dscp Default Setting Disabled Command Mode Global Configuration Command Usage •...
Priority Commands Default Setting The DSCP default values are defined in the following table. Note that all the DSCP values that are not specified are mapped to CoS value 0. Mapping IP DSCP to CoS Values IP DSCP Value CoS Value 10, 12, 14, 16 18, 20, 22, 24 26, 28, 30, 32, 34, 36...
Command Line Interface Default Setting None Command Mode Privileged Exec Example The following shows that HTTP traffic has been mapped to CoS value 0: Console#show map ip port TCP port mapping status: disabled Port Port no. COS --------- -------- --- Eth 1/ 5 Console# Related Commands...
Priority Commands Example Console#show map ip precedence ethernet 1/5 Precedence mapping status: disabled Port Precedence COS --------- ---------- --- Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Eth 1/ 5 Console# Related Commands...
Command Line Interface Example Console#show map ip dscp ethernet 1/1 DSCP mapping status: disabled Port DSCP COS --------- ---- --- Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Console# Related Commands map ip dscp (Global Configuration) (4-220)
Multicast Filtering Commands IGMP Snooping Commands Table 4-70. IGMP Snooping Commands Command Function Mode Page ip igmp snooping Enables IGMP snooping 4-225 ip igmp snooping vlan static Adds an interface as a member of a multicast group 4-225 ip igmp snooping version Configures the IGMP version for snooping 4-226 show ip igmp snooping...
Command Line Interface Default Setting None Command Mode Global Configuration Example The following shows how to statically configure a multicast group on a port: Console(config)#ip igmp snooping vlan 1 static 224.0.0.12 ethernet 1/5 Console(config)# ip igmp snooping version Use this command to configure the IGMP snooping version. Use the no form to restore the default.
Multicast Filtering Commands show ip igmp snooping Use this command to show the IGMP snooping configuration. Default Setting None Command Mode Privileged Exec Command Usage See “Layer 2 IGMP (Snooping and Query)” on page 2-74 for a description of the displayed items. Example The following shows the current IGMP snooping configuration: Console#show ip igmp snooping...
Command Line Interface Example The following shows the multicast entries learned through IGMP snooping for VLAN 1: Console#show mac-address-table multicast vlan 1 igmp-snooping VLAN M'cast IP addr. Member ports Type ---- --------------- ------------ ------- 224.1.2.3 Eth1/11 IGMP Console# IGMP Query Commands (Layer 2) Table 4-71.
Multicast Filtering Commands Command Usage If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic. Example Console(config)#ip igmp snooping querier Console(config)# ip igmp snooping query-count Use this command to configure the query count. Use the no form to restore the default.
Command Line Interface ip igmp snooping query-interval Use this command to configure the query interval. Use the no form to restore the default. Syntax ip igmp snooping query-interval seconds no ip igmp snooping query-interval seconds - The frequency at which the switch sends IGMP host-query messages.
Multicast Filtering Commands Example The following shows how to configure the maximum response time to 20 seconds: Console(config)#ip igmp snooping query-max-response-time 20 Console(config)# Related Commands ip igmp snooping version (4-226) ip igmp snooping query-max-response-time (4-230) ip igmp snooping router-port-expire-time Use this command to configure the query timeout. Use the no form of this command to restore the default.
Command Line Interface Static Multicast Routing Commands Table 4-72. Static Multicast Routing Commands Command Function Mode Page ip igmp snooping vlan Adds a multicast router port 4-232 mrouter show ip igmp snooping Shows multicast router ports 4-233 mrouter ip igmp snooping vlan mrouter Use this command to statically configure a multicast router port.
IP Interface Commands show ip igmp snooping mrouter Use this command to display information on statically configured and dynamically learned multicast router ports. Syntax show ip igmp snooping mrouter [vlan vlan-id] vlan-id - VLAN ID (Range: 1-4094) Default Setting Displays multicast router ports for all configured VLANs. Command Mode Privileged Exec Command Usage...
Command Line Interface ip address Use this command to set the IP address for the currently selected VLAN interface. Use the no form to restore the default IP address. Syntax ip address {ip-address netmask | bootp | dhcp} no ip address •...
Related Commands
ip dhcp restart (4-235)
ip default-gateway
Use this command to establish a static route between this device and management stations that exist on another network segment. Use the no form to remove the static route.
Syntax
ip default-gateway gateway
no ip default-gateway...
Command Line Interface network portion of the address provided to the client will be based on this new domain. Example In the following example, the device is reassigned the same address Console(config)#interface vlan 1 Console(config-if)#ip address dhcp Console(config-if)#exit Console#ip dhcp restart Console#show ip interface IP interface vlan IP address and netmask:...
IP Interface Commands Example Console#show ip redirects ip default gateway 10.1.0.254 Console# Related Commands ip default-gateway (4-235) ping Use this command to send ICMP echo request packets to another node on the network. Syntax ping host [count count][size size] • host - IP address or IP alias of the host. •...
Command Line Interface Example Console#ping 10.1.0.9 Type ESC to abort. PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds response time: 10 ms response time: 10 ms response time: 10 ms response time: 10 ms response time: 0 ms Ping statistics for 10.1.0.9: 5 packets transmitted, 5 packets received (100%), 0 packets lost (0%) Approximate round trip times:...
DNS Commands ip host This command creates a static entry in the DNS table that maps a host name to an IP address. Use the no form to remove an entry. Syntax [no] ip host name address1 [address2 … address8] •...
Command Line Interface Example This example clears all static entries from the DNS table. Console(config)#clear host * Console(config)# ip domain-name This command defines the default domain name appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation).
DNS Commands ip domain-list This command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove a name from this list. Syntax [no] ip domain-list name name - Name of the host.
Command Line Interface ip name-server This command specifies the address of one or more domain name servers to use for name-to-address resolution. Use the no form to remove a name server from this list. Syntax [no] ip name-server server-address1 [server-address2 … server-address6] •...
DNS Commands ip domain-lookup This command enables DNS host name-to-address translation. Use the no form to disable DNS. Syntax [no] ip domain-lookup Default Setting Disabled Command Mode Global Configuration Command Usage • At least one name server must be specified before you can enable DNS. •...
Command Line Interface show hosts This command displays the static host name-to-address mapping table. Command Mode Privileged Exec Example Note that a host name will be displayed as an alias if it is mapped to the same address(es) as a previously configured entry. Console#show hosts Hostname Inet address...
DNS Commands show dns cache This command displays entries in the DNS cache. Command Mode Privileged Exec Example Console#show dns cache FLAG TYPE DOMAIN CNAME 10.2.44.96 pttch_pc.accton.com.tw CNAME 10.2.44.3 ahten.accton.com.tw CNAME 66.218.71.84 www.yahoo.akadns.net CNAME 66.218.71.83 www.yahoo.akadns.net CNAME 66.218.71.81 www.yahoo.akadns.net CNAME 66.218.71.80 www.yahoo.akadns.net CNAME...
Appendix A: Troubleshooting
Problems Accessing the Management Interface
Table A-1. Troubleshooting Chart
Symptom: Cannot connect using Telnet, web browser, or SNMP software
Action:
• Be sure the switch is powered up.
• Check network cabling between the management station and the switch.
•...
Troubleshooting Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
Appendix B: Software Specifications Software Features Authentication Local, RADIUS, TACACS, Port (802.1x), HTTPS, SSH, Port Security Access Control Lists IP, MAC (up to 32 lists) Cabletron Discovery Protocol Power Over Ethernet (V2H124-24P only) SNMPv3 Management access via MIB database Trap management to specified hosts DHCP Client Port Configuration...
Software Specifications Spanning Tree Protocol Spanning Tree Protocol (STP, IEEE 802.1D) Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) Multiple Spanning Tree (MSTP, IEEE 802.1s) VLAN Support Up to 255 groups; port-based, protocol-based, or tagged (802.1Q), GVRP for automatic VLAN learning, private VLANs Class of Service Supports four levels of priority and Weighted Round Robin Queueing (which can be configured by VLAN tag or port),...
Glossary
Access Control List (ACL)
ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.
Boot Protocol (BOOTP)
BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device's system files, and the name of the boot file.
Glossary GARP VLAN Registration Protocol (GVRP) Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports along the Spanning Tree so that VLANs defined in each switch can work automatically over a Spanning Tree network. Generic Attribute Registration Protocol (GARP) GARP is a protocol that can be used by endstations and switches to register and propagate multicast group membership information in a switched environment so...
Glossary IGMP Snooping Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members. IGMP Query On each subnetwork, one IGMP-capable device will act as the querier — that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong.
Glossary MD5 Message-Digest Algorithm An algorithm that is used to create digital signatures. It is intended for use with 32 bit machines and is safer than the MD4 algorithm, which has been broken. MD5 is a one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, also called a message digest.
Glossary Secure Shell (SSH) A secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch. Simple Network Management Protocol (SNMP) The application protocol in the Internet suite of protocols which offers network management services.
Glossary Virtual LAN (VLAN) A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. A VLAN serves as a logical workgroup with no physical barriers, and allows users to share information and resources as though located on the same LAN.