SMC Networks TigerStack II SMC8848M Management Manual

Gigabit ethernet switch
TigerStack II
10/100/1000
Gigabit Ethernet Switch
24/48 auto-MDI/MDI-X 10/100/1000BASE-T ports
4 RJ-45 ports shared with 4 SFP transceiver slots
2 10GBASE extender module slots
Non-blocking switching architecture
Support for a redundant power unit
Spanning Tree Protocol, RSTP, and MSTP
Up to 32 LACP or static 8-port trunks
Layer 2/3/4 CoS support through eight priority queues
Layer 3/4 traffic priority with IP Precedence and IP DSCP
Full support for VLANs with GVRP
IGMP multicast filtering and snooping
Manageable via console, Web, SNMP/RMON
Security features: ACL, RADIUS, 802.1x
Routing features: IP/RIP routing, CIDR
Supports IPv4/IPv6, dual protocol stack

Management Guide

SMC8824M
SMC8848M

Summary of Contents for SMC Networks TigerStack II SMC8848M

  • Page 1: Management Guide
  • Page 3 TigerStack II 10/100/1000 Management Guide From SMC’s Tiger line of feature-rich workgroup LAN solutions 38 Tesla Irvine, CA 92618 April 2006 Phone: (949) 679-8000 Pub. # 150200054400A...
  • Page 4 Information furnished by SMC Networks, Inc. (SMC) is believed to be accurate and reliable. However, no responsibility is assumed by SMC for its use, nor for any infringements of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent or patent rights of SMC.
  • Page 5 All SMC products carry a standard 90-day limited warranty from the date of purchase from SMC or its Authorized Reseller. SMC may, at its own discretion, repair or replace any product not operating as warranted with a similar or functionally equivalent product, during the applicable warranty term.
  • Page 6 RIGHTS, WHICH MAY VARY FROM STATE TO STATE. NOTHING IN THIS WARRANTY SHALL BE TAKEN TO AFFECT YOUR STATUTORY RIGHTS. * SMC will provide warranty service for one year following discontinuance from the active SMC price list. Under the limited lifetime warranty, internal and external power supplies, fans, and cables are covered by a standard one-year warranty from date of purchase.
  • Page 7: Table Of Contents

    Table of Contents. Section I Getting Started: Introduction 1-1; Key Features ...
  • Page 8: Table of Contents

    Table of Contents. Section II Switch Management: Configuring the Switch 3-1; Using the Web Interface 3-1; Navigating the Web Browser Interface ...
  • Page 9 Table of Contents: Configuring SNTP 4-50; Setting the Time Zone ...
  • Page 10 Table of Contents: Configuring a Standard IPv6 ACL 7-9; Configuring an Extended IPv6 ACL 7-10; Binding a Port to an Access Control List ...
  • Page 11 Table of Contents: Displaying Current VLANs 11-7; Creating VLANs 11-8; Adding Static Members to VLANs (VLAN Index) ...
  • Page 12 Table of Contents: Assigning Ports to Multicast Services 14-9; Domain Name Service 15-1; Configuring General DNS Service Parameters ...
  • Page 13 Table of Contents: Configuring the Routing Information Protocol 17-30; Configuring General Protocol Settings 17-31; Specifying Network Interfaces for RIP ...
  • Page 14 Table of Contents: end 19-6; exit ...
  • Page 15 Table of Contents: Event Logging Commands 20-34; logging on ...
  • Page 16 Table of Contents: snmp-server group 21-15; show snmp group ...
  • Page 17 Table of Contents: ip ssh crypto host-key generate 22-28; ip ssh crypto zeroize 22-29; ip ssh save host-key ...
  • Page 18 Table of Contents: ipv6 access-group 23-15; show ipv6 access-group ...
  • Page 19 Table of Contents: Mirror Port Commands 26-1; port monitor 26-1; show port monitor ...
  • Page 20 Table of Contents: spanning-tree protocol-migration 29-24; show spanning-tree 29-25; show spanning-tree mst configuration ...
  • Page 21 Table of Contents: switchport priority default 31-3; queue bandwidth 31-4; queue cos-map ...
  • Page 22 Table of Contents: IGMP Query Commands 33-6; ip igmp snooping querier ...
  • Page 23 Table of Contents: next-server 35-12; bootfile ...
  • Page 24 Table of Contents: show ipv6 neighbors 36-43; clear ipv6 neighbors ...
  • Page 25 Table of Contents: Appendices. Section IV Appendices: Software Specifications A-1; Software Features A-1; Management Features ...
  • Page 26 Table of Contents xxvi...
  • Page 27 Tables: Table 1-1 Key Features 1-1; Table 1-2 System Defaults ...
  • Page 28 Tables: Table 20-4 Frame Size Commands 20-11; Table 20-5 Flash/File Commands 20-13; Table 20-6 File Directory Information ...
  • Page 29 Tables: Table 25-2 show lacp counters - display description 25-11; Table 25-3 show lacp internal - display description 25-11; Table 25-4 show lacp neighbors - display description ...
  • Page 30 Tables: Table 36-2 Basic IP Configuration Commands 36-2; Table 36-3 show ipv6 interface - display description 36-23; Table 36-4 show ipv6 mtu - display description ...
  • Page 31 Figures: Figure 3-1 Home Page 3-3; Figure 3-2 Front Panel Indicators ...
  • Page 32 Figures: Figure 6-1 User Accounts 6-2; Figure 6-2 Authentication Server Settings ...
  • Page 33 Figures: Figure 10-5 MSTP VLAN Configuration 10-22; Figure 10-6 MSTP Port Information 10-24; Figure 10-7 MSTP Port Configuration ...
  • Page 34 Figures: Figure 16-4 DHCP Server Pool - Network Configuration 16-9; Figure 16-5 DHCP Server Pool - Host Configuration 16-10; Figure 16-6 DHCP Server - IP Binding ...
  • Page 35: Section I Getting Started

    Section I: Getting Started. This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface. Introduction 1-1; Initial Configuration ...
  • Page 36 Getting Started...
  • Page 37: Introduction

    Introduction. This switch provides a broad range of features for Layer 2 switching and Layer 3 routing. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
  • Page 38: Table 1-1 Key Features

    Table 1-1 Key Features (Continued). Columns: Feature, Description. Rows: Client and Proxy service; Port Configuration: Speed and duplex mode and flow control; Rate Limiting: Input and output rate limiting per port; Port Mirroring: One or more ports mirrored to single analysis port; Port Trunking: Supports up to 32 trunks using either static or dynamic trunking (LACP)
  • Page 39: Description Of Software Features

    Introduction: Description of Software Features. The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network. Untagged (port-based), tagged, and protocol-based VLANs, plus support for automatic GVRP VLAN registration provide traffic security and efficient use of network bandwidth.
  • Page 40 Description of Software Features: be used to improve performance by blocking unnecessary network traffic or to implement security controls by restricting access to specific network resources or protocols. DHCP Server and DHCP Relay – A DHCP server is provided to assign IP addresses to host devices.
  • Page 41 (CRC). This prevents bad frames from entering the network and wasting bandwidth. To avoid dropping frames on congested ports, the SMC8824M and SMC8848M provide 75 MB and 1.5 MB, respectively for frame buffering. This buffer can queue packets awaiting transmission on congested networks.
  • Page 42 Description of Software Features: this protocol will choose a single path and disable all others to ensure that only one route exists between any two stations on the network. This prevents the creation of network loops. However, if the chosen path should fail for any reason, an alternate path will be activated to maintain the connection.
  • Page 43 Introduction: • Provide data security by restricting all traffic to the originating VLAN, except where a connection is explicitly defined via the switch’s routing service. • Use private VLANs to restrict traffic to pass only between data ports and the uplink ports, thereby isolating adjacent ports within the same VLAN, and allowing you to limit the total number of VLANs that need to be configured.
  • Page 44 Description of Software Features: Address Resolution Protocol – The switch uses ARP and Proxy ARP to convert between IP addresses and MAC (i.e., hardware) addresses. This switch supports conventional ARP, which locates the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next.
  • Page 45: System Defaults

    Introduction: System Defaults. The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 5-48). The following table lists some of the basic system defaults. Table 1-2 System Defaults Function Parameter...
  • Page 46 System Defaults: Table 1-2 System Defaults (Continued) Function Parameter Default Web Management HTTP Server Enabled HTTP Port Number HTTP Secure Server Enabled HTTP Secure Port Number 443 SNMP SNMP Agent Enabled Community Strings “public” (read only) “private” (read/write) Traps Authentication traps: enabled Link-up-down events: enabled SNMP V3 View: defaultview...
  • Page 47 Introduction: Table 1-2 System Defaults (Continued) Function Parameter Default Virtual LANs Default VLAN PVID Acceptable Frame Type Ingress Filtering Disabled Switchport Mode (Egress Hybrid: tagged/untagged frames Mode) GVRP (global) Disabled GVRP (port interface) Disabled Traffic Ingress Port Priority Prioritization Queue Mode Weighted Round Robin Queue: 0 1 2 3 4 5 6 7 Weight: 1 2 4 6 8 10 12 14...
  • Page 48: Table 1-2 System Defaults

    System Defaults: Table 1-2 System Defaults (Continued) Function Parameter Default IP Settings Management. VLAN Any VLAN configured with an IP address IP Address 0.0.0.0 Subnet Mask 255.0.0.0 Default Gateway 0.0.0.0 DHCP Client: Enabled Relay: Disabled Server: Disabled Client/Proxy: Disabled BOOTP Disabled Enabled Cache Timeout: 20 minutes...
  • Page 49: Initial Configuration

    Initial Configuration: Connecting to the Switch. Configuration Options. The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
  • Page 50 Connecting to the Switch: The switch’s web interface, CLI configuration program, and SNMP agent allow you to perform the following management functions: • Set user names and passwords • Set an IP interface for any VLAN • Configure SNMP parameters •...
  • Page 51: Required Connections

    Initial Configuration: Required Connections. The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provided with the switch. Note: When configuring a stack, connect to the console port on the Master unit.
  • Page 52: Remote Connections

    Connecting to the Switch: Notes: 1. When using HyperTerminal with Microsoft® Windows® 2000, make sure that you have Windows 2000 Service Pack 2 or later installed. Windows 2000 Service Pack 2 fixes the problem of arrow keys not functioning in HyperTerminal’s VT100 emulation.
  • Page 53: Stack Operations

    Initial Configuration: unit does not have to include an active port member in the VLAN interface used for management access. After configuring the switch’s IP parameters, you can access the onboard configuration program from anywhere within the attached network. The onboard configuration program can be accessed using Telnet from any computer attached to the network.
  • Page 54: Selecting The Backup Unit

    Stack Operations: - If Master/Slave push button is depressed on more than one unit, the system will select the unit with the lowest MAC address from those with the push button depressed as the stack Master. - If Master/Slave push button is not depressed on any unit, the system will select the unit with the lowest MAC address as the stack Master.
  • Page 55: Recovering From Stack Failure Or Topology Change

    Initial Configuration: Recovering from Stack Failure or Topology Change. When a link or unit in the stack fails, a trap message is sent and a failure event is logged. The stack will be rebooted after any system failure or topology change. It takes two to three minutes for the stack to reboot. If the Master unit fails, the backup unit will take over operations as the new Master unit, reboot the stack, and then select another backup unit after the stack finishes rebooting.
  • Page 56: Resilient Ip Interface For Management Access

    Stack Operations: Resilient IP Interface for Management Access. The stack functions as one integral system for management and configuration purposes. You can therefore manage the stack through any IP interface configured on the stack. The Master unit does not even have to include an active port member in the VLAN interface used for management access.
  • Page 57: Basic Configuration

    Initial Configuration: not the same as those on the Master Unit, the stack will operate in Special Stacking Mode in which all backup units are disabled as described below: • The master unit starts normal operation mode in standalone mode. •...
  • Page 58: Setting Passwords

    Basic Configuration: Note: You can only access the console interface through the Master unit in the stack. Access to both CLI levels is controlled by user names and passwords. The switch has a default user name and password for each level. To log into the CLI at the Privileged Exec level using the default user name and password, perform these steps: 1.
  • Page 59: Setting An Ip Address

    Initial Configuration: 4. Type “username admin password 0 password,” for the Privileged Exec level, where password is your new password. Press <Enter>.
        Username: admin
        Password:
        CLI session with the TigerStackII 10/100/1000 is opened.
        To end the CLI session, enter [Exit].
        Console#configure
        Console(config)#username guest password 0 [password]...
  • Page 60 Basic Configuration: Assigning an IPv4 Address. Before you can assign an IP address to the switch, you must obtain the following information from your network administrator: • IP address for the switch • Network mask for this network • Default gateway for the network To assign an IPv4 address to the switch, complete the following steps: 1.
  • Page 61 Initial Configuration: appropriate number of zeros required to fill the undefined fields. For detailed information on the other ways to assign IPv6 addresses, see “Setting the Switch’s IP Address (IP Version 6)” on page 5-29. Link Local Address — All link-local addresses must be configured with a prefix of FE80.
  • Page 62 Basic Configuration: Address for Multi-segment Network — Before you can assign an IPv6 address to the switch that will be used to connect to a multi-segment network, you must obtain the following information from your network administrator: • Prefix for this network •...
  • Page 63: Dynamic Configuration

    Initial Configuration: 5. To set the IP address of the IPv6 default gateway for the network to which the switch belongs, type “ipv6 default-gateway gateway,” where “gateway” is the IPv6 address of the default gateway. Press <Enter>.
        Console(config)#ipv6 general-prefix rd 2001:DB8:2222::/48
        Console(config)#interface vlan 1
        Console(config-if)#ipv6 address rd 0:0:0:7272::72/64...
  • Page 64 Basic Configuration: To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete the following steps: 1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>. 2.
  • Page 65 Initial Configuration: Obtaining an IPv6 Address. Link Local Address — There are several ways to dynamically configure IPv6 addresses. The simplest method is to automatically generate a “link local” address (identified by an address prefix of FE80). This address type makes the switch accessible over IPv6 for all devices attached to the same local subnet.
  • Page 66: Enabling Snmp Management Access

    Basic Configuration: 2. From the interface prompt, type “ipv6 address autoconfig” and press <Enter>.
        Console(config)#interface vlan 1
        Console(config-if)#ipv6 address autoconfig
        Console(config-if)#end
        Console#show ipv6 interface
        Vlan 1 is up
        IPv6 is enable.
        Link-local address: FE80::212:CFFF:FE0B:4600/64
        Global unicast address(es):
        2005::212:CFFF:FE0B:4600, subnet is 2005:0:0:0::/64
        3FFE:501:FFFF:100:212:CFFF:FE0B:4600, subnet is 3FFE:501:FFFF:100::/64...
  • Page 67: Community Strings (For Snmp Version 1 And 2C Clients)

    Initial Configuration: entire MIB tree. However, you may assign new views to version 1 or 2c community strings that suit your specific security requirements (see page 5-78). Community Strings (for SNMP version 1 and 2c clients). Community strings are used to control management access to SNMP version 1 and 2c stations, as well as to authorize SNMP stations to receive trap messages from the switch.
  • Page 68: Trap Receivers

    Basic Configuration: Trap Receivers. You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, use the “snmp-server host” command. From the Privileged Exec level global configuration mode prompt, type: “snmp-server host host-address community-string [version {1 | 2c | 3 {auth | noauth | priv}}]”...
  • Page 69: Managing System Files

    Initial Configuration: the last step, it assigns a v3 user to this group, indicating that MD5 will be used for authentication, provides the password “greenpeace” for authentication, and the password “einstien” for encryption.
        Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included
        Console(config)#snmp-server view 802.1d 1.3.6.1.2.1.17 included
        Console(config)#snmp-server group r&d v3 auth mib-2 802.1d
        Console(config)#snmp-server user steve group r&d v3 auth md5...
  • Page 70: Saving Configuration Settings

    Managing System Files: Configuration Settings” on page 5-47 for more information. See “Saving or Restoring Configuration Settings” on page 5-47 for more information. • Operation Code — System software that is executed after boot-up, also known as run-time code. This code runs the switch operations and provides the CLI and web management interfaces.
  • Page 71 Initial Configuration: There can be more than one user-defined configuration file saved in the switch’s flash memory, but only one is designated as the “startup” file that is loaded when the switch boots. The copy running-config startup-config command always sets the new file as the startup file. To select a previously saved configuration file, use the boot system config:<filename>...
  • Page 72 Managing System Files 2-24...
  • Page 73 Section II: Switch Management. This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser, and a brief example for the Command Line Interface. Configuring the Switch 3-1; Basic Management Tasks ...
  • Page 74 Switch Management...
  • Page 75: Configuring The Switch

    Configuring the Switch: Using the Web Interface. This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above).
  • Page 76 Configuring the Switch: Notes: 1. You are allowed three attempts to enter the correct password; on the third failed attempt the current connection is terminated. 2. If you log into the web interface as guest (Normal Exec level), you can view the configuration settings or change the guest password.
  • Page 77: Navigating The Web Browser Interface

    Note: The examples in this chapter are based on the SMC8824M. Other than the number of fixed ports, there are no other differences between the SMC8824M and SMC8848M. The panel graphics for both switch types are shown on the following page.
  • Page 78: Configuration Options

    Configuring the Switch: Configuration Options. Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
  • Page 79: Panel Display

    Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control). Clicking on the image of a port opens the Port Configuration page as described on page 8-4. SMC8824M SMC8848M Figure 3-2 Front Panel Indicators...
  • Page 80: Main Menu

    Configuring the Switch: Main Menu. Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 3-2 Switch Main Menu Menu Description Page...
  • Page 81 Navigating the Web Browser Interface: Table 3-2 Switch Main Menu (Continued) Menu Description Page 4-41 Logs Sends error messages to a logging process 4-45 System Logs Stores and displays error messages 4-41 Remote Logs Configures the logging of messages to a 4-43 remote logging process SMTP...
  • Page 82 Configuring the Switch: Table 3-2 Switch Main Menu (Continued) Menu Description Page Authentication Settings Configures authentication sequence, RADIUS and TACACS HTTPS Settings Configures secure HTTP settings 6-10 Settings Configures Secure Shell server settings 6-16 Host-Key Settings Generates the host key pair (public and 6-13 private) Port Security...
  • Page 83 Navigating the Web Browser Interface: Table 3-2 Switch Main Menu (Continued) Menu Description Page LACP 8-11 Configuration Allows ports to dynamically join trunks 8-11 Aggregation Port Configures parameters for link aggregation 8-13 group members Port Counters Displays statistics for LACP protocol 8-17 Information messages...
  • Page 84 Configuring the Switch: Table 3-2 Switch Main Menu (Continued) Menu Description Page Address Aging Sets timeout for dynamically learned entries Spanning Tree 10-1 Information Displays STA values used for the bridge 10-4 Configuration Configures global bridge settings for STP, 10-8 RSTP and MSTP Port Information Displays individual port settings for STA...
  • Page 85 Navigating the Web Browser Interface: Table 3-2 Switch Main Menu (Continued) Menu Description Page Static Table Modifies the settings for an existing VLAN 11-10 Static Membership by Configures membership type for interfaces, 11-13 Port including tagged, untagged or forbidden Port Configuration Specifies default PVID and VLAN attributes 11-14 Trunk Configuration Specifies default trunk VID and VLAN...
  • Page 86 Configuring the Switch: Table 3-2 Switch Main Menu (Continued) Menu Description Page IP Port Priority Status Globally enables or disables IP Port Priority 12-14 IP Port Priority Sets TCP/UDP port priority, defining the 12-10 socket number and associated class-of-service value 13-1 DiffServ Configure QoS classification criteria and...
  • Page 87 Navigating the Web Browser Interface: Table 3-2 Switch Main Menu (Continued) Menu Description Page 15-1 General Configuration Enables DNS; configures domain name and 15-1 domain list; and specifies IP address of name servers for dynamic lookup Static Host Table Configures static entries for domain name to 15-4 address mapping Cache...
  • Page 88 Configuring the Switch: Table 3-2 Switch Main Menu (Continued) Menu Description Page Other Addresses Shows internal addresses used by the switch 17-16 Statistics Shows statistics on ARP requests sent and 17-17 received Statistics 17-19 Shows statistics for IP traffic, including the 17-19 amount of traffic, address errors, routing, fragmentation and reassembly...
  • Page 89 Navigating the Web Browser Interface: Table 3-2 Switch Main Menu (Continued) Menu Description Page Redistribute Imports external routing information from 17-39 Configuration other routing domains into the autonomous system Statistics Displays general information on update time, 17-41 route changes and number of queries, as well as a list of statistics for known interfaces and neighbors 3-15...
  • Page 90 Configuring the Switch 3-16...
  • Page 91: Basic Management Tasks

    Basic Management Tasks: This chapter describes the basic functions required to set up management access to the switch, display or upgrade operating software, or reset the system. Displaying System Information. You can easily identify the system by displaying the device name, location and contact information.
  • Page 92: Figure 4-1 System Information

    Basic Management Tasks: • Web Secure Server Port – Shows the TCP port used by the HTTPS interface. • Telnet Server – Shows if management access via Telnet is enabled. • Telnet Server Port – Shows the TCP port used by the Telnet interface. •...
  • Page 93 Displaying System Information: CLI – Specify the hostname, location and contact information.
      Console(config)#hostname R&D 5
      Console(config)#snmp-server location WC 9
      Console(config)#snmp-server contact Ted
      Console(config)#exit
      Console#show system
      System Description: 24/48 port 10/100/1000 Stackable Managed Switch with 2 X 10
      System OID String: 1.3.6.1.4.1.202.20.57
      System Information
      System Up Time:...
  • Page 94 Basic Management Tasks: Displaying Switch Hardware/Software Versions. Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. Field Attributes Main Board • Serial Number – The serial number of the switch. •...
  • Page 95: Displaying Switch Hardware/Software Versions

    Displaying Switch Hardware/Software Versions: Web – Click System, Switch Information. Figure 4-2 Switch Information. CLI – Use the following command to display version information.
        Console#show version
        Unit 1
        Serial Number: 0000E8900000
        Hardware Version:
        EPLD Version: 1.02
        Number of Ports:
        Main Power Status:
        Redundant Power Status: Not present...
  • Page 96: Displaying Bridge Extension Capabilities

    Basic Management Tasks: Displaying Bridge Extension Capabilities. The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables. Field Attributes • Extended Multicast Filtering Services – This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
  • Page 97: Figure 4-3 Displaying Bridge Extension Configuration

    Displaying Bridge Extension Capabilities: Web – Click System, Bridge Extension. Figure 4-3 Displaying Bridge Extension Configuration. CLI – Enter the following command.
        Console#show bridge-ext
        Max support VLAN numbers:
        Max support VLAN ID: 4093
        Extended multicast filtering services: No
        Static entry individual port:
        VLAN learning:
        Configurable PVID tagging:
        Local VLAN capable:...
  • Page 98: Setting The Switch's Ip Address (Ip Version 4)

    Basic Management Tasks: Setting the Switch’s IP Address (IP Version 4). This section describes how to configure an initial IPv4 interface for management access over the network. This switch supports both IPv4 and IPv6, and can be managed through either of these address types. For information on configuring the switch with an IPv6 address, see “Setting the Switch’s IP Address (IP Version 6)”...
  • Page 99 Setting the Switch’s IP Address (IP Version 4): Command Attributes • VLAN – ID of the configured VLAN (1-4093). By default, all ports on the stack are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
  • Page 100: Manual Configuration

    Basic Management Tasks: Manual Configuration. Web – Click IP, General, Routing Interface. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” and specify a “Primary” interface. Enter the IP address, and subnet mask, then click Apply. Figure 4-4 IPv4 Interface Configuration - Manual. Click IP, Global Setting.
  • Page 101: Using Dhcp/Bootp

    Setting the Switch’s IP Address (IP Version 4): CLI – Specify the management interface, IP address and default gateway.
        Console#config
        Console(config)#interface vlan 1
        Console(config-if)#ip address 10.1.0.253 255.255.255.0
        Console(config-if)#exit
        Console(config)#ip default-gateway 10.1.0.254
        Console(config)#
    Using DHCP/BOOTP. If your network provides DHCP/BOOTP services, you can configure the stack to be dynamically configured by these services.
  • Page 102 Basic Management Tasks: CLI – Specify the management interface, and set the IP address mode to DHCP or BOOTP, and then enter the “ip dhcp restart client” command.
      Console#config
      Console(config)#interface vlan 1
      Console(config-if)#ip address dhcp
      Console(config-if)#end
      Console#ip dhcp restart client
      Console#show ip interface...
  • Page 103: Setting The Switch's Ip Address (Ip Version 6)

    ’ IP A (IP V ETTING THE WITCH DDRESS ERSION Setting the Switch’s IP Address (IP Version 6) This section describes how to configure an initial IPv6 interface for management access over the network. This switch supports both IPv4 and IPv6, and can be managed through either of these address types.
  • Page 104 ASIC ANAGEMENT ASKS • All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. •...
  • Page 105 ’ IP A (IP V ETTING THE WITCH DDRESS ERSION • You can configure multiple IPv6 global unicast addresses per interface, but only one link-local address per interface. • If a duplicate link-local address is detected on the local segment, this interface is disabled and a warning message displayed on the console.
  • Page 106 ASIC ANAGEMENT ASKS • IPv6 MTU – Sets the size of the maximum transmission unit (MTU) for IPv6 packets sent on an interface. (Range: 1280-65535 bytes, Default: 1500 bytes) - If a non-default value is configured, an MTU option is included in the router advertisements sent from this device.
  • Page 107 ’ IP A (IP V ETTING THE WITCH DDRESS ERSION - A global unicast address can be configured by specifying the network prefix and the length of the prefix (in the IPv6 Address and Prefix Length fields), and then selecting the Address Type “EUI-64”...
  • Page 108 ASIC ANAGEMENT ASKS length of the general prefix. Therefore, depending on the value specified by the Prefix Length, some of the address bits entered in the IPv6 Address field may be appended to the general prefix. However, if the Prefix Length is shorter than the general prefix, then the length of the general prefix takes precedence, and some of the address bits entered in the IPv6 Address field will be ignored.
  • Page 109 converted into EUI-64 format by inverting the universal/local bit in the address and inserting the hexadecimal number FFFE between the upper and lower three bytes of the MAC address. For example, if a device had an EUI-48 address of 28-9F-18-1C-82-35, the global/local bit must first be inverted to meet EUI-64 requirements (i.e., 1 for globally defined addresses and 0 for locally defined addresses), changing 28 to 2A.
  • Page 110 A node is also required to compute and join the associated solicited-node multicast addresses for every unicast and anycast address it is assigned. IPv6 addresses that differ only in the high-order bits, e.g. due to multiple high-order prefixes associated with different aggregations, will map to the same solicited-node address, thereby reducing the number of multicast addresses a node must join.
  • Page 111: Figure 4-7 IPv6 Interface Configuration

    Web – Click System, IPv6 Configuration, IPv6 Configuration. Set the IPv6 default gateway, specify the VLAN to configure, enable IPv6, and set the MTU. Then enter a global unicast or link-local address and click Add IPv6 Address.
  • Page 112: Configuring An IPv6 General Network Prefix

    CLI – This example configures an IPv6 gateway, specifies the management interface, configures a global unicast address, and then sets the MTU. Console#config Console(config)#ipv6 default-gateway 2009:DB9:2229::240 36-24 Console(config)#ipv6 general-prefix rd 2009:DB9:2229::/48 36-12 Console(config)#interface vlan 1 24-2 Console(config-if)#ipv6 address rd 7279::79/64 36-14 Console(config-if)#ipv6 mtu 1280 36-26...
  • Page 113: Figure 4-8 IPv6 General Prefix Configuration

    subnets. When the general prefix is changed, all of the more specific prefixes based on this prefix will also change. Command Attributes • General Prefix Name – The label assigned to the general prefix. •...
  • Page 114: Configuring Neighbor Detection Protocol And Static Entries

    CLI – This example creates a general network prefix of 2009:DB9:2229::/ Console(config)#ipv6 general-prefix rd 2009:DB9:2229::/48 36-12 Console(config)#end Console#show ipv6 general-prefix 36-13 IPv6 general prefix: rd 2009:DB9:2229::/48 Console# Configuring Neighbor Detection Protocol and Static Entries IPv6 Neighbor Discovery Protocol supersedes IPv4 Address Resolution Protocol in IPv6 networks.
  • Page 115 - An interface that is re-activated restarts duplicate address detection for all unicast IPv6 addresses on the interface. While duplicate address detection is performed on the interface’s link-local address, the other IPv6 addresses remain in a “tentative”...
  • Page 116 - STALE - More than the ReachableTime interval has elapsed since the last positive confirmation was received that the forward path was functioning. While in STALE state, the device takes no action until a packet is sent. - DELAY - More than the ReachableTime interval has elapsed since the last positive confirmation was received that the forward path was functioning.
  • Page 117: Figure 4-9 IPv6 Neighbor Detection And Neighbor Cache

    Web – Click System, IPv6 Configuration, IPv6 ND Neighbor. To configure the Neighbor Detection protocol settings, select a VLAN interface, set the number of attempts allowed for duplicate address detection, set the interval for neighbor solicitation messages, and click Apply.
  • Page 118: Configuring Support For Jumbo Frames

    Configuring Support for Jumbo Frames The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 9216 bytes. Compared to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet overhead required to process protocol encapsulation fields.
  • Page 119: Managing Firmware

    Managing Firmware You can upload/download firmware to or from a TFTP server, or copy files to and from switch units in a stack. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation.
  • Page 120: Downloading System Software From A Server

    Downloading System Software from a Server When downloading runtime code, you can specify the destination file name to replace the current image, or first download the file using a different name from the current runtime code file, and then set the new file as the startup file.
  • Page 121: Figure 4-12 Setting The Startup Code

    If you download to a new destination file, go to the File Management, Set Start-Up menu, mark the operation code file used at startup, and click Apply. To start the new firmware, reboot the system via the System/Reset menu.
  • Page 122: Saving Or Restoring Configuration Settings

    CLI – To download new firmware from a TFTP server, enter the IP address of the TFTP server, select “config” as the file type, then enter the source and destination file names. When the file has finished downloading, set the new file to start up the system, and then restart the switch.
  • Page 123 - running-config to startup-config – Copies the running config to the startup config. - running-config to tftp – Copies the running configuration to a TFTP server. - startup-config to file – Copies the startup configuration to a file on the switch.
  • Page 124: Downloading Configuration Settings From A Server

    Downloading Configuration Settings from a Server You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg”...
  • Page 125: Figure 4-15 Setting The Startup Configuration Settings

    If you download to a new file name using “tftp to startup-config” or “tftp to file,” the file is automatically set as the start-up configuration file. To use the new settings, reboot the system via the System/Reset menu. You can also select any configuration file as the start-up configuration by using the System/File Management/Set Start-Up page.
  • Page 126: Console Port Settings

    Console Port Settings You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port. Management access through the console port is controlled by various parameters, including a password, timeouts, and basic communication settings. These parameters can be configured via the web or CLI interface.
  • Page 127: Figure 4-16 Configuring The Console Port

    device connected to the serial port. (Range: 9600, 19200, 38400, 57600, or 115200 baud, Auto; Default: Auto) • Stop Bits – Sets the number of the stop bits transmitted per byte. (Range: 1-2; Default: 1 stop bit) • Password –...
  • Page 128: Telnet Settings

    CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level. Console(config)#line console 20-22 Console(config-line)#login local 20-23 Console(config-line)#password 0 secret 20-24...
  • Page 129 • Login Timeout – Sets the interval that the system waits for a user to log into the CLI. If a login attempt is not detected within the timeout interval, the connection is terminated for the session. (Range: 0 - 300 seconds; Default: 300 seconds) •...
  • Page 130: Figure 4-17 Configuring The Telnet Interface

    Web – Click System, Line, Telnet. Specify the connection parameters for Telnet access, then click Apply. Figure 4-17 Configuring the Telnet Interface CLI – Enter Line Configuration mode for a virtual terminal, then specify the connection parameters as required. To display the current virtual terminal settings, use the show line command from the Normal Exec level.
  • Page 131: Table 4-1 Logging Levels

    Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displaying a list of recent event messages. System Log Configuration The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
  • Page 132: Figure 4-18 System Logs

    Table 4-1 Logging Levels (Continued) Level Severity Name Description Warning Warning conditions (e.g., return false, unexpected return) Error Error conditions (e.g., invalid input, default used) Critical Critical conditions (e.g., memory allocation, or free memory error - resource exhausted) Alert Immediate action needed Emergency...
  • Page 133: Configuring Event Logging

    CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory. Use the show logging command to display the current settings. Console(config)#logging on 20-34 Console(config)#logging history ram 0 20-35 Console(config)# Console#show logging ram...
  • Page 134: Figure 4-19 Remote Logs

    • Host IP Address – Specifies a new server IP address to add to the Host IP List. Web – Click System, Logs, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add.
  • Page 135: Displaying Log Messages

    CLI – Enter the syslog server host IP address, choose the facility type and set the logging trap. Console(config)#logging host 10.1.0.9 20-36 Console(config)#logging facility 23 20-37 Console(config)#logging trap 4 20-38 Console(config)#logging trap Console(config)#exit Console#show logging trap 20-40 Syslog logging: Enabled REMOTELOG status:...
  • Page 136: Sending Simple Mail Transfer Protocol Alerts

    CLI – This example shows the event message stored in RAM. Console#show log ram 20-40 [1] 00:01:30 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1 [0] 00:01:30 2001-01-01 "Unit 1, Port 1 link-up notification."...
  • Page 137: Figure 4-21 Enabling And Configuring SMTP Alerts

    Web – Click System, Log, SMTP. Enable SMTP, specify a source email address, and select the minimum severity level. To add an IP address to the SMTP Server List, type the new IP address in the SMTP Server field and click Add.
  • Page 138: Renumbering The Stack

    CLI – Enter the IP address of at least one SMTP server, set the syslog severity level to trigger an email message, and specify the switch (source) and up to five recipient (destination) email addresses. Enable SMTP with the logging sendmail command to complete the configuration.
  • Page 139: Resetting The System

    therefore remember to save the current configuration after renumbering the stack. • For a line topology, the stack is numbered from top to bottom, with the first unit in the stack designated as unit 1. For a ring topology, the Master unit is taken as the top of the stack and is numbered as unit 1, and all other units are numbered sequentially down through the ring.
  • Page 140: Setting The System Clock

    Setting the System Clock Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
  • Page 141: Setting The Time Zone

    Web – Select SNTP, Configuration. Modify any of the required parameters, and click Apply. Figure 4-24 SNTP Configuration CLI – This example configures the switch to operate as an SNTP client and then displays the current time and settings. Console(config)#sntp client 20-48 Console(config)#sntp poll 16...
  • Page 142: Figure 4-25 Clock Time Zone

    • Minutes (0-59) – The number of minutes before/after UTC. • Direction – Configures the time zone to be before (east) or after (west) UTC. Web – Select SNTP, Clock Time Zone. Set the offset for your time zone relative to the UTC, and click Apply.
  • Page 143: Simple Network Management Protocol

    Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.
  • Page 144: Table 5-1 SNMPv3 Security Models And Levels

    Access to the switch from clients using SNMPv3 provides additional security features that cover message integrity, authentication, and encryption, as well as controlling user access to specific areas of the MIB tree. The SNMPv3 security structure consists of security models, with each model having its own security levels.
  • Page 145 Table 5-1 SNMPv3 Security Models and Levels (Continued) Model Level Group Read View Write Notify Security View View AuthNoPriv user defined user defined user defined user defined Provides user authentication via MD5 or SHA algorithms AuthPriv user defined user defined user defined user defined Provides user...
  • Page 146: Enabling The SNMP Agent

    Enabling the SNMP Agent Enables SNMPv3 service for all management clients (i.e., versions 1, 2c, 3). Command Attributes SNMP Agent Status – Enables SNMP on the switch. Web – Click SNMP, Agent Status. Enable the SNMP Agent by marking the Enabled checkbox, and click Apply.
  • Page 147: Setting Community Access Strings

    • Community String – A community string that acts like a password and permits access to the SNMP protocol. Default strings: “public” (read-only access), “private” (read/write access) Range: 1-32 characters, case sensitive • Access Mode – Specifies the access rights for the community string: - Read-Only –...
  • Page 148: Specifying Trap Managers And Trap Types

    Specifying Trap Managers and Trap Types Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as HP OpenView).
  • Page 149 To send an inform to an SNMPv3 host, complete these steps: 1. Enable the SNMP agent (page 5-4). 2. Enable trap informs as described in the following pages. 3. Create a view with the required notification messages (page 5-24). 4.
  • Page 150 • Trap Inform – Notifications are sent as inform messages. Note that this option is only available for version 2c and 3 hosts. (Default: traps are used) - Timeout – The number of seconds to wait for an acknowledgment before resending an inform message.
  • Page 151: Figure 5-3 Configuring SNMP Trap Managers

    Web – Click SNMP, Configuration. Enter the IP address and community string for each management station that will receive trap messages, specify the UDP port, SNMP trap version, trap security level (for v3 clients), trap inform settings (for v2c/v3 clients), and then click Add. Select the trap types required using the check boxes for Authentication and Link-up/down traps, and then click Apply.
  • Page 152 Configuring SNMPv3 Management Access To configure SNMPv3 management access to the switch, follow these steps: 1. If you want to change the default engine ID, do so before configuring other SNMP parameters. 2. Specify read and write access views for the switch MIB tree. 3.
  • Page 153: Configuring SNMPv3 Management Access

    Web – Click SNMP, SNMPv3, Engine ID. Enter an ID of up to 26 hexadecimal characters and then click Save. Figure 5-4 Setting the SNMPv3 Engine ID CLI – This example sets an SNMPv3 engine ID. Console(config)#snmp-server engine-id local 12345abcdef 21-10 Console(config)#exit...
  • Page 154: Configuring SNMPv3 Users

    Web – Click SNMP, SNMPv3, Remote Engine ID. Enter an ID of up to 26 hexadecimal characters and then click Save. Figure 5-5 Setting an Engine ID CLI – This example specifies a remote SNMPv3 engine ID. Console(config)#snmp-server engine-id remote 54321 192.168.1.19 21-10 Console(config)#exit...
  • Page 155 - AuthPriv – SNMP communications use both authentication and encryption (only available for the SNMPv3 security model). • Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) • Authentication Password – A minimum of eight plain text characters is required.
  • Page 156: Figure 5-6 Configuring SNMPv3 Users

    Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
  • Page 157: Configuring Remote SNMPv3 Users

    CLI – Use the snmp-server user command to configure a new user name and assign it to a group. Console(config)#snmp-server user chris group r&d v3 auth md5 greenpeace priv des56 einstien 21-18 Console(config)#exit Console#show snmp user 21-20 EngineId: 80000034030001f488f5200000 User Name: chris...
  • Page 158 • Security Model – The user security model; SNMP v1, v2c or v3. (Default: v1) • Security Level – The security level used for the user: - noAuthNoPriv – There is no authentication or encryption used in SNMP communications.
  • Page 159: Figure 5-7 Configuring Remote SNMPv3 Users

    Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
  • Page 160: Configuring SNMPv3 Groups

    CLI – Use the snmp-server user command to configure a new user name and assign it to a group. Console(config)#snmp-server user mark group r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien 21-18 Console(config)#exit Console#show snmp user 21-20 No user exist.
  • Page 161: Table 5-2 Supported Notification Messages

    • Notify View – The configured view for notifications. (Range: 1-64 characters) Table 5-2 Supported Notification Messages Object Label Object ID Description RFC 1493 Traps newRoot 1.3.6.1.2.1.17.0.1 The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree;...
  • Page 162 Table 5-2 Supported Notification Messages (Continued) Object Label Object ID Description linkDown 1.3.6.1.6.3.1.1.5.3 A linkDown trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state (but not from the...
  • Page 163 Table 5-2 Supported Notification Messages (Continued) Object Label Object ID Description RMON Events (V2) risingAlarm 1.3.6.1.2.1.16.0.1 The SNMP trap that is generated when an alarm entry crosses its rising threshold and generates an event that is configured for sending SNMP traps.
  • Page 164 Table 5-2 Supported Notification Messages (Continued) Object Label Object ID Description swThermalRisingNotification 1.3.6.1.4.1.202.20.57.84.2.1.0.58 This trap is sent when the temperature exceeds the switchThermalActionRisingThreshold. swThermalFallingNotification 1.3.6.1.4.1.202.20.57.84.2.1.0.59 This trap is sent when the temperature falls below the switchThermalActionFallingThreshold.
  • Page 165: Figure 5-8 Configuring SNMPv3 Groups

    Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read, write, and notify views. Click Add to save the new group and return to the Groups list.
  • Page 166: Setting SNMPv3 Views

    CLI – Use the snmp-server group command to configure a new group, specifying the security model and level, and restricting MIB access to defined read and write views. Console(config)#snmp-server group secure-users v3 priv read defaultview write defaultview notify defaultview 21-15 Console(config)#exit Console#show snmp group...
  • Page 167: Figure 5-9 Configuring SNMPv3 Views

    Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view. Click Back to save the new view and return to the SNMPv3 Views list.
  • Page 168 CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included 21-13 Console(config)#exit Console#show snmp view 21-14 View Name: ifEntry.a Subtree OID: 1.3.6.1.2.1.2.2.1.1.*...
  • Page 169: User Authentication

    You can restrict management access to this switch and provide secure network access using the following options: • User Accounts – Manually configure management access rights for users. • Authentication Settings – Use remote authentication to configure access rights.
  • Page 170: Figure 6-1 User Accounts

    Command Attributes • Account List – Displays the current list of user accounts and associated access levels. (Defaults: admin, and guest) • New Account – Displays configuration settings for a new account. - User Name – The name of the user. (Maximum length: 8 characters;...
  • Page 171 CLI – Assign a user name to access-level 15 (i.e., administrator), then specify the password. Console(config)#username bob access-level 15 22-2 Console(config)#username bob password 0 smith Console(config)# Configuring Local/Remote Logon Authentication Use the Authentication Settings menu to restrict management access based on specified user names and passwords.
  • Page 172 Command Usage • By default, management access is always checked against the authentication database stored on the local switch. If a remote authentication server is used, you must specify the authentication sequence and the corresponding parameters for the remote authentication protocol.
  • Page 173: Configuring Local/Remote Logon Authentication

    - Server IP Address – Address of authentication server. (Default: 10.1.0.1) - Server Port Number – Network (UDP) port of authentication server used for authentication messages. (Range: 1-65535; Default: 1812) - Secret Text String – Encryption key used to authenticate logon access for client.
  • Page 174: Figure 6-2 Authentication Server Settings

    Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply. Figure 6-2 Authentication Server Settings CLI –...
  • Page 175: Configuring HTTPS

    Server 1: Server IP address: 192.168.1.25 Communication key with RADIUS server: ***** Server port number: 181 Retransmit times: 5 Request timeout: 10 Console#config Console(config)#authentication login tacacs 22-5 Console(config)#tacacs-server host 10.20.30.40 22-13 Console(config)#tacacs-server port 200 22-14 Console(config)#tacacs-server key green 22-14 Console(config)#exit Console#show tacacs-server...
  • Page 176: Table 6-1 HTTPS System Support

    • The following web browsers and operating systems currently support HTTPS: Table 6-1 HTTPS System Support Web Browser Operating System Internet Explorer 5.0 or later Windows 98, Windows NT (with service pack 6a), Windows 2000, Windows XP Netscape Navigator 6.2 or later Windows 98, Windows NT (with service pack 6a), Windows 2000, Windows XP, Solaris 2.6...
  • Page 177: Replacing The Default Secure-Site Certificate

    Replacing the Default Secure-site Certificate When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch. By default, the certificate that Netscape and Internet Explorer display will be associated with a warning that the site is not recognized as a secure site.
  • Page 178: Configuring The Secure Shell

    Configuring the Secure Shell The Berkeley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
  • Page 179 To use the SSH server, complete these steps: 1. Generate a Host Key Pair – On the SSH Host Key Settings page, create a host public/private key pair. 2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch.
  • Page 180 6. Authentication – One of the following authentication methods is employed: Password Authentication (for SSH v1.5 or V2 Clients) a. The client sends its password to the server. b. The switch compares the client's password to those stored in memory.
  • Page 181: Generating The Host Key Pair

    Authenticating SSH v2 Clients a. The client first queries the switch to determine if DSA public key authentication using a preferred algorithm is acceptable. b. If the specified algorithm is supported by the switch, it notifies the client to proceed with the authentication process.
  • Page 182 • Host-Key Type – The key type used to generate the host key pair (i.e., public and private keys). (Range: RSA, DSA, Both; Default: Both) The SSH server uses RSA or DSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
  • Page 183: Figure 6-4 SSH Host-Key Settings

    Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate.
  • Page 184: Configuring The SSH Server

    CLI – This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then displays the host’s public keys. Console#ip ssh crypto host-key generate 22-28 Console#ip ssh save host-key 22-30 Console#show public-key host 22-32 Host:...
  • Page 185: Figure 6-5 SSH Server Settings

    • SSH Authentication Retries – Specifies the number of authentication attempts that a client is allowed before authentication fails and the client has to restart the authentication process. (Range: 1-5 times; Default: 3) • SSH Server-Key Size – Specifies the SSH server key size. (Range: 512-896 bits;...
  • Page 186: Configuring Port Security

    CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SSH, and then disables this connection. Console(config)#ip ssh server 22-24 Console(config)#ip ssh timeout 100 22-25 Console(config)#ip ssh authentication-retries 5 22-26...
  • Page 187 MAC addresses the selected port will stop learning. The MAC addresses already in the address table will be retained and will not age out. Any other device that attempts to use the port will be prevented from accessing the switch.
  • Page 188: Figure 6-6 Port Security

    Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply.
  • Page 189 Configuring 802.1X Port Authentication Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data.
  • Page 190: Figure 6-7 802.1X Global Information

    method with its credentials, such as a password or certificate. The RADIUS server verifies the client credentials and responds with an accept or reject packet. If authentication is successful, the switch allows the client to access the network. Otherwise, network access is denied and the port remains blocked.
  • Page 191: Configuring 802.1X Port Authentication

    CLI – This example shows the default global setting for 802.1X. Console#show dot1x 22-44 Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status Operation Mode Mode Authorized disabled Single-Host ForceAuthorized disabled Single-Host ForceAuthorized 802.1X Port Details 802.1X is disabled on port 1/1 802.1X is disabled on port 26 Console#...
  • Page 192: Configuring Port Settings For 802.1X

    Configuring Port Settings for 802.1X When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and authentication server.
  • Page 193: Figure 6-9 802.1X Port Configuration

    • Re-authentication Period – Sets the time period after which a connected client must be re-authenticated. (Range: 1-65535 seconds; Default: 3600 seconds) • TX Period – Sets the time period during an authentication session that the switch waits before re-transmitting an EAP packet. (Range: 1-65535; Default: 30 seconds) •...
  • Page 194 Console#show dot1x 22-44 Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status Operation Mode Mode Authorized disabled Single-Host ForceAuthorized enabled Single-Host Auto 1/25 disabled Single-Host ForceAuthorized 1/26 disabled Single-Host ForceAuthorized 802.1X Port Details 802.1X is disabled on port 1/1 802.1X is enabled on port 1/2 reauth-enabled: Disable...
  • Page 195: Displaying 802.1X Statistics

    Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port. Table 6-2 802.1X Statistics Parameter Description Rx EAPOL Start The number of EAPOL Start frames that have been received by this Authenticator. Rx EAPOL Logoff The number of EAPOL Logoff frames that have been received by this Authenticator.
  • Page 196: Figure 6-10 802.1X Port Statistics

    Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics. Figure 6-10 802.1X Port Statistics CLI – This example displays the dot1x statistics for port 4. Console#show dot1x statistics interface ethernet 1/4 22-44 Eth 1/4 Rx: EAPOL...
  • Page 197: Filtering Ip Addresses For Management Access

    Filtering IP Addresses for Management Access You can create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet.
  • Page 198: Figure 6-11 Ip Filter

    • End IP Address – The end address of a range. Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add IP Filtering Entry. Figure 6-11 IP Filter CLI –...
  • Page 199: Access Control Lists

    Standard and Extended ACLs), IPv6 Standard ACLs, and IPv6 Extended ACLs. For the SMC8824M, all ports share this quota. For the SMC8848M, ports 1-24 share a quota of 96 rules, and ports 25-50 share another quota of 96 rules (since there are two switch chips in this...
  • Page 200: Setting The Acl Name And Type

    The order in which active ACLs are checked is as follows: 1. User-defined rules in IP and MAC ACLs for ingress ports are checked in parallel. 2. Rules within an ACL are checked in the configured order, from top to bottom.
  • Page 201: Configuring A Standard Ipv4 Acl

    Web – Click Security, ACL, Configuration. Enter an ACL name in the Name field, select the list type (IP Standard, IP Extended, MAC, IPv6 Standard, IPv6 Extended), and click Add to open the configuration page for the new list. Figure 7-1 Selecting ACL Type CLI –...
  • Page 202: Configuring An Extended Ipv4 Acl

    Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Then click Add.
  • Page 203 • Source/Destination IP Address – Source or destination IP address. • Source/Destination Subnet Mask – Subnet mask for source or destination address. (See the description for SubMask on page 3.) • Service Type – Packet priority settings based on the following criteria: - Precedence –...
  • Page 204: Figure 7-3 Acl Configuration - Extended Ipv4

    Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range.
  • Page 205: Configuring A Mac Acl

    3. Permit all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to “SYN.” Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any 23-5 Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any destination-port 80 Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any control-flag 2 2 Console(config-std-acl)# Configuring a MAC ACL Command Attributes...
  • Page 206: Figure 7-4 Acl Configuration - Mac

    Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range.
  • Page 207: Configuring A Standard Ipv6 Acl

    Configuring a Standard IPv6 ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source Address Type – Specifies the source IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IPv6-prefix”...
  • Page 208: Configuring An Extended Ipv6 Acl

    CLI – This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for addresses with the network prefix 2009:DB9:2229:5::/64. Console(config-std-ipv6-acl)#permit host 2009:DB9:2229::79 23-11 Console(config-std-ipv6-acl)#permit 2009:DB9:2229:5::/64 Console(config-std-ipv6-acl)# Configuring an Extended IPv6 ACL Command Attributes •...
  • Page 209 43: Routing (RFC 2460) 44: Fragment (RFC 2460) 51: Authentication (RFC 2402) 50: Encapsulating Security Payload (RFC 2406) 60: Destination Options (RFC 2460) • DSCP – DSCP priority level. (Range: 0-63) • Flow Label – A label for packets belonging to a particular traffic “flow” for which the sender requests special handling by IPv6 routers, such as non-default quality of service or “real-time”...
  • Page 210: Figure 7-6 Acl Configuration - Extended Ipv6

    Web – Specify the action (i.e., Permit or Deny). Select the address type (Any or IPv6-prefix). If you select “IPv6-prefix,” enter a subnet address and prefix length. Set any other required criteria, such as next header, DSCP, or flow label. Then click Add. Figure 7-6 ACL Configuration - Extended IPv6 CLI –...
  • Page 211: Binding A Port To An Access Control List

    Binding a Port to an Access Control List After configuring the Access Control Lists (ACL), you should bind them to the ports that need to filter traffic. You can only bind a port to one ACL for each basic type –...
  • Page 212 CLI – This example assigns an IP and MAC ingress ACL to port 1, and an IP ingress ACL to port 2. Console(config)#interface ethernet 1/1 24-2 Console(config-if)#ip access-group tom in 23-8 Console(config-if)#mac access-group jerry in 23-20 Console(config-if)#exit Console(config)#interface ethernet 1/2 Console(config-if)#ip access-group tom in Console(config-if)#...
  • Page 213: Port Configuration

    • Autonegotiation – Shows if auto-negotiation is enabled or disabled. • Media Type – Shows the forced/preferred port type to use for combination ports 21-24 (SMC8824M) or 45-48 (SMC8848M). (Copper-Forced, SFP-Forced, SFP-Preferred-Auto) • Trunk Member – Shows if port is a trunk member.
  • Page 214: Figure 8-1 Port - Port Information

    Web – Click Port, Port Information or Trunk Information. Figure 8-1 Port - Port Information Field Attributes (CLI) Basic information: • Port type – Indicates the port type. (1000BASE-T, SFP, or 10G) • MAC address – The physical layer address for this port. (To access this item on the web, see “Setting the Switch’s IP Address (IP Version 4)”...
  • Page 215 • Port security action – Shows the response to take when a security violation is detected. (shutdown, trap, trap-and-shutdown) • Media type – Shows the forced/preferred port type to use for combination ports 21-24 (SMC8824M) or 45-48 (SMC8848M). (copper forced, SFP forced, SFP preferred auto) Current status: •...
  • Page 216: Configuring Interface Connections

    CLI – This example shows the connection status for Port 5. Console#show interfaces status ethernet 1/5 24-12 Information of Eth 1/13 Basic information: Port type: 1000T Mac address: 00-30-F1-D4-73-A5 Configuration: Name: Port admin: Speed-duplex: Auto Capabilities: 10half, 10full, 100half, 100full, 1000full Broadcast storm: Enabled Broadcast storm limit:...
  • Page 217 RJ-45: 1000BASE-T – 10half, 10full, 100half, 100full, 1000full; SFP: 1000BASE-SX/LX/LH – 1000full; 10G Modules: 10GBASE-SR/LR/ER – 10Gfull) • Media Type – Shows the forced/preferred port type to use for the combination ports. (SMC8824M: Ports 21-24; SMC8848M: Ports 45-48) - Copper-Forced - Always uses the built-in RJ-45 port.
  • Page 218: Figure 8-2 Port - Port Configuration

    - SFP-Forced - Always uses the SFP port (even if module is not installed). - SFP-Preferred-Auto - Uses SFP port if both combination types are functioning and the SFP port has a valid link. • Trunk – Indicates if a port is a member of a trunk. To create trunks and select port members, see “Creating Trunk Groups”...
  • Page 219 CLI – Select the interface, and then enter the required settings. Console(config)#interface ethernet 1/13 24-2 Console(config-if)#description RD SW#13 24-3 Console(config-if)#shutdown 24-9 Console(config-if)#no shutdown Console(config-if)#no negotiation 24-5 Console(config-if)#speed-duplex 100half 24-3 Console(config-if)#negotiation Console(config-if)#capabilities 100half 24-6 Console(config-if)#capabilities 100full Console(config-if)#capabilities flowcontrol Console(config-if)#exit Console(config)#interface ethernet 1/21 Console(config-if)#media-type copper-forced...
  • Page 220: Creating Trunk Groups

    Creating Trunk Groups You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices (i.e., single switch or a stack). You can create up to 32 trunks.
  • Page 221: Statically Configuring A Trunk

    could connect ports spread across several units that belong to VLAN 2 into a common trunk. • The ports at both ends of a connection must be configured as trunk ports. • When configuring static trunks on switches of different types, they must be compatible with the Cisco EtherChannel standard.
  • Page 222: Figure 8-3 Static Trunk Configuration

    Command Attributes • Member List (Current) – Shows configured trunks (Trunk ID, Unit, Port). • New – Includes entry fields for creating new trunks. - Trunk – Trunk identifier. (Range: 1-32) - Unit – Stack unit. (Range: 1-8) - Port – Port identifier. (Range: 1-25/49) Web –...
  • Page 223: Enabling Lacp On Selected Ports

    CLI – This example creates trunk 1 with ports 9 and 10. Just connect these ports to two static trunk ports on another switch to form a trunk. Console(config)#interface port-channel 1 24-2 Console(config-if)#exit Console(config)#interface ethernet 1/9 24-2 Console(config-if)#channel-group 1 25-3 Console(config-if)#exit...
  • Page 224: Figure 8-4 Lacp Trunk Configuration

    • A trunk formed with another switch using LACP will automatically be assigned the next available trunk ID. • If more than eight ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails.
  • Page 225: Configuring Lacp Parameters

    CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk. Console(config)#interface ethernet 1/1 24-2 Console(config-if)#lacp 25-4 Console(config-if)#exit Console(config)#interface ethernet 1/6 Console(config-if)#lacp Console(config-if)#end Console#show interfaces status port-channel 1...
  • Page 226 Note: If the port channel admin key (lacp admin key, page 25-8) is not set (through the CLI) when a channel group is formed (i.e., it has a null value of 0), this key is set to the same value as the port admin key used by the interfaces that joined the group (lacp admin key, as described in this section and on page 25-7).
  • Page 227: Figure 8-5 Lacp - Aggregation Port

    Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.
  • Page 228: Backup Mode

    CLI – The following example configures LACP parameters for ports 1-10. Ports 1-8 are used as active members of the LAG, ports 9 and 10 are set to backup mode. Console(config)#interface ethernet 1/1 24-2 Console(config-if)#lacp actor system-priority 3 25-6 Console(config-if)#lacp actor admin-key 120 25-7 Console(config-if)#lacp actor port-priority 128...
  • Page 229: Displaying Lacp Port Counters

    Displaying LACP Port Counters You can display statistics for LACP protocol messages. Table 8-1 LACP Port Counters Parameter Description LACPDUs Sent Number of valid LACPDUs transmitted from this channel group. LACPDUs Received Number of valid LACPDUs received by this channel group.
  • Page 230: Table 8-2 Lacp Internal Configuration Information

    CLI – The following example displays LACP counters for port channel 1. Console#show lacp 1 counters 25-10 Port channel: 1 ------------------------------------------------------------------- Eth 1/ 2 ------------------------------------------------------------------- LACPDUs Sent: LACPDUs Receive: Marker Sent: Marker Receive: LACPDUs Unknown Pkts: 0 LACPDUs Illegal Pkts: 0 Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the local side of a link aggregation.
  • Page 231 Table 8-2 LACP Internal Configuration Information (Continued) Field Description Admin State, Administrative or operational values of the actor’s state Oper State parameters: • Expired – The actor’s receive machine is in the expired state; • Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.
  • Page 232: Figure 8-7 Lacp - Port Internal Information

    Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 8-7 LACP - Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1. Console#show lacp 1 internal 25-10 Port channel: 1...
  • Page 233: Displaying Lacp Settings And Status For The Remote Side

    Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of a link aggregation. Table 8-3 LACP Neighbor Configuration Information Field Description Partner Admin System LAG partner’s system ID assigned by the user.
  • Page 234: Figure 8-8 Lacp - Port Neighbors Information

    Web – Click Port, LACP, Port Neighbors Information. Select a port channel to display the corresponding information. Figure 8-8 LACP - Port Neighbors Information CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1. Console#show lacp 1 neighbors 25-10 Port channel 1 neighbors...
  • Page 235: Setting Broadcast Storm Thresholds

    Setting Broadcast Storm Thresholds Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much broadcast traffic on your network, performance can be severely degraded or everything can come to a complete halt.
  • Page 236: Figure 8-9 Port Broadcast Control

    Web – Click Port, Port Broadcast Control or Trunk Broadcast Control. Check the Enabled box for any interface, set the threshold, and click Apply. Figure 8-9 Port Broadcast Control CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 600 packets per second for port 2.
  • Page 237: Configuring Port Mirroring

    Configuring Port Mirroring You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner. [Figure: Source port(s), Single target port]...
  • Page 238: Configuring Rate Limits

    Web – Click Port, Mirror Port Configuration. Specify the source port, the traffic type to be mirrored, and the monitor port, then click Add. Figure 8-10 Mirror Port Configuration CLI – Use the interface command to select the monitor port, then use the port monitor command to specify the source port.
  • Page 239: Figure 8-11 Rate Limit Configuration

    Command Attribute Rate Limit – Sets the output rate limit for an interface. Default Status – Disabled Default Rate – Gigabit Ethernet: 1000 Mbps Range – Gigabit Ethernet: 1 - 1000 Mbps Note: Rate limits are not supported for the 10 Gigabit Ethernet ports. Web - Click Port, Rate Limit, Input/Output Port/Trunk Configuration.
  • Page 240: Showing Port Statistics

    Showing Port Statistics You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port. This information can be used to identify potential problems with the switch (such as a faulty port or unusually heavy loading).
  • Page 241 Table 8-4 Port Statistics (Continued) Parameter Description Received Unknown The number of packets received via the interface Packets which were discarded because of an unknown or unsupported protocol. Received Errors The number of inbound packets that contained errors preventing them from being deliverable to a higher-layer protocol.
  • Page 242 Table 8-4 Port Statistics (Continued) Parameter Description FCS Errors A count of frames received on a particular interface that are an integral number of octets in length but do not pass the FCS check. This count does not include frames received with frame-too-long or frame-too-short error.
  • Page 243 Table 8-4 Port Statistics (Continued) Parameter Description RMON Statistics Drop Events The total number of events in which packets were dropped due to lack of resources. Jabbers The total number of frames received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either an FCS or alignment error.
  • Page 244 Table 8-4 Port Statistics (Continued) Parameter Description 64 Bytes Frames The total number of frames (including bad packets) received and transmitted that were 64 octets in length (excluding framing bits but including FCS octets). 65-127 Byte Frames The total number of frames (including bad packets) 128-255 Byte Frames received and transmitted where the number of octets 256-511 Byte Frames...
  • Page 245: Figure 8-12 Port Statistics

    Figure 8-12 Port Statistics...
  • Page 246 CLI – This example shows statistics for port 12. Console#show interfaces counters ethernet 1/12 24-13 Ethernet 1/12 Iftable stats: Octets input: 868453, Octets output: 3492122 Unicast input: 7315, Unitcast output: 6658 Discard input: 0, Discard output: 0 Error input: 0, Error output: 0 Unknown protos input: 0, QLen output: 0 Extended iftable stats: Multi-cast input: 0, Multi-cast output: 17027...
  • Page 247 Address Table Settings Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
  • Page 248: Address Table Settings

    Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address. Figure 9-1 Static Addresses CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.
  • Page 249: Displaying The Address Table

    Displaying the Address Table The Dynamic Address Table contains the MAC addresses learned by monitoring the source address for traffic entering the switch. When the destination address for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associated port.
  • Page 250: Figure 9-2 Dynamic Addresses

    Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query. Figure 9-2 Dynamic Addresses CLI – This example also displays the address table entries for port 1. Console#show mac-address-table interface ethernet 1/1 28-4 Interface Mac Address...
  • Page 251: Changing The Aging Time

    Changing the Aging Time You can set the aging time for entries in the dynamic address table. Command Attributes • Aging Status – Enables/disables the aging function. • Aging Time – The time after which a learned entry is discarded. •...
  • Page 252 Address Table Settings...
  • Page 253: Spanning Tree Algorithm

    The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
  • Page 254 [Figure: Designated Root, Root Port, Designated Port, Designated Bridge] Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down.
  • Page 255 maintain connectivity among each of the assigned VLAN groups. MSTP then builds an Internal Spanning Tree (IST) for the Region containing all commonly configured MSTP bridges. [Figure labels: MST 1, (for this Region), Region R, MST 2] An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest –...
  • Page 256: Displaying Global Settings

    MSTP connects all bridges and LAN segments with a single Common and Internal Spanning Tree (CIST). The CIST is formed as a result of the running spanning tree algorithm between switches that support the STP, RSTP, MSTP protocols. Displaying Global Settings You can display a summary of the current bridge STA information that applies to the entire switch using the STA Information screen.
  • Page 257 make it return to a discarding state; otherwise, temporary data loops might result. • Designated Root – The priority and MAC address of the device in the Spanning Tree that this switch has accepted as the root device. - Root Port –...
  • Page 258: Figure 10-1 Sta Information

    configuration messages at regular intervals. If the root port ages out STA information (provided in the last configuration message), a new root port is selected from among the device ports attached to the network. (References to “ports” in this section mean “interfaces,” which includes both ports and trunks.) •...
  • Page 259 CLI – This command displays global STA settings, followed by settings for each port. Console#show spanning-tree 29-25 Spanning-tree information --------------------------------------------------------------- Spanning tree mode: MSTP Spanning tree enable/disable: enable Instance: Vlans configuration: 1-4093 Priority: 32768 Bridge Hello Time (sec.): Bridge Max Age (sec.): Bridge Forward Delay (sec.): Root Hello Time (sec.):...
  • Page 260: Configuring Global Settings

    Configuring Global Settings Global settings apply to the entire switch. Command Usage • Spanning Tree Protocol Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
  • Page 261 - Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic. Command Attributes Basic Configuration of Global Settings •...
  • Page 262 reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network.
  • Page 263 Configuration Settings for MSTP • Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned. (Default: 65) • Configuration Digest – An MD5 signature key that contains the VLAN ID to MST ID mapping table. In other words, this key is a mapping of all VLANs to the CIST.
  • Page 264: Figure 10-2 Sta Global Configuration

    Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply. Figure 10-2 STA Global Configuration...
  • Page 265: Displaying Interface Settings

    CLI – This example enables Spanning Tree Protocol, sets the mode to MST, and then configures the STA and MSTP parameters. Console(config)#spanning-tree 29-3 Console(config)#spanning-tree mode mstp 29-4 Console(config)#spanning-tree priority 40000 29-8 Console(config)#spanning-tree hello-time 5 29-6 Console(config)#spanning-tree max-age 38 29-7 Console(config)#spanning-tree forward-time 20 29-5...
  • Page 266 - If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment, the port with the smaller ID forwards packets and the other is discarding. - All ports are discarding when the switch is booted, then some of them change state to learning, and then to forwarding.
  • Page 267 R: Root Port, A: Alternate Port, D: Designated Port, B: Backup Port. Alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port. Backup port receives more useful BPDUs from the same bridge and is therefore not selected as the designated port.
  • Page 268: Figure 10-3 Sta Port Information

    loops. Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled. • Designated root – The priority and MAC address of the device in the Spanning Tree that this switch has accepted as the root device. •...
  • Page 269: Configuring Interface Settings

    CLI – This example shows the STA attributes for port 5. Console#show spanning-tree ethernet 1/5 29-25 1/ 5 information -------------------------------------------------------------- Admin status: enabled Role: disable State: discarding External admin path cost: 10000 Internal admin cost: 10000 External oper path cost: 10000 Internal oper path cost: 10000...
  • Page 270 - Discarding - Port receives STA configuration messages, but does not forward packets. - Learning - Port has transmitted configuration messages for an interval set by the Forward Delay parameter without receiving contradictory information. Port address table is cleared, and the port begins learning addresses.
  • Page 271: Table 10-1 Recommended Sta Path Cost Range

    By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost “0” is used to indicate auto-configuration mode. Table 10-1 Recommended STA Path Cost Range Port Type IEEE 802.1w-2001 IEEE 802.1D-1998...
  • Page 272: Figure 10-4 Sta Port Configuration

    initiate reconfiguration when the interface changes state, and also overcomes other STA-related timeout problems. However, remember that Edge Port should only be enabled for ports connected to an end-node device. (Default: Disabled) • Migration – If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode.
  • Page 273: Configuring Multiple Spanning Trees

    Configuring Multiple Spanning Trees MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
  • Page 274: Figure 10-5 Mstp Vlan Configuration

    • VLANs in MST Instance – VLANs assigned this instance. • MST ID – Instance identifier to configure. (Range: 0-4094; Default: 0) • VLAN ID – VLAN to assign to this selected MST instance. (Range: 1-4093) The other global attributes are described under “Displaying Global Settings,”...
  • Page 275: Each Port

    CLI – This displays STA settings for instance 1, followed by settings for each port. Console#show spanning-tree mst 1 29-25 Spanning-tree information --------------------------------------------------------------- Spanning tree mode: MSTP Spanning tree enabled/disabled: enabled Instance: VLANs configuration: Priority: 32768 Bridge Hello Time (sec.): Bridge Max Age (sec.): Bridge Forward Delay (sec.):...
  • Page 276: Displaying Interface Settings For Mstp

    CLI – This example sets the priority for MSTI 1, and adds VLANs 1-5 to this MSTI. Console(config)#spanning-tree mst-configuration 29-10 Console(config-mst)#mst 1 priority 4096 29-12 Console(config-mstp)#mst 1 vlan 1-5 29-11 Console(config-mst)# Displaying Interface Settings for MSTP The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance.
  • Page 277: Spanning Tree

    CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST (page 10-4); the settings for other instances only apply to the local spanning tree.
  • Page 278: Configuring Interface Settings For Mstp

    Configuring Interface Settings for MSTP You can configure the STA interface settings for an MST Instance using the MSTP Port Configuration and MSTP Trunk Configuration pages. Field Attributes The following attributes are read-only and cannot be changed: • STA State – Displays current state of this port within the Spanning Tree. (See Displaying Interface Settings on page 10-13 for additional information.) - Discarding - Port receives STA configuration messages, but does not...
  • Page 279: Table 10-3 Recommended Sta Path Cost Range

    • Admin MST Path Cost – This parameter is used by the MSTP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
  • Page 280: Figure 10-7 Mstp Port Configuration

    Web – Click Spanning Tree, MSTP, Port Configuration or Trunk Configuration. Enter the priority and path cost for an interface, and click Apply.
    Figure 10-7 MSTP Port Configuration
    CLI – This example sets the MSTP attributes for port 4.
      Console(config)#interface ethernet 1/4
      Console(config-if)#spanning-tree mst port-priority 0...
  • Page 281: Vlan Configuration

    Chapter 11: VLAN Configuration
    IEEE 802.1Q VLANs
    In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains. This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains.
  • Page 282 VLAN Configuration • Distributed VLAN learning across multiple switches using explicit or implicit tagging and GVRP protocol • Port overlapping, allowing a port to participate in multiple VLANs • End stations can belong to multiple VLANs • Passing traffic between VLAN-aware and VLAN-unaware devices •...
  • Page 283 IEEE 802.1Q VLANs VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port).
  • Page 284 VLAN Configuration To implement GVRP in a network, first add the host devices to the required VLANs (using the operating system or other application software), so that these VLANs can be propagated onto the network. For both the edge switches attached directly to these hosts, and core switches in the network, enable GVRP on the links between these devices.
  • Page 285: Enabling Or Disabling Gvrp (Global Setting)

    forwarding a frame from this switch along a path that does not contain any VLAN-aware devices (including the destination host), the switch must first strip off the VLAN tag before forwarding the frame. When the switch receives a tagged frame, it will pass this frame onto the VLAN(s) indicated by the frame tag.
  • Page 286: Displaying Basic Vlan Information

    Displaying Basic VLAN Information
    The VLAN Basic Information page displays basic information on the VLAN type supported by the switch.
    Field Attributes
    • VLAN Version Number – The VLAN version used by this switch as specified in the IEEE 802.1Q standard. •...
  • Page 287: Displaying Current Vlans

    Displaying Current VLANs
    The VLAN Current Table shows the current port members of each VLAN and whether or not the port supports VLAN tagging. Ports assigned to a large VLAN group that crosses several switches should use VLAN tagging.
  • Page 288: Creating Vlans

    Command Attributes (CLI)
    • VLAN – ID of configured VLAN (1-4093, no leading zeroes). • Type – Shows how this VLAN was added to the switch. - Dynamic: Automatically learned via GVRP. - Static: Added as a static entry. •...
  • Page 289: Figure 11-4 Vlan Static List - Creating Vlans

    • VLAN ID – ID of configured VLAN (1-4093). • VLAN Name – Name of the VLAN (1 to 32 characters). • Status (Web) – Enables or disables the specified VLAN. - Enable: VLAN is operational. - Disable: VLAN is suspended; i.e., does not pass packets. •...
  • Page 290: Adding Static Members To Vlans (Vlan Index)

    CLI – This example creates a new VLAN.
      Console(config)#vlan database
      Console(config-vlan)#vlan 2 name R&D media ethernet state active
      Console(config-vlan)#end
      Console#show vlan
      VLAN ID:
      Type: Static
      Name: DefaultVlan
      Status: Active
      Ports/Port Channels: Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S)
                           Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S) Eth1/10(S)
                           Eth1/11(S) Eth1/12(S) Eth1/13(S) Eth1/14(S) Eth1/15(S)
                           Eth1/16(S) Eth1/17(S) Eth1/18(S) Eth1/19(S) Eth1/20(S)
  • Page 291 IEEE 802.1Q VLANs • Status – Enables or disables the specified VLAN. - Enable: VLAN is operational. - Disable: VLAN is suspended; i.e., does not pass packets. • Port – Port identifier. • Trunk – Trunk identifier. • Membership Type – Select VLAN membership for each interface by marking the appropriate radio button for a port or trunk: - Tagged: Interface is a member of the VLAN.
  • Page 292: Figure 11-5 Vlan Static Table - Adding Static Members

    Web – Click VLAN, 802.1Q VLAN, Static Table. Select a VLAN ID from the scroll-down list. Modify the VLAN name and status if required. Select the membership type by marking the appropriate radio button in the list of ports or trunks.
  • Page 293: Adding Static Members To Vlans (Port Index)

    Adding Static Members to VLANs (Port Index)
    Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member.
    Command Attributes
    • Interface – Port or trunk identifier. • Member – VLANs for which the selected interface is a tagged member. •...
  • Page 294: Configuring Vlan Behavior For Interfaces

    Configuring VLAN Behavior for Interfaces
    You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers.
    Command Usage
    • GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
  • Page 295 IEEE 802.1Q VLANs - If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).
  • Page 296: Figure 11-7 Vlan Port Configuration

    belonging to the port’s default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames. - Hybrid – Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames. • Trunk Member – Indicates if a port is a member of a trunk. To add a trunk to the selected VLAN, use the last table on the VLAN Static Table page.
  • Page 297: Configuring Private Vlans

    Configuring Private VLANs
    Private VLANs provide port-based security and isolation between ports within the assigned VLAN. Data traffic on downlink ports can only be forwarded to, and from, uplink ports. (Note that private VLANs and normal VLANs can exist simultaneously within the same switch.)
    [Figure: Uplink Ports, Primary VLAN (promiscuous ports)...]
  • Page 298: Configuring Uplink And Downlink Ports

    Configuring Uplink and Downlink Ports
    Use the Private VLAN Link Status page to set ports as downlink or uplink ports. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports.
  • Page 299: Configuring Protocol-Based Vlans

    Configuring Protocol-Based VLANs
    The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
  • Page 300: Mapping Protocols To Vlans

    • Frame Type – Frame type used by this protocol. (Options: Ethernet, RFC_1042, LLC_other) • Protocol Type – The only option for the LLC_other frame type is IPX_raw. The options for all other frame types include: IP, IPv6, ARP, RARP, and user-defined (0801-FFFF hexadecimal).
  • Page 301: Figure 11-11 Protocol Vlan Port Configuration

    Membership by Port menu (page 13), these interfaces will admit traffic of any protocol type into the associated VLAN. • When a frame enters a port that has been assigned to a protocol VLAN, it is processed in the following manner: - If the frame is tagged, it will be processed according to the standard rules applied to tagged frames.
  • Page 302 VLAN Configuration CLI – The following maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 3.
      Console(config)#interface ethernet 1/1
      Console(config-if)#protocol-vlan protocol-group 1 vlan 3
      Console(config-if)#
  • Page 303: Class Of Service

    Chapter 12: Class of Service
    Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 304: Figure 12-1 Default Port Priority

    Command Attributes
    • Default Priority – The priority that is assigned to untagged frames received on the specified interface. (Range: 0 - 7, Default: 0) • Number of Egress Traffic Classes – The number of queue buffers provided for each port.
  • Page 305: Table 12-1 Mapping Cos Values To Egress Queues

    CLI – This example assigns a default priority of 5 to port 3.
      Console(config)#interface ethernet 1/3
      Console(config-if)#switchport priority default 5
      Console(config-if)#end
      Console#show interfaces switchport ethernet 1/3
      Information of Eth 1/3
      Broadcast threshold: Enabled, 500 packets/second
      LACP status: Disabled
      Ingress rate limit:...
  • Page 306: Table 12-2 Cos Priority Levels

    The priority levels recommended in the IEEE 802.1p standard for various network applications are shown in the following table. However, you can map the priority levels to the switch’s output queues in any way that benefits application traffic for your own network.
    Table 12-2 CoS Priority Levels
    Priority Level Traffic Type...
  • Page 307: Figure 12-2 Traffic Classes

    Web – Click Priority, Traffic Classes. Assign priorities to the traffic classes (i.e., output queues), then click Apply.
    Figure 12-2 Traffic Classes
    CLI – The following example shows how to change the CoS assignments to a one-to-one mapping.
      Console(config)#interface ethernet 1/1
      Console(config)#queue cos-map 0 0...
  • Page 308: Selecting The Queue Mode

    Selecting the Queue Mode
    You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue.
  • Page 309: Setting The Service Weight For Traffic Classes

    Setting the Service Weight for Traffic Classes
    This switch uses the Weighted Round Robin (WRR) algorithm to determine the frequency at which it services each priority queue. As described in “Mapping CoS Values to Egress Queues” on page 3, the traffic classes are mapped to one of the eight egress queues provided for each port.
  • Page 310: Layer 3/4 Priority Settings

    CLI – The following example shows how to assign WRR weights to each of the priority queues.
      Console(config)#queue bandwidth 1 3 5 7 9 11 13 15
      Console(config)#exit
      Console#show queue bandwidth
      Information of Eth 1/1
      Queue ID Weight
      --------...
  • Page 311: Selecting Ip Precedence/Dscp Priority

    Selecting IP Precedence/DSCP Priority
    The switch allows you to choose between using IP Precedence or DSCP priority. Select one of the methods or disable this feature.
    Command Attributes
    • Disabled – Disables both priority services. (This is the default setting.) •...
  • Page 312: Mapping Ip Precedence

    Mapping IP Precedence
    The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic. The default IP Precedence values are mapped one-to-one to Class of Service values (i.e., Precedence value 0 maps to CoS value 0, and so forth).
  • Page 313: Figure 12-6 Ip Precedence Priority

    Web – Click Priority, IP Precedence Priority. Select an entry from the IP Precedence Priority Table, enter a value in the Class of Service Value field, and then click Apply.
    Figure 12-6 IP Precedence Priority
    CLI –...
  • Page 314: Mapping Dscp Priority

    Mapping DSCP Priority
    The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP replaces the ToS bits, but it retains backward compatibility with the three precedence bits so that non-DSCP compliant, ToS-enabled devices will not conflict with the DSCP mapping.
  • Page 315: Figure 12-7 Ip Dscp Priority

    Web – Click Priority, IP DSCP Priority. Select an entry from the DSCP table, enter a value in the Class of Service Value field, then click Apply.
    Figure 12-7 IP DSCP Priority
    CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings.
  • Page 316: Mapping Ip Port Priority

    Mapping IP Port Priority
    You can also map network applications to Class of Service values based on the IP port number (i.e., TCP/UDP port number) in the frame header. Some of the more common TCP service ports include: HTTP: 80, FTP: 21, Telnet: 23 and POP3: 110.
  • Page 317: Figure 12-9 Ip Port Priority

    Click Priority, IP Port Priority. Enter the port number for a network application in the IP Port Number box and the new CoS value in the Class of Service box, and then click Apply.
    Figure 12-9 IP Port Priority
    CLI –...
  • Page 318 Class of Service
  • Page 319: Quality Of Service

    Chapter 13: Quality of Service
    The commands described in this section are used to configure Quality of Service (QoS) classification criteria and service policies. Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per hop basis.
  • Page 320: Configuring Quality Of Service Parameters

    Notes:
    1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map.
    2. You should create a Class Map before creating a Policy Map. Otherwise, you will not be able to select a Class Map from the Policy Rule Settings screen (see page 13-9)....
  • Page 321 Configuring Quality of Service Parameters - When the Match Class Settings page opens, specify type of traffic for this class based on an access list, a DSCP or IP Precedence value, or a VLAN, and click the Add button next to the field for the selected traffic criteria.
  • Page 322 Quality of Service Match Class Settings • Class Name – List of class maps. • ACL List – Name of an access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs. (Range: 1-16 characters) •...
  • Page 323: Figure 13-1 Configuring Class Maps

    Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class.
    Figure 13-1 Configuring Class Maps
    CLI - This example creates a class map called “rd-class,” and sets it to match packets marked for DSCP service value 3.
  • Page 324: Creating Qos Policies

    Extended ACL), IPv6 Standard ACL, and IPv6 Extended ACL. This limitation applies to each switch chip (SMC8824M: ports 1-26, SMC8848M: ports 1-25, ports 26-50). Also, note that the maximum number of classes that can be applied to a policy map is 16.
  • Page 325 Configuring Quality of Service Parameters Command Attributes Policy Map • Modify Name and Description – Configures the name and a brief description of a policy map. (Range: 1-16 characters for the name; 1-64 characters for the description) • Edit Classes – Opens the “Policy Rule Settings” page for the selected class entry.
  • Page 326 Quality of Service • Remove Class – Deletes a class. - Policy Options - • Class Name – Name of class map. • Action – Configures the service provided to ingress traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified in Match Class Settings on page 13-2).
  • Page 327: Figure 13-2 Configuring Policy Maps

    Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy. To configure the policy rule settings click Edit Classes.
    Figure 13-2 Configuring Policy Maps
  • Page 328: Attaching A Policy Map To Ingress Queues

    CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth to 1 Mbps, the burst rate to 1522 bps, and the response to reduce the DSCP value for violating packets to 0.
      Console(config)#policy-map rd_policy#3
      Console(config-pmap)#class rd_class#3...
  • Page 329: Figure 13-3 Service Policy Settings

    Web – Click QoS, DiffServ, Service Policy Settings. Check Enabled and choose a Policy Map for a port from the scroll-down box, then click Apply.
    Figure 13-3 Service Policy Settings
    CLI - This example applies a service policy to an ingress interface.
      Console(config)#interface ethernet 1/5
      Console(config-if)#service-policy input rd_policy#3...
  • Page 330 Quality of Service
  • Page 331 Chapter 14: Multicast Filtering Multicasting is used to support real-time applications such as videoconferencing or streaming audio. [Figure: Unicast Flow] A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local Multicast...
  • Page 332: Multicast Filtering

    those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service. The purpose of IP multicast filtering is to optimize a switched network’s performance, so multicast packets will only be forwarded to those ports containing multicast group hosts or multicast routers/switches, instead of flooding traffic to all ports in the subnet (VLAN).
  • Page 333 Layer 2 IGMP (Snooping and Query) Command Usage • IGMP Snooping – This switch can passively snoop on IGMP Query and Report packets transferred between IP multicast routers/switches and IP multicast host groups to identify the IP multicast group members. It simply monitors the IGMP packets passing through it, picks out the group registration information, and configures the multicast filters accordingly.
  • Page 334: Figure 14-1 Igmp Configuration

    IGMP Query out of that port and removes the entry from its list. (Range: 5-25 seconds, Default: 10) • IGMP Query Timeout — The time the switch waits after the previous querier stops before it considers the router port (i.e., the interface which had been receiving query packets) to have expired.
  • Page 335: Displaying Interfaces Attached To A Multicast Router

    CLI – This example modifies the settings for multicast filtering, and then displays the current status.
      Console(config)#ip igmp snooping
      Console(config)#ip igmp snooping querier
      Console(config)#ip igmp snooping query-count 10
      Console(config)#ip igmp snooping query-interval 100
      Console(config)#ip igmp snooping query-max-response-time 20...
  • Page 336: Specifying Static Interfaces For A Multicast Router

    Web – Click IGMP Snooping, Multicast Router Port Information. Select the required VLAN ID from the scroll-down list to display the associated multicast routers.
    Figure 14-2 Multicast Router Port Information
    CLI – This example shows that Port 11 has been statically configured as a port attached to a multicast router.
  • Page 337: Displaying Port Members Of Multicast Services

    • Unit – Stack unit. (Range: 1-8) • Port or Trunk – Specifies the interface attached to a multicast router. Web – Click IGMP Snooping, Static Multicast Router Port Configuration. Specify the interfaces attached to a multicast router, indicate the VLAN which will forward all the corresponding multicast traffic, and then click Add.
  • Page 338: Figure 14-4 Ip Multicast Registration Table

    Web – Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and the IP address for a multicast service from the scroll-down lists. The switch will display all the interfaces that are propagating this multicast service.
    Figure 14-4 IP Multicast Registration Table
    CLI –...
  • Page 339: Assigning Ports To Multicast Services

    Assigning Ports to Multicast Services
    Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages as described in “Configuring IGMP Snooping and Query Parameters” on page 14-2. For certain applications that require tighter control, you may need to statically configure a multicast service on the switch.
  • Page 340: Figure 14-5 Igmp Member Port Table

    Web – Click IGMP Snooping, IGMP Member Port Table. Specify the interface attached to a multicast service (via an IGMP-enabled switch or multicast router), indicate the VLAN that will propagate the multicast service, specify the multicast IP address, and click Add. After you have completed adding ports to the member list, click Apply.
  • Page 341 Chapter 15: Domain Name Service The Domain Naming System (DNS) service on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other name servers on the network. When a client device designates this switch as a DNS server, the client will attempt to resolve host names into IP addresses by forwarding DNS queries to the switch, and waiting for a response.
  • Page 342: Domain Name Service

    • When more than one name server is specified, the servers are queried in the specified sequence until a response is received, or the end of the list is reached with no response. • Note that if all name servers are deleted, DNS will automatically be disabled.
  • Page 343: Configuring General Dns Service Parameters

    Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name servers to use for address resolution, enable domain lookup status, and click Apply.
    Figure 15-1 DNS General Configuration
  • Page 344: Configuring Static Dns Host To Address Entries

    CLI - This example sets a default domain name and a domain list. However, remember that if a domain list is specified, the default domain name is not used.
      Console(config)#ip domain-name sample.com
      Console(config)#ip domain-list sample.com.uk
      Console(config)#ip domain-list sample.com.jp
      Console(config)#ip name-server 192.168.1.55 10.1.0.55
      Console(config)#ip domain-lookup...
  • Page 345: Figure 15-2 Dns Static Host Table

    Field Attributes
    • Host Name – Name of a host device that is mapped to one or more IP addresses. (Range: 1-64 characters) • IP Address – Internet address(es) associated with a host name. (Range: 1-8 addresses) •...
  • Page 346: Displaying The Dns Cache

    CLI - This example maps two addresses to a host name, and then configures an alias host name for the same addresses.
      Console(config)#ip host rd5 192.168.1.55 10.1.0.55
      Console(config)#ip host rd6 10.1.0.55
      Console#show hosts
      Hostname Inet address 10.1.0.55 192.168.1.55 Alias 1.rd6...
  • Page 347: Figure 15-3 Dns Cache

    Web – Select DNS, Cache.
    Figure 15-3 DNS Cache
    CLI - This example displays all the resource records learned from the designated name servers.
      Console#show dns cache
      FLAG TYPE DOMAIN
      CNAME 207.46.134.222 www.microsoft.akadns.net
      CNAME 207.46.134.190 www.microsoft.akadns.net
      CNAME...
  • Page 348 Domain Name Service
  • Page 349: Dynamic Host Configuration Protocol

    Chapter 16: Dynamic Host Configuration Protocol
    Dynamic Host Configuration Protocol (DHCP) can dynamically allocate an IP address and other configuration information to network clients when they boot up. If a subnet does not already include a BOOTP or DHCP server, you can relay DHCP client requests to a DHCP server on another subnet, or configure the DHCP server on this switch to support that subnet.
  • Page 350: Configuring Dhcp Relay Service

    Configuring DHCP Relay Service
    This switch supports DHCP relay service for attached host devices.
    [Figure: DHCP Server – Provides IP address compatible with switch segment to which client is attached]
    If DHCP relay is enabled, and this switch sees a DHCP request broadcast, it inserts its own IP address into the request...
  • Page 351: Figure 16-1 Dhcp Relay Configuration

    Web – Click DHCP, Relay Configuration. Enter up to five IP addresses for any VLAN, then click Restart DHCP Relay to start the relay service.
    Figure 16-1 DHCP Relay Configuration
    CLI – This example specifies one DHCP relay server for VLAN 1, and enables the relay service.
  • Page 352: Configuring The Dhcp Server

    Configuring the DHCP Server
    This switch includes a Dynamic Host Configuration Protocol (DHCP) server that can assign temporary IP addresses to any attached host requesting service. It can also provide other network settings such as the domain name, default gateway, Domain Name Servers (DNS), Windows Internet Naming Service (WINS) name servers, or information on the bootup file for the host device to download.
  • Page 353: Enabling The Server, Setting Excluded Addresses

    Enabling the Server, Setting Excluded Addresses
    Enable the DHCP Server and specify the IP addresses that should not be assigned to clients.
    Command Attributes
    • DHCP Server – Enables or disables the DHCP server on this switch. (Default: Disabled) •...
  • Page 354: Configuring Address Pools

    CLI – This example enables the DHCP server and sets an excluded address range.
      Console(config)#service dhcp
      Console(config)#ip dhcp excluded-address 10.1.0.250 10.1.0.254
      Console#
    Configuring Address Pools
    You must configure IP address pools for each IP interface that will provide addresses to attached clients via the DHCP server.
  • Page 355 Configuring the DHCP Server • If the subnet mask is not specified for network or host address pools, the class A, B, or C natural mask is used (see page 17-34). The DHCP server assumes that all host addresses are available. You can exclude subsets of the address space by using the IP Excluded Address field on the DHCP Server General configuration page.
  • Page 356: Figure 16-3 Dhcp Server Pool Configuration

    • Netbios Type – NetBIOS node type for Microsoft DHCP clients. (Options: Broadcast, Hybrid, Mixed, Peer to Peer; Default: Hybrid) • Domain Name – The domain name of the client. (Range: 1-32 characters) • Bootfile – The default boot image for a DHCP client. This file should be placed on the Trivial File Transfer Protocol (TFTP) server specified as the Next Server.
  • Page 357: Figure 16-4 Dhcp Server Pool - Network Configuration

    Configuring a Network Address Pool
    Web – Click DHCP, Server, Pool Configuration. Click the Configure button for any entry. Click the radio button for “Network.” Enter the IP address and subnet mask for the network pool. Configure the optional parameters such as gateway server and DNS server.
  • Page 358: Figure 16-5 Dhcp Server Pool - Host Configuration

    Configuring a Host Address Pool
    Web – Click DHCP, Server, Pool Configuration. Click the Configure button for any entry. Click the radio button for “Host.” Enter the IP address, subnet mask, and hardware address for the client device. Configure the optional parameters such as gateway server and DNS server.
  • Page 359: Displaying Address Bindings

    CLI – This example configures a host address pool.
      Console(config)#ip dhcp pool mgr
      Console(config-dhcp)#host 10.1.0.19 255.255.255.0
      Console(config-dhcp)#hardware-address 00-e0-29-94-34-28 ethernet
      Console(config-dhcp)#client-identifier text bear
      Console(config-dhcp)#default-router 10.1.0.253
      Console(config-dhcp)#dns-server 10.2.3.4
      Console(config-dhcp)#netbios-name-server 10.1.0.33
      Console(config-dhcp)#netbios-node-type hybrid
      Console(config-dhcp)#domain-name example.com...
  • Page 360: Figure 16-6 Dhcp Server - Ip Binding

    Web – Click DHCP, Server, IP Binding. You may use the Delete button to clear an address from the DHCP server’s database.
    Figure 16-6 DHCP Server - IP Binding
    CLI – This example displays the current binding, and then clears all automatic binding.
  • Page 361: Ip Routing

    Chapter 17: IP Routing
    Overview
    This switch supports IP routing and routing path management via static routing definitions (page 17-26) and dynamic routing such as RIP (page 17-30). When IP routing is enabled (page 17-31), this switch acts as a wire-speed router, passing traffic between VLANs using different IP interfaces, and routing traffic to external IP networks.
  • Page 362: Ip Switching

    [Figure: Inter-subnet traffic (Layer 3 switching) – Routing; VLAN 1, VLAN 2; Tagged or Untagged ports; Intra-subnet traffic (Layer 2 switching)]
    IP Switching
    IP Switching (or packet forwarding) encompasses tasks required to forward packets for both Layer 2 and Layer 3, as well as traditional routing.
  • Page 363 IP Switching If the destination node is on the same subnetwork as the source network, then the packet can be transmitted directly without the help of a router. However, if the MAC address is not yet known to the switch, an Address Resolution Protocol (ARP) packet with the destination IP address is broadcast to get the destination MAC address from the destination node.
  • Page 364: Routing Path Management

    If the switch determines that a frame must be routed, the route is calculated only during setup. Once the route has been determined, all packets in the current flow are simply switched or forwarded across the chosen path. This takes advantage of the high throughput and low latency of switching by enabling the traffic to bypass the routing engine once the path calculation has been performed.
  • Page 365: Basic Ip Interface Configuration

    Non-IP Protocol Routing
    The switch supports IP routing only. Non-IP protocols such as IPX and Appletalk cannot be routed by this switch, and will be confined within their local VLAN group unless bridged by an external router. To coexist with a network built on multilayer switches, the subnetworks for non-IP protocols must follow the same logical boundary as that of the IP subnetworks.
  • Page 366: Figure 17-1 Ip Global Settings

    • Default Gateway – The routing device to which the switch will pass packets for all unknown subnets; i.e., packets that do not match any routing table entry. (Valid IP addresses consist of four numbers, 0 to 255, separated by periods.)
    Web - Click IP, General, Global Settings.
  • Page 367: Configuring Ip Routing Interfaces

    Configuring IP Routing Interfaces
    You can specify the IP subnets connected to this router by manually assigning an IP address to each VLAN, or by using the RIP dynamic routing protocol to identify routes that lead to other interfaces by exchanging protocol messages with other routers on the network.
  • Page 368: Figure 17-2 Ip Routing Interface

    - If DHCP/BOOTP is enabled, IP will not function until a reply has been received from the address server. Requests will be broadcast periodically by the router for an IP address. (DHCP/BOOTP values include the IP address and subnet mask.) •...
  • Page 369: Address Resolution Protocol

    CLI - This example sets a primary IP address for VLAN 1, and then adds a secondary IP address for a different subnet also attached to this router interface.
    Console(config)#interface vlan 1
    Console(config-if)#ip address 10.1.0.253 255.255.255.0
    Console(config-if)#ip address 10.1.9.253 255.255.255.0 secondary
    Console(config-if)#
    Address Resolution Protocol...
  • Page 370: Proxy Arp

    When devices receive this request, they discard it if their address does not match the destination IP address in the message. However, if it does match, they write their own hardware address into the destination MAC address field and send the message back to the source hardware address. When the source device receives a reply, it writes the destination IP address and corresponding MAC address into its cache, and forwards the IP traffic on to the next hop.
  • Page 371: Basic Arp Configuration

    Basic ARP Configuration
    You can use the ARP General configuration menu to specify the timeout for ARP cache entries, or to enable Proxy ARP for specific VLAN interfaces.
    Command Usage
    • The aging time determines how long dynamic entries remain in the cache. If the timeout is too short, the router may tie up resources by repeating ARP requests for addresses recently flushed from the table.
  • Page 372: Figure 17-3 Arp General

    Web - Click IP, ARP, General. Set the timeout to a suitable value for the ARP cache, enable Proxy ARP for subnetworks that do not have routing or a default gateway, and click Apply.
    Figure 17-3 ARP General
    CLI - This example sets the ARP cache timeout for 15 minutes (i.e., 900 seconds), and enables Proxy ARP for VLAN 3.
  • Page 373: Configuring Static Arp Addresses

    Configuring Static ARP Addresses
    For devices that do not respond to ARP requests, traffic will be dropped because the IP address cannot be mapped to a physical address. If this occurs, you can manually map an IP address to the corresponding physical address in the ARP.
  • Page 374: Displaying Dynamically Learned Arp Entries

    CLI - This example sets a static entry for the ARP cache.
    Console(config)#arp 10.1.0.11 00-11-22-33-44-55
    Console(config)#
    Displaying Dynamically Learned ARP Entries
    The ARP cache contains entries that map IP addresses to the corresponding physical address. Most of these entries will be dynamically learned through replies to broadcast messages.
  • Page 375: Figure 17-5 Arp Dynamic Addresses

    Web - Click IP, ARP, Dynamic Addresses. You can use the buttons provided to change a dynamic entry to a static entry, or to clear all dynamic entries in the cache.
    Figure 17-5 ARP Dynamic Addresses
    CLI - This example shows all entries in the ARP cache.
    Console#show arp
    Arp cache timeout: 1200 (seconds)
  • Page 376: Displaying Local Arp Entries

    Displaying Local ARP Entries
    The ARP cache also contains entries for local interfaces, including subnet, host, and broadcast addresses.
    Command Attributes
    • IP Address – IP address of a local entry in the cache.
    • MAC Address – MAC address mapped to the corresponding IP address.
  • Page 377: Displaying Arp Statistics

    CLI - This router uses the Type specification “other” to indicate local cache entries in the ARP cache.
    Console#show arp
    Arp cache timeout: 1200 (seconds)
    IP Address      MAC Address       Type      Interface
    --------------- ----------------- --------- -----------
    10.1.0.0        ff-ff-ff-ff-ff-ff other
    10.1.0.11       00-11-22-33-44-55 static...
  • Page 378 CLI - This example provides detailed statistics on common IP-related protocols.
    Console#show ip traffic
    IP statistics:
    Rcvd: 5 total, 5 local destination
          0 checksum errors
          0 unknown protocol, 0 not a gateway
    Frags: 0 reassembled, 0 timeouts
           0 fragmented, 0 couldn't fragment
    Sent: 9 generated...
  • Page 379: Table 17-3 Ip Statistics

    Displaying Statistics for IP Protocols
    IP Statistics
    The Internet Protocol (IP) provides a mechanism for transmitting blocks of data (often called packets or frames) from a source to a destination, where these network devices (i.e., hosts) are identified by fixed length addresses.
  • Page 380 Table 17-3 IP Statistics (Continued)
    Parameter | Description
    Reassembly Failures | The number of failures detected by the IP re-assembly algorithm (for whatever reason: timed out, errors, etc.).
    Datagrams Failing Fragmentation | The number of datagrams that have been discarded because they needed to be fragmented at this entity but could not be, e.g., because their “Don't Fragment”...
  • Page 381: Displaying Statistics For Ip Protocols

    Web - Click IP, Statistics, IP.
    Figure 17-8 IP Statistics
    CLI - See the example on page 17-17.
    ICMP Statistics
    Internet Control Message Protocol (ICMP) is a network layer protocol that transmits message packets to report errors in processing IP packets. ICMP is therefore an integral part of the Internet Protocol.
  • Page 382: Table 17-4 Icmp Statistics

    Table 17-4 ICMP Statistics
    Parameter | Description
    Messages | The total number of ICMP messages which the entity received/sent.
    Errors | The number of ICMP messages which the entity received/sent but determined as having ICMP-specific errors (bad ICMP checksums, bad length, etc.).
  • Page 383: Figure 17-9 Icmp Statistics

    Web - Click IP, Statistics, ICMP.
    Figure 17-9 ICMP Statistics
    CLI - See the example on page 17-17.
  • Page 384: Udp Statistics

    UDP Statistics
    User Datagram Protocol (UDP) provides a datagram mode of packet-switched communications. It uses IP as the underlying transport mechanism, providing access to IP-like services. UDP packets are delivered just like IP packets – connection-less datagrams that may be discarded before reaching their targets.
  • Page 385: Tcp Statistics

    TCP Statistics
    The Transmission Control Protocol (TCP) provides highly reliable host-to-host connections in packet-switched networks, and is used in conjunction with IP to support a wide variety of Internet protocols.
    Table 17-6 TCP Statistics
    Parameter | Description
    Segments Received...
  • Page 386: Configuring Static Routes

    Web - Click IP, Statistics, TCP.
    Figure 17-11 TCP Statistics
    CLI - See the example on page 17-17.
    Configuring Static Routes
    This router can dynamically configure routes to other network segments using dynamic routing protocols (i.e., RIP). However, you can also manually enter static routes in the routing table.
  • Page 387: Figure 17-12 Ip Static Routes

    • Metric – Cost for this interface. This cost is only used if a route is imported by a dynamic routing protocol such as RIP. (Range: 1-5, default: 1)
    • Entry Count – The number of table entries.
    Web - Click IP, Routing, Static Routes.
  • Page 388: Displaying The Routing Table

    Displaying the Routing Table
    You can display all the routes that can be accessed via the local network interfaces, via static routes, or via a dynamically learned route. If route information is available through more than one of these methods, the priority for route selection is local, static, and then dynamic.
  • Page 389: Figure 17-13 Ip Routing Table

    Web - Click IP, Routing, Routing Table.
    Figure 17-13 IP Routing Table
    CLI - This example shows routes obtained from various methods.
    Console#show ip route
    Ip Address      Netmask         Next Hop        Protocol Metric Interface
    --------------- --------------- --------------- -------- ------ ---------
    0.0.0.0         0.0.0.0         10.1.0.254...
  • Page 390: Configuring The Routing Information Protocol

    Configuring the Routing Information Protocol
    The RIP protocol is the most widely used routing protocol. The RIP protocol uses a distance-vector-based approach to routing. Routes are determined on the basis of minimizing the distance vector, or hop count, which serves as a rough estimate of transmission cost.
  • Page 391: Configuring General Protocol Settings

    length subnet masks, and multicast transmissions for route advertising (RFC 1723).
    • There are several serious problems with RIP that you should consider. First, RIP (version 1) has no knowledge of subnets. Second, both RIP versions can take a long time to converge on a new route after the failure of a link or router, during which time routing loops may occur. Third, its small hop count limitation of 15 restricts its use to smaller networks.
  • Page 392 hand, setting it to an excessively long time will make the routing protocol less sensitive to changes in the network configuration.
    - The timers must be set to the same values for all routers in the network.
    Command Attributes
    Global Settings •...
  • Page 393: Figure 17-14 Rip General Settings

    Web - Click Routing Protocol, RIP, General Settings. Enable or disable RIP, set the RIP version used on previously unset interfaces to RIPv1 or RIPv2, set the basic update timer, and then click Apply.
    Figure 17-14 RIP General Settings
    CLI - This example sets the router to use RIP Version 2, and sets the basic timer to 15 seconds.
  • Page 394: Specifying Network Interfaces For Rip

    Specifying Network Interfaces for RIP
    You must specify network interfaces that will be included in the RIP routing process.
    Command Usage
    • RIP only sends updates to interfaces specified by this command.
    • Subnet addresses are interpreted as class A, B or C, based on the first field in the specified address.
  • Page 395: Configuring Network Interfaces For Rip

    CLI - This example includes network interface 10.1.0.0 in the RIP routing process.
    Console(config)#router-rip
    Console(config-router)#network 10.1.0.0
    Console(config-router)#end
    Console#show ip rip status
    Peer            UpdateTime   Version   RcvBadPackets   RcvBadRoutes
    --------------- ------------ --------- --------------- -------------
    10.1.0.253
    10.1.1.253
    Console#
    Configuring Network Interfaces for RIP...
  • Page 396 • You can specify the Send Version based on these options:
    - Use “RIPv1” or “RIPv2” if all routers in the local network are based on RIPv1 or RIPv2, respectively.
    - Use “RIPv1 Compatible” to propagate route information by broadcasting to other routers on the network using the RIPv2 advertisement list, instead of multicasting as normally required by RIPv2.
  • Page 397 a simple password. When a router is configured to exchange authentication messages, it will insert the password into all transmitted protocol packets, and check all received packets to ensure that they contain the authorized password. If any incoming protocol messages do not contain the correct password, they are simply dropped.
  • Page 398: Figure 17-16 Rip Interface Settings

    - Split Horizon: This method never propagates routes back to an interface from which they have been acquired.
    - Poison Reverse: This method propagates routes back to an interface port from which they have been acquired, but sets the distance-vector metrics to infinity.
  • Page 399: Redistributing Routing Information From Other Domains

    CLI - This example sets the receive version to accept both RIPv1 and RIPv2 messages, sets the send mode to RIPv1 compatible (called v2-broadcast in the CLI), sets the method of preventing instability in the network topology to Split Horizon, and enables authentication via a simple password (called text mode in the CLI).
  • Page 400: Figure 17-17 Rip Redistribution Configuration

    Command Attributes
    • Redistribute Protocol – Only static routes can be imported into this routing domain.
    • Redistribute Metric – Metric value assigned to all external routes for the specified protocol. (Range: 1-15)
    - The default metric value is set by the default-metric command (see page 37-9).
  • Page 401: Displaying Rip Information And Statistics

    Displaying RIP Information and Statistics
    You can display basic information about the current global configuration settings for RIP, statistics about route changes and queries, information about the interfaces on this router that are using RIP, and information about known RIP peer devices.
  • Page 402: Figure 17-18 Rip Statistics

    Table 17-7 RIP Information and Statistics (Continued)
    Parameter | Description
    Version | Whether RIPv1 or RIPv2 packets were received from this peer.
    RcvBadPackets | Number of bad RIP packets received from this peer.
    RcvBadRoutes | Number of bad routes received from this peer.
    Web - Click Routing Protocol, RIP, Statistics.
  • Page 403: Configuring The

    CLI - The information displayed by the RIP Statistics screen via the web interface can be accessed from the CLI using the following commands.
    Console#show rip globals
    RIP Process: Enabled
    Update Time in Seconds: 30
    Number of Route Change: 4
    Number of Queries: 0
    Console#show ip rip configuration...
  • Page 405 Command Line Interface
    This section provides a detailed description of the Command Line Interface, along with examples for all of the commands.
    Overview of the Command Line Interface (page 18-1)
    General Commands
  • Page 407: Using The Command Line Interface

    Overview of the Command Line Interface
    This chapter describes how to use the Command Line Interface (CLI).
    Note: You can only access the console interface through the Master unit in the stack.
    Using the Command Line Interface
    Accessing the CLI
    When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at...
  • Page 408: Telnet Connection

    2. Enter the necessary commands to complete your desired tasks.
    3. When finished, exit the session with the “quit” or “exit” command.
    After connecting to the system through the console port, the login screen displays:
    User Access Verification
    Username: admin
    Password:...
  • Page 409: Entering Commands

    After you configure the switch with an IP address, you can open a Telnet session by performing these steps:
    1. From the remote host, enter the Telnet command and the IP address of the device you want to access.
    2....
  • Page 410: Minimum Abbreviation

    You can enter commands as follows:
    • To enter a simple command, enter the command keyword.
    • To enter multiple commands, enter each command in the required order. For example, to enable Privileged Exec command mode, and display the startup configuration, enter:
    Console>enable
    Console#show startup-config...
  • Page 411: Showing Commands

    Showing Commands
    If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, DHCP, Interface, Line, Router, VLAN Database, or MSTP). You can also display a list of valid keywords for a specific command.
  • Page 412: Partial Keyword Lookup

    The command “show interfaces ?” will display the following information:
    Console#show interfaces ?
      counters       Information of interfaces counters
      protocol-vlan  Protocol-vlan information
      status         Information of interfaces status
      switchport     Information of interfaces switchport
    Console#
    Partial Keyword Lookup
    If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided.
  • Page 413: Understanding Command Modes

    Understanding Command Modes
    The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain switching functions. These classes are further divided into different modes.
  • Page 414: Configuration Commands

    console session with the user name and password “admin.” The system will now display the “Console#” command prompt. You can also enter Privileged Exec mode from within Normal Exec mode, by entering the enable command, followed by the privileged level password “super” (page 22-4).
  • Page 415 • Class Map Configuration - Creates a DiffServ class map for a specified traffic type.
    • DHCP Configuration - These commands are used to configure the DHCP server.
    • Interface Configuration - These commands modify the port configuration such as speed-duplex and negotiation. •...
  • Page 416: Table 18-2 Configuration Command Modes

    To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode.
    Table 18-2 Configuration Command Modes
    Mode | Command | Prompt | Page
    Line...
  • Page 417: Command Line Processing

    Command Line Processing
    Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?”...
  • Page 418: Command Groups

    Command Groups
    The system commands can be broken down into the functional groups shown below.
    Table 18-4 Command Group Index
    Command Group | Description | Page
    General | Basic commands for entering privileged access mode, restarting the system, or quitting the CLI | 19-1
    System Management | Display and setting of system information, basic modes of operation, maximum frame size, file... | 20-1
  • Page 419 Table 18-4 Command Group Index (Continued)
    Command Group | Description | Page
    Rate Limit | Controls the maximum rate for traffic transmitted or received on a port | 27-1
    Address Table | Configures the address table for filtering specified addresses, displays current entries, clears the table, or sets the aging time | 28-1
    Spanning Tree | Configures Spanning Tree settings for the switch...
  • Page 420 PE (Privileged Exec)
    PM (Policy Map Configuration)
    RC (Router Configuration)
    VC (VLAN Database Configuration)
  • Page 421 General Commands
    These commands are used to control the command access mode, configuration mode, and other basic functions.
    Table 19-1 General Commands
    Command | Function | Mode | Page
    enable | Activates privileged mode | | 19-2
    disable | Returns to normal mode from privileged mode | PE | 19-3
    configure | Activates global configuration mode...
  • Page 422: General Commands

    enable
    This command activates Privileged Exec mode. In privileged mode, additional commands are available, and certain commands display additional information. See “Understanding Command Modes” on page 18-7.
    Syntax
    enable [level]
    level - Privilege level to log into the device. The device has two predefined privilege levels: 0: Normal Exec, 15: Privileged Exec.
  • Page 423: Disable

    disable
    This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See “Understanding Command Modes”...
  • Page 424: Show History

    Example
    Console#configure
    Console(config)#
    Related Commands
    end (19-6)
    show history
    This command shows the contents of the command history buffer.
    Default Setting
    None
    Command Mode
    Normal Exec, Privileged Exec
    Command Usage
    The history buffer size is fixed at 10 Execution commands and 10 Configuration commands.
  • Page 425: Reload

    The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the configuration modes. In this example, the !2 command repeats the second command in the Execution history buffer (config).
  • Page 426: Prompt

    prompt
    This command customizes the CLI prompt. Use the no form to restore the default prompt.
    Syntax
    prompt string
    no prompt
    string - Any alphanumeric string to use for the CLI prompt. (Maximum length: 255 characters)
    Default Setting
    Console
    Command Mode
    Global Configuration...
  • Page 427: Exit

    exit
    This command returns to the previous configuration mode or exits the configuration program.
    Default Setting
    None
    Command Mode
    Example
    This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
    Console(config)#exit
    Console#exit
    Press ENTER to start session...
  • Page 428 Example
    This example shows how to quit a CLI session:
    Console#quit
    Press ENTER to start session
    User Access Verification
    Username:
  • Page 429 System Management Commands
    These commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
    Table 20-1 System Management Commands
    Command Group | Function | Page
    Device Designation | Configures information that uniquely identifies this switch | 20-2
    System Status...
  • Page 430: System Management Commands

    Device Designation Commands
    This section describes commands used to configure information that uniquely identifies the switch.
    Table 20-2 Device Designation Commands
    Command | Function | Mode | Page
    hostname | Specifies the host name for the switch | | 20-2
    snmp-server contact | Sets the system contact string | | 21-5
    snmp-server...
  • Page 431: Switch Renumber

    switch renumber
    This command resets the switch unit identification numbers in the stack. All stack members are numbered sequentially starting from the top unit for a non-loop stack, or starting from the Master unit for a looped stack.
    Syntax
    switch all renumber
    Default Setting...
  • Page 432: System Status Commands

    System Status Commands
    This section describes commands used to display system information.
    Table 20-3 System Status Commands
    Command | Function | Mode | Page
    show startup-config | Displays the contents of the configuration file (stored in flash memory) that is used to start up the system | | 20-4
    show | Displays the configuration data currently in...
  • Page 433 mode command, and corresponding commands. This command displays the following information:
    - MAC address for each switch in the stack
    - SNTP server settings
    - SNMP community strings
    - Users (names and access levels)
    - VLAN database (VLAN ID, name and state)
    - VLAN configuration settings for each interface
    - Multiple spanning tree instances (name and interfaces)
    - IP address configured for VLANs...
  • Page 434: Show Running-Config

    vlan database
    vlan 1 name DefaultVlan media ethernet state active
    spanning-tree MST configuration
    interface ethernet 1/1
    switchport allowed vlan add 1 untagged
    switchport native vlan 1
    interface vlan 1
    ip address dhcp
    no map IP precedence
    no map IP DSCP
    line console
    line VTY
    Console#...
  • Page 435 mode command, and corresponding commands. This command displays the following information:
    - MAC address for each switch in the stack
    - SNTP server settings
    - SNMP community strings
    - Users (names, access levels, and encrypted passwords)
    - VLAN database (VLAN ID, name and state)
    - VLAN configuration settings for each interface
    - Multiple spanning tree instances (name and interfaces)
    - IP address configured for VLANs...
  • Page 436: Show System

    SNTP server 0.0.0.0 0.0.0.0 0.0.0.0
    snmp-server community private rw
    snmp-server community public ro
    username admin access-level 15
    username admin password 7 21232f297a57a5a743894a0e4a801fc3
    username guest access-level 0
    username guest password 7 084e0343a0486ff05530df6c705c8bb4
    enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
    vlan database
    vlan 1 name DefaultVlan media ethernet state active
    spanning-tree MST-configuration...
  • Page 437: Show Users

    • The POST results should all display “PASS.” If any POST test indicates “FAIL,” contact your distributor for assistance.
    Example
    Console#show system
    System Description: 24/48 port 10/100/1000 Stackable Managed Switch with 2 X 10G
    System OID String: 1.3.6.1.4.1.202.20.57
    System information
    System Up time: 0 days, 1 hours, 23 minutes, and 44.61 seconds
    System Name...
  • Page 438: Show Version

    Command Usage
    The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
    Example
    Console#show users
    Username accounts:
    Username Privilege Public-Key
    -------- --------- ----------
    admin              None
    guest              None
    steve
    Online users:...
  • Page 439: Frame Size Commands

    Example
    Console#show version
    Unit1
    Serial Number: 0000E8900000
    Hardware Version:
    EPLD Version: 1.02
    Number of Ports:
    Main Power Status:
    Redundant Power Status: Not present
    Agent (master)
    Unit ID:
    Loader Version: 1.0.0.1
    Boot ROM Version: 1.0.0.1
    Operation Code Version: 3.30.7.54
    Console#
    Frame Size Commands
    This section describes commands used to configure the Ethernet frame...
  • Page 440: File Management Commands

    Command Usage
    • This switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 9216 bytes. Compared to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet overhead required to process protocol encapsulation fields.
  • Page 441: Copy

    Saving or Restoring Configuration Settings
    Configuration settings can be uploaded and downloaded to and from a TFTP server. The configuration file can be later downloaded to restore switch settings. The configuration file can be downloaded under a new file name and then set as the startup file, or the current startup configuration file can be specified as the destination file to directly replace it.
  • Page 442 copy unit file
    • file - Keyword that allows you to copy to/from a file.
    • running-config - Keyword that allows you to copy to/from the current running configuration.
    • startup-config - The configuration used for system initialization. •...
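The running-config example above stores SNMP community strings in clear text and user passwords as type 7 digests, and the CLI overview names the passwords “admin” and “super”. The following is an added audit example, not code from the manual or from SMC: it parses such a configuration and flags well-known community strings and any stored digest that equals the unsalted MD5 of the account name or of a password named on this page. The function names, the constructed `ops` account, and the treatment of type 7 digests as unsalted MD5 are assumptions of this example.

```python
import hashlib
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind subject severity detail")

# Credential-bearing lines from the running-config example on this page,
# plus one constructed account ("ops") with a constructed, non-default digest.
SAMPLE_CONFIG = """\
snmp-server community private rw
snmp-server community public ro
username admin access-level 15
username admin password 7 21232f297a57a5a743894a0e4a801fc3
username guest access-level 0
username guest password 7 084e0343a0486ff05530df6c705c8bb4
username ops access-level 15
username ops password 7 0123456789abcdef0123456789abcdef
enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
"""

# Passwords named on this page; each account name is also tried as its own password.
DOCUMENTED_DEFAULTS = ("admin", "super")
WELL_KNOWN_COMMUNITIES = {"public", "private"}

LEVEL_RE = re.compile(r"^username\s+(\S+)\s+access-level\s+(\d+)$")
USER_RE = re.compile(r"^username\s+(\S+)\s+password\s+7\s+([0-9a-fA-F]{32})$")
ENABLE_RE = re.compile(r"^enable\s+password\s+level\s+(\d+)\s+7\s+([0-9a-fA-F]{32})$")
SNMP_RE = re.compile(r"^snmp-server\s+community\s+(\S+)\s+(ro|rw)$")


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def guess_plaintext(digest, candidates):
    """Return the candidate whose unsalted MD5 equals digest, else None.

    Assumption of this example: a type 7 value is a plain MD5 hex digest.
    If the device used another scheme, nothing would match and nothing is flagged.
    """
    digest = digest.lower()
    for candidate in candidates:
        if md5_hex(candidate) == digest:
            return candidate
    return None


def audit_config(config_text, defaults=DOCUMENTED_DEFAULTS):
    """Return a list of Finding tuples for default credentials in config_text."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]

    # First pass: access level per account, used to rate severity.
    levels = {}
    for ln in lines:
        m = LEVEL_RE.match(ln)
        if m:
            levels[m.group(1)] = int(m.group(2))

    findings = []
    for ln in lines:
        m = SNMP_RE.match(ln)
        if m:
            name, access = m.groups()
            if name.lower() in WELL_KNOWN_COMMUNITIES:
                severity = "high" if access == "rw" else "medium"
                findings.append(Finding("default-community", name, severity,
                                        access + " access with a well-known community string"))
            continue
        m = USER_RE.match(ln)
        if m:
            user, digest = m.groups()
            if guess_plaintext(digest, (user,) + tuple(defaults)) is not None:
                severity = "high" if levels.get(user, 0) == 15 else "medium"
                findings.append(Finding("default-password", user, severity,
                                        "digest matches the account name or a documented default"))
            continue
        m = ENABLE_RE.match(ln)
        if m:
            level, digest = m.groups()
            if guess_plaintext(digest, defaults) is not None:
                findings.append(Finding("default-enable-password", "level " + level, "high",
                                        "digest matches a documented default"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.kind}: {f.subject} ({f.detail})")
```

Any finding means the credential should be changed before the switch is reachable from a management network, and a configuration file holding these lines should be treated as sensitive when it is copied to a TFTP server.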
