TigerSwitch 10/100 24-Port Fast Ethernet Switch
◆ 24 auto-MDI/MDI-X 10/100BASE-TX ports
◆ 10BASE-T/100BASE-TX ports support PoE capabilities
◆ Two 10/100/1000BASE-T RJ-45 ports
◆ Two Gigabit RJ-45/SFP combination ports
◆ 12.8 Gbps of aggregate bandwidth
◆ Supports IP Clustering
◆ Non-blocking switching architecture
◆ ...

TigerSwitch 10/100 Management Guide
From SMC’s Tiger line of feature-rich workgroup LAN solutions
20 Mason, Irvine, CA 92618
February 2007
Phone: (949) 679-8000
Pub. # 149100032800A...

Irvine, CA 92618
All rights reserved. Printed in Taiwan
Trademarks: SMC is a registered trademark; and EZ Switch, TigerStack and TigerSwitch are trademarks of SMC Networks, Inc. Other product and company names are trademarks or registered trademarks of their respective holders.
All SMC products carry a standard 90-day limited warranty from the date of purchase from SMC or its Authorized Reseller. SMC may, at its own discretion, repair or replace any product not operating as warranted with a similar or functionally equivalent product, during the applicable warranty term.
RIGHTS, WHICH MAY VARY FROM STATE TO STATE. NOTHING IN THIS WARRANTY SHALL BE TAKEN TO AFFECT YOUR STATUTORY RIGHTS. * SMC will provide warranty service for one year following discontinuance from the active SMC price list. Under the limited lifetime warranty, internal and external power supplies, fans, and cables are covered by a standard one-year warranty from date of purchase.
CHAPTER 1 INTRODUCTION

This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.

Table 1-1. Key Features
Feature – Description
DHCP Client – Supported
DHCP Snooping – Supported with Option 82 relay information
Port Configuration – Speed, duplex mode and flow control
Rate Limiting – Input rate limiting per port
Port Mirroring – One port mirrored to a single analysis port
Port Trunking – Supports up to 8 trunks using either static or dynamic trunking (LACP)

Description of Software Features
The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network. Port-based and private VLANs, plus support for automatic GVRP VLAN registration, provide traffic security and efficient use of network bandwidth.

security controls by restricting access to specific network resources or protocols.
Port Configuration – You can manually configure the speed, duplex mode, and flow control used on specific ports, or use auto-negotiation to detect the connection settings used by the attached device. Use the full-duplex mode on ports whenever possible to double the throughput of switch connections.

Static Addresses – A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.

standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices.
Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – This protocol is a direct extension of RSTP.

functions can be used to provide independent priorities for delay-sensitive data and best-effort data. This switch also supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic can be prioritized based on the DSCP field in the IP frame.

System Defaults
The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-27). The following table lists some of the basic system defaults.
Table 1-2. System Defaults
Table 1-2. System Defaults (Continued)
Function – Parameter – Default
Management – HTTP Server – Enabled
Management – HTTP Port Number
Management – HTTP Secure Server – Enabled
Management – HTTP Secure Port Number
SNMP – Community Strings – “public” (read only), “private” (read/write)
SNMP – Traps – Authentication traps: enabled; Link-up-down events: enabled
Port – Admin Status – Enabled...

Table 1-2. System Defaults (Continued)
Function – Parameter – Default
Virtual LANs – Default VLAN
Virtual LANs – PVID
Virtual LANs – Acceptable Frame Type
Virtual LANs – Ingress Filtering – Enabled
Virtual LANs – Switchport Mode (Egress Mode) – Hybrid: tagged/untagged frames
Virtual LANs – GVRP (global) – Disabled
Virtual LANs – GVRP (port interface) – Disabled
Traffic Prioritization – Ingress Port Priority
Traffic Prioritization – Weighted Round Robin – Queue: 0 1 2 3; Weight: 1 2 4 8
Traffic Prioritization – IP DSCP Priority...

Table 1-2. System Defaults (Continued)
Function – Parameter – Default
DHCP Snooping – Status – Disabled
IP Source Guard – Status – Disabled (all ports)
Switch Clustering – Status – Enabled
Switch Clustering – Commander – Disabled
a. SMC6824MPE and SMC6826MPE only.
CHAPTER 2 INITIAL CONFIGURATION

Connecting to the Switch
Configuration Options
The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON (Groups 1, 2, 3, 9) and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).

The switch’s web interface, CLI configuration program, and SNMP agent allow you to perform the following management functions:
• Set user names and passwords
• Set an IP interface for a management VLAN
• Configure SNMP parameters
• Enable/disable any port
• ...

To connect a terminal to the console port, complete the following steps:
1. Connect the console cable to the serial port on a terminal, or a PC running terminal emulation software, and tighten the captive retaining screws on the DB-9 connector.

Remote Connections
Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address”...
Access to both CLI levels is controlled by user names and passwords. The switch has a default user name and password for each level. To log into the CLI at the Privileged Exec level using the default user name and password, perform these steps:
1.
Note: ‘0’ specifies the password in plain text, ‘7’ specifies the password in encrypted form.
Username: admin
Password:
CLI session with the SMC6128PL2 is opened.
To end the CLI session, enter [Exit].
Console#configure
Console(config)#username guest password 0 [password]
Console(config)#username admin password 0 [password]
Console(config)#

Setting an IP Address...
• IP address for the switch
• Default gateway for the network
• Network mask for this network
To assign an IP address to the switch, complete the following steps:
1. From the Privileged Exec level global configuration mode prompt, type “interface vlan 1”...

If the “bootp” or “dhcp” option is saved to the startup-config file (step 6), then the switch will start broadcasting service requests as soon as it is powered on. To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete the following steps:
1.

6. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press <Enter>.
Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#ip dhcp restart
Console#show ip interface
IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1,
and address mode: User specified.

Community Strings (for SNMP version 1 and 2c clients)
Community strings are used to control management access to SNMP version 1 and 2c stations, as well as to authorize SNMP stations to receive trap messages from the switch. You therefore need to assign community strings to specified users, and set the access level.

Trap Receivers
You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, use the “snmp-server host” command. From the Privileged Exec level global configuration mode prompt, type:
“snmp-server host host-address community-string [version {1 | 2c | 3 {auth | noauth | priv}}]”...

used for authentication, provides the password “greenpeace” for authentication, and the password “einstien” for encryption.
Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included 4-148
Console(config)#snmp-server view 802.1d 1.3.6.1.2.1.17 included
Console(config)#snmp-server group r&d v3 auth mib-2 802.1d 4-150
Console(config)#snmp-server user steve group r&d v3 auth md5 greenpeace priv des56 einstien 4-153
Console(config)#...

Managing System Files
The switch’s flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.
Note that configuration files should be downloaded using a file name that reflects the contents or usage of the file settings. If you download directly to the running-config, the system will reboot, and the settings will have to be copied from the running-config to a permanent file.

CHAPTER 3 CONFIGURING THE SWITCH

Using the Web Interface
This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, or Netscape 6.2 or above).

2. If you log into the web interface as guest (Normal Exec level), you can view the configuration settings or change the guest password. If you log in as “admin” (Privileged Exec level), you can change the settings on any page.
3.

Navigating the Web Browser Interface
To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.”...

Configuration Options
Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.

Main Menu
Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Table 3-2. Main Menu
Menu – Description – Page...
Table 3-2. Main Menu (Continued)
Menu – Description – Page
Reset – Restarts the switch – 3-43
SNTP – 3-44
Configuration – Configures SNTP client settings, including broadcast mode or a specified list of servers – 3-44
Clock Time Zone – Sets the local time zone for the system clock – 3-46
SNMP – 3-47...

Table 3-2. Main Menu (Continued)
Menu – Description – Page
802.1X – Port authentication – 3-86
Information – Displays global configuration settings – 3-89
Configuration – Configures the global configuration setting – 3-89
Port Configuration – Sets parameters for individual ports – 3-90
Statistics – Displays protocol statistics for the selected port – 3-94
– 3-96
Configuration...

Table 3-2. Main Menu (Continued)
Menu – Description – Page
Port Broadcast Control – Sets the broadcast storm threshold for each port – 3-129
Trunk Broadcast Control – Sets the broadcast storm threshold for each trunk – 3-129
Mirror Port Configuration – Sets the source and target ports for mirroring – 3-131
Rate Limit...

Table 3-2. Main Menu (Continued)
Menu – Description – Page
Configuration – Configures global bridge settings for STA and RSTP – 3-155
Port Information – Displays individual port settings for STA – 3-160
Trunk Information – Displays individual trunk settings for STA – 3-160
Port Configuration – Configures individual port settings for STA – 3-164
Trunk Configuration – Configures individual trunk settings for STA – 3-164...

Table 3-2. Main Menu (Continued)
Menu – Description – Page
Trunk Configuration – Specifies default trunk VID and VLAN attributes – 3-190
Private VLAN – 3-192
Information – Displays Private VLAN feature information – 3-194
Configuration – This page is used to create/remove primary or community VLANs – 3-196
Association...

Table 3-2. Main Menu (Continued)
Menu – Description – Page
IP DSCP Priority Status – Globally selects DSCP Priority, or disables it. – 3-212
IP DSCP Priority – Sets IP Differentiated Services Code Point priority, mapping a DSCP tag to a class-of-service value – 3-213
DiffServ – 3-215
Class Map – 3-215...

Table 3-2. Main Menu (Continued)
Menu – Description – Page
Group IP Information – Displays the ports attached to an MVR multicast stream – 3-241
Port Configuration – Configures MVR interface type and immediate leave status – 3-243
Trunk Configuration – Configures MVR interface type and immediate leave status – 3-243
Group Member...
Basic Configuration
Displaying System Information
You can easily identify the system by displaying the device name, location and contact information.
Field Attributes
• System Name – Name assigned to the switch system.
• Object ID – MIB II object ID for switch’s network management subsystem.

Web – Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that allows access to the Command Line Interface via Telnet.) Figure 3-3.

Management Software
• EPLD Version – Version number of the Electronically Programmable Logic Device code.
• Loader Version – Version number of loader code.
• Boot-ROM Version – Version of Power-On Self-Test (POST) and boot code.
• Operation Code Version –...

CLI – Use the following command to display version information.
Console#show version 4-85
Unit 1
Serial number:
Hardware version:
EPLD Version: 4.04
Number of ports:
Main power status:
Redundant power status: Not present
Agent (master)
Unit ID:
Loader version: 0.0.0.5
Boot ROM version: 0.0.0.8...

Displaying Bridge Extension Capabilities
The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.
Field Attributes
• Extended Multicast Filtering Services –...

Figure 3-5. Bridge Extension Configuration
CLI – Enter the following command.
Console#show bridge-ext 4-219
Max support VLAN numbers:
Max support VLAN ID: 4094
Extended multicast filtering services: No
Static entry individual port:
VLAN learning:
Configurable PVID tagging:
Local VLAN capable:
Traffic classes: Enabled
Global GVRP status:...
You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. Anything outside this format will not be accepted by the CLI program.

Manual Configuration
Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply.
Figure 3-6. Manual IP Configuration
CLI –...

Using DHCP/BOOTP
If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services.
Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP.

CLI – Specify the management interface, and set the IP address mode to DHCP or BOOTP, and then enter the “ip dhcp restart” command.
Console#config
Console(config)#interface vlan 1 4-156
Console(config-if)#ip address dhcp 4-290
Console(config-if)#end
Console#ip dhcp restart 4-292
Console#show ip interface 4-293
IP address and netmask: 192.168.1.1 255.255.255.0 on VLAN 1,...

Figure 3-8. Bridge Extension Configuration
CLI – Enter the following command.
Console#config
Console(config)#jumbo frame
Console(config)#

Managing Firmware
You can upload/download firmware to or from a TFTP server, or copy files to and from switch units in a stack. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation.

• File Name – The file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch.

If you download to a new destination file, go to the System/File/Set Start-Up menu, mark the operation code file used at startup, and click Apply. To start the new firmware, reboot the system via the System/Reset menu. Figure 3-10.

Console#copy tftp file 4-88
TFTP server ip address: 192.168.1.23
Choose file type:
1. config: 2. opcode: <1-2>: 2
Source file name: V2.2.7.1.bix
Destination file name: V2271.F
\Write to FLASH Programming.
-Write to FLASH finish.
Success.
Console#config 4-95
Console(config)#boot system opcode:V2271.F
Console(config)#exit
Console#reload 4-30...
- running-config to startup-config – Copies the running config to the startup config.
- running-config to tftp – Copies the running configuration to a TFTP server.
- startup-config to file – Copies the startup configuration to a file on the switch.

Downloading Configuration Settings from a Server
You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg”...

Figure 3-13. Setting the Startup Configuration Settings
CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch.
Console#copy tftp startup-config 4-88
TFTP server ip address: 192.168.1.19...

This example shows how to copy a PoE controller file from another unit in the stack.
Console#copy file controller 4-82
Unit <1-2>: 2
Choose controller type:
1. PoE: 2. VDSL: 3. TBD <1-3>: 1
Source file name: PoE-test
Software downloading in progress, please wait...
• Data Bits – Sets the number of data bits per character that are interpreted and generated by the console port. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.

Figure 3-14. Console Port Settings
CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.
Console(config)#line console 4-16...

Telnet Settings
You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other various parameters set, including the TCP port number, timeouts, and a password. These parameters can be configured via the web or CLI interface.

• Password Threshold – Sets the password intrusion threshold, which limits the number of failed logon attempts. When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt.

• Flash Level – Limits log messages saved to the switch’s permanent flash memory for all levels up to the specified level. For example, if level 3 is specified, all messages from level 0 to level 3 will be logged to flash.

Figure 3-17. System Logs
CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory. Use the show logging command to display the current settings.
Console(config)#logging on 4-59
Console(config)#logging history ram 0 4-61
Console(config)#end
Console#show logging flash...

RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to process messages, such as sorting or storing messages in the corresponding database.

exhausted. (Level 2)
• Alert – Sends urgent notification that immediate action must be taken. (Level 1)
• Emergency – Sends an emergency notification that the system is now unusable. (Level 0)
• SMTP Server List – Specifies a list of recipient SMTP servers.
•...

CLI – Enter the host IP address, followed by the mail severity level, source and destination email addresses, and enter the sendmail command to complete the action. Use the show logging command to display SMTP information.
Console(config)#logging sendmail host 192.168.1.19
Console(config)#logging sendmail level 3
Console(config)#logging sendmail source-email bill@this-company.com...

Setting the System Clock
Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.

Web – Select SNTP, Configuration. Modify any of the required parameters, and click Apply.
Figure 3-21. SNTP Configuration
CLI – This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings.
Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 4-75
Console(config)#sntp poll 60...

Setting the Time Zone
SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
A network management station can access this information using software such as SMC EliteView. Access to the onboard agent from clients using SNMP v1 and v2c is controlled by community strings. To communicate with the switch, the management station must first submit a valid community string for authentication.
reading and writing, which are known as “views.” The switch has a default view (all MIB objects) and default groups defined for security models v1 and v2c. The following table shows the security models and levels available and the system default settings.

Setting Community Access Strings
You may configure up to five community strings authorized for management access. All community strings used for IP Trap Managers should be listed in this table. For security reasons, you should consider removing the default strings.
Command Attributes
•...

CLI – The following example adds the string “spiderman” with read/write access.
Console(config)#snmp-server community spiderman rw 4-139
Console(config)#

Specifying Trap Managers and Trap Types
Traps indicating status changes are issued by the switch to specified trap managers.
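As an added defender's check (not part of this guide or of SMC's software), the following Python script scans a running-config written in the CLI syntax shown in this chapter and flags the factory-default community strings from Table 1-2, trap receivers that still use SNMP v1/v2c, SNMPv3 users with MD5/DES56, and user passwords given in plain-text (‘0’) form. The sample configuration below is constructed from the command forms on this page and is an assumption, not a capture from a real switch.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample running-config using the CLI syntax shown in this guide.
# Not captured from a real switch; the "7" password value is a placeholder.
SAMPLE_RUNNING_CONFIG = """\
!
username admin access-level 15
username admin password 0 admin
username guest access-level 0
username guest password 7 PLACEHOLDER_ENCRYPTED_PASSWORD
!
snmp-server community public ro
snmp-server community private rw
snmp-server community spiderman rw
snmp-server host 192.168.1.19 private version 2c
snmp-server host 192.168.1.20 steve version 3 priv
snmp-server user steve group r&d v3 auth md5 greenpeace priv des56 einstien
!
ip http server
ip http secure-server
ip ssh server
!
"""

# Factory-default community strings listed in Table 1-2 of the guide.
DEFAULT_COMMUNITIES = {"public", "private"}
# Assumption: MD5 authentication and DES56 privacy are treated as weak choices.
WEAK_SNMPV3_ALGORITHMS = {"md5", "des56"}


@dataclass
class Finding:
    line: int        # 1-based line number in the config text
    severity: str    # "high", "medium" or "low"
    message: str


# Command forms taken from the CLI examples in this chapter.
RE_COMMUNITY = re.compile(r"snmp-server community (\S+)(?: (ro|rw))?")
RE_TRAP_HOST = re.compile(
    r"snmp-server host (\S+) (\S+)(?: version (1|2c|3)(?: (auth|noauth|priv))?)?")
RE_V3_USER = re.compile(
    r"snmp-server user (\S+) group \S+ v3 auth (\S+) \S+(?: priv (\S+) \S+)?")
RE_USERNAME = re.compile(r"username (\S+) password (0|7) \S+")


def audit_config(config_text: str) -> List[Finding]:
    """Return one Finding per weak management setting, in config order."""
    findings: List[Finding] = []
    lines = [raw.strip() for raw in config_text.splitlines()]
    for number, line in enumerate(lines, 1):
        if not line or line.startswith("!"):
            continue
        if m := RE_COMMUNITY.fullmatch(line):
            name, access = m.group(1), m.group(2) or "ro"
            if name in DEFAULT_COMMUNITIES:
                findings.append(Finding(number, "high",
                    f"factory-default community '{name}' still configured ({access})"))
        elif m := RE_TRAP_HOST.fullmatch(line):
            host, credential, version, level = m.groups()
            if version != "3":
                # v1/v2c traps carry the community string unencrypted on the wire.
                sev = "high" if credential in DEFAULT_COMMUNITIES else "medium"
                findings.append(Finding(number, sev,
                    f"trap receiver {host} uses SNMP v{version or '1/2c'}: "
                    f"community '{credential}' travels in clear text"))
            elif level != "priv":
                findings.append(Finding(number, "low",
                    f"trap receiver {host} uses SNMPv3 without privacy ({level})"))
        elif m := RE_V3_USER.fullmatch(line):
            user, auth_alg, priv_alg = m.groups()
            weak = sorted(WEAK_SNMPV3_ALGORITHMS & {auth_alg, priv_alg})
            if priv_alg is None:
                findings.append(Finding(number, "medium",
                    f"SNMPv3 user '{user}' has no privacy (encryption) configured"))
            elif weak:
                findings.append(Finding(number, "medium",
                    f"SNMPv3 user '{user}' uses weak algorithm(s): {', '.join(weak)}"))
        elif m := RE_USERNAME.fullmatch(line):
            user, form = m.group(1), m.group(2)
            if form == "0":
                findings.append(Finding(number, "medium",
                    f"password for user '{user}' is given in plain-text form (0)"))
    # Plain HTTP management enabled while the secure server line is absent.
    if "ip http server" in lines and "ip http secure-server" not in lines:
        findings.append(Finding(lines.index("ip http server") + 1, "medium",
            "HTTP management enabled without HTTPS (ip http secure-server)"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_RUNNING_CONFIG):
        print(f"line {f.line:>3} [{f.severity}] {f.message}")
```

Feed it the output of the switch's running configuration saved to a file; lines it does not recognise are ignored, so it is safe to run over a full config.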
Web – Click SNMP, Configuration. Fill in the IP address and community string for each trap manager that will receive trap messages, and then click Add. Select the trap types required using the check boxes for Authentication and Link-up/down traps, and then click Apply. Figure 3-24.

Figure 3-25. Enabling SNMP Agent Status
Configuring SNMPv3 Management Access
To configure SNMPv3 management access to the switch, follow these steps:
1. If you want to change the default engine ID, it must be changed first before configuring other parameters.
2.
A new engine ID can be specified by entering 1 to 26 hexadecimal characters. If less than 26 characters are specified, trailing zeroes are added to the value. For example, the value “1234” is equivalent to “1234” followed by 22 zeroes.

Specifying a Remote Engine ID
To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.

• Group Name – The name of the SNMP group to which the user is assigned. (Range: 1-32 characters)
• Model – The user security model; SNMP v1, v2c or v3.
• Level – The security level used for the user:
- noAuthNoPriv –...

Figure 3-28. Configuring SNMPv3 Users
Configuring Remote SNMPv3 Users
Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view.

To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.

Figure 3-29. Configuring Remote SNMPv3 Users
Configuring SNMPv3 Groups
An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.

Table 3-5. Supported Notification Messages
Object Label – Object ID – Description
RFC 1493 Traps
newRoot – 1.3.6.1.2.1.17.0.1 – The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its...

Table 3-5. Supported Notification Messages (Continued)
Object Label – Object ID – Description
linkUp – 1.3.6.1.6.3.1.1.5.4 – A linkUp trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links left the down state and transitioned into some other state (but not into the notPresent state).

Table 3-5. Supported Notification Messages (Continued)
Object Label – Object ID – Description
Private Traps
swPowerStatusChangeTrap – 1.3.6.1.4.1.202.20.65.2.1.0.1 – This trap is sent when the power state changes.
swIpFilterRejectTrap – 1.3.6.1.4.1.202.20.65.2.1.0.40 – This trap is sent when an incorrect IP address is rejected by the IP Filter.

Figure 3-30. Configuring SNMPv3 Groups
Setting SNMPv3 Views
SNMPv3 views are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview” includes access to the entire MIB tree.
Command Attributes
•...

• Edit OID Subtrees – Allows you to configure the object identifiers of branches within the MIB tree. Wild cards can be used to mask a specific portion of the OID string.
• Type – Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view.
User Authentication
You can restrict management access to this switch using the following options:
• User Accounts – Manually configure access rights on the switch for specified users.
• Authentication Settings – Use remote authentication to configure access rights.

- Password – Specifies the user password. (Range: 0-8 characters plain text, case sensitive)
• Change Password – Sets a new password for the specified user name.
• Add/Remove – Adds or removes an account from the list.
Web – Click Security, User Accounts. To configure a new user account, specify a user name, select the user’s access level, then enter a password and confirm it.

Configuring Local/Remote Logon Authentication
Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.

control management access via the console port, web browser, or Telnet.
• RADIUS and TACACS+ logon authentication assign a specific privilege level for each user name/password pair. The user name, password, and privilege level must be configured on the authentication server.

Command Attributes
• Authentication – Select the authentication, or authentication sequence required:
- Local – User authentication is performed only locally by the switch.
- Radius – User authentication is performed using a RADIUS server only.
- TACACS – User authentication is performed using a TACACS+ server only.

- Server Port Number – Network (TCP) port of TACACS+ server used for authentication messages. (Range: 1-65535; Default: 49)
- Secret Text String – Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 20 characters)
Note: The local switch user database has to be set up by manually entering user names and passwords using the CLI.

Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply.
Figure 3-33. Authentication Settings

• When you start HTTPS, the connection is established in this way:
- The client authenticates the server using the server’s digital certificate.
- The client and server negotiate a set of security protocols to use for the connection.

Figure 3-34. HTTPS Settings
CLI – This example enables the HTTP secure server and modifies the port number.
Console(config)#ip http secure-server 4-42
Console(config)#ip http secure-port 443 4-44
Console(config)#

Replacing the Default Secure-site Certificate
When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch.

When you have obtained these, place them on your TFTP server, and use the following command at the switch's command-line interface to replace the default (unrecognized) certificate with an authorized one:
Console#copy tftp https-certificate 4-88
TFTP server ip address: <server ip-address>
Source certificate file name: <certificate file name>...
UTHENTICATION Configuring the Secure Shell The Berkley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
Page 132
ONFIGURING THE WITCH 1.Generate a Host Key Pair – On the SSH Host Key Settings page, create a host public/private key pair. 2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch.
Page 133
UTHENTICATION 3. Import Client’s Public Key to the Switch – Use the copy tftp public-key command (page 4-88) to copy a file containing the public key for all the SSH client’s granted management access to the switch. (Note that these clients must be configured locally on the switch via the User Accounts page as described on page 3-66.) The clients are subsequently authenticated using these keys.
ONFIGURING THE WITCH connection or manually entered into the known host file. However, you do not need to configure the client’s keys. 2. The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
UTHENTICATION Figure 3-35. SSH Server Settings CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SHH, and then disables this connection. Console(config)#ip ssh server 4-49 Console(config)#ip ssh timeout 100 4-50...
Page 136
ONFIGURING THE WITCH Field Attributes • Public-Key of Host-Key – The public key for the host. - RSA (Version 1): The first field indicates the size of the host key (e.g., 1024), the second field is the encoded public exponent (e.g., 65537), and the last string is the encoded modulus.
UTHENTICATION Figure 3-36. SSH Host-Key Settings CLI – This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then displays the host’s public keys. Console#ip ssh crypto host-key generate 4-49 Console#ip ssh save host-key 4-49 Console#show public-key host...
ONFIGURING THE WITCH Configuring Port Security Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
Page 139
UTHENTICATION • If a port is disabled (shut down) due to a security violation, it must be manually re-enabled from the Port/Port Configuration page (page 3-111). Command Attributes • Port – Port number. • Name – Descriptive text (page 4-157). •...
ONFIGURING THE WITCH Figure 3-37. Configuring Port Security CLI – This example selects the target port, sets the port security action to send a trap and disable the port and sets the maximum MAC addresses allowed on the port, and then enables port security for the port. Console(config)#interface ethernet 1/5 Console(config-if)#port security action trap-and-shutdown 4-108...
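The port security behaviour described above, as an added Python model that is not part of this guide or of SMC's firmware: a port learns source MAC addresses until the configured maximum is reached and then stops learning; a frame from an unknown source after that point is a violation that triggers the configured action (trap, shutdown, or trap-and-shutdown, following the command names in the example), and a port shut down this way stays down until an operator re-enables it. The one assumption not stated on the page is that frames from unknown sources are dropped once the limit is reached; the MAC addresses in the demo are constructed sample values.

```python
"""Port-security learning model (added example, not SMC's code)."""
from dataclasses import dataclass, field

VALID_ACTIONS = ("none", "trap", "shutdown", "trap-and-shutdown")


@dataclass
class SecurePort:
    max_addrs: int                       # configured maximum MAC addresses
    action: str = "trap-and-shutdown"    # as set with 'port security action'
    learned: set = field(default_factory=set)
    enabled: bool = True
    traps: list = field(default_factory=list)   # intrusion traps that would be sent

    def __post_init__(self):
        if self.action not in VALID_ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        if self.max_addrs < 0:
            raise ValueError("max_addrs must be non-negative")

    def receive(self, src_mac: str) -> str:
        """Process one ingress frame and report what happened to it:
        'forward', 'drop' (unknown source, port stays up) or 'shutdown'
        (the violation disabled the port)."""
        if not self.enabled:
            return "drop"                       # a shut-down port passes nothing
        mac = src_mac.lower().replace(":", "-")
        if mac in self.learned:
            return "forward"
        if len(self.learned) < self.max_addrs:
            self.learned.add(mac)               # still below the limit: learn it
            return "forward"
        # Limit reached and the source is unknown: security violation.
        # Assumption: such frames are dropped (the page only says learning stops).
        if "trap" in self.action:
            self.traps.append(mac)
        if "shutdown" in self.action:
            self.enabled = False                # manual re-enable required
            return "shutdown"
        return "drop"

    def reenable(self) -> None:
        """Operator action from the Port Configuration page."""
        self.enabled = True


def run_demo() -> dict:
    """Replay a constructed frame sequence against two differently configured ports."""
    frames = ["00-12-CF-48-82-93", "00-12-cf-94-34-de",      # two legitimate hosts
              "00-12-CF-48-82-93", "00-12-cf-aa-bb-cc",      # then an unknown third host
              "00-12-CF-48-82-93"]
    trap_only = SecurePort(max_addrs=2, action="trap")
    shut = SecurePort(max_addrs=2, action="trap-and-shutdown")
    return {
        "trap": [trap_only.receive(f) for f in frames],
        "trap_enabled": trap_only.enabled,
        "shutdown": [shut.receive(f) for f in frames],
        "shutdown_enabled": shut.enabled,
        "shutdown_traps": shut.traps,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The two ports in the demo receive the same frames; the trap-only port keeps forwarding traffic from the two learned hosts after the violation, while the trap-and-shutdown port goes down and drops even the legitimate host's frames until `reenable()` is called, which is the operational trade-off the note about manual re-enabling refers to.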
This switch uses the Extensible Authentication Protocol over LANs (EAPOL) to exchange ...
[Figure: 802.1X client, switch, and RADIUS authentication server]
1. Client attempts to access a switch port.
2. Switch sends client an identity request.
3. Client sends back identity information.
4. Switch forwards this to the authentication server.
5. ...

• The RADIUS server and 802.1X client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.)
• The RADIUS server and client also have to support the same EAP authentication type – ...

CLI – This example shows the default global setting for 802.1X.
Console#show dot1x 4-118
Global 802.1X Parameters
system-auth-control: enable
802.1X Port Summary
Port Name Status Operation Mode Mode Authorized
disabled Single-Host ForceAuthorized
disabled Single-Host ForceAuthorized
802.1X Port Details
802.1X is disabled on port 1/1
802.1X is disabled on port 1/52
Console#
Configuring 802.1X Global Settings...

CLI – This example enables 802.1X globally for the switch.
Console(config)#dot1x system-auth-control 4-111
Console(config)#
Configuring Port Settings for 802.1X
When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., the authenticator), as well as the client identity lookup process that runs between the switch and the authentication server.

• Max-Req – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session. (Range: 1-10; Default: 2)
• Quiet Period – Sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client.

CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 4-118. ...

Console(config)#interface ethernet 1/2 4-156
Console(config-if)#dot1x port-control auto 4-112
Console(config-if)#dot1x re-authentication 4-114
Console(config-if)#dot1x max-req 5 4-111
Console(config-if)#dot1x timeout quiet-period 30 4-115
Console(config-if)#dot1x timeout re-authperiod 1800 4-116
Console(config-if)#dot1x timeout tx-period 40 4-116
Console(config-if)#exit
Console(config)#exit
Console#show dot1x 4-118
Global 802.1X Parameters
system-auth-control: enable
802.1X Port Summary
Port Name Status...

Displaying 802.1X Statistics
This switch can display statistics for dot1x protocol exchanges for any port.
Table 3-7. 802.1X Statistics
Parameter – Description
Rx EAPOL Start – The number of EAPOL Start frames that have been received by this Authenticator.
Rx EAPOL Logoff – The number of EAPOL Logoff frames that have been received...

Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics.
Figure 3-41. Displaying 802.1X Port Statistics
CLI – This example displays the 802.1X statistics for port 4.
Console#show dot1x statistics interface ethernet 1/4 4-118
Eth 1/4 Rx: EAPOL...

Access Control Lists
Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, and then bind the list to a specific port.

3. Explicit default rule (permit any any) in the ingress IP ACL for ingress ports.
4. If no explicit rule is matched, the implicit default is permit all.
Setting the ACL Name and Type
Use the ACL Configuration page to designate the name and type of an ACL.

Web – Select Security, ACL, Configuration. Enter an ACL name in the Name field, select the list type (IP Standard, IP Extended, or MAC), and click Add to open the configuration page for the new list.
Figure 3-42. Selecting ACL Type
CLI – ...

specified source IP address, and compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.
Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” ...

Configuring an Extended IP ACL
Command Attributes
• Action – An ACL can contain any combination of permit or deny rules.
• Source/Destination Address Type – Specifies the source or destination IP address. Use “Any” to include all possible addresses, “Host” ...

- 1 (fin) – Finish
- 2 (syn) – Synchronize
- 4 (rst) – Reset
- 8 (psh) – Push
- 16 (ack) – Acknowledgement
- 32 (urg) – Urgent pointer
For example, use the code value and mask below to catch packets with the following flags set:
- SYN flag valid, use control-code 2, control bitmask 2
- Both SYN and ACK valid, use control-code 18, control bitmask 18...

Figure 3-44. Configuring Extended IP ACLs
CLI – This example adds two rules: (1) Accept any incoming packets if the source address is in subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 & ...

Configuring a MAC ACL
Command Attributes
• Action – An ACL can contain any combination of permit or deny rules.
• Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” ...

Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range.
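The three comparisons the ACL sections above describe (the IP rule test "(10.7.1.0 & 255.255.255.0) equals the masked packet address", the TCP control-code and bitmask test, and the MAC base-address plus hexadecimal bitmask test), implemented as an added Python example that is not the switch's own code and not taken from this guide. It goes slightly beyond the page's two control-code examples: the constructed rule set uses control-code 2 with bitmask 18, which selects the SYN and ACK bits and requires SYN set with ACK clear, i.e. a new connection attempt, so that only the 10.7.1.x subnet from the guide's own example may open connections. Rules are evaluated in order with the first match winning, and the implicit "permit" default stated in the guide applies when nothing matches. The rule dictionaries, packet dictionaries and MAC range are all constructed for the example.

```python
"""ACL rule evaluation (added example; not the switch firmware)."""
import ipaddress

# TCP control-code bit values as listed in the guide.
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32


def ip_masked_equal(addr: str, rule_addr: str, mask: str) -> bool:
    """(addr & mask) == (rule_addr & mask), e.g. 10.7.1.2 vs 10.7.1.0/255.255.255.0."""
    a, r, m = (int(ipaddress.IPv4Address(x)) for x in (addr, rule_addr, mask))
    return (a & m) == (r & m)


def tcp_flags_match(flags: int, control_code: int, bitmask: int) -> bool:
    """Compare only the flag bits selected by the bitmask."""
    return (flags & bitmask) == (control_code & bitmask)


def mac_to_int(mac: str) -> int:
    """Accepts 11-22-33-44-55-66 or 11:22:33:44:55:66."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return int(digits, 16)


def mac_masked_equal(mac: str, rule_mac: str, mask: str) -> bool:
    """The packet MAC must agree with the base address on every bit set in the mask."""
    m = mac_to_int(mask)
    return (mac_to_int(mac) & m) == (mac_to_int(rule_mac) & m)


def rule_matches(pkt: dict, rule: dict) -> bool:
    """Every field present in the rule must match; an absent field means 'any'."""
    if "src" in rule and not ip_masked_equal(pkt["src"], *rule["src"]):
        return False
    if "dst" in rule and not ip_masked_equal(pkt["dst"], *rule["dst"]):
        return False
    if "proto" in rule and pkt.get("proto") != rule["proto"]:
        return False
    if "dport" in rule and pkt.get("dport") != rule["dport"]:
        return False
    if "tcp" in rule:   # (control-code, bitmask); only meaningful for TCP
        if pkt.get("proto") != "tcp":
            return False
        if not tcp_flags_match(pkt.get("flags", 0), *rule["tcp"]):
            return False
    if "src_mac" in rule and not mac_masked_equal(pkt["src_mac"], *rule["src_mac"]):
        return False
    return True


def evaluate(pkt: dict, rules: list) -> str:
    """Return 'permit' or 'deny' for an ingress packet; first matching rule wins."""
    for rule in rules:
        if rule_matches(pkt, rule):
            return rule["action"]
    return "permit"   # implicit default stated by the guide


# Constructed rule set (not from the page): accept the 10.7.1.x subnet used in
# the guide's example, deny TCP connection attempts (SYN set, ACK clear) from
# anywhere else, and deny one constructed vendor MAC range via a hex bitmask.
EXAMPLE_RULES = [
    {"action": "permit", "src": ("10.7.1.0", "255.255.255.0")},
    {"action": "deny", "proto": "tcp", "tcp": (SYN, SYN | ACK)},
    {"action": "deny", "src_mac": ("11-22-33-00-00-00", "FF-FF-FF-00-00-00")},
]


def demo() -> list:
    """Constructed packets run through EXAMPLE_RULES; returns the four verdicts."""
    packets = [
        {"src": "10.7.1.2", "dst": "10.7.2.9", "proto": "tcp", "dport": 22,
         "flags": SYN, "src_mac": "11-22-33-44-55-66"},          # in-subnet: permitted
        {"src": "10.7.2.2", "dst": "10.7.2.9", "proto": "tcp", "dport": 22,
         "flags": SYN, "src_mac": "00-12-CF-48-82-93"},          # new connection: denied
        {"src": "10.7.2.2", "dst": "10.7.2.9", "proto": "tcp", "dport": 22,
         "flags": SYN | ACK, "src_mac": "00-12-CF-48-82-93"},    # reply segment: permitted
        {"src": "10.7.2.2", "dst": "10.7.2.9", "proto": "udp", "dport": 53,
         "src_mac": "11-22-33-aa-bb-cc"},                        # MAC range: denied
    ]
    return [evaluate(p, EXAMPLE_RULES) for p in packets]


if __name__ == "__main__":
    print(demo())
```

Because the switch applies the first matching rule, the order of `EXAMPLE_RULES` matters: swapping the first two entries would deny connection attempts from 10.7.1.x as well, which is the kind of mistake worth checking with a small harness like this before binding a list to a production port.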
• This switch supports ACLs for ingress filtering only. However, you can only bind one IP ACL to any port for ingress filtering. In other words, only one ACL can be bound to an interface - Ingress IP ACL.
Command Attributes
• ...

CLI – This example assigns an IP access list to port 1, and an IP access list to port 3.
Console(config)#interface ethernet 1/1 4-156
Console(config-if)#ip access-group david in 4-128
Console(config-if)#exit
Console(config)#interface ethernet 1/3
Console(config-if)#ip access-group david in
Console(config-if)#
Filtering IP Addresses for Management Access
You create a list of up to 16 IP addresses or IP address groups that are...

Command Attributes
• Web IP Filter – Configures IP address(es) for the web group.
• SNMP IP Filter – Configures IP address(es) for the SNMP group.
• Telnet IP Filter – Configures IP address(es) for the Telnet group.
• ...

Figure 3-47. Creating an IP Filter List
CLI – This example allows SNMP access for a specific client.
Console(config)#management snmp-client 10.1.2.3 4-38
Console(config)#end
Console#show management all-client
Management IP Filter
HTTP-Client:
Start IP address End IP address
-----------------------------------------------
SNMP-Client:
Start IP address End IP address...
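The management-access IP filter described above, as an added Python model that is not SMC's code and is not taken from this guide: one list per management service (web, SNMP, Telnet), each holding up to 16 entries, an entry being a single address or a start/end range, and a client is accepted for a service only if its address falls inside one of that service's entries. One assumption is not stated on the page: a service whose list is empty is treated as unfiltered and accepts any client, which is why `audit()` reports such services. The addresses other than the guide's 10.1.2.3 are constructed.

```python
"""Management-access IP filter model (added example, not SMC code)."""
import ipaddress

MAX_ENTRIES = 16                       # limit stated in the guide
SERVICES = ("web", "snmp", "telnet")   # the three filter groups on the page


class ManagementFilter:
    def __init__(self):
        self.lists = {svc: [] for svc in SERVICES}

    def add(self, service: str, start: str, end: str = None) -> None:
        """Add a single address (end omitted) or an inclusive start/end range."""
        if service not in SERVICES:
            raise ValueError(f"unknown service {service!r}")
        entries = self.lists[service]
        if len(entries) >= MAX_ENTRIES:
            raise ValueError(f"{service}: limit of {MAX_ENTRIES} entries reached")
        s = ipaddress.IPv4Address(start)
        e = ipaddress.IPv4Address(end) if end else s
        if e < s:
            raise ValueError("end address precedes start address")
        entries.append((s, e))

    def allows(self, service: str, client: str) -> bool:
        """Would a client at this address reach the given management service?"""
        entries = self.lists[service]
        if not entries:
            return True   # assumption: no entries configured means no filtering
        c = ipaddress.IPv4Address(client)
        return any(s <= c <= e for s, e in entries)

    def audit(self) -> list:
        """Services left without any filter entry, i.e. reachable from anywhere."""
        return [svc for svc, entries in self.lists.items() if not entries]


def demo() -> dict:
    """Constructed configuration: one SNMP host (the guide's 10.1.2.3) and a web range."""
    f = ManagementFilter()
    f.add("snmp", "10.1.2.3")
    f.add("web", "10.1.2.0", "10.1.2.255")
    return {
        "snmp_host": f.allows("snmp", "10.1.2.3"),
        "snmp_neighbour": f.allows("snmp", "10.1.2.4"),
        "web_in_range": f.allows("web", "10.1.2.200"),
        "web_outside": f.allows("web", "10.1.3.1"),
        "telnet_unfiltered": f.allows("telnet", "192.0.2.1"),
        "unfiltered_services": f.audit(),
    }


if __name__ == "__main__":
    print(demo())
```

The `audit()` result for the demo is `['telnet']`: the CLI example on the page restricts SNMP only, so any Telnet client would still be accepted until a Telnet entry is added.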
• Media Type – Media type used for the combo ports. (Options: Copper-Forced, SFP-Forced, or SFP-Preferred-Auto; Default: SFP-Preferred-Auto)
• Trunk Member – Shows if the port is a trunk member.
• Creation – Shows if a trunk is manually configured or dynamically set via LACP.

• MAC address – The physical layer address for this port. (To access this item on the web, see “Setting the Switch’s IP Address” on page 3-19.)
Configuration:
• Name – Interface label.
• Port admin – Shows if the interface is enabled or disabled (i.e., up or down).

Current Status:
• Link Status – Indicates if the link is up or down.
• Port Operation Status – Provides detailed information on port state. (Displayed only when the link is up.)
• Operation speed-duplex – Shows the current speed and duplex mode.

• Admin – Allows you to manually disable an interface. You can disable an interface due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved. You may also disable an interface for security reasons.
• ...

Web – Click Port, Port Configuration or Trunk Configuration. Modify the required interface settings, and click Apply.
Figure 3-49. Port/Trunk Configuration
CLI – Select the interface, and then enter the required settings.
Console(config)#interface ethernet 1/13 4-156
Console(config-if)#description RD SW#13 4-157
Console(config-if)#shutdown 4-163...

Creating Trunk Groups
You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices.

• When configuring static trunks on switches of different types, they must be compatible with the Cisco EtherChannel standard.
• The ports at both ends of a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings.

Web – Click Port, Trunk Membership. Enter a trunk ID of 1-8 in the Trunk field, select any of the switch ports from the scroll-down port list, and click Add. After you have completed adding ports to the member list, click Apply.

CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk.
Console(config)#interface port-channel 2 4-156
Console(config-if)#exit
Console(config)#interface ethernet 1/1 4-156
Console(config-if)#channel-group 2 4-176
Console(config-if)#exit
Console(config)#interface ethernet 1/2...

• If more than eight ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails.
• All ports on both ends of an LACP trunk must be configured for full duplex and auto-negotiation.

CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk.
Console(config)#interface ethernet 1/1 4-156
Console(config-if)#lacp 4-177
Console(config-if)#exit
Console(config)#interface ethernet 1/6
Console(config-if)#lacp
Console(config-if)#end
Console#show interfaces status port-channel 1 4-165
Information of Trunk 1...

the same value as the port admin key used by the interfaces that joined the group (lacp admin key, as described in this section and on page 4-180).
Command Attributes
Set Port Actor – This menu sets the local side of an aggregate link; i.e., the ports on this switch.

the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.
Figure 3-52. LACP Port Configuration ...

CLI – The following example configures LACP parameters for ports 1-4. Ports 1-4 are used as active members of the LAG.
Console(config)#interface ethernet 1/1 4-156
Console(config-if)#lacp actor system-priority 3 4-179
Console(config-if)#lacp actor admin-key 120 4-180
Console(config-if)#lacp actor port-priority 128 4-181
Console(config-if)#exit
Console(config)#interface ethernet 1/4...

Table 3-8. LACP Port Counters (Continued)
Field – Description
Marker Sent – Number of valid Marker PDUs transmitted from this channel group.
Marker Received – Number of valid Marker PDUs received by this channel group.
Marker Unknown Pkts – Number of frames received that either (1) carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.

CLI – The following example displays LACP counters.
Console#show lacp counters 4-182
Port channel : 1
-------------------------------------------------------------------------
Eth 1/ 1
-------------------------------------------------------------------------
LACPDUs Sent:
LACPDUs Receive:
Marker Sent:
Marker Receive:
LACPDUs Unknown Pkts: 0
LACPDUs Illegal Pkts: 0
Displaying LACP Settings and Status for the Local Side
You can display configuration settings and the operational state for the local side of a link aggregation.

Table 3-9. LACP Internal Configuration Information (Continued)
Field – Description
LACP Port Priority – LACP port priority assigned to this interface within the channel group.
Admin State, Oper State – Administrative or operational values of the actor’s state parameters:
• Expired – The actor’s receive machine is in the expired state;
• ...

Figure 3-54. LACP - Port Internal Information
CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1.
Console#show lacp 1 internal 4-182
Port channel : 1
-------------------------------------------------------------------------
Oper Key : 120
Admin Key : 0...

Displaying LACP Settings and Status for the Remote Side
You can display configuration settings and the operational state for the remote side of a link aggregation.
Table 3-10. LACP Neighbor Configuration Information
Field – Description
Partner Admin System – LAG partner’s system ID assigned by the user.
Partner Oper System – LAG partner’s system ID assigned by the LACP protocol.

Figure 3-55. LACP - Port Neighbors Information
CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1.
Console#show lacp 1 neighbors 4-182
Port channel 1 neighbors
-------------------------------------------------------------------------
Eth 1/1
-------------------------------------------------------------------------...

Setting Broadcast Storm Thresholds
Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much broadcast traffic on your network, performance can be severely degraded or everything can come to a complete halt.

Figure 3-56. Port Broadcast Control
CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 500 kilobits per second for port 2.
Console(config)#interface ethernet 1/1 4-156
Console(config-if)#no switchport broadcast...

Configuring Port Mirroring
You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
[Figure labels: Source port(s); Single target port]

Figure 3-57. Mirror Port Configuration
CLI – Use the interface command to select the monitor port, then use the port monitor command to specify the source port and traffic type.
Console(config)#interface ethernet 1/10 4-156
Console(config-if)#port monitor ethernet 1/13 tx 4-170
Console(config-if)#
Configuring Rate Limits...

Command Usage
• Input and output rate limits can be enabled or disabled for individual interfaces.
Command Attributes
• Port/Trunk – Displays the port/trunk number.
• Input/Output Rate Limit Status – Enables or disables the rate limit. (Default: Enabled)
• ...

Showing Port Statistics
You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port. This information can be used to identify potential problems with the switch (such as a faulty port or unusually heavy loading).

Table 3-11. Port Statistics (Continued)
Parameter – Description
Received Errors – The number of inbound packets that contained errors preventing them from being deliverable to a higher-layer protocol.
Transmit Octets – The total number of octets transmitted out of the interface, including framing characters.
Transmit Unicast Packets – The total number of packets that higher-level protocols requested be transmitted to a subnetwork-unicast address, ...

Table 3-11. Port Statistics (Continued)
Parameter – Description
Excessive Collisions – A count of frames for which transmission on a particular interface fails due to excessive collisions. This counter does not increment when the interface is operating in full-duplex mode.

Table 3-11. Port Statistics (Continued)
Parameter – Description
Received Frames – The total number of frames (bad, broadcast and multicast) received.
Broadcast Frames – The total number of good frames received that were directed to the broadcast address. Note that this does not include multicast packets.

Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen.
Figure 3-59. Port Statistics ...

the power required by a device exceeds the power budget of the port or the whole switch, power is not supplied. Ports can be set to one of three power priority levels: critical, high, or low. To control the power supply within the switch’s budget, ports set at critical or high priority have power enabled in preference to those ports set at low priority.

Web – Click PoE, Power Status.
Figure 3-60. Displaying the Global PoE Status
CLI – This example displays the current power status for the switch.
Console#show power mainpower 4-96
Unit 1 Mainpower Status
Maximum Available Power : 375 watts
System Operation Status : on
Mainpower Consumption : 0 watts...

Web – Click PoE, Power Config. Specify the desired power budget for the switch. Click Apply.
Figure 3-61. Setting the Switch Power Budget
CLI – Use the power mainpower maximum allocation command to set the PoE power budget for the switch.
Console(config)#power mainpower maximum allocation 200 4-91
Console(config)#...

Web – Click PoE, Power Port Status.
Figure 3-62. Displaying Port PoE Status
CLI – This example displays the PoE status and priority of port 1.
Console#show power inline status 4-95
Interface Admin Oper Power(mWatt) Power(used) Priority
---------- ------- ---- ------------ ------------ --------
1/ 1 enable...

• If a device is connected to a critical or high-priority port and causes the switch to exceed its budget, port power is turned on, but the switch drops power to one or more lower-priority ports.
Note: Power is dropped from low-priority ports in sequence starting from port number 1.
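The PoE budget policy described in this section, as an added Python simulation that is neither SMC's code nor taken from this guide: a port is powered when its allocation fits the remaining switch budget; a critical- or high-priority port that would exceed the budget is still powered and the switch sheds lower-priority ports in ascending port order until the load fits; a low-priority port that does not fit is simply not powered. Two details are assumptions not stated on the page: a critical port may shed high-priority ports as well as low ones, and if shedding every lower-priority port still does not free enough power the new port stays unpowered and the shed ports are restored. The 30 W budget and the per-port allocations in the demo are constructed values, far below the 375 W and 200 W figures in the page's CLI examples.

```python
"""PoE budget allocation model (added example, not SMC code)."""

PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}   # lower rank = higher priority


class PoeBudget:
    def __init__(self, max_watts: float):
        self.max_watts = max_watts
        self.ports = {}   # port number -> {"priority", "watts", "powered"}

    def used(self) -> float:
        """Power currently allocated to powered ports."""
        return sum(p["watts"] for p in self.ports.values() if p["powered"])

    def connect(self, port: int, priority: str, watts: float) -> bool:
        """Attach a powered device to a port; return True if the port ends up powered."""
        if priority not in PRIORITY_RANK:
            raise ValueError(f"unknown priority {priority!r}")
        entry = {"priority": priority, "watts": watts, "powered": False}
        self.ports[port] = entry
        if self.used() + watts <= self.max_watts:
            entry["powered"] = True            # fits: no contention
            return True
        if priority == "low":
            return False                       # low priority never pre-empts others
        rank = PRIORITY_RANK[priority]
        shed = []
        # Drop lower-priority powered ports in sequence starting from port 1.
        for n in sorted(self.ports):
            victim = self.ports[n]
            if n == port or not victim["powered"]:
                continue
            if PRIORITY_RANK[victim["priority"]] <= rank:
                continue                       # same or higher priority is kept
            victim["powered"] = False
            shed.append(n)
            if self.used() + watts <= self.max_watts:
                entry["powered"] = True
                return True
        for n in shed:                         # assumption: undo shedding if it did not help
            self.ports[n]["powered"] = True
        return False

    def powered_ports(self) -> list:
        return sorted(n for n, p in self.ports.items() if p["powered"])


def run_demo() -> tuple:
    """Constructed sequence on a 30 W budget; returns (per-step results, powered ports)."""
    b = PoeBudget(30)
    results = [
        b.connect(1, "low", 10),        # True
        b.connect(2, "low", 10),        # True
        b.connect(3, "low", 15),        # False: 35 W would exceed 30 W
        b.connect(4, "high", 15),       # True: port 1 (low) is shed first
        b.connect(5, "critical", 25),   # True: ports 2 (low) and 4 (high) are shed
        b.connect(6, "critical", 40),   # False: nothing lower left to shed, still over budget
    ]
    return results, b.powered_ports()


if __name__ == "__main__":
    print(run_demo())
```

The demo shows the operational consequence of the note above: a single high-priority device arriving on port 4 silently removes power from port 1, so priorities on critical equipment such as access points or IP phones should be set deliberately rather than left at the default.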
CLI – This example sets the PoE power budget for port 1 to 8 watts, the priority to high (2), and then enables the power.
Console(config)#interface ethernet 1/1 4-171
Console(config-if)#power inline maximum allocation 8000 4-93
Console(config-if)#power inline priority 2 4-94
Console(config-if)#power inline auto 4-93...

Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address.
Figure 3-64. Configuring a Static Address Table
CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.

• MAC Address – Physical address associated with this interface.
• VLAN – ID of configured VLAN (1-4094).
• Address Table Sort Key – You can sort the information displayed based on MAC address, VLAN or interface (port or trunk).
• ...

CLI – This example also displays the address table entries for port 1.
Console#show mac-address-table interface ethernet 1/1 4-190
Interface Mac Address Vlan Type
--------- ----------------- ---- -----------------
Eth 1/ 1 00-12-CF-48-82-93 1 Delete-on-reset
Eth 1/ 1 00-12-CF-94-34-DE 2 Learned
Console#

Changing the Aging Time
You can set the aging time for entries in the dynamic address table.
Command Attributes
• Aging Status – Enables/disables the function.
• Aging Time – The time after which a learned entry is discarded. (Range: 10-630 seconds; ...

The spanning tree algorithms supported by this switch include these versions:
• STP – Spanning Tree Protocol (IEEE 802.1D)
• RSTP – Rapid Spanning Tree Protocol (IEEE 802.1w)
• MSTP – Multiple Spanning Tree Protocol (IEEE 802.1s)
Note: MSTP is not supported in the current software.

RSTP is designed as a general replacement for the slower, legacy STP. RSTP is also incorporated into MSTP. RSTP achieves much faster reconfiguration (i.e., around 1 to 3 seconds, compared to 30 seconds or more for STP) by reducing the number of state changes before active ports start learning, predefining an alternate route that can be used when a node or port fails, and retaining the forwarding database for ports insensitive to changes in the tree structure when reconfiguration occurs.

designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network. (References to “ports” in this section mean “interfaces,” which includes both ports and trunks.)
• ...

• Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.

Web – Click Spanning Tree, STA, Information.
Figure 3-67. Displaying Spanning Tree Information
CLI – This command displays global STA settings, followed by settings for each port.
Console#show spanning-tree 4-214
Spanning-tree information
---------------------------------------------------------------
Spanning tree mode: RSTP
Spanning tree enabled/disabled: enabled
Priority:...

Configuring Global Settings
Global settings apply to the entire switch.
Command Usage
• Spanning Tree Protocol – Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.

- A spanning tree instance can exist only on bridges that have compatible VLAN instance assignments.
- Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic.

- Maximum: The lower of 10 or [(Max. Message Age / 2) - 1]
• Maximum Age – The maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals.
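Two of the rules stated above, root device selection by bridge priority with the lowest MAC address as tie-breaker, and the hello-time upper bound of the lower of 10 and (Max. Message Age / 2) - 1, as an added Python example that is not SMC's code and not taken from this guide. In IEEE 802.1D/802.1w the comparison is on the numeric bridge identifier, so the bridge with the numerically lowest priority value wins (this is what the guide calls the "highest" priority); the code compares (priority, MAC) tuples accordingly. The lower bound of 1 second on hello time is an assumption, since only the maximum appears in the text; the bridge names and MAC addresses in the demo are constructed.

```python
"""STA root election and hello-time bound (added example, not SMC code)."""


def bridge_id(priority: int, mac: str) -> tuple:
    """Comparable bridge identifier: (priority value, MAC address as an integer).
    Lower compares as better, as in 802.1D/802.1w."""
    if not 0 <= priority <= 65535:
        raise ValueError("bridge priority must fit in 16 bits")
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return (priority, int(digits, 16))


def elect_root(bridges: dict) -> str:
    """bridges: name -> (priority, mac). Returns the name of the root device."""
    if not bridges:
        raise ValueError("no bridges")
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def max_hello_time(max_age: int) -> int:
    """Guide's bound: the lower of 10 or (Max. Message Age / 2) - 1, in seconds."""
    return min(10, max_age // 2 - 1)


def hello_time_valid(hello: int, max_age: int) -> bool:
    """True if the hello time respects the bound (lower limit of 1 s is assumed)."""
    return 1 <= hello <= max_hello_time(max_age)


def demo() -> dict:
    """Constructed topology: the switch configured as in the page's CLI example
    (priority 45056, hello 5, max-age 38) plus two bridges at the default 32768."""
    bridges = {
        "this-switch": (45056, "00-12-CF-48-82-93"),
        "core-a": (32768, "00-12-CF-94-34-DE"),
        "core-b": (32768, "00-12-CF-00-00-01"),   # same priority, lower MAC than core-a
    }
    return {
        "root": elect_root(bridges),
        "hello_ok": hello_time_valid(5, 38),
        "max_hello_at_38": max_hello_time(38),
        "max_hello_at_20": max_hello_time(20),
    }


if __name__ == "__main__":
    print(demo())
```

Raising this switch's priority value to 45056, as the page's example does, is a way of keeping an edge switch from ever winning the election against the two default-priority core bridges; the demo returns `core-b` as root because the MAC tie-breaker decides between the two equal-priority candidates.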
Page 212
ONFIGURING THE WITCH • Transmission Limit – The maximum transmission rate for BPDUs is specified by setting the minimum interval between the transmission of consecutive protocol messages. (Range: 1-10; Default: 3) Configuration Settings for MSTP • Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned.
PANNING LGORITHM ONFIGURATION Figure 3-68. Configuring Spanning Tree CLI – This example enables Spanning Tree Protocol, sets the mode to RSTP, and then configures the STA and RSTP parameters. Console(config)#spanning-tree 4-194 Console(config)#spanning-tree mode rstp 4-195 Console(config)#spanning-tree priority 45056 4-199 Console(config)#spanning-tree hello-time 5 4-197 Console(config)#spanning-tree max-age 38 4-198...
ONFIGURING THE WITCH Displaying Interface Settings The STA Port Information and STA Trunk Information pages display the current status of ports and trunks in the Spanning Tree. Field Attributes • Spanning Tree – Shows if STA has been enabled on this interface. •...
Page 215
PANNING LGORITHM ONFIGURATION • Designated Port – The port priority and number of the port on the designated bridging device through which this switch must communicate with the root of the Spanning Tree. • Oper Link Type – The operational point-to-point status of the LAN segment attached to this interface.
Page 216
ONFIGURING THE WITCH Backup port receives more useful BPDUs from the same bridge and is therefore not selected as the designated port. • Trunk Member – Indicates if a port is a member of a trunk. (STA Port Information only) These additional parameters are only displayed for the CLI: •...
PANNING LGORITHM ONFIGURATION • Admin Edge Port – You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state.
Page 219
PANNING LGORITHM ONFIGURATION - Forwarding - Port forwards packets, and continues learning addresses. • Trunk – Indicates if a port is a member of a trunk. (STA Port Configuration only) The following interface attributes can be configured: • Spanning Tree – Enables/disables STA on this interface. (Default: Enabled).
Page 220
ONFIGURING THE WITCH • Admin Link Type – The link type attached to this interface. - Point-to-Point – A connection to exactly one other bridge. - Shared – A connection to two or more bridges. - Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared media.
PANNING LGORITHM ONFIGURATION Figure 3-70. Configuring Spanning Tree per Port CLI – This example sets STA attributes for port 7. Console(config)#interface ethernet 1/7 4-156 Console(config-if)#spanning-tree port-priority 0 4-207 Console(config-if)#spanning-tree cost 50 4-206 Console(config-if)#spanning-tree link-type auto 4-210 Console(config-if)#no spanning-tree edge-port 4-208 Console(config-if)# Configuring Multiple Spanning Trees MSTP generates a unique spanning tree for each instance.
Page 222
ONFIGURING THE WITCH 1.Set the spanning tree type to MSTP (STA Configuration, page 3-130). 2. Enter the spanning tree priority for the selected MST instance (MSTP VLAN Configuration). 3. Add the VLANs that will share this MSTI (MSTP VLAN Configuration). Note: All VLANs are automatically added to the IST (Instance 0).
PANNING LGORITHM ONFIGURATION Figure 3-71. Configuring Multiple Spanning Trees CLI – This example sets the priority for MSTI 1, and adds VLANs 1-5 to this MSTI. Console(config)#spanning-tree mst-configuration Console(config-mst)#mst 1 priority 4096 Console(config-mstp)#mst 1 vlan 1-5 Console(config-mst)# CLI – This example sets STA attributes for port 1, , followed by settings for each port.
PANNING LGORITHM ONFIGURATION Web – Click Spanning Tree, MSTP, Port or Trunk Information. Select the required MST instance to display the current spanning tree values. Figure 3-72. Displaying MSTP Interface Settings CLI – This displays STA settings for instance 0, followed by settings for each port.
ONFIGURING THE WITCH Console#show spanning-tree mst 0 4-231 Spanning-tree information --------------------------------------------------------------- Spanning tree mode :MSTP Spanning tree enable/disable :enable Instance :0 Vlans configuration :1-4094 Priority :32768 Bridge Hello Time (sec.) :2 Bridge Max Age (sec.) :20 Bridge Forward Delay (sec.) :15 Root Hello Time (sec.) :2 Root Max Age (sec.) :20 Root Forward Delay (sec.) :15...
Page 227
PANNING LGORITHM ONFIGURATION • STA State – Displays current state of this port within the Spanning Tree. ( for additional See “Displaying Interface Settings” on page 3-160. information.) - Discarding – Port receives STA configuration messages, but does not forward packets. - Learning –...
VLAN Configuration
IEEE 802.1Q VLANs
In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains. This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains.
• Priority tagging
Assigning Ports to VLANs
Before enabling VLANs for the switch, you must first assign each port to the VLAN group(s) in which it will participate. By default all ports are assigned to VLAN 1 as untagged ports. Add a port as a tagged port if you want it to carry traffic for one or more VLANs, and any intermediate network devices or the host at the other end of the connection supports VLANs.
Port Overlapping – Port overlapping can be used to allow access to commonly shared network resources among different VLAN groups, such as file servers or printers. Note that if you implement VLANs which do not overlap, but still need to communicate, you can connect them by enabling routing on this switch.
should also determine security boundaries in the network and disable GVRP on the boundary ports to prevent advertisements from being propagated, or forbid those ports from joining restricted VLANs.
Note: If you have host devices that do not support GVRP, you should configure static or untagged VLANs for the switch ports connected to these devices (as described in “Adding Static Members to VLANs (VLAN Index)”...
Forwarding Tagged/Untagged Frames
If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
Web – Click VLAN, 802.1Q VLAN, GVRP Status. Enable or disable GVRP, click Apply.
Figure 3-74. Globally Enabling GVRP
CLI – This example enables GVRP for the switch.
Console(config)#bridge-ext gvrp 4-168
Console(config)#
Displaying Basic VLAN Information
The VLAN Basic Information page displays basic information on the VLAN type supported by the switch.
Web – Click VLAN, 802.1Q VLAN, Basic Information.
Figure 3-75. Displaying Basic VLAN Information
CLI – Enter the following command.
Console#show bridge-ext 4-219
Max support vlan numbers:
Max support vlan ID: 4094
Extended multicast filtering services: No
Static entry individual port:
VLAN learning:
Configurable PVID tagging:...
• Egress Ports – Shows all the VLAN port members.
• Untagged Ports – Shows the untagged VLAN port members.
Web – Click VLAN, 802.1Q VLAN, Current Table. Select any ID from the scroll-down list.
Figure 3-76. Displaying Current VLANs
Command Attributes (CLI)
•...
• State (CLI) – Enables or disables the specified VLAN.
- Active: VLAN is operational.
- Suspend: VLAN is suspended; i.e., does not pass packets.
• Add – Adds a new VLAN group to the current list.
•...
• Name – Name of the VLAN (1 to 32 characters).
• Status – Enables or disables the specified VLAN.
- Enable: VLAN is operational.
- Disable: VLAN is suspended; i.e., does not pass packets.
• Port – Port identifier.
•...
Adding Static Members to VLANs (Port Index)
Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member.
Command Attributes
• Interface – Port or trunk identifier.
• Member –...
CLI – This example adds Port 3 to VLAN 1 as a tagged port, and removes Port 3 from VLAN 2.
Console(config)#interface ethernet 1/3 4-156
Console(config-if)#switchport allowed vlan add 1 tagged 4-230
Console(config-if)#switchport allowed vlan remove 2 3-189...
Configuring VLAN Behavior for Interfaces
You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers.
Command Usage
• GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
- If a port receives frames tagged for VLANs for which it is not a member, these frames will be discarded.
- Ingress filtering does not affect VLAN independent BPDU frames, such as GVRP or STP. However, it does affect VLAN dependent BPDU frames, such as GMRP.
Web – Click VLAN, 802.1Q VLAN, Port Configuration or Trunk Configuration. Fill in the required settings for each interface, click Apply.
Figure 3-80. Configuring VLANs per Port
CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, and then sets the switchport mode to hybrid.
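The per-port ingress rules described above (PVID for untagged frames, acceptable frame types, ingress filtering, and the exemption for VLAN-independent BPDUs) worked through as an added Python model. This is not code from the switch or from SMC; the PortVlanConfig and Frame classes and the port 3 membership set are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


# Constructed model of the 802.1Q ingress settings this section describes.
@dataclass
class PortVlanConfig:
    pvid: int = 1                        # native VLAN assigned to untagged frames
    acceptable_frame_types: str = "all"  # "all" or "tagged"
    ingress_filtering: bool = False
    member_vlans: Set[int] = field(default_factory=lambda: {1})


@dataclass
class Frame:
    vid: Optional[int] = None            # 802.1Q VID, None for an untagged frame
    vlan_independent_bpdu: bool = False  # STP/GVRP BPDU; GMRP is VLAN dependent


def classify_ingress(port: PortVlanConfig, frame: Frame) -> Optional[int]:
    """Return the VLAN the frame is classified into, or None if it is discarded."""
    if frame.vid is None:
        # Untagged frame: dropped when the port accepts only tagged frames,
        # otherwise it inherits the port's PVID.
        if port.acceptable_frame_types == "tagged":
            return None
        return port.pvid
    if (port.ingress_filtering
            and frame.vid not in port.member_vlans
            and not frame.vlan_independent_bpdu):
        # Tagged for a VLAN this port is not a member of: discarded when
        # ingress filtering is on. VLAN-independent BPDUs are exempt.
        return None
    return frame.vid


def demo():
    """Constructed cases for port 3 as configured in the CLI example above."""
    port3 = PortVlanConfig(pvid=3, acceptable_frame_types="tagged",
                           ingress_filtering=True, member_vlans={1, 3})
    cases = [
        ("untagged frame on tagged-only port", Frame()),
        ("tagged VLAN 3 (member)", Frame(vid=3)),
        ("tagged VLAN 7 (non-member)", Frame(vid=7)),
        ("GVRP BPDU tagged VLAN 7", Frame(vid=7, vlan_independent_bpdu=True)),
    ]
    return [(name, classify_ingress(port3, f)) for name, f in cases]


if __name__ == "__main__":
    for name, result in demo():
        print(f"{name}: {'discard' if result is None else f'VLAN {result}'}")
```

With ingress filtering off (the default), the third case is accepted even though port 3 is not a member of VLAN 7, which is why enabling it on user-facing ports is the usual recommendation.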
VLANs, on the other hand, consist of a single stand-alone VLAN that contains one promiscuous port and one or more isolated (or host) ports. In all cases, the promiscuous ports are designed to provide open access to an external network such as the Internet, while the community or isolated ports provide restricted access to local users.
To configure primary/secondary associated groups, follow these steps:
1. Use the Private VLAN Configuration menu (page 3-196) to designate one or more community VLANs, and the primary VLAN that will channel traffic outside of the VLAN groups.
2. Use the Private VLAN Association menu (page 3-197) to map the secondary (i.e., community) VLAN(s) to the primary VLAN.
displays the associated primary VLAN, and an isolated VLAN displays the stand-alone VLAN.
• Ports List – The list of ports (and assigned port type) in the selected private VLAN.
Web – Click VLAN, Private VLAN, Information. Select the desired port from the VLAN ID drop-down menu.
Configuring Private VLANs
The Private VLAN Configuration page is used to create/remove primary, community, or isolated VLANs.
Command Attributes
• VLAN ID – ID of configured VLAN (2-4094).
• Type – There are three types of private VLANs:
- Primary VLANs –...
Web – Click VLAN, Private VLAN, Configuration. Enter the VLAN ID number, select Primary, Isolated or Community type, then click Add. To remove a private VLAN from the switch, highlight an entry in the Current list box and then click Remove. Note that all member ports must be removed from the VLAN before it can be deleted.
Web – Click VLAN, Private VLAN, Association. Select the required primary VLAN from the scroll-down box, highlight one or more community VLANs in the Non-Association list box, and click Add to associate these entries with the selected primary VLAN. (A community VLAN can only be associated with one primary VLAN.)
Figure 3-83.
- Host – The port is a community port and can only communicate with other ports in its own community VLAN, and with the designated promiscuous port(s). Or the port is an isolated port that can only communicate with the lone promiscuous port within its own isolated VLAN.
CLI – This example shows the switch configured with primary VLAN 5 and community VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and associated with VLAN 6.
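The promiscuous/host forwarding rules from this section, applied to the primary VLAN 5 / community VLAN 6 topology of the CLI example, as an added Python model. This is not code from the switch or from SMC; the isolated VLAN 7 with ports Eth 1/6 to Eth 1/8 is constructed to show the isolated case alongside the community case, and the function names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


# Constructed model of the private VLAN types and port types described above.
@dataclass
class PrivateVlan:
    vid: int
    kind: str                      # "primary", "community" or "isolated"
    primary: Optional[int] = None  # community VLAN: its associated primary VLAN


@dataclass
class PvlanPort:
    name: str
    port_type: str   # "promiscuous" or "host"
    vid: int         # private VLAN the port is assigned to


def domain(port: PvlanPort, vlans: Dict[int, PrivateVlan]) -> int:
    """Group a port belongs to: community ports belong to their associated
    primary VLAN; an isolated VLAN is stand-alone, so it is its own group."""
    vlan = vlans[port.vid]
    if vlan.kind == "community":
        if vlan.primary is None:
            raise ValueError(f"community VLAN {vlan.vid} has no primary association")
        return vlan.primary
    return vlan.vid


def can_forward(src: PvlanPort, dst: PvlanPort, vlans: Dict[int, PrivateVlan]) -> bool:
    """True if a frame entering on src may be forwarded out of dst."""
    if src.name == dst.name or domain(src, vlans) != domain(dst, vlans):
        return False
    # A promiscuous port reaches every port in its group and vice versa.
    if "promiscuous" in (src.port_type, dst.port_type):
        return True
    # Two host ports only talk inside the same community VLAN;
    # host ports of an isolated VLAN never reach each other.
    return src.vid == dst.vid and vlans[src.vid].kind == "community"


def build_example() -> Tuple[Dict[int, PrivateVlan], Dict[str, PvlanPort]]:
    """Topology from the CLI example plus a constructed isolated VLAN 7."""
    vlans = {
        5: PrivateVlan(5, "primary"),
        6: PrivateVlan(6, "community", primary=5),
        7: PrivateVlan(7, "isolated"),
    }
    ports = {p.name: p for p in [
        PvlanPort("Eth 1/3", "promiscuous", 5),
        PvlanPort("Eth 1/4", "host", 6),
        PvlanPort("Eth 1/5", "host", 6),
        PvlanPort("Eth 1/6", "promiscuous", 7),
        PvlanPort("Eth 1/7", "host", 7),
        PvlanPort("Eth 1/8", "host", 7),
    ]}
    return vlans, ports


def reachability(vlans, ports) -> Dict[Tuple[str, str], bool]:
    """(src, dst) -> allowed, for auditing what a configuration actually permits."""
    return {(s, d): can_forward(ports[s], ports[d], vlans)
            for s in ports for d in ports if s != d}


if __name__ == "__main__":
    v, p = build_example()
    for (s, d), ok in sorted(reachability(v, p).items()):
        print(f"{s} -> {d}: {'allowed' if ok else 'blocked'}")
```

Running the matrix after a change is a quick way to confirm that host ports on the isolated VLAN stay mutually unreachable and that community ports never cross into another primary group.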
• Community VLAN – A community VLAN conveys traffic between community ports, and from community ports to their designated promiscuous ports. Set PVLAN Port Type to “Host,” and then specify the associated Community VLAN.
Web – Click VLAN, Private VLAN, Port Configuration or Trunk Configuration. Set the PVLAN Port Type for each port that will join a private VLAN. Assign promiscuous ports to a primary VLAN. Assign host ports to a community VLAN. After all the ports have been configured, click Apply.
Protocol VLANs
You can configure VLAN behavior to support multiple protocols to allow traffic to pass through different VLANs. When a packet is received at a port, its VLAN membership is determined by the protocol type of the packet.
Command Attributes
• Interface – Port or Trunk identifier.
• Protocol Group ID – Protocol Group ID assigned to the Protocol VLAN Group. (Range: 1-2147483647)
• VLAN ID – VLAN to which matching protocol traffic is forwarded. (Range: 1-4094)
Web –...
Class of Service Configuration
Layer 2 Queue Settings
Setting the Default Priority for Interfaces
You can specify the default port priority for each interface on the switch. All untagged packets entering the switch are tagged with the specified default port priority, and then sorted into the appropriate priority queue at the output port.
Figure 3-88. Port Priority Configuration
CLI – This example assigns a default priority of 5 to port 3.
Console(config)#interface ethernet 1/3 4-156
Console(config-if)#switchport priority default 5 4-249
Console(config-if)#end
Console#show interfaces switchport ethernet 1/3 4-168
Information of Eth 1/3
Broadcast threshold: Enabled, 500 packets/second
LACP status:...
priorities are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown in the following table.
Table 3-12. Mapping CoS Values to Egress Queues
Queue | Priority
The priority levels recommended in the IEEE 802.1p standard for various network applications are shown in the following table.
Web – Click Priority, Traffic Classes. The current mapping of CoS values to output queues is displayed. Assign priorities to the traffic classes (i.e., output queues), then click Apply.
Figure 3-89. Traffic Classes
CLI – The following example shows how to change the CoS assignments.
Console(config)#interface ethernet 1/1 4-156
Console(config-if)#queue cos-map 0 0...
Web – Click Priority, Traffic Classes Status.
Figure 3-90. Enable Traffic Classes
Selecting the Queue Mode
You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue.
Figure 3-91. Queue Mode
CLI – The following sets the queue mode to Weighted Round-Robin (WRR) and then displays it.
Console(config)#queue mode wrr 4-248
Console(config)#exit
Console#show queue mode 4-252
Queue mode: wrr
Console#
Setting the Service Weight for Traffic Classes
This switch uses the Weighted Round Robin (WRR) algorithm to determine the frequency at which it services each priority queue.
Web – Click Priority, Queue Scheduling. Select the required interface, highlight a traffic class (i.e., output queue), enter a weight, then click Apply.
Figure 3-92. Configuring Queue Scheduling
CLI – The following example shows how to display the WRR weights assigned to each of the priority queues.
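An added simulation of the two queue service modes described above, strict priority and Weighted Round-Robin, to show how the configured weights translate into the share of transmissions each queue receives. This is not the switch's scheduler or SMC code; the four-queue layout, the backlog and the weights are constructed, and a higher queue index is assumed to be the higher priority.

```python
from typing import Dict, List, Optional


def schedule(queues: Dict[int, int], mode: str,
             weights: Optional[Dict[int, int]] = None) -> List[int]:
    """Return the order in which queued packets leave the port.

    queues maps queue index -> packets waiting; mode is "strict" or "wrr".
    In WRR mode, weights maps queue index -> packets sent per round.
    """
    backlog = {q: n for q, n in queues.items() if n > 0}
    order: List[int] = []
    if mode == "strict":
        # Highest-priority queue is drained completely before any lower one,
        # so a saturated high queue starves everything below it.
        for q in sorted(backlog, reverse=True):
            order.extend([q] * backlog[q])
        return order
    if mode != "wrr":
        raise ValueError("mode must be 'strict' or 'wrr'")
    if weights is None:
        raise ValueError("WRR needs a weight per queue")
    # Each round every non-empty queue sends up to its weight, highest first,
    # so low-priority queues still make progress in proportion to their weight.
    while backlog:
        for q in sorted(backlog, reverse=True):
            burst = min(weights[q], backlog[q])
            order.extend([q] * burst)
            backlog[q] -= burst
            if backlog[q] == 0:
                del backlog[q]
    return order


def share_of_service(order: List[int], first_n: int) -> Dict[int, int]:
    """How many of the first N transmissions each queue received."""
    counts: Dict[int, int] = {}
    for q in order[:first_n]:
        counts[q] = counts.get(q, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed backlog: six packets waiting in each of four queues.
    backlog = {0: 6, 1: 6, 2: 6, 3: 6}
    wrr_weights = {0: 1, 1: 2, 2: 4, 3: 8}   # constructed weights
    print("strict:", share_of_service(schedule(backlog, "strict"), 13))
    print("wrr:   ", share_of_service(schedule(backlog, "wrr", wrr_weights), 13))
```

The first-round counts under WRR are exactly the weights (capped by what is queued), which is the behaviour to expect when reading the weights back with the show command above.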
Enabling IP DSCP Priority
The switch allows you to enable or disable the IP DSCP priority.
Command Attributes
• IP DSCP Priority Status – The following options are:
- Disabled – Disables the priority service. (Default Setting: Disabled)
- IP DSCP –...
Mapping DSCP Priority
The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP retains backward compatibility with the three precedence bits so that non-DSCP compliant devices will not conflict with the DSCP mapping.
Figure 3-94. Mapping IP DSCP Priority Values
CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings.
Console(config)#map ip dscp 4-254
Console(config)#interface ethernet 1/1...
Quality of Service
The commands described in this section are used to configure Quality of Service (QoS) classification criteria and service policies. Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per hop basis.
Configuring Quality of Service Parameters
To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the “Class Map” to designate a class name for a specific category of traffic.
2. Edit the rules for each class to specify a type of traffic based on an access list, a DSCP or IP Precedence value, or a VLAN.
Command Attributes
Class Map
• Modify Name and Description – Configures the name and a brief description of a class map. (Range: 1-16 characters for the name; 1-64 characters for the description)
• Edit Rules – Opens the “Match Class Settings” page for the selected class entry.
• VLAN – A VLAN. (Range: 1-4094)
• Add – Adds specified criteria to the class. Up to 16 items are permitted per class.
• Remove – Deletes the selected criteria from the class.
Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class.
Figure 3-95. Configuring Class Maps
CLI – This example creates a class map called “rd_class,” and sets it to match packets marked for DSCP service value 3.
Console(config)#class-map rd_class match-any 4-198
Console(config-cmap)#match ip dscp 3 4-199
Console(config-cmap)#
Creating QoS Policies
This function creates a policy map that can be attached to multiple interfaces.
Command Usage
• To configure a Policy Map, follow these steps:
- Create a Class Map as described on page 3-216.
- Open the Policy Map page, and click Add Policy.
Command Attributes
Policy Map
• Modify Name and Description – Configures the name and a brief description of a policy map. (Range: 1-16 characters for the name; 1-64 characters for the description)
• Edit Classes – Opens the “Policy Rule Settings” page for the selected class entry.
• Exceed Action – Specifies whether the traffic that exceeds the specified rate will be dropped or the DSCP service level will be reduced.
• Remove Class – Deletes a class.
- Policy Options -
• Class Name – Name of class map.
•...
CLI – This example creates a policy map called “rd_policy#3,” sets the average bandwidth to 1 Mbps, the burst rate to 1522 bps, and the response to reduce the DSCP value for violating packets to 0.
Console(config)#policy-map rd_policy#3 4-200
Console(config-pmap)#class rd_class#3 4-200...
Figure 3-97. Service Policy Settings
CLI – This example applies a service policy to an ingress interface.
Console(config)#interface ethernet 1/5 4-120
Console(config-if)#service-policy input rd_policy#3 4-203
Console(config-if)#
Multicast Filtering
Multicasting is used to support real-time applications such as videoconferencing or streaming audio.
pruned at every multicast switch/router it passes through to ensure that traffic is only passed on to the hosts which subscribed to this service. This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting to join the service and sends data out to those ports only.
Configuring IGMP Snooping and Query Parameters
You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic. This prevents the switch from broadcasting the traffic to all ports and possibly disrupting network performance.
• IGMP Query Count — Sets the maximum number of queries issued for which there has been no response before the switch takes action to drop a client from the multicast group. (Range: 2-10; Default: 2)
• IGMP Query Interval — Sets the frequency at which the switch sends IGMP host-query messages.
group-specific IGMPv2 leave message, the switch immediately removes the interface from the Layer 2 forwarding table entry for that multicast group, unless a multicast router was learned on the port. IGMP immediate leave improves bandwidth management for all hosts in a switched network.
Displaying Interfaces Attached to a Multicast Router
Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch.
CLI – This example shows that Port 11 has been statically configured as a port attached to a multicast router.
Console#show ip igmp snooping mrouter vlan 1 4-280
VLAN M'cast Router Port Type
---- ------------------ -------
Eth 1/11 Static
Console#
Specifying Static Interfaces for a Multicast Router
Depending on your network connections, IGMP snooping may not always...
Web – Click IGMP Snooping, Static Multicast Router Port Configuration. Specify the interfaces attached to a multicast router, indicate the VLAN which will forward all the corresponding multicast traffic, and then click Add. After you have finished adding interfaces to the list, click Apply.
Figure 3-101.
• Multicast Group Port List – Shows the interfaces that have already been assigned to the selected VLAN to propagate a specific multicast service.
Web – Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and the IP address for a multicast service from the scroll-down lists.
Assigning Ports to Multicast Services
Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages as described in “Configuring IGMP Snooping and Query Parameters” on page 3-133. For certain applications that require tighter control, you may need to statically configure a multicast service on the switch.
Multicast VLAN Registration
Figure 3-103. IGMP Member Port Table
CLI – This example assigns a multicast address to VLAN 1, and then displays all the known multicast services supported on VLAN 1.
Console(config)#ip igmp snooping vlan 1 static 224.1.1.12 ethernet 1/12 4-270
Console(config)#exit...
MVR maintains the user isolation and data security provided by VLAN segregation by passing only multicast traffic into other VLANs to which the subscribers belong. Even though common multicast streams are passed onto different VLAN groups from the MVR VLAN, users in different IEEE 802.1Q or private VLANs cannot exchange any information (except through upper-level routing services).
the participating interfaces (see “Assigning Static Multicast Groups to Interfaces” on page 3-245).
Configuring Global MVR Settings
The global settings for Multicast VLAN Registration (MVR) include enabling or disabling MVR for the switch, selecting the VLAN that will serve as the sole channel for common multicast streams supported by the service provider, and assigning the multicast group address for each of these services to the MVR VLAN.
Figure 3-104. MVR Global Configuration
CLI – This example first enables IGMP snooping, enables MVR globally, and then configures a range of MVR group addresses.
Console(config)#ip igmp snooping 4-270
Console(config)#mvr 4-283
Console(config)#mvr group 228.1.23.1 10 4-283
Console(config)#
Displaying MVR Interface Status
You can display information about the interfaces attached to the MVR VLAN.
• Immediate Leave – Shows if immediate leave is enabled or disabled.
• Trunk Member – Shows if port is a trunk member.
Web – Click MVR, Port or Trunk Information.
Figure 3-105. MVR Port Information
CLI –...
• Group Port List – Shows the interfaces with subscribers for multicast services provided through the MVR VLAN.
Web – Click MVR, Group IP Information.
Figure 3-106. MVR Group IP Information
CLI – The following example shows information about the interfaces associated with multicast groups assigned to the MVR VLAN.
Configuring MVR Interface Status
Each interface that participates in the MVR VLAN must be configured as an MVR source port or receiver port. If only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.
- Receiver – A subscriber port that can receive multicast data sent through the MVR VLAN.
- Non-MVR – An interface that does not participate in the MVR VLAN. (This is the default type.)
• Immediate Leave – Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group.
Assigning Static Multicast Groups to Interfaces
For multicast streams that will run for a long term and be associated with a stable set of hosts, you can statically bind the multicast group to the participating interfaces.
Command Usage
•...
Figure 3-108. MVR Group Member Configuration
CLI – This example statically assigns a multicast group to a receiver port.
Console(config)#interface ethernet 1/2
Console(config-if)#mvr group 228.1.23.1 4-284
Console(config-if)#
DHCP Snooping
DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server.
Filtering rules are implemented as follows:
• If the global DHCP snooping is disabled, all DHCP packets are forwarded.
• If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, all DHCP packets are forwarded for a trusted port.
add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server. Also, when the switch sends out DHCP client packets for itself, no filtering takes place. However, when the switch receives any messages from a DHCP server, any packets received from untrusted ports are dropped.
Command Attributes
• VLAN ID – ID of a configured VLAN. (Range: 1-4094)
• DHCP Snooping Status – Enables or disables DHCP snooping for the selected VLAN. When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN.
In some cases, the switch may receive DHCP packets from a client that already includes DHCP Option 82 information. The switch can be configured to set the action policy for these packets. Either the switch can discard the Option 82 information, keep the existing information, or replace it with the switch’s relay information.
CLI – This example enables the DHCP Snooping Information Option, and sets the policy to replace.
Console(config)#ip dhcp snooping information option 4-307
Console(config)#ip dhcp snooping information policy replace 4-307
Console(config)#
DHCP Snooping Port Configuration
Configures switch ports as trusted or untrusted. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.
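The DHCP snooping filtering rules, the binding learned from a server ACK, and the three Option 82 policies described in this section, worked through as an added Python model. This is not the switch firmware or SMC code: the class and field names are constructed, the Option 82 relay string format is a placeholder, and the model inserts relay information only for client packets arriving on untrusted ports (an assumption; the page does not state the trusted-port behaviour).

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SnoopingConfig:
    global_enabled: bool = False
    snooping_vlans: Set[int] = field(default_factory=set)   # VLANs with snooping on
    trusted_ports: Set[str] = field(default_factory=set)
    information_option: bool = False      # "ip dhcp snooping information option"
    information_policy: str = "replace"   # drop | keep | replace


@dataclass
class DhcpPacket:
    msg_type: str                  # DISCOVER, REQUEST, OFFER, ACK, NAK
    client_mac: str
    vlan: int
    port: str                      # ingress interface, e.g. "Eth 1/5"
    option82: Optional[str] = None
    yiaddr: Optional[str] = None   # address offered/assigned by the server
    lease: int = 0


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    interface: str
    kind: str = "Dynamic"


SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class DhcpSnooper:
    def __init__(self, cfg: SnoopingConfig, switch_id: str = "switch-id-placeholder"):
        self.cfg = cfg
        self.switch_id = switch_id            # constructed remote-id for Option 82
        self.bindings: List[Binding] = []
        self._pending: Dict[str, Tuple[int, str]] = {}   # client mac -> (vlan, port)

    def process(self, pkt: DhcpPacket) -> Tuple[str, Optional[DhcpPacket]]:
        """Return ("forward", packet-as-sent) or ("drop", None)."""
        cfg = self.cfg
        if not cfg.global_enabled or pkt.vlan not in cfg.snooping_vlans:
            return "forward", pkt             # snooping off here: everything passes
        trusted = pkt.port in cfg.trusted_ports
        if pkt.msg_type in SERVER_MESSAGES:
            if not trusted:
                return "drop", None           # server message on an untrusted port
            if pkt.msg_type == "ACK" and pkt.client_mac in self._pending:
                vlan, port = self._pending.pop(pkt.client_mac)
                self.bindings.append(Binding(pkt.client_mac, pkt.yiaddr, pkt.lease, vlan, port))
            return "forward", pkt
        # Client message: remember where the client sits so the later ACK can be
        # bound to its untrusted port, then apply the Option 82 policy.
        if trusted or not cfg.information_option:
            return "forward", pkt
        self._pending[pkt.client_mac] = (pkt.vlan, pkt.port)
        relay_info = f"circuit-id={pkt.vlan}/{pkt.port};remote-id={self.switch_id}"
        if pkt.option82 is None or cfg.information_policy == "replace":
            return "forward", replace(pkt, option82=relay_info)
        if cfg.information_policy == "drop":
            # Policy "drop": discard the Option 82 information the client supplied.
            return "forward", replace(pkt, option82=None)
        return "forward", pkt                 # policy "keep"


def binding_table(snooper: DhcpSnooper) -> List[str]:
    """Rows in the layout of "show ip dhcp snooping binding"."""
    return [f"{b.mac} {b.ip} {b.lease} {b.kind} {b.vlan} {b.interface}"
            for b in snooper.bindings]
```

Note that the pending-client map is cleared only by a matching ACK; a real implementation would also age it, which is outside what this section describes.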
CLI – This example shows how to enable the DHCP Snooping Trust Status for a port.
Console(config)#interface ethernet 1/5
Console(config-if)#ip dhcp snooping trust 4-305
Console(config-if)#
DHCP Snooping Binding Information
Displays the DHCP snooping binding information.
Command Attributes
• No.
CLI – This example shows how to display the DHCP Snooping binding table entries.
Console#show ip dhcp snooping binding 4-309
MacAddress IpAddress Lease(sec) Type VLAN Interface
----------------- --------------- ---------- -------------------- ---- ---------
11-22-33-44-55-66 192.168.0.99 0 Dynamic 1 Eth 1/5
Console#
IP Source Guard...
Command Attributes
• Filter Type – Configures the switch to filter inbound traffic based on the source IP address, or on the source IP address and corresponding MAC address. (Default: None)
- None – Disables IP source guard filtering on the port.
- SIP –...
CLI – This example shows how to enable IP source guard on port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#ip source-guard sip 4-296
Console(config-if)#end
Console#show ip source-guard 4-300
Interface Filter-type
--------- -----------
Eth 1/1 DISABLED
Eth 1/2 DISABLED
Eth 1/3 DISABLED
Eth 1/4...
Web – Click IP Source Guard, Static Configuration.
Figure 3-115. Static IP Source Guard Binding Configuration
CLI – This example shows how to configure a static source-guard binding on port 5.
Console(config)#ip source-guard binding 11-22-33-44-55-66 vlan 1 192.168.0.99 interface ethernet 1/5 4-298...
• Current Dynamic Binding Table – Displays the IP addresses in the source-guard binding table.
Web – Click IP Source Guard, Dynamic Information.
Figure 3-116. Dynamic IP Source Guard Binding Information
CLI – This example shows how to display the source-guard binding table.
Console#show ip source-guard binding 4-300...
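An added Python example for the IP Source Guard section above: it parses a binding table in the layout printed by the switch's show command (the text below is constructed in that layout and is not captured from a device), adds a static binding like the one in the CLI example, and then applies the three filter types (None, SIP, SIP-MAC) to constructed inbound packets. The parser and filter functions are not SMC code.

```python
from dataclasses import dataclass
from typing import List

# Constructed binding table in the format of "show ip dhcp snooping binding".
BINDING_OUTPUT = """\
MacAddress        IpAddress       Lease(sec) Type                 VLAN Interface
----------------- --------------- ---------- -------------------- ---- ---------
11-22-33-44-55-66 192.168.0.99    0          Dynamic              1    Eth 1/5
aa-bb-cc-dd-ee-01 192.168.0.50    3600       Dynamic              1    Eth 1/6
"""


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    kind: str = "Dynamic"


def parse_binding_table(text: str) -> List[Binding]:
    """Extract bindings from the show output; header and separator rows are skipped."""
    bindings = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have 7 fields ("Eth 1/5" splits in two) and start with a MAC.
        if len(fields) < 7 or fields[0][2:3] != "-":
            continue
        mac, ip, _lease, kind, vlan = fields[:5]
        interface = " ".join(fields[5:])
        bindings.append(Binding(mac.lower(), ip, int(vlan), interface, kind))
    return bindings


def static_binding(mac: str, vlan: int, ip: str, interface: str) -> Binding:
    """Equivalent of "ip source-guard binding <mac> vlan <id> <ip> interface ...""."""
    return Binding(mac.lower(), ip, vlan, interface, "Static")


@dataclass
class Packet:
    src_mac: str
    src_ip: str
    vlan: int
    port: str


def source_guard_permits(pkt: Packet, filter_type: str, bindings: List[Binding]) -> bool:
    """Apply the port's filter type: none, sip (source IP) or sip-mac (IP and MAC)."""
    if filter_type == "none":
        return True
    for b in bindings:
        if b.interface != pkt.port or b.vlan != pkt.vlan or b.ip != pkt.src_ip:
            continue                      # binding is for another port/VLAN/address
        if filter_type == "sip":
            return True
        if filter_type == "sip-mac" and b.mac == pkt.src_mac.lower():
            return True
    return False                          # no matching binding: drop


if __name__ == "__main__":
    table = parse_binding_table(BINDING_OUTPUT)
    table.append(static_binding("11-22-33-44-55-66", 1, "192.168.0.99", "Eth 1/5"))
    spoof = Packet("11-22-33-44-55-66", "192.168.0.1", 1, "Eth 1/5")
    print("spoofed gateway address on Eth 1/5 permitted:",
          source_guard_permits(spoof, "sip", table))
```

The SIP-MAC case is the one that catches a host reusing a neighbour's leased address with its own MAC; plain SIP only checks that the address was leased on that port.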
Switch Clustering
Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network. A switch cluster has a “Commander”...
Command Attributes
• Cluster Status – Enables or disables clustering on the switch.
• Cluster Commander – Enables or disables the switch as a cluster Commander.
• Role – Indicates the current role of the switch in the cluster; either Commander, Member, or Candidate.
CLI – This example first enables clustering on the switch, sets the switch as the cluster Commander, and then configures the cluster IP pool.
Console(config)#cluster 4-310
Console(config)#cluster commander 4-311
Console(config)#cluster ip-pool 10.2.3.4 4-312
Console(config)#
Cluster Member Configuration
Adds Candidate switches to the cluster as Members.
CLI – This example creates a new cluster Member by specifying the Candidate switch MAC address and setting a Member ID.
Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5 4-313
Console(config)#
Cluster Member Information
Displays current cluster Member switch information.
Command Attributes
•...
CLI – This example shows information about cluster Member switches.
Vty-0#sh cluster members 4-314
Cluster Members:
Role: Active member
IP Address: 10.254.254.2
MAC Address: 00-12-cf-23-49-c0
Description: 24/48 L2/L4 IPV4/IPV6 GE Switch
Vty-0#
Cluster Candidate Information
Displays information about discovered switches in the network that are already cluster Members or are available to become cluster Members.
CLI – This example shows information about cluster Candidate switches.
Vty-0#show cluster candidates 4-315
Cluster Candidates:
Role Description
--------------- ----------------- -----------------------------------------
ACTIVE MEMBER 00-12-cf-23-49-c0 24/48 L2/L4 IPV4/IPV6 GE Switch
CANDIDATE 00-12-cf-0b-47-a0 24/48 L2/L4 IPV4/IPV6 GE Switch
Vty-0#
Chapter 4 Command Line Interface
This chapter describes how to use the Command Line Interface (CLI).
Using the Command Line Interface
Accessing the CLI
When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt.
After connecting to the system through the console port, the login screen displays:
User Access Verification
Username: admin
Password:
CLI session with the SMC6128PL2 is opened.
To end the CLI session, enter [Exit].
Console#
Telnet Connection
Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address.
After you configure the switch with an IP address, you can open a Telnet session by performing these steps:
1. From the remote host, enter the Telnet command and the IP address of the device you want to access.
2.
Entering Commands
This section describes how to enter CLI commands.
Keywords and Arguments
A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
Command Completion
If you terminate input with a Tab key, the CLI will print the remaining characters of a partial keyword up to the point of ambiguity. In the “logging history” example, typing log followed by a tab will result in printing the command up to “logging.”...
Showing Commands
If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line or VLAN Database).
The command “show interfaces ?” will display the following information:
Console#show interfaces ?
counters Interface counters information
status Interface status information
switchport Interface switchport information
Console#show interfaces
Partial Keyword Lookup
If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided.
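The Tab completion and “?” lookup behaviour described in Command Completion, Showing Commands and Partial Keyword Lookup, reproduced as an added Python example over a small keyword tree. The tree is a constructed subset built from the keywords quoted in this section (show interfaces counters/status/switchport, logging history); it is not the switch's keyword table, and the “show ip interface” and logging host/facility branches and the function names are assumptions.

```python
import os
from typing import Dict, List, Optional

# Constructed keyword tree: keyword -> sub-keywords (empty dict = leaf).
COMMANDS: Dict = {
    "show": {
        "interfaces": {"counters": {}, "status": {}, "switchport": {}},
        "ip": {"interface": {}},
    },
    "logging": {"history": {}, "host": {}, "facility": {}},
}


def _walk(tree: Dict, tokens: List[str]) -> Optional[Dict]:
    """Descend through complete tokens, accepting unambiguous abbreviations.
    Returns None if any token is unknown or ambiguous."""
    node = tree
    for tok in tokens:
        matches = [k for k in node if k.startswith(tok)]
        if len(matches) != 1:
            return None
        node = node[matches[0]]
    return node


def candidates(tree: Dict, line: str) -> List[str]:
    """Alternatives for the last keyword, as typing "?" after it would list.
    A trailing space means "list every keyword at the next level"."""
    tokens = line.split()
    if line.endswith(" ") or not tokens:
        node, partial = _walk(tree, tokens), ""
    else:
        node, partial = _walk(tree, tokens[:-1]), tokens[-1]
    if node is None:
        return []
    return sorted(k for k in node if k.startswith(partial))


def complete(tree: Dict, line: str) -> str:
    """Tab behaviour: extend the last keyword up to the point of ambiguity."""
    tokens = line.split()
    if not tokens or line.endswith(" "):
        return line
    cands = candidates(tree, line)
    if not cands:
        return line
    # The longest common prefix of all matches is as far as completion can go.
    return " ".join(tokens[:-1] + [os.path.commonprefix(cands)])


if __name__ == "__main__":
    for typed in ["log", "show i", "show in", "show interfaces s"]:
        print(f"{typed!r:22} -> {complete(COMMANDS, typed)!r}  ? -> {candidates(COMMANDS, typed)}")
```

Typing “show i” is left unchanged because both “interfaces” and “ip” match, while “show in” completes to “show interfaces”; this mirrors the “up to the point of ambiguity” rule quoted above.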
Understanding Command Modes
The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain switching functions. These classes are further divided into different modes.
(or administrator mode). To access Privileged Exec mode, open a new console session with the user name and password “admin.” The system will now display the “Console#” command prompt. You can also enter Privileged Exec mode from within Normal Exec mode, by entering the enable command, followed by the privileged level password “super”...
• Interface Configuration - These commands modify the port configuration such as speed-duplex and negotiation.
• Line Configuration - These commands modify the console port and Telnet configuration, and include commands such as parity and databits.
• VLAN Configuration - Includes the command to create VLAN groups.
For example, you can use the following commands to enter interface configuration mode, and then return to Global Configuration mode:
Console(config)#interface ethernet 1/5
Console(config-if)#exit
Console(config)#
Command Line Processing
Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?”...
Command Groups
The system commands can be broken down into the functional groups shown below.
Table 4-4 Command Groups
Command Group | Description | Page
Line | Sets communication parameters for the serial port and Telnet, including baud rate and console time-out | 4-15
General | Basic commands for entering privileged access mode, ... | 4-27
OMMAND NTERFACE Table 4-4 Command Groups (Continued) Command Group Description Page Address Table Configures the address table for filtering specified 4-188 addresses, displays current entries, clears the table, or sets the aging time Spanning Tree Configures Spanning Tree settings for the switch 4-193 VLANs Configures VLAN settings, and defines port...
OMMANDS Line Commands You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal). Table 4-5 Line Commands Command Function Mode Page...
line

This command identifies a specific line for configuration, and to process subsequent line configuration commands.

Syntax
line {console | vty}
- console - Console terminal line.
- vty - Virtual terminal for remote console access (i.e., Telnet).

Default Setting
There is no default line.

- local - Selects local password checking. Authentication is based on the user name specified with the username command.

Default Setting
login local

Command Mode
Line Configuration

Command Usage
• There are three authentication modes provided by the switch itself at login:
• ...

password

This command specifies the password for a line. Use the no form to remove the password.

Syntax
password {0 | 7} password
no password
- {0 | 7} - 0 means plain password, 7 means encrypted password
- password - Character string that specifies the line password.

timeout login response

This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default.

Syntax
timeout login response [seconds]
no timeout login response
- seconds - Integer that specifies the timeout interval. (Range: 0 - 300 seconds;...

exec-timeout

This command sets the interval that the system waits until user input is detected. Use the no form to restore the default.

Syntax
exec-timeout [seconds]
no exec-timeout
- seconds - Integer that specifies the number of seconds. (Range: 0-65535 seconds; 0: no timeout)

Default Setting
CLI: No timeout
Telnet: 10 minutes...

password-thresh

This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value.

Syntax
password-thresh [threshold]
no password-thresh
- threshold - The number of allowed password attempts. (Range: 1-120; 0: no threshold)

Default Setting
The default value is three attempts.

silent-time

This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value.

Syntax
silent-time [seconds]
no silent-time...
Default Setting
8 data bits per character

Command Mode
Line Configuration

Command Usage
The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character.

Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting.

Example
To specify no parity, enter this command:

Console(config-line)#parity none
Console(config-line)#

speed

This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds.

stopbits

This command sets the number of the stop bits transmitted per byte. Use the no form to restore the default setting.

Syntax
stopbits {1 | 2}
- 1 - One stop bit
- 2 - Two stop bits

Default Setting
1 stop bit

Command Mode...

Example
Console#disconnect 1
Console#

Related Commands
show ssh (4-55)
show users (4-85)

show line

This command displays the terminal line’s parameters.

Syntax
show line [console | vty]
- console - Console terminal line.
- vty - Virtual terminal for remote console access (i.e., Telnet).

Default Setting
Shows all lines

Command Mode...

General Commands

Table 4-6 General Commands
Command | Function | Mode | Page
enable | Activates privileged mode | | 4-27
disable | Returns to normal mode from privileged mode | | 4-28
configure | Activates global configuration mode | | 4-29
show history | Shows the command history buffer | NE, PE | 4-29
reload | Restarts the system | | ...
Normal Exec

Command Usage
• “super” is the default password required to change the command mode from Normal Exec to Privileged Exec. (To set this password, see the enable password command on page 4-37.)
• The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode.

enable (4-27)

configure

This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, and VLAN Database Configuration.

In this example, the show history command lists the contents of the command history buffer:

Console#show history
Execution command history:
 2 config
 1 show history
Configuration command history:
 4 interface vlan 1
 3 exit
 2 interface vlan 1
 1 end
Console#

The ! command repeats commands from the Execution command history...

Example
This example shows how to reset the switch:

Console#reload
System will be restarted, continue <y/n>? y

This command returns to Privileged Exec mode.

Default Setting
None

Command Mode
Global Configuration, Interface Configuration, Line Configuration, and VLAN Database Configuration.

Example
This example shows how to return to the Privileged Exec mode from the Interface Configuration mode:...

This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:

Console(config)#exit
Console#exit

Press ENTER to start session
User Access Verification
Username:

quit

This command exits the configuration program.

Default Setting
None

Command Mode...
System Management Commands

These commands are used to control system logs, passwords, user names, browser configuration options, and display or configure a variety of other system information.

Table 4-7 System Management Commands
Command Group | Function | Page
Device Designation | Configures information that uniquely identifies this switch | 4-34
...

Device Designation Commands

Table 4-8 Device Designation Commands
Command | Function | Page
prompt | Customizes the prompt used in PE and NE mode | 4-34
hostname | Specifies the host name for the switch | 4-34
snmp-server contact | Sets the system contact string | 4-14
snmp-server location | Sets the system location string | 4-14...

Syntax
hostname name
no hostname
- name - The name of this host. (Maximum length: 255 characters)

Default Setting
None

Command Mode
Global Configuration

Example
Console(config)#hostname RD#1
Console(config)#

User Access Commands

The basic commands required for management access are listed in this section.

username

This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name.

Syntax
username name {access-level level | nopassword | password {0 | 7} password}...

The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords.
- start-address - A single IP address, or the starting address of a range.
- end-address - The end address of a range.

Default Setting
All addresses

Command Mode
Global Configuration

Command Usage
• If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.

show management {all-client | http-client | snmp-client | telnet-client}
- all-client - Adds IP address(es) to the SNMP, web and Telnet groups.
- http-client - Adds IP address(es) to the web group.
- snmp-client - Adds IP address(es) to the SNMP group.
- telnet-client - Adds IP address(es) to the Telnet group.

Web Server Commands

Table 4-12 Web Server Commands
Command | Function | Mode | Page
ip http port | Specifies the port to be used by the web browser interface | | 4-41
ip http server | Allows the switch to be monitored or configured from a browser | | 4-42
ip http | Enables HTTPS for encrypted communications | GC | ...

ip http server

This command allows this device to be monitored or configured from a browser. Use the no form to disable this function.

Syntax
[no] ip http server

Default Setting
Enabled

Command Mode
Global Configuration

Example
Console(config)#ip http server
Console(config)#

Related Commands
ip http port (4-41)

to use the same UDP port.
• If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number]
• When you start HTTPS, the connection is established in this way:
• ...

ip http secure-port

This command specifies the UDP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port.

Syntax
ip http secure-port port_number
no ip http secure-port
- port_number – The UDP port used for HTTPS. (Range: 1-65535)

Default Setting

Command Mode...

Telnet Server Commands

Table 4-14 Telnet Server Commands
Command | Function | Page
ip telnet port | Specifies the port to be used by the Telnet interface | 4-41
ip telnet server | Allows the switch to be monitored or configured from Telnet | 4-42

ip telnet port

This command specifies the TCP port number used by the Telnet interface.

ip telnet server

This command allows this device to be monitored or configured from Telnet. Use the no form to disable this function.

Syntax
[no] ip telnet server

Default Setting
Enabled

Command Mode
Global Configuration

Example
Console(config)#ip telnet server
Console(config)#

Related Commands
ip telnet port (4-45)
This section describes the commands used to configure the SSH server. However, note that you also need to install an SSH client on the management station when using this protocol to configure the switch.

Note: The switch supports both SSH Version 1.5 and 2.0.

Table 4-15 SSH Commands
Command | Function
...

The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified by the authentication login command on page 4-97.

1024 35 134108168560989392104094492015542534763164192187295892114317388005553616163105177594083868631109291232226828519254374603100937187721199696317813662774141689851320491172048303392543241016379975923714490119380060902539484084827178194372288402533115952134861022902978982721353267131629432532818915045306393916643 steve@192.168.1.19

4. Set the Optional Parameters – Set other optional parameters, including the authentication timeout, the number of retries, and the server key size.
5. Enable SSH Service – Use the ip ssh server command to enable the SSH server on the switch.

Syntax
[no] ip ssh server

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
• The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
• ...

Default Setting
10 seconds

Command Mode
Global Configuration

Command Usage
The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase. Once an SSH session has been established, the timeout for user input is controlled by the exec-timeout command for vty sessions.
Example
Console(config)#ip ssh authentication-retries 2
Console(config)#

Related Commands
show ip ssh (4-55)

ip ssh server-key size

This command sets the SSH server key size. Use the no form to restore the default setting.

Syntax
ip ssh server-key size key-size
no ip ssh server-key size
- key-size –...

Example
Console#ip ssh crypto host-key generate dsa
Console#

Related Commands
ip ssh crypto zeroize (4-54)
ip ssh save host-key (4-55)

ip ssh crypto zeroize

This command clears the host key from memory (i.e. RAM).

Syntax
ip ssh crypto zeroize [dsa | rsa]
- dsa –...

Command Mode
Privileged Exec

Example
Console#show ssh
Connection  Version  State            Username  Encryption
                     Session-Started  admin     ctos aes128-cbc-hmac-md5
                                                stoc aes128-cbc-hmac-md5
Console#

Table 4-16 show ssh - display description
Field | Description
Session | The session number. (Range: 0-3)
Version | The Secure Shell version number.
State | The authentication negotiation state.

Table 4-16 show ssh - display description (Continued)
Field | Description
Encryption | The encryption method is automatically negotiated between the client and server. Options for SSHv1.5 include: DES, 3DES. Options for SSHv2.0 can include different algorithms for the client-to-server (ctos) and server-to-client (stoc): aes128-cbc-hmac-sha1, aes192-cbc-hmac-sha1...

Command Mode
Privileged Exec

Command Usage
• If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed.
• When an RSA key is displayed, the first field indicates the size of the host key (e.g., 1024), the second field is the encoded public exponent (e.g., 35), and the last string is the encoded modulus.
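The key format described above (size, exponent, modulus, then the user@host comment) parsed and sanity-checked in Python, using as sample input the manual's own key line from the public-key step earlier in this section with its wrapped modulus re-joined. This is an added example, not code from the SMC manual; the field-validation rules and the 2048-bit floor are its own assumptions, not switch settings.

```python
"""Parse and sanity-check an RSA public key in the "bits exponent modulus [comment]"
text format that this switch displays for user public keys.

Added example (not SMC code). It assumes only that the key line is plain text
with whitespace-separated decimal fields, as the manual's example shows."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RsaPublicKey:
    bits: int                # declared key size, e.g. 1024
    exponent: int            # public exponent, e.g. 35
    modulus: int             # RSA modulus n
    comment: Optional[str]   # trailing user@host tag, if present


def parse_rsa_key_line(line: str) -> RsaPublicKey:
    """Split a key line into its fields, raising ValueError on malformed input.

    A terminal may have wrapped the modulus onto several lines, so every
    numeric token after the exponent is concatenated back into one integer.
    A final non-numeric token is taken as the comment."""
    tokens = line.split()
    if len(tokens) < 3:
        raise ValueError("expected at least 'bits exponent modulus'")
    comment = None
    if not tokens[-1].isdigit():
        comment = tokens.pop()
    if len(tokens) < 3 or not all(t.isdigit() for t in tokens):
        raise ValueError("numeric fields must be decimal integers")
    bits, exponent = int(tokens[0]), int(tokens[1])
    modulus = int("".join(tokens[2:]))   # re-join a line-wrapped modulus
    return RsaPublicKey(bits, exponent, modulus, comment)


def check_rsa_key(key: RsaPublicKey, min_bits: int = 2048) -> List[str]:
    """Return the findings a reviewer would want to see (empty list = clean).

    The declared size must match the modulus, the public exponent and the
    modulus must both be odd, and keys shorter than min_bits are flagged as
    weak. The 2048-bit floor is this example's assumption, not a manual value."""
    findings = []
    actual_bits = key.modulus.bit_length()
    if actual_bits != key.bits:
        findings.append(f"declared {key.bits} bits but modulus has {actual_bits}")
    if key.exponent < 3 or key.exponent % 2 == 0:
        findings.append(f"public exponent {key.exponent} is not a valid RSA exponent")
    if key.modulus % 2 == 0:
        findings.append("modulus is even, so it cannot be a product of two large primes")
    if key.bits < min_bits:
        findings.append(f"{key.bits}-bit RSA is below the {min_bits}-bit minimum")
    return findings


# The key line from the manual's own example, with the modulus re-joined after
# the line wraps in the printed output.
MANUAL_KEY_LINE = (
    "1024 35 "
    "1341081685609893921040944920155425347631641921872958921143173880"
    "055536161631051775940838686311092912322268285192543746031009371877211996963178136627"
    "741416898513204911720483033925432410163799759237144901193800609025394840848271781943"
    "72288402533115952134861022902978982721353267131629432532818915045306393916643"
    " steve@192.168.1.19"
)

if __name__ == "__main__":
    key = parse_rsa_key_line(MANUAL_KEY_LINE)
    print(f"{key.bits}-bit key, e={key.exponent}, comment={key.comment}")
    for finding in check_rsa_key(key):
        print("finding:", finding)
```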
Event Logging Commands

Table 4-17 Event Logging Commands
Command | Function | Page
logging on | Controls logging of error messages | 4-59
logging history | Limits syslog messages saved to switch memory based on severity | 4-61
logging host | Adds a syslog server host IP address that will receive logging messages | 4-63
logging facility | ...

Example
Console(config)#logging on
Console(config)#

Related Commands
logging history (4-61)
clear logging (4-65)

logging history

This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level.

Syntax
logging history {flash | ram} level
no logging history {flash | ram}
- flash - Event history stored in flash memory (i.e., permanent memory).

Global Configuration

Command Usage
The message level specified for flash memory must be a higher priority (i.e., numerically lower) than that specified for RAM.

Example
Console(config)#logging history ram 0
Console(config)#
logging host

This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host.

Syntax
[no] logging host host_ip_address
- host_ip_address - The IP address of a syslog server.

Default Setting
None

Command Mode...

Command Usage
The command specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to sort messages or to store messages in the corresponding database.

(i.e., memory flushed on power reset).
- sendmail - Displays settings for the SMTP event handler (page 4-72).
- trap - Displays settings for the trap function.

Default Setting
None

Command Mode
Privileged Exec

Example
The following example shows that system logging is enabled, the message level for flash memory is “errors”...

The following example displays settings for the trap function.

Console#show logging trap
Syslog logging: Enable
REMOTELOG status: disable
REMOTELOG facility type: local use 7
REMOTELOG level type: Debugging messages
REMOTELOG server IP address: 1.2.3.4
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.0...

- login - Shows the login record only.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
This command shows the system and event messages stored in memory, including the time stamp, message level (page 4-61), program module, function, and event number.

Example
The following example shows sample messages stored in RAM.

However, you must enter a separate command to specify each server.
• To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.

This example will send email alerts for system errors from level 4 through

Console(config)#logging sendmail level 4
Console(config)#

logging sendmail source-email

This command sets the email address used for the “From” field in alert messages. Use the no form to delete the source email address.

Syntax
[no] logging sendmail source-email email-address
- email-address - The source email address used in alert messages.

- email-address - The source email address used in alert messages. (Range: 1-41 characters)

Default Setting
None

Command Mode
Global Configuration

Command Usage
You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient.

Example
Console(config)#logging sendmail destination-email ted@this-company.com...
Time Commands

The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.

• The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan.

Global Configuration

Command Usage
This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode. The client will poll the time servers in the order specified until a response is received. It issues time synchronization requests based on the interval set via the sntp poll command.

sntp client (4-74)

show sntp

This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated.

Command Mode
Normal Exec, Privileged Exec

Command Usage
This command displays the current time, the poll interval used for sending time synchronization requests, and the current SNTP mode (i.e., unicast).

Default Setting
None

Command Mode
Global Configuration

Command Usage
This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.

None

Command Mode
Privileged Exec

Example
This example shows how to set the system clock to 15:12:34, April 1st, 2004.

Console#calendar set 15 12 34 1 April 2004
Console#

show calendar

This command displays the system clock.

Default Setting
None

Command Mode...
System Status Commands

Table 4-23 System Status Commands
Command | Function | Mode | Page
show startup-config | Displays the contents of the configuration file (stored in flash memory) that is used to start up the system | | 4-80
show running-config | Displays the configuration data currently in use | PE | 4-82
show system | ...

• SNMP community strings
• Users (names and access levels)
• VLAN database (VLAN ID, name and state)
• VLAN configuration settings for each interface
• IP address configured for the switch
• Spanning tree settings
• Any configured settings for the console port and Telnet

Example
Console#show startup-config
building startup-config, please wait.....

show running-config

This command displays the configuration information currently in use.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
• Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.

show system

This command displays system information.

Default Setting
None

Command Mode
Normal Exec, Privileged Exec

Command Usage
• For a description of the items shown by this command, refer to “Displaying System Information” on page -13.
• The POST results should all display “PASS.” If any POST test indicates “FAIL,”...

show users

Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client.

Default Setting
None

Command Mode
Normal Exec, Privileged Exec

Command Usage
The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.

Command Mode
Normal Exec, Privileged Exec

Command Usage
See “Displaying Switch Hardware/Software Versions” on page 3-15 for detailed information on the items displayed by this command.

Example
Console#show version
Unit1
 Serial number: S416000937
 Service tag:
 Hardware version:
 Module A type: 1000BaseT
 Module B type: 1000BaseT...
Command Mode
Global Configuration

Command Usage
• This switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 9216 bytes. Compared to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet overhead required to process protocol encapsulation fields.

Table 4-25 Flash/File Commands
Command | Function | Mode | Page
whichboot | Displays the files booted | | 4-94
boot system | Specifies the file or image used to start up the system | | 4-95

copy

This command moves (upload/download) a code image or configuration file between the switch’s flash memory and a TFTP server.

Command Mode
Privileged Exec

Command Usage
• The system prompts for data required to complete the copy command.
• The destination file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch.

operations (on the SMC6824MPE and SMC6826MPE), file types other than PoE controller may be downloaded, but will not adversely affect the system.

Example
The following example shows how to upload the configuration settings to a file on the TFTP server:

Console#copy file tftp
Choose file type:
 1. config: 2. opcode: <1-2>: 1
Source file name: startup
TFTP server ip address: 10.1.0.99
Destination file name: startup.01
TFTP completed.
This example shows how to copy a secure-site certificate from a TFTP server. It then reboots the switch to activate the certificate:

Console#copy tftp https-certificate
TFTP server ip address: 10.1.0.19
Source certificate file name: SS-certificate
Source private file name: SS-private
Private password: ********
Success.

• If the file type is used for system startup, then this file cannot be deleted.
• “Factory_Default_Config.cfg” cannot be deleted.
• A colon (:) is required after the specified unit number.

Example
This example shows how to delete the test2.cfg configuration file from flash memory for unit 1.

• File information is shown below:

Table 4-26 File Directory Information
Column Heading | Description
file name | The name of the file.
file type | File types: Boot-Rom, Operation Code, and Config file.
startup | Shows if this file is used when the system is started.
size | The length of the file in bytes.

Example
This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.

Console#whichboot
 file name                              file type       startup  size (byte)
 -------------------------------------  --------------  -------  -----------...
Example
Console(config)#boot system config: startup
Console(config)#

Related Commands
dir (4-93)
whichboot (4-94)

Authentication Commands

You can configure this switch to authenticate users logging into the system for management access using local or RADIUS authentication methods. You can also enable port-based authentication for network client access using IEEE 802.1X.

Authentication Sequence

Authentication Sequence
Command | Function | Page
authentication login | Defines logon authentication method and precedence | 4-97
authentication enable | Defines the authentication method and precedence for command mode change | 4-98

authentication login

This command defines the login authentication method and precedence. Use the no form to restore the default.

• You can specify three authentication methods in a single command to indicate the authentication sequence. For example, if you enter “authentication login radius tacacs local,” the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server.
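A model of the method precedence just described, written as an added example rather than the switch's own code. It assumes that only an unreachable server causes fallback to the next method and that an explicit rejection by a reachable server is final (the manual states the first rule; the second is this example's assumption), and the backends and credentials are constructed stand-ins.

```python
"""Model the precedence configured with `authentication login radius tacacs local`:
methods are tried in order, and the next one is consulted only when the previous
server could not be reached.

Added example, not switch firmware. Assumption: an explicit REJECT from a
reachable server ends the attempt; the manual only states that an unavailable
server causes fallback."""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Verdict(Enum):
    ACCEPT = "accept"            # server verified the credentials
    REJECT = "reject"            # server reachable, credentials wrong
    UNAVAILABLE = "unavailable"  # no answer within timeout/retransmit budget


# A method is any callable taking (username, password) and returning a Verdict.
AuthMethod = Callable[[str, str], Verdict]


def authenticate(methods: List[Tuple[str, AuthMethod]], user: str,
                 password: str) -> Tuple[bool, List[str]]:
    """Walk the method list in configured order; return (authorized, trail).

    The trail records which method gave which verdict, which is what an
    administrator wants in the event log when a server silently fails."""
    trail: List[str] = []
    for name, method in methods:
        verdict = method(user, password)
        trail.append(f"{name}:{verdict.value}")
        if verdict is Verdict.ACCEPT:
            return True, trail
        if verdict is Verdict.REJECT:
            # Assumed rule: a reachable server's rejection is final, so a later
            # (possibly weaker) backend never gets to override it.
            return False, trail
        # UNAVAILABLE: fall through to the next method in the precedence list.
    return False, trail


def make_server(db: Dict[str, str], reachable: bool = True) -> AuthMethod:
    """Constructed stand-in for a RADIUS, TACACS+ or local backend built from a
    user->password table; reachable=False simulates a server that times out."""
    def method(user: str, password: str) -> Verdict:
        if not reachable:
            return Verdict.UNAVAILABLE
        return Verdict.ACCEPT if db.get(user) == password else Verdict.REJECT
    return method


# Constructed credential tables: "admin"/"admin" is the manual's stated default
# local login; the other values are made up for this example.
radius_down = make_server({"admin": "radius-secret"}, reachable=False)
tacacs_up = make_server({"admin": "tacacs-secret"})
local = make_server({"admin": "admin"})

# Same order as "authentication login radius tacacs local".
METHOD_LIST: List[Tuple[str, AuthMethod]] = [
    ("radius", radius_down), ("tacacs", tacacs_up), ("local", local)]

if __name__ == "__main__":
    for pw in ("tacacs-secret", "admin"):
        ok, trail = authenticate(METHOD_LIST, "admin", pw)
        print(ok, " -> ".join(trail))
```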
Command Usage
• RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
RADIUS Client

Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.

radius-server host

This command specifies primary and backup RADIUS servers and authentication parameters that apply to each server. Use the no form to restore the default values.

Syntax
[no] radius-server index host {host_ip_address | host_alias} [auth-port auth_port] [timeout timeout] [retransmit retransmit] [key key]
- index - Allows you to specify up to five servers.

radius-server port

This command sets the RADIUS server network port. Use the no form to restore the default.

Syntax
radius-server port port_number
no radius-server port
- port_number - RADIUS server UDP port used for authentication messages. (Range: 1-65535)

Default Setting
1812

Command Mode
Global Configuration...

Example
Console(config)#radius-server key green
Console(config)#

radius-server retransmit

This command sets the number of retries. Use the no form to restore the default.

Syntax
radius-server retransmit number_of_retries
no radius-server retransmit
- number_of_retries - Number of times the switch will try to authenticate logon access via the RADIUS server.

Command Mode
Global Configuration

Example
Console(config)#radius-server timeout 10
Console(config)#

show radius-server

This command displays the current settings for the RADIUS server.

Default Setting
None

Command Mode
Privileged Exec

Example
Console#show radius-server
Remote RADIUS server configuration:
Global settings
 Communication key with RADIUS server:
 Server port number: 1812
 Retransmit times:...

authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.

TACACS Commands
Command | Function | Page
tacacs-server host | Specifies the TACACS+ server | 4-10
tacacs-server port | Specifies the TACACS+ server network port | 4-10...

tacacs-server port

This command specifies the TACACS+ server network port. Use the no form to restore the default.

Syntax
tacacs-server port port_number
no tacacs-server port
- port_number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535)

Default Setting

Command Mode
Global Configuration

Example...

Example
Console(config)#tacacs-server key green
Console(config)#

show tacacs-server

This command displays the current settings for the TACACS+ server.

Default Setting
None

Command Mode
Privileged Exec

Example
Console#show tacacs-server
Remote TACACS server configuration:
 Server IP address: 10.11.12.13
 Communication key with TACACS server: *****
 Server port number:
Console#

Port Security Commands...
with an unauthorized MAC address attempts to use the switch port, the intrusion will be detected and the switch can automatically take action by disabling the port and sending a trap message.

Port Security Commands
Command | Function | Page
port security | Configures a secure port | 4-108...

Command Mode
Interface Configuration (Ethernet)

Command Usage
• If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.

802.1X Port Authentication

The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
UTHENTICATION OMMANDS dot1x system-auth-control This command enables 802.1X port authentication globally on the switch. Use the no form to restore the default. Syntax [no] dotx system-auth-control Default Setting Disabled Command Mode Global Configuration Example Console(config)#dot1x system-auth-control Console(config)# dot1x default This command sets all configurable dot1x global and port settings to their default values.
OMMAND NTERFACE count – The maximum number of requests (Range: 1-10) Default Command Mode Interface Configuration Example Console(config)#interface eth 1/2 Console(config-if)#dot1x max-req 2 Console(config-if)# dot1x port-control This command sets the dot1x mode on a port interface. Use the no form to restore the default.
UTHENTICATION OMMANDS dot1x operation-mode This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
OMMAND NTERFACE dot1x re-authenticate This command forces re-authentication on all ports or a specific interface. Syntax dot1x re-authenticate [interface] interface • ethernet unit/port - unit - Stack unit. (Always unit 1) - port - Port number. (Range: 1-52) Command Mode Privileged Exec Example Console#dot1x re-authenticate...
dot1x timeout quiet-period
This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. Use the no form to reset the default.
Syntax
dot1x timeout quiet-period seconds
no dot1x timeout quiet-period
seconds - The number of seconds.
dot1x timeout re-authperiod
This command sets the time period after which a connected client must be re-authenticated.
Syntax
dot1x timeout re-authperiod seconds
no dot1x timeout re-authperiod
seconds - The number of seconds. (Range: 1-65535)
Default
3600 seconds
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2...
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout tx-period 300
Console(config-if)#
show dot1x
This command shows general port authentication related settings on the switch or a specific interface.
Syntax
show dot1x [statistics] [interface interface]
• statistics - Displays dot1x status for each port.
• interface
• ethernet unit/port
- unit - Stack unit. (Always unit 1)
- port - Port number.
- 802.1X Port Details – Displays the port access control parameters for each interface, including the following items:
- reauth-enabled – Periodic re-authentication (page 4-114).
- reauth-period – Time after which a connected client must be re-authenticated (page 4-116).
- quiet-period –...
- Backend State Machine
- State – Current state (including request, response, success, fail, timeout, idle, initialize).
- Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response.
- Identifier (Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server.
Example
Console#show dot1x
Global 802.1X Parameters
system-auth-control: enable
802.1X Port Summary
Port Name Status Operation Mode Mode Authorized
disabled Single-Host ForceAuthorized
enabled Single-Host auto
1/52 disabled Single-Host ForceAuthorized
802.1X Port Details
802.1X is disabled on port 1/1
802.1X is enabled on port 1/2
reauth-enabled: Enable
reauth-period: 1800...
Access Control List Commands
Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, or Layer 4 protocol port number) or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules and then bind the list to a specific port.
ACCESS CONTROL LIST COMMANDS
1. User-defined rules in the Ingress IP ACL for ingress ports.
2. Explicit default rule (permit any any) in the ingress IP ACL for ingress ports.
3. If no explicit rule is matched, the implicit default is permit all.
Access Control Lists Command Function Groups...
access-list ip
This command adds an IP access list and enters configuration mode for standard or extended IP ACLs. Use the no form to remove the specified ACL.
Syntax
[no] access-list ip {standard | extended} acl_name
- standard – Specifies an ACL that filters packets based on the source IP address.
permit, deny (Standard ACL)
This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
Syntax
[no] {permit | deny} {any | source bitmask | host source}
- any –...
access-list ip (4-124)
permit, deny (Extended ACL)
This command adds a rule to an Extended IP ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, or source or destination protocol ports. Use the no form to remove a rule.
• All new rules are appended to the end of the list.
• Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.” The bitmask is bitwise ANDed with the specified source IP address, and then compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.
Privileged Exec
Example
Console#show ip access-list standard
IP standard access-list david:
permit host 10.1.1.21
permit 168.92.0.0 255.255.255.0
Console#
Related Commands
permit, deny (4-125)
ip access-group (4-128)
ip access-group
This command binds a port to an IP ACL. Use the no form to remove the port.
Example
Console(config)#int eth 1/25
Console(config-if)#ip access-group david in
Console(config-if)#
Related Commands
show ip access-list (4-127)
show ip access-group
This command shows the ports assigned to IP ACLs.
Command Mode
Privileged Exec
Example
Console#show ip access-group
Interface ethernet 1/25
IP access-list david in
Console#
Related Commands...
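The rule evaluation the ACL section describes (rules tried in the order they were added, 1 bits in the bitmask mean "match", and an implicit permit when nothing matches), as an added Python example that is not part of the manual. The list "david" is the one shown by show ip access-list above; treating host as an all-ones mask and any as an all-zeros mask, and the deny any rule in the closed copy, are assumptions of this example.

```python
"""Standard IP ACL evaluation as the manual describes it: rules are checked in
the order they were added, the bitmask is ANDed with both the rule's source and
the packet's source (1 = match, 0 = ignore), and a packet that matches no rule
falls through to the implicit default, which is permit all.
Added example, not the switch's own code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StandardRule:
    action: str    # "permit" or "deny"
    source: int    # source address as a 32-bit integer
    bitmask: int   # 1 bits must match, 0 bits are ignored


def parse_rule(text: str) -> StandardRule:
    """Parse one rule written as {permit | deny} {any | source bitmask | host source}.
    Assumption: 'host' behaves like an all-ones mask and 'any' like an all-zeros mask."""
    parts = text.split()
    if len(parts) < 2 or parts[0] not in ("permit", "deny"):
        raise ValueError(f"bad rule: {text!r}")
    action = parts[0]
    if parts[1] == "any":
        return StandardRule(action, 0, 0)
    if parts[1] == "host":
        return StandardRule(action, int(ipaddress.IPv4Address(parts[2])), 0xFFFFFFFF)
    source = int(ipaddress.IPv4Address(parts[1]))
    bitmask = int(ipaddress.IPv4Address(parts[2]))
    return StandardRule(action, source, bitmask)


def rule_matches(rule: StandardRule, src_ip: str) -> bool:
    """AND the bitmask into both addresses, then compare (the Command Usage text)."""
    packet_src = int(ipaddress.IPv4Address(src_ip))
    return (packet_src & rule.bitmask) == (rule.source & rule.bitmask)


def evaluate(rules: List[StandardRule], src_ip: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of the first matching rule). Index None means no
    rule matched and the implicit default (permit) applied."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, src_ip):
            return rule.action, index
    return "permit", None


def ends_with_catch_all(rules: List[StandardRule]) -> bool:
    """True when the last rule has an all-zeros mask, so it matches every packet
    and the implicit permit-all can never be reached. Constructed audit check."""
    return bool(rules) and rules[-1].bitmask == 0


# The list "david" exactly as shown by show ip access-list standard on the page.
DAVID = [parse_rule("permit host 10.1.1.21"),
         parse_rule("permit 168.92.0.0 255.255.255.0")]

# Constructed closed copy: an explicit deny at the end turns the list from
# "permit these, and everything else too" into "permit only these".
DAVID_CLOSED = DAVID + [parse_rule("deny any")]


if __name__ == "__main__":
    for ip in ("10.1.1.21", "168.92.0.77", "168.92.1.5"):
        print(ip, "open:", evaluate(DAVID, ip), "closed:", evaluate(DAVID_CLOSED, ip))
    print("catch-all present?", ends_with_catch_all(DAVID), ends_with_catch_all(DAVID_CLOSED))
```

Run on the page's own list, every source that matches neither permit rule still gets through via the implicit default; only the closed copy actually restricts the port.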
MAC ACL Commands
Command Function Mode Page
show mac access-list – Displays the rules for configured MAC ACLs – 4-13
mac access-group – Adds a port to a MAC ACL – 4-13
show mac access-group – Shows port assignments for MAC ACLs – 4-13
access-list mac
This command adds a MAC access list and enters MAC ACL configuration mode.
Related Commands
permit, deny (4-131)
mac access-group (4-133)
show mac access-list (4-133)
permit, deny (MAC ACL)
This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type.
- tagged-eth2 – Tagged Ethernet II packets.
- untagged-eth2 – Untagged Ethernet II packets.
- tagged-802.3 – Tagged Ethernet 802.3 packets.
- untagged-802.3 – Untagged Ethernet 802.3 packets.
- any – Any MAC source or destination address.
- host – A specific MAC address.
- source –...
Related Commands
access-list mac (4-130)
show mac access-list
This command displays the rules for configured MAC ACLs.
Syntax
show mac access-list [acl_name]
acl_name – Name of the ACL. (Maximum length: 16 characters)
Command Mode
Privileged Exec
Example
Console#show mac access-list
MAC access-list jerry:
permit any 00-e0-29-94-34-de ethertype 0800...
Command Usage
• A port can only be bound to one ACL.
• If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one.
Example
Console(config)#interface ethernet 1/2
Console(config-if)#mac access-group jerry in...
ACL Information
Command Function Mode Page
show access-list – Show all ACLs and associated rules – 4-13
show access-group – Shows the ACLs assigned to each port – 4-13
show access-list
This command shows all ACLs and associated rules, as well as all the user-defined masks.
Privileged Exec
Example
Console#show access-group
Interface ethernet 1/1
IP access-list jerry in
Interface ethernet 1/52
IP access-list jerry in
Console#
SNMP Commands
Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers.
SNMP COMMANDS
SNMP Commands (Continued)
Command Function Page
snmp-server location – Sets the system location string – 4-14
snmp-server host – Specifies the recipient of an SNMP notification operation – 4-14
snmp-server enable traps – Enables the device to send SNMP traps (i.e., SNMP notifications) – 4-14
snmp-server – Sets the SNMP engine ID...
Enabled
Command Mode
Global Configuration
Example
Console(config)#snmp-server
Console(config)#
show snmp
This command can be used to check the status of SNMP communications.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.
Example
Console#show snmp
SNMP Agent: enabled
SNMP traps:
Authentication: enable
Link-up-down: enable
SNMP communities:
1. private, and the privilege is read-write
2. public, and the privilege is read-only
0 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors...
- rw - Specifies read/write access. Authorized management stations are able to both retrieve and modify MIB objects.
Default Setting
• public - Read-only access. Authorized management stations are only able to retrieve MIB objects.
• private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects.
snmp-server location
This command sets the system location string. Use the no form to remove the location string.
Syntax
snmp-server location text
no snmp-server location
text - String that describes the system location. (Maximum length: 255 characters)
Default Setting
None
Command Mode...
option is only available for version 2c and 3 hosts. (Default: traps are used)
- retries - The maximum number of times to resend an inform message if the recipient does not acknowledge receipt. (Range: 0-255; Default: 3)
- seconds - The number of seconds to wait for an acknowledgment before resending an inform message.
• If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command. In order to enable multiple hosts, you must issue a separate snmp-server host command for each host.
snmp-server host command as described in this section.
4. Create a view with the required notification messages (page 4-148).
5. Create a group that includes the required notify view (page 4-150).
6. Specify a remote engine ID where the user resides (page 4-145).
7.
Issue authentication and link-up-down traps.
Command Mode
Global Configuration
Command Usage
• If you do not enter an snmp-server enable traps command, no notifications controlled by this command are sent. In order to configure this device to send SNMP notifications, you must enter at least one snmp-server enable traps command.
- local - Specifies the SNMP engine on this switch.
- remote - Specifies an SNMP engine on a remote device.
- ip-address - The Internet address of the remote device.
- engineid-string - String identifying the engine ID. (Range: 10-64 hexadecimal characters)
Default Setting
A unique engine ID is automatically generated by the switch based on...
Example
Console(config)#snmp-server engine-id local 12345
Console(config)#snmp-server engineID remote 54321 192.168.1.19
Console(config)#
Related Commands
snmp-server host (4-141)
show snmp engine-id
This command shows the SNMP engine ID.
Command Mode
Privileged Exec
Example
This example shows the default engine ID.
Console#show snmp engine-id
Local SNMP engineID: 8000002a8000000000e8666672
Local SNMP engineBoots: 1...
snmp-server view
This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view.
Syntax
snmp-server view view-name oid-tree {included | excluded}
no snmp-server view view-name
- view-name - Name of an SNMP view. (Range: 1-64 characters)
- oid-tree - Object identifier of a branch within the MIB tree.
This view includes the MIB-2 interfaces table, and the mask selects all index entries.
Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
Console(config)#
show snmp view
This command shows information on the SNMP views.
Command Mode
Privileged Exec
Example
Console#show snmp view
View Name: mib-2
Subtree OID: 1.2.2.3.6.2.1
View Type: included...
snmp-server group
This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group.
Syntax
snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview]
no snmp-server group groupname
- groupname - Name of an SNMP group.
• For additional information on the notification messages supported by this switch, see “Supported Notification Messages” on page 5-13. Also, note that the authentication, link-up and link-down messages are legacy traps and must therefore be enabled in conjunction with the snmp-server enable traps command (page 4-144).
Group Name: public
Security Model: v2c
Read View: defaultview
Write View: none
Notify View: none
Storage Type: volatile
Row Status: active

Group Name: private
Security Model: v1
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active

Group Name: private
Security Model: v2c...
show snmp group - display description
Field Description
groupname – Name of an SNMP group.
security model – The SNMP version.
readview – The associated read view.
writeview – The associated write view.
notifyview – The associated notify view.
storage-type – The storage type for this entry.
Row Status – The row status of this entry.
Default Setting
None
Command Mode
Global Configuration
Command Usage
• The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command.
show snmp user
This command shows information on SNMP users.
Command Mode
Privileged Exec
Example
Console#show snmp user
EngineId: 800000ca030030f1df9ca00000
User Name: steve
Authentication Protocol: md5
Privacy Protocol: des56
Storage Type: nonvolatile
Row Status: active

SNMP remote user
EngineId: 80000000030004e2b316c54321
User Name: mark
Authentication Protocol: mdt...
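What the Command Usage note for snmp-server user means in practice, shown as an added Python example that is not the switch's own implementation: RFC 3414 derives a key from the password and then localizes it with the engine ID, so one password gives a different key on every engine, which is why the engine ID must be fixed before users are created. The engine IDs used are the default one from show snmp engine-id, the user engine ID from show snmp user above, and the RFC 3414 test vector; the function names and the format labels in parse_engine_id are this example's own.

```python
"""RFC 3414 password-to-key derivation and engine-ID localization, the
computation the manual refers to when it says the SNMP engine ID is used to
compute the authentication/privacy digests from the password.
Added example; it is not the switch's code."""
import hashlib

ONE_MEGABYTE = 1_048_576


def password_to_ku(password: str, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: hash the password repeated out to exactly 1,048,576 bytes.
    'algo' is the user's authentication protocol (md5 or sha, as shown by show snmp user)."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    reps, rem = divmod(ONE_MEGABYTE, len(pw))
    return hashlib.new(algo, pw * reps + pw[:rem]).digest()


def localize(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). The engine ID is 5..32 octets, which is
    the manual's 10-64 hexadecimal characters."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("engine ID must be 5-32 octets")
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key_hex(password: str, engine_id_hex: str, algo: str = "md5") -> str:
    """Password + engine ID (hex string) -> localized key as hex."""
    return localize(password_to_ku(password, algo), bytes.fromhex(engine_id_hex), algo).hex()


def parse_engine_id(engine_id_hex: str) -> dict:
    """Decode an RFC 3411 engine ID: when the top bit of the first octet is set,
    the first four octets (top bit cleared) are the IANA enterprise number and
    the fifth octet says how the remainder is formatted."""
    raw = bytes.fromhex(engine_id_hex)
    if not 5 <= len(raw) <= 32:
        raise ValueError("engine ID must be 5-32 octets")
    if not raw[0] & 0x80:
        return {"format": "legacy", "enterprise": None, "remainder": raw[4:].hex()}
    fmt = raw[4]
    names = {1: "ipv4", 2: "ipv6", 3: "mac", 4: "text", 5: "octets"}
    return {
        "enterprise": int.from_bytes(raw[:4], "big") & 0x7FFFFFFF,
        "format": names.get(fmt, "enterprise-specific" if fmt >= 128 else "reserved"),
        "remainder": raw[5:].hex(),
    }


# Engine IDs used below: the RFC 3414 A.3.1 sample, the default engine ID the
# manual shows for show snmp engine-id, and the user engine ID from show snmp user.
RFC_ENGINE_ID = "000000000000000000000002"
SWITCH_DEFAULT_ENGINE_ID = "8000002a8000000000e8666672"
SWITCH_USER_ENGINE_ID = "800000ca030030f1df9ca00000"


if __name__ == "__main__":
    # One password, three engines, three different localized keys.
    for eid in (RFC_ENGINE_ID, SWITCH_DEFAULT_ENGINE_ID, SWITCH_USER_ENGINE_ID):
        print(eid, localized_key_hex("maplesyrup", eid))
    print(parse_engine_id(SWITCH_USER_ENGINE_ID))
```

Changing the engine ID after users exist therefore invalidates every localized key the manager has cached, which is the failure the manual's ordering advice avoids.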
Interface Commands
These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN.
Interface Commands
Command Function Mode Page
interface – Configures an interface type and enters interface configuration mode – 4-156
description – Adds a description to an interface configuration – IC – 4-157
speed-duplex – Configures the speed and duplex operation of a...
INTERFACE COMMANDS
interface
• ethernet unit/port
- unit - Stack unit. (Always unit 1)
- port - Port number. (Range: 1-52)
• port-channel channel-id (Range: 1-8)
• vlan vlan-id (Range: 1-4094)
Default Setting
None
Command Mode
Global Configuration
Example
To specify port 24, enter the following command:
Console(config)#interface ethernet 1/24
Console(config-if)#
description...
The following example adds a description to port 24.
Console(config)#interface ethernet 1/24
Console(config-if)#description RD-SW#3
Console(config-if)#
speed-duplex
This command configures the speed and duplex mode of a given interface when autonegotiation is disabled. Use the no form to restore the default.
Syntax
speed-duplex {1000full | 100full | 100half | 10full | 10half}
no speed-duplex...
Default Setting
• Auto-negotiation is enabled by default.
• When auto-negotiation is disabled, the default speed-duplex setting is 100half for 100BASE-TX ports and 1000full for Gigabit Ethernet ports.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• To force operation to the speed and duplex mode specified in a speed-duplex command, use the no negotiation command to disable auto-negotiation on the selected interface.
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
- symmetric (Gigabit only) - When specified, the port transmits and receives pause frames; when not specified, the port will auto-negotiate to determine the sender and receiver for asymmetric pause frames. (The current switch ASIC only supports symmetric pause frames.)
Default Setting
•...
Syntax
[no] flowcontrol
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill. When enabled, back pressure is used for half-duplex operation and IEEE 802.3x for full-duplex operation.
shutdown
This command disables an interface. To restart a disabled interface, use the no form.
Syntax
[no] shutdown
Default Setting
All interfaces are enabled.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then reenable it after the problem has been resolved.
switchport broadcast packet-rate
This command configures broadcast storm control. Use the no form to disable broadcast storm control.
Syntax
switchport broadcast octet-rate rate
no switchport broadcast
rate - Threshold level as a rate; i.e., kilobits per second. (Range: 64-100000 for 100 Mbps ports, 64-1000000 for 1 Gbps ports)
Default Setting
Enabled for all ports...
interface
• ethernet unit/port
• unit - Stack unit. (Always unit 1)
• port - Port number. (Range: 1-52)
• port-channel channel-id (Range: 1-8)
Default Setting
None
Command Mode
Privileged Exec
Command Usage
Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session.
Shows the status for all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Displaying Connection Status” on page 3-108.
Example
Console#show interfaces status ethernet 1/5
Information of Eth 1/5...
• port - Port number. (Range: 1-52)
• port-channel channel-id (Range: 1-8)
Default Setting
Shows the counters for all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Showing Port Statistics”...
show interfaces switchport
This command displays the administrative and operational status of the specified interfaces.
Syntax
show interfaces switchport [interface]
interface
• ethernet unit/port
• unit - Stack unit. (Always unit 1)
• port - Port number. (Range: 1-52)
• port-channel channel-id (Range: 1-8)
Default Setting
Shows all interfaces.
Interfaces Switchport Statistics
Field Description
Broadcast threshold – Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 4-164).
Lacp status – Shows if Link Aggregation Control Protocol has been enabled or disabled (page 4-177).
Ingress rate limit – Shows if ingress rate limiting is enabled, and the current rate limit.
Mirror Port Commands
This section describes how to mirror traffic from a source port to a target port.
Mirror Port Commands
Command Function Mode Page
port monitor – Configures a mirror session – 4-170
show port monitor – Shows the configuration for a mirror port – 4-171
port monitor
This command configures a mirror session.
MIRROR PORT COMMANDS
• The mirror port and monitor port speeds should match, otherwise traffic may be dropped from the monitor port.
• All mirror sessions must share the same destination port.
• When mirroring port traffic, the target port must be included in the same VLAN as the source port.
Example
The following example configures the switch to mirror received packets...
The following shows mirroring configured from port 6 to port 11:
Console(config)#interface ethernet 1/11
Console(config-if)#port monitor ethernet 1/6 rx
Console(config-if)#end
Console#show port monitor
Port Mirroring
-------------------------------------
Destination port(listen port):Eth1/11
Source port(monitored port) :Eth1/6
Mode
Console#
RATE LIMIT COMMANDS
Rate Limit Commands
This function allows the network manager to control the maximum rate for traffic received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into the network. Packets that exceed the acceptable amount of traffic are dropped.
LINK AGGREGATION COMMANDS
Link Aggregation Commands
Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
Guidelines for Creating Trunks
General Guidelines –
• Finish configuring port trunks before you connect the corresponding network cables between switches to avoid creating a loop.
• A trunk can have up to eight ports.
• The ports at both ends of a connection must be configured as trunk ports.
Syntax
channel-group channel-id
no channel-group
channel-id - Trunk index (Range: 1-8)
Default Setting
The current port will be added to this trunk.
Command Mode
Interface Configuration (Ethernet)
Command Usage
• When configuring static trunks, the switches must comply with the Cisco EtherChannel standard.
• The ports on both ends of an LACP trunk must be configured for full duplex, and auto-negotiation.
• A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID.
• If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically.
lacp system-priority
This command configures a port's LACP system priority. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} system-priority priority
no lacp {actor | partner} system-priority
• actor - The local side of an aggregate link.
•...
lacp admin-key (Ethernet Interface)
This command configures a port's LACP administration key. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} admin-key key
[no] lacp {actor | partner} admin-key
• actor - The local side of an aggregate link.
•...
lacp admin-key (Port Channel)
This command configures a port channel's LACP administration key string. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} admin-key key
[no] lacp {actor | partner} admin-key
key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch.
no lacp {actor | partner} port-priority
• actor - The local side of an aggregate link.
• partner - The remote side of an aggregate link.
• priority - LACP port priority is used to select a backup link. (Range: 0-65535)
Default Setting
32768
Command Mode...
• internal - Configuration settings and operational state for local side.
• neighbors - Configuration settings and operational state for remote side.
• sysid - Summary of system priority and MAC address for all channel groups.
Default Setting
Port Channel: all
Command Mode
Privileged Exec...
show lacp counters - display description (Continued)
Field Description
LACPDUs Unknown Pkts – Number of frames received that either (1) carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
show lacp internal - display description (Continued)
Field Description
Admin State, Oper State – Administrative or operational values of the actor’s state parameters:
• Expired – The actor’s receive machine is in the expired state;
• Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.
Console#show lacp 1 neighbors
Port channel 1 neighbors
-------------------------------------------------------------------------
Eth 1/1
-------------------------------------------------------------------------
Partner Admin System ID : 32768, 00-00-00-00-00-00
Partner Oper System ID : 32768, 00-00-00-00-00-01
Partner Admin Port Number : 1
Partner Oper Port Number : 1
Port Admin Priority : 32768
Port Oper Priority : 32768
Admin Key : 0...
show lacp neighbors - display description
Field Description
Partner Admin System ID – LAG partner’s system ID assigned by the user.
Partner Oper System ID – LAG partner’s system ID assigned by the LACP protocol.
Partner Admin Port Number – Current administrative value of the port number for the protocol Partner.
Address Table Commands
These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
Address Table Commands
Command Function Mode Page
mac-address-table static – Maps a static address to a port in a VLAN – 4-188
clear...
ADDRESS TABLE COMMANDS
- action -
• delete-on-reset - Assignment lasts until the switch is reset.
• permanent - Assignment is permanent.
Default Setting
No static addresses are defined. The default mode is permanent.
Command Mode
Global Configuration
Command Usage
The static address for a host device can be assigned to a specific port within a specific VLAN.
Example
Console#clear mac-address-table dynamic
Console#
show mac-address-table
This command shows classes of entries in the bridge-forwarding database.
Syntax
show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}]
- mac-address - MAC address.
- mask - Bits to match in the address.
- interface
•...
example, a mask of 00-00-00-00-00-00 means an exact match, and a mask of FF-FF-FF-FF-FF-FF means “any.”
• The maximum number of address entries is 8191.
Example
Console#show mac-address-table
Interface Mac Address Vlan Type
--------- ----------------- ---- -----------------
Eth 1/1 00-12-cf-94-34-de Delete-on-reset
Trunk 2 00-12-cf-8f-aa-1b...
Command Mode
Privileged Exec
Example
Console#show mac-address-table aging-time
Aging time: 100 sec.
Console#
SPANNING TREE COMMANDS
Spanning Tree Commands
This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
Spanning Tree Commands
Command Function Mode Page
spanning-tree – Enables the spanning tree protocol – 4-194
spanning-tree mode – Configures STP, RSTP or MSTP mode...
Spanning Tree Commands (Continued)
Command Function Mode Page
spanning-tree spanning-disabled – Disables spanning tree for an interface – 4-206
spanning-tree cost – Configures the spanning tree path cost of an interface – 4-206
spanning-tree port-priority – Configures the spanning tree priority of an interface – 4-207
spanning-tree – Enables fast forwarding for edge ports – 4-208...
Command Mode
Global Configuration
Command Usage
The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over...
Uses RSTP for the internal state machine, but sends only 802.1D BPDUs.
• This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
spanning-tree forward-time
This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default.
Syntax
spanning-tree forward-time seconds
no spanning-tree forward-time
seconds - Time in seconds. (Range: 4 - 30 seconds)
The minimum value is the higher of 4 or [(max-age / 2) + 1].
Default Setting
2 seconds
Command Mode
Global Configuration
Command Usage
This command sets the time interval (in seconds) at which the root device transmits a configuration message.
Example
Console(config)#spanning-tree hello-time 5
Console(config)#
Related Commands
spanning-tree forward-time (4-197)
spanning-tree max-age (4-198)
spanning-tree max-age
This command configures the spanning tree bridge maximum age globally for this switch.
receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network.
Example
Console(config)#spanning-tree priority 40000
Console(config)#
spanning-tree pathcost method
This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.
Syntax
spanning-tree pathcost method {long | short}
no spanning-tree pathcost method
- long - Specifies 32-bit based values that range from 1-200,000,000.
spanning-tree transmission-limit
This command configures the minimum interval between the transmission of consecutive RSTP/MSTP BPDUs. Use the no form to restore the default.
Syntax
spanning-tree transmission-limit count
no spanning-tree transmission-limit
count - The transmission limit in seconds. (Range: 1-10)
Default Setting
Command Mode
Global Configuration...
mst priority (4-203)
name (4-204)
revision (4-204)
max-hops (4-205)
mst vlan
This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs.
Syntax
[no] mst instance_id vlan vlan-range
- instance_id - Instance identifier of the spanning tree.
Example
Console(config-mstp)#mst 1 vlan 2-5
Console(config-mstp)#
mst priority
This command configures the priority of a spanning tree instance. Use the no form to restore the default.
Syntax
mst instance_id priority priority
no mst instance_id priority
- instance_id - Instance identifier of the spanning tree. (Range: 0-4094)
- priority - Priority of the spanning tree instance.
name
This command configures the name for the multiple spanning tree region in which this switch is located. Use the no form to clear the name.
Syntax
name name
name - Name of the spanning tree.
Default Setting
Switch’s MAC address
Command Mode
MST Configuration
Command Usage...
MST Configuration
Command Usage
The MST region name (page 4-204) and revision number are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
Example
Console(config-mstp)#max-hops 30
Console(config-mstp)#
spanning-tree spanning-disabled
This command disables the spanning tree algorithm for the specified interface. Use the no form to reenable the spanning tree algorithm for the specified interface.
Syntax
[no] spanning-tree spanning-disabled
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Example
This example disables the spanning tree algorithm for port 5.
Default Setting
By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost “0” is used to indicate auto-configuration mode.
• Ethernet – half duplex: 2,000,000; full duplex: 1,000,000; trunk: 500,000
•...
Default Setting Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
servers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to initiate reconfiguration when the interface changes state, and also overcomes other STA-related timeout problems.
forwarding should only be enabled for ports connected to a LAN segment that is at the end of a bridged LAN or for an end-node device.) • This command is the same as spanning-tree edge-port, and is only included for backward compatibility with earlier products. Note that this command may be removed for future software versions.
a shared link. • RSTP only works on point-to-point links between two bridges. If you designate a port as a shared link, RSTP is forbidden. Since MSTP is an extension of RSTP, this same restriction applies. Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree link-type point-to-point spanning-tree mst cost This command configures the path cost on a spanning instance in the...
Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • Each spanning-tree instance is associated with a unique set of VLAN IDs. • This command is used by the multiple spanning-tree algorithm to determine the best path between devices. Therefore, lower values should be assigned to interfaces attached to faster media, and higher values assigned to interfaces with slower media.
Command Usage • This command defines the priority for the use of an interface in the multiple spanning-tree. If the path cost for all interfaces on a switch is the same, the interface with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
Example Console#spanning-tree protocol-migration eth 1/5 Console# show spanning-tree This command shows the configuration for the common spanning tree (CST) or for an instance within the multiple spanning tree (MST). Syntax show spanning-tree [interface | mst instance_id] - interface • ethernet unit/port •...
description of the items displayed for specific interfaces, see “Displaying Interface Settings” on page 3-132. Example Console#show spanning-tree Spanning-tree information --------------------------------------------------------------- Spanning tree mode: MSTP Spanning tree enable/disable: enable Instance: Vlans configuration: 1-4094 Priority: 32768 Bridge Hello Time (sec.): Bridge Max Age (sec.): Bridge Forward Delay (sec.): Root Hello Time (sec.):...
VLAN COMMANDS VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
Note: GVRP is not supported in the current software. GVRP and Bridge Extension Commands Command Function Page bridge-ext gvrp Enables GVRP globally for the switch 4-21 show bridge-ext Shows the global bridge extension configuration 4-21 switchport gvrp Enables GVRP for an interface 4-21 switchport forbidden Configures forbidden VLANs for an...
GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. This function should be enabled to permit automatic VLAN registration, and to support VLANs which extend beyond the local switch. Example Console(config)#bridge-ext gvrp Console(config)#...
[no] switchport gvrp Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Example Console(config)#interface ethernet 1/6 Console(config-if)#switchport gvrp Console(config-if)# show gvrp configuration This command shows if GVRP is enabled. Syntax show gvrp configuration [interface] interface • ethernet unit/port - unit - Stack unit. (Always unit 1) - port - Port number.
garp timer This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. Syntax garp timer {join | leave | leaveall} timer_value no garp timer {join | leave | leaveall} - {join | leave | leaveall} - Which timer to set.
Example Console(config)#interface ethernet 1/1 Console(config-if)#garp timer join 100 Console(config-if)# Related Commands show garp timer (4-222) show garp timer This command shows the GARP timers for the selected interface. Syntax show garp timer [interface] interface • ethernet unit/port - unit - Stack unit. (Always unit 1) - port - Port number.
Editing VLAN Groups Command Function Mode Page vlan database Enters VLAN database mode to add, change, and delete VLANs 4-223 vlan Configures a VLAN, including VID, name and state 4-224 vlan database This command enters VLAN database mode. All commands in this mode will take effect immediately.
vlan This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN. Syntax vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] no vlan vlan-id [name | state] - vlan-id - ID of configured VLAN. (Range: 1-4094, no leading zeroes) - name - Keyword to be followed by the VLAN name.
The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default. Console(config)#vlan database Console(config-vlan)#vlan 105 name RD5 media ethernet Console(config-vlan)# Related Commands show vlan (4-233) Configuring VLAN Interfaces Command Function Mode Page...
interface vlan vlan-id vlan-id - ID of the configured VLAN. (Range: 1-4094, no leading zeroes) Default Setting None Command Mode Global Configuration Example The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN: Console(config)#interface vlan 1 Console(config-if)#ip address 192.168.1.254 255.255.255.0 Console(config-if)#...
Default Setting All ports are in hybrid mode with the PVID set to VLAN 1. Command Mode Interface Configuration (Ethernet, Port Channel) Example The following shows how to set the configuration mode to port 1, and then set the switchport mode to hybrid: Console(config)#interface ethernet 1/1 Console(config-if)#switchport mode hybrid Console(config-if)#...
The following example shows how to restrict the traffic received on port 1 to tagged frames: Console(config)#interface ethernet 1/1 Console(config-if)#switchport acceptable-frame-types tagged Console(config-if)# Related Commands switchport mode (4-226) switchport ingress-filtering This command enables ingress filtering for an interface. Note: Although the ingress filtering command is available, the switch has ingress filtering permanently set to enable.
The following example shows how to select port 1 and then enable ingress filtering: Console(config)#interface ethernet 1/1 Console(config-if)#switchport ingress-filtering Console(config-if)# switchport native vlan This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default. Syntax switchport native vlan vlan-id no switchport native vlan...
switchport allowed vlan This command configures VLAN groups on the selected interface. Use the no form to restore the default. Note: Each port can only have one untagged VLAN. If a second VLAN is defined for a port as untagged, the other VLAN that had untagged status will automatically be changed to tagged.
VLAN. If a second VLAN is defined for a port as untagged, the other VLAN that had untagged status will automatically be changed to tagged. Setting a VLAN untagged will also change the native VLAN of the port to this VLAN. •...
• If a VLAN has been added to the set of allowed VLANs for an interface, then you cannot add it to the set of forbidden VLANs for that same interface. Example The following example shows how to prevent port 1 from being added to VLAN 3: Console(config)#interface ethernet 1/1 Console(config-if)#switchport forbidden vlan add 3...
Displaying VLAN Information Show VLAN Commands Command Function Mode Page show vlan Shows VLAN information 4-233 show interfaces status vlan Displays status for the specified VLAN interface 4-165 show interfaces switchport Displays the administrative and operational status of an interface 4-168 show vlan This command shows VLAN information.
The following example shows how to display information for VLAN 1: Console#show vlan id 1 Vlan ID: Type: Static Name: DefaultVlan Status: Active Ports/Port channel: Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S) Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S) Eth1/10(S) Eth1/11(S) Eth1/12(S) Eth1/13(S) Eth1/14(S) Eth1/15(S) Eth1/16(S) Eth1/17(S) Eth1/18(S) Eth1/19(S) Eth1/20(S) Eth1/21(S) Eth1/22(S) Eth1/23(S) Eth1/24(S) Eth1/25(S)
This section describes commands used to configure private VLANs. Private VLAN Commands Command Function Page Edit Private VLAN Groups private-vlan Adds or deletes primary, community, or isolated VLANs 4-236 private-vlan association Associates a community VLAN with a primary VLAN 4-237 Configure Private VLAN Interfaces...
5. Use the switchport private-vlan mapping command to assign a port to a primary VLAN. 6. Use the show vlan private-vlan command to verify your configuration settings. To configure isolated VLANs, follow these steps: 1. Use the private-vlan command to designate an isolated VLAN that will contain a single promiscuous port and one or more isolated ports.
Default Setting None Command Mode VLAN Configuration Command Usage • Private VLANs are used to restrict traffic to ports within the same community or isolated VLAN, and channel traffic passing outside the community through promiscuous ports. When using community VLANs, they must be mapped to an associated “primary”...
(Range: 1-4094, no leading zeroes). Default Setting None Command Mode VLAN Configuration Command Usage Secondary VLANs provide security for group members. The associated primary VLAN provides a common interface for access to other network resources within the primary VLAN (e.g., servers configured with promiscuous ports) and to resources outside of the primary VLAN (via promiscuous ports).
Command Usage • To assign a promiscuous port to a primary VLAN, use the switchport private-vlan mapping command. To assign a host port to a community VLAN, use the switchport private-vlan host-association command. • To assign a promiscuous port or host port to an isolated VLAN, use the switchport private-vlan isolated command.
Example Console(config)#interface ethernet 1/3 Console(config-if)#switchport private-vlan host-association 3 Console(config-if)# switchport private-vlan isolated Use this command to assign an interface to an isolated VLAN. Use the no form to remove this assignment. Syntax switchport private-vlan isolated isolated-vlan-id no switchport private-vlan isolated isolated-vlan-id - ID of isolated VLAN.
switchport private-vlan mapping primary-vlan-id no switchport private-vlan mapping primary-vlan-id – ID of primary VLAN. (Range: 1-4094, no leading zeroes). Default Setting None Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage Promiscuous ports assigned to a primary VLAN can communicate with any other promiscuous ports in the same VLAN, and with the group members within any associated secondary VLANs.
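The forwarding rules stated for promiscuous, community and isolated ports, as an added example in Python (not the switch's own code). It assumes the conventional private-VLAN semantics: promiscuous ports reach every port, community hosts reach their own community and the promiscuous ports, isolated hosts reach only promiscuous ports; for simplicity an isolated VLAN's promiscuous port is registered with map_promiscuous like any other. Port names and VLAN IDs are constructed sample data modelled on the show vlan private-vlan output.

```python
"""Model of which ports in a private VLAN may exchange traffic.
Added example, not firmware code; the topology below is constructed."""
from typing import Dict, Optional, Tuple


class PrivateVlan:
    """One primary VLAN with its associated community/isolated VLANs."""

    def __init__(self, primary_vid: int) -> None:
        self.primary_vid = primary_vid
        self.secondaries: Dict[int, str] = {}                   # vid -> "community" | "isolated"
        self.ports: Dict[str, Tuple[str, Optional[int]]] = {}   # port -> (role, secondary vid)

    # private-vlan <vid> {community | isolated}, then private-vlan <primary> association <vid>
    def associate(self, vid: int, kind: str) -> None:
        if kind not in ("community", "isolated"):
            raise ValueError("secondary VLAN type must be community or isolated")
        self.secondaries[vid] = kind

    # switchport private-vlan mapping <primary-vlan-id>
    def map_promiscuous(self, port: str) -> None:
        self.ports[port] = ("promiscuous", None)

    # switchport private-vlan host-association <community-vlan-id>
    def host_association(self, port: str, vid: int) -> None:
        if self.secondaries.get(vid) != "community":
            raise ValueError(f"VLAN {vid} is not an associated community VLAN")
        self.ports[port] = ("host", vid)

    # switchport private-vlan isolated <isolated-vlan-id> (host port)
    def isolated(self, port: str, vid: int) -> None:
        if self.secondaries.get(vid) != "isolated":
            raise ValueError(f"VLAN {vid} is not an associated isolated VLAN")
        self.ports[port] = ("host", vid)

    def can_communicate(self, a: str, b: str) -> bool:
        """True if frames from port a may be forwarded to port b."""
        if a not in self.ports or b not in self.ports:
            return False                      # not part of this private VLAN at all
        role_a, vid_a = self.ports[a]
        role_b, vid_b = self.ports[b]
        # A promiscuous port reaches every other promiscuous port and every
        # host in an associated secondary VLAN.
        if role_a == "promiscuous" or role_b == "promiscuous":
            return True
        # Two hosts talk only inside the same community VLAN; isolated hosts
        # never reach each other, even inside the same isolated VLAN.
        return vid_a == vid_b and self.secondaries[vid_a] == "community"


def build_sample() -> PrivateVlan:
    """Constructed topology: primary 100, community 101 (Eth1/4, Eth1/5),
    isolated 102 (Eth1/6, Eth1/7), promiscuous port Eth1/3."""
    pv = PrivateVlan(100)
    pv.associate(101, "community")
    pv.associate(102, "isolated")
    pv.map_promiscuous("Eth1/3")
    pv.host_association("Eth1/4", 101)
    pv.host_association("Eth1/5", 101)
    pv.isolated("Eth1/6", 102)
    pv.isolated("Eth1/7", 102)
    return pv
```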
Command Mode Privileged Exec Example Console#show vlan private-vlan Primary Secondary Type Interfaces -------- ----------- ---------- ------------------------------ primary Eth1/ 3 community Eth1/ 4 Eth1/ 5 isolated Console#
Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
3. Then map the protocol for each interface to the appropriate VLAN using the protocol-vlan protocol-group command (Interface Configuration mode). protocol-vlan protocol-group (Configuring Groups) This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group. Syntax protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol]...
protocol-vlan protocol-group (Configuring Interfaces) This command maps a protocol group to a VLAN for the current interface. Use the no form to remove the protocol mapping for this interface. Syntax protocol-vlan protocol-group group-id vlan vlan-id no protocol-vlan protocol-group group-id vlan - group-id - Group identifier of this protocol group.
The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2. Console(config)#interface ethernet 1/1 Console(config-if)#protocol-vlan protocol-group 1 vlan 2 Console(config-if)# show protocol-vlan protocol-group This command shows the frame and protocol type associated with protocol groups.
PRIORITY COMMANDS - unit - Stack unit. (Range: 1-8) - port - Port number. (Range: 1-26/50) • port-channel channel-id (Range: 1-32) Default Setting The mapping for all interfaces is displayed. Command Mode Privileged Exec Example This shows that traffic entering Port 1 that matches the specifications for protocol group 1 will be mapped to VLAN 2: Console#show interfaces protocol-vlan protocol-group Port...
Priority Commands (Layer 2) Command Function Page queue mode Sets the queue mode to strict priority or Weighted Round-Robin (WRR) 4-248 switchport priority default Sets a port priority for incoming untagged frames 4-249 queue bandwidth Assigns round-robin weights to the priority queues 4-250 queue cos map...
Command Mode Global Configuration Command Usage You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue.
switchport priority. • The default priority applies for an untagged frame received on a port set to accept all frame types (i.e., receives both untagged and tagged frames). This priority does not apply to IEEE 802.1Q VLAN tagged frames. If the incoming frame is an IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used.
Default Setting Weights 1, 2, 4, 8 are assigned to queues 0-3 respectively. Command Mode Global Configuration Command Usage WRR controls bandwidth sharing at the egress port by defining scheduling weights. Example This example shows how to assign WRR weights to priority queues 0 - 2: Console(config)#queue bandwidth 6 9 12 Console(config)# Related Commands...
This switch supports Class of Service by using four priority queues, with Weighted Round Robin queuing for each port. Eight separate traffic classes are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown below.
Privileged Exec Example Console#show queue mode Queue mode: wrr Console# show queue bandwidth This command displays the weighted round-robin (WRR) bandwidth allocation for the four priority queues. Default Setting None Command Mode Privileged Exec Example Console#show queue bandwidth Queue ID Weight --------...
The following example shows how to enable IP DSCP mapping globally: Console(config)#map ip dscp Console(config)# map ip dscp (Interface Configuration) This command sets IP DSCP priority (i.e., Differentiated Services Code Point priority). Use the no form to restore the default table. Syntax map ip dscp dscp-value cos cos-value no map ip dscp...
• DSCP priority values are mapped to default Class of Service values according to recommendations in the IEEE 802.1p standard, and then subsequently mapped to the four hardware priority queues. • This command sets the IP DSCP priority for all interfaces. Example The following example shows how to map IP DSCP value 1 to CoS value Console(config)#interface ethernet 1/5...
QUALITY OF SERVICE COMMANDS Example Console#show map ip dscp ethernet 1/1 DSCP mapping status: disabled Port DSCP COS --------- ---- --- Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Console# Related Commands map ip dscp (Global Configuration) (4-254)
Quality of Service Commands Command Function Page police Defines an enforcer for classified traffic 4-264 service-policy Applies a policy map defined by the policy-map command to the input of a particular interface 4-265 show class-map Displays the QoS class maps which define matching criteria used for classifying traffic 4-266...
7. Use the service-policy command to assign a policy map to a specific interface. Notes: 1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map. 2.
This example creates a class map called “rd_class,” and sets it to match packets marked for DSCP service value 3: Console(config)#class-map rd_class match-any Console(config-cmap)#match ip dscp 3 Console(config-cmap)# Related Commands show class map (4-266) match This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria.
This example creates a class map called “rd_class#1,” and sets it to match packets marked for DSCP service value 3: Console(config)#class-map rd_class#1 match-any Console(config-cmap)#match ip dscp 3 Console(config-cmap)# This example creates a class map called “rd_class#2,” and sets it to match packets marked for IP Precedence service value 5: Console(config)#class-map rd_class#2 match-any Console(config-cmap)#match ip precedence 5...
• A policy map can contain multiple class statements that can be applied to the same interface with the service-policy command (page 4-265). • You must create a Class Map (page 4-261) before assigning it to a Policy Map. Example This example creates a policy called “rd_policy,”...
- set command classifies the service that an IP packet will receive. - police command defines the maximum throughput, burst rate, and the action that results from a policy violation. • You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map. Example This example creates a policy called “rd_policy,”...
Example This example creates a policy called “rd_policy,” uses the class command to specify the previously defined “rd_class,” uses the set command to classify the service that incoming packets will receive, and then uses the police command to limit the average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets.
• Policing is based on a token bucket, where the bucket depth (i.e., the maximum burst before the bucket overflows) is specified by the burst-byte field, and the average rate at which tokens are removed from the bucket is specified by the rate-bps option. Example This example creates a policy called “rd_policy,”...
• You must first define a class map, then define a policy map, and finally use the service-policy command to bind the policy map to the required interface. Example This example applies a service policy to an ingress interface. Console(config)#interface ethernet 1/1 Console(config-if)#service-policy input rd_policy Console(config-if)# show class-map...
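The token-bucket policer behind the police command, as an added example in Python (not the switch's own code), using the rd_policy parameters above: 100,000 Kbps average rate, 1522-byte burst, violators dropped. It assumes the conventional token-bucket semantics in which tokens are credited at the configured rate and each conforming packet consumes its size in bytes; the packet trace is constructed.

```python
"""Token-bucket policer model. Added example, not firmware code."""
from typing import List, Tuple


class TokenBucketPolicer:
    """rate_kbps and burst_bytes mirror the rate-bps and burst-byte fields."""

    def __init__(self, rate_kbps: int, burst_bytes: int, action: str = "drop") -> None:
        if rate_kbps <= 0 or burst_bytes <= 0:
            raise ValueError("rate and burst must be positive")
        self.rate_kbps = rate_kbps
        self.burst_bytes = burst_bytes
        self.action = action              # what happens to a violating packet
        self.tokens = float(burst_bytes)  # the bucket starts full
        self.last_time = 0.0

    @property
    def bytes_per_second(self) -> float:
        return self.rate_kbps * 1000 / 8

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last_time)
        # Tokens accrue at the configured rate and overflow at the bucket depth,
        # so idle time can never buy a burst larger than burst_bytes.
        self.tokens = min(float(self.burst_bytes),
                          self.tokens + elapsed * self.bytes_per_second)
        self.last_time = now

    def check(self, now: float, size: int) -> str:
        """Return "conform" or the violation action for one packet."""
        self._refill(now)
        if size <= self.tokens:
            self.tokens -= size
            return "conform"
        return self.action


def police(policer: TokenBucketPolicer, packets: List[Tuple[float, int]]) -> List[str]:
    """Run (timestamp_seconds, size_bytes) packets through the policer in order."""
    return [policer.check(t, size) for t, size in packets]


# Constructed sample trace: three back-to-back 1000-byte packets at t=0,
# then one more 1 ms later. At 100,000 Kbps the bucket refills 12,500
# bytes per millisecond, so it is full again by the fourth packet.
SAMPLE_PACKETS = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (0.001, 1000)]


def run_sample() -> List[str]:
    return police(TokenBucketPolicer(100000, 1522, "drop"), SAMPLE_PACKETS)
```

Note that a packet larger than burst-byte can never conform, so a burst set below the largest frame expected on the link drops those frames unconditionally.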
show policy-map This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations. Syntax show policy-map [policy-map-name [class class-map-name]] - policy-map-name - Name of the policy map. (Range: 1-16 characters) - class-map-name - Name of the class map.
Command Mode Privileged Exec Example Console#show policy-map interface ethernet 1/5 Service-policy rd_policy input Console# Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only.
MULTICAST FILTERING COMMANDS IGMP Snooping Commands Command Function Mode Page ip igmp snooping Enables IGMP snooping 4-270 ip igmp snooping vlan static Adds an interface as a member of a multicast group 4-270 ip igmp snooping version Configures the IGMP version for snooping 4-271...
ip igmp snooping This command enables IGMP snooping on this switch. Use the no form to disable it. Syntax [no] ip igmp snooping Default Setting Enabled Command Mode Global Configuration Example The following example enables IGMP snooping. Console(config)#ip igmp snooping Console(config)# ip igmp snooping vlan static This command adds a port to a multicast group.
Global Configuration Example The following shows how to statically configure a multicast group on a port: Console(config)#ip igmp snooping vlan 1 static 224.0.0.12 ethernet Console(config)# ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default.
ip igmp snooping leave-proxy This command enables IGMP leave proxy on the switch. Use the no form to disable the feature. Syntax [no] ip igmp snooping leave-proxy Default Setting Disabled Command Mode Global Configuration Command Usage • The IGMP snooping leave-proxy feature suppresses all unnecessary IGMP leave messages so that the non-querier switch forwards an IGMP leave packet only when the last dynamic member port leaves a multicast group.
Command Usage The IGMP snooping immediate-leave feature enables a Layer 2 LAN interface to be removed from the multicast forwarding table without first sending an IGMP group-specific query to the interface. Upon receiving a group-specific IGMPv2 leave message, the switch immediately removes the interface from the Layer 2 forwarding table entry for that multicast group, unless a multicast router was learned on the port.
show mac-address-table multicast This command shows known multicast addresses. Syntax show mac-address-table multicast [vlan vlan-id] [user | igmp-snooping] - vlan-id - VLAN ID (1 to 4094) - user - Display only the user-configured multicast entries. - igmp-snooping - Display only entries learned through IGMP snooping.
IGMP Query Commands (Layer 2) Command Function Mode Page ip igmp snooping querier Allows this device to act as the querier for IGMP snooping 4-275 ip igmp snooping query-count Configures the query count 4-276 ip igmp snooping...
ip igmp snooping query-count This command configures the query count. Use the no form to restore the default. Syntax ip igmp snooping query-count count no ip igmp snooping query-count count - The maximum number of queries issued for which there has been no response before the switch takes action to drop a client from the multicast group.
ip igmp snooping query-interval This command configures the query interval. Use the no form to restore the default. Syntax ip igmp snooping query-interval seconds no ip igmp snooping query-interval seconds - The frequency at which the switch sends IGMP host-query messages.
• The switch must be using IGMPv2 for this command to take effect. • This command defines the time after a query, during which a response is expected from a multicast client. If a querier has sent a number of queries defined by the ip igmp snooping query-count, but a client has not responded, a countdown timer is started using an initial value set by this command.
Command Usage The switch must use IGMPv2 for this command to take effect. Example The following shows how to configure the default timeout to 300 seconds: Console(config)#ip igmp snooping router-port-expire-time 300 Console(config)# Related Commands ip igmp snooping version (4-271) Static Multicast Routing Commands Command...
Command Mode Global Configuration Command Usage Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your router, you can manually configure that interface to join all the current multicast groups.
The following shows that port 11 in VLAN 1 is attached to a multicast router: Console#show ip igmp snooping mrouter vlan 1 VLAN M'cast Router Ports Type ---- ------------------- ------- Eth 1/11 Static Eth 1/12 Static Console#
Multicast VLAN Registration Commands This section describes commands used to configure Multicast VLAN Registration (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all subscribers. This can significantly reduce the processing overhead required to dynamically monitor and establish the distribution tree for a normal multicast VLAN.
mvr (Global Configuration) This command enables Multicast VLAN Registration (MVR) globally on the switch, statically configures MVR multicast group IP address(es) using the group keyword, or specifies the MVR VLAN identifier using the vlan keyword. Use the no form of this command without any keywords to globally disable MVR.
Command Usage • Use the mvr group command to statically configure all multicast group addresses that will join the MVR VLAN. Any multicast data associated with an MVR group is sent from all source ports, and to all receiver ports that have registered to receive data from that multicast group.
message for that group. - ip-address - Statically configures an interface to receive multicast traffic from the IP address specified for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.255) Default Setting • The port type is not defined. •...
Command Usage • A port which is not configured as an MVR receiver or source port can use IGMP snooping to join or leave multicast groups using the standard rules for multicast filtering. • MVR receiver ports cannot be members of a trunk. Receiver ports can belong to different VLANs, but should not be configured as a member of the MVR VLAN.
The following configures one source port and several receiver ports on the switch, enables immediate leave on one of the receiver ports, and statically assigns a multicast group to another receiver port: Console(config)#interface ethernet 1/5 Console(config-if)#mvr type source Console(config-if)#exit Console(config)#interface ethernet 1/6 Console(config-if)#mvr type receiver...
Enter this command without any keywords to display the global settings for MVR. Use the interface keyword to display information about interfaces attached to the MVR VLAN. Or use the members keyword to display information about multicast groups assigned to the MVR VLAN.
show mvr interface - display description Field Description Port Shows interfaces attached to the MVR. Type Shows the MVR port type. Status Shows the MVR status and interface status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch.
IP Interface Commands An IP address may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on.
IP INTERFACE COMMANDS - bootp - Obtains IP address from BOOTP. - dhcp - Obtains IP address from DHCP. Default Setting DHCP Command Mode Interface Configuration (VLAN) Command Usage • You must assign an IP address to this device to gain management access over the network.
ip dhcp restart (4-292) ip default-gateway This command establishes a static route between this switch and devices that exist on another network segment. Use the no form to remove the static route. Syntax ip default-gateway gateway no ip default-gateway gateway - IP address of the default gateway Default Setting No static route is established.
Command Usage • This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command. • DHCP requires the server to reassign the client’s last address if available.
show ip redirects This command shows the default gateway configured for this device. Default Setting None Command Mode Privileged Exec Example Console#show ip redirects IP default gateway 10.1.0.254 Console# Related Commands ip default-gateway (4-292) ping This command sends ICMP echo request packets to another node on the network.
• Normal response - The normal response occurs in one to ten seconds, depending on network traffic. • Destination does not respond - If the host does not respond, a “timeout” appears in ten seconds. • Destination unreachable - The gateway for this destination indicates that the destination is unreachable.
IP Source Guard Commands IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or static and dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping Commands”...
IP SOURCE GUARD COMMANDS Disabled Command Mode Interface Configuration (Ethernet) Command Usage • Source guard is used to filter traffic on an unsecure port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor.
• If DHCP snooping is enabled, IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, static DHCP snooping binding or dynamic DHCP snooping binding, the packet will be forwarded.
Default Setting No configured entries Command Mode Global Configuration Command Usage • Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding, Static-DHCP-Binding), VLAN identifier, and port identifier. • All static entries are configured with an infinite lease time, which is indicated with a value of zero by the show ip source-guard command (page 4-300).
ip dhcp snooping (4-301) ip dhcp snooping vlan (4-304) show ip source-guard This command shows whether source guard is enabled or disabled on each interface. Command Mode Privileged Exec Example Console#show ip source-guard Interface Filter-type --------- ----------- Eth 1/1 DISABLED Eth 1/2 DISABLED Eth 1/3...
DHCP SNOOPING COMMANDS DHCP Snooping Commands DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port.
[no] ip dhcp snooping
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on an unsecure interface from outside the network or firewall.
If the DHCP packet is a reply packet from a DHCP server (including OFFER, ACK or NAK messages), the packet is dropped. If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table.
ip dhcp snooping trust (4-305)

ip dhcp snooping vlan
This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.
Syntax
[no] ip dhcp snooping vlan vlan-id
vlan-id - ID of a configured VLAN (Range: 1-4094)
Default Setting
Disabled
Command Mode...
ip dhcp snooping trust (4-305)

ip dhcp snooping trust
This command configures the specified interface as trusted. Use the no form to restore the default setting.
Syntax
[no] ip dhcp snooping trust
Default Setting
All interfaces are untrusted
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage...
Related Commands
ip dhcp snooping (4-301)
ip dhcp snooping vlan (4-304)

ip dhcp snooping verify mac-address
This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable this function.
ip dhcp snooping information option
This command enables the DHCP Option 82 information relay for the switch. Use the no form to disable this function.
Syntax
[no] ip dhcp snooping information option
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
•...
ip dhcp snooping information policy <drop | keep | replace>
- drop - Discards the Option 82 information in a packet and then floods it to the entire VLAN.
- keep - Retains the client’s DHCP information.
- replace - Overwrites the DHCP client packet information with the switch’s relay information.
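The untrusted-port filtering rules above (server replies dropped, DECLINE/RELEASE forwarded only with a binding), the verify mac-address check, and the three Option 82 policies, as an added Python model; this is example code, not part of the SMC manual. The binding table and packets are constructed, and it assumes that a trusted interface is not filtered and that, with the relay enabled, the switch inserts its own Option 82 information into packets that carry none.

```python
# Added example, not code from the SMC manual: a model of the DHCP snooping decision
# for a packet received on an untrusted port, combining the reply/client rules,
# "verify mac-address" and the Option 82 information policy. Sample data is constructed.
from dataclasses import dataclass, replace as dc_replace
from typing import Optional

@dataclass(frozen=True)
class Binding:              # one row of the DHCP snooping binding table
    mac: str
    ip: str
    port: str

@dataclass(frozen=True)
class DhcpPacket:
    msg_type: str           # DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK or RELEASE
    src_mac: str            # source address in the Ethernet header
    chaddr: str             # client hardware address inside the DHCP payload
    client_ip: str = ""     # address named in a DECLINE or RELEASE
    option82: Optional[dict] = None   # relay information already present in the packet

SERVER_REPLIES = {"OFFER", "ACK", "NAK"}
NEEDS_BINDING = {"DECLINE", "RELEASE"}
BINDINGS = [Binding("00-12-cf-00-00-02", "192.0.2.20", "Eth 1/2")]   # constructed

def snoop(pkt, port, *, trusted, bindings=BINDINGS, verify_mac=True,
          info_policy="replace", switch_info=None):
    """Return ("forward", packet) or ("drop", reason) for a packet received on `port`.
    switch_info is the switch's own Option 82 relay information; None models the
    default in which the Option 82 relay is disabled and packets are left untouched."""
    if trusted:
        return "forward", pkt        # assumption: a trusted interface is not filtered
    if pkt.msg_type in SERVER_REPLIES:
        return "drop", "server reply received on untrusted port"
    if verify_mac and pkt.chaddr.lower() != pkt.src_mac.lower():
        return "drop", "chaddr does not match Ethernet source MAC"
    if pkt.msg_type in NEEDS_BINDING and not any(
            b.mac.lower() == pkt.chaddr.lower() and b.ip == pkt.client_ip and b.port == port
            for b in bindings):
        return "drop", "no binding for %s/%s on %s" % (pkt.chaddr, pkt.client_ip, port)
    if switch_info is None:
        return "forward", pkt
    if pkt.option82 is None:         # assumption: the relay inserts its own information
        return "forward", dc_replace(pkt, option82=switch_info)
    if info_policy == "drop":        # discard the client's Option 82, then forward
        return "forward", dc_replace(pkt, option82=None)
    if info_policy == "keep":
        return "forward", pkt
    return "forward", dc_replace(pkt, option82=switch_info)   # "replace"
```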
Example
Console(config)#ip dhcp snooping database flash
Console(config)#

show ip dhcp snooping
This command shows the DHCP snooping configuration settings.
Command Mode
Privileged Exec
Example
Console#show ip dhcp snooping
Global DHCP Snooping status: disable
DHCP Snooping is configured on the following VLANs:
Verify Source Mac-Address: enable
Interface Trusted...
Switch Cluster Commands
Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. A switch cluster has a “Commander” unit that is used to manage all other “Member” switches in the cluster. The management station uses Telnet to communicate directly with the Commander through its IP address, and the Commander manages Member switches using cluster “internal”...
SWITCH CLUSTER COMMANDS
Command Mode
Global Configuration
Command Usage
• To create a switch cluster, first be sure that clustering is enabled on the switch (the default is enabled), then set the switch as a Cluster Commander. Set a Cluster IP Pool that does not conflict with any other IP subnets in the network.
to connect to the Member switch.
Example
Console(config)#cluster commander
Console(config)#

cluster ip-pool
This command sets the cluster IP address pool. Use the no form to reset to the default address.
Syntax
cluster ip-pool <ip-address>
no cluster ip-pool
ip-address - The base IP address for IP addresses assigned to cluster Members.
cluster member
This command configures a Candidate switch as a cluster Member. Use the no form to remove a Member switch from the cluster.
Syntax
cluster member mac-address <mac-address> id <member-id>
no cluster member id <member-id>
mac-address - The MAC address of the Candidate switch.
member-id - The ID number to assign to the Member switch.
console CLI on the Commander is not supported.
• There is no need to enter the username and password for access to the Member switch CLI.
Example
Vty-0#rcommand id 1
CLI session with the 24/48 L2/L4 GE Switch is opened.
To end the CLI session, enter [Exit].
show cluster candidates
This command shows the discovered Candidate switches in the network.
Command Mode
Privileged Exec
Example
Console#show cluster candidates
Cluster Candidates:
Role Description
--------------- ----------------- -----------------------------------------
ACTIVE MEMBER 00-12-cf-23-49-c0 24/48 L2/L4 IPV4/IPV6 GE Switch
CANDIDATE 00-12-cf-0b-47-a0 24/48 L2/L4 IPV4/IPV6 GE Switch
Console#...
APPENDIX: SOFTWARE SPECIFICATIONS
Software Features
Authentication: Local, RADIUS, TACACS, Port (802.1X), HTTPS, SSH, Port Security
Access Control Lists: IP, MAC; 100 rules per system
Power over Ethernet
DHCP Client
Port Configuration:
100BASE-TX: 10/100 Mbps, half/full duplex
1000BASE-T: 10/100 Mbps at half/full duplex, 1000 Mbps at full duplex
1000BASE-SX/LX/LH: 1000 Mbps at full duplex (SFP)
Flow Control: Full Duplex: IEEE 802.3-2002...
Dynamic trunks (Link Aggregation Control Protocol)
Spanning Tree Algorithm: Spanning Tree Protocol (STP, IEEE 802.1D), Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w)
VLAN Support: Up to 255 groups; port-based or tagged (802.1Q), Private VLANs, Protocol-based VLANs
Class of Service: Supports 4 levels of priority and Weighted Round Robin Queueing (which can be configured by VLAN tag or port), Layer 3/4 priority mapping: IP DSCP...
APPENDIX: TROUBLESHOOTING
Problems Accessing the Management Interface
Table B-1 Troubleshooting Chart
Symptom: Cannot connect using Telnet, web browser, or SNMP software
Action:
• Be sure the switch is powered up.
• Check network cabling between the management station and the switch.
•...
program via a serial port connection
(9600, 19200, 38400, 57600, 115200 bps).
• Check that the null-modem serial cable conforms to the pin-out connections provided in the Installation Guide.
Symptom: Forgot or lost the password
Action:
• Contact SMC Technical Support for help....
USING SYSTEM LOGS
Using System Logs
If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1.
GLOSSARY
Access Control List (ACL)
ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.
Boot Protocol (BOOTP)
BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device's system files, and the name of the boot file.
Dynamic Host Control Protocol (DHCP)
Provides a framework for passing configuration information to hosts on a TCP/IP network. DHCP is based on the Bootstrap Protocol (BOOTP), adding the capability of automatic allocation of reusable network addresses and additional configuration options.
Extensible Authentication Protocol over LAN (EAPOL)
EAPOL is a client authentication protocol used by this switch to verify the network access rights for any device that is plugged into the switch.
IEEE 802.1D
Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.
IEEE 802.1Q
VLAN Tagging—Defines Ethernet frame tags which carry VLAN information. It allows switches to assign end stations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks.
IGMP Snooping
Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members.
IGMP Query
On each subnetwork, one IGMP-capable device will act as the querier — that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong.
Link Aggregation Control Protocol (LACP)
Allows ports to automatically negotiate a trunked link with LACP-configured ports on another device.
Management Information Base (MIB)
An acronym for Management Information Base. It is a set of database objects that contains information about a specific device.
MD5 Message-Digest Algorithm
An algorithm that is used to create digital signatures.
Port Mirroring
A method whereby data on a target port is mirrored to a monitor port for troubleshooting with a logic analyzer or RMON probe. This allows data on the target port to be studied unobtrusively.
Port Trunk
Defines a network link aggregation and trunking method which specifies how to create a single high-speed logical link that combines several lower-speed physical links.
Simple Network Management Protocol (SNMP)
The application protocol in the Internet suite of protocols which offers network management services.
Simple Network Time Protocol (SNTP)
SNTP allows a device to set its internal clock based on periodic updates from a Network Time Protocol (NTP) server. Updates can be requested from a specific NTP server, or can be received via broadcasts sent by NTP servers.
User Datagram Protocol (UDP)
UDP provides a datagram mode for packet-switched communications. It uses IP as the underlying transport mechanism to provide access to IP-like services. UDP packets are delivered just like IP packets – connection-less datagrams that may be discarded before reaching their targets. UDP is useful when TCP would be too complex, too slow, or just unnecessary.