SMC Networks TigerSwitch SMC6128PL2 Management Manual

24-port fast ethernet switch

TigerSwitch 10/100
24-Port Fast Ethernet Switch
◆ 24 auto-MDI/MDI-X 10/100BASE-TX ports
◆ 10BASE-T/100BASE-TX ports support PoE capabilities
◆ Two 10/100/1000BASE-T RJ-45 ports
◆ Two Gigabit RJ-45/SFP combination ports
◆ 12.8 Gbps of aggregate bandwidth
◆ Supports IP Clustering
◆ Non-blocking switching architecture
◆ Spanning Tree Protocol, and RSTP
◆ Up to eight LACP or static 8-port trunks
◆ RADIUS and TACACS+ authentication
◆ Rate limiting for bandwidth management
◆ CoS support for four-level priority
◆ Full support for VLANs with GVRP
◆ IP Multicasting with IGMP Snooping
◆ Manageable via console, Web, SNMP/RMON

Management Guide

SMC6128PL2

Summary of Contents for SMC Networks TigerSwitch SMC6128PL2

  • Page 3 TigerSwitch 10/100 Management Guide. From SMC’s Tiger line of feature-rich workgroup LAN solutions. 20 Mason, Irvine, CA 92618, February 2007. Phone: (949) 679-8000. Pub. # 149100032800A...
  • Page 4 Irvine, CA 92618 All rights reserved. Printed in Taiwan Trademarks: SMC is a registered trademark; and EZ Switch, TigerStack and TigerSwitch are trademarks of SMC Networks, Inc. Other product and company names are trademarks or registered trademarks of their respective holders.
  • Page 5 All SMC products carry a standard 90-day limited warranty from the date of purchase from SMC or its Authorized Reseller. SMC may, at its own discretion, repair or replace any product not operating as warranted with a similar or functionally equivalent product, during the applicable warranty term.
  • Page 6 RIGHTS, WHICH MAY VARY FROM STATE TO STATE. NOTHING IN THIS WARRANTY SHALL BE TAKEN TO AFFECT YOUR STATUTORY RIGHTS. * SMC will provide warranty service for one year following discontinuance from the active SMC price list. Under the limited lifetime warranty, internal and external power supplies, fans, and cables are covered by a standard one-year warranty from date of purchase.
  • Page 7: Table Of Contents

    CONTENTS Introduction 1-1; Key Features 1-1; Description of Software Features ...
  • Page 8 Displaying System Information 3-13; Displaying Switch Hardware/Software Versions 3-15; Displaying Bridge Extension Capabilities ...
  • Page 9 Replacing the Default Secure-site Certificate 3-75; Configuring the Secure Shell 3-77; Configuring the SSH Server ...
  • Page 10 Displaying Port Power Status 3-142; Configuring Port PoE Power 3-143; Address Table Settings ...
  • Page 11 Selecting the Queue Mode 3-209; Setting the Service Weight for Traffic Classes 3-210; Layer 3/4 Priority Settings ...
  • Page 12 Cluster Member Configuration 3-260; Cluster Member Information 3-261; Cluster Candidate Information ...
  • Page 13 show line 4-26; General Commands ...
  • Page 14 show ip ssh 4-55; show ssh ...
  • Page 15 delete 4-92; dir ...
  • Page 16 permit, deny (Standard ACL) 4-125; permit, deny (Extended ACL) 4-126; show ip access-list ...
  • Page 17 shutdown 4-163; switchport broadcast packet-rate ...
  • Page 18 name 4-204; revision ...
  • Page 19 private vlan association 4-237; switchport mode private-vlan 4-238; switchport private-vlan host-association ...
  • Page 20 ip igmp snooping 4-270; ip igmp snooping vlan static 4-270; ip igmp snooping version ...
  • Page 21 ip dhcp snooping information option 4-307; ip dhcp snooping information policy 4-307; ip dhcp snooping database flash ...
  • Page 22 TABLES Table 1-1. Key Features 1-1; Table 1-2. ...
  • Page 23 Table 4-18 Logging Levels 4-61; Table 4-19 show logging flash/ram - display description ...
  • Page 24 FIGURES Figure 3-1. Home Page 3-3; Figure 3-2. ...
  • Page 25 Figure 3-34. HTTPS Settings 3-75; Figure 3-35. SSH Server Settings 3-81; Figure 3-36. ...
  • Page 26 Figure 3-71. Configuring Multiple Spanning Trees 3-169; Figure 3-72. Displaying MSTP Interface Settings 3-171; Figure 3-73. ...
  • Page 27 Figure 3-108. MVR Group Member Configuration 3-246; Figure 3-109. DHCP Snooping Configuration 3-248; Figure 3-110. ...
  • Page 28 FIGURES xxii...
  • Page 29: Introduction

    CHAPTER 1 INTRODUCTION This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.
  • Page 30 Table 1-1. Key Features: DHCP Client – Supported; DHCP Snooping – Supported with Option 82 relay information; Port Configuration – Speed, duplex mode and flow control; Rate Limiting – Input rate limiting per port; Port Mirroring – One port mirrored to a single analysis port; Port Trunking – Supports up to 8 trunks using either static or dynamic trunking (LACP)
  • Page 31: Description Of Software Features

    Description of Software Features The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network. Port-based and private VLANs, plus support for automatic GVRP VLAN registration, provide traffic security and efficient use of network bandwidth.
  • Page 32 security controls by restricting access to specific network resources or protocols. Port Configuration – You can manually configure the speed, duplex mode, and flow control used on specific ports, or use auto-negotiation to detect the connection settings used by the attached device. Use the full-duplex mode on ports whenever possible to double the throughput of switch connections.
  • Page 33 Static Addresses – A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
  • Page 34 standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices. Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – This protocol is a direct extension of RSTP.
  • Page 35 functions can be used to provide independent priorities for delay-sensitive data and best-effort data. This switch also supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic can be prioritized based on the DSCP field in the IP frame.
  • Page 36: System Defaults

    System Defaults The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-27). The following table lists some of the basic system defaults. Table 1-2.
  • Page 37 Table 1-2. System Defaults (Continued): Management – HTTP Server: Enabled; HTTP Port Number; HTTP Secure Server: Enabled; HTTP Secure Port Number. SNMP – Community Strings: “public” (read only), “private” (read/write); Traps: Authentication traps: enabled, Link-up-down events: enabled. Port – Admin Status: Enabled...
  • Page 38 Table 1-2. System Defaults (Continued): Virtual LANs – Default VLAN; PVID; Acceptable Frame Type; Ingress Filtering: Enabled; Switchport Mode (Egress Mode): Hybrid: tagged/untagged frames; GVRP (global): Disabled; GVRP (port interface): Disabled. Traffic Prioritization – Ingress Port Priority; Weighted Round Robin: Queue 0 1 2 3, Weight 1 2 4 8; IP DSCP Priority...
  • Page 39 Table 1-2. System Defaults (Continued): DHCP Snooping – Status: Disabled. IP Source Guard – Status: Disabled (all ports). Switch Clustering – Status: Enabled; Commander: Disabled. a. SMC6824MPE and SMC6826MPE only. 1-11...
  • Page 40 1-12...
  • Page 41: Initial Configuration

    CHAPTER 2 INITIAL CONFIGURATION Connecting to the Switch Configuration Options The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON (Groups 1, 2, 3, 9) and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
  • Page 42: Required Connections

    The switch’s web interface, CLI configuration program, and SNMP agent allow you to perform the following management functions: • Set user names and passwords • Set an IP interface for a management VLAN • Configure SNMP parameters • Enable/disable any port •...
  • Page 43 To connect a terminal to the console port, complete the following steps: 1. Connect the console cable to the serial port on a terminal, or a PC running terminal emulation software, and tighten the captive retaining screws on the DB-9 connector.
  • Page 44: Remote Connections

    Remote Connections Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address”...
  • Page 45: Setting Passwords

    Access to both CLI levels is controlled by user names and passwords. The switch has a default user name and password for each level. To log into the CLI at the Privileged Exec level using the default user name and password, perform these steps: 1.
  • Page 46: Setting An Ip Address

    Note: ‘0’ specifies the password in plain text, ‘7’ specifies the password in encrypted form. Username: admin Password: CLI session with the SMC6128PL2 is opened. To end the CLI session, enter [Exit]. Console#configure Console(config)#username guest password 0 [password] Console(config)#username admin password 0 [password] Console(config)# Setting an IP Address...
  • Page 47: Dynamic Configuration

    • IP address for the switch • Default gateway for the network • Network mask for this network To assign an IP address to the switch, complete the following steps: 1. From the Privileged Exec level global configuration mode prompt, type “interface vlan 1”...
  • Page 48 If the “bootp” or “dhcp” option is saved to the startup-config file (step 6), then the switch will start broadcasting service requests as soon as it is powered on. To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete the following steps: 1.
  • Page 49: Enabling Snmp Management Access

    6. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press <Enter>. Console(config)#interface vlan 1 Console(config-if)#ip address dhcp Console(config-if)#end Console#ip dhcp restart Console#show ip interface IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1, and address mode: User specified.
  • Page 50: Community Strings (For Snmp Version 1 And 2C Clients)

    Community Strings (for SNMP version 1 and 2c clients) Community strings are used to control management access to SNMP version 1 and 2c stations, as well as to authorize SNMP stations to receive trap messages from the switch. You therefore need to assign community strings to specified users, and set the access level.
  • Page 51: Trap Receivers

    Trap Receivers You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, use the “snmp-server host” command. From the Privileged Exec level global configuration mode prompt, type: “snmp-server host host-address community-string [version {1 | 2c | 3 {auth | noauth | priv}}]”...
  • Page 52: Saving Configuration Settings

    used for authentication, provides the password “greenpeace” for authentication, and the password “einstien” for encryption. Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included 4-148 Console(config)#snmp-server view 802.1d 1.3.6.1.2.1.17 included Console(config)#snmp-server group r&d v3 auth mib-2 802.1d 4-150 Console(config)#snmp-server user steve group r&d v3 auth md5 greenpeace priv des56 einstien 4-153 Console(config)#...
  • Page 53: Managing System Files

    Managing System Files The switch’s flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.
  • Page 54 Note that configuration files should be downloaded using a file name that reflects the contents or usage of the file settings. If you download directly to the running-config, the system will reboot, and the settings will have to be copied from the running-config to a permanent file.
  • Page 55: Configuring The Switch

    CHAPTER 3 CONFIGURING THE SWITCH Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, or Netscape 6.2 or above).
  • Page 56 2. If you log into the web interface as guest (Normal Exec level), you can view the configuration settings or change the guest password. If you log in as “admin” (Privileged Exec level), you can change the settings on any page. 3.
  • Page 57: Navigating The Web Browser Interface

    Navigating the Web Browser Interface To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.”...
  • Page 58: Configuration Options

    Configuration Options Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
  • Page 59: Main Menu

    Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 3-2. Main Menu (columns: Menu, Description, Page)...
  • Page 60 Table 3-2. Main Menu (Continued): Reset – Restarts the switch (3-43). SNTP (3-44): Configuration – Configures SNTP client settings, including broadcast mode or a specified list of servers (3-44); Clock Time Zone – Sets the local time zone for the system clock (3-46). SNMP (3-47)...
  • Page 61 Table 3-2. Main Menu (Continued): 802.1X – Port authentication (3-86): Information – Displays global configuration settings (3-89); Configuration – Configures the global configuration setting (3-89); Port Configuration – Sets parameters for individual ports (3-90); Statistics – Displays protocol statistics for the selected port (3-94). (3-96): Configuration...
  • Page 62 Table 3-2. Main Menu (Continued): Port Broadcast Control – Sets the broadcast storm threshold for each port (3-129); Trunk Broadcast Control – Sets the broadcast storm threshold for each trunk (3-129); Mirror Port Configuration – Sets the source and target ports for mirroring (3-131); Rate Limit...
  • Page 63 Table 3-2. Main Menu (Continued): Configuration – Configures global bridge settings for STA and RSTP (3-155); Port Information – Displays individual port settings for STA (3-160); Trunk Information – Displays individual trunk settings for STA (3-160); Port Configuration – Configures individual port settings for STA (3-164); Trunk Configuration – Configures individual trunk settings for STA (3-164)...
  • Page 64 Table 3-2. Main Menu (Continued): Trunk Configuration – Specifies default trunk VID and VLAN attributes (3-190). Private VLAN (3-192): Information – Displays Private VLAN feature information (3-194); Configuration – This page is used to create/remove primary or community VLANs (3-196); Association...
  • Page 65 Table 3-2. Main Menu (Continued): IP DSCP Priority Status – Globally selects DSCP Priority, or disables it (3-212); IP DSCP Priority – Sets IP Differentiated Services Code Point priority, mapping a DSCP tag to a class-of-service value (3-213). DiffServ (3-215): Class Map (3-215)...
  • Page 66: Table 3-2. Main Menu

    Table 3-2. Main Menu (Continued): Group IP Information – Displays the ports attached to an MVR multicast stream (3-241); Port Configuration – Configures MVR interface type and immediate leave status (3-243); Trunk Configuration – Configures MVR interface type and immediate leave status (3-243); Group Member...
  • Page 67: Basic Configuration

    Basic Configuration Displaying System Information You can easily identify the system by displaying the device name, location and contact information. Field Attributes • System Name – Name assigned to the switch system. • Object ID – MIB II object ID for switch’s network management subsystem.
  • Page 68: Figure 3-3. System Information

    Web – Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that allows access to the Command Line Interface via Telnet.) Figure 3-3.
  • Page 69: Displaying Switch Hardware/Software Versions

    CLI – Specify the hostname, location and contact information. Console(config)#hostname R&D 5 4-34 Console(config)#snmp-server location WC 9 4-141 Console(config)#snmp-server contact Ted 4-140 Console(config)#exit Console#show system 4-84 System description : 24 10/100 ports and 4 gigabit ports with PoE switch System OID string : 1.3.6.1.4.1.202.20.65 System information...
  • Page 70: Figure 3-4. Switch Information

    Management Software • EPLD Version – Version number of the Electronically Programmable Logic Device code. • Loader Version – Version number of loader code. • Boot-ROM Version – Version of Power-On Self-Test (POST) and boot code. • Operation Code Version –...
  • Page 71 CLI – Use the following command to display version information. Console#show version 4-85 Unit 1 Serial number: Hardware version: EPLD Version: 4.04 Number of ports: Main power status: Redundant power status: Not present Agent (master) Unit ID: Loader version: 0.0.0.5 Boot ROM version: 0.0.0.8...
  • Page 72: Displaying Bridge Extension Capabilities

    Displaying Bridge Extension Capabilities The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables. Field Attributes • Extended Multicast Filtering Services –...
  • Page 73: Setting The Switch's Ip Address

    Figure 3-5. Bridge Extension Configuration CLI – Enter the following command. Console#show bridge-ext 4-219 Max support VLAN numbers: Max support VLAN ID: 4094 Extended multicast filtering services: No Static entry individual port: VLAN learning: Configurable PVID tagging: Local VLAN capable: Traffic classes: Enabled Global GVRP status:...
  • Page 74 You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. Anything outside this format will not be accepted by the CLI program.
  • Page 75: Manual Configuration

    Manual Configuration Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply. Figure 3-6. Manual IP Configuration CLI –...
  • Page 76: Using Dhcp/Bootp

    Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services. Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP.
  • Page 77: Enabling Jumbo Frames

    CLI – Specify the management interface, set the IP address mode to DHCP or BOOTP, and then enter the “ip dhcp restart” command. Console#config Console(config)#interface vlan 1 4-156 Console(config-if)#ip address dhcp 4-290 Console(config-if)#end Console#ip dhcp restart 4-292 Console#show ip interface 4-293 IP address and netmask: 192.168.1.1 255.255.255.0 on VLAN 1,...
  • Page 78: Managing Firmware

    Figure 3-8. Bridge Extension Configuration CLI – Enter the following command. Console#config Console(config)#jumbo frame Console(config)# Managing Firmware You can upload/download firmware to or from a TFTP server, or copy files to and from switch units in a stack. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation.
  • Page 79: Downloading System Software From A Server

    • File Name – The file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch.
  • Page 80: Figure 3-10. Setting The Startup Code

    If you download to a new destination file, go to the System/File/Set Start-Up menu, mark the operation code file used at startup, and click Apply. To start the new firmware, reboot the system via the System/Reset menu. Figure 3-10.
  • Page 81: Saving Or Restoring Configuration Settings

    4-88 Console#copy tftp file TFTP server ip address: 192.168.1.23 Choose file type: 1. config: 2. opcode: <1-2>: 2 Source file name: V2.2.7.1.bix Destination file name: V2271.F \Write to FLASH Programming. -Write to FLASH finish. Success. Console#config 4-95 Console(config)#boot system opcode:V2271.F Console(config)#exit 4-30 Console#reload...
  • Page 82 - running-config to startup-config – Copies the running config to the startup config. - running-config to tftp – Copies the running configuration to a TFTP server. - startup-config to file – Copies the startup configuration to a file on the switch.
  • Page 83: Downloading Configuration Settings From A Server

    Downloading Configuration Settings from a Server You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg”...
  • Page 84: Figure 3-13. Setting The Startup Configuration Settings

    Figure 3-13. Setting the Startup Configuration Settings CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch. 4-88 Console#copy tftp startup-config TFTP server ip address: 192.168.1.19...
  • Page 85: Console Port Settings

    This example shows how to copy a PoE controller file from another unit in the stack. Console#copy file controller 4-82 Unit <1-2>: 2 Choose controller type: 1. PoE: 2. VDSL: 3. TBD <1-3>: 1 Source file name: PoE-test Software downloading in progress, please wait...
  • Page 86 • Data Bits – Sets the number of data bits per character that are interpreted and generated by the console port. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
  • Page 87: Figure 3-14. Console Port Settings

    Figure 3-14. Console Port Settings CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level. 4-16 Console(config)#line console 4-16...
  • Page 88: Telnet Settings

    Telnet Settings You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other various parameters set, including the TCP port number, timeouts, and a password. These parameters can be configured via the web or CLI interface.
  • Page 89: Figure 3-15. Enabling Telnet

    • Password Threshold – Sets the password intrusion threshold, which limits the number of failed logon attempts. When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time (set by the Silent Time parameter) before allowing the next logon attempt.
  • Page 90: Configuring Event Logging

    4-16 Console(config)#line vty 4-16 Console(config-line)#login local 4-18 Console(config-line)#password 0 secret 4-19 Console(config-line)#timeout login response 300 4-20 Console(config-line)#exec-timeout 600 4-21 Console(config-line)#password-thresh 3 Console(config-line)#end 4-26 Console#show line Console configuration: Password threshold: 3 times Interactive timeout: Disabled Login timeout: Disabled Silent time: Disabled Baudrate:...
  • Page 91: System Log Configuration

    Figure 3-16. Displaying Logs CLI – This example shows the event messages stored in RAM. Console#show log ram 4-65 [1] 00:00:27 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1 [0] 00:00:25 2001-01-01 "System coldStart notification."...
  • Page 92: Table 3-3. Logging Levels

    • Flash Level – Limits log messages saved to the switch’s permanent flash memory for all levels up to the specified level. For example, if level 3 is specified, all messages from level 0 to level 3 will be logged to flash.
  • Page 93: Remote Log Configuration

    Figure 3-17. System Logs CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory. Use the show logging command to display the current settings. Console(config)#logging on 4-59 Console(config)#logging history ram 0 4-61 Console(config)#end Console#show logging flash...
  • Page 94: Figure 3-18. Remote Logs

    RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to process messages, such as sorting or storing messages in the corresponding database.
  • Page 95: Simple Mail Transfer Protocol

    CLI – Enter the syslog server host IP address, choose the facility type and set the logging trap. Console(config)#logging host 192.168.1.15 4-63 Console(config)#logging facility 23 4-63 Console(config)#logging trap 4 4-64 Console(config)#end Console#show logging trap 4-64 Syslog logging: Enabled REMOTELOG status: Enabled REMOTELOG facility type:...
  • Page 96: Figure 3-19. Enabling And Configuring Smtp

    exhausted. (Level 2) • Alert – Sends urgent notification that immediate action must be taken. (Level 1) • Emergency – Sends an emergency notification that the system is now unusable. (Level 0) • SMTP Server List – Specifies a list of recipient SMTP servers. •...
  • Page 97: Resetting The System

    CLI – Enter the host IP address, followed by the mail severity level, source and destination email addresses, and enter the sendmail command to complete the action. Use the show logging command to display SMTP information. Console(config)#logging sendmail host 192.168.1.19 Console(config)#logging sendmail level 3 Console(config)#logging sendmail source-email bill@this-company.com...
  • Page 98: Setting The System Clock

    Setting the System Clock Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
  • Page 99: Figure 3-21. Sntp Configuration

    Web – Select SNTP, Configuration. Modify any of the required parameters, and click Apply. Figure 3-21. SNTP Configuration CLI – This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings. Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 4-75 Console(config)#sntp poll 60...
  • Page 100: Setting The Time Zone

    Setting the Time Zone SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
  • Page 101: Simple Network Management Protocol

    A network management station can access this information using software such as SMC EliteView. Access to the onboard agent from clients using SNMP v1 and v2c is controlled by community strings. To communicate with the switch, the management station must first submit a valid community string for authentication.
  • Page 102 ONFIGURING THE WITCH reading and writing, which are known as “views.” The switch has a default view (all MIB objects) and default groups defined for security models v1 and v2c. The following table shows the security models and levels available and the system default settings.
  • Page 103: Table 3-4 Snmpv3 Security Models And Levels

    Table 3-4 SNMPv3 Security Models and Levels (columns: Model, Level, Group, Read View, Write View, Notify View, Security). Row 1: Level noAuthNoPriv; Group public (read only); Read View defaultview; Write View none; Notify View none; Security: Community string only. Row 2: Level noAuthNoPriv; Group private (read/write); Read View defaultview; Write View defaultview; Notify View none; Security: Community string only.
  • Page 104: Setting Community Access Strings

    Setting Community Access Strings You may configure up to five community strings authorized for management access. All community strings used for IP Trap Managers should be listed in this table. For security reasons, you should consider removing the default strings. Command Attributes •...
  • Page 105: Specifying Trap Managers And Trap Types

    CLI – The following example adds the string “spiderman” with read/write access.
    Console(config)#snmp-server community spiderman rw   4-139
    Console(config)#
    Specifying Trap Managers and Trap Types Traps indicating status changes are issued by the switch to specified trap managers.
  • Page 106: Enabling Snmp Agent Status

    Web – Click SNMP, Configuration. Fill in the IP address and community string for each trap manager that will receive trap messages, and then click Add. Select the trap types required using the check boxes for Authentication and Link-up/down traps, and then click Apply. Figure 3-24.
  • Page 107: Configuring Snmpv3 Management Access

    Figure 3-25. Enabling SNMP Agent Status Configuring SNMPv3 Management Access To configure SNMPv3 management access to the switch, follow these steps: 1. If you want to change the default engine ID, it must be changed first, before configuring other parameters. 2.
  • Page 108: Figure 3-26. Setting An Engine Id

    A new engine ID can be specified by entering 1 to 26 hexadecimal characters. If fewer than 26 characters are specified, trailing zeroes are added to the value. For example, the value “1234” is equivalent to “1234” followed by 22 zeroes. Because SNMPv3 user authentication and privacy keys are localized to the engine ID, any SNMPv3 users created before the ID is changed must be created again afterwards; this is why the engine ID is set first.
  • Page 109: Specifying A Remote Engine Id

    Specifying a Remote Engine ID To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.
  • Page 110 • Group Name – The name of the SNMP group to which the user is assigned. (Range: 1-32 characters) • Model – The user security model; SNMP v1, v2c or v3. • Level – The security level used for the user: - noAuthNoPriv –...
  • Page 111: Configuring Remote Snmpv3 Users

    Figure 3-28. Configuring SNMPv3 Users Configuring Remote SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view.
  • Page 112 To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.
  • Page 113: Configuring Snmpv3 Groups

    Figure 3-29. Configuring Remote SNMPv3 Users Configuring SNMPv3 Groups An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
  • Page 114: Table 3-5. Supported Notification Messages

    Table 3-5. Supported Notification Messages (Object Label, Object ID, Description)
    RFC 1493 Traps
    • newRoot (1.3.6.1.2.1.17.0.1) – The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its...
  • Page 115 Table 3-5. Supported Notification Messages (Continued) • linkUp (1.3.6.1.6.3.1.1.5.4) – A linkUp trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links left the down state and transitioned into some other state (but not into the notPresent state).
  • Page 116 Table 3-5. Supported Notification Messages (Continued) Private Traps • swPowerStatusChangeTrap (1.3.6.1.4.1.202.20.65.2.1.0.1) – This trap is sent when the power state changes. • swIpFilterRejectTrap (1.3.6.1.4.1.202.20.65.2.1.0.40) – This trap is sent when an incorrect IP address is rejected by the IP Filter. (Have the trap manager alert on swIpFilterRejectTrap: it records management-access attempts from addresses outside the configured filter list.)
  • Page 117: Setting Snmpv3 Views

    Figure 3-30. Configuring SNMPv3 Groups Setting SNMPv3 Views SNMPv3 views are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview” includes access to the entire MIB tree. Command Attributes •...
  • Page 118 • Edit OID Subtrees – Allows you to configure the object identifiers of branches within the MIB tree. Wild cards can be used to mask a specific portion of the OID string. • Type – Indicates if the object identifier of a branch within the MIB tree is included in or excluded from the SNMP view.
  • Page 119: Figure 3-31. Configuring Snmpv3 Views

    Figure 3-31. Configuring SNMPv3 Views
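    The following is an added example, not code from the SMC manual or firmware. It shows how an SNMPv3 agent decides whether an OID is visible through a view built from included and excluded subtrees (the RFC 3415 view-tree-family rule: the longest matching subtree decides), together with the engine-ID padding rule quoted above. The view names, subtrees and masks are constructed for illustration; the bit-mask wildcard format is the RFC 3415 one and is assumed here to be what the switch's “Edit OID Subtrees” wildcard corresponds to.

```python
"""Added example (not SMC code): SNMPv3 view matching per RFC 3415 plus the
engine-ID padding rule. Views, subtrees and masks are constructed."""

from dataclasses import dataclass
from typing import List, Optional


def normalize_engine_id(hex_chars: str, width: int = 26) -> str:
    """Pad a 1..26 hex-digit engine ID with trailing zeros, as the manual
    describes ("1234" becomes "1234" followed by 22 zeros)."""
    h = hex_chars.lower()
    if not 1 <= len(h) <= width or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("engine ID must be 1-%d hexadecimal characters" % width)
    return h.ljust(width, "0")


@dataclass(frozen=True)
class Subtree:
    oid: str           # dotted OID, e.g. "1.3.6.1.2.1"
    included: bool     # True = included in the view, False = excluded
    mask: str = ""     # per-sub-identifier bits: "1" must match, "0" is a wildcard


def _parts(oid: str) -> List[int]:
    return [int(p) for p in oid.strip(".").split(".") if p]


def _matches(entry: Subtree, oid: List[int]) -> bool:
    """An entry matches when the OID is at least as long as the subtree and
    every sub-identifier whose mask bit is 1 is equal. Mask bits beyond the
    end of the given mask count as 1 (RFC 3415, vacmViewTreeFamilyMask)."""
    sub = _parts(entry.oid)
    if len(oid) < len(sub):
        return False
    for i, s in enumerate(sub):
        bit = entry.mask[i] if i < len(entry.mask) else "1"
        if bit == "1" and oid[i] != s:
            return False
    return True


def oid_in_view(view: List[Subtree], oid: str) -> bool:
    """True if the OID is accessible through the view. Of all matching entries
    the most specific one (most sub-identifiers) decides; with no match at
    all the OID is outside the view. (RFC 3415 breaks equal-length ties by
    the lexicographically greater subtree; the views below have no ties.)"""
    target = _parts(oid)
    best: Optional[Subtree] = None
    for entry in view:
        if _matches(entry, target) and (
            best is None or len(_parts(entry.oid)) > len(_parts(best.oid))
        ):
            best = entry
    return best is not None and best.included


# Constructed views. READ_VIEW exposes mib-2 but hides the bridge MIB
# (1.3.6.1.2.1.17), so forwarding tables are not readable. IF3_VIEW uses a
# wildcard on the column position to expose every ifEntry column, but only
# for interface index 3.
READ_VIEW = [Subtree("1.3.6.1.2.1", True), Subtree("1.3.6.1.2.1.17", False)]
IF3_VIEW = [Subtree("1.3.6.1.2.1.2.2.1.0.3", True, "11111111101")]


if __name__ == "__main__":
    print(normalize_engine_id("1234"))
    for view, name in ((READ_VIEW, "READ_VIEW"), (IF3_VIEW, "IF3_VIEW")):
        for oid in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.17.1.1.0",
                    "1.3.6.1.2.1.2.2.1.10.3", "1.3.6.1.2.1.2.2.1.10.4"):
            print(name, oid, oid_in_view(view, oid))
```

    The practical point: an excluded entry only wins because it is more specific than the include it sits under, so when you add an include for a broad subtree, check which longer excludes you still need.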
  • Page 120: User Authentication

    User Authentication You can restrict management access to this switch using the following options: • User Accounts – Manually configure access rights on the switch for specified users. • Authentication Settings – Use remote authentication to configure access rights.
  • Page 121: Figure 3-32. Access Levels

    USER AUTHENTICATION - Password – Specifies the user password. (Range: 0-8 characters plain text, case sensitive) • Change Password – Sets a new password for the specified user name. • Add/Remove – Adds or removes an account from the list. Web – Click Security, User Accounts. To configure a new user account, specify a user name, select the user’s access level, then enter a password and confirm it. Note that the switch accepts passwords of up to only 8 characters, and a length of 0 means an empty password is accepted; use the full 8 characters for local accounts, and prefer RADIUS or TACACS+ (next section) for administrative logons so that password policy is enforced by the server rather than by this limit.
  • Page 122: Configuring Local/Remote Logon Authentication

    Configuring Local/Remote Logon Authentication Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.
  • Page 123 ...control management access via the console port, web browser, or Telnet. • RADIUS and TACACS+ logon authentication assign a specific privilege level for each user name/password pair. The user name, password, and privilege level must be configured on the authentication server.
  • Page 124 Command Attributes • Authentication – Select the authentication, or authentication sequence required: - Local – User authentication is performed only locally by the switch. - Radius – User authentication is performed using a RADIUS server only. - TACACS – User authentication is performed using a TACACS+ server only.
  • Page 125 - Server Port Number – Network (TCP) port of the TACACS+ server used for authentication messages. (Range: 1-65535; Default: 49) - Secret Text String – Shared secret used to authenticate and obfuscate the exchange between the switch and the server; it must match the secret configured on the server. Do not use blank spaces in the string. (Maximum length: 20 characters) Note: The local switch user database has to be set up by manually entering user names and passwords using the CLI.
  • Page 126: Figure 3-33. Authentication Settings

    Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply. Figure 3-33. Authentication Settings
  • Page 127: Configuring Https

    CLI – Specify all the required parameters to enable logon authentication. This example uses RADIUS only; if the server becomes unreachable, nobody can log in over the network, so most deployments list a second method in the sequence.
    Console(config)#authentication login radius   4-97
    Console(config)#radius-server port 181   4-102
    Console(config)#radius-server key green   4-102
    Console(config)#radius-server retransmit 5   4-103
    Console(config)#radius-server timeout 10   4-103
    Console(config)#radius-server 1 host 192.168.1.25   4-101
    Console(config)#end
    Console#show radius-server   4-104
    Remote RADIUS server configuration:
    Global settings:...
  • Page 128: Table 3-6. Https System Support

    • When you start HTTPS, the connection is established in this way: - The client authenticates the server using the server’s digital certificate. - The client and server negotiate a set of security protocols to use for the connection.
  • Page 129: Replacing The Default Secure-Site Certificate

    Figure 3-34. HTTPS Settings CLI – This example enables the HTTP secure server and modifies the port number.
    Console(config)#ip http secure-server   4-42
    Console(config)#ip http secure-port 443   4-44
    Console(config)#
    Replacing the Default Secure-site Certificate When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch. The factory certificate is not issued by an authority your browser trusts, so the browser warns on every connection; replace it as described next, otherwise administrators learn to click through the warning and lose the only means of telling the real switch from a device impersonating it.
  • Page 130 When you have obtained these, place them on your TFTP server, and use the following command at the switch's command-line interface to replace the default (unrecognized) certificate with an authorized one. TFTP provides neither confidentiality nor integrity, so perform the transfer over an isolated management network and delete the files (the certificate and, in particular, its private key) from the TFTP server afterwards.
    Console#copy tftp https-certificate   4-88
    TFTP server ip address: <server ip-address>
    Source certificate file name: <certificate file name>...
  • Page 131: Configuring The Secure Shell

    Configuring the Secure Shell The Berkeley r-commands are remote access tools originally designed for Unix systems; some of them have also been implemented for Microsoft Windows and other environments. These tools, including rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks: they carry passwords and session data in cleartext and trust the client's host address for authentication.
  • Page 132 1. Generate a Host Key Pair – On the SSH Host Key Settings page, create a host public/private key pair. 2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch.
  • Page 133 3. Import Client’s Public Key to the Switch – Use the copy tftp public-key command (page 4-88) to copy a file containing the public keys of all the SSH clients granted management access to the switch. (Note that these clients must be configured locally on the switch via the User Accounts page as described on page 3-66.) The clients are subsequently authenticated using these keys.
  • Page 134: Configuring The Ssh Server

    ONFIGURING THE WITCH connection or manually entered into the known host file. However, you do not need to configure the client’s keys. 2. The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
  • Page 135: Generating The Host Key Pair

    Figure 3-35. SSH Server Settings CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SSH, and then disables this connection.
    Console(config)#ip ssh server   4-49
    Console(config)#ip ssh timeout 100   4-50...
  • Page 136 Field Attributes • Public-Key of Host-Key – The public key for the host. - RSA (Version 1): The first field indicates the size of the host key (e.g., 1024), the second field is the encoded public exponent (e.g., 65537), and the last string is the encoded modulus. (The “Version 1” key serves SSH protocol version 1, which has known cryptographic weaknesses; connect with version 2 clients only and, if the firmware lets you restrict the server to version 2, do so.)
  • Page 137: Figure 3-36. Ssh Host-Key Settings

    Figure 3-36. SSH Host-Key Settings CLI – This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then displays the host’s public keys.
    Console#ip ssh crypto host-key generate   4-49
    Console#ip ssh save host-key   4-49
    Console#show public-key host...
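    The following is an added example, not the switch's code. Step 2 above relies on the client trusting the switch's host key at first connection; the defence against a host impersonating the switch is to compare the fingerprint the client shows with one derived from the key read off the console. This code parses a host-key line in the “size exponent modulus” form the field description gives, checks that the declared size matches the modulus, re-encodes the key in the OpenSSH ssh-rsa wire format and derives the SHA256 and MD5 fingerprints OpenSSH clients display. The modulus used is a constructed odd number of the right size, not a real RSA key.

```python
"""Added example (not SMC code): fingerprint an RSA host key given as
"<bits> <exponent> <modulus>" so it can be checked against an SSH client's
first-connection prompt. The key line is constructed, not a real key."""

import base64
import hashlib
import hmac
from typing import Tuple


def _mpint(n: int) -> bytes:
    """RFC 4251 mpint: big-endian, length-prefixed, with a leading 0x00 when
    the top bit is set so the value is not read as negative."""
    if n == 0:
        return b"\x00\x00\x00\x00"
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return len(raw).to_bytes(4, "big") + raw


def _string(s: bytes) -> bytes:
    return len(s).to_bytes(4, "big") + s


def parse_ssh1_rsa_line(line: str) -> Tuple[int, int, int]:
    """Parse "<bits> <exponent> <modulus>" and sanity-check the values."""
    bits, e, n = (int(x) for x in line.split()[:3])
    if n.bit_length() != bits:
        raise ValueError("declared size %d does not match modulus (%d bits)"
                         % (bits, n.bit_length()))
    if e < 3 or e % 2 == 0:
        raise ValueError("implausible public exponent %d" % e)
    return bits, e, n


def openssh_rsa_blob(e: int, n: int) -> bytes:
    """The ssh-rsa public key blob (RFC 4253): string "ssh-rsa", mpint e, mpint n."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def fingerprints(blob: bytes) -> Tuple[str, str]:
    """OpenSSH-style fingerprints: SHA256 (base64, no padding) and legacy MD5."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return "SHA256:" + sha, "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2))


def fingerprint_matches(expected: str, shown: str) -> bool:
    """Constant-time comparison of the console-derived fingerprint with the
    one the client displays."""
    return hmac.compare_digest(expected.encode(), shown.encode())


# Constructed host-key line: 1024-bit modulus with the top bit set, e = 65537.
CONSTRUCTED_HOST_KEY_LINE = "1024 65537 %d" % ((1 << 1023) + 12345)


def host_key_fingerprints(line: str = CONSTRUCTED_HOST_KEY_LINE) -> Tuple[str, str]:
    _, e, n = parse_ssh1_rsa_line(line)
    return fingerprints(openssh_rsa_blob(e, n))


if __name__ == "__main__":
    sha_fp, md5_fp = host_key_fingerprints()
    print(sha_fp)
    print(md5_fp)
```

    Record the SHA256 value from the console session when the key pair is generated; when a client later warns that the host key is unknown, or has changed, the comparison above is the check that decides whether to proceed.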
  • Page 138: Configuring Port Security

    Configuring Port Security Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
  • Page 139 • If a port is disabled (shut down) due to a security violation, it must be manually re-enabled from the Port/Port Configuration page (page 3-111). Command Attributes • Port – Port number. • Name – Descriptive text (page 4-157). •...
  • Page 140: Configuring 802.1X Port Authentication

    Figure 3-37. Configuring Port Security CLI – This example selects the target port, sets the port security action to send a trap and disable the port, sets the maximum number of MAC addresses allowed on the port, and then enables port security for the port.
    Console(config)#interface ethernet 1/5
    Console(config-if)#port security action trap-and-shutdown   4-108...
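    The following is an added example, not SMC code: a model of the port-security behaviour described above. The port learns source MAC addresses until the configured maximum; a frame from a further, unknown address is a violation and triggers the configured action (none, trap, shutdown or trap-and-shutdown), and a port shut down by a violation stays down until an administrator re-enables it, as the page states. Two points are assumptions of this model rather than statements on this page: frames from unlearned addresses on a full port are dropped rather than forwarded, and the learned table survives the re-enable. The frames are constructed.

```python
"""Added example (not SMC code): port-security state for one switch port.
Frames, port names and MAC addresses are constructed."""

from dataclasses import dataclass, field
from typing import List, Set

ACTIONS = ("none", "trap", "shutdown", "trap-and-shutdown")


@dataclass
class SecurePort:
    name: str
    max_macs: int
    action: str = "trap-and-shutdown"
    enabled: bool = True                       # False once shut down by a violation
    learned: Set[str] = field(default_factory=set)
    traps: List[str] = field(default_factory=list)
    violations: int = 0

    def __post_init__(self) -> None:
        if self.action not in ACTIONS:
            raise ValueError("action must be one of %s" % (ACTIONS,))
        if self.max_macs < 1:
            raise ValueError("max_macs must be at least 1")

    def ingress(self, src_mac: str) -> str:
        """Handle one frame; returns 'forward', 'drop' or 'port-down'."""
        mac = src_mac.lower()
        if not self.enabled:
            return "port-down"
        if mac in self.learned:
            return "forward"
        if len(self.learned) < self.max_macs:
            self.learned.add(mac)             # still learning: accept and remember
            return "forward"
        # Address limit reached and this MAC is unknown: security violation.
        self.violations += 1
        if self.action in ("trap", "trap-and-shutdown"):
            self.traps.append("port-security violation on %s from %s" % (self.name, mac))
        if self.action in ("shutdown", "trap-and-shutdown"):
            self.enabled = False              # stays down until admin_enable()
            return "port-down"
        return "drop"                         # assumed: unknown MAC on a full port is dropped

    def admin_enable(self) -> None:
        """Manual re-enable from the Port Configuration page; learned table
        is assumed to be kept."""
        self.enabled = True


def run_sequence(port: SecurePort, macs: List[str]) -> List[str]:
    """Feed a constructed sequence of source MACs and collect each outcome."""
    return [port.ingress(m) for m in macs]


if __name__ == "__main__":
    p = SecurePort("eth 1/5", max_macs=2)     # the manual's example port
    print(run_sequence(p, ["00-11-22-33-44-01", "00-11-22-33-44-02",
                           "00-11-22-33-44-01", "00-11-22-33-44-99"]))
    print(p.enabled, p.traps)
```

    The choice between “trap” and “trap-and-shutdown” is the practical one: with “trap” the rogue device is kept off the network but the legitimate devices keep working, while “shutdown” also turns a single spoofed frame into a denial of service for everything on that port.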
  • Page 141: Authentication Radius Server

    This switch uses the Extensible Authentication Protocol over LANs (EAPOL) to exchange authentication messages with the 802.1X client, and a RADIUS authentication server to verify the client’s credentials. (Figure: 802.1X client, switch, RADIUS authentication server.) 1. Client attempts to access a switch port. 2. Switch sends client an identity request. 3. Client sends back identity information. 4. Switch forwards this to authentication server. 5.
  • Page 142: Displaying 802.1X Global Settings

    ONFIGURING THE WITCH • The RADIUS server and 802.1X client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.) • The RADIUS server and client also have to support the same EAP authentication type –...
  • Page 143: Configuring 802.1X Global Settings

    CLI – This example shows the default global setting for 802.1X.
    Console#show dot1x   4-118
    Global 802.1X Parameters
     system-auth-control: enable
    802.1X Port Summary
    Port  Name  Status    Operation Mode  Mode             Authorized
                disabled  Single-Host     ForceAuthorized
                disabled  Single-Host     ForceAuthorized
    802.1X Port Details
    802.1X is disabled on port 1/1
    802.1X is disabled on port 1/52
    Console#
    Configuring 802.1X Global Settings...
  • Page 144: Configuring Port Settings For 802.1X

    CLI – This example enables 802.1X globally for the switch.
    Console(config)#dot1x system-auth-control   4-111
    Console(config)#
    Configuring Port Settings for 802.1X When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and authentication server.
  • Page 145: Figure 3-40. 802.1X Port Configuration

    • Max-Req – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session. (Range: 1-10; Default: 2) • Quiet Period – Sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client.
  • Page 146 CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 4-118.
  • Page 147
    Console(config)#interface ethernet 1/2   4-156
    Console(config-if)#dot1x port-control auto   4-112
    Console(config-if)#dot1x re-authentication   4-114
    Console(config-if)#dot1x max-req 5   4-111
    Console(config-if)#dot1x timeout quiet-period 30   4-115
    Console(config-if)#dot1x timeout re-authperiod 1800   4-116
    Console(config-if)#dot1x timeout tx-period 40   4-116
    Console(config-if)#exit
    Console(config)#exit
    Console#show dot1x   4-118
    Global 802.1X Parameters
     system-auth-control: enable
    802.1X Port Summary
    Port  Name  Status...
  • Page 148: Displaying 802.1X Statistics

    Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port. Table 3-7. 802.1X Statistics (Parameter – Description) • Rx EAPOL Start – The number of EAPOL Start frames that have been received by this Authenticator. • Rx EAPOL Logoff – The number of EAPOL Logoff frames that have been received...
  • Page 149: Figure 3-41. Displaying 802.1X Port Statistics

    Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics. Figure 3-41. Displaying 802.1X Port Statistics CLI – This example displays the 802.1X statistics for port 4.
    Console#show dot1x statistics interface ethernet 1/4   4-118
    Eth 1/4 Rx: EAPOL...
  • Page 150: Access Control Lists

    Access Control Lists Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, and then bind the list to a specific port.
  • Page 151: Setting The Acl Name And Type

    ACCESS CONTROL LISTS 3. Explicit default rule (permit any any) in the ingress IP ACL for ingress ports. 4. If no explicit rule is matched, the implicit default is permit all. Because the fall-through is permit, a list meant to allow only specific sources must end with an explicit deny rule that matches everything; without it, traffic that matches no rule is forwarded. Setting the ACL Name and Type Use the ACL Configuration page to designate the name and type of an ACL.
  • Page 152: Configuring A Standard Ip Acl

    Web – Select Security, ACL, Configuration. Enter an ACL name in the Name field, select the list type (IP Standard, IP Extended, or MAC), and click Add to open the configuration page for the new list. Figure 3-42. Selecting ACL Type CLI –...
  • Page 153: Figure 3-43. Configuring Standard Ip Acls

    ...specified source IP address, and compared with the address for each IP packet entering the port(s) to which this ACL has been assigned. Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,”...
  • Page 154: Configuring An Extended Ip Acl

    Configuring an Extended IP ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source/Destination Address Type – Specifies the source or destination IP address. Use “Any” to include all possible addresses, “Host”...
  • Page 155 - 1 (fin) – Finish - 2 (syn) – Synchronize - 4 (rst) – Reset - 8 (psh) – Push - 16 (ack) – Acknowledgement - 32 (urg) – Urgent pointer For example, use the code value and mask below to catch packets with the following flags set: - SYN flag valid: use control-code 2, control bitmask 2 - Both SYN and ACK valid: use control-code 18, control bitmask 18...
  • Page 156: Figure 3-44. Configuring Extended Ip Acls

    Figure 3-44. Configuring Extended IP ACLs CLI – This example adds two rules: (1) Accept any incoming packets if the source address is in subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 &...
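    The following is an added example, not the switch's code: an evaluator for the ingress IP ACL rules described in the ACL sections above. It uses the manual's two conventions: a subnet mask rather than a wildcard mask, so a rule matches when (rule address & mask) == (packet address & mask), and a TCP control code with a bitmask, so a rule matches when (packet flags & bitmask) == code. It assumes rules are evaluated in the order listed with the first match winning, and falls through to the implicit “permit all” default the page states. The rule sets and packets are constructed; the second rule set goes beyond the page's SYN example by using the bitmask to deny new Telnet connections while letting established flows through.

```python
"""Added example (not SMC code): ingress IP ACL evaluation with the manual's
subnet-mask and TCP control-code/bitmask conventions. Rules and packets are
constructed."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional

TCP_FLAGS = {"fin": 1, "syn": 2, "rst": 4, "psh": 8, "ack": 16, "urg": 32}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp", ...
    sport: int = 0
    dport: int = 0
    flags: int = 0               # sum of TCP_FLAGS values, e.g. SYN+ACK = 18


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0"         # "Any" == address 0.0.0.0 with mask 0.0.0.0
    src_mask: str = "0.0.0.0"    # "Host" == mask 255.255.255.255
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    control_code: Optional[int] = None   # TCP control code (extended IP ACL only)
    control_mask: int = 0                # which flag bits are compared


def _masked_equal(rule_addr: str, mask: str, pkt_addr: str) -> bool:
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(rule_addr)) & m) == (int(ipaddress.IPv4Address(pkt_addr)) & m)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not _masked_equal(rule.src, rule.src_mask, pkt.src):
        return False
    if not _masked_equal(rule.dst, rule.dst_mask, pkt.dst):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.control_code is not None:
        if pkt.proto != "tcp":
            return False
        if (pkt.flags & rule.control_mask) != rule.control_code:
            return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Return "permit" or "deny" for a packet entering a port bound to this ACL."""
    for rule in acl:                           # assumed: first match wins
        if rule_matches(rule, pkt):
            return rule.action
    return "permit"                            # implicit default stated in the manual


# Constructed rule sets.
# 1) An allow-list for subnet 10.7.1.x. Because of the implicit permit it only
#    works as an allow-list with the explicit final "deny any any".
SUBNET_ALLOWLIST = [Rule("permit", "10.7.1.0", "255.255.255.0"), Rule("deny")]
SUBNET_ALLOWLIST_NO_FINAL_DENY = SUBNET_ALLOWLIST[:1]

# 2) Only one management host may open Telnet (TCP/23) sessions: permit its
#    traffic, then deny connection attempts (SYN set, ACK clear: code 2,
#    bitmask 18) from everyone else. Segments of established flows still pass.
TELNET_ACL = [
    Rule("permit", "10.7.1.2", "255.255.255.255", proto="tcp", dport=23),
    Rule("deny", proto="tcp", dport=23, control_code=TCP_FLAGS["syn"],
         control_mask=TCP_FLAGS["syn"] | TCP_FLAGS["ack"]),
]


if __name__ == "__main__":
    pkt = Packet("192.168.5.5", "10.0.0.1", "udp", 5000, 161)
    print("with final deny:", evaluate(SUBNET_ALLOWLIST, pkt))
    print("without final deny:", evaluate(SUBNET_ALLOWLIST_NO_FINAL_DENY, pkt))
    syn = Packet("172.16.0.9", "10.0.0.1", "tcp", 40000, 23, TCP_FLAGS["syn"])
    print("telnet SYN from stranger:", evaluate(TELNET_ACL, syn))
```

    Note the mask direction: on this switch 255.255.255.0 selects a /24, the opposite of the Cisco-style wildcard mask, and a rule entered with the wrong convention silently matches far more, or far less, than intended.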
  • Page 157: Configuring A Mac Acl

    Configuring a MAC ACL Command Attributes • Action – An ACL can contain any combination of permit or deny rules. • Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC”...
  • Page 158: Binding A Port To An Access Control List

    Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range.
  • Page 159: Figure 3-46. Configuring Acl Port Binding

    • This switch supports ACLs for ingress filtering only, and only one IP ACL can be bound to a given port for ingress filtering (the Ingress IP ACL). Command Attributes •...
  • Page 160: Filtering Ip Addresses For Management Access

    CLI – This example binds the IP access list named “david” to port 1 and to port 3.
    Console(config)#interface ethernet 1/1   4-156
    Console(config-if)#ip access-group david in   4-128
    Console(config-if)#exit
    Console(config)#interface ethernet 1/3
    Console(config-if)#ip access-group david in
    Console(config-if)#
    Filtering IP Addresses for Management Access You create a list of up to 16 IP addresses or IP address groups that are...
  • Page 161 Command Attributes • Web IP Filter – Configures IP address(es) for the web group. • SNMP IP Filter – Configures IP address(es) for the SNMP group. • Telnet IP Filter – Configures IP address(es) for the Telnet group. •...
  • Page 162: Port Configuration

    Figure 3-47. Creating an IP Filter List CLI – This example allows SNMP access for a specific client.
    Console(config)#management snmp-client 10.1.2.3   4-38
    Console(config)#end
    Console#show management all-client
    Management IP Filter
    HTTP-Client:
      Start IP address  End IP address
      -----------------------------------------------
    SNMP-Client:
      Start IP address  End IP address...
  • Page 163: Figure 3-48. Displaying Port/Trunk Information

    PORT CONFIGURATION • Media Type – Media type used for the combo ports. (Options: Copper-Forced, SFP-Forced, or SFP-Preferred-Auto; Default: SFP-Preferred-Auto) • Trunk Member – Shows if the port is a trunk member. • Creation – Shows if a trunk is manually configured or dynamically set via LACP.
  • Page 164 • MAC address – The physical layer address for this port. (To access this item on the web, see “Setting the Switch’s IP Address” on page 3-19.) Configuration: • Name – Interface label. • Port admin – Shows if the interface is enabled or disabled (i.e., up or down).
  • Page 165: Configuring Interface Connections

    Current Status: • Link Status – Indicates if the link is up or down. • Port Operation Status – Provides detailed information on port state. (Displayed only when the link is up.) • Operation speed-duplex – Shows the current speed and duplex mode.
  • Page 166 • Admin – Allows you to manually disable an interface. You can disable an interface due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved. You may also disable an interface for security reasons. •...
  • Page 167: Figure 3-49. Port/Trunk Configuration

    Web – Click Port, Port Configuration or Trunk Configuration. Modify the required interface settings, and click Apply. Figure 3-49. Port/Trunk Configuration CLI – Select the interface, and then enter the required settings.
    Console(config)#interface ethernet 1/13   4-156
    Console(config-if)#description RD SW#13   4-157
    Console(config-if)#shutdown   4-163...
  • Page 168: Creating Trunk Groups

    Creating Trunk Groups You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices.
  • Page 169: Statically Configuring A Trunk

    • When configuring static trunks on switches of different types, they must be compatible with the Cisco EtherChannel standard. • The ports at both ends of a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings.
  • Page 170: Figure 3-50. Configuring Static Trunks

    Web – Click Port, Trunk Membership. Enter a trunk ID of 1-8 in the Trunk field, select any of the switch ports from the scroll-down port list, and click Add. After you have completed adding ports to the member list, click Apply.
  • Page 171: Enabling Lacp On Selected Ports

    CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk.
    Console(config)#interface port-channel 2   4-156
    Console(config-if)#exit
    Console(config)#interface ethernet 1/1   4-156
    Console(config-if)#channel-group 2   4-176
    Console(config-if)#exit
    Console(config)#interface ethernet 1/2...
  • Page 172: Figure 3-51. Lacp Trunk Configuration

    • If more than eight ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails. • All ports on both ends of an LACP trunk must be configured for full duplex, and auto-negotiation.
  • Page 173: Configuring Lacp Parameters

    CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk.
    Console(config)#interface ethernet 1/1   4-156
    Console(config-if)#lacp   4-177
    Console(config-if)#exit
    ...
    Console(config)#interface ethernet 1/6
    Console(config-if)#lacp
    Console(config-if)#end
    Console#show interfaces status port-channel 1   4-165
    Information of Trunk 1...
  • Page 174 ...the same value as the port admin key used by the interfaces that joined the group (lacp admin key, as described in this section and on page 4-180). Command Attributes Set Port Actor – This menu sets the local side of an aggregate link; i.e., the ports on this switch.
  • Page 175: Figure 3-52. Lacp Port Configuration

    ...the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply. Figure 3-52. LACP Port Configuration
  • Page 176: Displaying Lacp Port Counters

    CLI – The following example configures LACP parameters for ports 1-4. Ports 1-4 are used as active members of the LAG.
    Console(config)#interface ethernet 1/1   4-156
    Console(config-if)#lacp actor system-priority 3   4-179
    Console(config-if)#lacp actor admin-key 120   4-180
    Console(config-if)#lacp actor port-priority 128   4-181
    Console(config-if)#exit
    ...
    Console(config)#interface ethernet 1/4...
  • Page 177: Figure 3-53. Lacp - Port Counters Information

    Table 3-8. LACP Port Counters (Continued) (Field – Description) • Marker Sent – Number of valid Marker PDUs transmitted from this channel group. • Marker Received – Number of valid Marker PDUs received by this channel group. • Marker Unknown Pkts – Number of frames received that either (1) carry the Slow Protocols Ethernet Type value but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC address but do not carry the Slow Protocols Ethernet Type.
  • Page 178: Displaying Lacp Settings And Status For The Local Side

    CLI – The following example displays LACP counters.
    Console#show lacp counters   4-182
    Port channel : 1
    -------------------------------------------------------------------------
    Eth 1/ 1
    -------------------------------------------------------------------------
    LACPDUs Sent:            LACPDUs Receive:
    Marker Sent:             Marker Receive:
    LACPDUs Unknown Pkts: 0  LACPDUs Illegal Pkts: 0
    Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the local side of a link aggregation.
  • Page 179 Table 3-9. LACP Internal Configuration Information (Continued) (Field – Description) • LACP Port Priority – LACP port priority assigned to this interface within the channel group. • Admin State, Oper State – Administrative or operational values of the actor’s state parameters: • Expired – The actor’s receive machine is in the expired state; •...
  • Page 180: Figure 3-54. Lacp - Port Internal Information

    Figure 3-54. LACP - Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1.
    Console#show lacp 1 internal   4-182
    Port channel : 1
    -------------------------------------------------------------------------
    Oper Key : 120
    Admin Key : 0...
  • Page 181: Displaying Lacp Settings And Status For The Remote Side

    Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of a link aggregation. Table 3-10. LACP Neighbor Configuration Information (Field – Description) • Partner Admin System – LAG partner’s system ID assigned by the user. • Partner Oper System – LAG partner’s system ID assigned by the LACP protocol.
  • Page 182: Figure 3-55. Lacp - Port Neighbors Information

    Figure 3-55. LACP - Port Neighbors Information CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1.
    Console#show lacp 1 neighbors   4-182
    Port channel 1 neighbors
    -------------------------------------------------------------------------
    Eth 1/1
    -------------------------------------------------------------------------...
  • Page 183: Setting Broadcast Storm Thresholds

    Setting Broadcast Storm Thresholds Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much broadcast traffic on your network, performance can be severely degraded or everything can come to a complete halt.
  • Page 184: Figure 3-56. Port Broadcast Control

    Figure 3-56. Port Broadcast Control CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 500 kilobits per second for port 2.
    Console(config)#interface ethernet 1/1   4-156
    Console(config-if)#no switchport broadcast...
  • Page 185: Configuring Port Mirroring

    Configuring Port Mirroring You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner. (Figure: a single source port mirrored to a target port.)
  • Page 186: Configuring Rate Limits

    Figure 3-57. Mirror Port Configuration CLI – Use the interface command to select the monitor port, then use the port monitor command to specify the source port and traffic type.
    Console(config)#interface ethernet 1/10   4-156
    Console(config-if)#port monitor ethernet 1/13 tx   4-170
    Console(config-if)#
    Configuring Rate Limits...
  • Page 187: Figure 3-58. Input Rate Limit Port Configuration

    Command Usage • Input and output rate limits can be enabled or disabled for individual interfaces. Command Attributes • Port/Trunk – Displays the port/trunk number. • Input/Output Rate Limit Status – Enables or disables the rate limit. (Default: Enabled) •...
  • Page 188: Showing Port Statistics

    Showing Port Statistics You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port. This information can be used to identify potential problems with the switch (such as a faulty port or unusually heavy loading).
  • Page 189 Table 3-11. Port Statistics (Continued) (Parameter – Description) • Received Errors – The number of inbound packets that contained errors preventing them from being deliverable to a higher-layer protocol. • Transmit Octets – The total number of octets transmitted out of the interface, including framing characters. • Transmit Unicast Packets – The total number of packets that higher-level protocols requested be transmitted to a subnetwork-unicast address,...
  • Page 190 Table 3-11. Port Statistics (Continued) Excessive Collisions – A count of frames for which transmission on a particular interface fails due to excessive collisions. This counter does not increment when the interface is operating in full-duplex mode.
  • Page 191 Table 3-11. Port Statistics (Continued) Received Frames – The total number of frames (bad, broadcast and multicast) received. Broadcast Frames – The total number of good frames received that were directed to the broadcast address. Note that this does not include multicast packets.
  • Page 192: Figure 3-59. Port Statistics

    Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen.
    Figure 3-59. Port Statistics
  • Page 193: Power Over Ethernet Settings

    CLI – This example shows statistics for port 13.
        Console#show interfaces counters ethernet 1/13               4-166
        Ethernet 1/13
          Iftable stats:
            Octets input: 868453, Octets output: 3492122
            Unicast input: 7315, Unitcast output: 6658
            Discard input: 0, Discard output: 0
            Error input: 0, Error output: 0
            Unknown protos input: 0, QLen output: 0
          Extended iftable stats:...
  • Page 194: Switch Power Status

    the power required by a device exceeds the power budget of the port or the whole switch, power is not supplied. Ports can be set to one of three power priority levels, critical, high, or low. To control the power supply within the switch’s budget, ports set at critical or high priority have power enabled in preference to those ports set at low priority.
  • Page 195: Setting A Switch Power Budget

    Web – Click PoE, Power Status.
    Figure 3-60 Displaying the Global PoE Status
    CLI – This example displays the current power status for the switch.
        Console#show power mainpower                                 4-96
        Unit 1 Mainpower Status
          Maximum Available Power : 375 watts
          System Operation Status : on
          Mainpower Consumption   : 0 watts...
  • Page 196: Displaying Port Power Status

    Web – Click PoE, Power Config. Specify the desired power budget for the switch. Click Apply.
    Figure 3-61 Setting the Switch Power Budget
    CLI – Use the power mainpower maximum allocation command to set the PoE power budget for the switch.
        Console(config)#power mainpower maximum allocation 200       4-91
        Console(config)#...
  • Page 197: Configuring Port PoE Power

    Web – Click PoE, Power Port Status.
    Figure 3-62 Displaying Port PoE Status
    CLI – This example displays the PoE status and priority of port 1.
        Console#show power inline status                             4-95
        Interface  Admin    Oper  Power(mWatt)  Power(used)   Priority
        ---------- -------  ----  ------------  ------------  --------
        1/ 1       enable...
  • Page 198: Figure 3-63 Configuring Port PoE Power

    • If a device is connected to a critical or high-priority port and causes the switch to exceed its budget, port power is turned on, but the switch drops power to one or more lower-priority ports.
    Note: Power is dropped from low-priority ports in sequence starting from port number 1.
  • Page 199: Address Table Settings

    CLI – This example sets the PoE power budget for port 1 to 8 watts, the priority to high (2), and then enables the power.
        Console(config)#interface ethernet 1/1                       4-171
        Console(config-if)#power inline maximum allocation 8000      4-93
        Console(config-if)#power inline priority 2                   4-94
        Console(config-if)#power inline auto                         4-93...
  • Page 200: Displaying The Address Table

    Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address.
    Figure 3-64. Configuring a Static Address Table
    CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.
  • Page 201: Figure 3-65. Configuring A Dynamic Address Table

    • MAC Address – Physical address associated with this interface.
    • VLAN – ID of configured VLAN (1-4094).
    • Address Table Sort Key – You can sort the information displayed based on MAC address, VLAN or interface (port or trunk).
    •...
  • Page 202 CLI – This example also displays the address table entries for port 1.
        Console#show mac-address-table interface ethernet 1/1        4-190
        Interface  Mac Address        Vlan  Type
        ---------  -----------------  ----  -----------------
        Eth 1/ 1   00-12-CF-48-82-93  1     Delete-on-reset
        Eth 1/ 1   00-12-CF-94-34-DE  2     Learned
        Console#
  • Page 203: Changing The Aging Time

    Changing the Aging Time
    You can set the aging time for entries in the dynamic address table.
    Command Attributes
    • Aging Status – Enables/disables the function.
    • Aging Time – The time after which a learned entry is discarded. (Range: 10-630 seconds;...
  • Page 204 The spanning tree algorithms supported by this switch include these versions:
    • STP – Spanning Tree Protocol (IEEE 802.1D)
    • RSTP – Rapid Spanning Tree Protocol (IEEE 802.1w)
    • MSTP – Multiple Spanning Tree Protocol (IEEE 802.1s)
    Note: MSTP is not supported in the current software.
  • Page 205: Displaying Global Settings

    RSTP is designed as a general replacement for the slower, legacy STP. RSTP is also incorporated into MSTP. RSTP achieves much faster reconfiguration (i.e., around 1 to 3 seconds, compared to 30 seconds or more for STP) by reducing the number of state changes before active ports start learning, predefining an alternate route that can be used when a node or port fails, and retaining the forwarding database for ports insensitive to changes in the tree structure when reconfiguration occurs.
  • Page 206 designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network. (References to “ports” in this section mean “interfaces,” which includes both ports and trunks.) •...
  • Page 207 • Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
  • Page 208: Figure 3-67. Displaying Spanning Tree Information

    Web – Click Spanning Tree, STA, Information.
    Figure 3-67. Displaying Spanning Tree Information
    CLI – This command displays global STA settings, followed by settings for each port.
        Console#show spanning-tree                                   4-214
        Spanning-tree information
        ---------------------------------------------------------------
          Spanning tree mode: RSTP
          Spanning tree enabled/disabled: enabled
          Priority:...
  • Page 209: Configuring Global Settings

    Configuring Global Settings
    Global settings apply to the entire switch.
    Command Usage
    • Spanning Tree Protocol – Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
  • Page 210 - A spanning tree instance can exist only on bridges that have compatible VLAN instance assignments. - Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic.
  • Page 211 - Maximum: The lower of 10 or [(Max. Message Age / 2) - 1] • Maximum Age – The maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals.
  • Page 212 • Transmission Limit – The maximum transmission rate for BPDUs is specified by setting the minimum interval between the transmission of consecutive protocol messages. (Range: 1-10; Default: 3) Configuration Settings for MSTP • Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned.
  • Page 213: Figure 3-68. Configuring Spanning Tree

    Figure 3-68. Configuring Spanning Tree
    CLI – This example enables Spanning Tree Protocol, sets the mode to RSTP, and then configures the STA and RSTP parameters.
        Console(config)#spanning-tree                                4-194
        Console(config)#spanning-tree mode rstp                      4-195
        Console(config)#spanning-tree priority 45056                 4-199
        Console(config)#spanning-tree hello-time 5                   4-197
        Console(config)#spanning-tree max-age 38                     4-198...
  • Page 214: Displaying Interface Settings

    Displaying Interface Settings
    The STA Port Information and STA Trunk Information pages display the current status of ports and trunks in the Spanning Tree.
    Field Attributes
    • Spanning Tree – Shows if STA has been enabled on this interface.
    •...
  • Page 215 • Designated Port – The port priority and number of the port on the designated bridging device through which this switch must communicate with the root of the Spanning Tree. • Oper Link Type – The operational point-to-point status of the LAN segment attached to this interface.
  • Page 216 Backup port receives more useful BPDUs from the same bridge and is therefore not selected as the designated port. • Trunk Member – Indicates if a port is a member of a trunk. (STA Port Information only) These additional parameters are only displayed for the CLI: •...
  • Page 217: Figure 3-69. Displaying Spanning Tree Port Information

    • Admin Edge Port – You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state.
  • Page 218: Configuring Interface Settings

        Console#show spanning-tree ethernet 1/5                      4-214
        1/ 5 information
        --------------------------------------------------------------
          Admin status: enabled
          Role: disable
          State: discarding
          Path cost: 10000
          Priority:
          Designated cost:
          Designated port: 128.5
          Designated root: 32768.0012CF0B0D00
          Designated bridge: 32768.0012CF0B0D00
          Fast forwarding: disabled
          Forward transitions:
          Admin edge port: disabled
          Oper edge port:...
  • Page 219 - Forwarding – Port forwards packets, and continues learning addresses. • Trunk – Indicates if a port is a member of a trunk. (STA Port Configuration only) The following interface attributes can be configured: • Spanning Tree – Enables/disables STA on this interface. (Default: Enabled)
  • Page 220 • Admin Link Type – The link type attached to this interface. - Point-to-Point – A connection to exactly one other bridge. - Shared – A connection to two or more bridges. - Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared media.
  • Page 221: Configuring Multiple Spanning Trees

    Figure 3-70. Configuring Spanning Tree per Port
    CLI – This example sets STA attributes for port 7.
        Console(config)#interface ethernet 1/7                       4-156
        Console(config-if)#spanning-tree port-priority 0             4-207
        Console(config-if)#spanning-tree cost 50                     4-206
        Console(config-if)#spanning-tree link-type auto              4-210
        Console(config-if)#no spanning-tree edge-port                4-208
        Console(config-if)#
    Configuring Multiple Spanning Trees
    MSTP generates a unique spanning tree for each instance.
  • Page 222 1. Set the spanning tree type to MSTP (STA Configuration, page 3-130). 2. Enter the spanning tree priority for the selected MST instance (MSTP VLAN Configuration). 3. Add the VLANs that will share this MSTI (MSTP VLAN Configuration). Note: All VLANs are automatically added to the IST (Instance 0).
  • Page 223: Figure 3-71. Configuring Multiple Spanning Trees

    Figure 3-71. Configuring Multiple Spanning Trees
    CLI – This example sets the priority for MSTI 1, and adds VLANs 1-5 to this MSTI.
        Console(config)#spanning-tree mst-configuration
        Console(config-mst)#mst 1 priority 4096
        Console(config-mstp)#mst 1 vlan 1-5
        Console(config-mst)#
    CLI – This example sets STA attributes for port 1, followed by settings for each port.
  • Page 224: Displaying Interface Settings For MSTP

        Console#show spanning-tree mst 2
        Spanning-tree information
        ---------------------------------------------------------------
          Spanning tree mode            :MSTP
          Spanning tree enable/disable  :enable
          Instance                      :2
          Vlans configuration           :2
          Priority                      :4096
          Bridge Hello Time (sec.)      :2
          Bridge Max Age (sec.)         :20
          Bridge Forward Delay (sec.)   :15
          Root Hello Time (sec.)        :2
          Root Max Age (sec.)           :20
          Root Forward Delay (sec.)     :15...
  • Page 225: Figure 3-72. Displaying MSTP Interface Settings

    Web – Click Spanning Tree, MSTP, Port or Trunk Information. Select the required MST instance to display the current spanning tree values.
    Figure 3-72. Displaying MSTP Interface Settings
    CLI – This displays STA settings for instance 0, followed by settings for each port.
  • Page 226: Configuring Interface Settings For MSTP

        Console#show spanning-tree mst 0                             4-231
        Spanning-tree information
        ---------------------------------------------------------------
          Spanning tree mode            :MSTP
          Spanning tree enable/disable  :enable
          Instance                      :0
          Vlans configuration           :1-4094
          Priority                      :32768
          Bridge Hello Time (sec.)      :2
          Bridge Max Age (sec.)         :20
          Bridge Forward Delay (sec.)   :15
          Root Hello Time (sec.)        :2
          Root Max Age (sec.)           :20
          Root Forward Delay (sec.)     :15...
  • Page 227 • STA State – Displays current state of this port within the Spanning Tree. (See “Displaying Interface Settings” on page 3-160 for additional information.) - Discarding – Port receives STA configuration messages, but does not forward packets. - Learning –...
  • Page 228: Figure 3-73. Displaying MSTP Interface Settings

    - Range –
      - Ethernet: 200,000-20,000,000
      - Fast Ethernet: 20,000-2,000,000
      - Gigabit Ethernet: 2,000-200,000
    • Default –
      - Ethernet – Half duplex: 2,000,000; full duplex: 1,000,000; trunk: 500,000
      - Fast Ethernet – Half duplex: 200,000; full duplex: 100,000; trunk: 50,000
      - Gigabit Ethernet –...
  • Page 229: VLAN Configuration

    VLAN Configuration
    IEEE 802.1Q VLANs
    In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains. This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains.
  • Page 230 • Priority tagging Assigning Ports to VLANs Before enabling VLANs for the switch, you must first assign each port to the VLAN group(s) in which it will participate. By default all ports are assigned to VLAN 1 as untagged ports. Add a port as a tagged port if you want it to carry traffic for one or more VLANs, and any intermediate network devices or the host at the other end of the connection supports VLANs.
  • Page 231 Port Overlapping – Port overlapping can be used to allow access to commonly shared network resources among different VLAN groups, such as file servers or printers. Note that if you implement VLANs which do not overlap, but still need to communicate, you can connect them by enabling routing on this switch.
  • Page 232 should also determine security boundaries in the network and disable GVRP on the boundary ports to prevent advertisements from being propagated, or forbid those ports from joining restricted VLANs. Note: If you have host devices that do not support GVRP, you should configure static or untagged VLANs for the switch ports connected to these devices (as described in “Adding Static Members to VLANs (VLAN Index)”...
  • Page 233: Enabling Or Disabling GVRP (Global Setting)

    Forwarding Tagged/Untagged Frames
    If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
  • Page 234: Displaying Basic VLAN Information

    Web – Click VLAN, 802.1Q VLAN, GVRP Status. Enable or disable GVRP, click Apply.
    Figure 3-74. Globally Enabling GVRP
    CLI – This example enables GVRP for the switch.
        Console(config)#bridge-ext gvrp                              4-168
        Console(config)#
    Displaying Basic VLAN Information
    The VLAN Basic Information page displays basic information on the VLAN type supported by the switch.
  • Page 235: Displaying Current VLANs

    Web – Click VLAN, 802.1Q VLAN, Basic Information.
    Figure 3-75. Displaying Basic VLAN Information
    CLI – Enter the following command.
        Console#show bridge-ext                                      4-219
          Max support vlan numbers:
          Max support vlan ID: 4094
          Extended multicast filtering services: No
          Static entry individual port:
          VLAN learning:
          Configurable PVID tagging:...
  • Page 236: Figure 3-76. Displaying Current VLANs

    • Egress Ports – Shows all the VLAN port members.
    • Untagged Ports – Shows the untagged VLAN port members.
    Web – Click VLAN, 802.1Q VLAN, Current Table. Select any ID from the scroll-down list.
    Figure 3-76. Displaying Current VLANs
    Command Attributes (CLI)
    •...
  • Page 237: Creating VLANs

    • Ports / Channel groups – Shows the VLAN interface members.
    CLI – Current VLAN information can be displayed with the following command.
        Console#show vlan id 1                                       4-233
        Vlan ID:
        Type:               Static
        Name:               DefaultVlan
        Status:             Active
        Ports/Port channel: Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S)
                            Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S) Eth1/10(S)
                            Eth1/11(S) Eth1/12(S) Eth1/13(S) Eth1/14(S) Eth1/15(S)
  • Page 238: Figure 3-77. Configuring A VLAN Static List

    • State (CLI) – Enables or disables the specified VLAN.
      - Active: VLAN is operational.
      - Suspend: VLAN is suspended; i.e., does not pass packets.
    • Add – Adds a new VLAN group to the current list.
    •...
  • Page 239: Adding Static Members To VLANs (VLAN Index)

        Console(config)#vlan database                                4-223
        Console(config-vlan)#vlan 2 name R&D media ethernet state active   4-224
        Console(config-vlan)#end
        Console#show vlan                                            4-233
        Vlan ID:
        Type:               Static
        Name:               DefaultVlan
        Status:             Active
        Ports/Port channel: Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S)
                            Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S) Eth1/10(S)
                            Eth1/11(S) Eth1/12(S) Eth1/13(S) Eth1/14(S) Eth1/15(S)
                            Eth1/16(S) Eth1/17(S) Eth1/18(S) Eth1/19(S) Eth1/20(S)
                            Eth1/21(S) Eth1/22(S) Eth1/23(S) Eth1/24(S) Eth1/25(S)
  • Page 240 • Name – Name of the VLAN (1 to 32 characters). • Status – Enables or disables the specified VLAN. - Enable: VLAN is operational. - Disable: VLAN is suspended; i.e., does not pass packets. • Port – Port identifier. •...
  • Page 241: Figure 3-78. Configuring A VLAN Static Table

    Figure 3-78. Configuring a VLAN Static Table
    CLI – The following example adds tagged and untagged ports to VLAN
        Console(config)#interface ethernet 1/1                       4-156
        Console(config-if)#switchport allowed vlan add 2 tagged      4-230
        Console(config-if)#exit
        Console(config)#interface ethernet 1/2
        Console(config-if)#switchport allowed vlan add 2 untagged
        Console(config-if)#exit
        Console(config)#interface ethernet 1/13
        Console(config-if)#switchport allowed vlan add 2 tagged...
  • Page 242: Adding Static Members To VLANs (Port Index)

    Adding Static Members to VLANs (Port Index)
    Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member.
    Command Attributes
    • Interface – Port or trunk identifier.
    • Member –...
  • Page 243: VLAN Configuration

    CLI – This example adds Port 3 to VLAN 1 as a tagged port, and removes Port 3 from VLAN 2.
        Console(config)#interface ethernet 1/3                       4-156
        Console(config-if)#switchport allowed vlan add 1 tagged      4-230
        Console(config-if)#switchport allowed vlan remove 2...
  • Page 244: Configuring VLAN Behavior For Interfaces

    Configuring VLAN Behavior for Interfaces
    You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers.
    Command Usage
    • GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
  • Page 245 - If a port receives frames tagged for VLANs for which it is not a member, these frames will be discarded. - Ingress filtering does not affect VLAN independent BPDU frames, such as GVRP or STP. However, it does affect VLAN dependent BPDU frames, such as GMRP.
  • Page 246: Private VLANs

    Web – Click VLAN, 802.1Q VLAN, Port Configuration or Trunk Configuration. Fill in the required settings for each interface, click Apply.
    Figure 3-80. Configuring VLANs per Port
    CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, and then sets the switchport mode to hybrid.
  • Page 247 VLANs, on the other hand, consist of a single stand-alone VLAN that contains one promiscuous port and one or more isolated (or host) ports. In all cases, the promiscuous ports are designed to provide open access to an external network such as the Internet, while the community or isolated ports provide restricted access to local users.
  • Page 248: Displaying Current Private VLANs

    To configure primary/secondary associated groups, follow these steps:
    1. Use the Private VLAN Configuration menu (page 3-196) to designate one or more community VLANs, and the primary VLAN that will channel traffic outside of the VLAN groups.
    2. Use the Private VLAN Association menu (page 3-197) to map the secondary (i.e., community) VLAN(s) to the primary VLAN.
  • Page 249: Figure 3-81. Private VLAN Information

    displays the associated primary VLAN, and an isolated VLAN displays the stand-alone VLAN.
    • Ports List – The list of ports (and assigned port type) in the selected private VLAN.
    Web – Click VLAN, Private VLAN, Information. Select the desired port from the VLAN ID drop-down menu.
  • Page 250: Configuring Private VLANs

    Configuring Private VLANs
    The Private VLAN Configuration page is used to create/remove primary, community, or isolated VLANs.
    Command Attributes
    • VLAN ID – ID of configured VLAN (2-4094).
    • Type – There are three types of private VLANs:
      - Primary VLANs –...
  • Page 251: Associating VLANs

    Web – Click VLAN, Private VLAN, Configuration. Enter the VLAN ID number, select Primary, Isolated or Community type, then click Add. To remove a private VLAN from the switch, highlight an entry in the Current list box and then click Remove. Note that all member ports must be removed from the VLAN before it can be deleted.
  • Page 252: Displaying Private VLAN Interface Information

    Web – Click VLAN, Private VLAN, Association. Select the required primary VLAN from the scroll-down box, highlight one or more community VLANs in the Non-Association list box, and click Add to associate these entries with the selected primary VLAN. (A community VLAN can only be associated with one primary VLAN.)
    Figure 3-83.
  • Page 253: Figure 3-84. Private VLAN Port Information

    - Host – The port is a community port and can only communicate with other ports in its own community VLAN, and with the designated promiscuous port(s). Or the port is an isolated port that can only communicate with the lone promiscuous port within its own isolated VLAN.
  • Page 254: Configuring Private VLAN Interfaces

    CLI – This example shows the switch configured with primary VLAN 5 and community VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and associated with VLAN 6.
  • Page 255 • Community VLAN – A community VLAN conveys traffic between community ports, and from community ports to their designated promiscuous ports. Set PVLAN Port Type to “Host,” and then specify the associated Community VLAN.
  • Page 256: Figure 3-85. Private VLAN Port Configuration

    Web – Click VLAN, Private VLAN, Port Configuration or Trunk Configuration. Set the PVLAN Port Type for each port that will join a private VLAN. Assign promiscuous ports to a primary VLAN. Assign host ports to a community VLAN. After all the ports have been configured, click Apply.
  • Page 257: Protocol VLANs

    Protocol VLANs
    You can configure VLAN behavior to support multiple protocols to allow traffic to pass through different VLANs. When a packet is received at a port, its VLAN membership is determined by the protocol type of the packet.
  • Page 258: Class Of Service Configuration

    Command Attributes
    • Interface – Port or Trunk identifier.
    • Protocol Group ID – Protocol Group ID assigned to the Protocol VLAN Group. (Range: 1-2147483647)
    • VLAN ID – VLAN to which matching protocol traffic is forwarded. (Range: 1-4094)
    Web –...
  • Page 259: Layer 2 Queue Settings

    Layer 2 Queue Settings
    Setting the Default Priority for Interfaces
    You can specify the default port priority for each interface on the switch. All untagged packets entering the switch are tagged with the specified default port priority, and then sorted into the appropriate priority queue at the output port.
  • Page 260: Mapping CoS Values To Egress Queues

    Figure 3-88. Port Priority Configuration
    CLI – This example assigns a default priority of 5 to port 3.
        Console(config)#interface ethernet 1/3                       4-156
        Console(config-if)#switchport priority default 5             4-249
        Console(config-if)#end
        Console#show interfaces switchport ethernet 1/3              4-168
        Information of Eth 1/3
          Broadcast threshold: Enabled, 500 packets/second
          LACP status:...
  • Page 261: Table 3-12. Mapping CoS Values To Egress Queues

    priorities are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown in the following table.
    Table 3-12. Mapping CoS Values to Egress Queues
        Queue    Priority
    The priority levels recommended in the IEEE 802.1p standard for various network applications are shown in the following table.
  • Page 262: Enabling CoS

    Web – Click Priority, Traffic Classes. The current mapping of CoS values to output queues is displayed. Assign priorities to the traffic classes (i.e., output queues), then click Apply.
    Figure 3-89. Traffic Classes
    CLI – The following example shows how to change the CoS assignments.
        Console(config)#interface ethernet 1/1                       4-156
        Console(config-if)#queue cos-map 0 0...
  • Page 263: Selecting The Queue Mode

    Web – Click Priority, Traffic Classes Status.
    Figure 3-90. Enable Traffic Classes
    Selecting the Queue Mode
    You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue.
  • Page 264: Setting The Service Weight For Traffic Classes

    Figure 3-91. Queue Mode
    CLI – The following sets the queue mode to strict priority service mode.
        Console(config)#queue mode wrr                               4-248
        Console(config)#exit
        Console#show queue mode                                      4-252
        Queue mode: wrr
        Console#
    Setting the Service Weight for Traffic Classes
    This switch uses the Weighted Round Robin (WRR) algorithm to determine the frequency at which it services each priority queue.
  • Page 265: Layer 3/4 Priority Settings

    Web – Click Priority, Queue Scheduling. Select the required interface, highlight a traffic class (i.e., output queue), enter a weight, then click Apply.
    Figure 3-92. Configuring Queue Scheduling
    CLI – The following example shows how to display the WRR weights assigned to each of the priority queues.
  • Page 266: Enabling IP DSCP Priority

    Enabling IP DSCP Priority
    The switch allows you to enable or disable the IP DSCP priority.
    Command Attributes
    • IP DSCP Priority Status – The following options are:
      - Disabled – Disables the priority service. (Default Setting: Disabled)
      - IP DSCP –...
  • Page 267: Mapping DSCP Priority

    Mapping DSCP Priority
    The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP retains backward compatibility with the three precedence bits so that non-DSCP compliant devices will not conflict with the DSCP mapping.
  • Page 268: Figure 3-94. Mapping IP DSCP Priority Values

    Figure 3-94. Mapping IP DSCP Priority Values
    CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings.
        Console(config)#map ip dscp                                  4-254
        Console(config)#interface ethernet 1/1...
  • Page 269: Quality Of Service

    Quality of Service
    The commands described in this section are used to configure Quality of Service (QoS) classification criteria and service policies. Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per hop basis.
  • Page 270: Configuring Quality Of Service Parameters

    Configuring Quality of Service Parameters
    To create a service policy for a specific category of ingress traffic, follow these steps:
    1. Use the “Class Map” to designate a class name for a specific category of traffic.
    2. Edit the rules for each class to specify a type of traffic based on an access list, a DSCP or IP Precedence value, or a VLAN.
  • Page 271 Command Attributes Class Map • Modify Name and Description – Configures the name and a brief description of a class map. (Range: 1-16 characters for the name; 1-64 characters for the description) • Edit Rules – Opens the “Match Class Settings” page for the selected class entry.
  • Page 272 • VLAN – A VLAN. (Range: 1-4094) • Add – Adds specified criteria to the class. Up to 16 items are permitted per class. • Remove – Deletes the selected criteria from the class. Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class.
  • Page 273: Figure 3-95. Configuring Class Maps

    Figure 3-95. Configuring Class Maps
  • Page 274 CLI – This example creates a class map called “rd-class,” and sets it to match packets marked for DSCP service value 3.
        Console(config)#class-map rd_class match-any                 4-198
        Console(config-cmap)#match ip dscp 3                         4-199
        Console(config-cmap)#
  • Page 275: Creating QoS Policies

    Creating QoS Policies
    This function creates a policy map that can be attached to multiple interfaces.
    Command Usage
    • To configure a Policy Map, follow these steps:
      - Create a Class Map as described on page 3-216.
      - Open the Policy Map page, and click Add Policy.
  • Page 276 Command Attributes Policy Map • Modify Name and Description – Configures the name and a brief description of a policy map. (Range: 1-16 characters for the name; 1-64 characters for the description) • Edit Classes – Opens the “Policy Rule Settings” page for the selected class entry.
  • Page 277 • Exceed Action – Specifies whether the traffic that exceeds the specified rate will be dropped or the DSCP service level will be reduced. • Remove Class – Deletes a class. - Policy Options - • Class Name – Name of class map. •...
  • Page 278: Figure 3-96. Configuring Policy Maps

    Figure 3-96. Configuring Policy Maps
  • Page 279: Attaching A Policy Map To Ingress Queues

    CLI – This example creates a policy map called “rd_policy#3,” sets the average bandwidth to 1 Mbps, the burst rate to 1522 bps, and the response to reduce the DSCP value for violating packets to 0.
      Console(config)#policy-map rd_policy#3   (4-200)
      Console(config-pmap)#class rd_class#3    (4-200)...
  • Page 280: Multicast Filtering

    Figure 3-97. Service Policy Settings CLI – This example applies a service policy to an ingress interface.
      Console(config)#interface ethernet 1/5                  (4-120)
      Console(config-if)#service-policy input rd_policy#3     (4-203)
      Console(config-if)#
    Multicast Filtering Multicasting is used to support real-time applications such as videoconferencing or streaming audio.
  • Page 281: Layer 2 Igmp (Snooping And Query)

    pruned at every multicast switch/router it passes through to ensure that traffic is only passed on to the hosts which subscribed to this service. This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting to join the service and sends data out to those ports only.
  • Page 282: Configuring Igmp Snooping And Query Parameters

    Configuring IGMP Snooping and Query Parameters You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic. This prevents the switch from broadcasting the traffic to all ports and possibly disrupting network performance.
  • Page 283 • IGMP Query Count — Sets the maximum number of queries issued for which there has been no response before the switch takes action to drop a client from the multicast group. (Range: 2-10; Default: 2) • IGMP Query Interval — Sets the frequency at which the switch sends IGMP host-query messages.
  • Page 284: Enabling Igmp Immediate Leave

    Figure 3-98. IGMP Configuration CLI – This example modifies the settings for multicast filtering, and then displays the current status.
      Console(config)#ip igmp snooping                            (4-270)
      Console(config)#ip igmp snooping querier                    (4-275)
      Console(config)#ip igmp snooping query-count 10             (4-276)
      Console(config)#ip igmp snooping query-interval 100         (4-277)
      Console(config)#ip igmp snooping query-max-response-time 20 (4-277)...
  • Page 285: Figure 3-99. Igmp Immediate Leave

    group-specific IGMPv2 leave message, the switch immediately removes the interface from the Layer 2 forwarding table entry for that multicast group, unless a multicast router was learned on the port. IGMP immediate leave improves bandwidth management for all hosts in a switched network.
  • Page 286: Displaying Interfaces Attached To A Multicast Router

    Displaying Interfaces Attached to a Multicast Router Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch.
  • Page 287: Specifying Static Interfaces For A Multicast Router

    CLI – This example shows that Port 11 has been statically configured as a port attached to a multicast router.
      Console#show ip igmp snooping mrouter vlan 1   (4-280)
      VLAN  M'cast Router Port  Type
      ----  ------------------  -------
            Eth 1/11            Static
      Console#
    Specifying Static Interfaces for a Multicast Router Depending on your network connections, IGMP snooping may not always...
  • Page 288: Displaying Port Members Of Multicast Services

    Web – Click IGMP Snooping, Static Multicast Router Port Configuration. Specify the interfaces attached to a multicast router, indicate the VLAN which will forward all the corresponding multicast traffic, and then click Add. After you have finished adding interfaces to the list, click Apply. Figure 3-101.
  • Page 289: Figure 3-102. Ip Multicast Registration Table

    • Multicast Group Port List – Shows the interfaces that have already been assigned to the selected VLAN to propagate a specific multicast service. Web – Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and the IP address for a multicast service from the scroll-down lists.
  • Page 290: Assigning Ports To Multicast Services

    Assigning Ports to Multicast Services Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages as described in “Configuring IGMP Snooping and Query Parameters” on page 3-133. For certain applications that require tighter control, you may need to statically configure a multicast service on the switch.
  • Page 291: Multicast Vlan Registration

    Figure 3-103. IGMP Member Port Table CLI – This example assigns a multicast address to VLAN 1, and then displays all the known multicast services supported on VLAN 1.
      Console(config)#ip igmp snooping vlan 1 static 224.1.1.12 ethernet 1/12   (4-270)
      Console(config)#exit...
  • Page 292 MVR maintains the user isolation and data security provided by VLAN segregation by passing only multicast traffic into other VLANs to which the subscribers belong. Even though common multicast streams are passed onto different VLAN groups from the MVR VLAN, users in different IEEE 802.1Q or private VLANs cannot exchange any information (except through upper-level routing services).
  • Page 293: Configuring Global Mvr Settings

    the participating interfaces (see “Assigning Static Multicast Groups to Interfaces” on page 3-245). Configuring Global MVR Settings The global settings for Multicast VLAN Registration (MVR) include enabling or disabling MVR for the switch, selecting the VLAN that will serve as the sole channel for common multicast streams supported by the service provider, and assigning the multicast group address for each of these services to the MVR VLAN.
  • Page 294: Displaying Mvr Interface Status

    Figure 3-104. MVR Global Configuration CLI – This example first enables IGMP snooping, enables MVR globally, and then configures a range of MVR group addresses.
      Console(config)#ip igmp snooping           (4-270)
      Console(config)#mvr                        (4-283)
      Console(config)#mvr group 228.1.23.1 10    (4-283)
      Console(config)#
    Displaying MVR Interface Status You can display information about the interfaces attached to the MVR VLAN.
  • Page 295: Displaying Port Members Of Multicast Groups

    • Immediate Leave – Shows if immediate leave is enabled or disabled. • Trunk Member – Shows if port is a trunk member. Web – Click MVR, Port or Trunk Information. Figure 3-105. MVR Port Information CLI –...
  • Page 296: Figure 3-106. Mvr Group Ip Information

    • Group Port List – Shows the interfaces with subscribers for multicast services provided through the MVR VLAN. Web – Click MVR, Group IP Information. Figure 3-106. MVR Group IP Information CLI – The following example shows information about the interfaces associated with multicast groups assigned to the MVR VLAN.
  • Page 297: Configuring Mvr Interface Status

    Configuring MVR Interface Status Each interface that participates in the MVR VLAN must be configured as an MVR source port or receiver port. If only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.
  • Page 298: Figure 3-107. Mvr Port Configuration

    - Receiver – A subscriber port that can receive multicast data sent through the MVR VLAN. - Non-MVR – An interface that does not participate in the MVR VLAN. (This is the default type.) • Immediate Leave – Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group.
  • Page 299: Assigning Static Multicast Groups To Interfaces

    Assigning Static Multicast Groups to Interfaces For multicast streams that will run for a long term and be associated with a stable set of hosts, you can statically bind the multicast group to the participating interfaces. Command Usage •...
  • Page 300: Dhcp Snooping

    Figure 3-108. MVR Group Member Configuration CLI – This example statically assigns a multicast group to a receiver port.
      Console(config)#interface ethernet 1/2   (4-284)
      Console(config-if)#mvr group 228.1.23.1
      Console(config-if)#
    DHCP Snooping DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server.
  • Page 301 Filtering rules are implemented as follows: • If the global DHCP snooping is disabled, all DHCP packets are forwarded. • If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, all DHCP packets are forwarded for a trusted port.
  • Page 302: Dhcp Snooping Configuration

    add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server. Also, when the switch sends out DHCP client packets for itself, no filtering takes place. However, when the switch receives any messages from a DHCP server, any packets received from untrusted ports are dropped.
  • Page 303: Dhcp Snooping Information Option Configuration

    Command Attributes • VLAN ID – ID of a configured VLAN. (Range: 1-4094) • DHCP Snooping Status – Enables or disables DHCP snooping for the selected VLAN. When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN.
  • Page 304: Figure 3-111. Dhcp Snooping Information Option Configuration

    In some cases, the switch may receive DHCP packets from a client that already include DHCP Option 82 information. The switch can be configured to set the action policy for these packets: it can discard the Option 82 information, keep the existing information, or replace it with the switch’s relay information.
  • Page 305: Dhcp Snooping Port Configuration

    CLI – This example enables DHCP Snooping Information Option, and sets the policy as replace:
      Console(config)#ip dhcp snooping information option           (4-307)
      Console(config)#ip dhcp snooping information policy replace   (4-307)
      Console(config)#
    DHCP Snooping Port Configuration Configures switch ports as trusted or untrusted. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.
  • Page 306: Dhcp Snooping Binding Information

    CLI – This example shows how to enable the DHCP Snooping Trust Status for a port:
      Console(config)#interface ethernet 1/5   (4-305)
      Console(config-if)#ip dhcp snooping trust
      Console(config-if)#
    DHCP Snooping Binding Information Displays the DHCP snooping binding information. Command Attributes • No.
  • Page 307: Ip Source Guard

    CLI – This example shows how to display the DHCP Snooping binding table entries:
      Console#show ip dhcp snooping binding   (4-309)
      MacAddress         IpAddress        Lease(sec)  Type      VLAN  Interface
      -----------------  ---------------  ----------  --------  ----  ---------
      11-22-33-44-55-66  192.168.0.99     0           Dynamic   1     Eth 1/5
      Console#
    IP Source Guard...
  • Page 308: Figure 3-114. Ip Source Guard Port Configuration

    Command Attributes • Filter Type – Configures the switch to filter inbound traffic based on source IP address, or on source IP address and corresponding MAC address. (Default: None) - None – Disables IP source guard filtering on the port. - SIP –...
  • Page 309: Static Ip Source Guard Binding Configuration

    CLI – This example shows how to enable IP source guard on port 5:
      Console(config)#interface ethernet 1/5   (4-296)
      Console(config-if)#ip source-guard sip
      Console(config-if)#end
      Console#show ip source-guard   (4-300)
      Interface  Filter-type
      ---------  -----------
      Eth 1/1    DISABLED
      Eth 1/2    DISABLED
      Eth 1/3    DISABLED
      Eth 1/4...
  • Page 310: Dynamic Ip Source Guard Binding Information

    Web – Click IP Source Guard, Static Configuration. Figure 3-115. Static IP Source Guard Binding Configuration CLI – This example shows how to configure a static source-guard binding on port 5:
      Console(config)#ip source-guard binding 11-22-33-44-55-66 vlan 1 192.168.0.99 interface ethernet 1/5   (4-298)...
  • Page 311: Figure 3-116. Dynamic Ip Source Guard Binding Information

    • Current Dynamic Binding Table – Displays the IP addresses in the source-guard binding table. Web – Click IP Source Guard, Dynamic Information. Figure 3-116. Dynamic IP Source Guard Binding Information CLI – This example shows how to display the source-guard binding table:
      Console#show ip source-guard binding   (4-300)...
  • Page 312: Switch Clustering

    Switch Clustering Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network. A switch cluster has a “Commander”...
  • Page 313: Figure 3-117. Cluster Configuration

    Command Attributes • Cluster Status – Enables or disables clustering on the switch. • Cluster Commander – Enables or disables the switch as a cluster Commander. • Role – Indicates the current role of the switch in the cluster; either Commander, Member, or Candidate.
  • Page 314: Cluster Member Configuration

    CLI – This example first enables clustering on the switch, sets the switch as the cluster Commander, and then configures the cluster IP pool.
      Console(config)#cluster                    (4-310)
      Console(config)#cluster commander          (4-311)
      Console(config)#cluster ip-pool 10.2.3.4   (4-312)
      Console(config)#
    Cluster Member Configuration Adds Candidate switches to the cluster as Members.
  • Page 315: Cluster Member Information

    CLI – This example creates a new cluster Member by specifying the Candidate switch MAC address and setting a Member ID.
      Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5   (4-313)
      Console(config)#
    Cluster Member Information Displays current cluster Member switch information. Command Attributes •...
  • Page 316: Cluster Candidate Information

    CLI – This example shows information about cluster Member switches.
      Vty-0#sh cluster members   (4-314)
      Cluster Members:
      Role: Active member
      IP Address: 10.254.254.2
      MAC Address: 00-12-cf-23-49-c0
      Description: 24/48 L2/L4 IPV4/IPV6 GE Switch
      Vty-0#
    Cluster Candidate Information Displays information about discovered switches in the network that are already cluster Members or are available to become cluster Members.
  • Page 317 CLI – This example shows information about cluster Candidate switches.
      Vty-0#show cluster candidates   (4-315)
      Cluster Candidates:
      Role             Description
      ---------------  -----------------  -----------------------------------------
      ACTIVE MEMBER    00-12-cf-23-49-c0  24/48 L2/L4 IPV4/IPV6 GE Switch
      CANDIDATE        00-12-cf-0b-47-a0  24/48 L2/L4 IPV4/IPV6 GE Switch
      Vty-0#
  • Page 319: Command Line Interface

    This chapter describes how to use the Command Line Interface (CLI). Using the Command Line Interface Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt.
  • Page 320: Telnet Connection

    After connecting to the system through the console port, the login screen displays:
      User Access Verification
      Username: admin
      Password:
      CLI session with the SMC6128PL2 is opened.
      To end the CLI session, enter [Exit].
      Console#
    Telnet Connection Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address.
  • Page 321 After you configure the switch with an IP address, you can open a Telnet session by performing these steps: 1. From the remote host, enter the Telnet command and the IP address of the device you want to access. 2.
  • Page 322: Entering Commands

    Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
  • Page 323: Command Completion

    Command Completion If you terminate input with a Tab key, the CLI will print the remaining characters of a partial keyword up to the point of ambiguity. In the “logging history” example, typing log followed by a tab will result in printing the command up to “logging.”...
  • Page 324: Showing Commands

    Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line or VLAN Database).
  • Page 325: Partial Keyword Lookup

    The command “show interfaces ?” will display the following information:
      Console#show interfaces ?
        counters    Interface counters information
        status      Interface status information
        switchport  Interface switchport information
      Console#show interfaces
    Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided.
  • Page 326: Understanding Command Modes

    Understanding Command Modes The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain switching functions. These classes are further divided into different modes.
  • Page 327: Configuration Commands

    (or administrator mode). To access Privileged Exec mode, open a new console session with the user name and password “admin.” The system will now display the “Console#” command prompt. You can also enter Privileged Exec mode from within Normal Exec mode, by entering the enable command, followed by the privileged level password “super”...
  • Page 328: Table 4-2 Configuration Modes

    • Interface Configuration - These commands modify the port configuration such as speed-duplex and negotiation. • Line Configuration - These commands modify the console port and Telnet configuration, and include commands such as parity and databits. • VLAN Configuration - Includes the command to create VLAN groups.
  • Page 329 For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode:
      Console(config)#interface ethernet 1/5
      Console(config-if)#exit
      Console(config)#
  • Page 330: Command Line Processing

    Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?”...
  • Page 331: Command Groups

    Command Groups The system commands can be broken down into the functional groups shown below.
    Table 4-4 Command Groups (Command Group – Description – Page)
      Line – Sets communication parameters for the serial port and Telnet, including baud rate and console time-out – 4-15
      General – Basic commands for entering privileged access mode, ... – 4-27
  • Page 332 Table 4-4 Command Groups (Continued) (Command Group – Description – Page)
      Address Table – Configures the address table for filtering specified addresses, displays current entries, clears the table, or sets the aging time – 4-188
      Spanning Tree – Configures Spanning Tree settings for the switch – 4-193
      VLANs – Configures VLAN settings, and defines port...
  • Page 333: Line Commands

    Line Commands You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal). Table 4-5 Line Commands (Command – Function – Mode – Page)...
  • Page 334: Line

    line This command identifies a specific line for configuration and processes subsequent line configuration commands.
    Syntax
      line {console | vty}
      - console - Console terminal line.
      - vty - Virtual terminal for remote console access (i.e., Telnet).
    Default Setting There is no default line.
  • Page 335 local - Selects local password checking. Authentication is based on the user name specified with the username command. Default Setting login local Command Mode Line Configuration Command Usage • There are three authentication modes provided by the switch itself at login: •...
  • Page 336: Password

    password This command specifies the password for a line. Use the no form to remove the password.
    Syntax
      password {0 | 7} password
      no password
      - {0 | 7} - 0 means plain password, 7 means encrypted password
      - password - Character string that specifies the line password.
  • Page 337: Timeout Login Response

    timeout login response This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default.
    Syntax
      timeout login response [seconds]
      no timeout login response
      seconds - Integer that specifies the timeout interval. (Range: 0 - 300 seconds;...
  • Page 338: Exec-Timeout

    exec-timeout This command sets the interval that the system waits until user input is detected. Use the no form to restore the default.
    Syntax
      exec-timeout [seconds]
      no exec-timeout
      seconds - Integer that specifies the number of seconds. (Range: 0-65535 seconds; 0: no timeout)
    Default Setting CLI: No timeout Telnet: 10 minutes...
  • Page 339: Password-Thresh

    password-thresh This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value.
    Syntax
      password-thresh [threshold]
      no password-thresh
      threshold - The number of allowed password attempts. (Range: 1-120; 0: no threshold)
    Default Setting The default value is three attempts.
  • Page 340: Silent-Time

    silent-time This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value.
    Syntax
      silent-time [seconds]
      no silent-time...
  • Page 341: Parity

    Default Setting 8 data bits per character Command Mode Line Configuration Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character.
  • Page 342: Speed

    Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting. Example To specify no parity, enter this command:
      Console(config-line)#parity none
      Console(config-line)#
    speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds.
  • Page 343: Stopbits

    stopbits This command sets the number of the stop bits transmitted per byte. Use the no form to restore the default setting.
    Syntax
      stopbits {1 | 2}
      - 1 - One stop bit
      - 2 - Two stop bits
    Default Setting 1 stop bit Command Mode...
  • Page 344: Show Line

    Example
      Console#disconnect 1
      Console#
    Related Commands show ssh (4-55) show users (4-85)
    show line This command displays the terminal line’s parameters.
    Syntax
      show line [console | vty]
      - console - Console terminal line.
      - vty - Virtual terminal for remote console access (i.e., Telnet).
    Default Setting Shows all lines Command Mode...
  • Page 345: General Commands

    General Commands
    Table 4-6 General Commands (Command – Function – Mode – Page)
      enable – Activates privileged mode – 4-27
      disable – Returns to normal mode from privileged mode – 4-28
      configure – Activates global configuration mode – 4-29
      show history – Shows the command history buffer – NE, PE – 4-29
      reload – Restarts the system...
  • Page 346: Disable

    Normal Exec Command Usage • “super” is the default password required to change the command mode from Normal Exec to Privileged Exec. (To set this password, see the enable password command on page 4-37.) • The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode.
  • Page 347: Configure

    enable (4-27)
    configure This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, and VLAN Database Configuration.
  • Page 348: Reload

    In this example, the show history command lists the contents of the command history buffer:
      Console#show history
      Execution command history:
       2 config
       1 show history
      Configuration command history:
       4 interface vlan 1
       3 exit
       2 interface vlan 1
       1 end
      Console#
    The ! command repeats commands from the Execution command history...
  • Page 349: End

    Example This example shows how to reset the switch:
      Console#reload
      System will be restarted, continue <y/n>? y
    end This command returns to Privileged Exec mode. Default Setting None Command Mode Global Configuration, Interface Configuration, Line Configuration, and VLAN Database Configuration. Example This example shows how to return to the Privileged Exec mode from the Interface Configuration mode:...
  • Page 350: Quit

    This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
      Console(config)#exit
      Console#exit
      Press ENTER to start session
      User Access Verification
      Username:
    quit This command exits the configuration program. Default Setting None Command Mode...
  • Page 351: System Management Commands

    System Management Commands These commands are used to control system logs, passwords, user names, browser configuration options, and display or configure a variety of other system information.
    Table 4-7 System Management Commands (Command Group – Function – Page)
      Device Designation – Configures information that uniquely identifies this switch – 4-34...
  • Page 352: Device Designation Commands

    Device Designation Commands
    Table 4-8 Device Designation Commands (Command – Function – Page)
      prompt – Customizes the prompt used in PE and NE mode – 4-34
      hostname – Specifies the host name for the switch – 4-34
      snmp-server contact – Sets the system contact string – 4-14
      snmp-server – Sets the system location string – 4-14...
  • Page 353: User Access Commands

    Syntax
      hostname name
      no hostname
      name - The name of this host. (Maximum length: 255 characters)
    Default Setting None Command Mode Global Configuration Example
      Console(config)#hostname RD#1
      Console(config)#
    User Access Commands The basic commands required for management access are listed in this section.
  • Page 354: Username

    username This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name.
    Syntax
      username name {access-level level | nopassword | password {0 | 7} password}...
  • Page 355: Enable Password

    The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords.
  • Page 356: Ip Filter Commands

    • The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords.
  • Page 357: Show Management

    - start-address - A single IP address, or the starting address of a range.
    - end-address - The end address of a range.
    Default Setting All addresses Command Mode Global Configuration Command Usage • If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
  • Page 358: Command Mode

    show management {all-client | http-client | snmp-client | telnet-client}
      - all-client - Adds IP address(es) to the SNMP, web and Telnet groups.
      - http-client - Adds IP address(es) to the web group.
      - snmp-client - Adds IP address(es) to the SNMP group.
      - telnet-client - Adds IP address(es) to the Telnet group.
  • Page 359: Web Server Commands

    Web Server Commands
    Table 4-12 Web Server Commands (Command – Function – Mode – Page)
      ip http port – Specifies the port to be used by the web browser interface – 4-41
      ip http server – Allows the switch to be monitored or configured from a browser – 4-42
      ip http – Enables HTTPS for encrypted communications – GC...
  • Page 360: Ip Http Server

    ip http server This command allows this device to be monitored or configured from a browser. Use the no form to disable this function.
    Syntax
      [no] ip http server
    Default Setting Enabled Command Mode Global Configuration Example
      Console(config)#ip http server
      Console(config)#
    Related Commands ip http port (4-41)
  • Page 361: Table 4-13 Https System Support

    to use the same UDP port. • If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number] • When you start HTTPS, the connection is established in this way: •...
  • Page 362: Ip Http Secure-Port

    ip http secure-port
    This command specifies the UDP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port.
    Syntax: ip http secure-port port_number / no ip http secure-port
    port_number – The UDP port used for HTTPS. (Range: 1-65535)
    Default Setting Command Mode...
  • Page 363: Telnet Server Commands

    Telnet Server Commands
    Table 4-14 Telnet Server Commands (Command / Function / Page):
    ip telnet port - Specifies the port to be used by the Telnet interface - 4-41
    ip telnet server - Allows the switch to be monitored or configured from Telnet - 4-42
    ip telnet port
    This command specifies the TCP port number used by the Telnet interface.
  • Page 364: Ip Telnet Server

    ip telnet server
    This command allows this device to be monitored or configured from Telnet. Use the no form to disable this function.
    Syntax: [no] ip telnet server
    Default Setting: Enabled
    Command Mode: Global Configuration
    Example:
      Console(config)#ip telnet server
      Console(config)#
    Related Commands: ip telnet port (4-45)
  • Page 365: Table 4-15 Ssh Commands

    This section describes the commands used to configure the SSH server. However, note that you also need to install an SSH client on the management station when using this protocol to configure the switch.
    Note: The switch supports both SSH Version 1.5 and 2.0.
    Table 4-15 SSH Commands (Command / Function)...
  • Page 366

    The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified by the authentication login command on page 4-97.
  • Page 367: Ip Ssh Server

    1024 35 1341081685609893921040944920155425347631641921872958921143173880 055536161631051775940838686311092912322268285192543746031009371877211996963178136627 741416898513204911720483033925432410163799759237144901193800609025394840848271781943 72288402533115952134861022902978982721353267131629432532818915045306393916643 steve@192.168.1.19
    4. Set the Optional Parameters – Set other optional parameters, including the authentication timeout, the number of retries, and the server key size.
    5. Enable SSH Service – Use the ip ssh server command to enable the SSH server on the switch.
  • Page 368: Ip Ssh Timeout

    Syntax: [no] ip ssh server
    Default Setting: Disabled
    Command Mode: Global Configuration
    Command Usage:
    • The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
    •...
  • Page 369: Ip Ssh Authentication-Retries

    Default Setting: 10 seconds
    Command Mode: Global Configuration
    Command Usage: The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase. Once an SSH session has been established, the timeout for user input is controlled by the exec-timeout command for vty sessions.
  • Page 370: Ip Ssh Server-Key Size

    Example:
      Console(config)#ip ssh authentication-retries 2
      Console(config)#
    Related Commands: show ip ssh (4-55)
    ip ssh server-key size
    This command sets the SSH server key size. Use the no form to restore the default setting.
    Syntax: ip ssh server-key size key-size / no ip ssh server-key size
    key-size –...
  • Page 371: Ip Ssh Crypto Host-Key Generate

    - rsa – RSA public key type.
    Default Setting: Deletes both the DSA and RSA key.
    Command Mode: Privileged Exec
    Example:
      Console#delete public-key admin dsa
      Console#
    ip ssh crypto host-key generate
    This command generates the host key pair (i.e., public and private).
    Syntax: ip ssh crypto host-key generate [dsa | rsa]
    - dsa –...
  • Page 372: Ip Ssh Crypto Zeroize

    Example:
      Console#ip ssh crypto host-key generate dsa
      Console#
    Related Commands: ip ssh crypto zeroize (4-54), ip ssh save host-key (4-55)
    ip ssh crypto zeroize
    This command clears the host key from memory (i.e., RAM).
    Syntax: ip ssh crypto zeroize [dsa | rsa]
    - dsa –...
  • Page 373: Ip Ssh Save Host-Key

    ip ssh save host-key
    This command saves the host key from RAM to flash memory.
    Syntax: ip ssh save host-key [dsa | rsa]
    - dsa – DSA key type.
    - rsa – RSA key type.
    Default Setting: Saves both the DSA and RSA key.
    Command Mode: Privileged Exec
    Example...
  • Page 374: Table 4-16 Show Ssh - Display Description

    Command Mode: Privileged Exec
    Example:
      Console#show ssh
      Connection Version State Username Encryption Session-Started admin ctos aes128-cbc-hmac-md5 stoc aes128-cbc-hmac-md5
      Console#
    Table 4-16 show ssh - display description (Field / Description):
    Session - The session number. (Range: 0-3)
    Version - The Secure Shell version number.
    State - The authentication negotiation state.
  • Page 375: Show Public-Key

    Table 4-16 show ssh - display description (Continued)
    Encryption - The encryption method is automatically negotiated between the client and server. Options for SSHv1.5 include: DES, 3DES. Options for SSHv2.0 can include different algorithms for the client-to-server (ctos) and server-to-client (stoc): aes128-cbc-hmac-sha1, aes192-cbc-hmac-sha1...
  • Page 376: Line Interface

    Command Mode: Privileged Exec
    Command Usage:
    • If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed.
    • When an RSA key is displayed, the first field indicates the size of the host key (e.g., 1024), the second field is the encoded public exponent (e.g., 35), and the last string is the encoded modulus.
  • Page 377: Event Logging Commands

    Event Logging Commands
    Table 4-17 Event Logging Commands (Command / Function / Page):
    logging on - Controls logging of error messages - 4-59
    logging history - Limits syslog messages saved to switch memory based on severity - 4-61
    logging host - Adds a syslog server host IP address that will receive logging messages - 4-63
    logging facility...
  • Page 378

    Example:
      Console(config)#logging on
      Console(config)#
    Related Commands: logging history (4-61), clear logging (4-65)
  • Page 379: Logging History

    logging history
    This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level.
    Syntax: logging history {flash | ram} level / no logging history {flash | ram}
    - flash - Event history stored in flash memory (i.e., permanent memory).
  • Page 380

    Command Mode: Global Configuration
    Command Usage: The message level specified for flash memory must be a higher priority (i.e., numerically lower) than that specified for RAM.
    Example:
      Console(config)#logging history ram 0
      Console(config)#
  • Page 381: Logging Host

    logging host
    This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host.
    Syntax: [no] logging host host_ip_address
    host_ip_address - The IP address of a syslog server.
    Default Setting: None
    Command Mode...
  • Page 382: Logging Trap

    Command Usage: The command specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to sort messages or to store messages in the corresponding database.
  • Page 383: Clear Logging

    Example:
      Console(config)#logging trap 4
      Console(config)#
    clear logging
    This command clears messages from the log buffer.
    Syntax: clear logging [flash | ram]
    - flash - Event history stored in flash memory (i.e., permanent memory).
    - ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
  • Page 384: Table 4-19 Show Logging Flash/Ram - Display Description

    (i.e., memory flushed on power reset).
    - sendmail - Displays settings for the SMTP event handler (page 4-72).
    - trap - Displays settings for the trap function.
    Default Setting: None
    Command Mode: Privileged Exec
    Example: The following example shows that system logging is enabled, the message level for flash memory is “errors”...
  • Page 385: Show Log

    The following example displays settings for the trap function.
      Console#show logging trap
      Syslog logging: Enable
      REMOTELOG status: disable
      REMOTELOG facility type: local use 7
      REMOTELOG level type: Debugging messages
      REMOTELOG server IP address: 1.2.3.4
      REMOTELOG server IP address: 0.0.0.0
      REMOTELOG server IP address: 0.0.0.0
      REMOTELOG server IP address: 0.0.0.0
      REMOTELOG server IP address: 0.0.0.0...
  • Page 386: Default Setting

    - login - Shows the login record only.
    Default Setting: None
    Command Mode: Privileged Exec
    Command Usage: This command shows the system and event messages stored in memory, including the time stamp, message level (page 4-61), program module, function, and event number.
    Example: The following example shows sample messages stored in RAM.
  • Page 387: Smtp Alert Commands

    SMTP Alert Commands
    These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients.
    Table 4-21 SMTP Alert Commands (Command / Function / Page):
    logging sendmail host - SMTP servers to receive alert messages - 4-69
    logging sendmail...
  • Page 388: Logging Sendmail Level

    However, you must enter a separate command to specify each server.
    • To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.
  • Page 389: Logging Sendmail Source-Email

    This example will send email alerts for system errors from level 4 through
      Console(config)#logging sendmail level 4
      Console(config)#
    logging sendmail source-email
    This command sets the email address used for the “From” field in alert messages. Use the no form to delete the source email address.
    Syntax: [no] logging sendmail source-email email-address
    email-address - The source email address used in alert messages.
  • Page 390: Logging Sendmail

    email-address - The source email address used in alert messages. (Range: 1-41 characters)
    Default Setting: None
    Command Mode: Global Configuration
    Command Usage: You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient.
    Example:
      Console(config)#logging sendmail destination-email ted@this-company.com...
  • Page 391

    Command Mode: Normal Exec, Privileged Exec
    Example:
      Console#show logging sendmail
      SMTP servers
      -----------------------------------------------
      1. 192.168.1.200
      SMTP minimum severity level: 4
      SMTP destination email addresses
      -----------------------------------------------
      1. geoff@acme.com
      SMTP source email address: john@acme.com
      SMTP status: Enabled
      Console#
  • Page 392: Sntp Client

    Time Commands
    The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
  • Page 393: Sntp Server

    • The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan.
  • Page 394: Sntp Poll

    Command Mode: Global Configuration
    Command Usage: This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode. The client will poll the time servers in the order specified until a response is received. It issues time synchronization requests based on the interval set via the sntp poll command.
  • Page 395: Show Sntp

    sntp client (4-74)
    show sntp
    This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated.
    Command Mode: Normal Exec, Privileged Exec
    Command Usage: This command displays the current time, the poll interval used for sending time synchronization requests, and the current SNTP mode (i.e., unicast).
  • Page 396: Calendar Set

    Default Setting: None
    Command Mode: Global Configuration
    Command Usage: This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
  • Page 397: Show Calendar

    Default Setting: None
    Command Mode: Privileged Exec
    Example: This example shows how to set the system clock to 15:12:34, April 1st, 2004.
      Console#calendar set 15 12 34 1 April 2004
      Console#
    show calendar
    This command displays the system clock.
    Default Setting: None
    Command Mode...
  • Page 398: System Status Commands

    System Status Commands
    Table 4-23 System Status Commands (Command / Function / Mode / Page):
    show startup-config - Displays the contents of the configuration file (stored in flash memory) that is used to start up the system - 4-80
    show running-config - Displays the configuration data currently in use - PE - 4-82
    show system...
  • Page 399: Snmp Community Strings

    • SNMP community strings
    • Users (names and access levels)
    • VLAN database (VLAN ID, name and state)
    • VLAN configuration settings for each interface
    • IP address configured for the switch
    • Spanning tree settings
    • Any configured settings for the console port and Telnet
    Example:
      Console#show startup-config
      building startup-config, please wait..
  • Page 400: Show Running-Config

    show running-config
    This command displays the configuration information currently in use.
    Default Setting: None
    Command Mode: Privileged Exec
    Command Usage:
    • Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
  • Page 401: Related Commands

    Example:
      Console#show running-config
      building startup-config, please wait..
      phymap 00-12-cf-ce-2a-20 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00 00-00-00-00-00-00
      SNTP server 0.0.0.0 0.0.0.0 0.0.0.0
      clock timezone hours 0 minute 0 after-UTC
      SNMP-server community private rw
      SNMP-server community public ro
      username admin access-level 15
      username admin password 7 21232f297a57a5a743894a0e4a801fc3
      username guest access-level 0
      username guest password 7 084e0343a0486ff05530df6c705c8bb4...
  • Page 402: Show System

    show system
    This command displays system information.
    Default Setting: None
    Command Mode: Normal Exec, Privileged Exec
    Command Usage:
    • For a description of the items shown by this command, refer to “Displaying System Information” on page -13.
    • The POST results should all display “PASS.” If any POST test indicates “FAIL,”...
  • Page 403: Show Users

    show users
    Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client.
    Default Setting: None
    Command Mode: Normal Exec, Privileged Exec
    Command Usage: The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
  • Page 404: Frame Size Commands

    Command Mode: Normal Exec, Privileged Exec
    Command Usage: See “Displaying Switch Hardware/Software Versions” on page 3-15 for detailed information on the items displayed by this command.
    Example:
      Console#show version
      Unit1
      Serial number: S416000937
      Service tag:
      Hardware version:
      Module A type: 1000BaseT
      Module B type: 1000BaseT...
  • Page 405: Flash/File Commands

    Command Mode: Global Configuration
    Command Usage:
    • This switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 9216 bytes. Compared to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet overhead required to process protocol encapsulation fields.
  • Page 406: Whichboot

    Table 4-25 Flash/File Commands (Command / Function / Mode / Page):
    whichboot - Displays the files booted - 4-94
    boot system - Specifies the file or image used to start up the system - 4-95
    copy
    This command moves (upload/download) a code image or configuration file between the switch’s flash memory and a TFTP server.
  • Page 407

    Command Mode: Privileged Exec
    Command Usage:
    • The system prompts for data required to complete the copy command.
    • The destination file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names on the TFTP server is 127 characters or 31 characters for files on the switch.
  • Page 408

    ... operations (on the SMC6824MPE and SMC6826MPE), file types other than PoE controller may be downloaded, but will not adversely affect the system.
  • Page 409

    Example: The following example shows how to upload the configuration settings to a file on the TFTP server:
      Console#copy file tftp
      Choose file type:
      1. config: 2. opcode: <1-2>: 1
      Source file name: startup
      TFTP server ip address: 10.1.0.99
      Destination file name: startup.01
      TFTP completed.
  • Page 410

    This example shows how to copy a secure-site certificate from a TFTP server. It then reboots the switch to activate the certificate:
      Console#copy tftp https-certificate
      TFTP server ip address: 10.1.0.19
      Source certificate file name: SS-certificate
      Source private file name: SS-private
      Private password: ********
      Success.
  • Page 411

    • If the file type is used for system startup, then this file cannot be deleted.
    • “Factory_Default_Config.cfg” cannot be deleted.
    • A colon (:) is required after the specified unit number.
    Example: This example shows how to delete the test2.cfg configuration file from flash memory for unit 1.
  • Page 412: Table 4-26 File Directory Information

    • File information is shown below:
    Table 4-26 File Directory Information (Column Heading / Description):
    file name - The name of the file.
    file type - File types: Boot-Rom, Operation Code, and Config file.
    startup - Shows if this file is used when the system is started.
    size - The length of the file in bytes.
  • Page 413

    Example: This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
      Console#whichboot
      file name file type startup size (byte)
      ------------------------------------- -------------- ------- -----------...
  • Page 414: Authentication Commands

    Example:
      Console(config)#boot system config: startup
      Console(config)#
    Related Commands: dir (4-93), whichboot (4-94)
    Authentication Commands
    You can configure this switch to authenticate users logging into the system for management access using local or RADIUS authentication methods. You can also enable port-based authentication for network client access using IEEE 802.1X.
  • Page 415: Authentication Sequence

    Authentication Sequence
    Authentication Sequence (Command / Function / Page):
    authentication login - Defines logon authentication method and precedence - 4-97
    authentication enable - Defines the authentication method and precedence for command mode change - 4-98
    authentication login
    This command defines the login authentication method and precedence. Use the no form to restore the default.
  • Page 416: Authentication Enable

    • You can specify three authentication methods in a single command to indicate the authentication sequence. For example, if you enter “authentication login radius tacacs local,” the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server.
  • Page 417

    Command Usage:
    • RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
  • Page 418: Radius Client

    RADIUS Client
    Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
  • Page 419: Radius-Server Host

    radius-server host
    This command specifies primary and backup RADIUS servers and authentication parameters that apply to each server. Use the no form to restore the default values.
    Syntax: [no] radius-server index host {host_ip_address | host_alias} [auth-port auth_port] [timeout timeout] [retransmit retransmit] [key key]
    - index - Allows you to specify up to five servers.
  • Page 420: Radius-Server Port

    radius-server port
    This command sets the RADIUS server network port. Use the no form to restore the default.
    Syntax: radius-server port port_number / no radius-server port
    port_number - RADIUS server UDP port used for authentication messages. (Range: 1-65535)
    Default Setting: 1812
    Command Mode: Global Configuration
  • Page 421: Radius-Server Retransmit

    Example:
      Console(config)#radius-server key green
      Console(config)#
    radius-server retransmit
    This command sets the number of retries. Use the no form to restore the default.
    Syntax: radius-server retransmit number_of_retries / no radius-server retransmit
    number_of_retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
  • Page 422: Show Radius-Server

    Command Mode: Global Configuration
    Example:
      Console(config)#radius-server timeout 10
      Console(config)#
    show radius-server
    This command displays the current settings for the RADIUS server.
    Default Setting: None
    Command Mode: Privileged Exec
    Example:
      Console#show radius-server
      Remote RADIUS server configuration:
      Global settings
      Communication key with RADIUS server:
      Server port number: 1812
      Retransmit times:...
  • Page 423: Tacacs-Server Host

    ... authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
    TACACS Commands (Command / Function / Page):
    tacacs-server host - Specifies the TACACS+ server - 4-10
    tacacs-server port - Specifies the TACACS+ server network port - 4-10...
  • Page 424: Tacacs-Server Port

    tacacs-server port
    This command specifies the TACACS+ server network port. Use the no form to restore the default.
    Syntax: tacacs-server port port_number / no tacacs-server port
    port_number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535)
    Default Setting
    Command Mode: Global Configuration
    Example...
  • Page 425: Show Tacacs-Server

    Example:
      Console(config)#tacacs-server key green
      Console(config)#
    show tacacs-server
    This command displays the current settings for the TACACS+ server.
    Default Setting: None
    Command Mode: Privileged Exec
    Example:
      Console#show tacacs-server
      Remote TACACS server configuration:
      Server IP address: 10.11.12.13
      Communication key with TACACS server: *****
      Server port number:
      Console#
    Port Security Commands...
  • Page 426: Port Security

    ... with an unauthorized MAC address attempts to use the switch port, the intrusion will be detected and the switch can automatically take action by disabling the port and sending a trap message.
    Port Security Commands (Command / Function / Page):
    port security - Configures a secure port - 4-108
  • Page 427

    Command Mode: Interface Configuration (Ethernet)
    Command Usage:
    • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
  • Page 428: 802.1X Port Authentication

    802.1X Port Authentication
    The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
  • Page 429: Dot1X System-Auth-Control

    dot1x system-auth-control
    This command enables 802.1X port authentication globally on the switch. Use the no form to restore the default.
    Syntax: [no] dot1x system-auth-control
    Default Setting: Disabled
    Command Mode: Global Configuration
    Example:
      Console(config)#dot1x system-auth-control
      Console(config)#
    dot1x default
    This command sets all configurable dot1x global and port settings to their default values.
  • Page 430: Dot1X Port-Control

    count – The maximum number of requests (Range: 1-10)
    Default
    Command Mode: Interface Configuration
    Example:
      Console(config)#interface eth 1/2
      Console(config-if)#dot1x max-req 2
      Console(config-if)#
    dot1x port-control
    This command sets the dot1x mode on a port interface. Use the no form to restore the default.
  • Page 431: Dot1X Operation-Mode

    dot1x operation-mode
    This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
  • Page 432: Dot1X Re-Authenticate

    dot1x re-authenticate
    This command forces re-authentication on all ports or a specific interface.
    Syntax: dot1x re-authenticate [interface]
    interface
    • ethernet unit/port
    - unit - Stack unit. (Always unit 1)
    - port - Port number. (Range: 1-52)
    Command Mode: Privileged Exec
    Example:
      Console#dot1x re-authenticate...
  • Page 433: Dot1X Timeout Quiet-Period

    dot1x timeout quiet-period
    This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. Use the no form to reset the default.
    Syntax: dot1x timeout quiet-period seconds / no dot1x timeout quiet-period
    seconds - The number of seconds.
  • Page 434: Dot1X Timeout Re-Authperiod

    dot1x timeout re-authperiod
    This command sets the time period after which a connected client must be re-authenticated.
    Syntax: dot1x timeout re-authperiod seconds / no dot1x timeout re-authperiod
    seconds - The number of seconds. (Range: 1-65535)
    Default: 3600 seconds
    Command Mode: Interface Configuration
    Example:
      Console(config)#interface eth 1/2...
  • Page 435

    Example:
      Console(config)#interface eth 1/2
      Console(config-if)#dot1x timeout tx-period 300
      Console(config-if)#
  • Page 436: Show Dot1X

    show dot1x
    This command shows general port authentication related settings on the switch or a specific interface.
    Syntax: show dot1x [statistics] [interface interface]
    • statistics - Displays dot1x status for each port.
    • interface
    • ethernet unit/port
    - unit - Stack unit. (Always unit 1)
    - port - Port number.
  • Page 437

    - 802.1X Port Details – Displays the port access control parameters for each interface, including the following items:
    - reauth-enabled – Periodic re-authentication (page 4-114).
    - reauth-period – Time after which a connected client must be re-authenticated (page 4-116).
    - quiet-period –...
  • Page 438

    - Backend State Machine
    - State – Current state (including request, response, success, fail, timeout, idle, initialize).
    - Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response.
    - Identifier(Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server.
  • Page 439

    Example:
      Console#show dot1x
      Global 802.1X Parameters
      system-auth-control: enable
      802.1X Port Summary
      Port Name Status Operation Mode Mode Authorized
      disabled Single-Host ForceAuthorized
      enabled Single-Host auto
      1/52 disabled Single-Host ForceAuthorized
      802.1X Port Details
      802.1X is disabled on port 1/1
      802.1X is enabled on port 1/2
      reauth-enabled: Enable
      reauth-period: 1800...
  • Page 440: Access Control List Commands

    Access Control List Commands
    Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, or Layer 4 protocol port number) or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules and then bind the list to a specific port.
  • Page 441: Ip Acls

    1. User-defined rules in the Ingress IP ACL for ingress ports.
    2. Explicit default rule (permit any any) in the ingress IP ACL for ingress ports.
    3. If no explicit rule is matched, the implicit default is permit all.
    Access Control Lists (Command Groups / Function)...
  • Page 442: Access-List Ip

    access-list ip
    This command adds an IP access list and enters configuration mode for standard or extended IP ACLs. Use the no form to remove the specified ACL.
    Syntax: [no] access-list ip {standard | extended} acl_name
    - standard – Specifies an ACL that filters packets based on the source IP address.
  • Page 443: Permit, Deny (Standard Acl)

    permit, deny (Standard ACL)
    This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
    Syntax: [no] {permit | deny} {any | source bitmask | host source}
    - any –...
  • Page 444: Permit, Deny (Extended Acl)

    access-list ip (4-124)
    permit, deny (Extended ACL)
    This command adds a rule to an Extended IP ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, or source or destination protocol ports. Use the no form to remove a rule.
  • Page 445: Show Ip Access-List

    • All new rules are appended to the end of the list.
    • Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.” The bitmask is bitwise ANDed with the specified source IP address, and then compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.
  • Page 446: Ip Access-Group

    Command Mode: Privileged Exec
    Example:
      Console#show ip access-list standard
      IP standard access-list david:
      permit host 10.1.1.21
      permit 168.92.0.0 255.255.255.0
      Console#
    Related Commands: permit, deny (4-125), ip access-group (4-128)
    ip access-group
    This command binds a port to an IP ACL. Use the no form to remove the port.
  • Page 447: Show Ip Access-Group

    Example Console(config)#int eth 1/25 Console(config-if)#ip access-group david in Console(config-if)# Related Commands show ip access-list (4-127) show ip access-group This command shows the ports assigned to IP ACLs. Command Mode Privileged Exec Example Console#show ip access-group Interface ethernet 1/25 IP access-list david in Console# Related Commands...
  • Page 448: Access-List Mac

    MAC ACL Commands Command Function Mode show mac access-list Displays the rules for configured MAC ACLs 4-13 mac access-group Adds a port to a MAC ACL 4-13 show mac access-group Shows port assignments for MAC ACLs 4-13 access-list mac This command adds a MAC access list and enters MAC ACL configuration mode.
  • Page 449: Permit, Deny (Mac Acl)

    Related Commands permit, deny (4-131) mac access-group (4-133) show mac access-list (4-133) permit, deny (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type.
  • Page 450 - tagged-eth2 – Tagged Ethernet II packets. - untagged-eth2 – Untagged Ethernet II packets. - tagged-802.3 – Tagged Ethernet 802.3 packets. - untagged-802.3 – Untagged Ethernet 802.3 packets. - any – Any MAC source or destination address. - host – A specific MAC address. - source –...
  • Page 451: Show Mac Access-List

    Related Commands access-list mac (4-130) show mac access-list This command displays the rules for configured MAC ACLs. Syntax show mac access-list [acl_name] acl_name – Name of the ACL. (Maximum length: 16 characters) Command Mode Privileged Exec Example Console#show mac access-list MAC access-list jerry: permit any 00-e0-29-94-34-de ethertype 0800...
  • Page 452: Show Mac Access-Group

    Command Usage • A port can only be bound to one ACL. • If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one. Example Console(config)#interface ethernet 1/2 Console(config-if)#mac access-group jerry in...
  • Page 453: Acl Information

    ACL Information Command Function Mode show access-list Shows all ACLs and associated rules 4-13 show access-group Shows the ACLs assigned to each port 4-13 show access-list This command shows all ACLs and associated rules, as well as all the user-defined masks.
  • Page 454: Snmp Commands

    Privileged Exec Example Console#show access-group Interface ethernet 1/1 IP access-list jerry in Interface ethernet 1/52 IP access-list jerry in Console# SNMP Commands Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers.
  • Page 455: Snmp-Server

    SNMP Commands (Continued) Command Function Page snmp-server location Sets the system location string 4-14 snmp-server host Specifies the recipient of an SNMP notification operation 4-14 snmp-server enable traps Enables the device to send SNMP traps (i.e., SNMP notifications) 4-14 snmp-server Sets the SNMP engine ID...
  • Page 456: Show Snmp

    Enabled Command Mode Global Configuration Example Console(config)#snmp-server Console(config)# show snmp This command can be used to check the status of SNMP communications. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.
  • Page 457: Snmp-Server Community

    Example Console#show snmp SNMP Agent: enabled SNMP traps: Authentication: enable Link-up-down: enable SNMP communities: 1. private, and the privilege is read-write 2. public, and the privilege is read-only 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors...
  • Page 458: Snmp-Server Contact

    - rw - Specifies read/write access. Authorized management stations are able to both retrieve and modify MIB objects. Default Setting • public - Read-only access. Authorized management stations are only able to retrieve MIB objects. • private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects.
  • Page 459: Snmp-Server Location

    snmp-server location This command sets the system location string. Use the no form to remove the location string. Syntax snmp-server location text no snmp-server location text - String that describes the system location. (Maximum length: 255 characters) Default Setting None Command Mode...
  • Page 460 option is only available for version 2c and 3 hosts. (Default: traps are used) - retries - The maximum number of times to resend an inform message if the recipient does not acknowledge receipt. (Range: 0-255; Default: 3) - seconds - The number of seconds to wait for an acknowledgment before resending an inform message.
  • Page 461 • If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command. In order to enable multiple hosts, you must issue a separate snmp-server host command for each host.
  • Page 462: Snmp-Server Enable Traps

    snmp-server host command as described in this section. 4. Create a view with the required notification messages (page 4-148). 5. Create a group that includes the required notify view (page 4-150). 6. Specify a remote engine ID where the user resides (page 4-145). 7.
  • Page 463: Snmp-Server Engine-Id

    Issue authentication and link-up-down traps. Command Mode Global Configuration Command Usage • If you do not enter an snmp-server enable traps command, no notifications controlled by this command are sent. In order to configure this device to send SNMP notifications, you must enter at least one snmp-server enable traps command.
  • Page 464 - local - Specifies the SNMP engine on this switch. - remote - Specifies an SNMP engine on a remote device. - ip-address - The Internet address of the remote device. - engineid-string - String identifying the engine ID. (Range: 10-64 hexadecimal characters) Default Setting A unique engine ID is automatically generated by the switch based on...
  • Page 465: Show Snmp Engine-Id

    Example Console(config)#snmp-server engine-id local 12345 Console(config)#snmp-server engineID remote 54321 192.168.1.19 Console(config)# Related Commands snmp-server host (4-141) show snmp engine-id This command shows the SNMP engine ID. Command Mode Privileged Exec Example This example shows the default engine ID. Console#show snmp engine-id Local SNMP engineID: 8000002a8000000000e8666672 Local SNMP engineBoots: 1...
  • Page 466: Snmp-Server View

    snmp-server view This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view. Syntax snmp-server view view-name oid-tree {included | excluded} no snmp-server view view-name - view-name - Name of an SNMP view. (Range: 1-64 characters) - oid-tree - Object identifier of a branch within the MIB tree.
  • Page 467: Show Snmp View

    This view includes the MIB-2 interfaces table, and the mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included Console(config)# show snmp view This command shows information on the SNMP views. Command Mode Privileged Exec Example Console#show snmp view View Name: mib-2 Subtree OID: 1.2.2.3.6.2.1 View Type: included...
  • Page 468: Snmp-Server Group

    snmp-server group This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group. Syntax snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] no snmp-server group groupname - groupname - Name of an SNMP group.
  • Page 469: Show Snmp Group

    • For additional information on the notification messages supported by this switch, see “Supported Notification Messages” on page 5-13. Also, note that the authentication, link-up and link-down messages are legacy traps and must therefore be enabled in conjunction with the snmp-server enable traps command (page 4-144).
  • Page 470 Group Name: public Security Model: v2c Read View: defaultview Write View: none Notify View: none Storage Type: volatile Row Status: active Group Name: private Security Model: v1 Read View: defaultview Write View: defaultview Notify View: none Storage Type: volatile Row Status: active Group Name: private Security Model: v2c...
  • Page 471: Snmp-Server User

    show snmp group - display description Field Description groupname Name of an SNMP group. security model The SNMP version. readview The associated read view. writeview The associated write view. notifyview The associated notify view. storage-type The storage type for this entry. Row Status The row status of this entry.
  • Page 472: Global Configuration

    Default Setting None Command Mode Global Configuration Command Usage • The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command.
  • Page 473: Show Snmp User

    show snmp user This command shows information on SNMP users. Command Mode Privileged Exec Example Console#show snmp user EngineId: 800000ca030030f1df9ca00000 User Name: steve Authentication Protocol: md5 Privacy Protocol: des56 Storage Type: nonvolatile Row Status: active SNMP remote user EngineId: 80000000030004e2b316c54321 User Name: mark Authentication Protocol: mdt...
  • Page 474: Interface Commands

    Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN. Interface Commands Command Function Mode Page interface Configures an interface type and enters interface configuration mode 4-156 description Adds a description to an interface configuration IC 4-157 speed-duplex Configures the speed and duplex operation of a...
  • Page 475: Description

    INTERFACE COMMANDS interface • ethernet unit/port - unit - Stack unit. (Always unit 1) - port - Port number. (Range: 1-52) • port-channel channel-id (Range: 1-8) • vlan vlan-id (Range: 1-4094) Default Setting None Command Mode Global Configuration Example To specify port 24, enter the following command: Console(config)#interface ethernet 1/24 Console(config-if)# description...
  • Page 476: Speed-Duplex

    The following example adds a description to port 24. Console(config)#interface ethernet 1/24 Console(config-if)#description RD-SW#3 Console(config-if)# speed-duplex This command configures the speed and duplex mode of a given interface when autonegotiation is disabled. Use the no form to restore the default. Syntax speed-duplex {1000full | 100full | 100half | 10full | 10half} no speed-duplex...
  • Page 477: Negotiation

    Default Setting • Auto-negotiation is enabled by default. • When auto-negotiation is disabled, the default speed-duplex setting is 100half for 100BASE-TX ports and 1000full for Gigabit Ethernet ports. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • To force operation to the speed and duplex mode specified in a speed-duplex command, use the no negotiation command to disable auto-negotiation on the selected interface.
  • Page 478: Capabilities

    Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
  • Page 479: Flowcontrol

    - symmetric (Gigabit only) - When specified, the port transmits and receives pause frames; when not specified, the port will auto-negotiate to determine the sender and receiver for asymmetric pause frames. (The current switch ASIC only supports symmetric pause frames.) Default Setting •...
  • Page 480 Syntax [no] flowcontrol Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill. When enabled, back pressure is used for half-duplex operation and IEEE 802.3x for full-duplex operation.
  • Page 481: Shutdown

    shutdown This command disables an interface. To restart a disabled interface, use the no form. Syntax [no] shutdown Default Setting All interfaces are enabled. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then reenable it after the problem has been resolved.
  • Page 482: Switchport Broadcast Packet-Rate

    switchport broadcast packet-rate This command configures broadcast storm control. Use the no form to disable broadcast storm control. Syntax switchport broadcast octet-rate rate no switchport broadcast rate - Threshold level as a rate; i.e., kilobits per second. (Range: 64-100000 for 100 Mbps ports, 64-1000000 for 1 Gbps ports) Default Setting Enabled for all ports...
  • Page 483: Show Interfaces Status

    interface • ethernet unit/port • unit - Stack unit. (Always unit 1) • port - Port number. (Range: 1-52) • port-channel channel-id (Range: 1-8) Default Setting None Command Mode Privileged Exec Command Usage Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session.
  • Page 484: Show Interfaces Counters

    Shows the status for all interfaces. Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Displaying Connection Status” on page 3-108. Example Console#show interfaces status ethernet 1/5 Information of Eth 1/5...
  • Page 485 • port - Port number. (Range: 1-52) • port-channel channel-id (Range: 1-8) Default Setting Shows the counters for all interfaces. Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Showing Port Statistics”...
  • Page 486: Show Interfaces Switchport

    show interfaces switchport This command displays the administrative and operational status of the specified interfaces. Syntax show interfaces switchport [interface] interface • ethernet unit/port • unit - Stack unit. (Always unit 1) • port - Port number. (Range: 1-52) • port-channel channel-id (Range: 1-8) Default Setting Shows all interfaces.
  • Page 487 Interfaces Switchport Statistics Field Description Broadcast threshold Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 4-164). Lacp status Shows if Link Aggregation Control Protocol has been enabled or disabled (page 4-177). Ingress rate limit Shows if ingress rate limiting is enabled, and the current rate limit.
  • Page 488: Mirror Port Commands

    Mirror Port Commands This section describes how to mirror traffic from a source port to a target port. Mirror Port Commands Command Function Mode Page port monitor Configures a mirror session 4-170 show port monitor Shows the configuration for a mirror port 4-171 port monitor This command configures a mirror session.
  • Page 489: Show Port Monitor

    MIRROR PORT COMMANDS • The mirror port and monitor port speeds should match, otherwise traffic may be dropped from the monitor port. • All mirror sessions must share the same destination port. • When mirroring port traffic, the target port must be included in the same VLAN as the source port. Example The following example configures the switch to mirror received packets...
  • Page 490 The following shows mirroring configured from port 6 to port 11: Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1/6 rx Console(config-if)#end Console#show port monitor Port Mirroring ------------------------------------- Destination port(listen port):Eth1/11 Source port(monitored port) :Eth1/6 Mode Console# 4-172...
  • Page 491: Rate Limit Commands

    Rate Limit Commands This function allows the network manager to control the maximum rate for traffic received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into the network. Packets that exceed the acceptable amount of traffic are dropped.
  • Page 492 Example Console(config)#interface ethernet 1/1 Console(config-if)#rate-limit input 2000 Console(config-if)# 4-174...
  • Page 493: Link Aggregation Commands

    Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
  • Page 494 Guidelines for Creating Trunks General Guidelines – • Finish configuring port trunks before you connect the corresponding network cables between switches to avoid creating a loop. • A trunk can have up to eight ports. • The ports at both ends of a connection must be configured as trunk ports.
  • Page 495: Lacp

    Syntax channel-group channel-id no channel-group channel-id - Trunk index (Range: 1-8) Default Setting The current port will be added to this trunk. Command Mode Interface Configuration (Ethernet) Command Usage • When configuring static trunks, the switches must comply with the Cisco EtherChannel standard.
  • Page 496 • The ports on both ends of an LACP trunk must be configured for full duplex, and auto-negotiation. • A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID. • If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically.
  • Page 497: Lacp System-Priority

    lacp system-priority This command configures a port's LACP system priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} system-priority priority no lacp {actor | partner} system-priority • actor - The local side of an aggregate link. •...
  • Page 498: Lacp Admin-Key (Ethernet Interface)

    lacp admin-key (Ethernet Interface) This command configures a port's LACP administration key. Use the no form to restore the default setting. Syntax lacp {actor | partner} admin-key key [no] lacp {actor | partner} admin-key • actor - The local side of an aggregate link. •...
  • Page 499: Lacp Admin-Key (Port Channel)

    lacp admin-key (Port Channel) This command configures a port channel's LACP administration key string. Use the no form to restore the default setting. Syntax lacp {actor | partner} admin-key key [no] lacp {actor | partner} admin-key key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch.
  • Page 500: Show Lacp

    no lacp {actor | partner} port-priority • actor - The local side of an aggregate link. • partner - The remote side of an aggregate link. • priority - LACP port priority is used to select a backup link. (Range: 0-65535) Default Setting 32768 Command Mode...
  • Page 501 • internal - Configuration settings and operational state for local side. • neighbors - Configuration settings and operational state for remote side. • sysid - Summary of system priority and MAC address for all channel groups. Default Setting Port Channel: all Command Mode Privileged Exec...
  • Page 502 show lacp counters - display description (Continued) Field Description LACPDUs Unknown Pkts Number of frames received that either (1) carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
  • Page 503 show lacp internal - display description (Continued) Field Description Admin State, Oper State Administrative or operational values of the actor’s state parameters: • Expired – The actor’s receive machine is in the expired state; • Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.
  • Page 504 Console#show lacp 1 neighbors Port channel 1 neighbors ------------------------------------------------------------------- ------ Eth 1/1 ------------------------------------------------------------------- ------ Partner Admin System ID : 32768, 00-00-00-00-00-00 Partner Oper System ID : 32768, 00-00-00-00-00-01 Partner Admin Port Number : 1 Partner Oper Port Number : 1 Port Admin Priority : 32768 Port Oper Priority : 32768 Admin Key : 0...
  • Page 505 show lacp neighbors - display description Field Description Partner Admin System ID LAG partner’s system ID assigned by the user. Partner Oper System ID LAG partner’s system ID assigned by the LACP protocol. Partner Admin Port Number Current administrative value of the port number for the protocol Partner.
  • Page 506: Address Table Commands

    Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time. Address Table Commands Command Function Mode Page mac-address-table static Maps a static address to a port in a VLAN 4-188 clear...
  • Page 507: Clear Mac-Address-Table Dynamic

    ADDRESS TABLE COMMANDS - action - • delete-on-reset - Assignment lasts until the switch is reset. • permanent - Assignment is permanent. Default Setting No static addresses are defined. The default mode is permanent. Command Mode Global Configuration Command Usage The static address for a host device can be assigned to a specific port within a specific VLAN.
  • Page 508: Show Mac-Address-Table

    Example Console#clear mac-address-table dynamic Console# show mac-address-table This command shows classes of entries in the bridge-forwarding database. Syntax show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}] - mac-address - MAC address. - mask - Bits to match in the address. - interface •...
  • Page 509: Mac-Address-Table Aging-Time

    example, a mask of 00-00-00-00-00-00 means an exact match, and a mask of FF-FF-FF-FF-FF-FF means “any.” • The maximum number of address entries is 8191. Example Console#show mac-address-table Interface Mac Address Vlan Type --------- ----------------- ---- ----------------- Eth 1/1 00-12-cf-94-34-de Delete-on-reset Trunk 2 00-12-cf-8f-aa-1b...
  • Page 510 Command Mode Privileged Exec Example Console#show mac-address-table aging-time Aging time: 100 sec. Console# 4-192...
  • Page 511: Spanning Tree Commands

    Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Spanning Tree Commands Command Function Mode Page spanning-tree Enables the spanning tree protocol 4-194 spanning-tree mode Configures STP, RSTP or MSTP mode...
  • Page 512: Spanning-Tree

    Spanning Tree Commands (Continued) Command Function Mode Page spanning-tree spanning-disabled Disables spanning tree for an interface 4-206 spanning-tree cost Configures the spanning tree path cost of an interface 4-206 spanning-tree port-priority Configures the spanning tree priority of an interface 4-207 spanning-tree Enables fast forwarding for edge ports 4-208...
  • Page 513: Spanning-Tree Mode

    Command Mode Global Configuration Command Usage The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over...
  • Page 514 Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. • This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
  • Page 515: Spanning-Tree Forward-Time

    spanning-tree forward-time This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default. Syntax spanning-tree forward-time seconds no spanning-tree forward-time seconds - Time in seconds. (Range: 4 - 30 seconds) The minimum value is the higher of 4 or [(max-age / 2) + 1].
  • Page 516: Spanning-Tree Max-Age

    Default Setting 2 seconds Command Mode Global Configuration Command Usage This command sets the time interval (in seconds) at which the root device transmits a configuration message. Example Console(config)#spanning-tree hello-time 5 Console(config)# Related Commands spanning-tree forward-time (4-197) spanning-tree max-age (4-198) spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch.
  • Page 517: Spanning-Tree Priority

    receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network.
  • Page 518: Spanning-Tree Pathcost Method

    Example Console(config)#spanning-tree priority 40000 Console(config)# spanning-tree pathcost method This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree pathcost method {long | short} no spanning-tree pathcost method - long - Specifies 32-bit based values that range from 1-200,000,000.
  • Page 519: Spanning-Tree Transmission-Limit

    spanning-tree transmission-limit This command configures the minimum interval between the transmission of consecutive RSTP/MSTP BPDUs. Use the no form to restore the default. Syntax spanning-tree transmission-limit count no spanning-tree transmission-limit count - The transmission limit in seconds. (Range: 1-10) Default Setting Command Mode Global Configuration...
  • Page 520: Mst Vlan

    mst priority (4-203) name (4-204) revision (4-204) max-hops (4-205) mst vlan This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs. Syntax [no] mst instance_id vlan vlan-range - instance_id - Instance identifier of the spanning tree.
  • Page 521: Mst Priority

    Example Console(config-mstp)#mst 1 vlan 2-5 Console(config-mstp)# mst priority This command configures the priority of a spanning tree instance. Use the no form to restore the default. Syntax mst instance_id priority priority no mst instance_id priority - instance_id - Instance identifier of the spanning tree. (Range: 0-4094) - priority - Priority of a spanning tree instance.
  • Page 522: Name

    name This command configures the name for the multiple spanning tree region in which this switch is located. Use the no form to clear the name. Syntax name name name - Name of the spanning tree. Default Setting Switch’s MAC address Command Mode MST Configuration Command Usage...
  • Page 523: Max-Hops

    MST Configuration Command Usage The MST region name (page 4-204) and revision number are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
  • Page 524: Spanning-Tree Spanning-Disabled

    Example Console(config-mstp)#max-hops 30 Console(config-mstp)# spanning-tree spanning-disabled This command disables the spanning tree algorithm for the specified interface. Use the no form to reenable the spanning tree algorithm for the specified interface. Syntax [no] spanning-tree spanning-disabled Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Example This example disables the spanning tree algorithm for port 5.
  • Page 525: Spanning-Tree Port-Priority

    Default Setting By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost “0” is used to indicate auto-configuration mode. • Ethernet – half duplex: 2,000,000; full duplex: 1,000,000; trunk: 500,000 •...
  • Page 526: Spanning-Tree Edge-Port

    Default Setting Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch are the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
  • Page 527: Spanning-Tree Portfast

    servers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to initiate reconfiguration when the interface changes state, and also overcomes other STA-related timeout problems.
  • Page 528: Spanning-Tree Link-Type

    forwarding should only be enabled for ports connected to a LAN segment that is at the end of a bridged LAN or for an end-node device.) • This command is the same as spanning-tree edge-port, and is only included for backward compatibility with earlier products. Note that this command may be removed for future software versions.
  • Page 529: Spanning-Tree Mst Cost

    a shared link. • RSTP only works on point-to-point links between two bridges. If you designate a port as a shared link, RSTP is forbidden. Since MSTP is an extension of RSTP, this same restriction applies. Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree link-type point-to-point spanning-tree mst cost This command configures the path cost on a spanning instance in the...
  • Page 530: Spanning-Tree Mst Port-Priority

    Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • Each spanning-tree instance is associated with a unique set of VLAN IDs. • This command is used by the multiple spanning-tree algorithm to determine the best path between devices. Therefore, lower values should be assigned to interfaces attached to faster media, and higher values assigned to interfaces with slower media.
  • Page 531: Spanning-Tree Protocol-Migration

    Command Usage • This command defines the priority for the use of an interface in the multiple spanning-tree. If the path cost for all interfaces on a switch is the same, the interface with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
  • Page 532: Show Spanning-Tree

    Example Console#spanning-tree protocol-migration eth 1/5 Console# show spanning-tree This command shows the configuration for the common spanning tree (CST) or for an instance within the multiple spanning tree (MST). Syntax show spanning-tree [interface | mst instance_id] - interface • ethernet unit/port •...
  • Page 533 description of the items displayed for specific interfaces, see “Displaying Interface Settings” on page 3-132. Example Console#show spanning-tree Spanning-tree information --------------------------------------------------------------- Spanning tree mode: MSTP Spanning tree enable/disable: enable Instance: Vlans configuration: 1-4094 Priority: 32768 Bridge Hello Time (sec.): Bridge Max Age (sec.): Bridge Forward Delay (sec.): Root Hello Time (sec.):...
  • Page 534: Show Spanning-Tree Mst Configuration

    show spanning-tree mst configuration This command shows the configuration of the multiple spanning tree. Command Mode Privileged Exec Example Console#show spanning-tree mst configuration Mstp Configuration Information -------------------------------------------------------------- Configuration name: R&D Revision level:0 Instance Vlans -------------------------------------------------------------- Console#
  • Page 535: Vlan Commands

    VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
  • Page 536: Bridge-Ext Gvrp

    Note: GVRP is not supported in the current software. GVRP and Bridge Extension Commands Command Function bridge-ext gvrp Enables GVRP globally for the switch 4-21 show bridge-ext Shows the global bridge extension 4-21 configuration switchport gvrp Enables GVRP for an interface 4-21 switchport forbidden Configures forbidden VLANs for an...
  • Page 537: Show Bridge-Ext

    GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. This function should be enabled to permit automatic VLAN registration, and to support VLANs which extend beyond the local switch. Example Console(config)#bridge-ext gvrp Console(config)#...
  • Page 538: Show Gvrp Configuration

    [no] switchport gvrp Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Example Console(config)#interface ethernet 1/6 Console(config-if)#switchport gvrp Console(config-if)# show gvrp configuration This command shows if GVRP is enabled. Syntax show gvrp configuration [interface] interface • ethernet unit/port - unit - Stack unit. (Always unit 1) - port - Port number.
  • Page 539: Garp Timer

    garp timer This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. Syntax garp timer {join | leave | leaveall} timer_value no garp timer {join | leave | leaveall} - {join | leave | leaveall} - Which timer to set.
  • Page 540: Show Garp Timer

    Example Console(config)#interface ethernet 1/1 Console(config-if)#garp timer join 100 Console(config-if)# Related Commands show garp timer (4-222) show garp timer This command shows the GARP timers for the selected interface. Syntax show garp timer [interface] interface • ethernet unit/port - unit - Stack unit. (Always unit 1) - port - Port number.
  • Page 541: Editing Vlan Groups

    Editing VLAN Groups Command Function Mode Page vlan database Enters VLAN database mode to add, change, and 4-223 delete VLANs vlan Configures a VLAN, including VID, name and 4-224 state vlan database This command enters VLAN database mode. All commands in this mode will take effect immediately.
  • Page 542: Vlan

    vlan This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN. Syntax vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] no vlan vlan-id [name | state] - vlan-id - ID of configured VLAN. (Range: 1-4094, no leading zeroes) - name - Keyword to be followed by the VLAN name.
  • Page 543: Configuring Vlan Interfaces

    The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default. Console(config)#vlan database Console(config-vlan)#vlan 105 name RD5 media ethernet Console(config-vlan)# Related Commands show vlan (4-233) Configuring VLAN Interfaces Command Function Mode Page...
  • Page 544: Switchport Mode

    interface vlan vlan-id vlan-id - ID of the configured VLAN. (Range: 1-4094, no leading zeroes) Default Setting None Command Mode Global Configuration Example The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN: Console(config)#interface vlan 1 Console(config-if)#ip address 192.168.1.254 255.255.255.0 Console(config-if)#...
  • Page 545: Switchport Acceptable-Frame-Types

    Default Setting All ports are in hybrid mode with the PVID set to VLAN 1. Command Mode Interface Configuration (Ethernet, Port Channel) Example The following shows how to set the configuration mode to port 1, and then set the switchport mode to hybrid: Console(config)#interface ethernet 1/1 Console(config-if)#switchport mode hybrid Console(config-if)#
  • Page 546: Switchport Ingress-Filtering

    The following example shows how to restrict the traffic received on port 1 to tagged frames: Console(config)#interface ethernet 1/1 Console(config-if)#switchport acceptable-frame-types tagged Console(config-if)# Related Commands switchport mode (4-226) switchport ingress-filtering This command enables ingress filtering for an interface. Note: Although the ingress filtering command is available, the switch has ingress filtering permanently set to enable.
  • Page 547: Switchport Native Vlan

    The following example shows how to select port 1 and then enable ingress filtering: Console(config)#interface ethernet 1/1 Console(config-if)#switchport ingress-filtering Console(config-if)# switchport native vlan This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default. Syntax switchport native vlan vlan-id no switchport native vlan...
  • Page 548: Switchport Allowed Vlan

    switchport allowed vlan This command configures VLAN groups on the selected interface. Use the no form to restore the default. Note: Each port can only have one untagged VLAN. If a second VLAN is defined for a port as untagged, the other VLAN that had untagged status will automatically be changed to tagged.
  • Page 549: Switchport Forbidden Vlan

    VLAN. If a second VLAN is defined for a port as untagged, the other VLAN that had untagged status will automatically be changed to tagged. Setting a VLAN untagged will also change the native VLAN of the port to this VLAN. •...
  • Page 550 • If a VLAN has been added to the set of allowed VLANs for an interface, then you cannot add it to the set of forbidden VLANs for that same interface. Example The following example shows how to prevent port 1 from being added to VLAN 3: Console(config)#interface ethernet 1/1 Console(config-if)#switchport forbidden vlan add 3...
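The native VLAN, allowed VLAN, acceptable-frame-types and forbidden VLAN commands above interact on every ingress frame, and the combination decides which VLAN an attacker's untagged frame lands in. The following model is an added example for this page, not the switch firmware's code: it encodes only the rules the manual states (one untagged VLAN per port, the PVID following the untagged VLAN, tagged-only acceptance, forbidden VLANs that may not overlap allowed ones, and permanently enabled ingress filtering) and then shows why an uplink left at factory defaults delivers untagged frames into VLAN 1, the VLAN that carries the management address in this manual's examples. The class, method and port names are this example's own; the VID 0 rule in classify() is the 802.1Q behaviour, which the manual does not mention.

```python
"""Per-port 802.1Q ingress model for the VLAN interface commands above.

Added example for this page, not the switch firmware's code. Class, method
and port names are this example's own.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class SwitchPort:
    name: str
    pvid: int = 1                              # switchport native vlan (default 1)
    untagged: Optional[int] = 1                # the single untagged member VLAN
    tagged: Set[int] = field(default_factory=set)
    forbidden: Set[int] = field(default_factory=set)
    acceptable: str = "all"                    # switchport acceptable-frame-types all|tagged

    def members(self) -> Set[int]:
        m = set(self.tagged)
        if self.untagged is not None:
            m.add(self.untagged)
        return m

    def allow(self, vid: int, tagged: bool = True) -> None:
        """switchport allowed vlan add <vid> [tagged|untagged]."""
        if not 1 <= vid <= 4094:
            raise ValueError("VLAN ID must be 1-4094")
        if vid in self.forbidden:
            raise ValueError(f"VLAN {vid} is forbidden on {self.name}")
        if tagged:
            if self.untagged == vid:
                self.untagged = None
            self.tagged.add(vid)
            return
        # Only one untagged VLAN per port: the previous one flips to tagged and
        # the native VLAN (PVID) moves to the newly untagged VLAN.
        if self.untagged is not None and self.untagged != vid:
            self.tagged.add(self.untagged)
        self.tagged.discard(vid)
        self.untagged = vid
        self.pvid = vid

    def remove(self, vid: int) -> None:
        """switchport allowed vlan remove <vid>."""
        self.tagged.discard(vid)
        if self.untagged == vid:
            self.untagged = None

    def forbid(self, vid: int) -> bool:
        """switchport forbidden vlan add <vid>; False if the VLAN is already allowed."""
        if vid in self.members():
            return False
        self.forbidden.add(vid)
        return True

    def classify(self, frame_vid: Optional[int]) -> Tuple[bool, Optional[int]]:
        """Ingress decision for one frame: (accepted, VLAN it is assigned to).

        frame_vid None means an untagged frame. VID 0 (priority-tagged) is
        treated as untagged, the 802.1Q rule; the manual does not discuss it.
        """
        if frame_vid is None or frame_vid == 0:
            if self.acceptable == "tagged":
                return False, None
            return True, self.pvid
        # Ingress filtering is permanently enabled on this switch: a tagged
        # frame is accepted only if the port is a member of that VLAN.
        if frame_vid not in self.members():
            return False, None
        return True, frame_vid


def build_uplink(hardened: bool) -> SwitchPort:
    """Constructed scenario: an uplink carrying VLANs 10 and 20 tagged.

    Left at factory defaults otherwise, an untagged frame from the far side
    lands in VLAN 1. Hardened, the port accepts tagged frames only, has its
    native VLAN moved to an otherwise unused VLAN 999, and drops VLAN 1.
    """
    port = SwitchPort("Eth1/25")
    port.allow(10)
    port.allow(20)
    if hardened:
        port.allow(999, tagged=False)   # VLAN 1 flips to tagged, PVID becomes 999
        port.remove(1)                  # and VLAN 1 leaves the port entirely
        port.acceptable = "tagged"
    return port
```

The hardened branch is the order that matters on this switch: because making VLAN 999 untagged silently converts VLAN 1 to a tagged member, VLAN 1 must still be removed explicitly, or a tagged VLAN 1 frame from the peer would be accepted.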
  • Page 551: Displaying Vlan Information

    Displaying VLAN Information Show VLAN Commands Command Function Mode Page show vlan Shows VLAN information 4-233 show interfaces status Displays status for the specified VLAN 4-165 vlan interface show interfaces Displays the administrative and 4-168 switchport operational status of an interface show vlan This command shows VLAN information.
  • Page 552: Configuring Private Vlans

    The following example shows how to display information for VLAN 1: Console#show vlan id 1 Vlan ID: Type: Static Name: DefaultVlan Status: Active Ports/Port channel: Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S) Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S) Eth1/10(S) Eth1/11(S) Eth1/12(S) Eth1/13(S) Eth1/14(S) Eth1/15(S) Eth1/16(S) Eth1/17(S) Eth1/18(S) Eth1/19(S) Eth1/20(S) Eth1/21(S) Eth1/22(S) Eth1/23(S) Eth1/24(S) Eth1/25(S)
  • Page 553 This section describes commands used to configure private VLANs. Private VLAN Commands Command Function Page Edit Private VLAN Groups private-vlan Adds or deletes primary, community, or 4-236 isolated VLANs private-vlan association Associates a community VLAN with a 4-237 primary VLAN Configure Private VLAN Interfaces...
  • Page 554: Private-Vlan

    5. Use the switchport private-vlan mapping command to assign a port to a primary VLAN. 6. Use the show vlan private-vlan command to verify your configuration settings. To configure isolated VLANs, follow these steps: 1. Use the private-vlan command to designate an isolated VLAN that will contain a single promiscuous port and one or more isolated ports.
  • Page 555: Private Vlan Association

    Default Setting None Command Mode VLAN Configuration Command Usage • Private VLANs are used to restrict traffic to ports within the same community or isolated VLAN, and channel traffic passing outside the community through promiscuous ports. When using community VLANs, they must be mapped to an associated “primary”...
  • Page 556: Switchport Mode Private-Vlan

    (Range: 1-4094, no leading zeroes). Default Setting None Command Mode VLAN Configuration Command Usage Secondary VLANs provide security for group members. The associated primary VLAN provides a common interface for access to other network resources within the primary VLAN (e.g., servers configured with promiscuous ports) and to resources outside of the primary VLAN (via promiscuous ports).
  • Page 557: Switchport Private-Vlan Host-Association

    Command Usage • To assign a promiscuous port to a primary VLAN, use the switchport private-vlan mapping command. To assign a host port to a community VLAN, use the switchport private-vlan host-association command. • To assign a promiscuous port or host port to an isolated VLAN, use the switchport private-vlan isolated command.
  • Page 558: Switchport Private-Vlan Isolated

    Example Console(config)#interface ethernet 1/3 Console(config-if)#switchport private-vlan host-association 3 Console(config-if)# switchport private-vlan isolated Use this command to assign an interface to an isolated VLAN. Use the no form to remove this assignment. Syntax switchport private-vlan isolated isolated-vlan-id no switchport private-vlan isolated isolated-vlan-id - ID of isolated VLAN.
  • Page 559: Show Vlan Private-Vlan

    switchport private-vlan mapping primary-vlan-id no switchport private-vlan mapping primary-vlan-id – ID of primary VLAN. (Range: 1-4094, no leading zeroes). Default Setting None Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage Promiscuous ports assigned to a primary VLAN can communicate with any other promiscuous ports in the same VLAN, and with the group members within any associated secondary VLANs.
  • Page 560 Command Mode Privileged Exec Example Console#show vlan private-vlan Primary Secondary Type Interfaces -------- ----------- ---------- ------------------------------ primary Eth1/ 3 community Eth1/ 4 Eth1/ 5 isolated Console#
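The private VLAN commands above (private-vlan, private-vlan association, switchport private-vlan mapping, host-association and isolated) define a forwarding policy that is easy to get subtly wrong, and show vlan private-vlan only lists membership, not who can reach whom. The model below is an added example for this page, not the switch's own code. It encodes the rules the manual states: promiscuous ports mapped to a primary VLAN reach every other promiscuous port in that primary and every host in its associated community VLANs; community hosts reach each other and the primary's promiscuous ports; an isolated VLAN holds a single promiscuous port plus hosts that reach only that port. The isolated VLAN is modelled as a stand-alone VLAN with no primary association, as the configuration steps above describe it; the port names and VLAN numbers in build_example() are constructed.

```python
"""Private VLAN forwarding model for the private-vlan commands above.

Added example for this page, not the switch's own code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Role:
    mode: str   # "promiscuous" or "host"
    vlan: int   # primary VLAN for a mapping, community or isolated VLAN otherwise


class PrivateVlans:
    def __init__(self) -> None:
        self.primary: Set[int] = set()
        self.community: Dict[int, Optional[int]] = {}   # community -> associated primary
        self.isolated: Set[int] = set()
        self.ports: Dict[str, Role] = {}

    # --- VLAN configuration mode ------------------------------------------
    def private_vlan(self, vid: int, kind: str) -> None:
        """private-vlan <vid> {primary | community | isolated}."""
        if kind == "primary":
            self.primary.add(vid)
        elif kind == "community":
            self.community[vid] = None
        elif kind == "isolated":
            self.isolated.add(vid)
        else:
            raise ValueError(kind)

    def association(self, primary: int, community: int) -> None:
        """private-vlan association: a community VLAN must map to a primary."""
        if primary not in self.primary or community not in self.community:
            raise ValueError("both an existing primary and community VLAN are required")
        self.community[community] = primary

    # --- interface configuration mode -------------------------------------
    def mapping(self, port: str, primary: int) -> None:
        """switchport private-vlan mapping: promiscuous port in a primary VLAN."""
        if primary not in self.primary:
            raise ValueError(f"VLAN {primary} is not a primary VLAN")
        self.ports[port] = Role("promiscuous", primary)

    def host_association(self, port: str, community: int) -> None:
        """switchport private-vlan host-association: host port in a community."""
        if self.community.get(community) is None:
            raise ValueError(f"community VLAN {community} must be associated with a primary first")
        self.ports[port] = Role("host", community)

    def isolated_port(self, port: str, vid: int, mode: str) -> None:
        """switchport private-vlan isolated: one promiscuous port, any number of hosts."""
        if vid not in self.isolated:
            raise ValueError(f"VLAN {vid} is not an isolated VLAN")
        if mode == "promiscuous" and Role("promiscuous", vid) in self.ports.values():
            raise ValueError("an isolated VLAN holds a single promiscuous port")
        self.ports[port] = Role(mode, vid)

    # --- forwarding decision ----------------------------------------------
    def can_forward(self, src: str, dst: str) -> bool:
        if src == dst:
            return False
        a, b = self.ports[src], self.ports[dst]
        if a.vlan in self.primary:          # a is a promiscuous port
            return b.vlan == a.vlan or self.community.get(b.vlan) == a.vlan
        if a.vlan in self.community:        # a is a community host
            return b.vlan == a.vlan or (
                b.mode == "promiscuous" and b.vlan == self.community[a.vlan])
        # isolated VLAN: traffic must involve its promiscuous port
        if b.vlan != a.vlan:
            return False
        return a.mode == "promiscuous" or b.mode == "promiscuous"

    def reachable(self, src: str) -> List[str]:
        """Every port src can send to; the view an audit actually needs."""
        return sorted(p for p in self.ports if self.can_forward(src, p))


def build_example() -> PrivateVlans:
    """Constructed topology: primary 2 with community 3, plus isolated VLAN 4."""
    pv = PrivateVlans()
    pv.private_vlan(2, "primary")
    pv.private_vlan(3, "community")
    pv.private_vlan(4, "isolated")
    pv.association(2, 3)
    pv.mapping("Eth1/3", 2)                      # server-facing promiscuous port
    pv.host_association("Eth1/4", 3)             # two hosts in community VLAN 3
    pv.host_association("Eth1/5", 3)
    pv.isolated_port("Eth1/6", 4, "promiscuous")
    pv.isolated_port("Eth1/7", 4, "host")         # hosts that may not see each other
    pv.isolated_port("Eth1/8", 4, "host")
    return pv
```

reachable() is the check worth running after every change: a host port whose list contains anything other than its community peers and the expected promiscuous port has been put in the wrong secondary VLAN.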
  • Page 561: Configuring Protocol-Based Vlans

    Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
  • Page 562: Protocol-Vlan Protocol-Group (Configuring Groups)

    3. Then map the protocol for each interface to the appropriate VLAN using the protocol-vlan protocol-group command (Interface Configuration mode). protocol-vlan protocol-group (Configuring Groups) This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group. Syntax protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol]...
  • Page 563: Protocol-Vlan Protocol-Group (Configuring Interfaces)

    protocol-vlan protocol-group (Configuring Interfaces) This command maps a protocol group to a VLAN for the current interface. Use the no form to remove the protocol mapping for this interface. Syntax protocol-vlan protocol-group group-id vlan vlan-id no protocol-vlan protocol-group group-id vlan - group-id - Group identifier of this protocol group.
  • Page 564: Show Protocol-Vlan Protocol-Group

    The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2. Console(config)#interface ethernet 1/1 Console(config-if)#protocol-vlan protocol-group 1 vlan 2 Console(config-if)# show protocol-vlan protocol-group This command shows the frame and protocol type associated with protocol groups.
  • Page 565: Priority Commands

    - unit - Stack unit. (Range: 1-8) - port - Port number. (Range: 1-26/50) • port-channel channel-id (Range: 1-32) Default Setting The mapping for all interfaces is displayed. Command Mode Privileged Exec Example This shows that traffic entering Port 1 that matches the specifications for protocol group 1 will be mapped to VLAN 2: Console#show interfaces protocol-vlan protocol-group Port...
  • Page 566: Queue Mode

    Priority Commands (Layer 2) Command Function Page queue mode Sets the queue mode to strict priority or 4-248 Weighted Round-Robin (WRR) switchport priority Sets a port priority for incoming untagged 4-249 default frames queue bandwidth Assigns round-robin weights to the priority 4-250 queues queue cos map...
  • Page 567: Switchport Priority Default

    Command Mode Global Configuration Command Usage You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue.
  • Page 568: Queue Bandwidth

    switchport priority. • The default priority applies for an untagged frame received on a port set to accept all frame types (i.e., receives both untagged and tagged frames). This priority does not apply to IEEE 802.1Q VLAN tagged frames. If the incoming frame is an IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used.
  • Page 569: Queue Cos-Map

    Default Setting Weights 1, 2, 4, 8 are assigned to queues 0-3 respectively. Command Mode Global Configuration Command Usage WRR controls bandwidth sharing at the egress port by defining scheduling weights. Example This example shows how to assign WRR weights to priority queues 0 - 2: Console(config)#queue bandwidth 6 9 12 Console(config)# Related Commands...
  • Page 570: Show Queue Mode

    This switch supports Class of Service by using four priority queues, with Weighted Round Robin queuing for each port. Eight separate traffic classes are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown below.
  • Page 571: Show Queue Bandwidth

    Privileged Exec Example Console#show queue mode Queue mode: wrr Console# show queue bandwidth This command displays the weighted round-robin (WRR) bandwidth allocation for the four priority queues. Default Setting None Command Mode Privileged Exec Example Console#show queue bandwidth Queue ID Weight --------...
  • Page 572: Map Ip Dscp (Global Configuration)

    None Command Mode Privileged Exec Example Console#show queue cos-map ethernet 1/1 Information of Eth 1/1 Traffic Class : 0 1 2 3 4 5 6 7 Priority Queue: 1 0 0 1 2 2 3 3 Console# Priority Commands (Layer 3 and 4) Command Function...
  • Page 573: Map Ip Dscp (Interface Configuration)

    The following example shows how to enable IP DSCP mapping globally: Console(config)#map ip dscp Console(config)# map ip dscp (Interface Configuration) This command sets IP DSCP priority (i.e., Differentiated Services Code Point priority). Use the no form to restore the default table. Syntax map ip dscp dscp-value cos cos-value no map ip dscp...
  • Page 574: Show Map Ip Dscp

    • DSCP priority values are mapped to default Class of Service values according to recommendations in the IEEE 802.1p standard, and then subsequently mapped to the four hardware priority queues. • This command sets the IP DSCP priority for all interfaces. Example The following example shows how to map IP DSCP value 1 to CoS value Console(config)#interface ethernet 1/5...
  • Page 575: Quality Of Service Commands

    Example Console#show map ip dscp ethernet 1/1 DSCP mapping status: disabled Port DSCP COS --------- ---- --- Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Eth 1/ 1 Console# Related Commands map ip dscp (Global Configuration) (4-254)
  • Page 576 Quality of Service Commands Command Function Page police Defines an enforcer for classified traffic 4-264 service-policy Applies a policy map defined by the policy-map 4-265 command to the input of a particular interface show Displays the QoS class maps which define 4-266 class-map matching criteria used for classifying traffic...
  • Page 577: Class-Map

    7. Use the service-policy command to assign a policy map to a specific interface. Notes: 1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map. 2.
  • Page 578: Match

    This example creates a class map called “rd_class,” and sets it to match packets marked for DSCP service value 3: Console(config)#class-map rd_class match-any Console(config-cmap)#match ip dscp 3 Console(config-cmap)# Related Commands show class-map (4-266) match This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria.
  • Page 579: Policy-Map

    This example creates a class map called “rd_class#1,” and sets it to match packets marked for DSCP service value 3: Console(config)#class-map rd_class#1 match-any Console(config-cmap)#match ip dscp 3 Console(config-cmap)# This example creates a class map called “rd_class#2,” and sets it to match packets marked for IP Precedence service value 5: Console(config)#class-map rd_class#2 match-any Console(config-cmap)#match ip precedence 5...
  • Page 580: Class

    • A policy map can contain multiple class statements that can be applied to the same interface with the service-policy command (page 4-265). • You must create a Class Map (page 4-261) before assigning it to a Policy Map. Example This example creates a policy called “rd_policy,”...
  • Page 581: Set

    - set command classifies the service that an IP packet will receive. - police command defines the maximum throughput, burst rate, and the action that results from a policy violation. • You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map. Example This example creates a policy called “rd_policy,”...
  • Page 582: Police

    Example This example creates a policy called “rd_policy,” uses the class command to specify the previously defined “rd_class,” uses the set command to classify the service that incoming packets will receive, and then uses the police command to limit the average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets.
  • Page 583: Service-Policy

    • Policing is based on a token bucket, where the bucket depth (i.e., the maximum burst before the bucket overflows) is specified by the burst-byte field, and the average rate at which tokens are removed from the bucket is specified by the rate-bps option. Example This example creates a policy called “rd_policy,”...
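The police command's two numbers only make sense together, and the page's own values (100,000 Kbps, 1522 bytes, drop on violation) are a good case to work through: a bucket only 1522 bytes deep accepts a single full-size frame and then depends entirely on the refill rate. The following is an added example for this page, not the switch firmware's code: a standard token-bucket policer with depth = burst-byte and refill = rate-bps, run over two constructed packet traces. Time is kept in microseconds and tokens as exact fractions so the arithmetic is reproducible; the assumption that the bucket starts full and that the rate value is entered in kbps (100,000 = 100 Mbps, as the page's example implies) are this example's.

```python
"""Token-bucket policer matching the police command's parameters.

Added example for this page, not the switch firmware's code. The packet
traces returned by the two trace builders are constructed.
"""
from fractions import Fraction
from typing import List, Tuple


class TokenBucketPolicer:
    def __init__(self, rate_kbps: int, burst_bytes: int) -> None:
        # rate-bps is entered in kbps on this switch (100,000 = 100 Mbps)
        self.rate_per_us = Fraction(rate_kbps * 1000, 8 * 1_000_000)  # bytes per microsecond
        self.depth = burst_bytes                                        # burst-byte
        self.tokens = Fraction(burst_bytes)                             # bucket starts full
        self.last_us = 0

    def offer(self, t_us: int, size: int) -> str:
        """Return 'conform' or 'drop' for a packet of `size` bytes arriving at t_us."""
        if t_us < self.last_us:
            raise ValueError("packets must be offered in time order")
        refill = (t_us - self.last_us) * self.rate_per_us
        self.tokens = min(Fraction(self.depth), self.tokens + refill)
        self.last_us = t_us
        if size <= self.tokens:
            self.tokens -= size      # conforming packet consumes its bytes
            return "conform"
        return "drop"                # violation: the action the page's example sets


def police(trace: List[Tuple[int, int]], rate_kbps: int = 100_000,
           burst_bytes: int = 1522) -> List[str]:
    """Run a (t_us, size) trace through a fresh policer and return the verdicts."""
    p = TokenBucketPolicer(rate_kbps, burst_bytes)
    return [p.offer(t, s) for t, s in trace]


def trace_at_100mbps(n: int = 10) -> List[Tuple[int, int]]:
    # 1500-byte frames every 120 us: 12,000 bits / 120 us = 100 Mbps exactly
    return [(i * 120, 1500) for i in range(n)]


def trace_at_1gbps(n: int = 10) -> List[Tuple[int, int]]:
    # the same frames back-to-back at gigabit pace (one every 12 us)
    return [(i * 12, 1500) for i in range(n)]
```

With the page's parameters the 100 Mbps trace conforms in full, because each 120 µs gap refills exactly the 1500 bytes the previous frame consumed, while a gigabit burst of the same frames gets one frame through and loses the next nine: 12 µs refills only 150 bytes, and the 1522-byte bucket never accumulates enough for a second full-size frame. Raising burst-byte (the third call in the checks below uses 20,000) absorbs the burst; that is the knob to reason about when a rate limit is meant to blunt a flood rather than shape a smooth flow.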
  • Page 584: Show Class-Map

    • You must first define a class map, then define a policy map, and finally use the service-policy command to bind the policy map to the required interface. Example This example applies a service policy to an ingress interface. Console(config)#interface ethernet 1/1 Console(config-if)#service-policy input rd_policy Console(config-if)# show class-map...
  • Page 585: Show Policy-Map

    show policy-map This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations. Syntax show policy-map [policy-map-name [class class-map-name]] - policy-map-name - Name of the policy map. (Range: 1-16 characters) - class-map-name - Name of the class map.
  • Page 586: Multicast Filtering Commands

    Command Mode Privileged Exec Example Console#show policy-map interface ethernet 1/5 Service-policy rd_policy input Console# Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only.
  • Page 587: Igmp Snooping Commands

    IGMP Snooping Commands Command Function Mode Page ip igmp snooping Enables IGMP snooping 4-270 ip igmp snooping vlan Adds an interface as a member of a 4-270 static multicast group ip igmp snooping Configures the IGMP version for 4-271 version snooping...
  • Page 588: Ip Igmp Snooping

    ip igmp snooping This command enables IGMP snooping on this switch. Use the no form to disable it. Syntax [no] ip igmp snooping Default Setting Enabled Command Mode Global Configuration Example The following example enables IGMP snooping. Console(config)#ip igmp snooping Console(config)# ip igmp snooping vlan static This command adds a port to a multicast group.
  • Page 589: Ip Igmp Snooping Version

    Global Configuration Example The following shows how to statically configure a multicast group on a port: Console(config)#ip igmp snooping vlan 1 static 224.0.0.12 ethernet Console(config)# ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default.
  • Page 590: Ip Igmp Snooping Leave-Proxy

    ip igmp snooping leave-proxy This command enables IGMP leave proxy on the switch. Use the no form to disable the feature. Syntax [no] ip igmp snooping leave-proxy Default Setting Disabled Command Mode Global Configuration Command Usage • The IGMP snooping leave-proxy feature suppresses all unnecessary IGMP leave messages so that the non-querier switch forwards an IGMP leave packet only when the last dynamic member port leaves a multicast group.
  • Page 591: Show Ip Igmp Snooping

    Command Usage The IGMP snooping immediate-leave feature enables a Layer 2 LAN interface to be removed from the multicast forwarding table without first sending an IGMP group-specific query to the interface. Upon receiving a group-specific IGMPv2 leave message, the switch immediately removes the interface from the Layer 2 forwarding table entry for that multicast group, unless a multicast router was learned on the port.
  • Page 592: Show Mac-Address-Table Multicast

    show mac-address-table multicast This command shows known multicast addresses. Syntax show mac-address-table multicast [vlan vlan-id] [user | igmp-snooping] - vlan-id - VLAN ID (1 to 4094) - user - Display only the user-configured multicast entries. - igmp-snooping - Display only entries learned through IGMP snooping.
  • Page 593: Igmp Query Commands (Layer 2)

    IGMP Query Commands (Layer 2) Command Function Mode Page ip igmp snooping Allows this device to act as the querier 4-275 querier for IGMP snooping ip igmp snooping Configures the query count 4-276 query-count ip igmp snooping...
  • Page 594: Ip Igmp Snooping Query-Count

    ip igmp snooping query-count This command configures the query count. Use the no form to restore the default. Syntax ip igmp snooping query-count count no ip igmp snooping query-count count - The maximum number of queries issued for which there has been no response before the switch takes action to drop a client from the multicast group.
  • Page 595: Ip Igmp Snooping Query-Interval

    ip igmp snooping query-interval This command configures the query interval. Use the no form to restore the default. Syntax ip igmp snooping query-interval seconds no ip igmp snooping query-interval seconds - The frequency at which the switch sends IGMP host-query messages.
  • Page 596: Ip Igmp Snooping Router-Port-Expire-Time

    • The switch must be using IGMPv2 for this command to take effect. • This command defines the time after a query, during which a response is expected from a multicast client. If a querier has sent a number of queries defined by the ip igmp snooping query-count, but a client has not responded, a countdown timer is started using an initial value set by this command.
  • Page 597: Static Multicast Routing Commands

    Command Usage The switch must use IGMPv2 for this command to take effect. Example The following shows how to configure the default timeout to 300 seconds: Console(config)#ip igmp snooping router-port-expire-time 300 Console(config)# Related Commands ip igmp snooping version (4-271) Static Multicast Routing Commands Command...
  • Page 598: Show Ip Igmp Snooping Mrouter

    Command Mode Global Configuration Command Usage Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your router, you can manually configure that interface to join all the current multicast groups.
  • Page 599 The following shows that port 11 in VLAN 1 is attached to a multicast router: Console#show ip igmp snooping mrouter vlan 1 VLAN M'cast Router Ports Type ---- ------------------- ------- Eth 1/11 Static Eth 1/12 Static Console#
  • Page 600: Multicast Vlan Registration Commands

    Multicast VLAN Registration Commands This section describes commands used to configure Multicast VLAN Registration (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all subscribers. This can significantly reduce the processing overhead required to dynamically monitor and establish the distribution tree for a normal multicast VLAN.
  • Page 601: Mvr (Global Configuration)

    mvr (Global Configuration) This command enables Multicast VLAN Registration (MVR) globally on the switch, statically configures MVR multicast group IP address(es) using the group keyword, or specifies the MVR VLAN identifier using the vlan keyword. Use the no form of this command without any keywords to globally disable MVR.
  • Page 602: Mvr (Interface Configuration)

    Command Usage • Use the mvr group command to statically configure all multicast group addresses that will join the MVR VLAN. Any multicast data associated with an MVR group is sent from all source ports, and to all receiver ports that have registered to receive data from that multicast group.
  • Page 603 message for that group. - ip-address - Statically configures an interface to receive multicast traffic from the IP address specified for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.255) Default Setting • The port type is not defined. •...
  • Page 604 Command Usage • A port which is not configured as an MVR receiver or source port can use IGMP snooping to join or leave multicast groups using the standard rules for multicast filtering. • MVR receiver ports cannot be members of a trunk. Receiver ports can belong to different VLANs, but should not be configured as a member of the MVR VLAN.
  • Page 605: Show Mvr

    The following configures one source port and several receiver ports on the switch, enables immediate leave on one of the receiver ports, and statically assigns a multicast group to another receiver port: Console(config)#interface ethernet 1/5 Console(config-if)#mvr type source Console(config-if)#exit Console(config)#interface ethernet 1/6 Console(config-if)#mvr type receiver...
  • Page 606: Mvr Vlan

    Enter this command without any keywords to display the global settings for MVR. Use the interface keyword to display information about interfaces attached to the MVR VLAN. Or use the members keyword to display information about multicast groups assigned to the MVR VLAN.
  • Page 607 ULTICAST ILTERING OMMANDS show mvr interface - display description Field Description Port Shows interfaces attached to the MVR. Type Shows the MVR port type. Status Shows the MVR status and interface status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch.
  • Page 608: Ip Interface Commands

    IP Interface Commands An IP address may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on.
  • Page 609 - bootp - Obtains IP address from BOOTP. - dhcp - Obtains IP address from DHCP. Default Setting DHCP Command Mode Interface Configuration (VLAN) Command Usage • You must assign an IP address to this device to gain management access over the network.
  • Page 610: Ip Default-Gateway

    ip dhcp restart (4-292) ip default-gateway This command establishes a static route between this switch and devices that exist on another network segment. Use the no form to remove the static route. Syntax ip default-gateway gateway no ip default-gateway gateway - IP address of the default gateway Default Setting No static route is established.
  • Page 611 Command Usage • This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command. • DHCP requires the server to reassign the client’s last address if available.
  • Page 612: Ping

    show ip redirects This command shows the default gateway configured for this device. Default Setting None Command Mode Privileged Exec Example Console#show ip redirects IP default gateway 10.1.0.254 Console# Related Commands ip default-gateway (4-292) ping This command sends ICMP echo request packets to another node on the network.
  • Page 613 • Normal response - The normal response occurs in one to ten seconds, depending on network traffic. • Destination does not respond - If the host does not respond, a “timeout” appears in ten seconds. • Destination unreachable - The gateway for this destination indicates that the destination is unreachable.
  • Page 614: Ip Source Guard Commands

    IP Source Guard Commands IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or static and dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping Commands”...
• Page 615 IP SOURCE GUARD COMMANDS Disabled Command Mode Interface Configuration (Ethernet) Command Usage • Source guard is used to filter traffic on an unsecure port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor.
  • Page 616: Ip Source-Guard Binding

    • If the DHCP snooping is enabled, IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, static DHCP snooping binding or dynamic DHCP snooping binding, the packet will be forwarded.
• Page 617 IP SOURCE GUARD COMMANDS Default Setting No configured entries Command Mode Global Configuration Command Usage • Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding, Static-DHCP-Binding), VLAN identifier, and port identifier. • All static entries are configured with an infinite lease time, which is indicated with a value of zero by the show ip source-guard command (page -300).
  • Page 618 ip dhcp snooping (4-301) ip dhcp snooping vlan (4-304) show ip source-guard This command shows whether source guard is enabled or disabled on each interface. Command Mode Privileged Exec Example Console#show ip source-guard Interface Filter-type --------- ----------- Eth 1/1 DISABLED Eth 1/2 DISABLED Eth 1/3...
  • Page 619: Dhcp Snooping Commands

DHCP SNOOPING COMMANDS DHCP Snooping Commands DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port.
  • Page 620 [no] ip dhcp snooping Default Setting Disabled Command Mode Global Configuration Command Usage • Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on an unsecure interface from outside the network or firewall.
• Page 621 DHCP SNOOPING COMMANDS If the DHCP packet is a reply packet from a DHCP server (including OFFER, ACK or NAK messages), the packet is dropped. If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table.
  • Page 622: Ip Dhcp Snooping Vlan

    ip dhcp snooping trust (4-305) ip dhcp snooping vlan This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting. Syntax [no] ip dhcp snooping vlan vlan-id vlan-id - ID of a configured VLAN (Range: 1-4094) Default Setting Disabled Command Mode...
  • Page 623: Ip Dhcp Snooping Trust

DHCP SNOOPING COMMANDS ip dhcp snooping trust (4-305) ip dhcp snooping trust This command configures the specified interface as trusted. Use the no form to restore the default setting. Syntax [no] ip dhcp snooping trust Default Setting All interfaces are untrusted Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage...
  • Page 624: Ip Dhcp Snooping Verify Mac-Address

    Related Commands ip dhcp snooping (4-301) ip dhcp snooping vlan (4-304) ip dhcp snooping verify mac-address This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable this function.
  • Page 625: Ip Dhcp Snooping Information Option

DHCP SNOOPING COMMANDS ip dhcp snooping information option This command enables the DHCP Option 82 information relay for the switch. Use the no form to disable this function. Syntax [no] ip dhcp snooping information option Default Setting Disabled Command Mode Global Configuration Command Usage •...
  • Page 626: Ip Dhcp Snooping Database Flash

    ip dhcp snooping information policy <drop | keep | replace> - drop - Discards the Option 82 information in a packet and then floods it to the entire VLAN. - keep - Retains the client’s DHCP information - replace - Overwrites the DHCP client packet information with the switch’s relay information.
  • Page 627: Show Ip Dhcp Snooping

DHCP SNOOPING COMMANDS Example Console(config)#ip dhcp snooping database flash Console(config)# show ip dhcp snooping This command shows the DHCP snooping configuration settings. Command Mode Privileged Exec Example Console#show ip dhcp snooping Global DHCP Snooping status: disable DHCP Snooping is configured on the following VLANs: Verify Source Mac-Address: enable Interface Trusted...
  • Page 628: Switch Cluster Commands

Switch Cluster Commands Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. A switch cluster has a “Commander” unit that is used to manage all other “Member” switches in the cluster. The management station uses Telnet to communicate directly with the Commander through its IP address, and the Commander manages Member switches using cluster “internal”...
  • Page 629: Cluster Commander

SWITCH CLUSTER COMMANDS Command Mode Global Configuration Command Usage • To create a switch cluster, first be sure that clustering is enabled on the switch (the default is enabled), then set the switch as a Cluster Commander. Set a Cluster IP Pool that does not conflict with any other IP subnets in the network.
  • Page 630: Cluster Ip-Pool

    to connect to the Member switch. Example Console(config)#cluster commander Console(config)# cluster ip-pool This command sets the cluster IP address pool. Use the no form to reset to the default address. Syntax cluster ip-pool <ip-address> no cluster ip-pool ip-address - The base IP address for IP addresses assigned to cluster Members.
  • Page 631: Cluster Member

SWITCH CLUSTER COMMANDS cluster member This command configures a Candidate switch as a cluster Member. Use the no form to remove a Member switch from the cluster. Syntax cluster member mac-address <mac-address> id <member-id> no cluster member id <member-id> mac-address - The MAC address of the Candidate switch. member-id - The ID number to assign to the Member switch.
  • Page 632: Show Cluster

console CLI on the Commander is not supported. • There is no need to enter the username and password for access to the Member switch CLI. Example Vty-0#rcommand id 1 CLI session with the 24/48 L2/L4 GE Switch is opened. To end the CLI session, enter [Exit].
  • Page 633: Show Cluster Candidates

SWITCH CLUSTER COMMANDS show cluster candidates This command shows the discovered Candidate switches in the network. Command Mode Privileged Exec Example Console#show cluster candidates Cluster Candidates: Role Description --------------- ----------------- ----------------------------------------- ACTIVE MEMBER 00-12-cf-23-49-c0 24/48 L2/L4 IPV4/IPV6 GE Switch CANDIDATE 00-12-cf-0b-47-a0 24/48 L2/L4 IPV4/IPV6 GE Switch Console# 4-315...
  • Page 635: Software Specifications

APPENDIX SOFTWARE SPECIFICATIONS Software Features Authentication Local, RADIUS, TACACS, Port (802.1X), HTTPS, SSH, Port Security Access Control Lists IP, MAC; 100 rules per system Power over Ethernet DHCP Client Port Configuration 100BASE-TX: 10/100 Mbps, half/full duplex 1000BASE-T: 10/100 Mbps at half/full duplex, 1000 Mbps at full duplex 1000BASE-SX/LX/LH - 1000 Mbps at full duplex (SFP) Flow Control Full Duplex: IEEE 802.3-2002...
  • Page 636: Management Features

SOFTWARE SPECIFICATIONS Dynamic trunks (Link Aggregation Control Protocol) Spanning Tree Algorithm Spanning Tree Protocol (STP, IEEE 802.1D) Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) VLAN Support Up to 255 groups; port-based or tagged (802.1Q), Private VLANs Protocol-based VLANs Class of Service Supports 4 levels of priority and Weighted Round Robin Queueing (which can be configured by VLAN tag or port), Layer 3/4 priority mapping: IP DSCP...
  • Page 637: Standards

SOFTWARE SPECIFICATIONS Software Loading TFTP in-band or XModem out-of-band SNMP Management access via MIB database Trap management to specified hosts RMON Groups 1, 2, 3, 9 (Statistics, History, Alarm, Event) Standards IEEE 802.1D Spanning Tree Protocol and traffic priorities IEEE 802.1p Priority tags IEEE 802.1Q VLAN IEEE 802.1v Protocol-based VLANs IEEE 802.1w Rapid Spanning Tree Protocol...
  • Page 638: Management Information Bases

SOFTWARE SPECIFICATIONS Management Information Bases Bridge MIB (RFC 1493) Differentiated Services MIB (RFC 3289) Entity MIB (RFC 2737) Ether-like MIB (RFC 2665) Extended Bridge MIB (RFC 2674) Extensible SNMP Agents MIB (RFC 2742) Forwarding Table MIB (RFC 2096) IGMP MIB (RFC 2933) Interface Group MIB (RFC 2233) Interfaces Evolution MIB (RFC 2863) IP Multicasting related MIBs...
  • Page 639: Troubleshooting

APPENDIX TROUBLESHOOTING Problems Accessing the Management Interface Table B-1 Troubleshooting Chart Symptom Action Cannot connect using Telnet, web browser, or SNMP software: • Be sure the switch is powered up. • Check network cabling between the management station and the switch. •...
  • Page 640 ...program via a serial port connection: (9600, 19200, 38400, 57600, 115200 bps). • Check that the null-modem serial cable conforms to the pin-out connections provided in the Installation Guide. Forgot or lost the password: • Contact SMC Technical Support for help...
  • Page 641: Using System Logs

USING SYSTEM LOGS Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: 1.
  • Page 643: Glossary

GLOSSARY Access Control List (ACL) ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Boot Protocol (BOOTP) BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device’s system files, and the name of the boot file.
  • Page 644 GLOSSARY Dynamic Host Control Protocol (DHCP) Provides a framework for passing configuration information to hosts on a TCP/IP network. DHCP is based on the Bootstrap Protocol (BOOTP), adding the capability of automatic allocation of reusable network addresses and additional configuration options. Extensible Authentication Protocol over LAN (EAPOL) EAPOL is a client authentication protocol used by this switch to verify the network access rights for any device that is plugged into the switch.
  • Page 645 GLOSSARY IEEE 802.1D Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol. IEEE 802.1Q VLAN Tagging—Defines Ethernet frame tags which carry VLAN information. It allows switches to assign endstations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks.
  • Page 646: Ip Multicast Filtering

GLOSSARY IGMP Snooping Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members. IGMP Query On each subnetwork, one IGMP-capable device will act as the querier — that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong.
  • Page 647: Multicast Switching

GLOSSARY Link Aggregation Control Protocol (LACP) Allows ports to automatically negotiate a trunked link with LACP-configured ports on another device. Management Information Base (MIB) An acronym for Management Information Base. It is a set of database objects that contains information about a specific device. MD5 Message-Digest Algorithm An algorithm that is used to create digital signatures.
  • Page 648: Port Mirroring

GLOSSARY Port Mirroring A method whereby data on a target port is mirrored to a monitor port for troubleshooting with a logic analyzer or RMON probe. This allows data on the target port to be studied unobtrusively. Port Trunk Defines a network link aggregation and trunking method which specifies how to create a single high-speed logical link that combines several lower-speed physical links.
  • Page 649 GLOSSARY Simple Network Management Protocol (SNMP) The application protocol in the Internet suite of protocols which offers network management services. Simple Network Time Protocol (SNTP) SNTP allows a device to set its internal clock based on periodic updates from a Network Time Protocol (NTP) server. Updates can be requested from a specific NTP server, or can be received via broadcasts sent by NTP servers.
  • Page 650 GLOSSARY User Datagram Protocol (UDP) UDP provides a datagram mode for packet-switched communications. It uses IP as the underlying transport mechanism to provide access to IP-like services. UDP packets are delivered just like IP packets – connection-less datagrams that may be discarded before reaching their targets. UDP is useful when TCP would be too complex, too slow, or just unnecessary.
  • Page 651: Index

INDEX Numerics configuring 3-204 4-247 4-257 802.1X, port authentication 3-86 3-96 DSCP 3-213 4-254 layer 3/4 priorities 3-211 4-254 queue mapping 3-206 4-251 queue mode 3-209 4-248 traffic class weights 3-210 4-250 acceptable frame type 3-190 4-227 Access Control List See ACL Extended IP 4-122 4-123 4-126...
  • Page 652 INDEX IP address BOOTP/DHCP 3-22 4-290 4-292 edge port, STA 3-163 3-166 4-208 setting 2-6 3-19 4-290 event logging 4-59 IP precedence enabling 3-212 IP source guard configuring static entries 4-298 setting filter criteria 4-296 firmware isolated ports 3-193 4-234 displaying version 3-15 4-85 upgrading 3-25...
  • Page 653 INDEX MSTP 4-195 ports global settings 4-193 autonegotiation 3-112 4-159 interface settings 4-194 broadcast storm threshold 3-129 multicast filtering 3-226 3-237 3-258 4-164 4-268 capabilities 3-112 4-160 multicast groups 3-234 4-274 duplex mode 3-112 4-158 displaying 4-274 flow control 3-112 4-161 static 3-234 4-270...
  • Page 654 INDEX RSTP 3-149 4-195 startup files global configuration 3-151 4-195 creating 3-29 displaying 3-25 4-80 setting 3-25 4-95 static addresses, setting 3-145 4-188 statistics secure shell 3-77 4-46 port 3-134 4-166 configuration 3-77 4-50 4-51 STP 3-155 4-195 serial port STP Also see STA configuring 4-15 system clock, setting 3-44...
  • Page 655 INDEX 4-219 displaying port members 3-181 4-233 egress mode 3-191 4-226 interface configuration 3-190 – 4-227 4-231 private 3-192 3-203 4-234 protocol 4-243 Web interface access requirements 3-1 configuration buttons 3-4 home page 3-3 menu list 3-5 panel display 3-4 Index-5...
  • Page 658 Fax 82-2-553-7202 Japan: 81-45-224-2332 Fax 81-45-224-2331 Australia: 61-2-8875-7887 Fax 61-2-8875-7777 India: 91-22-8204437 Fax 91-22-8204443 If you are looking for further contact information, please visit www.smc.com. 20 Mason Model Numbers: SMC6128PL2 Irvine, CA 92618 Publication Number: 149100032800A E022007-JC-R01 Phone: (949) 679-8000...
