SMC Networks 6152PL2 Management Manual

TigerSwitch 10/100 24-port 10/100 switch with PoE, IP clustering and 4 gigabit ports

SMC6128PL2
SMC6152PL2

Management Guide

TigerSwitch™ 10/100
24-Port 10/100 Switch with PoE, IP Clustering and 4 Gigabit Ports

Summary of Contents for SMC Networks 6152PL2

  • Page 1: Management Guide

    Management Guide TigerSwitch 10/100 SMC6128PL2 24-Port 10/100 Switch with PoE, SMC6152PL2 IP Clustering and 4 Gigabit Ports...
  • Page 3 TigerSwitch 10/100 Management Guide From SMC's Tiger line of feature-rich workgroup LAN solutions 20 Mason May 2009 Pub. # 149100000007A Irvine, CA 92618 E052009-MW-R01 Phone: (949) 679-8000...
  • Page 4 No license is granted by implication or otherwise under any patent or patent rights of SMC. SMC reserves the right to change specifications at any time without notice.
  • Page 5 Warranty and Product Registration To register SMC products and to review the detailed warranty statement, please refer to the Support Section of the SMC Website at http://www.smc.com.
  • Page 7: About This Guide

    About This Guide Purpose This guide gives specific information on how to operate and use the management functions of the switch. Audience The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
  • Page 8 viii...
  • Page 9: Table Of Contents

    Contents Chapter 1: Introduction Key Features Description of Software Features System Defaults Chapter 2: Initial Configuration Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Setting an IP Address Manual Configuration Dynamic Configuration Enabling SNMP Management Access Community Strings (for SNMP version 1 and 2c clients) Trap Receivers...
  • Page 10 Contents Downloading System Software from a Server 3-26 Saving or Restoring Configuration Settings 3-28 Downloading Configuration Settings from a Server 3-29 Uploading and Downloading Files Using HTTP 3-30 Console Port Settings 3-32 Telnet Settings 3-34 Configuring Event Logging 3-36 System Log Configuration 3-36 Remote Log Configuration 3-37...
  • Page 11 Contents Authorization Settings 3-85 Authorization EXEC Settings 3-86 Authorization Summary 3-87 Configuring HTTPS 3-88 Replacing the Default Secure-site Certificate 3-89 Configuring the Secure Shell 3-90 Generating the Host Key Pair 3-93 Importing User Public Keys 3-95 Configuring the SSH Server 3-97 Configuring 802.1X Port Authentication 3-99...
  • Page 12 Contents Displaying DHCP Snooping Binding Information 3-149 IP Source Guard 3-150 Configuring Ports for IP Source Guard 3-150 Configuring Static Binding for IP Source Guard 3-152 Displaying Information for Dynamic IP Source Guard Bindings 3-154 Port Configuration 3-155 Displaying Connection Status 3-155 Configuring Interface Connections 3-157...
  • Page 13 Contents Enabling or Disabling GVRP (Global Setting) 3-219 Displaying Basic VLAN Information 3-220 Displaying Current VLANs 3-221 Creating VLANs 3-222 Adding Static Members to VLANs (VLAN Index) 3-224 Adding Static Members to VLANs (Port Index) 3-226 Configuring VLAN Behavior for Interfaces 3-227 Configuring IEEE 802.1Q Tunneling 3-229...
  • Page 14 Contents Configuring a Class Map 3-273 Creating QoS Policies 3-275 Attaching a Policy Map to Ingress Queues 3-278 VoIP Traffic Configuration 3-279 Configuring VoIP Traffic 3-279 Configuring VoIP Traffic Ports 3-280 Configuring Telephony OUI 3-282 Multicast Filtering 3-284 Layer 2 IGMP (Snooping and Query) 3-285 Configuring IGMP Snooping and Query Parameters 3-286...
  • Page 15 Contents Telnet Connection Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion Getting Help on Commands Showing Commands Partial Keyword Lookup Negating the Effect of Commands Using Command History Understanding Command Modes Exec Commands Configuration Commands Command Line Processing Command Groups 4-10 General Commands 4-11...
  • Page 16 Contents show running-config 4-30 show system 4-33 show users 4-33 show version 4-34 Frame Size Commands 4-35 jumbo frame 4-35 File Management Commands 4-36 copy 4-37 delete 4-40 4-40 whichboot 4-41 boot system 4-42 upgrade opcode auto 4-42 upgrade opcode path 4-43 Line Commands 4-44...
  • Page 17 Contents logging sendmail source-email 4-64 logging sendmail destination-email 4-65 logging sendmail 4-65 show logging sendmail 4-65 Time Commands 4-67 sntp client 4-68 sntp server 4-69 sntp poll 4-69 show sntp 4-70 ntp client 4-70 ntp server 4-71 ntp poll 4-72 ntp authenticate 4-72 ntp authentication-key...
  • Page 18 Contents show snmp engine-id 4-97 snmp-server view 4-97 show snmp view 4-98 snmp-server group 4-99 show snmp group 4-100 snmp-server user 4-101 show snmp user 4-102 Flow Sampling Commands 4-103 sflow 4-104 sflow source 4-104 sflow sample 4-105 sflow polling-interval 4-105 sflow owner 4-106...
  • Page 19 Contents server 4-125 aaa accounting dot1x 4-126 aaa accounting exec 4-127 aaa accounting commands 4-128 aaa accounting update 4-129 accounting dot1x 4-129 accounting exec 4-130 accounting commands 4-130 aaa authorization exec 4-131 authorization exec 4-132 show accounting 4-132 Web Server Commands 4-133 ip http port 4-133...
  • Page 20 Contents management 4-156 show management 4-157 General Security Measures 4-158 Port Security Commands 4-159 port security 4-159 Network Access (MAC Address Authentication) 4-161 network-access aging 4-162 network-access mac-filter 4-162 network-access port-mac-filter 4-163 network-access max-mac-count 4-163 network-access mode 4-164 mac-authentication reauth-time 4-165 mac-authentication intrusion-action 4-166...
  • Page 21 Contents show ip dhcp snooping 4-186 show ip dhcp snooping binding 4-186 IP Source Guard Commands 4-187 ip source-guard 4-187 ip source-guard binding 4-189 show ip source-guard 4-190 show ip source-guard binding 4-190 ARP Inspection Commands 4-191 ip arp inspection 4-191 ip arp inspection vlan 4-192...
  • Page 22 Contents show mac access-group 4-218 ACL Information 4-219 show access-list 4-219 show access-group 4-219 Interface Commands 4-220 interface 4-221 description 4-221 speed-duplex 4-222 negotiation 4-223 capabilities 4-224 flowcontrol 4-225 media-type 4-226 giga-phy-mode 4-226 shutdown 4-227 switchport packet-rate 4-228 clear counters 4-229 show interfaces brief 4-229...
  • Page 23 Contents lacp active/passive 4-255 show lacp 4-255 Mirror Port Commands 4-260 port monitor 4-260 show port monitor 4-261 Rate Limit Commands 4-263 rate-limit 4-263 Power over Ethernet Commands 4-264 power mainpower maximum allocation 4-264 power inline compatible 4-265 power inline 4-266 power inline maximum allocation 4-266...
  • Page 24 Contents spanning-tree root-guard 4-291 spanning-tree link-type 4-292 spanning-tree loopback-detection 4-292 spanning-tree loopback-detection release-mode 4-293 spanning-tree loopback-detection trap 4-294 spanning-tree mst cost 4-294 spanning-tree mst port-priority 4-295 spanning-tree protocol-migration 4-296 show spanning-tree 4-297 show spanning-tree mst configuration 4-299 VLAN Commands 4-299 GVRP and Bridge Extension Commands 4-300 bridge-ext gvrp...
  • Page 25 Contents private vlan association 4-324 switchport mode private-vlan 4-324 switchport private-vlan host-association 4-325 switchport private-vlan mapping 4-326 show vlan private-vlan 4-326 Configuring Protocol-based VLANs 4-327 protocol-vlan protocol-group (Configuring Groups) 4-328 protocol-vlan protocol-group (Configuring VLANs) 4-328 show protocol-vlan protocol-group 4-329 show protocol-vlan protocol-group-vid 4-330 Configuring IP Subnet VLANs 4-330...
  • Page 26 Contents lldp dot3-tlv link-agg 4-353 lldp dot3-tlv mac-phy 4-354 lldp dot3-tlv max-frame 4-354 lldp dot3-tlv poe 4-355 lldp medtlv extpoe 4-355 lldp medtlv inventory 4-356 lldp medtlv location 4-356 lldp medtlv med-cap 4-357 lldp medtlv network-policy 4-357 show lldp config 4-358 show lldp info local-device 4-360...
  • Page 27 Contents show ip igmp snooping 4-384 show mac-address-table multicast 4-384 IGMP Query Commands (Layer 2) 4-385 ip igmp snooping querier 4-385 ip igmp snooping query-count 4-386 ip igmp snooping query-interval 4-387 ip igmp snooping query-max-response-time 4-387 ip igmp snooping router-port-expire-time 4-388 Static Multicast Routing Commands 4-389...
  • Page 28 Contents Appendix A: Software Specifications Software Features Management Features Standards Management Information Bases Appendix B: Troubleshooting Problems Accessing the Management Interface Using System Logs Glossary Index xxviii...
  • Page 29 Tables Table 1-1 Key Features Table 1-2 System Defaults Table 3-1 Configuration Options Table 3-2 Main Menu Table 3-3 Logging Levels 3-36 Table 3-4 Supported Notification Messages 3-61 Table 3-5 HTTPS System Support 3-88 Table 3-6 802.1X Statistics 3-104 Table 3-7 Dynamic QoS Profiles 3-115 Table 3-8...
  • Page 30 Tables Table 4-21 SNMP Commands 4-88 Table 4-22 show snmp engine-id - display description 4-97 Table 4-23 show snmp view - display description 4-98 Table 4-24 show snmp group - display description 4-101 Table 4-26 sFlow Commands 4-103 Table 4-25 show snmp user - display description 4-103 Table 4-27...
  • Page 31 Tables Table 4-73 VLAN Command Groups 4-299 Table 4-74 GVRP and Bridge Extension Commands 4-300 Table 4-75 Editing VLAN Groups 4-304 Table 4-76 Configuring VLAN Interfaces 4-306 Table 4-77 Show VLAN Commands 4-313 Table 4-78 IEEE 802.1Q Tunneling Commands 4-314 Table 4-79 Traffic Segmentation Commands 4-318...
  • Page 32 Tables xxxii...
  • Page 33 Figures Figure 3-1 Home Page Figure 3-2 Panel Display Figure 3-3 System Information 3-14 Figure 3-4 Switch Information 3-15 Figure 3-5 Bridge Extension Configuration 3-17 Figure 3-6 Manual IP Configuration 3-19 Figure 3-7 DHCP IP Configuration 3-20 Figure 3-8 Jumbo Frames Configuration 3-21 Figure 3-9 Configuring Automatic Code Upgrade...
  • Page 34 Figures Figure 3-43 AAA Radius Group Settings 3-77 Figure 3-44 AAA TACACS+ Group Settings 3-78 Figure 3-45 AAA Accounting Settings 3-79 Figure 3-46 AAA Accounting Update 3-80 Figure 3-47 AAA Accounting 802.1X Port Settings 3-81 Figure 3-48 AAA Accounting Exec Command Privileges 3-82 Figure 3-49 AAA Accounting Exec Settings...
  • Page 35 Figures Figure 3-88 DHCP Snooping Binding Information 3-149 Figure 3-89 IP Source Guard Port Configuration 3-151 Figure 3-90 Static IP Source Guard Binding Configuration 3-153 Figure 3-91 Dynamic IP Source Guard Binding Information 3-154 Figure 3-92 Displaying Port/Trunk Information 3-155 Figure 3-93 Port/Trunk Configuration 3-159...
  • Page 36 Figures Figure 3-133 Traffic Segmentation Status Configuration 3-236 Figure 3-134 Traffic Segmentation Session Configuration 3-237 Figure 3-135 Private VLAN Information 3-239 Figure 3-136 Private VLAN Configuration 3-240 Figure 3-137 Private VLAN Association 3-240 Figure 3-138 Private VLAN Port Information 3-241 Figure 3-139 Private VLAN Port Configuration 3-243...
  • Page 37 Figures Figure 3-178 MVR Receiver VLAN Configuration 3-307 Figure 3-179 MVR Receiver Group Address Table 3-308 Figure 3-180 Static MVR Receiver Group Member Configuration 3-309 Figure 3-181 DNS General Configuration 3-311 Figure 3-182 DNS Static Host Table 3-313 Figure 3-183 DNS Cache 3-314 Figure 3-184...
  • Page 38 Figures xxxviii...
  • Page 39: Chapter 1: Introduction

    Chapter 1: Introduction This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch.
  • Page 40: Description Of Software Features

    Introduction Table 1-1 Key Features (Continued) Feature Description IEEE 802.1D Bridge Supports dynamic data switching and addresses learning Store-and-Forward Switching Supported to ensure wire-speed switching while eliminating bad frames Spanning Tree Algorithm Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP) Virtual LANs Up to 255 using IEEE 802.1Q, port-based, protocol-based, and private...
  • Page 41 Description of Software Features MAC address filtering and IP source guard also provide authenticated port access, while DHCP snooping is provided to prevent malicious attacks from insecure ports. Access Control Lists – ACLs provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, next header type, or flow label), or any frames (based on MAC address or Ethernet type).
  • Page 42 Introduction IEEE 802.1D Bridge – The switch supports IEEE 802.1D transparent bridging. The address table facilitates data switching by learning addresses, and then filtering or forwarding traffic based on this information. The address table supports up to 8K addresses. Store-and-Forward Switching – The switch copies each frame into its memory before forwarding it to another port.
  • Page 43 Description of Software Features • Use private VLANs to restrict traffic to pass only between data ports and the uplink ports, thereby isolating adjacent ports within the same VLAN, and allowing you to limit the total number of VLANs that need to be configured. •...
  • Page 44: System Defaults

    Introduction System Defaults The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 3-28). The following table lists some of the basic system defaults. Table 1-2 System Defaults Function Parameter...
  • Page 45 System Defaults Table 1-2 System Defaults (Continued) Function Parameter Default SNMP Community Strings “public” (read only) “private” (read/write) Traps Authentication traps: enabled Link-up-down events: enabled Port Configuration Admin Status Enabled Auto-negotiation Enabled Flow Control Disabled Rate Limiting Input limits Disabled Port Trunking Static Trunks None...
  • Page 46 Introduction Table 1-2 System Defaults (Continued) Function Parameter Default IP Settings IP Address DHCP assigned Subnet Mask 255.255.255.0 Default Gateway 0.0.0.0 DHCP Client: Enabled Client/Proxy service: Disabled BOOTP Disabled Multicast Filtering IGMP Snooping Snooping: Enabled Querier: Enabled Multicast VLAN Registration Disabled System Log Status...
  • Page 47: Chapter 2: Initial Configuration

    Chapter 2: Initial Configuration Connecting to the Switch Configuration Options The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON (Groups 1, 2, 3, 9), and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
  • Page 48: Required Connections

    Initial Configuration • Configure up to 8 static or LACP trunks • Enable port mirroring • Set broadcast, multicast or unknown unicast storm control on any port • Display system information and statistics • Configure attached CPEs using the OAM protocol Required Connections The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch.
  • Page 49: Remote Connections

    Basic Configuration Remote Connections Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see page 2-4.
  • Page 50: Setting Passwords

    Initial Configuration Setting Passwords Note: If this is your first time to log into the CLI program, you should define new passwords for both default user names using the “username” command, record them and put them in a safe place. Passwords can consist of up to 8 alphanumeric characters and are case sensitive.
  • Page 51: Dynamic Configuration

    Basic Configuration Note: The IP address for this switch is obtained via DHCP by default. Before you can assign an IP address to the switch, you must obtain the following information from your network administrator: • IP address for the switch •...
  • Page 52: Enabling Snmp Management Access

    Initial Configuration If network connections are normally slow, type “ip dhcp restart” to re-start broadcasting service requests. Press <Enter>. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>. Then save your configuration changes by typing “copy running-config startup-config.”...
  • Page 53: Trap Receivers

    Basic Configuration The default strings are: • public - with read-only access. Authorized management stations are only able to retrieve MIB objects. • private - with read/write access. Authorized management stations are able to both retrieve and modify MIB objects. To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings.
  • Page 54: Configuring Access For Snmp Version 3 Clients

    Initial Configuration Configuring Access for SNMP Version 3 Clients To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view called “mib-2”...
  • Page 55: Saving Configuration Settings

    Managing System Files files as available flash memory space allows. The switch has a total of 16 Mbytes of flash memory for system files. In the system flash memory, one file of each type must be set as the start-up file. During a system boot, the diagnostic and operation code files set as the start-up file are run, and then the start-up configuration file is loaded.
  • Page 56 Initial Configuration 2-10...
  • Page 57: Chapter 3: Configuring The Switch

    Chapter 3: Configuring the Switch Using the Web Interface This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, Netscape 6.2 or above, or Mozilla Firefox 2.0.0.0 or above).
  • Page 58: Navigating The Web Browser Interface

    Configuring the Switch Navigating the Web Browser Interface To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.” Home Page When your web browser connects with the switch’s web agent, the home page is displayed as shown below.
  • Page 59: Configuration Options

    Panel Display Configuration Options Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
  • Page 60: Main Menu

    Configuring the Switch Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 3-2 Main Menu Menu Description Page...
  • Page 61: Table 3-2 Main Menu

    Main Menu Table 3-2 Main Menu (Continued) Menu Description Page Time Zone Sets the local time zone for the system clock 3-46 Summer Time Configures summer time settings 3-47 SNMP Simple Network Management Protocol 3-49 Configuration Configures community strings and related trap functions 3-51 Agent Status Enables or disables SNMP Agent Status...
  • Page 62 Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page Authorization 3-85 Settings Configures authorization of requested services 3-85 EXEC Settings Specifies console or Telnet authorization method 3-86 Summary Displays authorization information 3-87 HTTPS Settings Configures secure HTTP settings 3-88 Secure Shell 3-90...
  • Page 63 Main Menu Table 3-2 Main Menu (Continued) Menu Description Page ARP Inspection Validates the MAC-to-IP address bindings in ARP packets 3-136 Configuration Enables inspection globally and per VLAN, specifies ACL filter 3-123 containing address bindings, configures validation of additional address components, sets trust mode for ports, and sets rate limit for packet inspection Information Displays information on results of inspection process...
  • Page 64 Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page Output Trunk Configuration Sets the output rate limit for trunks 3-179 Port Statistics Lists Ethernet and RMON port statistics 3-180 3-184 Power Status Displays the status of global power parameters 3-185 Power Config Configures the power budget for the switch...
  • Page 65 Main Menu Table 3-2 Main Menu (Continued) Menu Description Page GVRP Status Enables GVRP on the switch 3-219 Basic Information Displays information on the VLAN type supported by this switch 3-220 Current Table Shows the current port members of each VLAN and whether or 3-221 not the port is tagged or untagged Static List...
  • Page 66 Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page MAC Based VLAN 3-248 Configuration Maps traffic with specified source MAC address to a VLAN 3-248 LLDP 3-249 Configuration Configures global LLDP timing parameters 3-249 Port Configuration Configures parameters for individual ports 3-251 Trunk Configuration Configures parameters for trunks...
  • Page 67 Main Menu Table 3-2 Main Menu (Continued) Menu Description Page OUI Configuration Defines OUI settings 3-282 IGMP Snooping 3-285 IGMP Configuration Enables multicast filtering; configures parameters for multicast 3-286 query IGMP Immediate Leave Enables the immediate leave function 3-288 Multicast Router Port Displays the ports that are attached to a neighboring multicast 3-290 Information...
  • Page 68 Configuring the Switch Table 3-2 Main Menu (Continued) Menu Description Page Domain Name Service 3-310 General Configuration Enables DNS; configures domain name and domain list; and 3-310 specifies IP address of name servers for dynamic lookup Static Host Table Configures static entries for domain name to address mapping 3-312 Cache Displays cache entries discovered by designated name servers...
  • Page 69: Basic Configuration

    Basic Configuration This section describes the basic functions required to set up management access to the switch, display or upgrade operating software, or reset the system. Displaying System Information You can easily identify the system by displaying the device name, location and contact information.
  • Page 70: Figure 3-3 System Information

    Configuring the Switch Web – Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that allows access to the Command Line Interface via Telnet.) Figure 3-3 System Information CLI –...
  • Page 71: Displaying Switch Hardware/Software Versions

    Basic Configuration Displaying Switch Hardware/Software Versions Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system. Field Attributes Main Board • Serial Number – The serial number of the switch. •...
  • Page 72 Configuring the Switch CLI – Use the following command to display version information. Console#show version 4-34 Unit 1 Serial Number: A749023132 Hardware Version: Chip Device ID: Marvell 98DX106-B0, 88E6095[F] EPLD Version: 0.02 Number of Ports: Main Power Status: Redundant Power Status: Not present Agent (Master) Unit ID:...
  • Page 73: Displaying Bridge Extension Capabilities

    Basic Configuration Displaying Bridge Extension Capabilities The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables. Field Attributes • Extended Multicast Filtering Services – This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
  • Page 74: Setting The Switch's Ip Address

    Configuring the Switch CLI – Enter the following command. Console#show bridge-ext 4-301 Max support VLAN numbers: Max support VLAN ID: 4094 Extended multicast filtering services: No Static entry individual port: VLAN learning: Configurable PVID tagging: Local VLAN capable: Traffic classes: Enabled Global GVRP status: Disabled...
  • Page 75: Manual Configuration

    Basic Configuration Manual Configuration Web – Click System, IP Configuration. Select the VLAN through which the management station is attached, set the IP Address Mode to “Static,” enter the IP address, subnet mask and gateway, then click Apply. Figure 3-6 Manual IP Configuration CLI –...
  • Page 76: Using Dhcp/Bootp

    Configuring the Switch Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services. Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes.
  • Page 77: Enabling Jumbo Frames

    Basic Configuration Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the switch is moved to another network segment, you will lose management access to the switch. In this case, you can reboot the switch or submit a client request to restart DHCP service via the CLI.
  • Page 78: Managing Firmware

    Configuring the Switch Managing Firmware You can upload/download firmware to or from an FTP or TFTP server. Just specify the method of file transfer, along with the file type and file names as required. By saving run-time code to a file on an FTP or TFTP server, that file can later be downloaded to the switch to restore operation.
  • Page 79 Basic Configuration • The host portion of the upgrade file location URL must be a valid IPv4 IP address. DNS host names are not recognized. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. • The path to the directory must also be defined. If the file is stored in the root directory for the FTP/TFTP service, then use the “/”...
  • Page 80 Configuring the Switch • The switch will send an SNMP trap and make a log entry upon all upgrade successes and failures. • The switch will immediately restart after the upgrade file is successfully written to the file system and set as the startup image. Command Attributes •...
  • Page 81: Figure 3-9 Configuring Automatic Code Upgrade

    Apply. Figure 3-9 Configuring Automatic Code Upgrade CLI – This example specifies the URL of a TFTP server, and the directory containing the new operation code. Console(config)#upgrade opcode auto 4-42 Console(config)#upgrade opcode path tftp://192.168.0.1/SMC/ 4-43 Console(config)# 3-25...
  • Page 82: Downloading System Software From A Server

    Configuring the Switch If a new image is found at the specified location, the following type of messages will be displayed during bootup. Automatic Upgrade is looking for a new image New image detected: current version 1.1.1.0; new version 1.3.5.2 Image upgrade in progress The switch will restart after upgrade succeeds Downloading new image...
  • Page 83: Figure 3-11 Setting The Startup Code

    Basic Configuration If you download to a new destination file, go to the System/File/Set Start-Up menu, mark the operation code file used at startup, and click Apply. To start the new firmware, reboot the system via the System/Reset menu. Figure 3-11 Setting the Startup Code To delete a file, select System, File, Delete.
  • Page 84: Saving Or Restoring Configuration Settings

    Configuring the Switch Saving or Restoring Configuration Settings You can upload/download configuration settings to/from an FTP/TFTP server. The configuration files can be later downloaded to restore the switch’s settings. Command Attributes • File Transfer Method – The configuration copy operation includes these options: - file to file –...
  • Page 85: Downloading Configuration Settings From A Server

    Basic Configuration Downloading Configuration Settings from a Server You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be copied to the TFTP server, but cannot be used as the destination on the switch.
  • Page 86: Uploading And Downloading Files Using Http

    Configuring the Switch CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch. Console#copy tftp startup-config 4-37 TFTP server ip address: 192.168.1.1 Source configuration file name: config-1 Startup configuration file name [] : startup \Write to FLASH Programming.
  • Page 87: Figure 3-15 Uploading Files Using Http

    Basic Configuration Web – To upload files using HTTP: Click System, File Management, HTTP Upgrade. Select “opcode” or “config” as the file type and then use the Browse button to locate the file on the local web management station. Specify the name of a file on the switch to overwrite or specify a new file name, then click Apply.
  • Page 88: Console Port Settings

    Configuring the Switch Console Port Settings You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port. Management access through the console port is controlled by various parameters, including a password, timeouts, and basic communication settings.
  • Page 89: Figure 3-17 Console Port Settings

    Basic Configuration Web – Click System, Line, Console. Specify the console port connection parameters as required, then click Apply. Figure 3-17 Console Port Settings CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.
  • Page 90: Telnet Settings

    Configuring the Switch Telnet Settings You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other various parameters set, including the TCP port number, timeouts, and a password.
  • Page 91: Figure 3-18 Enabling Telnet

    Basic Configuration Web – Click System, Line, Telnet. Specify the connection parameters for Telnet access, then click Apply. Figure 3-18 Enabling Telnet CLI – Enter Line Configuration mode for a virtual terminal, then specify the connection parameters as required. To display the current virtual terminal settings, use the show line command from the Normal Exec level.
  • Page 92: Configuring Event Logging

    Configuring the Switch Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and the display of a list of recent event messages. System Log Configuration The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
  • Page 93: Remote Log Configuration

    Basic Configuration Web – Click System, Log, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and flash memory, then click Apply. Figure 3-19 System Logs CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory.
  • Page 94: Figure 3-20 Remote Logs

    Configuring the Switch Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove. Figure 3-20 Remote Logs CLI –...
  • Page 95: Displaying Log Messages

    Basic Configuration Displaying Log Messages The Logs page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.
  • Page 96: Figure 3-22 Enabling And Configuring Smtp

    Configuring the Switch configured email recipients. For example, using Level 7 will report all events from level 7 to level 0. (Default: Level 7) • SMTP Server List – Specifies a list of up to three recipient SMTP servers. The switch attempts to connect to the other listed servers if the first fails.
  • Page 97: Resetting The System

    Basic Configuration CLI – Enter the IP address of at least one SMTP server, set the syslog severity level to trigger an email message, and specify the switch (source) and up to five recipient (destination) email addresses. Enable SMTP with the logging sendmail command to complete the configuration.
  • Page 98: Setting The System Clock

    Configuring the Switch Web – Click System, Reset. Enter the amount of time the switch should wait before rebooting. Click the Reset button to reboot the switch or click the Cancel button to cancel a configured reset. If prompted, confirm that you want to reset the switch or cancel a configured reset.
  • Page 99: Setting The Time Manually

    Basic Configuration Setting the Time Manually You can set the system time on the switch manually without using SNTP. Command Attributes • Hours – Sets the hour. (Range: 0-23; Default: 0) • Minutes – Sets the minute value. (Range: 0-59; Default: 0) •...
  • Page 100: Figure 3-25 Sntp Configuration

    Configuring the Switch Web – Select SNTP, Configuration. Modify any of the required SNTP parameters, and click Apply. Figure 3-25 SNTP Configuration CLI – This example configures the switch to operate as an SNTP client and then displays the current time and settings. Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2 4-69 Console(config)#sntp poll 60...
  • Page 101: Figure 3-26 Ntp Client Configuration

    Basic Configuration • Version – Specifies the NTP version supported by the server. (Range: 1-3; Default: 3) • Authenticate Key – Specifies the number of the key in the NTP Authentication Key List to use for authentication with the configured server. The authentication key must match the key configured on the NTP server.
  • Page 102: Setting The Time Zone

    Configuring the Switch CLI – This example configures the switch to operate as an NTP client and then displays the current settings. Console(config)#ntp authentication-key 19 md5 thisiskey19 4-73 Current Time : Jan 1 03:33:25 2001 Poll Interval : 16 Current Mode...
  • Page 103: Figure 3-27 Setting The System Clock

    Basic Configuration Web – Select SNTP, Clock Time Zone. Set the offset for your time zone relative to the UTC using either a predefined or custom definition, and click Apply. Figure 3-27 Setting the System Clock CLI - This example shows how to set the time zone for the system clock using one of the predefined time zone configurations.
  • Page 104 Configuring the Switch Date Mode – Sets the start, end, and offset times of summer time for the switch on a one-time basis. This mode sets the summer-time zone relative to the currently configured time zone. To specify a time corresponding to your local time when summer time is in effect, you must indicate the number of minutes your summer-time zone deviates from your regular time zone.
  • Page 105: Simple Network Management Protocol

    Simple Network Management Protocol Web – Select SNTP, Summer Time. Select one of the configuration modes, configure the relevant attributes, enable summer time status, and click Apply. Figure 3-28 Summer Time CLI - This example configures summer time to take effect for a predefined zone. Console(config)#clock summer-time MESZ predefined usa 4-77 Console#...
  • Page 106 This agent continuously monitors the status of the switch hardware, as well as the traffic passing through its ports. A network management station can access this information using software such as SMC EliteView. Access to the onboard agent from clients using SNMP v1 and v2c is controlled by community strings. To communicate with the switch, the management station must first submit a valid community string for authentication.
  • Page 107: Enabling The Snmp Agent

    Simple Network Management Protocol Enabling the SNMP Agent Enables SNMPv3 service for all management clients (i.e., versions 1, 2c, 3). Command Attributes SNMP Agent Status – Enables SNMP on the switch. Web – Click SNMP, Agent Status. Figure 3-29 Enabling SNMP Agent Status CLI –...
  • Page 108: Specifying Trap Managers And Trap Types

    Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as SMC EliteView). You can specify up to five management stations that will receive authentication failure messages and other trap messages from the switch.
  • Page 109 Simple Network Management Protocol To send an inform to a SNMPv2c host, complete these steps: 1. Enable the SNMP agent (page 3-51). 2. Enable trap informs as described in the following pages. 3. Create a view with the required notification messages (page 3-64). 4.
  • Page 110: Figure 3-31 Configuring Ip Trap Managers

    Configuring the Switch • Enable Authentication Traps – Issues a notification message to specified IP trap managers whenever an invalid community string is submitted during the SNMP access authentication process. (Default: Enabled) • Enable Link-up and Link-down Traps – Issues a notification message whenever a port link is established or broken.
  • Page 111: Configuring Snmpv3 Management Access

    Simple Network Management Protocol Configuring SNMPv3 Management Access To configure SNMPv3 management access to the switch, follow these steps: 1. If you want to change the default engine ID, it must be changed first before configuring other parameters. 2. Specify read and write access views for the switch MIB tree. 3.
  • Page 112: Specifying A Remote Engine Id

    Configuring the Switch Specifying a Remote Engine ID To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host.
  • Page 113: Configuring Snmpv3 Users

    Simple Network Management Protocol Configuring SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view. Command Attributes •...
  • Page 114: Figure 3-34 Configuring Snmpv3 Users

    Configuring the Switch Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
  • Page 115: Configuring Remote Snmpv3 Users

    Simple Network Management Protocol Configuring Remote SNMPv3 Users Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view. To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
  • Page 116: Figure 3-35 Configuring Remote Snmpv3 Users

    Configuring the Switch Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
  • Page 117: Configuring Snmpv3 Groups

    Simple Network Management Protocol Configuring SNMPv3 Groups An SNMPv3 group sets the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views. Command Attributes •...
  • Page 118 Configuring the Switch Table 3-4 Supported Notification Messages (Continued) Object Label Object ID Description 1.3.6.1.6.3.1.1.5.3 A linkDown trap signifies that the SNMP entity, linkDown acting in an agent role, has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state (but not from the notPresent state).
  • Page 119: Figure 3-36 Configuring Snmpv3 Groups

    Simple Network Management Protocol Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read, write, and notify views. Click Add to save the new group and return to the Groups list.
  • Page 120: Setting Snmpv3 Views

    Configuring the Switch Setting SNMPv3 Views SNMPv3 views are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview” includes access to the entire MIB tree. Command Attributes • View Name – The name of the SNMP view. (Range: 1-64 characters) •...
  • Page 121: Sampling Traffic Flows

    Sampling Traffic Flows CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included 4-97 Console(config)#exit Console#show snmp view 4-98 View Name: ifEntry.a Subtree OID: 1.3.6.1.2.1.2.2.1.1.*...
  • Page 122: Configuring Sflow Global Parameters

    Configuring the Switch Configuring sFlow Global Parameters Flow sampling must be enabled globally on the switch, as well as for those ports where it is required. Due to the switch’s hardware design, flow sampling and the sampling rate can only be enabled for specific port groups as shown in the following table.
  • Page 123: Figure 3-38 Sflow Global Configuration

    Sampling Traffic Flows Web – Click sFlow, Configuration. Set the global status for flow sampling, the ports or port groups to be sampled, the sampling rate, and then click Apply. Figure 3-38 sFlow Global Configuration CLI – This example enables sFlow globally, and then enables sampling and sets the sampling rate for Port 1 (which effectively configures the same sFlow settings for all port members in Group 1).
  • Page 124: Configuring Sflow Port Parameters

    Configuring the Switch Configuring sFlow Port Parameters Use the sFlow Port Configuration page to set the destination parameters for the sampled data, payload parameters, and sampling interval. Command Usage • Port – Choose the port to configure. (Range: 1-28/52; Default: 1) •...
  • Page 125: Figure 3-39 Sflow Port Configuration

    Sampling Traffic Flows Web – Click sFlow, Port Configuration. Set the parameters for flow Collector, the reset timeout, the payload, and flow interval. Then click Apply. Figure 3-39 sFlow Port Configuration CLI – This example enables sFlow globally, and then enables sampling and sets the sampling rate for Port 1 (which effectively configures the same sFlow settings for all port members in Group 1).
  • Page 126: User Authentication

    Configuring the Switch User Authentication You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports. This switch provides secure network management access using the following options: •...
  • Page 127: Figure 3-40 Access Levels

    User Authentication • Add/Remove – Adds or removes an account from the list. Web – Click Security, User Accounts. To configure a new user account, specify a user name, select the user’s access level, then enter a password and confirm it. Click Add to save the new user account and add it to the Account List.
  • Page 128: Configuring Local/Remote Logon Authentication

    Configuring the Switch Configuring Local/Remote Logon Authentication Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.
  • Page 129 User Authentication Command Attributes • Authentication – Select the authentication, or authentication sequence required: - Local – User authentication is performed only locally by the switch. - Radius – User authentication is performed using a RADIUS server only. - TACACS – User authentication is performed using a TACACS+ server only. - [authentication sequence] –...
  • Page 130: Figure 3-41 Authentication Settings

    Configuring the Switch Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply. Figure 3-41 Authentication Settings CLI –...
  • Page 131: Configuring Encryption Keys

    User Authentication Console#configure Console(config)#authentication login tacacs 4-114 Console(config)#tacacs-server 1 host 10.20.30.40 4-121 Console(config)#tacacs-server port 200 4-121 Console(config)#tacacs-server retransmit 5 4-122 Console(config)#tacacs-server timeout 10 4-123 Console(config)#tacacs-server key green 4-122 Console#show tacacs-server 4-123 Remote TACACS+ server configuration: Global Settings: Server Port Number: Retransmit Times Request Times Server 1:...
  • Page 132: Aaa Authorization And Accounting

    Configuring the Switch - Confirm Secret Text String – Re-type the string entered in the previous field to ensure no errors were made. The switch will not change the encryption key if these two fields do not match. - Change – Clicking this button adds or modifies the selected encryption key. Web –...
  • Page 133: Configuring Aaa Radius Group Settings

    User Authentication • Accounting for users that access management interfaces on the switch through the console and Telnet. • Accounting for commands that users enter at specific CLI privilege levels. • Authorization of users that access management interfaces on the switch through the console and Telnet.
  • Page 134: Configuring Aaa Tacacs+ Group Settings

    Configuring the Switch CLI – Specify the group name for a list of RADIUS servers, and then specify the index number of a RADIUS server to add it to the group. Console(config)#aaa group server radius tps-radius 4-124 Console(config-sg-radius)#server 1 4-125 Console(config-sg-radius)#server 2 4-125 Console(config-sg-radius)#...
  • Page 135: Figure 3-45 Aaa Accounting Settings

    User Authentication The method name is only used to describe the accounting method(s) configured on the specified accounting servers, and does not actually send any information to the servers about the methods to use. • Service Request – Specifies the service as either 802.1X (user accounting) or Exec (administrative accounting for local console, Telnet, or SSH connections).
  • Page 136: Aaa Accounting Update

    Configuring the Switch CLI – Specify the accounting method required, followed by the chosen parameters. Console(config)#aaa accounting dot1x tps start-stop group radius 4-126 Console(config)# AAA Accounting Update This feature sets the interval at which accounting updates are sent to accounting servers.
  • Page 137: Aaa Accounting 802.1X Port Settings

    User Authentication AAA Accounting 802.1X Port Settings This feature applies the specified accounting method to an interface. Command Attributes • Port/Trunk - Specifies a port or trunk number. • Method Name - Specifies a user defined method name to apply to the interface. This method must be defined in the AAA Accounting Settings menu (page 3-77).
  • Page 138: Aaa Accounting Exec Command Privileges

    Configuring the Switch AAA Accounting Exec Command Privileges This feature specifies a method name to apply to commands entered at specific CLI privilege levels. Command Attributes • Commands Privilege Level - The CLI privilege levels (0-15). • Console/Telnet - Specifies a user-defined method name to apply to commands entered at the specified CLI privilege level.
  • Page 139: Aaa Accounting Exec Settings

    User Authentication AAA Accounting Exec Settings This feature specifies a method name to apply to console and Telnet connections. Command Attributes Method Name - Specifies a user defined method name to apply to console and Telnet connections. Web – Click Security, AAA, Accounting, Exec Settings. Enter a defined method name for console and Telnet connections, and click Apply.
  • Page 140: Figure 3-50 Aaa Accounting Summary

    Configuring the Switch Web – Click Security, AAA, Summary. Figure 3-50 AAA Accounting Summary
  • Page 141: Authorization Settings

    User Authentication CLI – Use the following command to display the currently applied accounting methods, and registered users. Console#show accounting 4-132 Accounting Type : dot1x Method List : default Group List : radius Interface Method List : tps-method Group List : tps-radius Interface Accounting Type : Exec...
  • Page 142: Authorization Exec Settings

    Configuring the Switch Web – Click Security, AAA, Authorization, Settings. To configure a new authorization method, specify a method name and a group name, select the service, then click Add. Figure 3-51 AAA Authorization Settings CLI – Specify the authorization method required and the server group. Console(config)#aaa authorization exec default group tacacs+ 4-131 Console(config)#...
  • Page 143: Authorization Summary

    User Authentication CLI – Specify the authorization method to use for Console and Telnet interfaces. Console(config)#line console 4-45 Console(config-line)#authorization exec tps-auth 4-132 Console(config-line)#exit Console(config)#line vty Console(config-line)#authorization exec tps-auth Console(config-line)# Authorization Summary The Authorization Summary displays the configured authorization methods and the interfaces to which they are applied.
  • Page 144: Configuring Https

    Configuring the Switch Configuring HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Command Usage • Both the HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure both services to use the same UDP port.
  • Page 145: Replacing The Default Secure-Site Certificate

    User Authentication Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply. Figure 3-54 HTTPS Settings CLI – This example enables the HTTP secure server and modifies the port number. Console(config)#ip http secure-server 4-134 Console(config)#ip http secure-port 443 4-135 Console(config)#...
  • Page 146: Configuring The Secure Shell

    Configuring the Switch • Private Password – Password stored in the private key file. This password is used to verify authorization for certificate use, and is verified when downloading the certificate to the switch. Web – Click Security, HTTPS Settings. Fill in the TFTP server, certificate and private file name details, then click Copy Certificate.
  • Page 147 User Authentication Notes: 1. You need to install an SSH client on the management station to access the switch for management via the SSH protocol. The switch supports both SSH Version 1.5 and 2.0 clients. Command Usage The SSH server on this switch supports both password and public key authentication.
  • Page 148 Configuring the Switch 5. Enable SSH Service – On the SSH Settings page, enable the SSH server on the switch. 6. Authentication – One of the following authentication methods is employed: Password Authentication (for SSH v1.5 or V2 Clients) a. The client sends its password to the server. b.
  • Page 149: Generating The Host Key Pair

    User Authentication Generating the Host Key Pair A host public/private key pair is used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the section Importing User Public Keys on page 3-95.
  • Page 150: Figure 3-56 Ssh Host-Key Settings

    Configuring the Switch Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate. Figure 3-56 SSH Host-Key Settings CLI –...
  • Page 151: Importing User Public Keys

    User Authentication Importing User Public Keys A user’s Public Key must be uploaded to the switch in order for the user to be able to log in using the public key authentication mechanism. If the user’s public key does not exist on the switch, SSH will revert to the interactive password authentication mechanism to complete authentication.
  • Page 152: Figure 3-57 Ssh User Public-Key Settings

    Configuring the Switch Web – Click Security, SSH, SSH User Public-Key Settings. Select the user name and the public-key type from the respective drop-down boxes, input the TFTP server IP address and the public key source file name, and then click Copy Public Key. Figure 3-57 SSH User Public-Key Settings
  • Page 153: Configuring The Ssh Server

    User Authentication CLI – This example imports an SSHv2 DSA public key for the user admin and then displays admin’s imported public keys. 4-37 Console#copy tftp public-key TFTP server IP address: 192.168.1.254 Choose public key type: 1. RSA: 2. DSA: <1-2>: 2 Source file name: admin-ssh2-dsa-pub.key Username: admin TFTP Download...
  • Page 154: Figure 3-58 Ssh Server Settings

    Configuring the Switch • SSH Authentication Retries – Specifies the number of authentication attempts that a client is allowed before authentication fails and the client has to restart the authentication process. (Range: 1-5 times; Default: 3) • SSH Server-Key Size – Specifies the SSH server key size. (Range: 512-896 bits;...
  • Page 155: Configuring 802.1X Port Authentication

    User Authentication Configuring 802.1X Port Authentication Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data.
  • Page 156: Displaying 802.1X Global Settings

    Configuring the Switch • Each switch port that will be used must be set to dot1X “Auto” mode. • Each client that needs to be authenticated must have dot1X client software installed and properly configured. • The RADIUS server and 802.1X client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.) •...
  • Page 157: Configuring 802.1X Global Settings

    User Authentication Configuring 802.1X Global Settings The 802.1X protocol provides port authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active. Command Attributes 802.1X System Authentication Control – Sets the global setting for 802.1X. (Default: Disabled) Web –...
  • Page 158: Figure 3-61 802.1X Port Configuration

    Configuring the Switch • Re-authentication – Sets the client to be re-authenticated after the interval specified by the Re-authentication Period. Re-authentication can be used to detect if a new device is plugged into a switch port. (Default: Disabled) • Max-Request – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session.
  • Page 159 User Authentication CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see show dot1x on page 4-153. Console(config)#interface ethernet 1/2 4-221 Console(config-if)#dot1x port-control auto 4-147 Console(config-if)#dot1x re-authentication 4-149 Console(config-if)#dot1x max-req 5 4-147...
  • Page 160: Displaying 802.1X Statistics

    Configuring the Switch Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port. Table 3-6 802.1X Statistics Parameter Description Rx EAPOL Start The number of EAPOL Start frames that have been received by this Authenticator. Rx EAPOL Logoff The number of EAPOL Logoff frames that have been received by this Authenticator.
  • Page 161: Figure 3-62 Displaying 802.1X Port Statistics

    User Authentication Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics. Figure 3-62 Displaying 802.1X Port Statistics CLI – This example displays the 802.1X statistics for port 4. Console#show dot1x statistics interface ethernet 1/4 4-153 Eth 1/4 Rx: EAPOL...
  • Page 162: Filtering Ip Addresses For Management Access

    Configuring the Switch Filtering IP Addresses for Management Access You can create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet. Command Usage •...
  • Page 163: Figure 3-63 Creating An Ip Filter List

    User Authentication Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add Web IP Filtering Entry to update the filter list. Figure 3-63 Creating an IP Filter List CLI –...
  • Page 164: General Security Measures

    Configuring the Switch General Security Measures This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes.
  • Page 165: Configuring Port Security

    General Security Measures Configuring Port Security Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port. When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
  • Page 166: Web Authentication

    Configuring the Switch Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply. Figure 3-64 Configuring Port Security CLI –...
  • Page 167: Configuring Web Authentication

    General Security Measures Configuring Web Authentication Web authentication is configured on a per-port basis; however, there are four configurable parameters that apply globally to all ports on the switch. Command Attributes • System Authentication Control – Enables Web Authentication for the switch. (Default: Disabled) •...
  • Page 168: Figure 3-66 Web Authentication Port Configuration

    Configuring the Switch Web authentication is configured on a per-port basis. The following parameters are associated with each port. Command Attributes • Port – Indicates the port being configured • Status – Configures the web authentication status for the port. •...
  • Page 169: Figure 3-67 Web Authentication Port Information

    General Security Measures This switch can display web authentication information for all ports and connected hosts. Command Attributes • Interface – Indicates the ethernet port to query. • IP Address – Indicates the IP address of each connected host. • Status – Indicates the authorization status of each connected host. •...
  • Page 170: Network Access (Mac Address Authentication)

    Configuring the Switch Web – Click Security, Web Authentication, Re-authentication. Figure 3-68 Web Authentication Port Re-authentication CLI – This example forces the re-authentication of all hosts connected to port 1/5. Network Access (MAC Address Authentication) Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations.
  • Page 171: Table 3-7 Dynamic Qos Profiles

    General Security Measures • Authenticated MAC addresses are stored as dynamic entries in the switch secure MAC address table and are removed when the aging time expires. The maximum number of secure MAC addresses supported for the switch system is 1024. •...
  • Page 172 Configuring the Switch - The Filter-ID attribute is empty. - The Filter-ID attribute format for dynamic QoS assignment is unrecognizable (cannot recognize the whole Filter-ID attribute). • Dynamic QoS assignment fails and the authentication result changes from success to failure when the following conditions occur: - Illegal characters found in a profile value (for example, a non-digital character in an 802.1p profile value).
  • Page 173: Figure 3-69 Network Access Configuration

    General Security Measures Web – Click Security, Network Access, Configuration. Figure 3-69 Network Access Configuration CLI – This example sets and displays the reauthentication time. Configures MAC authentication on switch ports, including setting the maximum MAC count, applying a MAC address filter, and enabling dynamic VLAN or dynamic QoS assignments.
  • Page 174: Figure 3-70 Network Access Port Configuration

    Configuring the Switch • Dynamic VLAN – Enables dynamic VLAN assignment for an authenticated port. When enabled, any VLAN identifiers returned by the RADIUS server are applied to the port, providing the VLANs have already been created on the switch. (GVRP is not used to create the VLANs.) (Default: Enabled) The VLAN settings specified by the first authenticated MAC address are implemented for a port.
  • Page 175: Configuring Port Link Detection

    General Security Measures CLI – This example configures MAC authentication for port 1. Configuring Port Link Detection The Port Link Detection feature can send an SNMP trap and/or shut down a port when a link event occurs. Command Attributes •...
  • Page 176: Figure 3-71 Network Access Port Link Detection Configuration

    Web – Click Security, Network Access, Port Link Detection Configuration. Modify the Status, Condition and Action. Click Apply.

    Figure 3-71 Network Access Port Link Detection Configuration

    CLI – This example configures Port Link Detection to send an SNMP trap for all link events on port 1.
  • Page 177: Mac Filter Configuration

    • Attribute – Indicates a static or dynamic address.
    • Remove – Click the Remove button to remove selected MAC addresses from the secure MAC address table.

    Web – Click Security, Network Access, MAC Address Information. Restrict the displayed addresses by port, MAC Address, or attribute, then select the method of sorting the displayed addresses.
  • Page 178: Figure 3-73 Network Access Mac Filter Configuration

    Command Attributes
    • Filter ID (1-64) - top
      - ALL – Displays all configured MAC filter tables.
      - Filter ID – Displays all entries associated with the specified MAC Filter ID.
      - Query – Displays all entries in the specified table(s).
    •...
  • Page 179: Access Control Lists

    CLI – This example adds Filter ID 22 and configures it to block traffic from MAC address 11-22-33-44-55-66.

    Access Control Lists

    Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, next header type, or flow label), or any frames (based on MAC address or Ethernet type).
  • Page 180: Setting The Acl Name And Type

    Setting the ACL Name and Type

    Use the ACL Configuration page to designate the name and type of an ACL.

    Command Attributes
    • Name – Name of the ACL. (Maximum length: 15 characters)
    • Type – The following filter modes are supported:
      - IP Standard: IPv4 ACL mode filters packets based on the source IPv4 address.
  • Page 181: Configuring A Standard Ipv4 Acl

    Configuring a Standard IPv4 ACL

    Command Attributes
    • Action – An ACL can contain any combination of permit or deny rules.
    • Address Type – Specifies the source IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP” to specify a range of addresses with the Address and SubMask fields.
  • Page 182

    host address in the Address field, or “IP” to specify a range of addresses with the Address and SubMask fields. (Options: Any, Host, IP; Default: Any)
    • Source/Destination IP Address – Source or destination IP address.
    • Source/Destination Subnet Mask – Subnet mask for source or destination address.
  • Page 183: Figure 3-76 Acl Configuration - Extended Ipv4

    Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range.
  • Page 184: Configuring A Standard Ipv6 Acl

    Configuring a Standard IPv6 ACL

    Command Attributes
    • Action – An ACL can contain any combination of permit or deny rules.
    • Source Address Type – Specifies the source IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IPv6-prefix”...
  • Page 185: Configuring An Extended Ipv6 Acl

    Configuring an Extended IPv6 ACL

    Command Attributes
    • Action – An ACL can contain any combination of permit or deny rules.
    • Source Address Type – Specifies the source IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IPv6-prefix”...
  • Page 186: Figure 3-78 Acl Configuration - Extended Ipv6

    Web – Specify the action (i.e., Permit or Deny). Select the address type (Any or IPv6-prefix). If you select “IPv6-prefix,” enter a subnet address and prefix length. Set any other required criteria, such as next header, DSCP, or flow label. Then click Add.

    Figure 3-78 ACL Configuration - Extended IPv6

    CLI –...
  • Page 187: Configuring A Mac Acl

    Configuring a MAC ACL

    Use this page to configure ACLs based on hardware addresses, packet format, and Ethernet type.

    Command Attributes
    • Action – An ACL can contain any combination of permit or deny rules.
    • Source/Destination Address Type – Use “Any” to include all possible addresses, “Host”...
  • Page 188: Figure 3-79 Acl Configuration - Mac

    Tagged-802.3 – Tagged Ethernet 802.3 packets.

    Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66).
  • Page 189: Configuring An Arp Acl

    Configuring an ARP ACL

    Use this page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see Configuring ARP Inspection on page 3-136).

    Command Attributes
    • Action – An ACL can contain any combination of permit or deny rules.
    •...
  • Page 190: Figure 3-80 Acl Configuration - Arp

    Web – Specify the action (i.e., Permit or Deny). Specify the packet type, the address type (Any, Host, or MAC), the source and/or destination addresses. If you select “Host,” enter a specific address. If you select “IP” or “MAC,” enter a base address and a hexadecimal bitmask for an address range.
  • Page 191: Figure 3-81 Configuring Acl Port Binding

    After configuring the Access Control Lists (ACL), you can bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list to any port.

    Command Usage
    • Each ACL can have up to 32 rules.
    •...
  • Page 192

    CLI – This example assigns an IP access list to port 1, and an IP access list to port 3.

        Console(config)#interface ethernet 1/1                    4-221
        Console(config-if)#ip access-group david in               4-205
        Console(config-if)#exit
        Console(config)#interface ethernet 1/3
        Console(config-if)#ip access-group david in
        Console(config-if)#

    ARP Inspection is a security feature that validates the MAC Address bindings for Address Resolution Protocol packets.
  • Page 193: Arp Inspection

    - When ARP Inspection is disabled, all ARP request and reply packets will bypass the ARP Inspection engine and their switching behavior will match that of all other packets.
    - Disabling and then re-enabling global ARP Inspection will not affect the ARP Inspection configuration of any VLANs.
  • Page 194

    ARP Inspection Logging
    • By default, logging is active for ARP Inspection, and cannot be disabled.
    • The administrator can configure the log facility rate.
    • When the switch drops a packet, it places an entry in the log buffer, then generates a system message on a rate-controlled basis.
  • Page 195

    not selected, the switch first performs ARP Inspection and then validation against the DHCP Snooping Bindings database. (Default: Disabled)
    • ARP Inspection Validation – Enables extended ARP Inspection Validation if any of the following options are enabled. (Default: Disabled)
      - Dst-MAC –...
  • Page 196: Figure 3-82 Configuring Arp Inspection

    Web – Click Security, ARP Inspection, Configuration. Enable inspection both globally and for the required VLANs, select an ARP ACL filter to check for statically configured addresses, select any required additional validation, adjust the logging parameters if required, specify any untrusted ports which require ARP inspection, and adjust the packet inspection rate.
  • Page 197

    Use the ARP Inspection Port Information page to display a list of trusted ports and statistics about the number of ARP packets processed, or dropped for various reasons.

    Command Attributes
    • Trusted Port List – Displays all ports configured as trusted.
    •...
  • Page 198: Figure 3-83 Displaying Statistics For Arp Inspection

    Web – Click Security, ARP Inspection, Information.

    Figure 3-83 Displaying Statistics for ARP Inspection

    CLI – This example displays statistics for ARP Inspection.

        Console#show ip arp inspection log
        Total log entries number is 1
        Num VLAN Port Src IP Address Dst IP Address Src MAC Address Dst MAC Address...
  • Page 199

    The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard). DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server.
  • Page 200: Dhcp Snooping

    - If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN.
    - If a DHCP packet from a server is received on a trusted port, it will be forwarded to both trusted and untrusted ports in the same VLAN.
  • Page 201: Dhcp Snooping Vlan Configuration

    Use the DHCP Snooping VLAN Configuration page to enable or disable DHCP snooping on specific VLANs.

    Command Usage
    • When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN.
  • Page 202

    DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server. Known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
  • Page 203: Figure 3-86 Dhcp Snooping Information Option Configuration

    Web – Click DHCP Snooping, Information Option Configuration.

    Figure 3-86 DHCP Snooping Information Option Configuration

    CLI – This example enables DHCP Snooping Information Option, and sets the policy as replace.

        Console(config)#ip dhcp snooping information option            4-184
        Console(config)#ip dhcp snooping information policy replace    4-185
        Console(config)#exit
        Console#show ip dhcp snooping...
  • Page 204: Figure 3-87 Dhcp Snooping Port Configuration

    Command Attributes
    • Trust Status – Enables or disables a port as trusted.

    Web – Click DHCP Snooping, Port Configuration. Set any ports within the local network or firewall to trusted, and click Apply.

    Figure 3-87 DHCP Snooping Port Configuration

    CLI –...
  • Page 205: Displaying Dhcp Snooping Binding Information

    Displaying DHCP Snooping Binding Information

    Binding table entries can be displayed on the Binding Information page.

    Command Attributes
    • Store DHCP snooping binding entries to flash. – Writes all dynamically learned snooping entries to flash memory. This function can be used to store the currently learned dynamic DHCP snooping entries to flash memory.
  • Page 206: Ip Source Guard

    IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see DHCP Snooping on page 3-143).
  • Page 207: Figure 3-89 Ip Source Guard Port Configuration

    Command Attributes
    • Filter Type – Configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. (Default: None)
    • None – Disables IP source guard filtering on the port.
    •...
  • Page 208

    Use the IP Source Guard Static Configuration page to bind a static address to a port. Table entries include a MAC address, IP address, lease time, entry type (Static, Dynamic), VLAN identifier, and port identifier. All static entries are configured with an infinite lease time, which is indicated with a value of zero in the table.
  • Page 209: Figure 3-90 Static Ip Source Guard Binding Configuration

    Web – Click IP Source Guard, Static Configuration. Select the VLAN and port to which the entry will be bound, enter the MAC address and associated IP address, then click Add.

    Figure 3-90 Static IP Source Guard Binding Configuration

    CLI –...
  • Page 210: Figure 3-91 Dynamic Ip Source Guard Binding Information

    Use the Dynamic Information page to display the source-guard binding table for a selected interface.

    Command Attributes
    • Query by – Select an interface to display the source-guard binding. (Options: Port, VLAN, MAC Address, or IP Address)
    •...
  • Page 211: Port Configuration

    Port Configuration

    Displaying Connection Status

    You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation.

    Field Attributes (Web)
    • Name – Interface label.
    •...
  • Page 212

    Field Attributes (CLI)

    Basic Information:
    • Port Type – Indicates the port type. (100BASE-TX, 1000BASE-T, or SFP)
    • MAC Address – The physical layer address for this port. (To access this item on the web, see page 3-18.)

    Configuration:
    •...
  • Page 213: Configuring Interface Connections

    Current Status:
    • Link Status – Indicates if the link is up or down.
    • Port Operation Status – Provides detailed information on port state. (Displayed only when the link is up.)
    • Operation Speed-duplex – Shows the current speed and duplex mode.
    •...
  • Page 214

    trunk. If not used, the success of the link process cannot be guaranteed when connecting to other types of switches. However, this switch does provide a means of safely forcing a link to operate at 1000 Mbps, full-duplex using the Giga Phy Mode attribute described below.
  • Page 215: Figure 3-93 Port/Trunk Configuration

    Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem. Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub. (Default: Autonegotiation enabled; Advertised capabilities for 100BASE-TX – 10half, 10full, 100half, 100full;...
  • Page 216: Creating Trunk Groups

    Creating Trunk Groups

    You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices.
  • Page 217: Statically Configuring A Trunk

    Statically Configuring a Trunk

    Command Usage
    • When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
  • Page 218

    CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk.

        Console(config)#interface port-channel 2                  4-221
        Console(config-if)#exit
        Console(config)#interface ethernet 1/1                    4-221
        Console(config-if)#channel-group 2                        4-249
        Console(config-if)#exit...
  • Page 219: Figure 3-95 Lacp Trunk Configuration

    • Trunks dynamically established through LACP will also be shown in the Member List on the Trunk Membership menu (see page 3-161).

    Command Attributes
    • Member List (Current) – Shows configured trunks (Port).
    • New – Includes entry fields for creating new trunks.
      - Port –...
  • Page 220

        Console#show interfaces status port-channel 1             4-230
        Information of Trunk 1
        Basic Information:
        Port Type: 100TX
        MAC Address: 00-12-CF-12-34-89
        Configuration:
        Name:
        Port Admin:
        Speed-duplex: Auto
        Capabilities: 10half, 10full, 100half, 100full
        Flow Control: Disabled
        VLAN Trunking: Disabled
        Port Security: Disabled
        Max MAC Count:
        Giga PHY Mode:...
  • Page 221: Figure 3-96 Lacp Port Configuration

    • Port Priority – If a link goes down, LACP port priority is used to select a backup link. (Range: 0-65535; Default: 32768)

    Set Port Partner – This menu sets the remote side of an aggregate link; i.e., the ports on the attached device.
  • Page 222

        Console#show lacp sysid                                   4-255
        Port Channel System Priority System MAC Address
        -------------------------------------------------------------------------
        00-12-CF-31-31-31 32768 00-12-CF-31-31-31 32768 00-12-CF-31-31-31 32768 00-12-CF-31-31-31
        Console#show lacp 1 internal                              4-255
        Port Channel: 1
        -------------------------------------------------------------------------
        Oper Key: 120
        Admin Key: 0
        Eth 1/1
        -------------------------------------------------------------------------
        LACPDUs Internal: 30 sec
        LACP System Priority: 3...
  • Page 223: Table 3-8 Lacp Port Counters

    Web – Click Port, LACP, Aggregation Group. Set the Admin Key for the required LACP group, and click Apply.

    Figure 3-97 LACP Aggregation Group Configuration

    CLI – The following example sets the LACP admin key for port channel 1.

        Console(config)#interface port-channel 1                  4-221
        Console(config-if)#lacp actor admin-key 3...
  • Page 224: Table 3-9 Lacp Internal Configuration Information

    Web – Click Port, LACP, Port Counters Information. Select a member port to display the corresponding information.

    Figure 3-98 LACP - Port Counters Information

    CLI – The following example displays LACP counters.

        Console#show lacp counters                                4-255
        Port channel : 1
        -------------------------------------------------------------------------
        Eth 1/ 1
        -------------------------------------------------------------------------...
  • Page 225: Figure 3-99 Lacp - Port Internal Information

    Table 3-9 LACP Internal Configuration Information (Continued)

    Field: Admin State, Oper State
    Description: Administrative or operational values of the actor’s state parameters:
    • Expired – The actor’s receive machine is in the expired state;
    • Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.
  • Page 226: Table 3-10 Lacp Neighbor Configuration Information

    CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1.

        Console#show lacp 1 internal                              4-255
        Port channel : 1
        -------------------------------------------------------------------------
        Oper Key : 120
        Admin Key : 0
        Eth 1/1
        -------------------------------------------------------------------------
        LACPDUs Internal:...
  • Page 227: Figure 3-100 Lacp - Port Neighbors Information

    Web – Click Port, LACP, Port Neighbors Information. Select a port channel to display the corresponding information.

    Figure 3-100 LACP - Port Neighbors Information

    CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1.

        Console#show lacp 1 neighbors                             4-255
        Port channel 1 neighbors...
  • Page 228

    Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much broadcast traffic on your network, performance can be severely degraded or everything can come to a complete halt.
  • Page 229: Figure 3-101 Port Broadcast Control

    Web – Click Port, Port/Trunk Broadcast Control. Set the threshold, mark the Enabled field for the desired interface and click Apply.

    Figure 3-101 Port Broadcast Control

    CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 500 kilobits per second for port 2.
  • Page 230

    You can protect your network from excess multicast traffic by setting thresholds for each port. Any multicast packets exceeding the specified threshold will then be dropped.

    Command Usage
    • Multicast Storm Control is disabled by default.
    • Due to an ASIC chip limitation, the supported storm control modes include:
      - broadcast
      - broadcast + multicast
      - broadcast + multicast + unknown unicast...
  • Page 231: Figure 3-102 Port Multicast Control

    Web – Click Configuration, Port, Port Multicast Control or Trunk Multicast Control. Check the Enabled box for any interface, set the threshold, and click Apply.

    Figure 3-102 Port Multicast Control

    CLI – Specify any interface, and then enter the threshold. The following example sets the multicast threshold at 600 packets per second for port 1.
  • Page 232: Figure 3-103 Port Unknown Unicast Control

    automatic storm control which triggers various control responses. This control type is only supported by the Command Line Interface as described under Automatic Traffic Control Commands on page 4-234. However, note that only one of these control types can be applied to a port. Enabling hardware-level storm control on a port will disable automatic storm control on that port.
  • Page 233: Figure 3-104 Mirror Port Configuration

    You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.

    [Figure labels: Source port(s), Single target port]...
  • Page 234: Figure 3-105 Mac Address Mirror Configuration

    You can mirror traffic matching a specified source address from any port on the switch, except for the target port, to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
  • Page 235: Figure 3-106 Input Rate Limit Port Configuration

    This function allows the network manager to control the maximum rate for traffic received on a port or transmitted from a port. Rate limiting is configured on ports at the edge of a network to limit traffic coming in and out of the network. Packets that exceed the acceptable amount of traffic are dropped.
  • Page 236: Table 3-11 Port Statistics

    Statistics are refreshed every 60 seconds by default. Note: RMON groups 2, 3 and 9 can only be accessed using SNMP management software such as SMC EliteView. Table 3-11 Port Statistics Parameter Description...
  • Page 237

    Table 3-11 Port Statistics (Continued)

    Parameter: Transmit Discarded Packets
    Description: The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space.
  • Page 238

    Table 3-11 Port Statistics (Continued)

    Parameter: Received Frames
    Description: The total number of frames (bad, broadcast and multicast) received.

    Parameter: Broadcast Frames
    Description: The total number of good frames received that were directed to the broadcast address. Note that this does not include multicast packets.

    Parameter: Multicast Frames
    Description: The total number of good frames received that were directed to this multicast address.
  • Page 239: Figure 3-107 Port Statistics

    Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen.

    Figure 3-107 Port Statistics
  • Page 240: Power Over Ethernet Settings

    CLI – This example shows statistics for port 13.

        Console#show interfaces counters ethernet 1/13            4-231
        Ethernet 1/13
        Iftable stats:
        Octets input: 868453, Octets output: 3492122
        Unicast input: 7315, Unitcast output: 6658
        Discard input: 0, Discard output: 0
        Error input: 0, Error output: 0
        Unknown protos input: 0, QLen output: 0
        Extended iftable stats:...
  • Page 241: Switch Power Status

    dropped to some low-priority ports and later the power demands on the switch fall back within its budget, the dropped power is automatically restored.

    Switch Power Status

    Displays the Power over Ethernet parameters for the switch.

    Command Attributes
    •...
  • Page 242: Setting A Switch Power Budget

    Setting a Switch Power Budget

    A maximum PoE power budget for the switch (power available to all switch ports) can be defined so that power can be centrally managed, preventing overload conditions at the power source. If the power demand from devices connected to the switch exceeds the power budget setting, the switch uses port power priority settings to limit the supplied power.
  • Page 243: Configuring Port Poe Power

    Web – Click PoE, Power Port Status.

    Figure 3-110 Displaying Port PoE Status

    CLI – This example displays the PoE status and priority of port 1.

        Console#show power inline status                          4-268
        Interface  Admin   Oper Power(mWatt) Power(used)  Priority
        ---------- ------- ---- ------------ ------------ --------
        1/ 1...
  • Page 244: Figure 3-111 Configuring Port Poe Power

    Command Attributes
    • Port – The port number on the switch.
    • Admin Status – Enables PoE power on the port. Power is automatically supplied when a device is detected on the port, providing that the power demanded does not exceed the switch or port power budget.
  • Page 245: Address Table Settings

    Address Table Settings

    Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
  • Page 246: Displaying The Address Table

    CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.

        Console(config)#mac-address-table static 00-12-cf-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset      4-270
        Console(config)#

    Displaying the Address Table

    The Dynamic Address Table contains the MAC addresses learned by monitoring the source address for traffic entering the switch.
  • Page 247: Changing The Aging Time

    CLI – This example also displays the address table entries for port 1.

        Console#show mac-address-table interface ethernet 1/1     4-271
        Interface MAC Address       VLAN Type
        --------- ----------------- ---- -----------------
        Eth 1/ 1  00-12-CF-48-82-93    1 Delete-on-reset
        Eth 1/ 1  00-12-CF-94-34-DE    2 Learned
        Console#

    Changing the Aging Time...
  • Page 248: Spanning Tree Algorithm Configuration

    Spanning Tree Algorithm Configuration

    The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
  • Page 249

    MSTP – When using STP or RSTP, it may be difficult to maintain a stable path between all VLAN members. Frequent changes in the tree structure can easily isolate some of the group members. MSTP (which is based on RSTP for fast convergence) is designed to support independent spanning trees based on VLAN groups.
  • Page 250: Configuring Port And Trunk Loopback Detection

    Configuring Port and Trunk Loopback Detection

    When Port Loopback Detection is enabled and a port receives its own BPDU, the detection agent drops the loopback BPDU, sends an SNMP trap, and places the port in discarding mode. This loopback state can be released manually or automatically.
  • Page 251: Displaying Global Settings For Sta

    CLI – This command enables loopback detection for port 1/5, configures automatic release-mode, and enables SNMP trap notification for detected loopback BPDUs.

        Console(config)#interface ethernet 1/5                                    4-221
        Console(config-if)#spanning-tree loopback-detection                       4-292
        Console(config-if)#spanning-tree loopback-detection release-mode auto     4-293
        Console(config-if)#spanning-tree loopback-detection trap                  4-294
        Console(config-if)#

    Displaying Global Settings for STA

    You can display a summary of the current bridge STA information that applies to the...
  • Page 252

    • Configuration Changes – The number of times the Spanning Tree has been reconfigured.
    • Last Topology Change – Time since the Spanning Tree was last reconfigured.

    These additional parameters are only displayed for the CLI:
    • Spanning Tree Mode – Specifies the type of spanning tree used on this switch:
      - STP: Spanning Tree Protocol (IEEE 802.1D)
      - RSTP: Rapid Spanning Tree (IEEE 802.1w)
      - MSTP: Multiple Spanning Tree (IEEE 802.1s)
  • Page 253: Figure 3-116 Displaying Spanning Tree Information

    Web – Click Spanning Tree, STA, Information.

    Figure 3-116 Displaying Spanning Tree Information

    CLI – This command displays global STA settings, followed by settings for each port.

        Console#show spanning-tree                                4-297
        Spanning Tree Information
        ---------------------------------------------------------------
        Spanning Tree Mode: RSTP
        Spanning Tree Enabled/Disabled: Enabled...
  • Page 254

    Global settings apply to the entire switch.

    Command Usage
    • Spanning Tree Protocol
      Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
  • Page 255

    • Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
  • Page 256

    Configuration Settings for RSTP

    The following attributes apply to both RSTP and MSTP:
    • Path Cost Method – The path cost is used to determine the best path between devices. The path cost method is used to determine the range of values that can be assigned to each interface.
  • Page 257: Figure 3-117 Configuring Spanning Tree

    Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply.

    Figure 3-117 Configuring Spanning Tree
  • Page 258

    CLI – This example enables Spanning Tree Protocol, sets the mode to RSTP, and then configures the STA and RSTP parameters.

        Console(config)#spanning-tree                             4-275
        Console(config)#spanning-tree mode mstp                   4-276
        Console(config)#spanning-tree priority 45056              4-279
        Console(config)#spanning-tree hello-time 5                4-277
        Console(config)#spanning-tree max-age 38                  4-278
        Console(config)#spanning-tree forward-time 20             4-277...
  • Page 259

    • Designated Port – The port priority and number of the port on the designated bridging device through which this switch must communicate with the root of the Spanning Tree.
    • Oper Path Cost – The contribution of this port to the path cost of paths towards the spanning tree root which include this port.
  • Page 260: Figure 3-118 Displaying Spanning Tree Port Information

    Configuring the Switch • Admin status – Shows if this interface is enabled. • External Admin Path Cost – The path cost for the IST. This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
  • Page 261 Spanning Tree Algorithm Configuration CLI – This example shows the STA attributes for port 5. Console#show spanning-tree ethernet 1/5 4-297 1/ 5 information -------------------------------------------------------------- Admin Status: Enabled Role: Disabled State: Discarding Admin Path Cost: Oper Path Cost: 200000 Priority: Designated Cost: Designated Port: 128.5 Designated Root:...
  • Page 262: Table 3-12 Recommended Sta Path Cost Range

    Configuring the Switch The following interface attributes can be configured: • Spanning Tree – Enables/disables STA on this interface. (Default: Enabled). • BPDU Flooding - Enables/disables the flooding of BPDUs to other ports when global spanning tree is disabled (page 3-198) or when spanning tree is disabled on a specific port.
  • Page 263: Table 3-14 Default Sta Path Costs

    Spanning Tree Algorithm Configuration Table 3-13 Recommended STA Path Costs Port Type Link Type IEEE 802.1D-1998 IEEE 802.1w-2001 Fast Ethernet Half Duplex 200,000 Full Duplex 100,000 Trunk 50,000 Gigabit Ethernet Full Duplex 10,000 Trunk 5,000 Table 3-14 Default STA Path Costs Port Type Link Type IEEE 802.1w-2001...
  • Page 264: Figure 3-119 Configuring Spanning Tree Per Port

    Configuring the Switch Web – Click Spanning Tree, STA, Port Configuration or Trunk Configuration. Modify the required attributes, then click Apply. Figure 3-119 Configuring Spanning Tree per Port CLI – This example sets STA attributes for port 7. Console(config)#interface ethernet 1/7 4-221 Console(config-if)#no spanning-tree port-bpdu-flooding 4-290...
  • Page 265: Configuring Global Settings For Sta

    Spanning Tree Algorithm Configuration link type is point-to-point; otherwise it equals the spanning-tree’s maximum age (see Configuring Global Settings for STA on page 3-198). An interface cannot function as an edge port under the following conditions: - If spanning tree mode is set to STP (page 3-198), edge-port mode can be manually enabled or set to auto, but will have no effect.
  • Page 266 Configuring the Switch CLI – This example sets edge port attributes for port 5. Console(config)#interface ethernet 1/5 4-221 Console(config-if)#spanning-tree edge-port 4-287 Console(config-if)#spanning-tree bpdu-guard 4-290 Console(config-if)#spanning-tree bpdu-filter 4-289 Console(config-if)# MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
  • Page 267: Figure 3-121 Configuring Multiple Spanning Trees

    Spanning Tree Algorithm Configuration Web – Click Spanning Tree, MSTP, VLAN Configuration. Select an instance identifier from the list, set the instance priority, and click Apply. To add the VLAN members to an MSTI instance, enter the instance identifier, the VLAN identifier, and click Add.
  • Page 268 Configuring the Switch Remaining Hops: Designated Root: 32768.00201A25AC00 Current Root Port: Current Root Cost: Number of Topology Changes: Last Topology Change Time (sec.): 164 Transmission Limit: Path Cost Method: Long Flooding Behavior: To VLAN --------------------------------------------------------------- 1/ 1 Information --------------------------------------------------------------- Admin Status: Enabled Role: Disabled...
  • Page 269: Figure 3-122 Displaying Mstp Interface Settings

    Spanning Tree Algorithm Configuration The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance. Command Attributes MST Instance ID – Instance identifier to configure. (Default: 0) Note: The other attributes are described under Displaying Interface Settings for STA on page 3-202 Web –...
  • Page 270 Configuring the Switch CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST, the settings for other instances only apply to the local spanning tree. Console#show spanning-tree mst 0 4-297 Spanning Tree Information...
  • Page 271 Spanning Tree Algorithm Configuration You can configure the STA interface settings for an MST Instance using the MSTP Port Configuration and MSTP Trunk Configuration pages. Field Attributes The following attributes are read-only and cannot be changed: • STA State – Displays current state of this port within the Spanning Tree. (See Displaying Interface Settings for STA on page 3-202 for additional information.) - Discarding –...
  • Page 272: Vlan Configuration

    Configuring the Switch Web – Click Spanning Tree, MSTP, Port Configuration or Trunk Configuration. Enter the priority and path cost for an interface, and click Apply. Figure 3-123 Displaying MSTP Interface Settings CLI – This example sets the MSTP attributes for port 4. Console(config)#interface ethernet 1/4 Console(config-if)#spanning-tree mst port-priority 0 Console(config-if)#spanning-tree mst cost 50...
  • Page 273: Assigning Ports To Vlans

    VLAN Configuration This switch supports the following VLAN features: • Up to 255 VLANs based on the IEEE 802.1Q standard • Distributed VLAN learning across multiple switches using explicit or implicit tagging and GVRP protocol • Port overlapping, allowing a port to participate in multiple VLANs •...
  • Page 274 Configuring the Switch Untagged VLANs – Untagged (or static) VLANs are typically used to reduce broadcast traffic and to increase security. A group of network users assigned to a VLAN form a broadcast domain that is separate from other VLANs configured on the switch.
  • Page 275: Enabling Or Disabling Gvrp (Global Setting)

    VLAN Configuration Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
  • Page 276: Figure 3-125 Displaying Basic Vlan Information

    Configuring the Switch The VLAN Basic Information page displays basic information on the VLAN type supported by the switch. Field Attributes • VLAN Version Number – The VLAN version used by this switch as specified in the IEEE 802.1Q standard. •...
  • Page 277: Figure 3-126 Displaying Current Vlans

    VLAN Configuration The VLAN Current Table shows the current port members of each VLAN and whether or not the port supports VLAN tagging. Ports assigned to a large VLAN group that crosses several switches should use VLAN tagging. However, if you just want to create a small port-based VLAN for one or two switches, you can disable tagging.
  • Page 278 Configuring the Switch • Name – Name of the VLAN (1-100 characters). • Status – Shows if this VLAN is enabled or disabled. - Active: VLAN is operational. - Suspend: VLAN is suspended; i.e., does not pass packets. • Ports / Channel groups – Shows the VLAN interface members. CLI –...
  • Page 279: Figure 3-127 Configuring A Vlan Static List

    VLAN Configuration Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add. Figure 3-127 Configuring a VLAN Static List CLI –...
  • Page 280 Configuring the Switch (VLAN Index) Use the VLAN Static Table to configure port members for the selected VLAN index. Assign ports as tagged if they are connected to 802.1Q VLAN compliant devices, or untagged if they are not connected to any VLAN-aware devices. Or configure a port as forbidden to prevent the switch from automatically adding it to a VLAN via the GVRP protocol.
  • Page 281: Figure 3-128 Configuring A Vlan Static Table

    VLAN Configuration Web – Click VLAN, 802.1Q VLAN, Static Table. Select a VLAN ID from the scroll-down list. Modify the VLAN name and status if required. Select the membership type by marking the appropriate radio button in the list of ports or trunks.
  • Page 282: Figure 3-129 Vlan Static Membership By Port

    Configuring the Switch (Port Index) Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member. Command Attributes • Interface – Port or trunk identifier. • Member – VLANs for which the selected interface is a tagged member. •...
  • Page 283 VLAN Configuration You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers. Command Usage • GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
  • Page 284: Figure 3-130 Configuring Vlans Per Port

    Configuring the Switch • GARP Leave Timer – The interval a port waits before leaving a VLAN group. This time should be set to more than twice the join time. This ensures that after a Leave or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group.
  • Page 285 VLAN Configuration CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid. Console(config)#interface ethernet 1/3 4-221 Console(config-if)#switchport acceptable-frame-types tagged 4-308 Console(config-if)#switchport ingress-filtering...
  • Page 286 Configuring the Switch processing. When the packet exits another trunk port on the same core switch, the same SPVLAN tag is again added to the packet. When a packet enters the trunk port on the service provider’s egress switch, the outer tag is again stripped for packet processing.
  • Page 287 VLAN Configuration 5. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packets will have two tags. Layer 2 Flow for Packets Coming into a Tunnel Uplink Port An uplink port receives one of the following packets: •...
  • Page 288: Creating Vlans

    Configuring the Switch Configuration Limitations for QinQ • The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN. Then the outer SPVLAN tag will be stripped when the packets are sent out.
  • Page 289: Enabling Qinq Tunneling On The Switch

    VLAN Configuration Enabling QinQ Tunneling on the Switch The switch can be configured to operate in normal VLAN mode or IEEE 802.1Q (QinQ) tunneling mode which is used for passing Layer 2 traffic across a service provider’s metropolitan area network. You can also globally set the Tag Protocol Identifier (TPID) value of the tunnel port if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames.
  • Page 290: Adding An Interface To A Qinq Tunnel

    Configuring the Switch CLI – This example sets the switch to operate in QinQ mode. Console(config)#dot1q-tunnel system-tunnel-control 4-315 Console(config-if)#switchport dot1q-tunnel tpid 8100 4-316 Console(config)#exit Console#show dot1q-tunnel 4-317 Current double-tagged status of the system is Enabled The dot1q-tunnel mode of the set interface 1/1 is Access mode, TPID is 0x9100. The dot1q-tunnel mode of the set interface 1/2 is Uplink mode, TPID is 0x9100.
  • Page 291: Figure 3-132 Tunnel Port Configuration

    VLAN Configuration Web – Click VLAN, 802.1Q VLAN, 802.1Q Tunnel Configuration or Tunnel Trunk Configuration. Set the mode for a tunnel access port to 802.1Q Tunnel and a tunnel uplink port to 802.1Q Tunnel Uplink. Click Apply. Figure 3-132 Tunnel Port Configuration CLI –...
  • Page 292: Traffic Segmentation

    Configuring the Switch If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual client sessions. Traffic belonging to each client is isolated to the allocated downlink ports.
  • Page 293: Figure 3-134 Traffic Segmentation Session Configuration

    VLAN Configuration Use the Traffic Segmentation Session Configuration page to create a client session, and assign the downlink and uplink ports to service the traffic associated with each session. Command Attributes • Session ID – Traffic segmentation session. (Range: 1-15) •...
  • Page 294: Private Vlans

    Configuring the Switch Private VLANs provide port-based security and isolation of local ports contained within different private VLAN groups. This switch supports two types of private VLANs – primary and community groups. A primary VLAN contains promiscuous ports that can communicate with all other ports in the associated private VLAN groups, while a community (or secondary) VLAN contains community ports that can only communicate with other hosts within the community VLAN and with any of the promiscuous ports in the associated primary VLAN.
  • Page 295: Figure 3-135 Private Vlan Information

    VLAN Configuration Web – Click VLAN, Private VLAN, Information. Select the desired port from the VLAN ID drop-down menu. Figure 3-135 Private VLAN Information CLI – This example shows the switch configured with primary VLAN 5 and secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and are associated with VLAN 6.
  • Page 296: Figure 3-136 Private Vlan Configuration

    Configuring the Switch Web – Click VLAN, Private VLAN, Configuration. Enter the VLAN ID number, select Primary, Isolated or Community type, then click Add. To remove a private VLAN from the switch, highlight an entry in the Current list box and then click Remove. Note that all member ports must be removed from the VLAN before it can be deleted.
  • Page 297: Figure 3-138 Private Vlan Port Information

    VLAN Configuration CLI – This example associates community VLANs 6 and 7 with primary VLAN 5. Console(config)#vlan database 4-304 Console(config-vlan)#private-vlan 5 association 6 4-324 Console(config-vlan)#private-vlan 5 association 7 4-324 Console(config)# Use the Private VLAN Port Information and Private VLAN Trunk Information menus to display the interfaces associated with private VLANs.
  • Page 298 Configuring the Switch CLI – This example shows the switch configured with primary VLAN 5 and community VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and associated with VLAN 6.
  • Page 299: Figure 3-139 Private Vlan Port Configuration

    VLAN Configuration Web – Click VLAN, Private VLAN, Port Configuration or Trunk Configuration. Set the PVLAN Port Type for each port that will join a private VLAN. Assign promiscuous ports to a primary VLAN. Assign host ports to a community VLAN. After all the ports have been configured, click Apply.
  • Page 300: Figure 3-140 Protocol Vlan Configuration

    Configuring the Switch Command Usage • To configure protocol-based VLANs, follow these steps: 1. First configure VLAN groups for the protocols you want to use (page 3-222). Although not mandatory, we suggest configuring a separate VLAN for each major protocol running on your network. Do not add port members at this time. 2.
  • Page 301: Figure 3-141 Protocol Vlan System Configuration

    VLAN Configuration CLI – This example shows the switch configured with Protocol Group 2 which matches RFC 1042 IP traffic. Console(config)#protocol-vlan protocol group 2 add frame-type rfc-1042 protocol-type ip 4-328 Console(config)# Use the Protocol VLAN System Configuration menu to map a Protocol VLAN Group to a VLAN.
  • Page 302: Figure 3-142 Vlan Mirror Configuration

    Configuring the Switch You can mirror traffic from one or more source VLANs to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source VLAN(s) in a completely unobtrusive manner. Command Usage •...
  • Page 303: Figure 3-143 Ip Subnet Vlan Configuration

    VLAN Configuration When using port-based classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When IP subnet-based VLAN classification is enabled, the source address of untagged ingress frames is checked against the IP subnet-to-VLAN mapping table. If an entry is found for that subnet, these frames are assigned to the VLAN indicated in the entry.
  • Page 304: Figure 3-144 Mac-Based Vlan Configuration

    Configuring the Switch CLI – This example maps all traffic from the IP subnet of 192.168.2.0 to VLAN 2. Console(config)#subnet-vlan subnet 192.168.1.0 255.255.255.0 vlan 2 4-331 Console(config)# Configuring MAC-based VLANs The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to source MAC addresses.
  • Page 305: Link Layer Discovery Protocol

    Link Layer Discovery Protocol CLI – This example maps all traffic matching the specified address to VLAN 2. Console(config)#mac-vlan mac-address 00-ab-cd-11-22-33 vlan 2 4-332 Console(config)# Link Layer Discovery Protocol Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain.
  • Page 306 Configuring the Switch • Delay Interval – Configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables. (Range: 1-8192 seconds; Default: 2 seconds) The transmit delay is used to prevent a series of successive LLDP transmissions during a short period of rapid changes in local LLDP MIB objects, and to increase the probability that multiple, rather than single changes, are reported in each transmission.
  • Page 307: Figure 3-145 Lldp Configuration

    Link Layer Discovery Protocol Web – Click LLDP, Configuration. Enable LLDP, modify any of the timing parameters as required, and click Apply. Figure 3-145 LLDP Configuration CLI – This example sets several attributes which control basic LLDP message timing. Console(config)#lldp 4-343 Console(config)#lldp refresh-interval 60 4-345...
  • Page 308 Configuring the Switch notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), the LLDP-MED MIB (ANSI/TIA-1057), or vendor-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs. For information on defining SNMP trap destinations, see Specifying Trap Managers and Trap Types on page 3-52. Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted.
  • Page 309: Figure 3-146 Lldp Port Configuration

    Link Layer Discovery Protocol • MED TLV Type – Configures the information included in the MED TLV field of advertised messages. - Port Capabilities – This option advertises LLDP-MED TLV capabilities, allowing Media Endpoint and Connectivity Devices to efficiently discover which LLDP-MED related TLVs are supported on the switch.
  • Page 310: Table 3-15 Chassis Id Subtype

    Configuring the Switch CLI – This example sets the interface to both transmit and receive LLDP messages, enables SNMP trap messages, enables MED notification, and specifies the TLV, MED-TLV, dot1-TLV and dot3-TLV parameters to advertise. Console(config)#interface ethernet 1/1 4-221 Console(config-if)#lldp admin-status tx-rx 4-347 Console(config-if)#lldp notification 4-347...
  • Page 311 Link Layer Discovery Protocol • Chassis ID – An octet string indicating the specific identifier for the particular chassis in this system. • System Name – A string that indicates the system’s administratively assigned name (see Displaying System Information on page 3-13). •...
  • Page 312: Table 3-16 System Capabilities

    Configuring the Switch Web – Click LLDP, Local Information. Figure 3-147 LLDP Local Device Information CLI – This example displays LLDP information for the local switch. Console#show lldp info local-device 4-360 LLDP Local System Information Chassis Type : MAC Address Chassis ID : 00-20-1A-25-AC-00 System Name...
  • Page 313: Figure 3-148 Lldp Remote Port Information

    Link Layer Discovery Protocol This example displays detailed information for a specific port on the local switch. Console#show lldp info local-device ethernet 1/1 4-360 LLDP Port Information Detail Port : Eth 1/1 Port Type : MAC Address Port ID : 00-01-02-03-04-06 Port Desc : Ethernet Port on unit 1, port 1 Console# Use the LLDP Remote Port/Trunk Information screen to display information about...
  • Page 314: Table 3-17 Port Id Subtype

    Configuring the Switch Use the LLDP Remote Information Details screen to display detailed information about an LLDP-enabled device connected to a specific port on the local switch. Field Attributes • Local Port – The local port to which a remote LLDP-capable device is attached. •...
  • Page 315: Figure 3-149 Lldp Remote Information Details

    Link Layer Discovery Protocol Web – Click LLDP, Remote Information Details. Select an interface from the drop down lists, and click Query. Figure 3-149 LLDP Remote Information Details CLI – This example displays LLDP information for an LLDP-enabled remote device attached to a specific port on this switch.
  • Page 316 Configuring the Switch Use the LLDP Device Statistics screen to display general statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces. Field Attributes General Statistics on Remote Devices • Neighbor Entries List Last Updated – The time the LLDP neighbor entry list was last updated.
  • Page 317: Figure 3-150 Lldp Device Statistics

    Link Layer Discovery Protocol CLI – This example displays LLDP statistics received from all LLDP-enabled remote devices connected directly to this switch. switch#show lldp info statistics 4-362 LLDP Device Statistics Neighbor Entries List Last Updated : 2450279 seconds New Neighbor Entries Count Neighbor Entries Deleted Count Neighbor Entries Dropped Count Neighbor Entries Ageout Count...
  • Page 318: Figure 3-151 Lldp Device Statistics Details

    Configuring the Switch Web – Click LLDP, Device Statistics Details. Figure 3-151 LLDP Device Statistics Details CLI – This example displays detailed LLDP statistics for an LLDP-enabled remote device attached to a specific port on this switch. switch#show lldp info statistics detail ethernet 1/1 4-362 LLDP Port Statistics Detail PortName...
  • Page 319: Class Of Service Configuration

    Class of Service Configuration Class of Service Configuration Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 320: Figure 3-152 Port Priority Configuration

    Configuring the Switch Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply. Figure 3-152 Port Priority Configuration CLI – This example assigns a default priority of 5 to port 3. Console(config)#interface ethernet 1/3 4-221 Console(config-if)#switchport priority default 5...
  • Page 321: Mapping Cos Values To Egress Queues

    Class of Service Configuration Mapping CoS Values to Egress Queues This switch processes Class of Service (CoS) priority tagged traffic by using four priority queues for each port, with service schedules based on strict or Weighted Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p.
  • Page 322: Selecting The Queue Mode

    Configuring the Switch Web – Click Priority, Traffic Classes. The current mapping of CoS values to output queues is displayed. Assign priorities to the traffic classes (i.e., output queues), then click Apply. Figure 3-153 Traffic Classes CLI – The following example shows how to change the CoS assignments. Console(config)#interface ethernet 1/1 4-221 Console(config-if)#queue cos-map 0 0...
  • Page 323: Displaying The Service Weight For Traffic Classes

    Class of Service Configuration weighting. This prevents the head-of-line blocking that can occur with strict priority queuing. Command Attributes • WRR - Weighted Round-Robin shares bandwidth at the egress ports by using scheduling weights with default values of 1, 2, 4, 8 for queues 0 through 3, respectively.
  • Page 324: Figure 3-155 Displaying Queue Scheduling

    Configuring the Switch Web – Click Priority, Queue Scheduling. Figure 3-155 Displaying Queue Scheduling CLI – The following example shows how to display the WRR weights assigned to each of the priority queues. Console#show queue bandwidth 4-366 Queue ID Weight -------- ------ Console...
  • Page 325: Layer 3/4 Priority Settings

    Class of Service Configuration Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values This switch supports one method of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet or the number of the TCP port.
  • Page 326: Mapping Dscp Priority

    Configuring the Switch CLI – The following example globally enables DSCP Priority service on the switch. Console(config)#map ip dscp 4-368 Console(config)#end Console#show map ip dscp 4-370 dscp Mapping Status: Enabled DSCP COS ---- --- Mapping DSCP Priority The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors.
  • Page 327: Figure 3-157 Mapping Ip Dscp Priority Values

    Class of Service Configuration Web – Click Priority, IP DSCP Priority. Select an entry from the DSCP table, enter a value in the Class of Service Value field, then click Apply. Figure 3-157 Mapping IP DSCP Priority Values CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings.
  • Page 328: Quality Of Service

    Configuring the Switch Quality of Service The commands described in this section are used to configure Quality of Service (QoS) classification criteria and service policies. Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per hop basis. Each packet is classified upon entry into the network based on access lists, IP Precedence, DSCP values, or VLAN lists.
  • Page 329: Configuring A Class Map

    Quality of Service Configuring a Class Map A class map is used for matching packets to a specified class. Command Usage • To configure a Class Map, follow these steps: - Open the Class Map page, and click Add Class. - When the Class Configuration page opens, fill in the “Class Name”...
  • Page 330: Figure 3-158 Configuring Class Maps

    Configuring the Switch • VLAN – A VLAN. (Range:1-4094) • Add – Adds specified criteria to the class. Up to 16 items are permitted per class. • Remove – Deletes the selected criteria from the class. Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class.
  • Page 331: Creating Qos Policies

    Quality of Service CLI - This example creates a class map called “rd_class,” and sets it to match packets marked for DSCP service value 3. Console(config)#class-map rd_class match-any 4-372 Console(config-cmap)#match ip dscp 3 4-373 Console(config-cmap)# Creating QoS Policies This function creates a policy map that can be attached to multiple interfaces. Command Usage •...
  • Page 332 Configuring the Switch Policy Configuration • Policy Name – Name of policy map. (Range: 1-16 characters) • Description – A brief description of a policy map. (Range: 1-64 characters) • Add – Adds the specified policy. • Back – Returns to previous page without making any changes. Policy Rule Settings - Class Settings - •...
  • Page 333: Figure 3-159 Configuring Policy Maps

    Quality of Service Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy. To configure the policy rule settings click Edit Classes. Figure 3-159 Configuring Policy Maps 3-277...
  • Page 334: Attaching A Policy Map To Ingress Queues

    Configuring the Switch CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth to 1 Mbps, the burst rate to 1522 bps, and the response to reduce the DSCP value for violating packets to 0. Console(config)#policy-map rd_policy#3 4-375 Console(config-pmap)#class rd_class#3 4-375...
  • Page 335 Quality of Service When IP telephony is deployed in an enterprise network, it is recommended to isolate the Voice over IP (VoIP) network traffic from other data traffic. Traffic isolation can provide higher voice quality by preventing excessive packet delays, packet loss, and jitter.
  • Page 336: Figure 3-161 Configuring Voip Traffic

    Configuring the Switch Web – Click QoS, VoIP Traffic Setting, Configuration. Enable Auto Detection, specify the Voice VLAN ID, then set the Voice VLAN Aging Time. Click Apply. Figure 3-161 Configuring VoIP Traffic CLI – This example enables VoIP traffic detection and specifies the Voice VLAN ID as 1234, then sets the VLAN aging time to 3000 seconds.
  • Page 337: Figure 3-162 Voip Traffic Port Configuration

    Quality of Service address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device. • 802.1ab – Uses LLDP to discover VoIP devices attached to the port. LLDP checks that the “telephone bit”...
  • Page 338 Configuring the Switch CLI – This example configures VoIP traffic settings for port 2 and displays the current Voice VLAN status. Console(config)#interface ethernet 1/2 4-337 Console(config-if)#switchport voice vlan auto 4-338 Console(config-if)#switchport voice vlan security 4-337 Console(config-if)#switchport voice vlan rule oui 4-339 Console(config-if)#switchport voice vlan priority 5 Console(config-if)#exit...
  • Page 339: Figure 3-163 Telephony Oui List

    Quality of Service Web – Click QoS, VoIP Traffic Setting, OUI Configuration. Enter a MAC address that specifies the OUI for VoIP devices in the network. Select a mask from the pull-down list to define a MAC address range. Enter a description for the devices, then click Add.
  • Page 340: Multicast Filtering

    Configuring the Switch Multicast Filtering Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router.
  • Page 341: Specifying Static Interfaces For A Multicast Router

    Multicast Filtering (Snooping and Query) IGMP Snooping and Query – If multicast routing is not supported on other switches in your network, you can use IGMP Snooping and Query (page 3-286) to monitor IGMP service requests passing between multicast clients and servers, and dynamically configure the switch ports which need to forward multicast traffic.
  • Page 342 Configuring the Switch Static IGMP Host Interface – For multicast applications that you need to control more carefully, you can manually assign a multicast service to specific interfaces on the switch (page 3-293). You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic.
  • Page 343: Figure 3-164 Igmp Configuration

    Multicast Filtering Command Attributes • IGMP Status — When enabled, the switch will monitor network traffic to determine which hosts want to receive multicast traffic. This is also referred to as IGMP Snooping. (Default: Enabled) • Act as IGMP Querier — When enabled, the switch can serve as the Querier, which is responsible for asking hosts if they want to receive multicast traffic.
  • Page 344 CLI – This example modifies the settings for multicast filtering, and then displays the current status.
        Console(config)#ip igmp snooping                                4-381
        Console(config)#ip igmp snooping querier                        4-385
        Console(config)#ip igmp snooping leave-proxy                    4-382
        Console(config)#ip igmp snooping query-count 10                 4-386
        Console(config)#ip igmp snooping query-interval 100             4-387
        Console(config)#ip igmp snooping query-max-response-time 20     4-387...
  • Page 345: Figure 3-165 Igmp Immediate Leave

    Multicast Filtering Command Attributes • VLAN ID – VLAN Identifier. (Range: 1-4094). • Immediate Leave – Sets the status for immediate leave on the specified VLAN. (Default: Disabled) Web – Click IGMP Snooping, IGMP Immediate Leave. Select the VLAN interface to configure, set the status for immediate leave, and click Apply.
  • Page 346: Figure 3-166 Displaying Multicast Router Port Information

    Configuring the Switch Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch.
  • Page 347: Figure 3-167 Static Multicast Router Port Configuration

    Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your switch, you can manually configure the interface (and a specified VLAN) to join all the current multicast groups supported by the attached router.
  • Page 348: Figure 3-168 Ip Multicast Registration Table

    Configuring the Switch You can display the port members associated with a specified VLAN and multicast service. Command Attributes • VLAN ID – Selects the VLAN for which to display port members. (Range: 1-4094) • Multicast IP Address – The IP address for a specific multicast service. •...
  • Page 349: Figure 3-169 Igmp Member Port Table

    Multicast Filtering Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages as described in “Configuring IGMP snooping and Query Parameters” on page 3-133. For certain applications that require tighter control, you may need to statically configure a multicast service on the switch. First add all the ports attached to participating hosts to a common VLAN, and then assign the multicast service to that VLAN group.
  • Page 350 CLI – This example assigns a multicast address to VLAN 1, and then displays all the known multicast services supported on VLAN 1.
        Console(config)#ip igmp snooping vlan 1 static 224.1.1.12 ethernet 1/12     4-381
        Console(config)#exit
        Console#show mac-address-table multicast vlan 1                             4-384
        VLAN M'cast IP addr....
  • Page 351: Figure 3-170 Enabling Igmp Filtering And Throttling

    Multicast Filtering Web – Click IGMP Snooping, IGMP Filter Configuration. Create a profile group by entering a number in the text box and clicking Add. Enable the IGMP filter status, then click Apply. Figure 3-170 Enabling IGMP Filtering and Throttling CLI –...
  • Page 352: Figure 3-171 Igmp Profile Configuration

    Configuring the Switch • New Multicast Address Range List – Specifies multicast groups to include in the profile. Specify a multicast group range by entering a start and end IP address. Specify a single multicast group by entering the same IP address for the start and end of the range.
  • Page 353 Multicast Filtering Once you have configured IGMP profiles, you can assign them to interfaces on the switch. Also you can set the IGMP throttling number to limit the number of multicast groups an interface can join at the same time. Command Usage •...
  • Page 354: Figure 3-172 Igmp Filter And Throttling Port Configuration

    Configuring the Switch Web – Click IGMP Snooping, IGMP Filter/Throttling Port Configuration or IGMP Filter/Throttling Trunk Configuration. Select a profile to assign to an interface, then set the throttling number and action. Click Apply. Figure 3-172 IGMP Filter and Throttling Port Configuration CLI –...
  • Page 355: Multicast Vlan Registration

    Multicast VLAN Registration
    Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all attached subscribers.
  • Page 356: Configuring Global Mvr Settings

    Configuring the Switch Configuring Global MVR Settings The global settings for Multicast VLAN Registration (MVR) include enabling or disabling MVR for the switch, selecting the VLAN that will serve as the sole channel for common multicast streams supported by the service provider, and assigning the multicast group address for each of these services to the MVR VLAN.
  • Page 357: Figure 3-173 Mvr Global Configuration

    Multicast VLAN Registration Web – Click MVR, Configuration. Enable MVR globally on the switch, select the MVR VLAN, add the multicast groups that will stream traffic to attached hosts, and then click Apply. Figure 3-173 MVR Global Configuration CLI – This example first enables IGMP snooping, enables MVR globally, and then configures a range of MVR group addresses.
  • Page 358: Displaying Mvr Interface Status

    Configuring the Switch Displaying MVR Interface Status You can display information about the interfaces attached to the MVR VLAN. Field Attributes • Type – Shows the MVR port type. • Oper Status – Shows the link status. • MVR Status – Shows the MVR status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch.
  • Page 359: Displaying Port Members Of Multicast Groups

    Multicast VLAN Registration Displaying Port Members of Multicast Groups You can display the multicast groups assigned to the MVR VLAN either through IGMP snooping or static configuration. Field Attributes • Group IP – Multicast groups assigned to the MVR VLAN. •...
  • Page 360: Configuring Mvr Interface Status

    Configuring the Switch Configuring MVR Interface Status Each interface that participates in the MVR VLAN must be configured as an MVR source port or receiver port. If only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function. Command Usage •...
  • Page 361: Figure 3-176 Mvr Port Configuration

    Multicast VLAN Registration - Non-MVR – An interface that does not participate in the MVR VLAN. (This is the default type.) • Immediate Leave – Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. (This option only applies to an interface configured as an MVR receiver.) •...
  • Page 362: Assigning Static Multicast Groups To Interfaces

    Configuring the Switch Assigning Static Multicast Groups to Interfaces For multicast streams that will run for a long term and be associated with a stable set of hosts, you can statically bind the multicast group to the participating interfaces. Command Usage •...
  • Page 363: Configuring Mvr Receiver Vlan And Group Addresses

    Multicast VLAN Registration Configuring MVR Receiver VLAN and Group Addresses Multicast traffic forwarded to subscribers is normally stripped of frame tags to prevent hosts from discovering the identity of the MVR VLAN. An MVR Receiver VLAN and the multicast services supported by this VLAN can be configured to hide the MVR VLAN, while allowing multicast traffic with frame tags to be forwarded to subscribers.
  • Page 364: Displaying Mvr Receiver Groups

    Configuring the Switch Displaying MVR Receiver Groups Interfaces assigned to the MVR receiver groups can be displayed using the Receiver Group IP Information page. Field Attributes • Group IP Address – Multicast groups assigned to the MVR Receiver VLAN. • Group Port List – Interfaces with subscribers for multicast services provided through the MVR Receiver VLAN.
  • Page 365: Figure 3-180 Static Mvr Receiver Group Member Configuration

    You can statically assign a multicast receiver group to the selected interface using the Receiver Group Member Configuration page. Field Attributes • Interface – Indicates a port or trunk. • Group Address List – Multicast receiver groups assigned to the selected interface.
  • Page 366: Domain Name Service

    Configuring the Switch Domain Name Service The Domain Naming System (DNS) service on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other name servers on the network. When a client device designates this switch as a DNS server, the client will attempt to resolve host names into IP addresses by forwarding DNS queries to the switch, and waiting for a response.
  • Page 367: Figure 3-181 Dns General Configuration

    Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name servers to use for address resolution, enable domain lookup status, and click Apply.
    Figure 3-181 DNS General Configuration
    CLI - This example sets a default domain name and a domain list.
  • Page 368: Configuring Static Dns Host To Address Entries

    Configuring the Switch Configuring Static DNS Host to Address Entries You can manually configure static entries in the DNS table that are used to map domain names to IP addresses. Command Usage • Static entries may be used for local devices connected directly to the attached network, or for commonly used resources located elsewhere on the network.
  • Page 369: Figure 3-182 Dns Static Host Table

    Web – Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply.
    Figure 3-182 DNS Static Host Table
    CLI - This example maps two addresses to a host name, and then configures an alias host name for the same addresses.
  • Page 370: Displaying The Dns Cache

    Configuring the Switch Displaying the DNS Cache You can display entries in the DNS cache that have been learned via the designated name servers. Field Attributes • No – The entry number for each resource record. • Flag – The flag is always “4” indicating a cache entry and therefore unreliable. •...
  • Page 371: Switch Clustering

    Switch Clustering
    IP Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
  • Page 372: Figure 3-185 Cluster Configuration

    Configuring the Switch • Cluster IP Pool – An “internal” IP address pool that is used to assign IP addresses to Member switches in the cluster. Internal cluster IP addresses are in the form 10.x.x.member-ID. Only the base IP address of the pool needs to be set since Member IDs can only be between 1 and 36.
  • Page 373: Cluster Member Configuration

    Switch Clustering Cluster Member Configuration Adds Candidate switches to the cluster as Members. Command Attributes • Member ID – Specify a Member ID number for the selected Candidate switch. (Range: 1-36) • MAC Address – Select a discovered switch MAC address from the Candidate Table, or enter a specific MAC address of a known switch.
  • Page 374: Figure 3-187 Cluster Member Information

    Configuring the Switch Use the Cluster Member Information page to display information on current cluster Member switches. Command Attributes • Member ID – The ID number of the Member switch. (Range: 1-36) • Role – Indicates the current status of the switch in the cluster. •...
  • Page 375: Figure 3-188 Cluster Candidate Information

    Switch Clustering Use the Cluster Candidate Information page to display information about discovered switches in the network that are already cluster Members or are available to become cluster Members. Command Attributes • Role – Indicates the current status of Candidate switches in the network. •...
  • Page 376: Upnp

    Configuring the Switch UPnP Universal Plug and Play (UPnP) is a set of protocols that allows devices to connect seamlessly and simplifies the deployment of home and office networks. UPnP achieves this by issuing UPnP device control protocols designed upon open, Internet-based communication standards.
  • Page 377 CLI – This example enables UPnP, sets the device advertise duration to 200 seconds, the device TTL to 6, and displays information about basic UPnP configuration.
        Console(config)#upnp device                             4-86
        Console(config)#upnp device advertise duration 200      4-87
        Console(config)#upnp device ttl 6                       4-86
        Console(config)#end
        Console#show upnp...
  • Page 378 Configuring the Switch 3-322...
  • Page 379: Chapter 4: Command Line Interface

    Chapter 4: Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Using the Command Line Interface Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt.
  • Page 380: Telnet Connection

    Command Line Interface Telnet Connection Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods.
  • Page 381: Entering Commands

    Entering Commands
    This section describes how to enter CLI commands.
    Keywords and Arguments
    A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
  • Page 382: Showing Commands

    Command Line Interface Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line or VLAN Database). You can also display a list of valid keywords for a specific command.
  • Page 383: Partial Keyword Lookup

        startup-config    Startup system configuration
        subnet-vlan       IP subnet-based VLAN information
        system            System information
        tacacs-server     TACACS server settings
        tech-support      Technical information
        upnp              UPnP settings
        users             Information about terminal lines
        version           System hardware and software versions
        vlan              Virtual LAN settings
        voice             Shows the voice VLAN information
        web-auth          Shows web authentication configuration...
  • Page 384: Understanding Command Modes

    Command Line Interface Understanding Command Modes The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain switching functions. These classes are further divided into different modes. Available commands depend on the selected mode.
  • Page 385: Configuration Commands

        Username: guest
        Password: [guest login password]
        CLI session with the SMC6128PL2 is opened.
        To end the CLI session, enter [Exit].
        Console>enable
        Password: [privileged level password]
        Console#
    Configuration Commands
    Configuration commands are privileged level commands used to modify switch settings.
  • Page 386: Table 4-2 Configuration Modes

    To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode.
    Table 4-2 Configuration Modes
        Mode    Command                 Prompt                  Page
        Line    line {console | vty}    Console(config-line)    4-44...
  • Page 387: Command Line Processing

    Entering Commands Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?”...
  • Page 388: Command Groups

    Command Groups
    The system commands can be broken down into the functional groups shown below.
    Table 4-4 Command Groups
        Command Group        Description                                                                                        Page
        General              Basic commands for entering privileged access mode, restarting the system, or quitting the CLI    4-11
        System Management    Display and setting of system information, basic modes of operation,...                            4-18
  • Page 389: General Commands

    Table 4-4 Command Groups (Continued)
        Command Group          Description                                                                                                                                    Page
        Quality of Service     Configures Differentiated Services classification criteria and service policies                                                                4-371
        Multicast Filtering    Configures IGMP multicast filtering, query parameters, specifies ports attached to a multicast router, and enables multicast VLAN registration    4-380
        Domain Name Service    Configures DNS services                                                                                                                        4-405...
  • Page 390: Enable

    enable
    This command activates Privileged Exec mode. In privileged mode, additional commands are available, and certain commands display additional information. See “Understanding Command Modes” on page 4-6.
    Syntax
        enable [level]
        level - Privilege level to log into the device. The device has two predefined privilege levels: 0: Normal Exec, 15: Privileged Exec.
  • Page 391: Configure

    Example
        Console#disable
        Console>
    Related Commands
        enable (4-12)
    configure
    This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration.
  • Page 392 Command Line Interface The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the configuration modes.
  • Page 393 General Commands • reload in - An interval after which to reload the switch. - hours - The number of hours, combined with the minutes, before the switch resets. (Range: 0-576) - minutes - The number of minutes, combined with the hours, before the switch resets.
  • Page 394: Show Reload

    This command displays the current reload settings, and the time at which the next scheduled reload will take place.
    Command Mode
        Privileged Exec
    Example
        Console#show reload
        Reloading switch in time: 0 hours 29 minutes.
        The switch will be rebooted at January 1 02:11:50 2001.
  • Page 395: Exit

    exit
    This command returns to the previous configuration mode or exits the configuration program.
    Command Mode
    Example
    This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
        Console(config)#exit
        Console#exit
        Press ENTER to start session...
  • Page 396: System Management Commands

    System Management Commands
    These commands are used to control system logs, passwords, user names, browser configuration options, and display or configure a variety of other system information.
    Table 4-6 System Management Commands
        Command Group         Function                                                       Page
        Device Designation    Configures information that uniquely identifies this switch    4-18
        Banner Information...
  • Page 397: Banner Information Commands

    Example
        Console(config)#hostname RD#1
        Console(config)#
    Banner Information Commands
    These commands are used to configure and manage administrative information about the switch, its exact data center location, details of the electrical and network circuits that supply the switch, as well as contact information for the network administrator and system manager.
  • Page 398: Banner Configure

    Command Line Interface banner configure This command is used to interactively specify administrative information for this device. Syntax banner configure Default Setting None Command Mode Global Configuration Command Usage The administrator can batch-input all details for the switch with one command. When the administrator finishes typing the company name and presses the enter key, the script prompts for the next piece of information, and so on, until all information has been entered.
  • Page 399: Banner Configure Company

    Example
        Console(config)#banner configure
        Company: Edgecore Networks
        Responsible department: R&D Dept
        Name and telephone to Contact the management people
        Manager1 name: Sr. Network Admin
         phone number: 123-555-1212
        Manager2 name: Jr. Network Admin
         phone number: 123-555-1213
        Manager3 name: Night-shift Net Admin / Janitor
         phone number: 123-555-1214
        The physical location of the equipment.
  • Page 400: Banner Configure Dc-Power-Info

    Example
        Console(config)#banner configure company Edgecore Networks
        Console(config)#
    banner configure dc-power-info
    This command is used to configure DC power information displayed in the banner. Use the no form to restore the default setting.
    Syntax
        banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id
        no banner configure dc-power-info [floor | row | rack | electrical-circuit]
        •...
  • Page 401: Banner Configure Equipment-Info

    System Management Commands Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure department command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 402: Banner Configure Equipment-Location

    Example
        Console(config)#banner configure equipment-info manufacturer-id SMC6128PL2 floor 3 row 10 rack 15 shelf-rack 12 manufacturer Edgecore Networks
        Console(config)#
    banner configure equipment-location
    This command is used to configure the equipment location information displayed in the banner. Use the no form to restore the default setting.
    Syntax
        banner configure equipment-location location
        no banner configure equipment-location...
  • Page 403: Banner Configure Lp-Number

    System Management Commands Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 404: Banner Configure Manager-Info

    Command Line Interface banner configure manager-info This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number] no banner configure manager-info [name1 | name2 | name3] •...
  • Page 405: Banner Configure Note

    System Management Commands Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 406: Show Banner

    show banner
    This command displays all banner information.
    Command Mode
        Normal Exec, Privileged Exec
    Example
        Console#show banner
        WARNING - MONITORED ACTIONS AND ACCESSES
        R&D_Dept
        Albert_Einstein - 123-555-1212
        Steve - 123-555-9876
        Lamar - 123-555-3322
        Station's information:
        710_Network_Path,Indianapolis
        Edgecore Networks - SMC6128PL2
        Floor / Row / Rack / Sub-Rack
        7 / 10 / 15 / 6
        DC power supply:...
  • Page 407: System Status Commands

    System Status Commands
    This section describes commands used to display system information.
    Table 4-9 System Status Commands
        Command                Function                                                                                                        Mode    Page
        show startup-config    Displays the contents of the configuration file (stored in flash memory) that is used to start up the system            4-29
        show running-config    Displays the configuration data currently in use                                                                        4-30...
  • Page 408: Show Running-Config

    Example
        Console#show startup-config
        !<stackingDB>00</stackingDB>
        !<stackingMac>01_00-12-cf-12-34-56_01</stackingMac>
        phymap 00-12-cf-12-34-56
        sntp server 0.0.0.0 0.0.0.0 0.0.0.0
        snmp-server community public ro
        snmp-server community private rw
        username admin access-level 15
        username admin password 7 21232f297a57a5a743894a0e4a801fc3
        username guest access-level 0
        username guest password 7 084e0343a0486ff05530df6c705c8bb4
        enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
        vlan database
        vlan 1 name DefaultVlan media ethernet state active...
  • Page 409 System Management Commands • This command displays settings for key command modes. Each mode group is separated by “!” symbols, and includes the configuration mode command, and corresponding commands. This command displays the following information: - Switch’s MAC address - SNTP server settings - SNMP community strings - Users (names and access levels) - VLAN database (VLAN ID, name and state)
  • Page 410 Example
        Console#show running-config
        !<stackingDB>00</stackingDB>
        !<stackingMac>01_00-12-cf-12-34-56_01</stackingMac>
        phymap 00-12-cf-12-34-56
        sntp server 0.0.0.0 0.0.0.0 0.0.0.0
        snmp-server community public ro
        snmp-server community private rw
        username admin access-level 15
        username admin password 7 21232f297a57a5a743894a0e4a801fc3
        username guest access-level 0
        username guest password 7 084e0343a0486ff05530df6c705c8bb4
        enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
        vlan database
        vlan 1 name DefaultVlan media ethernet state active...
  • Page 411: Show System

    show system
    This command displays system information.
    Command Mode
        Normal Exec, Privileged Exec
    Command Usage
    • For a description of the items shown by this command, refer to page 3-13.
    • The POST results should all display “PASS.” If any POST test indicates “FAIL,”...
  • Page 412: Show Version

    Example
        Console#show users
        Username accounts:
        Username Privilege Public-Key
        -------- --------- ----------
        admin              None
        guest              None
        steve
        Online users:
        Line        Username Idle time (h:m:s) Remote IP addr.
        ----------- -------- ----------------- ---------------
        console     admin    0:14:14
        VTY 0       admin    0:00:00           192.168.1.19
        SSH 1       steve...
  • Page 413: Frame Size Commands

    Frame Size Commands
    This section describes commands used to configure the Ethernet frame size on the switch.
    Table 4-10 Frame Size Commands
        Command        Function                            Mode    Page
        jumbo frame    Enables support for jumbo frames            4-35
    jumbo frame
    This command enables support for jumbo frames. Use the no form to disable it.
    Syntax
        [no] jumbo frame
    Default Setting...
  • Page 414: File Management Commands

    Command Line Interface File Management Commands Managing Firmware Firmware can be uploaded and downloaded to or from an FTP/TFTP server. By saving run-time code to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.
  • Page 415 System Management Commands copy This command moves (uploads/downloads) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server. It can also download a diagnostics file or loader file from an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation.
  • Page 416 Command Line Interface • The maximum number of user-defined configuration files depends on available memory. • You can use “Factory_Default_Config.cfg” as the source to copy from the factory default configuration file, but you cannot use it as the destination. • To replace the startup configuration, you must use startup-config as the destination.
  • Page 417 The following example shows how to download a configuration file:
        Console#copy tftp startup-config
        TFTP server ip address: 10.1.0.99
        Source configuration file name: startup.01
        Startup configuration file name [startup]:
        Write to FLASH Programming.
        \Write to FLASH finish.
        Success.
        Console#
    This example shows how to copy a secure-site certificate from a TFTP server.
  • Page 418 Command Line Interface This command deletes a file or image. Syntax delete filename filename - Name of the configuration file or image name. Command Mode Privileged Exec Command Usage • If the file type is used for system startup, then this file cannot be deleted. •...
  • Page 419: Table 4-12 File Directory Information

    • File information is shown below:
    Table 4-12 File Directory Information
        Column Heading    Description
        File name         The name of the file.
        File type         File types: Boot-Rom, Operation Code, and Config file.
        Startup           Shows if this file is used when the system is started.
        Size              The length of the file in bytes.
  • Page 420 This command specifies the image used to start up the system.
    Syntax
        boot system {boot-rom | config | opcode}: filename
    The type of file or image to set as a default includes:
    • boot-rom* - Boot ROM.
    • config* - Configuration file.
    •...
  • Page 421 System Management Commands Command Usage • This command is used to enable or disable automatic upgrade of the operational code. When the switch starts up and automatic image upgrade is enabled by this command, the switch will follow these steps when it boots up: 1.
  • Page 422: Line

    Command Line Interface Default Setting None Command Mode Global Configuration Command Usage • This command is used in conjunction with the upgrade opcode auto command (page 4-42) to facilitate automatic upgrade of new operational code stored at the location indicated by this command. •...
  • Page 423 Table 4-13 Line Commands (Continued)
        Command            Function                                                                                       Mode    Page
        exec-timeout       Sets the interval that the command interpreter waits until user input is detected                     4-48
        password-thresh    Sets the password intrusion threshold, which limits the number of failed logon attempts               4-49
        silent-time*       Sets the amount of time the management console is...                                                  4-50
  • Page 424 Command Line Interface Example To enter console line mode, enter the following command: Console(config)#line console Console(config-line)# Related Commands show line (4-56) show users (4-33) This command enables password checking at login. Use the no form to disable password checking and allow connections without a password. Syntax login [local] no login...
  • Page 425: Login

    System Management Commands Related Commands username (4-110) password (4-47) This command specifies the password for a line. Use the no form to remove the password. Syntax password {0 | 7} password no password • {0 | 7} - 0 means plain password, 7 means encrypted password •...
  • Page 426 Command Line Interface This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default. Syntax timeout login response [seconds] no timeout login response seconds - Integer that specifies the timeout interval. (Range: 0 - 300 seconds;...
  • Page 427: Timeout Login Response

    System Management Commands Command Mode Line Configuration Command Usage • If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated. • This command applies to both the local console and Telnet connections. •...
  • Page 428: Password-Thresh

    Command Line Interface Related Commands silent-time (4-50) timeout login response (4-13) This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value. Syntax silent-time [seconds] no silent-time...
  • Page 429: Parity

    System Management Commands Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
  • Page 430: Speed

    Command Line Interface This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting. Syntax speed bps no speed bps - Baud rate in bits per second. (Options: 9600, 19200, 38400 bps) Default Setting 9600...
  • Page 431: Terminal Length

    System Management Commands This command sets the number of lines displayed on a terminal. Use the no form to restore the default setting. Syntax terminal length screen-length no terminal length screen-length – The number of lines displayed on a terminal. (Range: 0-512, where 0 means no pause for output displays) Default Setting Command Mode...
  • Page 432: Terminal Escape-Character

    Command Line Interface This command sets the escape character used to break display output. Use the no form to restore the default setting. Syntax terminal escape-character {character | ASCII-number ASCII-number} no terminal escape-character • characters – The escape character. • ASCII-number – ASCII decimal equivalent of the escape character. (Range: 0-255) Default Setting 27 (ASCII equivalent of the backspace key)
  • Page 433: Terminal History

    System Management Commands Example Console#terminal terminal-type vt-102 Console# This command configures parameters for storing previously entered commands. Use the no form to restore the default setting. Syntax terminal history [size number-of-lines] no terminal history [size] Default Setting Enabled 10 lines Command Mode Privileged Exec Command Usage...
  • Page 434: Show Line

    Command Line Interface Example Console#disconnect 1 Console# Related Commands show ssh (4-144) show users (4-33) This command displays the terminal line’s parameters. Syntax show line [console | vty] • console - Console terminal line. • vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting Shows all lines Command Mode...
  • Page 435: Logging On

    System Management Commands Table 4-14 Event Logging Commands Command Function Mode Page logging on Controls logging of error messages 4-57 logging history Limits syslog messages saved to switch memory based on 4-58 severity logging host Adds a syslog server host IP address that will receive logging 4-59 messages logging facility...
  • Page 436: Table 4-15 Logging Levels

    Command Line Interface This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax logging history {flash | ram} level no logging history {flash | ram} •...
  • Page 437 System Management Commands This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. Syntax [no] logging host host-ip-address host-ip-address - The IP address of a syslog server. Default Setting None Command Mode...
  • Page 438 Command Line Interface This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
  • Page 439: Show Log

    System Management Commands Related Commands show log (4-62) This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. Syntax show logging {flash | ram | sendmail} •...
  • Page 440 Command Line Interface This command displays the system and event messages stored in memory. Syntax show log {flash | ram} [login] • flash - Event history stored in flash memory (i.e., permanent memory). • ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
  • Page 441: Logging Sendmail Host

    System Management Commands These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients. Table 4-17 SMTP Alert Commands Command Function Mode Page logging sendmail host SMTP servers to receive alert messages 4-63 logging sendmail level Severity threshold used to trigger alert messages...
  • Page 442 Command Line Interface This command sets the severity threshold used to trigger alert messages. Syntax logging sendmail level level level - One of the system message levels (page 4-58). Messages sent include the selected level down to level 0. (Range: 0-7; Default: 7) Default Setting Level 7 Command Mode...
  • Page 443 System Management Commands This command specifies the email recipients of alert messages. Use the no form to remove a recipient. Syntax [no] logging sendmail destination-email email-address email-address - The source email address used in alert messages. (Range: 1-41 characters) Default Setting None Command Mode Global Configuration...
  • Page 444 Command Line Interface Example Console#show logging sendmail SMTP servers ----------------------------------------------- 1. 192.168.1.200 SMTP Minimum Severity Level: 4 SMTP destination email addresses ----------------------------------------------- 1. geoff@acme.com SMTP Source Email Address: john@acme.com SMTP status: Enabled Console#
  • Page 445: Table 4-18 Time Commands

    System Management Commands The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
  • Page 446 Command Line Interface This command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp servers command. Use the no form to disable SNTP client requests. Syntax [no] sntp client Default Setting Disabled Command Mode Global Configuration Command Usage...
  • Page 447: Sntp Client

    System Management Commands This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Syntax sntp server [ip1 [ip2 [ip3]]] ip - IP address of a time server (NTP or SNTP).
  • Page 448: Ntp Client

    Command Line Interface Example Console(config)#sntp poll 60 Console(config)# Related Commands sntp client (4-68) This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated. Command Mode Normal Exec, Privileged Exec Command Usage This command displays the current time, the poll interval used for sending...
  • Page 449: Ntp Server

    System Management Commands • This command enables client time requests to time servers specified via the ntp servers command. It issues time synchronization requests based on the interval set via the ntp poll command. Example Console(config)#ntp client Console(config)# Related Commands sntp client (4-68) ntp poll (4-72) ntp server (4-71)
  • Page 450: Ntp Authenticate

    Command Line Interface Example Console(config)#ntp server 192.168.3.20 Console(config)#ntp server 192.168.3.21 Console(config)#ntp server 192.168.4.22 version 2 Console(config)#ntp server 192.168.5.23 version 3 key 19 Console(config)# Related Commands ntp client (4-70) ntp poll (4-72) show ntp (4-74) This command sets the interval between sending time requests when the switch is set to NTP client mode.
  • Page 451: Ntp Authentication-Key

    System Management Commands Command Usage You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers. The authentication keys and their associated key number must be centrally managed and manually distributed to NTP servers and clients. The key numbers and key values must match on both the server and client.
  • Page 452: Show Ntp

    Command Line Interface Example Console(config)#ntp authentication-key 45 md5 thisiskey45 Console(config)# Related Commands ntp authenticate (4-72) show ntp This command displays the current time and configuration settings for the NTP client, and indicates whether or not the local time has been properly updated. Command Mode Normal Exec, Privileged Exec Command Usage...
  • Page 453: Clock Timezone-Predefined

    System Management Commands clock timezone-predefined This command uses predefined time zone configurations to set the time zone for the switch’s internal clock. Use the no form to restore the default. Syntax clock timezone-predefined offset-city no clock timezone-predefined • offset - Select the offset from GMT. (Range: GMT-0100 - GMT-1200; GMT-Greenwich-Mean-Time;...
  • Page 454: Clock Summer-Time (Date)

    Command Line Interface Default Setting None Command Mode Global Configuration Command Usage This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
  • Page 455: Clock Summer-Time (Predefined)

    System Management Commands • e-minute - The minute summer time will end. (Range: 0-59 minutes) • offset - Summer time offset from the regular time zone, in minutes. (Range: 0-99 minutes) Default Setting Disabled Command Mode Global Configuration Command Usage •...
  • Page 456: Table 4-19 Predefined Summer-Time Parameters

    Command Line Interface Command Usage • In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn.
  • Page 457 System Management Commands • b-hour - The hour when summer time will begin. (Range: 0-23 hours) • b-minute - The minute when summer time will begin. (Range: 0-59 minutes) • e-week - The week of the month when summer time will end. (Range: 1-5) •...
  • Page 458: Calendar Set

    Command Line Interface This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server. Syntax calendar set hour min sec {day month year | month day year} •...
  • Page 459: Cluster

    System Management Commands Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
  • Page 460 Command Line Interface Command Usage • To create a switch cluster, first be sure that clustering is enabled on the switch (the default is enabled), then set the switch as a Cluster Commander. Set a Cluster IP Pool that does not conflict with any other IP subnets in the network. Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander.
  • Page 461 System Management Commands This command sets the cluster IP address pool. Use the no form to reset to the default address. Syntax cluster ip-pool ip-address no cluster ip-pool ip-address - The base IP address for IP addresses assigned to cluster Members.
  • Page 462 Command Line Interface Command Usage • The maximum number of cluster Members is 36. • The maximum number of cluster Candidates is 100. Example Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5 Console(config)# This command provides access to a cluster Member CLI for configuration. Syntax rcommand id member-id member-id - The ID number of the Member switch.
  • Page 463: Show Cluster Candidates

    System Management Commands This command shows the current switch cluster members. Command Mode Privileged Exec Example Console#show cluster members Cluster Members: Role: Active member IP Address: 10.254.254.2 MAC Address: 00-12-cf-23-49-c0 Description: 24/48 L2/L4 IPV4/IPV6 GE Switch Console# This command shows the discovered Candidate switches in the network. Command Mode Privileged Exec Example...
  • Page 464: Upnp Device Ttl

    Command Line Interface This command enables UPnP on the device. Use the no form to disable UPnP. Syntax [no] upnp device Default Setting Enabled Command Mode Global Configuration Command Usage You must enable UPnP before you can configure time-out settings for sending UPnP messages.
  • Page 465: Show Upnp

    System Management Commands Example In the following example, the TTL is set to 6. Console(config)#upnp device ttl 6 Console(config)# This command sets the duration for which a device will advertise its presence on the local network. Syntax upnp device advertise duration value value - A time out value expressed in seconds.
  • Page 466: Snmp Commands

    Command Line Interface Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
  • Page 467 SNMP Commands Table 4-21 SNMP Commands (Continued) Command Function Mode Page ATC Trap Commands snmp-server Sends a trap when broadcast traffic exceeds the upper IC (Port) 4-242 enable port-traps atc threshold for automatic storm control broadcast-alarm-fire snmp-server Sends a trap when multicast traffic exceeds the upper IC (Port) 4-243 enable port-traps atc...
  • Page 468 Command Line Interface This command can be used to check the status of SNMP communications. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.
  • Page 469 SNMP Commands This command defines the SNMP v1 and v2c community access string. Use the no form to remove the specified community string. Syntax snmp-server community string [ro|rw] no snmp-server community string • string - Community string that acts like a password and permits access to the SNMP protocol.
  • Page 470: Snmp-Server Contact

    Command Line Interface Related Commands snmp-server location (4-92) This command sets the system location string. Use the no form to remove the location string. Syntax snmp-server location text no snmp-server location text - String that describes the system location. (Maximum length: 255 characters) Default Setting None Command Mode...
  • Page 471 SNMP Commands This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]} no snmp-server host host-addr •...
  • Page 472 Command Line Interface • The snmp-server host command is used in conjunction with the snmp-server enable traps command. Use the snmp-server enable traps command to enable the sending of traps or informs and to specify which SNMP notifications are sent globally. For a host to receive notifications, at least one snmp-server enable traps command and the snmp-server host command for that host must be enabled.
  • Page 473: Snmp-Server Host

    SNMP Commands Example Console(config)#snmp-server host 10.1.19.23 batman Console(config)# Related Commands snmp-server enable traps (4-95) snmp-server enable traps This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications). Use the no form to disable SNMP notifications.
  • Page 474: Snmp-Server Engine-Id

    Command Line Interface snmp-server engine-id This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default. Syntax snmp-server engine-id {local | remote {ip-address}} engineid-string no snmp-server engine-id {local | remote {ip-address}} • local - Specifies the SNMP engine on this switch. •...
  • Page 475: Show Snmp Engine-Id

    SNMP Commands Related Commands snmp-server host (4-93) show snmp engine-id This command shows the SNMP engine ID. Command Mode Privileged Exec Example This example shows the default engine ID. Console#show snmp engine-id Local SNMP engineID: 8000002a8000000000e8666672 Local SNMP engineBoots: 1 Remote SNMP engineID IP address 80000000030004e2b316c54321...
  • Page 476: Show Snmp View

    Command Line Interface Command Usage • Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree. • The predefined view “defaultview” includes access to the entire MIB tree. Examples This view includes MIB-2.
  • Page 477: Snmp-Server Group

    SNMP Commands snmp-server group This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group. Syntax snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] no snmp-server group groupname •...
  • Page 478: Show Snmp Group

    Command Line Interface show snmp group Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access. Command Mode Privileged Exec Example Console#show snmp group Group Name: r&d Security Model: v3 Read View: defaultview Write View: daily Notify View: none Storage Type: permanent...
  • Page 479: Snmp-Server User

    SNMP Commands Table 4-24 show snmp group - display description Field Description groupname Name of an SNMP group. security model The SNMP version. readview The associated read view. writeview The associated write view. notifyview The associated notify view. storage-type The storage type for this entry. Row Status The row status of this entry.
  • Page 480: Show Snmp User

    Command Line Interface Command Usage • The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command. • Before you configure a remote user, use the snmp-server engine-id command (page 4-96) to specify the engine ID for the remote device where the user resides.
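The usage note above says the engine ID feeds the digest computed from the password, which is why it must be set before users are created. The following is an added example, not code from the SMC manual: it assumes the switch follows the standard RFC 3414 password-to-key localization, uses the two engine IDs from the show snmp engine-id example on this page, and the function names and sample password are made up for illustration.

```python
import hashlib

# Engine IDs copied from the "show snmp engine-id" example on this page.
LOCAL_ENGINE_ID = bytes.fromhex("8000002a8000000000e8666672")
REMOTE_ENGINE_ID = bytes.fromhex("80000000030004e2b316c54321")

ONE_MEGABYTE = 1048576  # RFC 3414 A.2 hashes exactly this many bytes


def password_to_key(password: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 A.2: digest of the password repeated out to 1 MiB (key Ku)."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    h = hashlib.new(algo)
    h.update(password * reps + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """RFC 3414 2.6: bind Ku to one engine, Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Key an agent stores for a user: derived from password AND engine ID."""
    return localize_key(password_to_key(password, algo), engine_id, algo)


def key_survives_engine_change(password: bytes, old_id: bytes,
                               new_id: bytes, algo: str = "sha1") -> bool:
    """True only if a key stored under old_id still matches under new_id."""
    return localized_key(password, old_id, algo) == \
        localized_key(password, new_id, algo)


if __name__ == "__main__":
    pw = b"constructed-sample-passphrase"  # constructed sample, not from the page
    for name, eid in (("local", LOCAL_ENGINE_ID), ("remote", REMOTE_ENGINE_ID)):
        print(name, eid.hex(), "->", localized_key(pw, eid).hex())
    # Same password, different engine ID: the stored key no longer matches,
    # so a user created before the engine ID was changed must be re-created.
    print("key survives engine ID change:",
          key_survives_engine_change(pw, LOCAL_ENGINE_ID, REMOTE_ENGINE_ID))
```

Because the stored key is bound to one engine ID, a key captured from one agent does not authenticate against another agent that uses the same password.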
  • Page 481: Flow Sampling Commands

    Flow Sampling Commands Table 4-25 show snmp user - display description Field Description EngineId String identifying the engine ID. User Name Name of user connecting to the SNMP agent. Authentication Protocol The authentication protocol used with SNMPv3. Privacy Protocol The privacy protocol used with SNMPv3. Storage Type The storage type for this entry.
  • Page 482 Command Line Interface This command enables sFlow globally for the switch. Use the no form to disable this feature. Syntax [no] sflow Default Setting Disabled Command Mode Global Configuration Command Usage Flow sampling must be enabled globally on the switch, as well as for those ports where it is required (see the sflow source command on page 4-104).
  • Page 483 Flow Sampling Commands This command configures the packet sampling rate. Use the no form to restore the default rate. Syntax sflow sample rate no sflow sample rate - The packet sampling rate, or the number of packets out of which one sample will be taken.
  • Page 484 Command Line Interface This command configures the name of the receiver (i.e., sFlow Collector). Use the no form to remove this name. Syntax sflow owner name no sflow owner name - The name of the receiver. (Range: 1-256 characters) Default Setting None Command Mode Interface Configuration (Ethernet)
  • Page 485 Flow Sampling Commands Example This example sets the time out to 1000 seconds. Console(config)#interface ethernet 1/9 Console(config-if)#sflow timeout 10000 Console(config-if)# This command configures the IP address and UDP port used by the Collector. Use the no form to restore the default settings. Syntax sflow destination ipv4 ip-address [destination-udp-port] no sflow destination...
  • Page 486: Sflow Max-Datagram-Size

    Command Line Interface Example Console(config)#interface ethernet 1/9 Console(config-if)#sflow max-header-size 256 Console(config-if)# This command configures the maximum size of the sFlow datagram payload. Use the no form to restore the default setting. Syntax sflow max-datagram-size max-datagram-size no max-datagram-size max-datagram-size - The maximum size of the sFlow datagram payload. (Range: 200-1500 bytes) Default Setting 1400 bytes...
  • Page 487: Authentication Commands

    Authentication Commands Example Console#show sflow sFlow global status : Enabled Console#sh sf int e 1/9 Interface of Ethernet Interface status : Enabled Owner name : Lamar Owner destination : 192.168.0.4 Owner socket port : 6343 Time out : 10000 Maximum header size : 256 Maximum datagram size : 1500 Sample rate...
  • Page 488: Username

    Command Line Interface The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 4-44), user authentication via a remote authentication server (page 4-109), and host access authentication for specific ports (page 4-146). Table 4-28 User Access Commands Command Function...
  • Page 489 Authentication Commands Command Mode Global Configuration Command Usage • Privilege level 0 provides access to a limited number of the commands which display the current status of the switch, as well as several database clear and reset functions. Level 8 provides access to all display status and configuration commands, except for those controlling various authentication and security features.
  • Page 490: Authentication Enable

    Command Line Interface settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from an FTP/ TFTP server. There is no need for you to manually configure encrypted passwords. Example Console(config)#enable password level 15 0 admin Console(config)# Related Commands...
  • Page 491 Authentication Commands This command updates all privilege commands entered during the current session to the running configuration. Command Mode Privileged Exec Command Usage Due to system limitations in the current software, privilege commands (page 4-112) entered during the current switch session will not be stored properly in the running-config file (see show running-config on page 4-30).
  • Page 492: Table 4-30 Authentication Sequence

    Command Line Interface Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence. Table 4-30 Authentication Sequence Command Function Mode Page authentication login...
  • Page 493 Authentication Commands Example Console(config)#authentication login radius Console(config)# Related Commands username - for setting the local user names and passwords (4-110) This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-12).
  • Page 494: Radius-Server Host

    Command Line Interface Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
  • Page 495 Authentication Commands Command Mode Global Configuration Example Console(config)#radius-server 1 host 192.168.1.20 auth-port 181 timeout 10 retransmit 5 key green Console(config)# This command sets the RADIUS server network port for accounting messages. Use the no form to restore the default. Syntax radius-server acct-port port_number no radius-server acct-port port_number - RADIUS server UDP port used for accounting messages.
  • Page 496 Command Line Interface This command sets the RADIUS encryption key. Use the no form to restore the default. Syntax radius-server key key_string no radius-server key key_string - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 48 characters) Default Setting None Command Mode...
  • Page 497 Authentication Commands This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default. Syntax radius-server timeout number_of_seconds no radius-server timeout number_of_seconds - Number of seconds the switch waits for a reply before resending a request.
  • Page 498: Tacacs+ Client

    Command Line Interface This command displays the current settings for the RADIUS server. Default Setting None Command Mode Privileged Exec Example Console#show radius-server Remote RADIUS Server Configuration: Global Settings: Authentication Port : 1812 Accounting Port : 1813 Retransmit Times Request Timeout : 5 seconds Attributes: NAS-IP-Address (4)
  • Page 499: Tacacs-Server Host

    Authentication Commands tacacs-server host This command specifies the TACACS+ server. Use the no form to restore the default. Syntax [no] tacacs-server index host {host_ip_address} [port port_number] [timeout timeout] [retransmit retransmit] [key key] • index - Specifies the index number of the server. (Range: 1) •...
  • Page 500: Tacacs-Server Key

    Command Line Interface Example Console(config)#tacacs-server port 181 Console(config)# tacacs-server key This command sets the TACACS+ encryption key. Use the no form to restore the default. Syntax tacacs-server key key_string no tacacs-server key key_string - Encryption key used to authenticate logon access for the client.
  • Page 501: Tacacs-Server Timeout

    Authentication Commands tacacs-server timeout This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default. Syntax tacacs-server timeout number_of_seconds no tacacs-server timeout number_of_seconds - Number of seconds the switch waits for a reply before resending a request.
  • Page 502: Aaa Commands

    Command Line Interface AAA Commands The authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network. Table 4-33 AAA Commands Command Function Mode...
  • Page 503: Server

    Authentication Commands Example Console(config)#aaa group server radius tps Console(config-sg-radius)# server This command adds a security server to an AAA server group. Use the no form to remove the associated server from the group. Syntax [no] server {index | ip-address} • index - Specifies the server index. (Range: RADIUS 1-5, TACACS+ 1) •...
  • Page 504: Aaa Accounting Dot1X

    Command Line Interface aaa accounting dot1x This command enables the accounting of requested 802.1X services for network access. Use the no form to disable the accounting service. Syntax aaa accounting dot1x {default | method-name} start-stop group {radius | tacacs+ |server-group} no aaa accounting dot1x {default | method-name} •...
  • Page 505: Aaa Accounting Exec

    Authentication Commands aaa accounting exec This command enables the accounting of requested Exec services for network access. Use the no form to disable the accounting service. Syntax aaa accounting exec {default | method-name} start-stop group {radius | tacacs+ |server-group} no aaa accounting exec {default | method-name} •...
  • Page 506: Aaa Accounting Commands

    Command Line Interface aaa accounting commands This command enables the accounting of Exec mode commands. Use the no form to disable the accounting service. Syntax aaa accounting commands level {default | method-name} start-stop group {tacacs+ |server-group} no aaa accounting commands level {default | method-name} •...
  • Page 507: Aaa Accounting Update

    Authentication Commands aaa accounting update This command enables the sending of periodic updates to the accounting server. Use the no form to disable accounting updates. Syntax aaa accounting update [periodic interval] no aaa accounting update interval - Sends an interim accounting record to the server at this interval. (Range: 1-2147483647 minutes) Default Setting 1 minute...
  • Page 508: Accounting Exec

    Command Line Interface Example Console(config)#interface ethernet 1/2 Console(config-if)#accounting dot1x tps Console(config-if)# accounting exec This command applies an accounting method to local console or Telnet connections. Use the no form to disable accounting on the line. Syntax accounting exec {default | list-name} no accounting exec •...
  • Page 509: Aaa Authorization Exec

    Authentication Commands Command Mode Line Configuration Example Console(config)#line console Console(config-line)#accounting commands 15 default Console(config-line)# aaa authorization exec This command enables the authorization for Exec access. Use the no form to disable the authorization service. Syntax aaa authorization exec {default | method-name} group {tacacs+ | server-group} no aaa authorization exec {default | method-name} •...
  • Page 510: Authorization Exec

    Command Line Interface authorization exec This command applies an authorization method to local console or Telnet connections. Use the no form to disable authorization on the line. Syntax authorization exec {default | list-name} no authorization exec • default - Specifies the default method list created with the aaa authorization exec command (page 4-131).
  • Page 511: Web Server Commands

    Command Mode
      Privileged Exec
    Example
      Console#show accounting
      Accounting type: dot1x
        Method list: default
        Group list: radius
        Interface:
        Method list: tps
        Group list: radius
        Interface: eth 1/2
      Accounting type: Exec
        Method list: default
        Group list: radius
        Interface: vty
      Console#
    Web Server Commands
    This section describes commands used to configure web browser management access to the switch.
  • Page 512: Ip Http Server

    Example
      Console(config)#ip http port 769
      Console(config)#
    Related Commands
      ip http server (4-134)
    ip http server
    This command allows this device to be monitored or configured from a browser. Use the no form to disable this function.
    Syntax
      [no] ip http server
    Default Setting
      Enabled...
  • Page 513: Ip Http Secure-Port

    Authentication Commands • When you start HTTPS, the connection is established in this way: - The client authenticates the server using the server’s digital certificate. - The client and server negotiate a set of security protocols to use for the connection.
  • Page 514: Telnet Server Commands

    Command Usage
    • You cannot configure the HTTP and HTTPS servers to use the same port.
    • If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port_number
    Example
      Console(config)#ip http secure-port 1000...
  • Page 515: Secure Shell Commands

    Secure Shell Commands
    This section describes the commands used to configure the SSH server. Note that you also need to install an SSH client on the management station when using this protocol to configure the switch.
    Note: The switch supports both SSH Version 1.5 and 2.0.
  • Page 516 Command Line Interface Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it. An entry for a public key in the known hosts file would appear similar to the following example: 10.1.0.54 1024 35 15684995401867669259333946775054617325313674890836547254 15020245593199868544358361651999923329781766065830956 10825913212890233 76546801726272571413428762941301196195566782 59566410486957427888146206...
  • Page 517: Ip Ssh Server

    d) The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back to the switch.
    e) The switch compares the checksum sent from the client against that computed for the original string it sent. If the two checksums match, this means that the client's private key corresponds to an authorized public key, and the client is authenticated.
  • Page 518: Ip Ssh Timeout

    Command Line Interface Related Commands ip ssh crypto host-key generate (4-142) show ssh (4-144) ip ssh timeout This command configures the timeout for the SSH server. Use the no form to restore the default setting. Syntax ip ssh timeout seconds no ip ssh timeout seconds –...
  • Page 519: Ip Ssh Server-Key Size

    Command Mode
      Global Configuration
    Example
      Console(config)#ip ssh authentication-retries 2
      Console(config)#
    Related Commands
      show ip ssh (4-143)
    ip ssh server-key size
    This command sets the SSH server key size. Use the no form to restore the default setting.
    Syntax
      ip ssh server-key size key-size
      no ip ssh server-key size
    key-size –...
  • Page 520: Ip Ssh Crypto Host-Key Generate

    Command Line Interface Example Console#delete public-key admin dsa Console# ip ssh crypto host-key generate This command generates the host key pair (i.e., public and private). Syntax ip ssh crypto host-key generate [dsa | rsa] • dsa – DSA (Version 2) key type. •...
  • Page 521: Ip Ssh Save Host-Key

    Authentication Commands Default Setting Clears both the DSA and RSA key. Command Mode Privileged Exec Command Usage • This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory. •...
  • Page 522: Show Ssh

    Example
      Console#show ip ssh
      SSH Enabled - version 1.99
      Negotiation timeout: 120 secs; Authentication retries: 3
      Server key size: 768 bits
      Console#
    show ssh
    This command displays the current SSH server connections.
    Command Mode
      Privileged Exec
    Example
      Console#show ssh
      Connection Version State Username...
  • Page 523: Show Public-Key

    Authentication Commands show public-key This command shows the public key for the specified user or for the host. Syntax show public-key [user [username]| host] username – Name of an SSH user. (Range: 1-8 characters) Default Setting Shows all public keys. Command Mode Privileged Exec Command Usage...
  • Page 524: 802.1X Port Authentication

    Command Line Interface 802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
  • Page 525: Dot1X Default

    Authentication Commands dot1x default This command sets all configurable dot1x global and port settings to their default values. Command Mode Global Configuration Example Console(config)#dot1x default Console(config)# dot1x max-req This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session.
  • Page 526: Dot1X Operation-Mode

    Default
      force-authorized
    Command Mode
      Interface Configuration
    Example
      Console(config)#interface eth 1/2
      Console(config-if)#dot1x port-control auto
      Console(config-if)#
    dot1x operation-mode
    This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host.
  • Page 527: Dot1X Re-Authenticate

    Authentication Commands dot1x re-authenticate This command forces re-authentication on all ports or a specific interface. Syntax dot1x re-authenticate [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28/52) Command Mode Privileged Exec Command Usage The re-authentication process verifies the connected client’s user ID and password on the RADIUS server.
  • Page 528: Dot1X Timeout Quiet-Period

    Command Line Interface Example Console(config)#interface eth 1/2 Console(config-if)#dot1x re-authentication Console(config-if)# Related Commands dot1x timeout re-authperiod (4-150) dot1x timeout quiet-period This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. Use the no form to reset the default.
  • Page 529: Dot1X Timeout Tx-Period

    Authentication Commands Example Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout re-authperiod 300 Console(config-if)# dot1x timeout tx-period This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value.
  • Page 530: Dot1X Intrusion-Action

    Command Line Interface Command Usage This command sets the timeout for EAP-request frames other than EAP-request/identity frames. If dot1x authentication is enabled on a port, the switch will initiate authentication when the port link state comes up. It will send an EAP-request/identity frame to the client to request its identity, followed by one or more requests for authentication information.
  • Page 531: Show Dot1X

    Authentication Commands show dot1x This command shows general port authentication related settings on the switch or a specific interface. Syntax show dot1x [statistics] [interface interface] • statistics - Displays dot1x status for each port. • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
  • Page 532 Command Line Interface - Max Count – The maximum number of hosts allowed to access this port (page 4-148). - Port-control – Shows the dot1x mode on a port as auto, force-authorized, or force-unauthorized (page 4-147). - Supplicant – MAC address of authorized client. - Current Identifier –...
  • Page 533 Authentication Commands Example Console#show dot1x Global 802.1X Parameters system-auth-control: enable 802.1X Port Summary Port Name Status Operation Mode Mode Authorized disabled Single-Host ForceAuthorized enabled Single-Host auto 1/28 disabled Single-Host ForceAuthorized 802.1X Port Details 802.1X is disabled on port 1/1 802.1X is enabled on port 1/2 reauth-enabled: Enable reauth-period: 1800...
  • Page 534: Management Ip Filter Commands

    Command Line Interface Management IP Filter Commands This section describes commands used to configure IP management access to the switch. Table 4-40 IP Filter Commands Command Function Mode Page management Configures IP addresses that are allowed management access GC 4-156 show management Displays the switch to be monitored or configured from a 4-157...
  • Page 535: Show Management

    Example
    This example restricts management access to the indicated addresses.
      Console(config)#management all-client 192.168.1.19
      Console(config)#management all-client 192.168.1.25 192.168.1.30
      Console(config)#
    show management
    This command displays the client IP addresses that are allowed management access to the switch through various protocols.
    Syntax
      show management {all-client | http-client | snmp-client | telnet-client}
    •...
  • Page 536: General Security Measures

    Command Line Interface General Security Measures This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes.
  • Page 537: Port Security Commands

    General Security Measures Port Security Commands These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
  • Page 538 Command Line Interface Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
  • Page 539: Network-Access Aging

    General Security Measures (MAC Address Authentication) Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server.
  • Page 540 Command Line Interface Use this command to enable aging for authenticated MAC addresses stored in the secure MAC address table. Use the no form of this command to disable address aging. Syntax [no] network-access aging Default Setting Disabled Command Mode Global Configuration Command Usage •...
  • Page 541 General Security Measures • This command is different from configuring static addresses with the mac-address-table static command (page 4-270) in that it allows you to configure a range of addresses when using a mask, and then to assign these addresses to one or more ports with the network-access port-mac-filter command (page 4-163).
  • Page 542 Command Line Interface Default Setting 2048 Command Mode Interface Configuration Command Usage The maximum number of MAC addresses per port is 2048, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.
  • Page 543 General Security Measures • When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored. • The RADIUS server may optionally return a VLAN identifier list. VLAN identifier list is carried in the “Tunnel-Private-Group-ID” attribute. The VLAN list can contain multiple VLAN identifiers in the format “1u,2t,”...
  • Page 544 Command Line Interface Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default. Syntax mac-authentication intrusion-action [block traffic | pass traffic] no mac-authentication intrusion-action Default Setting Block Traffic Command Mode Interface Configuration...
  • Page 545 General Security Measures Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment. Syntax [no] network-access dynamic-vlan Default Setting Enabled Command Mode Interface Configuration Command Usage • When enabled, the VLAN identifiers returned by the RADIUS server will be applied to the port, providing the VLANs have already been created on the switch.
  • Page 546: Table 4-44 Dynamic Qos Profiles

    Command Mode
      Interface Configuration
    Command Usage
    • The VLAN to be used as the guest VLAN must be defined and set as active (see page 4-304).
    • When used with 802.1X authentication, the intrusion-action must be set for ‘guest-vlan’...
  • Page 547: Network-Access Link-Detection Link-Down

    General Security Measures Note: Any configuration changes for dynamic QoS are not saved to the switch configuration file. Example The following example enables the dynamic QoS feature on port 1. Console(config)#interface ethernet 1/1 Console(config-if)#network-access dynamic-qos Console(config-if)# Use this command to enable link detection for the selected port. Use the no form of this command to restore the default.
  • Page 548: Network-Access Link-Detection Link-Up

    Command Line Interface Example Console(config)#interface ethernet 1/1 Console(config-if)#network-access link-detection link-down action trap Console(config-if)# Use this command to detect link-up events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
  • Page 549: Clear Network-Access

    General Security Measures Use this command to clear entries from the secure MAC addresses table. Syntax clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface] • static - Specifies static address entries. • dynamic - Specifies dynamic address entries. •...
  • Page 550: Show Network-Access Mac-Address-Table

    Command Line Interface Example Console#show network-access interface ethernet 1/1 Global secure port information Reauthentication Time : 1800 -------------------------------------------------- -------------------------------------------------- Port : 1/1 MAC Authentication : Disabled MAC Authentication Intrusion action : Block traffic MAC Authentication Maximum MAC Counts : 1024 Maximum MAC Counts : 2048 Dynamic VLAN Assignment...
  • Page 551: Show Network-Access Mac-Filter

    General Security Measures Example Console#show network-access mac-address-table ---- ----------------- --------------- --------- ------------------------- Port MAC-Address RADIUS-Server Attribute Time ---- ----------------- --------------- --------- ------------------------- 00-00-01-02-03-04 172.155.120.17 Static 00d06h32m50s 00-00-01-02-03-05 172.155.120.17 Dynamic 00d06h33m20s 00-00-01-02-03-06 172.155.120.17 Static 00d06h35m10s 00-00-01-02-03-07 172.155.120.17 Dynamic 00d06h34m20s Console# Use this command to display information for entries in the MAC filter tables. Syntax show network-access mac-filter [filter-id] filter-id - Specifies a MAC address filter table.
  • Page 552: Web-Auth Login-Attempts

    Command Line Interface Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries. All other traffic, except for HTTP protocol traffic, is blocked.
  • Page 553 General Security Measures Default Setting 3 login attempts Command Mode Global Configuration Example Console(config)#web-auth login-attempts 2 Console(config)# This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.
  • Page 554 Command Line Interface Command Mode Global Configuration Example Console(config)#web-auth session-timeout 1800 Console(config)# This command globally enables web authentication for the switch. Use the no form to restore the default. Syntax [no] web-auth system-auth-control Default Setting Disabled Command Mode Global Configuration Command Usage Both web-auth system-auth-control for the switch and web-auth for an interface must be enabled for the web authentication feature to be active.
  • Page 555 General Security Measures (Port) This command ends all web authentication sessions connected to the port and forces the users to re-authenticate. Syntax web-auth re-authenticate interface interface interface - Specifies a port interface. ethernet unit/port • unit - This is unit 1. •...
  • Page 556 Command Line Interface This command displays global web authentication parameters. Command Mode Privileged Exec Example Console#show web-auth Global Web-Auth Parameters System Auth Control : Enabled Session Timeout : 3600 Quiet Period : 60 Max Login Attempts Console# This command displays interface-specific web authentication parameters and statistics.
  • Page 557: Table 4-46 Dhcp Snooping Commands

    General Security Measures This command displays a summary of web authentication port parameters and statistics. Command Mode Privileged Exec Example Console#show web-auth summary Global Web-Auth Parameters System Auth Control : Enabled Port Status Authenticated Host Count ---- ------ ------------------------ 1/ 1 Disabled 1/ 2 Enabled...
  • Page 558: Ip Dhcp Snooping

    Command Line Interface This command enables DHCP snooping globally. Use the no form to restore the default setting. Syntax [no] ip dhcp snooping Default Setting Disabled Command Mode Global Configuration Command Usage • Network traffic may be disrupted when malicious DHCP messages are received from an outside source.
  • Page 559: Ip Dhcp Snooping Vlan

    General Security Measures MAC address verification is enabled, then the packet will only be forwarded if the client’s hardware address stored in the DHCP packet is the same as the source MAC address in the Ethernet header. * If the DHCP packet is not a recognizable type, it is dropped. - If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN.
  • Page 560 Command Line Interface packet filtering will be performed on any untrusted ports within the VLAN as specified by the ip dhcp snooping trust command (page 4-182). • When DHCP snooping is globally disabled, it can still be configured for specific VLANs, but the changes will not take effect until DHCP snooping is globally re-enabled.
  • Page 561: Ip Dhcp Snooping Verify Mac-Address

    General Security Measures • Additional considerations when the switch itself is a DHCP client – The port(s) through which it submits a client request to the DHCP server must be configured as trusted. Example This example sets port 5 to untrusted. Related Commands ip dhcp snooping (4-180) ip dhcp snooping vlan (4-181)
  • Page 562: Ip Dhcp Snooping Information Option

    Command Line Interface This command enables the DHCP Option 82 information relay for the switch. Use the no form to disable this function. Syntax [no] ip dhcp snooping information option Default Setting Disabled Command Mode Global Configuration Command Usage • DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server.
  • Page 563 General Security Measures This command sets the DHCP snooping information option policy for DHCP client packets that include Option 82 information. Syntax ip dhcp snooping information policy {drop | keep | replace} • drop - Drops the client’s request packet instead of relaying it. •...
  • Page 564: Show Ip Dhcp Snooping

    Command Line Interface This command removes all dynamically learned snooping entries from flash memory. Command Mode Privileged Exec Example This command shows the DHCP snooping configuration settings. Command Mode Privileged Exec Example DHCP Snooping Information Option Status: disable DHCP Snooping Information Policy: replace Eth 1/5 This command shows the DHCP snooping binding table entries.
  • Page 565: Table 4-47 Ip Source Guard Commands

    IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see page 4-179).
  • Page 566: Ip Source-Guard Binding

    • When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table.
    • Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier.
  • Page 567 General Security Measures This command adds a static address to the source-guard binding table. Use the no form to remove a static entry. Syntax ip source-guard binding mac-address vlan vlan-id ip-address interface ethernet unit/port no ip source-guard binding mac-address vlan vlan-id •...
  • Page 568: Show Ip Source-Guard

    Command Line Interface Related Commands ip source-guard (4-187) ip dhcp snooping (4-180) ip dhcp snooping vlan (4-181) This command shows whether source guard is enabled or disabled on each interface. Command Mode Privileged Exec Example Console#show ip source-guard Interface Filter-type --------- ----------- Eth 1/1...
  • Page 569: Ip Arp Inspection

    General Security Measures ARP Inspection validates the MAC-to-IP address bindings in Address Resolution Protocol (ARP) packets. It protects against ARP traffic with invalid address bindings, which forms the basis for certain “man-in-the-middle” attacks. This is accomplished by intercepting all ARP requests and responses and verifying each of these packets before the local ARP cache is updated or the packet is forwarded to the appropriate destination, dropping any invalid ARP packets.
  • Page 570 Command Line Interface Command Mode Global Configuration Command Usage • When ARP Inspection is enabled globally with this command, it becomes active only on those VLANs where it has been enabled with the ip arp inspection vlan command (page 4-192). •...
  • Page 571 General Security Measures • When ARP Inspection is enabled globally and enabled on selected VLANs, all ARP request and reply packets on those VLANs are redirected to the CPU and their switching is handled by the ARP Inspection engine. • When ARP Inspection is disabled globally, it becomes inactive for all VLANs, including those where ARP Inspection is enabled.
  • Page 572 Command Line Interface • If static mode is not enabled, packets are first validated against the specified ARP ACL. Packets matching a deny rule are dropped. All remaining packets are validated against the address bindings in the DHCP snooping database. Example Console(config)#ip arp inspection filter sales vlan 1 Console(config)#...
  • Page 573 General Security Measures This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings. Syntax ip arp inspection log-buffer logs message-number interval seconds no ip arp inspection log-buffer logs •...
  • Page 574 Command Line Interface This command sets a port as trusted, and thus exempted from ARP Inspection. Use the no form to restore the default setting. Syntax [no] ip arp inspection trust Default Setting Untrusted Command Mode Interface Configuration (Port) Command Usage Packets arriving on untrusted ports are subject to any configured ARP Inspection and additional validation checks.
  • Page 575
    Example
      Console(config)#interface ethernet 1/1
      Console(config-if)#ip arp inspection limit 150
      Console(config-if)#
    This command displays the global configuration settings for ARP Inspection.
    Command Mode
      Privileged Exec
    Example
      Console#show ip arp inspection configuration
      ARP inspection global information:
      Global IP ARP Inspection status : disabled
      Log Message Interval : 10 s
      Log Message Number...
  • Page 576 Command Line Interface This command shows the configuration settings for VLANs, including ARP Inspection status, the ARP ACL name, and if the DHCP Snooping database is used after ARP ACL validation is completed. Syntax show ip arp inspection vlan [vlan-id | vlan-range] •...
  • Page 577: Access Control List Commands

    Access Control List Commands This command shows statistics about the number of ARP packets processed, or dropped for various reasons. Command Mode Privileged Exec Example Console#show ip arp inspection log Total log entries number is 1 Num VLAN Port Src IP Address Dst IP Address Src MAC Address Dst MAC Address...
  • Page 578: Access-List Rule-Mode

    Command Line Interface The commands in this section configure ACLs based on IP addresses, TCP/UDP port number, protocol type, and TCP control code. To configure IP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
  • Page 579 Access Control List Commands • When using mixed rule mode, either standard or extended rules can be used. However, the rules used in the same ACL must either be all standard or all extended rules. If standard rules are used for all ACLs, the maximum number of rules permitted by the system can be used.
  • Page 580: Access-List Ip

    Command Line Interface Related Commands permit, deny 4-202 ip access-group (4-205) show ip access-list (4-205) (Standard IPv4 ACL) This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | source bitmask | host source} •...
  • Page 581 Access Control List Commands (Extended IPv4 ACL) This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
  • Page 582 Command Line Interface Command Usage • All new rules are appended to the end of the list. • Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match”...
  • Page 583: Permit, Deny (Extended Ipv4 Acl)

    Access Control List Commands Related Commands access-list ip (4-201) This command displays the rules for configured IPv4 ACLs. Syntax show ip access-list {standard | extended} [acl_name] • standard – Specifies a standard IP ACL. • extended – Specifies an extended IP ACL. •...
  • Page 584: Show Ip Access-List

    Command Line Interface • If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one. Example Console(config)#int eth 1/25 Console(config-if)#ip access-group david in Console(config-if)# Related Commands show ip access-list (4-205)
  • Page 585: Access-List Ipv6

    Access Control List Commands access-list ipv6 This command adds an IP access list and enters configuration mode for standard or extended IPv6 ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ipv6 {standard | extended} acl_name •...
  • Page 586 Command Line Interface permit deny (Standard IPv6 ACL) This command adds a rule to a Standard IPv6 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | source-ipv6-address[/prefix-length] | host source-ipv6-address} •...
  • Page 587 Access Control List Commands (Extended IPv6 ACL) This command adds a rule to an Extended IPv6 ACL. The rule sets a filter condition for packets with specific destination IP addresses, next header type, or flow label. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | destination-ipv6-address[/prefix-length]}...
  • Page 588 Command Line Interface of a source address and a non-zero flow label. Packets that do not belong to a flow carry a flow label of zero. • Optional internet-layer information is encoded in separate headers that may be placed between the IPv6 header and the upper-layer header in a packet. There are a small number of such extension headers, each identified by a distinct Next Header value.
  • Page 589 Access Control List Commands Example Related Commands permit, deny (4-208) ipv6 access-group (4-211) This command binds a port to an IPv6 ACL. Use the no form to remove the port. Syntax [no] ipv6 access-group acl_name in • acl_name – Name of the ACL. (Maximum length: 16 characters) •...
  • Page 590: Table 4-52 Arp Acl Commands

    Command Line Interface Example Related Commands ipv6 access-group (4-211) The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan command (page 4-192).
  • Page 591 Access Control List Commands Example Related Commands permit, deny (4-213) show arp access-list (4-214) (ARP ACL) This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule.
  • Page 592: Access-List Arp

    Command Line Interface Command Usage New rules are added to the end of the list. Example This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0. Console(config-arp-acl)#$permit response ip any 192.168.0.0 255.255.0.0 mac any any Console(config-mac-acl)# Related Commands...
  • Page 593: Table 4-53 Mac Acl Commands

    Access Control List Commands The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
  • Page 594 Command Line Interface (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | host source | source address-bitmask}...
  • Page 595: Mac Acls

    Access Control List Commands • protocol – A specific Ethernet protocol number. (Range: 600-fff hex.) • protocol-bitmask – Protocol bitmask. (Range: 600-fff hex.) Default Setting None Command Mode MAC ACL Command Usage • New rules are added to the end of the list. •...
  • Page 596: Show Mac Access-List

    Command Line Interface This command binds a port to a MAC ACL. Use the no form to remove the port. Syntax mac access-group acl_name in • acl_name – Name of the ACL. (Maximum length: 16 characters) • in – Indicates that this list applies to ingress packets. Default Setting None Command Mode...
  • Page 597: Table 4-54 Acl Information

    Access Control List Commands Table 4-54 ACL Information Command Function Mode Page show access-list Show all ACLs and associated rules 4-219 show access-group Shows the ACLs assigned to each port 4-219 This command shows all ACLs and associated rules. Command Mode Privileged Exec Example Console#show access-list...
  • Page 598: Interface Commands

    Command Line Interface Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN. Table 4-55 Interface Commands Command Function Mode Page interface Configures an interface type and enters interface configuration 4-221 mode description...
  • Page 599: Interface

    Interface Commands interface This command configures an interface type and enters interface configuration mode. Use the no form to remove a trunk. Syntax interface interface no interface port-channel channel-id interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
  • Page 600: Speed-Duplex

    Command Line Interface Command Usage The description is displayed by the show interfaces status command (page 4-230) and in the running-configuration file. An example of the value which a network manager might store in this object is the name of the manufacturer, and the product name.
  • Page 601: Negotiation

    Interface Commands speed/duplex mode under auto-negotiation, the required mode must be specified in the capabilities list for an interface. Example The following example configures port 5 to 100 Mbps, half-duplex operation. Console(config)#interface ethernet 1/5 Console(config-if)#speed-duplex 100half Console(config-if)#no negotiation Console(config-if)# Related Commands negotiation (4-223) capabilities (4-224) negotiation...
  • Page 602: Capabilities

    Command Line Interface capabilities This command advertises the port capabilities of a given interface during autonegotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values. Syntax [no] capabilities {1000full | 100full | 100half | 10full | 10half | flowcontrol | symmetric} •...
  • Page 603: Flowcontrol

    Interface Commands Related Commands negotiation (4-223) speed-duplex (4-222) flowcontrol (4-225) flowcontrol This command enables flow control. Use the no form to disable flow control. Syntax [no] flowcontrol Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill.
  • Page 604: Media-Type

    Command Line Interface media-type This command forces the port type selected for combination ports 25-28 (SMC6128PL2) and 49-52 (SMC6152PL2). Use the no form to restore the default mode. Syntax media-type mode no media-type mode • copper-forced - Always uses the built-in RJ-45 port. •...
  • Page 605: Shutdown

    Interface Commands Interface Configuration (Ethernet - Ports 25-28/49-52) Command Usage • The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk. If not used, the success of the link process cannot be guaranteed when connecting to other types of switches.
  • Page 606: Switchport Packet-Rate

    Command Line Interface Example The following example disables port 5. Console(config)#interface ethernet 1/5 Console(config-if)#shutdown Console(config-if)# switchport packet-rate This command configures broadcast, multicast and unknown unicast storm control. Use the no form to restore the default setting. Syntax switchport {broadcast | multicast | unicast} packet-rate rate no switchport {broadcast | multicast | unicast} •...
  • Page 607: Clear Counters

    Interface Commands • The rate limits set by this command are also used by automatic storm control when the control response is set to rate limiting by the auto-traffic-control action command (page 4-241). Example The following shows how to configure broadcast storm control at 500 kilobits per second: Console(config)#interface ethernet 1/5 Console(config-if)#switchport broadcast packet-rate 500...
  • Page 608: Show Interfaces Status

    Command Line Interface Example Console#show interfaces brief Console#sh interfaces brief Interface Name Status PVID Pri Speed/Duplex Type Trunk --------- ------------------ -------- ---- --- ------------- ------------ ----- Eth 1/ 1 0 Auto-100full 100TX None Eth 1/ 2 Down 0 Auto 100TX None Eth 1/ 3 Down...
  • Page 609: Show Interfaces Counters

    Interface Commands Example Console#show interfaces status ethernet 1/5 Information of Eth 1/5 Basic Information: Port Type: 100TX Mac Address: 00-12-CF-12-34-57 Configuration: Name: Port Admin: Speed-duplex: 100full Capabilities: 100full Broadcast Storm: Enabled Broadcast Storm Limit: 64 Kbits/second Multicast Storm: Disabled Multicast Storm Limit: 64 Kbits/second UnknownUnicast Storm: Disabled...
  • Page 610: Show Interfaces Switchport

    Command Line Interface Command Usage If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see page 3-180. Example Console#show interfaces counters ethernet 1/7 Ethernet 1/7 Iftable Stats: Octets Input: 335955, Octets Output: 359180 Unicast Input: 0, Unicast Output: 0 Discard Input: 0, Discard Output: 0...
  • Page 611: Command Mode

    Interface Commands Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed. Example This example shows the configuration setting for port 24. Console#show interfaces switchport ethernet 1/24 Broadcast Threshold: Enabled, 64 Kbits/second Multicast Threshold: Disabled Unknown-unicast Threshold:...
  • Page 612: Table 4-56 Interfaces Switchport Statistics

    Command Line Interface Table 4-56 Interfaces Switchport Statistics (Continued) Field Description Priority for untagged traffic Indicates the default priority for untagged frames (page 4-363). GVRP Status Shows if GARP VLAN Registration Protocol is enabled or disabled (page 4-301). Allowed VLAN Shows the VLANs this interface has joined, where “(u)”...
  • Page 613: Table 4-57 Atc Commands

    Automatic Traffic Control Commands Table 4-57 ATC Commands (Continued) Command Function Mode Page SNMP Trap Commands snmp-server Sends a trap when broadcast traffic exceeds the upper IC (Port) 4-242 enable port-traps atc threshold for automatic storm control broadcast-alarm-fire snmp-server Sends a trap when multicast traffic exceeds the upper IC (Port) 4-243 enable port-traps atc...
  • Page 614 Command Line Interface Usage Guidelines ATC includes storm control for broadcast or multicast traffic. The control response for either of these traffic types is the same, as shown in the following diagrams. Storm control by limiting the traffic rate: The key elements of this diagram are described below: •...
  • Page 615: Auto-Traffic-Control Apply-Timer

    Automatic Traffic Control Commands The key elements of this diagram are the same as those described in the preceding diagram, except that automatic release of the control response is not provided. When traffic control is applied, you must manually re-enable the port. Functional Limitations Automatic storm control is a software level control function.
  • Page 616: Auto-Traffic-Control Release-Timer

    Command Line Interface auto-traffic-control release-timer This command sets the time at which to release the control response after ingress traffic has fallen beneath the lower threshold. Use the no form to restore the default setting. Syntax auto-traffic-control {broadcast | multicast} release-timer seconds no auto-traffic-control {broadcast | multicast} release-timer •...
  • Page 617: Auto-Traffic-Control Alarm-Fire-Threshold

    Automatic Traffic Control Commands Command Usage • Automatic storm control can be enabled for either broadcast or multicast traffic. It cannot be enabled for both of these traffic types at the same time. • Automatic storm control is a software level control function. Traffic storms can also be controlled at the hardware level using the switchport packet-rate command (page 4-228).
  • Page 618: Auto-Traffic-Control Alarm-Clear-Threshold

    Command Line Interface Example This example sets the trigger threshold for automatic storm control for broadcast traffic on port 1. Console(config)#interface ethernet 1/1 Console(config-if)#auto-traffic-control broadcast alarm-fire-threshold 255 Console(config-if)# auto-traffic-control alarm-clear-threshold This command sets the lower threshold for ingress traffic beneath which a cleared storm control trap is sent.
  • Page 619: Auto-Traffic-Control Action

    Automatic Traffic Control Commands auto-traffic-control action This command sets the control action to limit ingress traffic or shut down the offending port. Use the no form to restore the default setting. Syntax auto-traffic-control {broadcast | multicast} action {rate-control | shutdown} no auto-traffic-control {broadcast | multicast} action •...
  • Page 620: Auto-Traffic-Control Control-Release

    Command Line Interface auto-traffic-control control-release This command manually releases a control response. Syntax auto-traffic-control {broadcast | multicast} control-release • broadcast - Specifies automatic storm control for broadcast traffic. • multicast - Specifies automatic storm control for multicast traffic. Command Mode Interface Configuration (Ethernet) Command Usage •...
  • Page 621: Snmp-Server Enable Port-Traps Atc Multicast-Alarm-Fire

    Automatic Traffic Control Commands snmp-server enable port-traps atc multicast-alarm-fire This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control. Use the no form to disable this trap. Syntax [no] snmp-server enable port-traps atc multicast-alarm-fire Default Setting Disabled Command Mode...
  • Page 622: Snmp-Server Enable Port-Traps Atc Multicast-Alarm-Clear

    Command Line Interface snmp-server enable port-traps atc multicast-alarm-clear This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap. Syntax [no] snmp-server enable port-traps atc multicast-alarm-clear Default Setting Disabled Command Mode...
  • Page 623: Snmp-Server Enable Port-Traps Atc Multicast-Control-Apply

    Automatic Traffic Control Commands snmp-server enable port-traps atc multicast-control-apply This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap. Syntax [no] snmp-server enable port-traps atc multicast-control-apply Default Setting Disabled Command Mode...
  • Page 624: Snmp-Server Enable Port-Traps Atc Multicast-Control-Release

    Command Line Interface Related Commands auto-traffic-control alarm-clear-threshold (4-240) auto-traffic-control action (4-241) auto-traffic-control release-timer (4-238) snmp-server enable port-traps atc multicast-control-release This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires. Use the no form to disable this trap.
  • Page 625: Show Auto-Traffic-Control Interface

    Automatic Traffic Control Commands show auto-traffic-control interface This command shows interface configuration settings and storm control status for the specified port. Syntax show auto-traffic-control interface [interface] interface ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28/52) Command Mode Privileged Exec Example...
  • Page 626: Link Aggregation Commands

    Command Line Interface Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
  • Page 627: Channel-Group

    Link Aggregation Commands • STP, VLAN, and IGMP settings can only be made for the entire trunk via the specified port-channel. Dynamically Creating a Port Channel – Ports assigned to a common port channel must meet the following criteria: • Ports must have the same LACP system priority. •...
  • Page 628: Lacp

    Command Line Interface lacp This command enables Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it. Syntax [no] lacp Default Setting Disabled Command Mode Interface Configuration (Ethernet) Command Usage • The ports on both ends of an LACP trunk must be configured for full duplex, and auto-negotiation.
  • Page 629: Lacp System-Priority

    Link Aggregation Commands Example The following shows LACP enabled on ports 11-13. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk 1 has been established. Console(config)#interface ethernet 1/11 Console(config-if)#lacp Console(config-if)#exit...
  • Page 630: Lacp Admin-Key (Ethernet Interface)

    Command Line Interface Command Mode Interface Configuration (Ethernet) Command Usage • Ports must be configured with the same system priority to join the same LAG. • System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
  • Page 631: Lacp Admin-Key (Port Channel)

    Link Aggregation Commands • Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.
  • Page 632: Lacp Port-Priority

    Command Line Interface lacp port-priority This command configures LACP port priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority • actor - The local side of an aggregate link. •...
  • Page 633: Lacp Active/Passive

    Link Aggregation Commands lacp active/passive This command configures active or passive LACP initiation mode. Use the no form to restore the default setting. Syntax lacp {actor | partner} {active | passive} no lacp {actor | partner} • actor - The local side of an aggregate link. •...
  • Page 634: Table 4-59 Show Lacp Counters - Display Description

    Command Line Interface Command Mode Privileged Exec Example Console#show lacp 1 counters Port channel : 1 ------------------------------------------------------------------------- Eth 1/ 1 ------------------------------------------------------------------------- LACPDUs Sent : 21 LACPDUs Received : 21 Marker Sent : 0 Marker Received : 0 LACPDUs Unknown Pkts : 0 LACPDUs Illegal Pkts : 0 Table 4-59 show lacp counters - display description...
  • Page 635 Link Aggregation Commands Console#show lacp 1 internal Port channel : 1 ------------------------------------------------------------------------- Oper Key : 4 Admin Key : 0 Eth 1/1 ------------------------------------------------------------------------- LACPDUs Internal : 30 sec LACP System Priority : 32768 LACP Port Priority : 32768 Admin Key : 4 Oper Key : 4 Admin State : defaulted, aggregation, long timeout, LACP-activity Oper State : distributing, collecting, synchronization, aggregation,...
  • Page 636: Table 4-61 Show Lacp Neighbors - Display Description

    Command Line Interface Console#show lacp 1 neighbors Port channel 1 neighbors ------------------------------------------------------------------------- Eth 1/1 ------------------------------------------------------------------------- Partner Admin System ID : 32768, 00-00-00-00-00-00 Partner Oper System ID : 32768, 00-00-00-00-00-01 Partner Admin Port Number : 1 Partner Oper Port Number : 1 Port Admin Priority : 32768 Port Oper Priority : 32768 Admin Key : 0...
  • Page 637 Link Aggregation Commands Console#show lacp sysid Port Channel System Priority System MAC Address ------------------------------------------------------------------------- 32768 00-12-CF-8F-2C-A7 32768 00-12-CF-8F-2C-A7 32768 00-12-CF-8F-2C-A7 32768 00-12-CF-8F-2C-A7 Console# Table 4-62 show lacp sysid - display description Field Description Channel group A link aggregation group configured on this switch. LACP system priority for this channel group.
  • Page 638: Mirror Port Commands

    Command Line Interface Mirror Port Commands This section describes how to mirror traffic from a source port to a target port. Table 4-63 Mirror Port Commands Command Function Mode Page port monitor Configures a mirror session 4-260 show port monitor Shows the configuration for a mirror port 4-261 port monitor...
  • Page 639: Show Port Monitor

    Mirror Port Commands • When mirroring traffic from a port, the mirror port and monitor port speeds should match, otherwise traffic may be dropped from the monitor port. When mirroring traffic from a VLAN, traffic may also be dropped under heavy loads. •...
  • Page 640 Command Line Interface Example The following shows mirroring configured from port 6 to port 11: Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1/6 rx Console(config-if)#end Console#show port monitor Port Mirroring ------------------------------------- Destination port(listen port):Eth1/11 Source port(monitored port) :Eth1/6 Mode Console# 4-262...
  • Page 641: Rate Limit Commands

    Rate Limit Commands Rate Limit Commands This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into the network. Packets that exceed the acceptable amount of traffic are dropped.
  • Page 642: Power Over Ethernet Commands

    Command Line Interface Power over Ethernet Commands The commands in this group control the power that can be delivered to attached PoE devices through the switch ports. The switch’s power management enables total switch power and individual port power to be controlled within a configured power budget. Port power can be automatically turned on and off for connected devices, and a per-port power priority can be set so that the switch never exceeds its allocated power budget.
  • Page 643: Power Inline Compatible

    Power over Ethernet Commands Example Console(config)#power mainpower maximum allocation 180 Console(config)# Related Commands power inline priority (4-267) power inline compatible This command allows the switch to detect and provide power to powered devices that were designed prior to the IEEE 802.3af PoE standard. Use the no form to disable this feature.
  • Page 644: Power Inline

    Command Line Interface power inline This command instructs the switch to automatically detect if a PoE-compliant device is connected to the specified port, and turn power on or off accordingly. Use the no form to turn off power for a port. Syntax [no] power inline Default Setting...
  • Page 645: Power Inline Priority

    Power over Ethernet Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#power inline maximum allocation 8000 Console(config-if)# power inline priority This command sets the power priority for specific ports. Use the no form to restore the default setting. Syntax power inline priority priority no power inline priority priority - The power priority for the port.
  • Page 646: Show Power Inline Status

    Command Line Interface show power inline status This command displays the current power status for all ports or for specific ports. Syntax show power inline status [interface] interface ethernet • unit - Stack unit. (Range: 1) • port - Port number. (Range: 1-28/52) Command Mode Privileged Exec Example...
  • Page 647: Show Power Mainpower

    Address Table Commands show power mainpower Use this command to display the current power status for the switch. Command Mode Privileged Exec Example Console#show power mainpower Unit 1 Mainpower Status Maximum Available Power : 180 watts System Operation Status : on Mainpower Consumption : 15 watts Software Version...
  • Page 648: Mac-Address-Table Static

    Command Line Interface mac-address-table static This command maps a static address to a destination port in a VLAN. Use the no form to remove an address. Syntax mac-address-table static mac-address interface interface vlan vlan-id [action] no mac-address-table static mac-address vlan vlan-id •...
  • Page 649: Clear Mac-Address-Table Dynamic

    Address Table Commands clear mac-address-table dynamic This command removes any learned entries from the forwarding database and clears the transmit and receive counts for any static or system configured entries. Default Setting None Command Mode Privileged Exec Example Console#clear mac-address-table dynamic Console# show mac-address-table This command shows classes of entries in the bridge-forwarding database.
  • Page 650: Mac-Address-Table Aging-Time

    Command Line Interface means to match a bit and “1” means to ignore a bit. For example, a mask of 00-00-00-00-00-00 means an exact match, and a mask of FF-FF-FF-FF-FF-FF means “any.” • The maximum number of address entries is 8191. Example Console#show mac-address-table Interface Mac Address...
  • Page 651 Address Table Commands Example Console#show mac-address-table aging-time Aging time: 100 sec. Console# 4-273...
  • Page 652: Spanning Tree Commands

    Command Line Interface Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 4-69 Spanning Tree Commands Command Function Mode Page spanning-tree Enables the spanning tree protocol 4-275 spanning-tree mode...
  • Page 653: Spanning-Tree

    Spanning Tree Commands Table 4-69 Spanning Tree Commands (Continued) Command Function Mode Page spanning-tree Configures loopback release mode for a port 4-293 loopback-detection release-mode spanning-tree Enables BPDU loopback SNMP trap notification for a port IC 4-294 loopback-detection trap spanning-tree mst cost Configures the path cost of an instance in the MST 4-294 spanning-tree mst...
  • Page 654: Spanning-Tree Mode

    Command Line Interface This command selects the spanning tree mode for this switch. Use the no form to restore the default. Syntax spanning-tree mode {stp | rstp | mstp} no spanning-tree mode • stp - Spanning Tree Protocol (IEEE 802.1D) • rstp - Rapid Spanning Tree Protocol (IEEE 802.1w) •...
  • Page 655 Spanning Tree Commands Example The following example configures the switch to use Rapid Spanning Tree: Console(config)#spanning-tree mode rstp Console(config)# This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default. Syntax spanning-tree forward-time seconds no spanning-tree forward-time...
  • Page 656: Spanning-Tree Forward-Time

    Command Line Interface Command Mode Global Configuration Command Usage This command sets the time interval (in seconds) at which the root device transmits a configuration message. Example Console(config)#spanning-tree hello-time 5 Console(config)# Related Commands spanning-tree forward-time (4-277) spanning-tree max-age (4-278) This command configures the spanning tree bridge maximum age globally for this switch.
  • Page 657: Spanning-Tree Priority

    Spanning Tree Commands This command configures the spanning tree priority globally for this switch. Use the no form to restore the default. Syntax spanning-tree priority priority no spanning-tree priority priority - Priority of the bridge. (Range: 0 - 65535) (Range – 0-61440, in steps of 4096; Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440) Default Setting...
  • Page 658: Spanning-Tree Pathcost Method

    Command Line Interface Command Usage The spanning-tree system-bpdu-flooding command has no effect if BPDU flooding is disabled on a port (see the spanning-tree port-bpdu-flooding command, page 4-290). Example Console(config)#spanning-tree system-bpdu-flooding Console(config)# This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree.
  • Page 659: Spanning-Tree Mst-Configuration

    Spanning Tree Commands Command Mode Global Configuration Command Usage This command limits the maximum transmission rate for BPDUs. Example Console(config)#spanning-tree transmission-limit 4 Console(config)# This command changes to Multiple Spanning Tree (MST) configuration mode. Default Setting • No VLANs are mapped to any MST instance. •...
  • Page 660 Command Line Interface Command Usage • Use this command to group VLANs into spanning tree instances. MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
  • Page 661: Revision

    Spanning Tree Commands Example Console(config-mstp)#mst 1 priority 4096 Console(config-mstp)# This command configures the name for the multiple spanning tree region in which this switch is located. Use the no form to clear the name. Syntax name name name - Name of the spanning tree. Default Setting Switch’s MAC address Command Mode...
  • Page 662: Max-Hops

    Command Line Interface Command Usage The MST region name (page 4-283) and revision number are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
  • Page 663: Spanning-Tree Cost

    Spanning Tree Commands Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Example This example disables the spanning tree algorithm for port 5. Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree spanning-disabled Console(config-if)# This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default.
  • Page 664: Spanning-Tree Port-Priority

    Command Line Interface Default Setting By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost “0” is used to indicate auto-configuration mode. When the short path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65,535, the default is set to 65,535.
  • Page 665: Spanning-Tree Edge-Port

    Spanning Tree Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
  • Page 666: Spanning-Tree Portfast

    Command Line Interface edge delay time expires without receiving any RSTP or MSTP BPDUs. Note that edge delay time (802.1D-2004 17.20.4) equals the protocol migration time if a port's link type is point-to-point; otherwise it equals the spanning-tree’s maximum age (page 4-278). An interface cannot function as an edge port under the following conditions: - If spanning tree mode is set to STP (page 4-276), edge-port mode can be manually enabled or set to auto, but will have no effect.
  • Page 667: Spanning-Tree Bpdu-Filter

    Spanning Tree Commands • Since end-nodes cannot cause forwarding loops, they can be passed through the spanning tree state changes more quickly than allowed by standard convergence time. Fast forwarding can achieve quicker convergence for end-node workstations and servers, and also overcome other STA related timeout problems.
  • Page 668: Spanning-Tree Bpdu-Guard

    Command Line Interface Related Commands spanning-tree edge-port (4-287) spanning-tree portfast (4-288) This command shuts down an edge port (i.e., an interface set for fast forwarding) if it receives a BPDU. Use the no form to disable this feature. Syntax [no] spanning-tree bpdu-guard Default Setting Disabled Command Mode...
  • Page 669: Spanning-Tree Root-Guard

    Spanning Tree Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • When enabled, BPDUs are flooded to all other ports on the switch or to all other ports within the receiving port’s native VLAN as specified by the spanning-tree system-bpdu-flooding command (page 4-279).
  • Page 670: Spanning-Tree Link-Type

    Command Line Interface Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree edge-port Console(config-if)#spanning-tree root-guard Console(config-if)# This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree link-type {auto | point-to-point | shared} no spanning-tree link-type •...
  • Page 671: Spanning-Tree Loopback-Detection Release-Mode

    Spanning Tree Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.1W-2001 9.3.4 (Note 1). •...
  • Page 672: Spanning-Tree Loopback-Detection Trap

    Command Line Interface Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree loopback-detection release-mode manual This command enables SNMP trap notification for Spanning Tree loopback BPDU detections. Use the no form to restore the default. Syntax spanning-tree loopback-detection trap no spanning-tree loopback-detection trap Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel)
  • Page 673 Spanning Tree Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • Each spanning-tree instance is associated with a unique set of VLAN IDs. • This command is used by the multiple spanning-tree algorithm to determine the best path between devices. Therefore, lower values should be assigned to interfaces attached to faster media, and higher values assigned to interfaces with slower media.
  • Page 674: Spanning-Tree Mst Cost

    Command Line Interface Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree mst 1 port-priority 0 Console(config-if)# Related Commands spanning-tree mst cost (4-294) This command re-checks the appropriate BPDU format to send on the selected interface. Syntax spanning-tree protocol-migration interface interface • ethernet unit/port - unit - Stack unit.
  • Page 675: Show Spanning-Tree

    Spanning Tree Commands This command shows the configuration for the common spanning tree (CST) or for an instance within the multiple spanning tree (MST). Syntax show spanning-tree [interface | mst instance_id] • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
  • Page 676: Command Line Interface

    Command Line Interface Example Console#show spanning-tree Spanning Tree Mode: MSTP Spanning Tree Enabled/Disabled: Enabled Instance: VLANs Configuration: 1-4094 Priority: 32768 Bridge Hello Time (sec.): Bridge Max Age (sec.): Bridge Forward Delay (sec.): Root Hello Time (sec.): Root Max Age (sec.): Root Forward Delay (sec.): Max Hops: Remaining Hops:...
  • Page 677: Show Spanning-Tree Mst Configuration

    VLAN Commands This command shows the configuration of the multiple spanning tree. Command Mode Privileged Exec Example Console#show spanning-tree mst configuration Mstp Configuration Information -------------------------------------------------------------- Configuration name: R&D Revision level:0 Instance Vlans -------------------------------------------------------------- 1,3-4094 Console# A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment.
  • Page 678: Gvrp And Bridge Extension Commands

    Command Line Interface GVRP and Bridge Extension Commands GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
  • Page 679: Show Bridge-Ext

    VLAN Commands show bridge-ext This command shows the configuration for bridge extension commands. Default Setting None Command Mode Privileged Exec Command Usage See page 3-220 and page 3-17 for a description of the displayed items. Example Console#show bridge-ext Max support vlan numbers: Max support vlan ID:...
  • Page 680: Show Gvrp Configuration

    Command Line Interface show gvrp configuration This command shows if GVRP is enabled. Syntax show gvrp configuration [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28/52) • port-channel channel-id (Range: 1-8) Default Setting Shows both global and interface-specific configuration.
  • Page 681: Show Garp Timer

    VLAN Commands Command Usage • Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN. The default values for the GARP timers are independent of the media access method or data rate.
  • Page 682: Editing Vlan Groups

    Command Line Interface Related Commands garp timer (4-302) Editing VLAN Groups Table 4-75 Editing VLAN Groups Command Function Mode Page vlan database Enters VLAN database mode to add, change, and delete 4-304 VLANs vlan Configures a VLAN, including VID, name and state 4-305 vlan database This command enters VLAN database mode.
  • Page 683: Vlan

    VLAN Commands vlan This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN. Syntax vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] no vlan vlan-id [name | state] • vlan-id - ID of configured VLAN. (Range: 1-4094, no leading zeroes) •...
  • Page 684: Configuring Vlan Interfaces

    Command Line Interface Configuring VLAN Interfaces Table 4-76 Configuring VLAN Interfaces Command Function Mode Page interface vlan Enters interface configuration mode for a specified VLAN 4-306 switchport mode Configures VLAN membership mode for an interface 4-307 switchport Configures frame types to be accepted by an interface 4-308 acceptable-frame-types switchport ingress-filtering...
  • Page 685: Switchport Mode

    VLAN Commands switchport mode This command configures the VLAN membership mode for a port. Use the no form to restore the default. Syntax switchport mode {access | hybrid | trunk | private-vlan} no switchport mode • access - Specifies an access VLAN interface. The port transmits and receives untagged frames only.
  • Page 686: Switchport Acceptable-Frame-Types

    Command Line Interface switchport acceptable-frame-types This command configures the acceptable frame types for a port. Use the no form to restore the default. Syntax switchport acceptable-frame-types {all | tagged} no switchport acceptable-frame-types • all - The port accepts all frames, tagged or untagged. •...
  • Page 687: Switchport Native Vlan

    VLAN Commands • If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port). •...
  • Page 688: Switchport Allowed Vlan

    Command Line Interface switchport allowed vlan This command configures VLAN groups on the selected interface. Use the no form to restore the default. Syntax switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list} no switchport allowed vlan • add vlan-list - List of VLAN identifiers to add. •...
  • Page 689: Switchport Forbidden Vlan

    VLAN Commands switchport forbidden vlan This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs. Syntax switchport forbidden vlan {add vlan-list | remove vlan-list} no switchport forbidden vlan • add vlan-list - List of VLAN identifiers to add. •...
  • Page 690 Command Line Interface Command Usage • Use this command to configure a tunnel across one or more intermediate switches which pass traffic for VLAN groups to which they do not belong. The following figure shows VLANs 1 and 2 configured on switches A and B, with VLAN trunking being used to pass traffic for these VLAN groups across switches C, D and E.
  • Page 691: Displaying Vlan Information

    VLAN Commands Displaying VLAN Information Table 4-77 Show VLAN Commands Command Function Mode Page show vlan Shows VLAN information NE, PE 4-313 show interfaces status vlan Displays status for the specified VLAN interface NE, PE 4-230 show interfaces switchport Displays the administrative and operational status of an NE, PE 4-232 interface...
  • Page 692: Configuring Ieee 802.1Q Tunneling

    Command Line Interface Configuring IEEE 802.1Q Tunneling IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
  • Page 693: Show Dot1Q-Tunnel

    VLAN Commands reconfigured to overcome a break in the tree. It is therefore advisable to disable spanning tree on these ports. dot1q-tunnel system-tunnel-control This command sets the switch to operate in QinQ mode. Use the no form to disable QinQ operating mode. Syntax [no] dot1q-tunnel system-tunnel-control Default Setting...
  • Page 694 Command Line Interface • When a tunnel uplink port receives a packet from a customer, the customer tag (regardless of whether there are one or more tag layers) is retained in the inner tag, and the service provider’s tag added to the outer tag. •...
  • Page 695 VLAN Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#switchport dot1q-tunnel tpid 9100 Console(config-if)# Related Commands show interfaces switchport (4-232) This command displays information about QinQ tunnel ports. Command Mode Privileged Exec Example Console(config)#dot1q-tunnel system-tunnel-control Console(config)#interface ethernet 1/1 Console(config-if)#switchport dot1q-tunnel mode access Console(config-if)#interface ethernet 1/2 Console(config-if)#switchport dot1q-tunnel mode uplink Console(config-if)#end Console#show dot1q-tunnel...
  • Page 696: Configuring Port-Based Traffic Segmentation

    Command Line Interface Configuring Port-based Traffic Segmentation If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual client sessions.
  • Page 697: Pvlan Uplink/Downlink

    VLAN Commands Command Usage • When traffic segmentation is enabled, the forwarding state for the uplink and downlink ports assigned to different client sessions is shown below. Table 4-80 Traffic Segmentation Forwarding Destination Session #1 Session #1 Session #2 Session #2 Normal Downlinks Uplinks...
  • Page 698: Pvlan Session

    Command Line Interface Command Usage • A port cannot be configured in both an uplink and downlink list. • A port can only be assigned to one traffic-segmentation session. • A downlink port can only communicate with an uplink port in the same session.
  • Page 699: Pvlan Up-To-Up

    VLAN Commands pvlan up-to-up This command specifies whether or not traffic can be forwarded between uplink ports assigned to different client sessions. Use the no form to restore the default. Syntax [no] pvlan up-to-up {blocking | forwarding} • blocking – Blocks traffic between uplink ports assigned to different sessions.
  • Page 700: Configuring Private Vlans

    Command Line Interface Configuring Private VLANs Private VLANs provide port-based security and isolation of local ports contained within different private VLAN groups. This switch supports two types of private VLANs – primary and community groups. A primary VLAN contains promiscuous ports that can communicate with all other ports in the associated private VLAN groups, while a community (or secondary) VLAN contains community ports that can only communicate with other hosts within the community VLAN and with any of the...
  • Page 701: Private-Vlan

    VLAN Commands Use the show vlan private-vlan command to verify your configuration settings. private-vlan Use this command to create a primary or community private VLAN. Use the no form to remove the specified private VLAN. Syntax private-vlan vlan-id {community | primary} no private-vlan vlan-id •...
  • Page 702: Private Vlan Association

    Command Line Interface private vlan association Use this command to associate a primary VLAN with a secondary (i.e., community) VLAN. Use the no form to remove all associations for the specified primary VLAN. Syntax private-vlan primary-vlan-id association {secondary-vlan-id | add secondary-vlan-id | remove secondary-vlan-id} no private-vlan primary-vlan-id association •...
  • Page 703: Switchport Private-Vlan Host-Association

    VLAN Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage To assign a promiscuous port to a primary VLAN, use the switchport private-vlan mapping command. To assign a host port to a community VLAN, use the private-vlan host association command. Example Console(config)#interface ethernet 1/2 Console(config-if)#switchport mode private-vlan promiscuous...
  • Page 704: Switchport Private-Vlan Mapping

    Command Line Interface switchport private-vlan mapping Use this command to map an interface to a primary VLAN. Use the no form to remove this mapping. Syntax switchport private-vlan mapping primary-vlan-id no switchport private-vlan mapping primary-vlan-id – ID of primary VLAN. (Range: 1-4094, no leading zeroes). Default Setting None Command Mode...
  • Page 705: Table 4-82 Protocol-Based Vlan Commands

    VLAN Commands Example Console#show vlan private-vlan Primary Secondary Type Interfaces -------- ----------- ---------- ------------------------------ primary Eth1/ 3 community Eth1/ 4 Eth1/ 5 Console# Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
  • Page 706: Protocol-Vlan Protocol-Group (Configuring Groups)

    Command Line Interface protocol-vlan protocol-group (Configuring Groups) This command creates a protocol group, or adds specific protocols to a group. Only one frame type and protocol type can be added to a protocol group. Use the no form to remove a protocol group. Syntax protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol]...
  • Page 707: Show Protocol-Vlan Protocol-Group

    VLAN Commands Command Usage • When creating a protocol-based VLAN, do not assign interfaces to the protocol VLAN via any of the standard VLAN commands. If you assign interfaces using any of the other VLAN commands (such as vlan on page 4-305), the switch will admit traffic of any protocol type into the associated VLAN.
  • Page 708: Show Protocol-Vlan Protocol-Group-Vid

    Command Line Interface show protocol-vlan protocol-group-vid This command shows the mapping from protocol groups to VLANs. Syntax show protocol-vlan protocol-group-vid Default Setting The mapping for all protocol groups is displayed. Command Mode Privileged Exec Example This shows that traffic matching the specifications for protocol group 2 will be mapped to VLAN 2: Console#show protocol-vlan protocol-group-vid ProtocolGroup ID...
  • Page 709 VLAN Commands This command configures IP Subnet VLAN assignments. Use the no form to remove an IP subnet-to-VLAN assignment. Syntax subnet-vlan subnet ip-address mask vlan vlan-id no subnet-vlan subnet {ip-address mask | all} • ip-address – The IP address that defines the subnet. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods.
  • Page 710: Configuring Mac Based Vlans

    Command Line Interface Example The following example displays all configured IP subnet-based VLANs. Console#show subnet-vlan IP address Mask VLAN ID ----------------- ----------------- --------- 192.168.12.0 255.255.255.128 192.168.12.128 255.255.255.192 192.168.12.192 255.255.255.224 192.168.12.224 255.255.255.240 192.168.12.240 255.255.255.248 192.168.12.248 255.255.255.252 192.168.12.252 255.255.255.254 192.168.12.254 255.255.255.255 192.168.12.255 255.255.255.255 Console# Configuring MAC Based VLANs...
  • Page 711: Show Mac-Vlan

    VLAN Commands Command Mode Global Configuration Command Usage • The MAC-to-VLAN mapping applies to all ports on the switch. • Source MAC addresses can be mapped to only one VLAN ID. • Configured MAC addresses cannot be broadcast or multicast addresses. •...
  • Page 712: Configuring Voice Vlans

    Command Line Interface Configuring Voice VLANs The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic. VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices.
  • Page 713: Voice Vlan Aging

    VLAN Commands devices. When VoIP traffic is detected on a configured port, the switch automatically assigns the port as a tagged member of the Voice VLAN. • Only one Voice VLAN is supported and it must already be created on the switch before it can be specified as the Voice VLAN.
  • Page 714: Voice Vlan Mac-Address

    Command Line Interface voice vlan mac-address This command specifies MAC address ranges to add to the OUI Telephony list. Use the no form to remove an entry from the list. Syntax voice vlan mac-address mac-address mask mask-address [description description] no voice vlan mac-address mac-address mask mask-address •...
  • Page 715: Switchport Voice Vlan

    VLAN Commands switchport voice vlan This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port. Syntax switchport voice vlan {manual | auto} no switchport voice vlan • manual - The Voice VLAN feature is enabled on the port, but the port must be manually added to the Voice VLAN.
  • Page 716: Switchport Voice Vlan Security

    Command Line Interface Command Mode Interface Configuration Command Usage • When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list (see the voice vlan mac-address command on page 4-336). MAC address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device.
  • Page 717: Switchport Voice Vlan Priority

    VLAN Commands switchport voice vlan priority This command specifies a CoS priority for VoIP traffic on a port. Use the no form to restore the default priority on a port. Syntax switchport voice vlan priority priority-value no switchport voice vlan priority •...
  • Page 718 Command Line Interface Example Console#show voice vlan status Global Voice VLAN Status Voice VLAN Status : Enabled Voice VLAN ID : 1234 Voice VLAN aging time : 1440 minutes Voice VLAN Port Summary Port Mode Security Rule Priority -------- -------- -------- --------- -------- Eth 1/ 1 Auto Enabled Eth 1/ 2 Disabled Disabled OUI...
  • Page 719: Lldp Commands

    LLDP Commands LLDP Commands Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1ab standard, and can include details such as device identification, capabilities and configuration settings.
  • Page 720 Command Line Interface Table 4-86 LLDP Commands (Continued) Command Function Mode Page lldp basic-tlv Configures an LLDP-enabled port to advertise its system 4-351 system-name name lldp dot1-tlv Configures an LLDP-enabled port to advertise the supported 4-351 proto-ident* protocols lldp dot1-tlv Configures an LLDP-enabled port to advertise port related 4-352 proto-vid*...
  • Page 721: Lldp

    LLDP Commands lldp This command enables LLDP globally on the switch. Use the no form to disable LLDP. Syntax [no] lldp Default Setting Enabled Command Mode Global Configuration Example lldp holdtime-multiplier This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.
  • Page 722: Lldp Medfaststartcount

    Command Line Interface lldp medFastStartCount This command specifies the amount of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. Syntax lldp medfaststartcount packets seconds - Amount of packets. (Range: 1-10 packets; Default: 4 packets) Default Setting 4 packets Command Mode...
  • Page 723: Lldp Refresh-Interval

    LLDP Commands notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss. Example Console(config)#lldp notification-interval 30 Console(config)# lldp refresh-interval This command configures the periodic transmit interval for LLDP advertisements. Use the no form to restore the default setting.
  • Page 724: Lldp Tx-Delay

    Command Line Interface Command Mode Global Configuration Command Usage When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted. Example Console(config)#lldp reinit-delay 10 Console(config)# lldp tx-delay This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables.
  • Page 725: Lldp Admin-Status

    LLDP Commands lldp admin-status This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature. Syntax lldp admin-status {rx-only | tx-only | tx-rx} no lldp admin-status • rx-only - Only receive LLDP PDUs. •...
  • Page 726: Lldp Mednotification

    Command Line Interface therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp notification Console(config-if)# lldp mednotification This command enables the transmission of SNMP trap notifications about LLDP-MED changes.
  • Page 727: Lldp Basic-Tlv Management-Ip-Address

    LLDP Commands lldp basic-tlv management-ip-address This command configures an LLDP-enabled port to advertise the management address for this device. Use the no form to disable this feature. Syntax [no] lldp basic-tlv management-ip-address Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
  • Page 728: Lldp Basic-Tlv System-Capabilities

    Command Line Interface Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The port description is taken from the ifDescr object in RFC 2863, which includes information about the manufacturer, the product name, and the version of the interface hardware/software. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp basic-tlv port-description...
  • Page 729: Lldp Basic-Tlv System-Name

    LLDP Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The system description is taken from the sysDescr object in RFC 3418, which includes the full name and version identification of the system's hardware type, software operating system, and networking software. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp basic-tlv system-description...
  • Page 730: Lldp Dot1-Tlv Proto-Vid

    Command Line Interface Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises the protocols that are accessible through this interface. Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot1-tlv proto-ident Console(config-if)# This command configures an LLDP-enabled port to advertise port-related VLAN information.
  • Page 731: Lldp Dot1-Tlv Vlan-Name

    LLDP Commands Command Usage The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see page 4-309). Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot1-tlv pvid Console(config-if)# This command configures an LLDP-enabled port to advertise its VLAN name. Use the no form to disable this feature.
  • Page 732: Lldp Dot3-Tlv Mac-Phy

    Command Line Interface Command Usage This option advertises link aggregation capabilities, aggregation status of the link, and the IEEE 802.3 aggregated port identifier if this interface is currently a link aggregation member. Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot3-tlv link-agg Console(config-if)# lldp dot3-tlv mac-phy This command configures an LLDP-enabled port to advertise its MAC and physical...
  • Page 733: Lldp Dot3-Tlv Poe

    LLDP Commands Command Usage Refer to page 4-35 for information on configuring the maximum frame size for this switch. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp dot3-tlv max-frame Console(config-if)# lldp dot3-tlv poe This command configures an LLDP-enabled port to advertise its Power-over-Ethernet (PoE) capabilities.
  • Page 734: Lldp Medtlv Inventory

    Command Line Interface Command Usage This option advertises extended Power-over-Ethernet capability details, such as power availability from the switch, and power state of the switch, including whether the switch is operating from primary or backup power (the Endpoint Device could use this information to decide to enter power conservation mode).
  • Page 735: Lldp Medtlv Med-Cap

    LLDP Commands Command Usage This option advertises location identification details. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp medtlv location Console(config-if)# lldp medtlv med-cap This command configures an LLDP-MED-enabled port to advertise its Media Endpoint Device capabilities. Use the no form to disable this feature. Syntax [no] lldp medtlv med-cap...
  • Page 736: Show Lldp Config

    Command Line Interface Command Usage This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port. Improper network policy configurations frequently result in voice quality degradation or complete service disruption. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp medtlv network-policy Console(config-if)#...
  • Page 737 LLDP Commands Example Console#show lldp config LLDP Global Configuation LLDP Enable : Yes LLDP Transmit interval : 30 LLDP Hold Time Multiplier LLDP Delay Interval LLDP Reinit Delay LLDP Notification Interval : 5 LLDP MED fast start counts : 4 LLDP Port Configuration Interface |AdminStatus NotificationEnabled --------- + ----------- -------------------...
  • Page 738: Show Lldp Info Local-Device

    Command Line Interface show lldp info local-device This command shows LLDP global and interface-specific configuration settings for this device. Syntax show lldp info local-device [detail interface] • detail - Shows detailed information. • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
  • Page 739: Show Lldp Info Remote-Device

    LLDP Commands show lldp info remote-device This command shows LLDP global and interface-specific configuration settings for remote devices attached to an LLDP-enabled port. Syntax show lldp info remote-device [detail interface] • detail - Shows detailed information. • interface • ethernet unit/port - unit - Stack unit.
  • Page 740: Show Lldp Info Statistics

    Command Line Interface show lldp info statistics This command shows statistics based on traffic received through all attached LLDP-enabled interfaces. Syntax show lldp info statistics [detail interface] • detail - Shows detailed information. • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
  • Page 741: Class Of Service Commands

    Class of Service Commands Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 742: Switchport Priority Default

    Command Line Interface Default Setting Weighted Round Robin Command Mode Global Configuration Command Usage • Strict priority requires all traffic in a higher priority queue to be processed before lower priority queues are serviced. • WRR uses a relative weight for each queue which determines the number of packets the switch transmits every time it services a queue before moving on to the next queue.
  • Page 743: Queue Cos-Map

    Class of Service Commands frame is an IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used. • This switch provides eight priority queues for each port. It is configured to use Weighted Round Robin by default, which can be viewed with the show queue bandwidth command.
  • Page 744: Show Queue Mode

    Command Line Interface Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • CoS values assigned at the ingress port are also used at the egress port. • This command sets the CoS priority for all interfaces. Example The following example shows how to change the CoS assignments: Priority Queue: 0 1 2 1 2 2 3 3 Console# Related Commands...
  • Page 745: Show Queue Cos-Map

    Class of Service Commands Example Console#show queue bandwidth Queue ID Weight -------- ------ Console# show queue cos-map This command shows the class of service priority map. Syntax show queue cos-map [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
  • Page 746: Table 4-90 Priority Commands (Layer 3 And 4)

    Command Line Interface (Layer 3 and 4) This section describes commands used to configure Layer 3 and Layer 4 traffic priority on the switch. Table 4-90 Priority Commands (Layer 3 and 4) Command Function Mode Page map ip dscp Enables IP DSCP class of service mapping 4-368 map ip dscp Maps IP DSCP value to a class of service...
  • Page 747: Table 4-91 Ip Dscp To Cos Values

    Class of Service Commands Default Setting The DSCP default values are defined in the following table. Note that all the DSCP values that are not specified are mapped to CoS value 0. Table 4-91 IP DSCP to CoS Values IP DSCP Value CoS Value 10, 12, 14, 16 18, 20, 22, 24...
  • Page 748: Map Ip Dscp (Global Configuration)

    Command Line Interface This command shows the IP DSCP priority map. Syntax show map ip dscp [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28/52) • port-channel channel-id (Range: 1-8) Default Setting None Command Mode...
  • Page 749: Quality Of Service Commands

    Quality of Service Commands Quality of Service Commands The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
  • Page 750: Class-Map

    Command Line Interface any traffic that exceeds the specified rate, or just reduce the DSCP service level for traffic exceeding the specified rate. Use the service-policy command to assign a policy map to a specific interface. Notes: 1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map.
  • Page 751: Match

    Quality of Service Commands match This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria. Syntax [no] match {access-list acl-name | ip dscp dscp | ip precedence ip-precedence | vlan vlan} • acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs.
  • Page 752: Rename

    Command Line Interface This example creates a class map called “rd_class#3,” and sets it to match packets marked for VLAN 1: Console(config)#class-map rd_class#3 match-any Console(config-cmap)#match vlan 1 Console(config-cmap)# rename This command redefines the name of a class map or policy map. Syntax rename map-name map-name - Name of the class map or policy map.
  • Page 753: Policy-Map

    Quality of Service Commands policy-map This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map and return to Global configuration mode. Syntax [no] policy-map policy-map-name policy-map-name - Name of the policy map.
  • Page 754: Set

    Command Line Interface Command Mode Policy Map Configuration Command Usage • Use the policy-map command to specify a policy map and enter Policy Map configuration mode. Then use the class command to enter Policy Map Class configuration mode. And finally, use the set and police commands to specify the match criteria, where the: - set command classifies the service that an IP packet will receive.
  • Page 755: Police

    Quality of Service Commands average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets. Console(config)#policy-map rd_policy Console(config-pmap)#class rd_class Console(config-pmap-c)#set ip dscp 3 Console(config-pmap-c)#police 100000 1522 exceed-action drop Console(config-pmap-c)# police This command defines a policer for classified traffic based on the metered flow rate.
  • Page 756: Service-Policy

    Command Line Interface service-policy This command applies a policy map defined by the policy-map command to the ingress queue of a particular interface. Use the no form to remove the policy map from this interface. Syntax [no] service-policy input policy-map-name •...
  • Page 757: Show Policy-Map

    Quality of Service Commands Example Console#show class-map Class Map match-any rd_class#1 Match ip dscp 3 Class Map match-any rd_class#2 Match ip precedence 5 Class Map match-any rd_class#3 Match vlan 1 Console# show policy-map This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations.
  • Page 758: Multicast Filtering Commands

    Command Line Interface Command Mode Privileged Exec Example Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
  • Page 759 Multicast Filtering Commands This command enables IGMP snooping on this switch. Use the no form to disable it. Syntax [no] ip igmp snooping Default Setting Enabled Command Mode Global Configuration Example The following example enables IGMP snooping. Console(config)#ip igmp snooping Console(config)# This command adds a port to a multicast group.
  • Page 760 Command Line Interface Example The following shows how to statically configure a multicast group on a port: Console(config)#ip igmp snooping vlan 1 static 224.0.0.12 ethernet 1/5 Console(config)# This command configures the IGMP snooping version. Use the no form to restore the default.
  • Page 761 Multicast Filtering Commands Default Setting Disabled Command Mode Global Configuration Command Usage • This function is only effective if IGMP snooping is enabled. • The IGMP snooping leave-proxy feature suppresses all unnecessary IGMP leave messages so that the non-querier switch forwards an IGMP leave packet only when the last dynamic member port leaves a multicast group.
  • Page 762: Show Ip Igmp Snooping

    Command Line Interface query-max-response-time (see 4-387). • If immediate-leave is enabled, the switch assumes that only one host is connected to the interface. Therefore, immediate leave should only be enabled on an interface if it is connected to only one IGMP-enabled device, either a service host or a neighbor running IGMP snooping.
  • Page 763: Table 4-95 Igmp Query Commands (Layer 2)

    Multicast Filtering Commands • user - Display only the user-configured multicast entries. • igmp-snooping - Display only entries learned through IGMP snooping. Default Setting None Command Mode Privileged Exec Command Usage Member types displayed include IGMP or USER, depending on selected options.
  • Page 764: Ip Igmp Snooping Query-Count

    Command Line Interface Command Mode Global Configuration Command Usage • IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp snooping version, page 4-382). • If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic.
  • Page 765: Ip Igmp Snooping Query-Interval

    Multicast Filtering Commands This command configures the query interval. Use the no form to restore the default. Syntax ip igmp snooping query-interval seconds no ip igmp snooping query-interval seconds - The frequency at which the switch sends IGMP host-query messages. (Range: 60-125) Default Setting 125 seconds Command Mode...
  • Page 766: Ip Igmp Snooping Version

    Command Line Interface Example The following shows how to configure the maximum response time to 20 seconds: Console(config)#ip igmp snooping query-max-response-time 20 Console(config)# Related Commands ip igmp snooping version (4-382) This command configures the query timeout. Use the no form to restore the default. Syntax ip igmp snooping router-port-expire-time seconds no ip igmp snooping router-port-expire-time...
  • Page 767: Table 4-96 Static Multicast Routing Commands

    Multicast Filtering Commands This section describes commands used to configure static multicast routing on the switch. Table 4-96 Static Multicast Routing Commands Command Function Mode Page ip igmp snooping vlan mrouter Adds a multicast router port 4-389 show ip igmp snooping mrouter Shows multicast router ports 4-390 This command statically configures a multicast router port.
  • Page 768: Show Ip Igmp Snooping Mrouter

    Command Line Interface This command displays information on statically configured and dynamically learned multicast router ports. Syntax show ip igmp snooping mrouter [vlan vlan-id] vlan-id - VLAN ID (Range: 1-4094) Default Setting Displays multicast router ports for all configured VLANs. Command Mode Privileged Exec Command Usage...
  • Page 769: Igmp Filtering And Throttling Commands

    Multicast Filtering Commands IGMP Filtering and Throttling Commands In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan. The IGMP filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port, and IGMP throttling limits the number of simultaneous multicast groups a port can join.
  • Page 770: Ip Igmp Profile

    Command Line Interface • The IGMP filtering feature operates in the same manner when MVR is used to forward multicast traffic. Example ip igmp profile This command creates an IGMP filter profile number and enters IGMP profile configuration mode. Use the no form to delete a profile number. Syntax [no] ip igmp profile profile-number profile-number - An IGMP filter profile number.
  • Page 771: Range

    Multicast Filtering Commands mode is set to deny, IGMP join reports are only processed when a multicast group is not in the controlled range. Example range This command specifies multicast group addresses for a profile. Use the no form to delete addresses from a profile.
  • Page 772: Ip Igmp Max-Groups

    Command Line Interface Command Usage • The IGMP filtering profile must first be created with the ip igmp profile command before being able to assign it to an interface. • Only one profile can be assigned to an interface. • A profile can also be assigned to a trunk interface. When ports are configured as trunk members, the trunk uses the filtering profile assigned to the first port member in the trunk.
  • Page 773: Ip Igmp Max-Groups Action

    Multicast Filtering Commands ip igmp max-groups action This command sets the IGMP throttling action for an interface on the switch. Syntax ip igmp max-groups action {replace | deny} • replace - The new multicast group replaces an existing group. • deny - The new multicast group join report is dropped. Default Setting Deny Command Mode...
  • Page 774: Show Ip Igmp Profile

    Command Line Interface Example Console#show ip igmp filter IGMP filter enabled Console#show ip igmp filter interface ethernet 1/1 Ethernet 1/1 information --------------------------------- IGMP Profile 19 Deny range 239.1.1.1 239.1.1.1 range 239.2.3.1 239.2.3.100 Console# show ip igmp profile This command displays IGMP filtering profiles created on the switch. Syntax show ip igmp profile [profile-number] profile-number - An existing IGMP filter profile number.
  • Page 775: Multicast Vlan Registration Commands

    Multicast Filtering Commands Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays all interfaces. Example Console#show ip igmp throttle interface ethernet 1/1 1/1 Information Status : TRUE Action : Deny Max Multicast Groups : 32 Current Multicast Groups : 0 Console# Multicast VLAN Registration Commands...
  • Page 776: Mvr (Global Configuration)

    Command Line Interface This command enables Multicast VLAN Registration (MVR) globally on the switch, statically configures MVR multicast group IP address(es) using the group keyword, specifies the MVR VLAN identifier using the vlan keyword, or permits the use of tagged multicast traffic using the receiver-group and receiver-vlan attributes. Use the no form of this command without any keywords to globally disable MVR, the no form with the group keyword to remove a specific address or range of addresses, the no form with the vlan keyword to restore the default MVR VLAN, the no form with...
  • Page 777 Multicast Filtering Commands • MVR source ports can be configured as members of the MVR VLAN using the switchport allowed vlan command (page 4-310) and switchport native vlan command (page 4-309), but MVR receiver ports should not be statically configured as members of this VLAN. •...
  • Page 778: Mvr (Interface Configuration)

    Command Line Interface This command configures an interface as an MVR receiver or source port using the type keyword, enables immediate leave capability using the immediate keyword, configures an interface as a static member of the MVR VLAN using the group keyword, or as a static member of the MVR Receiver VLAN using the static-receiver-group keyword.
  • Page 779 Multicast Filtering Commands • One or more interfaces may be configured as MVR source ports. A source port is able to both receive and send data for multicast groups which it has joined through IGMP snooping or which have been statically assigned using the group keyword.
  • Page 780: Show Mvr

    Command Line Interface show mvr This command shows information about the global MVR configuration settings when entered without any keywords, the interfaces attached to the MVR VLAN using the interface keyword, the multicast groups assigned to the MVR VLAN using the members keyword, or the interfaces assigned to MVR receiver groups using the receiver-group members keyword.
  • Page 781: Table 4-100 Show Mvr Interface - Display Description

    Multicast Filtering Commands Table 4-99 show mvr - display description Field Description MVR Status Shows if MVR is globally enabled on the switch. MVR Running Status Indicates whether or not all necessary conditions in the MVR environment are satisfied. MVR Multicast VLAN Shows the VLAN used to transport all MVR multicast traffic.
  • Page 782: Table 4-101 Show Mvr Members - Display Description

    Command Line Interface The following shows information about the interfaces associated with multicast groups assigned to the MVR VLAN: Console#show mvr members MVR Group IP Status Receiver VLAN Members ---------------- -------- ------------- ------- 225.0.0.1 ACTIVE VLAN2 eth1/1(d), eth1/2(s) 225.0.0.2 INACTIVE None None 225.0.0.3...
  • Page 783: Domain Name Service Commands

    Domain Name Service Commands Domain Name Service Commands These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation.
  • Page 784: Clear Host

    Command Line Interface Command Usage Servers or other network devices may support one or more connections via multiple IP addresses. If more than one IP address is associated with a host name using this command, a DNS client can try each address in succession, until it establishes a connection with the target device.
  • Page 785: Ip Domain-List

    Domain Name Service Commands Default Setting None Command Mode Global Configuration Example Console(config)#ip domain-name sample.com Console(config)#end Console#show dns Domain Lookup Status: DNS disabled Default Domain Name: .sample.com Domain Name List: Name Server List: Console# Related Commands ip domain-list (4-407) ip name-server (4-408) ip domain-lookup (4-409) This command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted...
  • Page 786: Ip Name-Server

    Command Line Interface Example This example adds two domain names to the current list and then displays the list. Console(config)#ip domain-list sample.com.jp Console(config)#ip domain-list sample.com.uk Console(config)#end Console#show dns Domain Lookup Status: DNS disabled Default Domain Name: .sample.com Domain Name List: .sample.com.jp .sample.com.uk Name Server List:...
  • Page 787: Ip Domain-Lookup

    Domain Name Service Commands Example This example adds two domain-name servers to the list and then displays the list. Console(config)#ip name-server 192.168.1.55 10.1.0.55 Console(config)#end Console#show dns Domain Lookup Status: DNS disabled Default Domain Name: .sample.com Domain Name List: .sample.com.jp .sample.com.uk Name Server List: 192.168.1.55 10.1.0.55...
  • Page 788: Show Hosts

    Command Line Interface Related Commands ip domain-name (4-406) ip name-server (4-408) This command displays the static host name-to-address mapping table. Command Mode Privileged Exec Example Note that a host name will be displayed as an alias if it is mapped to the same address(es) as a previously configured entry.
  • Page 789: Show Dns Cache

    Domain Name Service Commands This command displays entries in the DNS cache. Command Mode Privileged Exec Example Console#show dns cache FLAG TYPE DOMAIN Address www.times.com 199.239.136.200 Address a1116.x.akamai.net 61.213.189.120 Address a1116.x.akamai.net 61.213.189.104 CNAME graphics8.nytimes.com POINTER TO:2 CNAME graphics478.nytimes.com.edgesui 19 POINTER TO:2 Console# Table 4-104 show dns cache - display description Field...
  • Page 790: Ip Interface Commands

    Command Line Interface IP Interface Commands An IP address may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on.
  • Page 791: Ip Default-Gateway

    IP Interface Commands • If you select the bootp or dhcp option, IP is enabled but will not function until a BOOTP or DHCP reply has been received. Requests will be broadcast periodically by this device in an effort to learn its IP address. (BOOTP and DHCP values can include the IP address, default gateway, and subnet mask).
  • Page 792: Ip Dhcp Restart

    Command Line Interface Related Commands show ip redirects (4-415) ip dhcp restart This command submits a BOOTP or DHCP client request. Default Setting None Command Mode Privileged Exec Command Usage • This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command.
  • Page 793: Show Ip Redirects

    IP Interface Commands Related Commands show ip redirects (4-415) show ip redirects This command shows the default gateway configured for this device. Command Mode Privileged Exec Example Console#show ip redirects IP default gateway 10.1.0.254 Console# Related Commands ip default-gateway (4-413) show arp This command displays the Address Resolution Protocol cache.
  • Page 794 Command Line Interface • count - Number of packets to send. (Range: 1-16) • size - Number of bytes in a packet. (Range: 32-512) The actual packet size will be eight bytes larger than the size specified because the router adds header information. Default Setting count: 5 size: 32...
  • Page 795: Appendix A: Software Specifications

    Appendix A: Software Specifications Software Features Authentication and General Security Measures Local, RADIUS, TACACS, Port (802.1X, MAC Authentication, Web Authentication), AAA, HTTPS, SSH, Port Security, IP Filter, ARP Inspection, DHCP Snooping, IP Source Guard Access Control Lists IP, MAC; 1000 rules per system DHCP Client Port Configuration 100BASE-BX: 100 Mbps full duplex...
  • Page 796: Management Features

    Software Specifications Multicast Filtering IGMP Snooping (Layer 2) Multicast VLAN Registration Quality of Service DiffServ supports class maps, policy maps, and service policies Additional Features BOOTP client SNTP (Simple Network Time Protocol) SNMP (Simple Network Management Protocol) RMON (Remote Monitoring, groups 1,2,3,9) SMTP Email Alerts DHCP Snooping IP Source Guard...
  • Page 797: Management Information Bases

    Management Information Bases IEEE 802.3-2005 Ethernet, Fast Ethernet, Gigabit Ethernet Link Aggregation Control Protocol (LACP) Full-duplex flow control (ISO/IEC 8802-3) IEEE 802.3ac VLAN tagging DHCP Client (RFC 2131) DHCP Options (RFC 2132) FTP (RFC 959) HTTPS IGMP (RFC 1112) IGMPv2 (RFC 2236) IGMPv3 (RFC 3376) - partial support RADIUS+ (RFC 2618) RMON (RFC 2819 groups 1,2,3,9)
  • Page 798 Software Specifications SNMPv2 IP MIB (RFC 2011) SNMP Community MIB (RFC 3584) SNMP Framework MIB (RFC 3411) SNMP-MPD MIB (RFC 3412) SNMP Target MIB, SNMP Notification MIB (RFC 3413) SNMP User-Based SM MIB (RFC 3414) SNMP View Based ACM MIB (RFC 3415) TACACS+ Authentication Client MIB TCP MIB (RFC 2012) Trap (RFC 1215)
  • Page 799: Appendix B: Troubleshooting

    Appendix B: Troubleshooting Problems Accessing the Management Interface Table B-1 Troubleshooting Chart
    Symptom: Cannot connect using Telnet, web browser, or SNMP software
    Action:
    • Be sure the switch is powered up.
    • Check network cabling between the management station and the switch.
    •...
  • Page 800: Using System Logs

    Troubleshooting Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
  • Page 801: Glossary

    Glossary Access Control List (ACL) ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Boot Protocol (BOOTP) BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device's system files, and the name of the boot file.
  • Page 802 Glossary DHCP Option 82 A relay option for sending information about the requesting client (or an intermediate relay agent) in the DHCP request packets forwarded by the switch and in reply packets sent back from the DHCP server. This information can be used by DHCP servers to assign fixed IP addresses, or set other services or policies for clients.
  • Page 803 Glossary IEEE 802.1D Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol. IEEE 802.1Q VLAN Tagging—Defines Ethernet frame tags which carry VLAN information. It allows switches to assign endstations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks.
  • Page 804 Glossary Internet Group Management Protocol A protocol through which hosts can register with their local router for multicast services. If there is more than one multicast switch/router on a given subnetwork, one of the devices is made the “querier” and assumes responsibility for keeping track of group membership.
  • Page 805 Glossary one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, also called a message digest. Multicast Switching A process whereby the switch filters incoming multicast frames for services for which no attached host has registered, or forwards them to all ports contained within the designated multicast VLAN group.
  • Page 806 Glossary Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. Data traffic on downlink ports can only be forwarded to, and from, uplink ports. QinQ Tunneling QinQ is designed for service providers carrying traffic for multiple customers across their networks.
  • Page 807 Glossary (SNTP) SNTP allows a device to set its internal clock based on periodic updates from a Network Time Protocol (NTP) server. Updates can be requested from a specific NTP server, or can be received via broadcasts sent by NTP servers. (STA) A technology that checks your network for any loops.
  • Page 808 Glossary A protocol used to transfer files between devices. Data is grouped in 128-byte blocks and error-corrected. Glossary-8...
  • Page 818 SMC6128PL2 SMC6152PL2 149100000007A R01...
