Edge-Core ECS3510-10PD Management Manual

10-Port Layer 2
Management Guide
Fast Ethernet Switch
www.edge-core.com

Summary of Contents for Edge-Core ECS3510-10PD

  • Page 1 10-Port Layer 2 Management Guide Fast Ethernet Switch www.edge-core.com...
  • Page 3 MANAGEMENT GUIDE ECS3510-10PD FAST ETHERNET SWITCH Layer 2 Switch with 8 10/100BASE-TX (RJ-45) Ports, and 2 Gigabit Combination Ports (RJ-45/SFP) ECS3510-10PD E032014/ST-R03 149100000179A...
  • Page 5: About This Guide

    ABOUT THIS GUIDE PURPOSE This guide gives specific information on how to operate and use the management functions of the switch. AUDIENCE The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
  • Page 6 ABOUT THIS GUIDE REVISION HISTORY This section summarizes the changes in each revision of this guide. MARCH 2014 RELEASE This is the third release of this guide. This guide is valid for software release v1.4.2.1. It includes the following changes: Added the command "clock timezone-predefined"...
  • Page 7 ABOUT THIS GUIDE ◆ Updated parameter list under "Configuring Port Security" on page 387. ◆ Added the section "IPv6 Source Guard" on page 409. ◆ Updated parameter list under "DHCP Snooping Configuration" on page 418 and "Configuring Ports for DHCP Snooping" on page 420.
  • Page 8 ABOUT THIS GUIDE ◆ Added the command "terminal" on page 747. ◆ Added UDP port parameter for the command "logging host" on page 751. ◆ Added the command "clock summer-time (date)" on page 766, "clock summer-time (predefined)" on page 768, and "clock summer-time (recurring)"...
  • Page 9 ABOUT THIS GUIDE ◆ Added the commands "discard" on page 985 and "show discard" on page 991. ◆ Added the commands "transceiver-monitor" on page 996, "transceiver-threshold-auto" on page 996, "transceiver-threshold current" on page 997, "transceiver-threshold rx-power" on page 998, "transceiver-threshold temperature" on page 999, "transceiver-threshold tx-power"...
  • Page 10 ABOUT THIS GUIDE ◆ Updated display text for the command “show mvr statistics query” on page 1278, and “show mvr statistics summary” on page 1278. ◆ Added the section "MVR for IPv6" on page 1283. ◆ Added commands "clear efm oam event-log" on page 1374, "efm oam ...
  • Page 11: Table Of Contents

    CONTENTS ABOUT THIS GUIDE CONTENTS FIGURES TABLES SECTION I GETTING STARTED INTRODUCTION Key Features Description of Software Features System Defaults INITIAL SWITCH CONFIGURATION Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Disabling PSE Check for Network Connections Setting an IP Address Downloading a Configuration File Referenced by a DHCP Server Enabling SNMP Management Access...
  • Page 12 CONTENTS Navigating the Web Browser Interface Home Page Configuration Options Panel Display Main Menu BASIC MANAGEMENT TASKS Displaying System Information Displaying Hardware/Software Versions Configuring Support for Jumbo Frames Displaying Bridge Extension Capabilities Managing System Files Copying Files via FTP/TFTP or HTTP Saving the Running Configuration to a Local File Setting the Start-Up File Showing System Files...
  • Page 13 CONTENTS Configuring Transceiver Thresholds Performing Cable Diagnostics Performing Cable Diagnostics Trunk Configuration Configuring a Static Trunk Configuring a Dynamic Trunk Displaying LACP Port Counters Displaying LACP Settings and Status for the Local Side Displaying LACP Settings and Status for the Remote Side Configuring Load Balancing Saving Power Traffic Segmentation...
  • Page 14 CONTENTS Configuring MAC Address Mirroring SPANNING TREE ALGORITHM Overview Configuring Loopback Detection Configuring Global Settings for STA Displaying Global Settings for STA Configuring Interface Settings for STA Displaying Interface Settings for STA Configuring Multiple Spanning Trees Configuring Interface Settings for MSTP CONGESTION CONTROL Rate Limiting...
  • Page 15 CONTENTS 13 SECURITY MEASURES AAA Authentication, Authorization and Accounting Configuring Local/Remote Logon Authentication Configuring Remote Logon Authentication Servers Configuring AAA Accounting Configuring AAA Authorization Configuring User Accounts Web Authentication Configuring Global Settings for Web Authentication Configuring Interface Settings for Web Authentication Network Access (MAC Address Authentication) Configuring Global Settings for Network Access Configuring Network Access for Ports...
  • Page 16 CONTENTS ARP Inspection Configuring Global Settings for ARP Inspection Configuring VLAN Settings for ARP Inspection Configuring Interface Settings for ARP Inspection Displaying ARP Inspection Statistics Displaying the ARP Inspection Log Filtering IP Addresses for Management Access Configuring Port Security Configuring 802.1X Port Authentication Configuring 802.1X Global Settings Configuring Port Authenticator Settings for 802.1X Configuring Port Supplicant Settings for 802.1X...
  • Page 17 CONTENTS Displaying LLDP Local Device Information Displaying LLDP Remote Device Information Displaying Device Statistics Power over Ethernet Configuring the Power Source Check Simple Network Management Protocol Configuring Global Settings for SNMP Setting the Local Engine ID Specifying a Remote Engine ID Setting SNMPv3 Views Configuring SNMPv3 Groups Setting Community Access Strings...
  • Page 18 CONTENTS Configuring Remote Maintenance End Points Transmitting Link Trace Messages Transmitting Loop Back Messages Transmitting Delay-Measure Requests Displaying Local MEPs Displaying Details for Local MEPs Displaying Local MIPs Displaying Remote MEPs Displaying Details for Remote MEPs Displaying the Link Trace Cache Displaying Fault Notification Settings Displaying Continuity Check Errors OAM Configuration...
  • Page 19 CONTENTS 16 IP SERVICES Domain Name Service Configuring General DNS Service Parameters Configuring a List of Domain Names Configuring a List of Name Servers Configuring Static DNS Host to Address Entries Displaying the DNS Cache Dynamic Host Configuration Protocol Specifying a DHCP Client Identifier Configuring DHCP Relay Service Configuring the PPPoE Intermediate Agent...
  • Page 20 CONTENTS Configuring MVR Domain Settings Configuring MVR Group Address Profiles Configuring MVR Interface Status Assigning Static MVR Multicast Groups to Interfaces Displaying MVR Receiver Groups Displaying MVR Statistics Multicast VLAN Registration for IPv6 Configuring MVR6 Global Settings Configuring MVR6 Domain Settings Configuring MVR6 Group Address Profiles Configuring MVR6 Interface Status Assigning Static MVR6 Multicast Groups to Interfaces...
  • Page 21 CONTENTS reload (Global Configuration) enable quit show history configure disable reload (Privileged Exec) show reload exit 20 SYSTEM MANAGEMENT COMMANDS Device Designation hostname Banner Information banner configure banner configure company banner configure dc-power-info banner configure department banner configure equipment-info banner configure equipment-location banner configure ip-lan banner configure lp-number...
  • Page 22 CONTENTS show watchdog watchdog software Frame Size jumbo frame File Management General Commands boot system copy delete whichboot Automatic Code Upgrade Commands upgrade opcode auto upgrade opcode path upgrade opcode reload show upgrade TFTP Configuration Commands ip tftp retry ip tftp timeout show ip tftp Line line...
  • Page 23 CONTENTS Event Logging logging facility logging history logging host logging on logging trap clear log show log show logging SMTP Alerts logging sendmail logging sendmail host logging sendmail level logging sendmail destination-email logging sendmail source-email show logging sendmail Time SNTP Commands sntp client sntp poll sntp server...
  • Page 24 CONTENTS Time Range time-range absolute periodic show time-range Switch Clustering cluster cluster commander cluster ip-pool cluster member rcommand show cluster show cluster members show cluster candidates Powered Device power-source-check show power-source-check show power-source-status 21 SNMP COMMANDS General SNMP Commands snmp-server snmp-server community snmp-server contact...
  • Page 25 CONTENTS show snmp group show snmp user show snmp view Notification Log Commands snmp-server notify-filter show nlm oper-status show snmp notify-filter Additional Trap Commands memory process cpu 22 REMOTE MONITORING COMMANDS rmon alarm rmon event rmon collection history rmon collection rmon1 show rmon alarms show rmon events show rmon history...
  • Page 26 CONTENTS show radius-server TACACS+ Client tacacs-server host tacacs-server key tacacs-server port tacacs-server retransmit tacacs-server timeout show tacacs-server aaa accounting commands aaa accounting dot1x aaa accounting exec aaa accounting update aaa authorization exec aaa group server server accounting dot1x accounting commands accounting exec authorization exec show accounting...
  • Page 27 CONTENTS delete public-key ip ssh crypto host-key generate ip ssh crypto zeroize ip ssh save host-key show ip ssh show public-key show ssh 802.1X Port Authentication General Commands dot1x default dot1x eapol-pass-through dot1x system-auth-control Authenticator Commands dot1x intrusion-action dot1x max-reauth-req dot1x max-req dot1x operation-mode dot1x port-control...
  • Page 28 CONTENTS PPPoE Intermediate Agent pppoe intermediate-agent pppoe intermediate-agent format-type pppoe intermediate-agent port-enable pppoe intermediate-agent port-format-type pppoe intermediate-agent trust pppoe intermediate-agent vendor-tag strip clear pppoe intermediate-agent statistics show pppoe intermediate-agent info show pppoe intermediate-agent statistics 24 GENERAL SECURITY MEASURES Port Security mac-learning port security port security mac-address-as-permanent...
  • Page 29 CONTENTS Web Authentication web-auth login-attempts web-auth quiet-period web-auth session-timeout web-auth system-auth-control web-auth web-auth re-authenticate (Port) web-auth re-authenticate (IP) show web-auth show web-auth interface show web-auth summary DHCPv4 Snooping ip dhcp snooping ip dhcp snooping information option ip dhcp snooping information policy ip dhcp snooping limit rate ip dhcp snooping verify mac-address ip dhcp snooping vlan...
  • Page 30 CONTENTS show ipv6 dhcp snooping statistics IPv4 Source Guard ip source-guard binding ip source-guard ip source-guard max-binding ip source-guard mode clear ip source-guard binding blocked show ip source-guard show ip source-guard binding IPv6 Source Guard ipv6 source-guard binding ipv6 source-guard ipv6 source-guard max-binding show ipv6 source-guard show ipv6 source-guard binding...
  • Page 31 CONTENTS dos-protection win-nuke show dos-protection Port-based Traffic Segmentation traffic-segmentation traffic-segmentation session traffic-segmentation uplink/downlink traffic-segmentation uplink-to-uplink show traffic-segmentation 25 ACCESS CONTROL LISTS IPv4 ACLs access-list ip permit, deny (Standard IP ACL) permit, deny (Extended IPv4 ACL) ip access-group show ip access-group show ip access-list IPv6 ACLs access-list ipv6...
  • Page 32 CONTENTS show access-list 26 INTERFACE COMMANDS Interface Configuration interface alias capabilities description discard flowcontrol media-type negotiation shutdown speed-duplex clear counters show discard show interfaces brief show interfaces counters show interfaces status show interfaces switchport Transceiver Threshold Configuration transceiver-monitor transceiver-threshold-auto transceiver-threshold current transceiver-threshold rx-power transceiver-threshold temperature...
  • Page 33 CONTENTS 27 LINK AGGREGATION COMMANDS 1009 Manual Configuration Commands 1010 port channel load-balance 1010 channel-group 1012 Dynamic Configuration Commands 1012 lacp 1012 lacp admin-key (Ethernet Interface) 1014 lacp port-priority 1015 lacp system-priority 1016 lacp admin-key (Port Channel) 1016 lacp timeout 1017 Trunk Status Display Commands 1018...
  • Page 34 CONTENTS auto-traffic-control alarm-clear-threshold 1043 auto-traffic-control alarm-fire-threshold 1044 auto-traffic-control auto-control-release 1045 auto-traffic-control control-release 1045 SNMP Trap Commands 1046 snmp-server enable port-traps atc broadcast-alarm-clear 1046 snmp-server enable port-traps atc broadcast-alarm-fire 1046 snmp-server enable port-traps atc broadcast-control-apply 1047 snmp-server enable port-traps atc broadcast-control-release 1047 snmp-server enable port-traps atc multicast-alarm-clear 1048...
  • Page 35 CONTENTS 33 SPANNING TREE COMMANDS 1071 spanning-tree 1072 spanning-tree cisco-prestandard 1073 spanning-tree forward-time 1073 spanning-tree hello-time 1074 spanning-tree max-age 1075 spanning-tree mode 1075 spanning-tree pathcost method 1077 spanning-tree priority 1077 spanning-tree mst configuration 1078 spanning-tree system-bpdu-flooding 1079 spanning-tree transmission-limit 1079 max-hops 1080 mst priority...
  • Page 36 CONTENTS show spanning-tree mst configuration 1098 34 ERPS COMMANDS 1099 erps 1101 erps domain 1101 control-vlan 1102 enable 1103 guard-timer 1104 holdoff-timer 1104 major-domain 1105 meg-level 1106 mep-monitor 1106 node-id 1107 non-erps-dev-protect 1108 non-revertive 1109 propagate-tc 1113 raps-def-mac 1114 raps-without-vc 1114 ring-port...
  • Page 37 CONTENTS Editing VLAN Groups 1137 vlan database 1137 vlan 1138 Configuring VLAN Interfaces 1139 interface vlan 1139 switchport acceptable-frame-types 1140 switchport allowed vlan 1140 switchport ingress-filtering 1141 switchport mode 1142 switchport native vlan 1143 vlan-trunking 1144 Displaying VLAN Information 1145 show vlan 1145 Configuring IEEE 802.1Q Tunneling...
  • Page 38 CONTENTS voice vlan aging 1166 voice vlan mac-address 1166 switchport voice vlan 1167 switchport voice vlan priority 1168 switchport voice vlan rule 1169 switchport voice vlan security 1169 show voice vlan 1170 36 CLASS OF SERVICE COMMANDS 1173 Priority Commands (Layer 2) 1173 queue mode 1174...
  • Page 39 CONTENTS service-policy 1202 show class-map 1203 show policy-map 1203 show policy-map interface 1204 38 MULTICAST FILTERING COMMANDS 1205 IGMP Snooping 1206 ip igmp snooping 1207 ip igmp snooping priority 1208 ip igmp snooping proxy-reporting 1208 ip igmp snooping querier 1209 ip igmp snooping router-alert-option-check 1209...
  • Page 40 CONTENTS IGMP Filtering and Throttling 1229 ip igmp filter (Global Configuration) 1230 ip igmp profile 1231 permit, deny 1231 range 1232 ip igmp authentication 1232 ip igmp filter (Interface Configuration) 1234 ip igmp max-groups 1235 ip igmp max-groups action 1235 ip igmp query-drop 1236 ip multicast-data-drop...
  • Page 41 CONTENTS MLD Filtering and Throttling 1251 ipv6 mld filter (Global Configuration) 1252 ipv6 mld profile 1253 permit, deny 1253 range 1254 ipv6 mld filter (Interface Configuration) 1254 ipv6 mld max-groups 1255 ipv6 mld max-groups action 1256 ipv6 mld query-drop 1256 ipv6 multicast-data-drop 1257 show ipv6 mld filter...
  • Page 42 CONTENTS show mvr profile 1278 show mvr statistics 1278 MVR for IPv6 1283 mvr6 associated-profile 1284 mvr6 domain 1285 mvr6 profile 1285 mvr6 proxy-query-interval 1286 mvr6 proxy-switching 1287 mvr6 robustness-value 1288 mvr6 source-port-mode dynamic 1289 mvr6 upstream-source-ip 1289 mvr6 vlan 1290 mvr6 immediate-leave 1291...
  • Page 43 CONTENTS lldp basic-tlv system-name 1312 lldp dot1-tlv proto-ident 1312 lldp dot1-tlv proto-vid 1313 lldp dot1-tlv pvid 1313 lldp dot1-tlv vlan-name 1314 lldp dot3-tlv link-agg 1314 lldp dot3-tlv mac-phy 1315 lldp dot3-tlv max-frame 1315 lldp med-location civic-addr 1316 lldp med-notification 1317 lldp med-tlv inventory 1318 lldp med-tlv location...
  • Page 44 CONTENTS show ethernet cfm maintenance-points local detail mep 1343 show ethernet cfm maintenance-points remote detail 1345 Continuity Check Operations 1347 ethernet cfm cc ma interval 1347 ethernet cfm cc enable 1348 snmp-server enable traps ethernet cfm cc 1349 mep archive-hold-time 1350 clear ethernet cfm maintenance-points remote 1350...
  • Page 45 CONTENTS efm oam link-monitor frame threshold 1372 efm oam link-monitor frame window 1372 efm oam mode 1373 clear efm oam counters 1374 clear efm oam event-log 1374 efm oam remote-loopback 1375 efm oam remote-loopback test 1376 show efm oam counters interface 1377 show efm oam event-log interface 1377...
  • Page 46 CONTENTS ip dhcp relay information option 1398 ip dhcp relay information policy 1401 show ip dhcp relay 1402 44 IP INTERFACE COMMANDS 1403 IPv4 Interface 1403 Basic IPv4 Configuration 1404 ip address 1404 ip default-gateway 1406 show ip default-gateway 1406 show ip interface 1407...
  • Page 47 CONTENTS ipv6 nd raguard 1435 ipv6 nd reachable-time 1436 clear ipv6 neighbors 1437 show ipv6 nd raguard 1437 show ipv6 neighbors 1437 ND Snooping 1439 ipv6 nd snooping 1440 ipv6 nd snooping auto-detect 1441 ipv6 nd snooping auto-detect retransmit count 1442 ipv6 nd snooping auto-detect retransmit interval 1442...
  • Page 49: Figures

    FIGURES Figure 1: Home Page Figure 2: Front Panel Indicators Figure 3: System Information Figure 4: General Switch Information Figure 5: Configuring Support for Jumbo Frames Figure 6: Displaying Bridge Extension Configuration Figure 7: Copy Firmware Figure 8: Saving the Running Configuration Figure 9: Setting Start-Up Files Figure 10: Displaying System Files Figure 11: Configuring Automatic Code Upgrade...
  • Page 50 FIGURES Figure 32: Configuring Local Port Mirroring Figure 33: Configuring Local Port Mirroring Figure 34: Displaying Local Port Mirror Sessions Figure 35: Configuring Remote Port Mirroring Figure 36: Configuring Remote Port Mirroring (Source) Figure 37: Configuring Remote Port Mirroring (Intermediate) Figure 38: Configuring Remote Port Mirroring (Destination) Figure 39: Showing Port Statistics (Table) Figure 40: Showing Port Statistics (Chart)
  • Page 51 FIGURES Figure 68: Using GVRP Figure 69: Creating Static VLANs Figure 70: Modifying Settings for Static VLANs Figure 71: Showing Static VLANs Figure 72: Configuring Static Members by VLAN Index Figure 73: Configuring Static VLAN Members by Interface Figure 74: Configuring Static VLAN Members by Interface Range Figure 75: Configuring Global Status of GVRP Figure 76: Configuring GVRP for an Interface Figure 77: Showing Dynamic VLANs Registered on the Switch...
  • Page 52 FIGURES Figure 104: Spanning Tree – Common Internal, Common, Internal Figure 105: Configuring Port Loopback Detection Figure 106: Configuring Global Settings for STA (STP) Figure 107: Configuring Global Settings for STA (RSTP) Figure 108: Configuring Global Settings for STA (MSTP) Figure 109: Displaying Global Settings for STA Figure 110: Configuring Interface Settings for STA Figure 111: STA Port Roles...
  • Page 53 FIGURES Figure 140: Adding Rules to a Class Map Figure 141: Showing the Rules for a Class Map Figure 142: Configuring a Policy Map Figure 143: Showing Policy Maps Figure 144: Adding Rules to a Policy Map Figure 145: Showing the Rules for a Policy Map Figure 146: Attaching a Policy Map to a Port Figure 147: Configuring a Voice VLAN Figure 148: Configuring an OUI Telephony List...
  • Page 54 FIGURES Figure 176: Configuring a MAC Address Filter for Network Access Figure 177: Showing the MAC Address Filter Table for Network Access Figure 178: Showing Addresses Authenticated for Network Access Figure 179: Configuring HTTPS Figure 180: Downloading the Secure-Site Certificate Figure 181: Configuring the SSH Server Figure 182: Generating the SSH Host Key Pair Figure 183: Showing the SSH Host Key Pair...
  • Page 55 FIGURES Figure 212: Configuring Global Settings for 802.1X Port Authentication Figure 213: Configuring Interface Settings for 802.1X Port Authenticator Figure 214: Configuring Interface Settings for 802.1X Port Supplicant Figure 215: Showing Statistics for 802.1X Port Authenticator Figure 216: Showing Statistics for 802.1X Port Supplicant Figure 217: Protecting Against DoS Attacks Figure 218: Setting the Filter Type for IPv4 Source Guard Figure 219: Configuring Static Bindings for IPv4 Source Guard...
  • Page 56 FIGURES Figure 248: Configuring the Local Engine ID for SNMP Figure 249: Configuring a Remote Engine ID for SNMP Figure 250: Showing Remote Engine IDs for SNMP Figure 251: Creating an SNMP View Figure 252: Showing SNMP Views Figure 253: Adding an OID Subtree to an SNMP View Figure 254: Showing the OID Subtree Configured for SNMP Views Figure 255: Creating an SNMP Group Figure 256: Showing SNMP Groups...
  • Page 57 FIGURES Figure 284: Managing a Cluster Member Figure 285: ERPS Ring Components Figure 286: Ring Interconnection Architecture (Multi-ring/Ladder Network) Figure 287: Setting ERPS Global Status Figure 288: Sub-ring with Virtual Channel Figure 289: Sub-ring without Virtual Channel Figure 290: Creating an ERPS Ring Figure 291: Creating an ERPS Ring Figure 292: Showing Configured ERPS Rings Figure 293: Blocking an ERPS Ring Port...
  • Page 58 FIGURES Figure 320: Displaying Statistics for OAM Messages Figure 321: Displaying the OAM Event Log Figure 322: Displaying Status of Remote Interfaces Figure 323: Running a Remote Loop Back Test Figure 324: Displaying the Results of Remote Loop Back Testing Figure 325: Pinging a Network Device Figure 326: Tracing the Route to a Network Device Figure 327: Setting the ARP Timeout...
  • Page 59 FIGURES Figure 356: Showing PPPoE Intermediate Agent Statistics Figure 357: Multicast Filtering Concept Figure 358: Configuring General Settings for IGMP Snooping Figure 359: Configuring a Static Interface for a Multicast Router Figure 360: Showing Static Interfaces Attached to a Multicast Router Figure 361: Showing Current Interfaces Attached to a Multicast Router Figure 362: Assigning an Interface to a Multicast Service Figure 363: Showing Static Interfaces Assigned to a Multicast Service...
  • Page 60 FIGURES Figure 392: Assigning an MVR Group Address Profile to a Domain Figure 393: Showing the MVR Group Address Profiles Assigned to a Domain Figure 394: Configuring Interface Settings for MVR Figure 395: Assigning Static MVR Groups to a Port Figure 396: Showing the Static MVR Groups Assigned to a Port Figure 397: Displaying MVR Receiver Groups Figure 398: Displaying MVR Statistics –...
  • Page 61: Tables

    TABLES Table 1: Key Features Table 2: System Defaults Table 3: Options 60, 66 and 67 Statements Table 4: Options 55 and 124 Statements Table 5: Web Page Configuration Buttons Table 6: Switch Main Menu Table 7: Port Statistics Table 8: LACP Port Counters Table 9: LACP Internal Configuration Information Table 10: LACP Remote Device Configuration Information Table 11: Traffic Segmentation Forwarding...
  • Page 62 TABLES Table 32: ERPS Request/State Priority Table 33: Remote MEP Priority Levels Table 34: MEP Defect Descriptions Table 35: OAM Operation State Table 36: OAM Operation State Table 37: Address Resolution Protocol Table 38: Show IPv6 Neighbors - display description Table 39: Show IPv6 Statistics - display description Table 40: Show MTU - display description Table 41: General Command Modes...
  • Page 63 TABLES Table 68: show snmp view - display description Table 69: RMON Commands Table 70: Authentication Commands Table 71: User Access Commands Table 72: Default Login Settings Table 73: Authentication Sequence Commands Table 74: RADIUS Client Commands Table 75: TACACS+ Client Commands Table 76: AAA Commands Table 77: Web Server Commands Table 78: HTTPS System Support...
  • Page 64 TABLES Table 104: MAC ACL Commands Table 105: ARP ACL Commands Table 106: ACL Information Commands Table 107: Interface Commands Table 108: show interfaces switchport - display description Table 109: Link Aggregation Commands 1009 Table 110: show lacp counters - display description 1019 Table 111: show lacp internal - display description 1019...
  • Page 65 TABLES Table 140: Protocol-based VLAN Commands 1157 Table 141: IP Subnet VLAN Commands 1161 Table 142: MAC Based VLAN Commands 1163 Table 143: Voice VLAN Commands 1164 Table 144: Priority Commands 1173 Table 145: Priority Commands (Layer 2) 1173 Table 146: Priority Commands (Layer 3 and 4) 1178 Table 147: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence 1179...
  • Page 66 TABLES Table 176: show mvr6 statistics query - display description 1301 Table 177: LLDP Commands 1303 Table 178: LLDP MED Location CA Types 1316 Table 179: CFM Commands 1327 Table 180: show ethernet cfm configuration traps - display description 1341 Table 181: show ethernet cfm maintenance-points local detail mep - display 1344 Table 182: show ethernet cfm maintenance-points remote detail - display...
  • Page 67: Section I

    SECTION I GETTING STARTED This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface. This section includes these chapters: ◆ "Introduction" on page 69 ...
  • Page 69: Key Features

    INTRODUCTION This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
  • Page 70: Description Of Software Features

    CHAPTER | Introduction Description of Software Features Table 1: Key Features (Continued) Feature Description Congestion Control Rate Limiting Throttling for broadcast, multicast, unknown unicast storms Random Early Detection Address Table 8K MAC addresses in the forwarding table, 1K static MAC addresses, 255 L2 multicast groups IP Version 4 and 6 Supports IPv4 and IPv6 addressing, and management...
  • Page 71 CHAPTER | Introduction Description of Software Features CONFIGURATION BACKUP AND RESTORE You can save the current configuration settings to a file on the management station (using the web interface) or an FTP/TFTP server (using the web or console interface), and later download this file to restore the switch configuration settings.
  • Page 72 CHAPTER | Introduction Description of Software Features TRUNKING Ports can be combined into an aggregate connection. Trunks can be manually set up or dynamically configured using Link Aggregation Control Protocol (LACP – IEEE 802.3-2005). The additional ports dramatically increase the throughput across any connection, and provide redundancy by taking over the load if a port in the trunk should fail.
  • Page 73 CHAPTER | Introduction Description of Software Features to ensure that only one route exists between any two stations on the network. This prevents the creation of network loops. However, if the chosen path should fail for any reason, an alternate path will be activated to maintain the connection.
  • Page 74 CHAPTER | Introduction Description of Software Features IEEE 802.1Q TUNNELING This feature is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
  • Page 75: System Defaults

    CHAPTER | Introduction System Defaults registration. It also supports Multicast VLAN Registration (MVR for IPv4 and MVR6 for IPv6) which allows common multicast traffic, such as television channels, to be transmitted across a single network-wide multicast VLAN shared by hosts residing in other standard or private VLAN groups, while preserving security and data isolation for normal traffic.
  • Page 76 CHAPTER | Introduction System Defaults Table 2: System Defaults (Continued) Function Parameter Default Authentication and Security Measures (continued) Web Authentication Disabled MAC Authentication Disabled PPPoE Intermediate Agent Disabled HTTPS Enabled Disabled Port Security Disabled IP Filtering Disabled DHCP Snooping Disabled DHCPv6 Snooping Disabled IP Source Guard...
  • Page 77 CHAPTER | Introduction System Defaults Table 2: System Defaults (Continued) Function Parameter Default Status Disabled Virtual LANs Default VLAN PVID Acceptable Frame Type Ingress Filtering Disabled Switchport Mode (Egress Mode) Hybrid GVRP (global) Disabled GVRP (port interface) Disabled QinQ Tunneling Disabled Traffic Prioritization Ingress Port Priority...
  • Page 79: Initial Switch Configuration

    INITIAL SWITCH CONFIGURATION This chapter includes information on connecting to the switch and basic configuration procedures. CONNECTING TO THE SWITCH The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface.
  • Page 80: Required Connections

    CHAPTER | Initial Switch Configuration Connecting to the Switch ◆ Control port access through IEEE 802.1X security or static address filtering ◆ Filter packets using Access Control Lists (ACLs) ◆ Configure up to 4094 IEEE 802.1Q VLANs ◆ Enable GVRP automatic VLAN registration ◆ ...
  • Page 81: Remote Connections

    CHAPTER | Initial Switch Configuration Connecting to the Switch ■ Set flow control to none. ■ Set the emulation mode to VT100. ■ When using HyperTerminal, select Terminal keys, not Windows keys. Once you have set up the terminal correctly, the console login screen will be displayed.
  • Page 82: Basic Configuration

    CHAPTER | Initial Switch Configuration Basic Configuration BASIC CONFIGURATION CONSOLE CONNECTION The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec). The commands available at the Normal Exec level are a limited subset of those available at the Privileged Exec level and allow you to only display information and use basic utilities.
  • Page 83: Disabling PSE Check For Network Connections

    CHAPTER | Initial Switch Configuration Basic Configuration
    Username: admin
    Password:
    CLI session with the ECS3510-10PD is opened.
    To end the CLI session, enter [Exit].
    Console#configure
    Console(config)#username guest password 0 [password]
    Console(config)#username admin password 0 [password]
    Console(config)#
    Disable the Power Source Equipment (PSE) check on Fast Ethernet ports...
  • Page 84 CHAPTER | Initial Switch Configuration Basic Configuration ASSIGNING AN ADDRESS Before you can assign an IP address to the switch, you must obtain the following information from your network administrator: ◆ IP address for the switch ◆ Network mask for this network ◆ Default gateway for the network ...
  • Page 85 CHAPTER | Initial Switch Configuration Basic Configuration To configure an IPv6 link local address for the switch, complete the following steps: From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>. Type “ipv6 address” followed by up to 8 colon-separated 16-bit hexadecimal values for the ipv6-address similar to that shown in the example, followed by the “link-local”...
  • Page 86 CHAPTER | Initial Switch Configuration Basic Configuration To generate an IPv6 global unicast address for the switch, complete the following steps: From the global configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>. From the interface prompt, type “ipv6 address ipv6-address” or “ipv6 address ipv6-address/prefix-length,”...
  • Page 87 CHAPTER | Initial Switch Configuration Basic Configuration DYNAMIC CONFIGURATION Obtaining an IPv4 Address If you select the “bootp” or “dhcp” option, the system will immediately start broadcasting service requests. IP will be enabled but will not function until a BOOTP or DHCP reply has been received. Requests are broadcast every few minutes using exponential backoff until IP configuration information is obtained from a BOOTP or DHCP server.
  • Page 88 CHAPTER | Initial Switch Configuration Basic Configuration
    Console(config)#interface vlan 1
    Console(config-if)#ip address dhcp
    Console(config-if)#end
    Console#show ip interface
    VLAN 1 is Administrative Up - Link Up
    Address is 00-12-CF-DA-FC-E8
    Index: 1001, MTU: 1500
    Address Mode is DHCP
    IP Address: 192.168.0.2 Mask: 255.255.255.0
    Console#copy running-config startup-config
    Startup configuration file name []: startup
    \Write to FLASH Programming.
  • Page 89: Downloading A Configuration File Referenced By A DHCP Server

    CHAPTER | Initial Switch Configuration | Basic Configuration. the local subnet address prefix received in router advertisement messages. (DHCP for IPv6 will also be supported in future software releases.) To dynamically generate an IPv6 host address for the switch, complete the following steps: From the Global Configuration mode prompt, type “interface vlan 1”...
  • Page 90: Table 3: Options 60, 66 And 67 Statements

    CHAPTER | Initial Switch Configuration | Basic Configuration. Note the following DHCP client behavior: ◆ The bootup configuration file received from a TFTP server is stored on the switch with the original file name. If this file name already exists in the switch, the file is overwritten.
  • Page 91: Enabling Snmp Management Access

    CHAPTER | Initial Switch Configuration | Basic Configuration. The following configuration examples are provided for a Linux-based DHCP daemon (dhcpd.conf file). In the “Vendor class” section, the server will always send Option 66 and 67 to tell the switch to download the “test” configuration file from server 192.168.255.101.
  • Page 92 CHAPTER | Initial Switch Configuration | Basic Configuration. “private” community string that provides read/write access to the entire MIB tree. However, you may assign new views to version 1 or 2c community strings that suit your specific security requirements (see "Setting SNMPv3 Views" on page 459).
  • Page 93: Managing System Files

    CHAPTER | Initial Switch Configuration | Managing System Files. where “host-address” is the IP address for the trap receiver, “community-string” specifies access rights for a version 1/2c host, or is the user name of a version 3 host, “version” indicates the SNMP client version, and “auth | noauth | priv”...
  • Page 94: Saving Or Restoring Configuration Settings

    CHAPTER | Initial Switch Configuration | Managing System Files. uploaded via FTP/TFTP to a server for backup. The file named “Factory_Default_Config.cfg” contains all the system default settings and cannot be deleted from the system. If the system is booted with the factory default settings, the switch will also create a file named “startup1.cfg”...
  • Page 95 CHAPTER | Initial Switch Configuration | Managing System Files. To save the current configuration settings, enter the following command: From the Privileged Exec mode prompt, type “copy running-config startup-config” and press <Enter>. Enter the name of the start-up file. Press <Enter>. Console#copy running-config startup-config Startup configuration file name []: startup \Write to FLASH Programming.
  • Page 96 CHAPTER | Initial Switch Configuration | Managing System Files...
  • Page 97: Ection

    SECTION | WEB CONFIGURATION. This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser. This section includes these chapters: ◆ "Using the Web Interface" on page 99 ◆ "Basic Management Tasks" on page 119...
  • Page 98 SECTION | Web Configuration...
  • Page 99: Using The Web Interface

    USING THE WEB INTERFACE. This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 6, Mozilla Firefox 4, or Google Chrome 29, or more recent versions).
  • Page 100: Navigating The Web Browser Interface

    System Information on the right side. The Main Menu links are used to navigate to other menus, and display configuration parameters and statistics. Figure 1: Home Page. You can open a connection to the vendor’s web site by clicking on the Edge-Core logo...
  • Page 101: Configuration Options

    CHAPTER | Using the Web Interface | Navigating the Web Browser Interface. CONFIGURATION OPTIONS: Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
  • Page 102: Main Menu

    CHAPTER | Using the Web Interface | Navigating the Web Browser Interface. Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 6: Switch Main Menu (Menu, Description, Page)...
  • Page 103 CHAPTER | Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued) (Menu, Description, Page): Interface > Port > General > Configure by Port List – Configures connection settings per port; Configure by Port Range – Configures connection settings for a range of ports; Show Information – Displays port connection status; Mirror...
  • Page 104 CHAPTER | Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued) (Menu, Description, Page): Neighbors – Displays configuration settings and operational state for the remote side of a link aggregation; Configure Trunk > Configure – Configures connection settings; Show – Displays port connection status; Show Member...
  • Page 105 CHAPTER | Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued) (Menu, Description, Page): Configure Interface – Maps a protocol group to a VLAN; Show – Shows the protocol groups mapped to each VLAN; IP Subnet – Maps IP subnet traffic to a VLAN; Show – Shows IP subnet to VLAN mapping...
  • Page 106 CHAPTER | Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued) (Menu, Description, Page): Show – Configures global settings for an MST instance; Add Member – Adds VLAN members for an MST instance; Show Member – Adds or deletes VLAN members for an MST instance; Show Information – Displays MSTP values used for the bridge; Configure Interface...
  • Page 107 CHAPTER | Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued) (Menu, Description, Page): Configure Policy – Creates a policy map to apply to multiple interfaces; Show – Shows configured policy maps; Modify – Modifies the name of a policy map; Add Rule – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic...
  • Page 108 CHAPTER | Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued) (Menu, Description, Page): Authorization – Enables authorization of requested services; Configure Method – Configures authorization for various service types; Show – Shows the authorization settings used for various service types; Configure Service – Sets the authorization method applied for the console port, and for Telnet...
  • Page 109 CHAPTER | Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued) (Menu, Description, Page): Access Control Lists > Configure Time Range – Configures the time to apply an ACL; Specifies the name of a time range; Show – Shows the name of configured time ranges; Add Rule...
  • Page 110 CHAPTER | Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued) (Menu, Description, Page): Static Binding – Adds a static address to the source-guard binding table; Show – Shows static addresses in the source-guard binding table; Dynamic Binding – Displays the source-guard binding table for a selected interface; IPv6 Source Guard...
  • Page 111 CHAPTER | Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued) (Menu, Description, Page): SNMP – Simple Network Management Protocol; Configure Global – Enables SNMP agent status, and sets related trap functions; Configure Engine > Set Engine ID – Sets the SNMP v3 engine ID on this switch; Add Remote Engine – Sets the SNMP v3 engine ID for a remote device...
  • Page 112 CHAPTER | Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued) (Menu, Description, Page): Configure Interface > History – Periodically samples statistics on a physical interface; Statistics – Enables collection of statistics on a physical interface; Show History – Shows sampling parameters for each entry in the history group; Statistics...
  • Page 113 CHAPTER | Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued) (Menu, Description, Page): Configure MEP – Configures Maintenance End Points; Configures MEPs at the domain boundary to provide management access for each maintenance association; Show – Shows list of configured maintenance end points; Configure Remote MEP...
  • Page 114 CHAPTER | Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued) (Menu, Description, Page): IPv6 Configuration > Configure Global – Sets an IPv6 default gateway for traffic with no known next hop; Configure Interface > VLAN – Configures IPv6 interface address using auto-configuration or link-local address, and sets related protocol settings; RA Guard – Blocks incoming Router Advertisement and Router Redirect...
  • Page 115 CHAPTER | Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued) (Menu, Description, Page): Configure VLAN – Enables DHCP snooping on a VLAN; Configure Interface – Sets the trust mode for an interface; Show Information – Displays the DHCP Snooping binding information; PPPoE Intermediate Agent > Configure Global – Enables PPPoE IA on the switch, sets access node identifier, sets...
  • Page 116 CHAPTER | Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued) (Menu, Description, Page): Configure Interface – Assigns IGMP filter profiles to port interfaces and sets throttling action; Statistics > Show Query Statistics – Shows statistics for query-related messages; Show VLAN Statistics – Shows statistics for protocol messages, number of active groups; Show Port Statistics...
  • Page 117 CHAPTER | Using the Web Interface | Navigating the Web Browser Interface. Table 6: Switch Main Menu (Continued) (Menu, Description, Page): Show Member – Shows the multicast groups assigned to an MVR VLAN, the source address of the multicast services, and the interfaces with active subscribers; Show Statistics > Show Query Statistics...
  • Page 118 CHAPTER | Using the Web Interface | Navigating the Web Browser Interface...
  • Page 119: Basic

    BASIC MANAGEMENT TASKS. This chapter describes the following topics: ◆ Displaying System Information – Provides basic system description, including contact information. ◆ Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions. ◆ Configuring Support for Jumbo Frames –...
  • Page 120: Displaying Hardware/Software Versions

    CHAPTER | Basic Management Tasks | Displaying Hardware/Software Versions. PARAMETERS: These parameters are displayed: ◆ System Description – Brief description of device type. ◆ System Object ID – MIB II object ID for switch’s network management subsystem. ◆ System Up Time – Length of time the management agent has been...
  • Page 121 CHAPTER | Basic Management Tasks | Displaying Hardware/Software Versions. PARAMETERS: The following parameters are displayed: Main Board Information: ◆ Serial Number – The serial number of the switch. ◆ Number of Ports – Number of built-in ports. ◆ Hardware Version – Hardware version of the main board. ◆ Main Power Status –...
  • Page 122: Configuring Support For Jumbo Frames

    CHAPTER | Basic Management Tasks | Configuring Support for Jumbo Frames. CONFIGURING SUPPORT FOR JUMBO FRAMES: Use the System > Capability page to configure support for layer 2 jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 10240 bytes for Gigabit Ethernet.
  • Page 123: Displaying Bridge Extension Capabilities

    CHAPTER | Basic Management Tasks | Displaying Bridge Extension Capabilities. DISPLAYING BRIDGE EXTENSION CAPABILITIES: Use the System > Capability page to display settings based on the Bridge MIB. The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.
  • Page 124: Managing System Files

    CHAPTER | Basic Management Tasks | Managing System Files. WEB INTERFACE: To view Bridge Extension information: Click System, then Capability. Figure 6: Displaying Bridge Extension Configuration. MANAGING SYSTEM FILES: This section describes how to upgrade the switch operating software or configuration files, and set the system start-up files. Use the System >...
  • Page 125 CHAPTER | Basic Management Tasks | Managing System Files. PARAMETERS: The following parameters are displayed: ◆ Copy Type – The firmware copy operation includes these options: ■ FTP Upload – Copies a file from an FTP server to the switch. ■ FTP Download – Copies a file from the switch to an FTP server...
  • Page 126: Saving The Running Configuration To A Local File

    CHAPTER | Basic Management Tasks | Managing System Files. If FTP Upload is used, enter the user name and password for your account on the FTP server. Set the file type to Operation Code. Enter the name of the file to download. Select a file on the switch to overwrite or specify a new file name.
  • Page 127: Setting The Start-Up File

    CHAPTER | Basic Management Tasks | Managing System Files. The maximum number of user-defined configuration files is limited only by available flash memory space. WEB INTERFACE: To save the running configuration file: Click System, then File. Select Copy from the Action list. Select Running-Config from the Copy Type list.
  • Page 128: Showing System Files

    CHAPTER | Basic Management Tasks | Managing System Files. Figure 9: Setting Start-Up Files. To start using the new firmware or configuration settings, reboot the system via the System > Reset menu. SHOWING SYSTEM FILES: Use the System > File (Show) page to show the files in the system directory, or to delete a file.
  • Page 129: Automatic Operation Code Upgrade

    CHAPTER | Basic Management Tasks | Managing System Files. AUTOMATIC OPERATION CODE UPGRADE: Use the System > File (Automatic Operation Code Upgrade) page to automatically download an operation code file when a file newer than the currently installed one is discovered on the file server. After the file is transferred from the server and successfully written to the file system, it is automatically set as the startup file, and the switch is rebooted.
  • Page 130 CHAPTER | Basic Management Tasks | Managing System Files. ◆ Note that the switch itself does not distinguish between upper and lower-case file names, and only checks to see if the file stored on the server is more recent than the current runtime image. ◆ If two operation code image files are already stored on the switch’s file...
  • Page 131 CHAPTER | Basic Management Tasks | Managing System Files. ftp://[username[:password@]]host[/filedir]/ ■ ftp:// – Defines FTP protocol for the server connection. ■ username – Defines the user name for the FTP connection. If the user name is omitted, then “anonymous” is the assumed user name for the connection.
  • Page 132 CHAPTER | Basic Management Tasks | Managing System Files. ■ ftp://switches:upgrade@192.168.0.1/switches/opcode/ The user name is “switches” and the password is “upgrade”. The image file is in the “opcode” directory, which is within the “switches” parent directory, relative to the FTP root. WEB INTERFACE: To configure automatic code upgrade: Click System, then File.
  • Page 133: Setting The System Clock

    CHAPTER | Basic Management Tasks | Setting the System Clock. SETTING THE SYSTEM CLOCK: Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
  • Page 134: Setting The Sntp Polling Interval

    CHAPTER | Basic Management Tasks | Setting the System Clock. Figure 12: Manually Setting the System Clock. SETTING THE SNTP POLLING INTERVAL: Use the System > Time (Configure General - SNTP) page to set the polling interval at which the switch will query the specified time servers. CLI REFERENCES...
  • Page 135: Configuring Ntp

    CHAPTER | Basic Management Tasks | Setting the System Clock. Figure 13: Setting the Polling Interval for SNTP. CONFIGURING NTP: Use the System > Time (Configure General - NTP) page to configure NTP authentication and show the polling interval at which the switch will query the specified time servers.
  • Page 136: Configuring Time Servers

    CHAPTER | Basic Management Tasks | Setting the System Clock. Figure 14: Configuring NTP. CONFIGURING TIME SERVERS: Use the System > Time (Configure Time Server) pages to specify the IP address for NTP/SNTP time servers, or to set the authentication key for NTP time servers.
  • Page 137 CHAPTER | Basic Management Tasks | Setting the System Clock. Figure 15: Specifying SNTP Time Servers. SPECIFYING NTP TIME SERVERS: Use the System > Time (Configure Time Server – Add NTP Server) page to add the IP address for up to 50 NTP time servers. CLI REFERENCES "ntp server"...
  • Page 138 CHAPTER | Basic Management Tasks | Setting the System Clock. Click Apply. Figure 16: Adding an NTP Time Server. To show the list of configured NTP time servers: Click System, then Time. Select Configure Time Server from the Step list. Select Show NTP Server from the Action list. Figure 17: Showing the NTP Time Server List. SPECIFYING NTP A...
  • Page 139 CHAPTER | Basic Management Tasks | Setting the System Clock. WEB INTERFACE: To add an entry to the NTP authentication key list: Click System, then Time. Select Configure Time Server from the Step list. Select Add NTP Authentication Key from the Action list. Enter the index number and MD5 authentication key string.
  • Page 140: Setting The Time Zone

    CHAPTER | Basic Management Tasks | Setting the System Clock. SETTING THE TIME ZONE: Use the System > Time (Configure Time Server) page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England.
  • Page 141: Configuring The Console Port

    CHAPTER | Basic Management Tasks | Configuring the Console Port. CONFIGURING THE CONSOLE PORT: Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port.
  • Page 142 CHAPTER | Basic Management Tasks | Configuring the Console Port. The password for the console connection can only be configured through the CLI (see "password" on page 742). Password checking can be enabled or disabled for logging in to the console connection (see "login"...
  • Page 143: Configuring Telnet Settings

    CHAPTER | Basic Management Tasks | Configuring Telnet Settings. CONFIGURING TELNET SETTINGS: Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other parameters set, including the TCP port number, timeouts, and a password.
  • Page 144: Displaying Cpu Utilization

    CHAPTER | Basic Management Tasks | Displaying CPU Utilization. authentication by a single global password as configured for the password command, or by passwords set up for specific user-name accounts. The default is for local passwords configured on the switch. WEB INTERFACE: To configure parameters for the console port: Click System, then Telnet.
  • Page 145: Displaying Memory Utilization

    CHAPTER | Basic Management Tasks | Displaying Memory Utilization. WEB INTERFACE: To display CPU utilization: Click System, then CPU Utilization. Change the update interval if required. Note that the interval is changed as soon as a new setting is selected. Figure 23: Displaying CPU Utilization. DISPLAYING MEMORY UTILIZATION...
  • Page 146: Resetting The System

    CHAPTER | Basic Management Tasks | Resetting the System. WEB INTERFACE: To display memory utilization: Click System, then Memory Status. Figure 24: Displaying Memory Utilization. RESETTING THE SYSTEM: Use the System > Reset menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval. CLI REFERENCES "reload (Privileged Exec)"...
  • Page 147 CHAPTER | Basic Management Tasks | Resetting the System. System Reload Configuration: ◆ Reset Mode – Restarts the switch immediately or at the specified time(s). ■ Immediately – Restarts the system immediately. ■ In – Specifies an interval after which to reload the switch...
  • Page 148 CHAPTER | Basic Management Tasks | Resetting the System. For any option other than to reset immediately, fill in the required parameters. Click Apply. When prompted, confirm that you want to reset the switch. Figure 25: Restarting the Switch (Immediately). Figure 26: Restarting the Switch (In)...
  • Page 149 CHAPTER | Basic Management Tasks | Resetting the System. Figure 27: Restarting the Switch (At). Figure 28: Restarting the Switch (Regularly)...
  • Page 150 CHAPTER | Basic Management Tasks | Resetting the System...
  • Page 151: Interface Configuration

    INTERFACE CONFIGURATION. This chapter describes the following topics: ◆ Port Configuration – Configures connection settings, including auto-negotiation, or manual setting of speed, duplex mode, and flow control. ◆ Local Port Mirroring – Sets the source and target ports for mirroring on...
  • Page 152: Port Configuration

    CHAPTER | Interface Configuration | Port Configuration. PORT CONFIGURATION: This section describes how to configure port connections, mirror traffic from one port to another, and run cable diagnostics. CONFIGURING BY PORT LIST: Use the Interface > Port > General (Configure by Port List) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
  • Page 153 CHAPTER | Interface Configuration | Port Configuration. ■ SFP-Forced 1000SFP - Always uses the SFP port (even if a module is not installed), and configured for a 1000BASE SFP transceiver. ■ SFP-Forced 100FX - Always uses the SFP port (even if a module is...
  • Page 154: Configuring By Port Range

    CHAPTER | Interface Configuration | Port Configuration. Click Apply. Figure 29: Configuring Connections by Port List. CONFIGURING BY PORT RANGE: Use the Interface > Port > General (Configure by Port Range) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
  • Page 155: Displaying Connection Status

    CHAPTER | Interface Configuration | Port Configuration. Figure 30: Configuring Connections by Port Range. DISPLAYING CONNECTION STATUS: Use the Interface > Port > General (Show Information) page to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. CLI REFERENCES ◆...
  • Page 156: Configuring Local Port Mirroring

    CHAPTER | Interface Configuration | Port Configuration. Figure 31: Displaying Port Information. CONFIGURING LOCAL PORT MIRRORING: Use the Interface > Port > Mirror page to mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing...
  • Page 157 CHAPTER | Interface Configuration | Port Configuration. ◆ Note that Spanning Tree BPDU packets are not mirrored to the target port. ◆ The destination port cannot be a trunk or trunk member port. PARAMETERS: These parameters are displayed: ◆ Source Port – The port whose traffic will be monitored. ◆ Target Port –...
  • Page 158: Configuring Remote Port Mirroring

    CHAPTER | Interface Configuration | Port Configuration. Figure 34: Displaying Local Port Mirror Sessions. CONFIGURING REMOTE PORT MIRRORING: Use the Interface > RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch. This feature, also called Remote Switched Port Analyzer (RSPAN), carries traffic generated on the...
  • Page 159 CHAPTER | Interface Configuration | Port Configuration. Configuration Guidelines ◆ Take the following steps to configure an RSPAN session: Use the VLAN Static List (see "Configuring VLAN Groups" on page 200) to reserve a VLAN for use by RSPAN (marking the “Remote VLAN”...
  • Page 160 CHAPTER | Interface Configuration | Port Configuration. ■ Port Security – If port security is enabled on any port, that port cannot be set as an RSPAN uplink port, source port, or destination port. Also, when a port is configured as an RSPAN uplink port, source port, or destination port, port security cannot be enabled on that port.
  • Page 161 CHAPTER | Interface Configuration | Port Configuration. ◆ Destination Port – Specifies the destination port to monitor the traffic mirrored from the source ports. Only one destination port can be configured on the same switch per session, but a destination port can be configured on more than one switch for the same session.
  • Page 162: Showing Port Or Trunk Statistics

    CHAPTER | Interface Configuration | Port Configuration. Figure 38: Configuring Remote Port Mirroring (Destination). SHOWING PORT OR TRUNK STATISTICS: Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
  • Page 163 CHAPTER | Interface Configuration | Port Configuration. Table 7: Port Statistics (Continued) (Parameter, Description): Transmitted Errors – The number of outbound packets that could not be transmitted because of errors. Received Unicast Packets – The number of subnetwork-unicast packets delivered to a higher-layer protocol.
  • Page 164 CHAPTER | Interface Configuration | Port Configuration. Table 7: Port Statistics (Continued) (Parameter, Description): Internal MAC Receive Errors – A count of frames for which reception on a particular interface fails due to an internal MAC sublayer receive error. Internal MAC Transmit Errors – A count of frames for which transmission on a particular interface fails due to an internal MAC sublayer transmit error.
  • Page 165 CHAPTER | Interface Configuration | Port Configuration. WEB INTERFACE: To show a list of port statistics: Click Interface, Port, Statistics. Select the statistics mode to display (Interface, Etherlike, RMON or Utilization). Select a port from the drop-down list. Use the Clear button to reset statistics, or the Refresh button to update the screen.
  • Page 166: Displaying Transceiver Data

    CHAPTER | Interface Configuration | Port Configuration. Figure 40: Showing Port Statistics (Chart). DISPLAYING TRANSCEIVER DATA: Use the Interface > Port > Transceiver page to display identifying information and operational parameters for optical transceivers which support Digital Diagnostic Monitoring (DDM). CLI REFERENCES "show interfaces transceiver"...
  • Page 167: Configuring Transceiver Thresholds

    CHAPTER | Interface Configuration | Port Configuration. The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers. This information allows administrators to remotely diagnose problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM), provides information on transceiver parameters.
  • Page 168 CHAPTER | Interface Configuration | Port Configuration. ◆ "transceiver-threshold temperature" on page 999 ◆ "transceiver-threshold tx-power" on page 1000 ◆ "show interfaces transceiver-threshold" on page 1003. PARAMETERS: These parameters are displayed: ◆ Port – Port number. (Range: 1-10) ◆ General –...
  • Page 169 CHAPTER | Interface Configuration | Port Configuration. The threshold value for Rx and Tx power is calculated as the power ratio in decibels (dB) of the measured power referenced to one milliwatt (mW). Threshold values for alarm and warning messages can be configured as described below.
  • Page 170: Performing Cable Diagnostics

    CHAPTER | Interface Configuration | Port Configuration. Figure 42: Configuring Transceiver Thresholds. PERFORMING CABLE DIAGNOSTICS: Use the Interface > Port > Cable Test page to test the cable attached to a port. The cable test will check for any cable faults (short, open, etc.). If a fault is found, the switch reports the length to the fault.
  • Page 171 CHAPTER | Interface Configuration | Port Configuration. ■ Impedance mismatch: Terminating impedance is not in the reference range. ◆ Ports are linked down while running cable diagnostics. PARAMETERS: These parameters are displayed: ◆ Port – Switch port identifier. ◆ Type – Displays media type. (FE – Fast Ethernet, GE – Gigabit...
  • Page 172: Performing Cable Diagnostics
  • Page 173: Trunk Configuration

    CHAPTER | Interface Configuration | Trunk Configuration. To ensure more accurate measurement of the length to a fault, first disable power-saving mode on the link partner before running cable diagnostics. For link-down ports, the reported distance to a fault is accurate to within +/- 2 meters.
  • Page 174: Configuring A Static Trunk

    CHAPTER | Interface Configuration | Trunk Configuration. EtherChannel standard. On the other hand, LACP configured ports can automatically negotiate a trunked link with LACP-configured ports on another device. You can configure any number of ports on the switch as LACP, as long as they are not already configured as part of a static trunk. If ports on another device are also configured as LACP, the switch and the other device will negotiate a trunk link between them.
  • Page 175 CHAPTER | Interface Configuration | Trunk Configuration. CLI REFERENCES ◆ "Link Aggregation Commands" on page 1009 ◆ "Interface Commands" on page 981. COMMAND USAGE ◆ When configuring static trunks, you may not be able to link switches of different types, depending on the vendor’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
  • Page 176 CHAPTER | Interface Configuration | Trunk Configuration. To add member ports to a static trunk: Click Interface, Trunk, Static. Select Configure Trunk from the Step list. Select Add Member from the Action list. Select a trunk identifier. Set the unit and port for an additional trunk member. Click Apply.
  • Page 177: Configuring A Dynamic Trunk

    CHAPTER | Interface Configuration | Trunk Configuration. To display trunk connection parameters: Click Interface, Trunk, Static. Select Configure General from the Step list. Select Show Information from the Action list. Figure 49: Showing Information for Static Trunks. CONFIGURING A DYNAMIC TRUNK: Use the Interface > Trunk > Dynamic pages to set the administrative key for an aggregation group, enable LACP on a port, configure protocol...
  • Page 178 CHAPTER | Interface Configuration | Trunk Configuration. ◆ All ports on both ends of an LACP trunk must be configured for full duplex, and auto-negotiation. ◆ Ports are only allowed to join the same Link Aggregation Group (LAG) if (1) the LACP port system priority matches, (2) the LACP port admin key matches, and (3) the LAG admin key matches (if configured).
  • Page 179 CHAPTER | Interface Configuration | Trunk Configuration. Configure Aggregation Port - Actor/Partner: ◆ Port – Port number. (Range: 1-10) ◆ Admin Key – The LACP administration key must be set to the same value for ports that belong to the same LAG. (Range: 0-65535; Default –...
  • Page 180 CHAPTER | Interface Configuration | Trunk Configuration. WEB INTERFACE: To configure the admin key for a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Aggregator from the Step list. Set the Admin Key and timeout mode for the required LACP group. Click Apply. Figure 51: Configuring the LACP Aggregator Admin Key. To enable LACP for a port: Click Interface, Trunk, Dynamic.
  • Page 181 CHAPTER | Interface Configuration | Trunk Configuration. To configure LACP parameters for group members: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Configure from the Action list. Click Actor or Partner. Configure the required settings. Click Apply. Figure 53: Configuring LACP Parameters on a Port. To show the active members of a dynamic trunk: Click Interface, Trunk, Dynamic.
  • Page 182 CHAPTER | Interface Configuration | Trunk Configuration. To configure connection parameters for a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Trunk from the Step List. Select Configure from the Action List. Modify the required interface settings. (See "Configuring by Port List" on page 152 for a description of the interface settings.) Click Apply.
  • Page 183: Displaying Lacp Port Counters

    Displaying LACP Port Counters: Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Counters) page to display statistics for LACP protocol messages. CLI References: ◆ "show lacp" on page 1018...
  • Page 184: Displaying LACP Settings and Status for the Local Side

    Figure 57: Displaying LACP Port Counters. Displaying LACP Settings and Status for the Local Side: Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Internal) page to display the configuration settings and operational state for the local side of a link aggregation. CLI References...
  • Page 185 | Table 9: LACP Internal Configuration Information (Continued). Parameter / Description: Admin State, Oper State (continued) – ◆ Aggregation – The system considers this link to be aggregatable; i.e., a potential candidate for aggregation. ◆ Long timeout – Periodic transmission of LACPDUs uses a slow...
  • Page 186: Displaying LACP Settings and Status for the Remote Side

    Displaying LACP Settings and Status for the Remote Side: Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation. CLI References...
  • Page 187: Configuring Load Balancing

    Figure 59: Displaying LACP Port Remote Information. Configuring Load Balancing: Use the Interface > Trunk > Load Balance page to set the load-distribution method used among ports in aggregated links. CLI References: ◆ "port channel load-balance" on page 1010...
  • Page 188 | trunk. This mode works best for switch-to-router trunk links where traffic through the switch is received from and destined for many different hosts. ■ Source and Destination MAC Address: All traffic with the same source and destination MAC address is output on the same link in a trunk.
  • Page 189: Saving Power

    Figure 60: Configuring Load Balancing. Saving Power: Use the Interface > Green Ethernet page to enable power savings mode on the selected port. CLI References: ◆ "power-save" on page 1006 ◆ "show power-save" on page 1007...
  • Page 190 | Power savings can only be implemented on Gigabit Ethernet ports when using twisted-pair cabling. Power-savings mode on an active link only works when the connection speed is 1 Gbps and the line length is less than 60 meters.
  • Page 191: Traffic Segmentation

    Traffic Segmentation: If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients.
  • Page 192: Configuring Uplink and Downlink Ports

    Figure 62: Enabling Traffic Segmentation. Configuring Uplink and Downlink Ports: Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports.
  • Page 193 | assigned downlink ports will not be able to communicate with any other ports. ◆ If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports. Parameters: These parameters are displayed: Session ID –...
  • Page 194: VLAN Trunking

    To show the members of the traffic segmentation group: Click Interface, Traffic Segmentation. Select Configure Session from the Step list. Select Show from the Action list. Figure 64: Showing Traffic Segmentation Members. VLAN Trunking: Use the Interface >...
  • Page 195 | connecting VLANs 1 and 2, you only need to create these VLAN groups in switches A and B. Switches C, D and E automatically allow frames with VLAN group tags 1 and 2 (groups that are unknown to those switches) to pass through their VLAN trunking ports.
  • Page 196 | Figure 66: Configuring VLAN Trunking
  • Page 197: VLAN Configuration

    VLAN Configuration: This chapter includes the following topics: ◆ IEEE 802.1Q VLANs – Configures static and dynamic VLANs. ◆ IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain customer-specific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs.
  • Page 198 | since traffic must pass through a configured Layer 3 link to reach a different VLAN. This switch supports the following VLAN features: ◆ Up to 4094 VLANs based on the IEEE 802.1Q standard ◆ Distributed VLAN learning across multiple switches using explicit or...
  • Page 199 | VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port).
  • Page 200: Configuring VLAN Groups

    Figure 68: Using GVRP. Forwarding Tagged/Untagged Frames: If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
  • Page 201 | ◆ Remote VLAN – Reserves this VLAN for RSPAN (see "Configuring Remote Port Mirroring" on page 158). Modify: ◆ VLAN ID – ID of configured VLAN (1-4094). ◆ VLAN Name – Name of the VLAN (1 to 32 characters)...
  • Page 202: Adding Static Members to VLANs

    To modify the configuration settings for VLAN groups: Click VLAN, Static. Select Modify from the Action list. Select the identifier of a configured VLAN. Modify the VLAN name or operational status as required. Click Apply.
  • Page 203 | CLI References: ◆ "Configuring VLAN Interfaces" on page 1139 ◆ "Displaying VLAN Information" on page 1145. Parameters: These parameters are displayed: Edit Member by VLAN: ◆ VLAN – ID of configured VLAN (1-4094)...
  • Page 204 | ■ If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).
  • Page 205 | Web Interface: To configure static members by the VLAN index: Click VLAN, Static. Select Edit Member by VLAN from the Action list. Set the Interface type to display as Port or Trunk. Modify the settings for any interface as required. Click Apply.
  • Page 206 | To configure static members by interface: Click VLAN, Static. Select Edit Member by Interface from the Action list. Select a port or trunk to configure. Modify the settings for any interface as required. Click Apply. Figure 73: Configuring Static VLAN Members by Interface. To configure static members by interface range: Click VLAN, Static.
  • Page 207: Configuring Dynamic VLAN Registration

    Figure 74: Configuring Static VLAN Members by Interface Range. Configuring Dynamic VLAN Registration: Use the VLAN > Dynamic page to enable GVRP globally on the switch, or to enable GVRP and adjust the protocol timers per interface...
  • Page 208 | ◆ GVRP Timers – Timer settings must follow this rule: 3 x (join timer) ≤ leave timer < leaveAll timer. ■ Join – The interval between transmitting requests/queries to participate in a VLAN group. (Range: 20-1000 centiseconds; Default: 20) ■ Leave –...
  • Page 209 | Figure 75: Configuring Global Status of GVRP. To configure GVRP status and timers on a port or trunk: Click VLAN, Dynamic. Select Configure Interface from the Step list. Set the Interface type to display as Port or Trunk. Modify the GVRP status or timers for any interface.
  • Page 210: IEEE 802.1Q Tunneling

    Figure 77: Showing Dynamic VLANs Registered on the Switch. To show the members of a dynamic VLAN: Click VLAN, Dynamic. Select Show Dynamic VLAN from the Step list. Select Show VLAN Members from the Action list. Figure 78: Showing the Members of a Dynamic VLAN. IEEE 802.1Q Tunneling...
  • Page 211 | provider’s network even when they use the same customer-specific VLAN IDs. QinQ tunneling expands VLAN space by using a VLAN-in-VLAN hierarchy, preserving the customer’s original tagged packets, and adding SPVLAN tags to each frame (also called double tagging). A port configured to support QinQ tunneling must be set to tunnel port mode.
  • Page 212 | egress process transmits the packet. Packets entering a QinQ tunnel port are processed in the following manner: An SPVLAN tag is added to all outbound packets on the SPVLAN interface, no matter how many tags they already have. The switch constructs and inserts the outer tag (SPVLAN) into the packet based on the default VLAN ID and Tag Protocol Identifier (TPID, that is, the ether-type of the tag), unless otherwise defined as described under...
  • Page 213 | uplink port is not a member of the outer VLAN of the incoming packets, the packet will be dropped when ingress filtering is enabled. If ingress filtering is not enabled, the packet will still be forwarded. If the VLAN is not listed in the VLAN table, the packet will be dropped.
  • Page 214: Enabling QinQ Tunneling on the Switch

    General Configuration Guidelines for QinQ: Enable Tunnel Status, and set the Tag Protocol Identifier (TPID) value of the tunnel access port (in the Ethernet Type field). This step is required if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames.
  • Page 215: Creating CVLAN to SPVLAN Mapping Entries

    the ethertype field, as they would be with a standard 802.1Q trunk. Frames arriving on the port containing any other ethertype are looked upon as untagged frames, and assigned to the native VLAN of that port. The specified ethertype only applies to ports configured in Uplink mode (see "Adding an Interface to a QinQ Tunnel"...
  • Page 216 | based on the indicated priority and appropriate methods of queue management at intermediate nodes across the tunnel. ◆ Rather than relying on standard service paths and priority queuing, QinQ VLAN mapping can be used to further enhance service by defining a set of differentiated service pathways to follow across the service provider’s network for traffic arriving from specified inbound customer VLANs.
  • Page 217: Adding an Interface to a QinQ Tunnel

    To show the mapping table: Click VLAN, Tunnel. Select Configure Service from the Step list. Select Show from the Action list. Select an interface from the Port list. Figure 82: Showing CVLAN to SPVLAN Mapping Entries. The preceding example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2.
  • Page 218 | ◆ Trunk – Trunk Identifier. (Range: 1-5) ◆ Mode – Sets the VLAN membership mode of the port. ■ None – The port operates in its normal VLAN mode. (This is the default.) ■ Access –...
  • Page 219: Protocol VLANs

    Protocol VLANs: The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
  • Page 220 | Traffic which matches IP Protocol Ethernet Frames is mapped to the VLAN (VLAN 1) that has been configured with the switch's administrative IP. IP Protocol Ethernet traffic must not be mapped to another VLAN or you will lose administrative network connectivity to the switch.
  • Page 221: Mapping Protocol Groups to Interfaces

    Figure 85: Displaying Protocol VLANs. Mapping Protocol Groups to Interfaces: Use the VLAN > Protocol (Configure Interface - Add) page to map a protocol group to a VLAN for each interface that will participate in the group.
  • Page 222 | ◆ VLAN ID – VLAN to which matching protocol traffic is forwarded. (Range: 1-4094) ◆ Priority – The priority assigned to untagged ingress traffic. (Range: 0-3, where 3 is the highest priority) Web Interface: To map a protocol group to a VLAN for a port or trunk: Click VLAN, Protocol.
  • Page 223: Configuring IP Subnet VLANs

    Figure 87: Showing the Interface to Protocol Group Mapping. Configuring IP Subnet VLANs: Use the VLAN > IP Subnet page to configure IP subnet-based VLANs. When using port-based classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port.
  • Page 224 | Parameters: These parameters are displayed: ◆ IP Address – The IP address for a subnet. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. ◆ Subnet Mask – This mask identifies the host address bits of the IP subnet.
  • Page 225: Configuring MAC-Based VLANs

    Figure 89: Showing IP Subnet VLANs. Configuring MAC-Based VLANs: Use the VLAN > MAC-Based page to configure VLANs based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to source MAC addresses. When MAC-based VLAN classification is enabled, untagged frames received by a port are assigned to the VLAN which is mapped to the frame’s source MAC address.
  • Page 226 | Web Interface: To map a MAC address to a VLAN: Click VLAN, MAC-Based. Select Add from the Action list. Enter an address in the MAC Address field. Enter an identifier in the VLAN field. Note that the specified VLAN need not already be configured.
  • Page 227: Configuring VLAN Mirroring

    Configuring VLAN Mirroring: Use the VLAN > Mirror (Add) page to mirror traffic from one or more source VLANs to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source VLAN(s) in a completely unobtrusive manner.
  • Page 228 | Web Interface: To configure VLAN mirroring: Click VLAN, Mirror. Select Add from the Action list. Select the source VLAN, and select a target port. Click Apply. Figure 92: Configuring VLAN Mirroring. To show the VLANs to be mirrored: Click VLAN, Mirror.
  • Page 229: Address Table Settings

    Address Table Settings: Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
  • Page 230 | Configuring MAC Address Learning: ◆ Also note that MAC address learning cannot be disabled if any of the following conditions exist: ■ 802.1X Port Authentication has been globally enabled on the switch (see "Configuring 802.1X Global Settings" on page 391).
  • Page 231: Setting Static Addresses

    Setting Static Addresses: Use the MAC Address > Static page to configure static MAC addresses. A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
  • Page 232: Changing The Aging Time

    Click Apply. Figure 95: Configuring Static MAC Addresses. To show the static addresses in the MAC address table: Click MAC Address, Static. Select Show from the Action list. Figure 96: Displaying Static MAC Addresses. Changing the Aging Time: Use the MAC Address >...
  • Page 233: Displaying The Dynamic Address Table

    Web Interface: To set the aging time for entries in the dynamic address table: Click MAC Address, Dynamic. Select Configure Aging from the Action list. Modify the aging status if required. Specify a new aging time.
  • Page 234: Clearing The Dynamic Address Table

    Web Interface: To show the dynamic address table: Click MAC Address, Dynamic. Select Show Dynamic MAC from the Action list. Select the Sort Key (MAC Address, VLAN, or Interface). Enter the search parameters (MAC Address, VLAN, or Interface). Click Query.
  • Page 235: Configuring MAC Address Mirroring

    Web Interface: To clear the entries in the dynamic address table: Click MAC Address, Dynamic. Select Clear Dynamic MAC from the Action list. Select the method by which to clear the entries (i.e., All, MAC Address, VLAN, or Interface).
  • Page 236 | cannot be set to the same target ports as that used for port mirroring (see "Configuring Local Port Mirroring" on page 156). ◆ When traffic matches the rules for both port mirroring, and for...
  • Page 237 | To show the MAC addresses to be mirrored: Click MAC Address, Mirror. Select Show from the Action list. Figure 101: Showing the Source MAC Addresses to Mirror
  • Page 239: Spanning Tree Algorithm

    Spanning Tree Algorithm: This chapter describes the following basic topics: ◆ Loopback Detection – Configures detection and response to loopback BPDUs. ◆ Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP. ◆ Interface Settings for STA – Configures interface settings for STA,...
  • Page 240 | Overview: lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops. Figure 102: STP Root Ports and Designated Ports...
  • Page 241 | Figure 103: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree. An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest –...
  • Page 242: Configuring Loopback Detection

    Configuring Loopback Detection: Use the Spanning Tree > Loopback Detection page to configure loopback detection on an interface. When loopback detection is enabled and a port or trunk receives its own BPDU, the detection agent drops the loopback BPDU, sends an SNMP trap, and places the interface in discarding mode.
  • Page 243 | ◆ Shutdown Interval – The duration to shut down the interface. (Range: 60-86400 seconds; Default: 60 seconds) If an interface is shut down due to a detected loopback, and the release mode is set to “Auto,” the selected interface will be automatically enabled when the shutdown interval has expired.
  • Page 244: Configuring Global Settings for STA

    Configuring Global Settings for STA: Use the Spanning Tree > STA (Configure Global - Configure) page to configure global settings for the spanning tree that apply to the entire switch. CLI References: ◆...
  • Page 245 | ■ Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic.
  • Page 246 | Advanced Configuration Settings: The following attributes are based on RSTP, but also apply to STP since the switch uses a backwards-compatible subset of RSTP to implement STP, and also apply to MSTP which is based on RSTP according to the standard: Path Cost Method –...
  • Page 247 | RSTP does not depend on the forward delay timer in most cases. It is able to confirm that a port can transition to the forwarding state without having to rely on any timer configuration. To achieve fast convergence, RSTP relies on the use of edge ports, and automatic detection of point-to-point link types, both of which allow a port to directly transition to the forwarding state.
  • Page 248 | Figure 106: Configuring Global Settings for STA (STP). Figure 107: Configuring Global Settings for STA (RSTP)
  • Page 249: Displaying Global Settings for STA

    Figure 108: Configuring Global Settings for STA (MSTP). Displaying Global Settings for STA: Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.
  • Page 250: Configuring Interface Settings for STA

    ◆ Root Port – The number of the port on this switch that is closest to the root. This switch communicates with the root device through this port. If there is no root port, then this switch has been accepted as the root device of the Spanning Tree network.
  • Page 251: Table 12: Recommended STA Path Cost Range

    CLI References: ◆ "Spanning Tree Commands" on page 1071. Parameters: These parameters are displayed: ◆ Interface – Displays a list of ports or trunks. ◆ Spanning Tree – Enables/disables STA on this interface. ◆...
  • Page 252: Table 13: Default STA Path Costs

    Table 13: Default STA Path Costs
    Port Type          Short Path Cost (IEEE 802.1D-1998)   Long Path Cost (IEEE 802.1w-2001)
    Ethernet           65,535                               1,000,000
    Fast Ethernet      65,535                               100,000
    Gigabit Ethernet   10,000                               10,000
    ◆ Admin Link Type – The link type attached to this interface. ◆...
  • Page 253 | An interface cannot function as an edge port under the following conditions: ■ If spanning tree mode is set to STP (page 244), edge-port mode cannot automatically transition to operational edge-port state using the automatic setting.
  • Page 254: Displaying Interface Settings for STA

    Figure 110: Configuring Interface Settings for STA. Displaying Interface Settings for STA: Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree. CLI References: "show spanning-tree"...
  • Page 255 | The rules defining port status are: ■ A port on a network segment with no other STA compliant bridging device is always forwarding. ■ If two ports of a switch are connected to the same segment and...
  • Page 256 | Figure 111: STA Port Roles (R: Root Port, A: Alternate Port, D: Designated Port, B: Backup Port). Alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port.
  • Page 257: Configuring Multiple Spanning Trees

    Configuring Multiple Spanning Trees: Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance. CLI References: ◆ "Spanning Tree Commands" on page 1071...
  • Page 258 | Web Interface: To create instances for MSTP: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Add from the Action list. Specify the MST instance identifier and the initial VLAN member. Additional members can be added using the Spanning Tree >...
  • Page 259 | To show the MSTP instances: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Show from the Action list. Figure 114: Displaying MST Instances. To modify the priority for an MST instance: Click Spanning Tree, MSTP.
  • Page 260 | To display global settings for MSTP: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Show Information from the Action list. Select an MST ID. The attributes displayed on this page are described under "Displaying Global Settings for STA"...
  • Page 261: Configuring Interface Settings for MSTP

    To show the VLAN members of an MSTP instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Show Member from the Action list. Figure 118: Displaying Members of an MST Instance. Configuring Interface Settings for MSTP...
  • Page 262 | ◆ Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree.
  • Page 263 | To display MSTP parameters for a port or trunk: Click Spanning Tree, MSTP. Select Configure Interface from the Step list. Select Show Information from the Action list. Figure 120: Displaying MSTP Interface Settings
  • Page 265: Congestion Control

    Congestion Control: The switch can set the maximum upload or download data transfer rate for any port. It can also control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.
  • Page 266: Storm Control

    ◆ Rate – Sets the rate limit level. (Range: 64 - 100000 kbits per second for Fast Ethernet ports; 64 - 1000000 kbits per second for Gigabit Ethernet ports) Web Interface: To configure rate limits: Click Traffic, Rate Limit.
  • Page 267 | ◆ When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic, packets exceeding the threshold are dropped until the rate falls back down beneath the threshold. ◆ Traffic storms can be controlled at the hardware level using Storm...
  • Page 268: Automatic Traffic Control

    Click Apply. Figure 122: Configuring Storm Control. Automatic Traffic Control: Use the Traffic > Congestion Control > Auto Traffic Control pages to configure bounding thresholds for broadcast and multicast storms which can automatically trigger rate limits or shut down a port. CLI References: "Automatic Traffic Control Commands"...
  • Page 269 | The key elements of this diagram are described below: ◆ Alarm Fire Threshold – The highest acceptable traffic rate. When ingress traffic exceeds the threshold, ATC sends a Storm Alarm Fire Trap and logs it. ◆ When traffic exceeds the alarm fire threshold and the apply timer...
  • Page 270: Setting the ATC Timers

    Setting the ATC Timers: Use the Traffic > Auto Traffic Control (Configure Global) page to set the time at which to apply the control response after ingress traffic has exceeded the upper threshold, and the time at which to release the control response after ingress traffic has fallen beneath the lower threshold.
  • Page 271: Configuring ATC Thresholds and Responses

    Figure 125: Configuring ATC Timers. Configuring ATC Thresholds and Responses: Use the Traffic > Auto Traffic Control (Configure Interface) page to set the storm control mode (broadcast or multicast), the traffic thresholds, the control response, to automatically release a response of rate limiting, or to send related SNMP trap messages.
  • Page 272 | ◆ Auto Release Control – Automatically stops a traffic control response of rate limiting when traffic falls below the alarm clear threshold and the release timer expires as illustrated in Figure 123 on page 268.
  • Page 273 | Web Interface: To configure the response timers for automatic storm control: Click Traffic, Auto Traffic Control. Select Configure Interface from the Step field. Enable or disable ATC as required, set the control response, specify whether or not to automatically release the control response of rate limiting, set the upper and lower thresholds, and specify which trap messages to send.
  • Page 274 | Congestion Control HAPTER Automatic Traffic Control – 274 –...
  • Page 275: Class of Service

    Chapter: Class of Service. Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 276: Selecting the Queue Mode

    Chapter: Class of Service, Layer 2 Queue Settings. ...frames. If the incoming frame is an IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used. ◆ If the output port is an untagged member of the associated VLAN,...
  • Page 277 | Chapter: Class of Service, Layer 2 Queue Settings. Command Usage: ◆ Strict priority requires all traffic in a higher priority queue to be processed before lower priority queues are serviced. ◆ WRR queuing specifies a relative weight for each queue. WRR uses a...
  • Page 278 | Chapter: Class of Service, Layer 2 Queue Settings. Web Interface: To configure the queue mode: Click Traffic, Priority, Queue. Set the queue mode. If the weighted queue mode is selected, the queue weight can be modified if required. If the queue mode that uses a combination of strict and weighted queueing is selected, the queues which are serviced first must be specified by enabling the strict mode parameter in the table.
  • Page 279: Mapping CoS Values to Egress Queues

    Chapter: Class of Service, Layer 2 Queue Settings. Mapping CoS Values to Egress Queues: Use the Traffic > Priority > PHB to Queue page to specify the hardware output queues to use based on the internal per-hop behavior value. (For more information on the exact manner in which the ingress priority tags are mapped to egress queues for internal processing, see "Mapping CoS Priorities to Internal DSCP Values"...
  • Page 280: Table 16: Mapping Internal Per-Hop Behavior to Hardware Queues

    Chapter: Class of Service, Layer 2 Queue Settings. ◆ The default internal PHB to output queue mapping is shown below. Table 16: Mapping Internal Per-hop Behavior to Hardware Queues (columns: Per-hop Behavior, Hardware Queues). ◆ The specified mapping applies to all interfaces. Parameters: These parameters are displayed: Port –...
  • Page 281: Layer 3/4 Priority Settings

    Chapter: Class of Service, Layer 3/4 Priority Settings. Select an interface. Figure 132: Showing CoS Values to Egress Queue Mapping. Layer 3/4 Priority Settings: Mapping Layer 3/4 Priorities to CoS Values. The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements.
  • Page 282: Setting Priority Processing to DSCP or CoS

    Chapter: Class of Service, Layer 3/4 Priority Settings. Setting Priority Processing to DSCP or CoS: The switch allows a choice between using DSCP or CoS priority processing methods. Use the Priority > Trust Mode page to select the required processing method. CLI References: "qos map trust-mode"...
  • Page 283: Mapping Ingress DSCP Values to Internal DSCP Values

    Chapter: Class of Service, Layer 3/4 Priority Settings. Figure 133: Setting the Trust Mode. Mapping Ingress DSCP Values to Internal DSCP Values: Use the Traffic > Priority > DSCP to DSCP page to map DSCP values in incoming packets to per-hop behavior and drop precedence values for internal priority processing.
  • Page 284: Table 17: Default Mapping of DSCP Values to Internal PHB/Drop Values

    Chapter: Class of Service, Layer 3/4 Priority Settings. ◆ PHB – Per-hop behavior, or the priority used for this router hop. (Range: 0-7) ◆ Drop Precedence – Drop precedence used for Random Early Detection in controlling traffic congestion. (Range: 0 - Green, 3 - Yellow, 1 - Red) Table 17: Default Mapping of DSCP Values to Internal PHB/Drop Values ingress-dscp1...
  • Page 285: Mapping CoS Priorities to Internal DSCP Values

    Chapter: Class of Service, Layer 3/4 Priority Settings. To show the DSCP to internal PHB/drop precedence map: Click Traffic, Priority, DSCP to DSCP. Select Show from the Action list. Select a port. Figure 135: Showing DSCP to DSCP Internal Mapping. Use the Traffic >...
  • Page 286: Table 18: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence

    Chapter: Class of Service, Layer 3/4 Priority Settings. ...ports, and then starts dropping any packets regardless of color when the buffer fills up to 58 packets on Fast Ethernet ports and 80 packets on Gigabit Ethernet ports. Parameters: These parameters are displayed: Port –...
  • Page 287 | Chapter: Class of Service, Layer 3/4 Priority Settings. Figure 136: Configuring CoS to DSCP Internal Mapping. To show the CoS/CFI to internal PHB/drop precedence map: Click Traffic, Priority, CoS to DSCP. Select Show from the Action list. Select a port. Figure 137: Showing CoS to DSCP Internal Mapping –...
  • Page 288 | Chapter: Class of Service, Layer 3/4 Priority Settings...
  • Page 289: Quality of Service

    Chapter: Quality of Service. This chapter describes the following tasks required to apply QoS policies: Class Map – Creates a map which identifies a specific class of traffic. Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic. Binding to a Port –...
  • Page 290: Configuring a Class Map

    Chapter: Quality of Service, Configuring a Class Map. Command Usage: To create a service policy for a specific category of ingress traffic, follow these steps: 1. Use the Configure Class (Add) page to designate a class name for a specific category of traffic. 2. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, a VLAN, or a CoS value.
  • Page 291 | Chapter: Quality of Service, Configuring a Class Map. ◆ Description – A brief description of a class map. (Range: 1-64 characters) Add Rule: ◆ Class Name – Name of the class map. ◆ Type – The criteria specified by the match command. (This field is set...
  • Page 292 | Chapter: Quality of Service, Configuring a Class Map. To show the configured class maps: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show from the Action list. Figure 139: Showing Class Maps. To edit the rules for a class map: Click Traffic, DiffServ.
  • Page 293: Creating QoS Policies

    Chapter: Quality of Service, Creating QoS Policies. To show the rules for a class map: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show Rule from the Action list. Figure 141: Showing the Rules for a Class Map. Creating QoS Policies: Use the Traffic >...
  • Page 294 | Chapter: Quality of Service, Creating QoS Policies. ...conforming to the maximum throughput, or exceeding the maximum throughput. srTCM Police Meter – Defines an enforcer for classified traffic based on a single rate three color meter scheme defined in RFC 2697. This metering policy monitors a traffic stream and processes its packets according to the committed information rate (CIR, or maximum throughput), committed burst size (BC, or burst rate), and excess burst size (BE).
  • Page 295 | Chapter: Quality of Service, Creating QoS Policies. When a packet of size B bytes arrives at time t, the following happens if srTCM is configured to operate in Color-Aware mode: ■ If the packet has been precolored as green and Tc(t)-B ≥ 0, the...
  • Page 296 | Chapter: Quality of Service, Creating QoS Policies. ...count Tp is incremented by one PIR times per second up to BP and the token count Tc is incremented by one CIR times per second up to BC. When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in Color-Blind mode: If Tp(t)-B <...
  • Page 297 | Chapter: Quality of Service, Creating QoS Policies. Add Rule: ◆ Policy Name – Name of policy map. ◆ Class Name – Name of a class map that defines a traffic classification upon which a policy can act. ◆ Action – This attribute is used to set an internal QoS value in hardware...
  • Page 298 | Chapter: Quality of Service, Creating QoS Policies. ■ Conform – Specifies that traffic conforming to the maximum rate (CIR) will be transmitted without any change to the DSCP service level. ■ Transmit – Transmits in-conformance traffic without any change to the DSCP service level. Violate –...
  • Page 299 | Chapter: Quality of Service, Creating QoS Policies. ■ Exceed – Specifies whether traffic that exceeds the maximum rate (CIR) but is within the excess burst size (BE) will be dropped or the DSCP service level will be reduced. ■ Set IP DSCP – Decreases DSCP priority for out of...
  • Page 300 | Chapter: Quality of Service, Creating QoS Policies. ■ Conform – Specifies that traffic conforming to the maximum rate (CIR) will be transmitted without any change to the DSCP service level. ■ Transmit – Transmits in-conformance traffic without any change to the DSCP service level. Exceed –...
  • Page 301 | Chapter: Quality of Service, Creating QoS Policies. To show the configured policy maps: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Show from the Action list. Figure 143: Showing Policy Maps. To edit the rules for a policy map: Click Traffic, DiffServ.
  • Page 302 | Chapter: Quality of Service, Creating QoS Policies. Figure 144: Adding Rules to a Policy Map. To show the rules for a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Show Rule from the Action list. Figure 145: Showing the Rules for a Policy Map –...
  • Page 303: Attaching a Policy Map to a Port

    Chapter: Quality of Service, Attaching a Policy Map to a Port. Use the Traffic > DiffServ (Configure Interface) page to bind a policy map to an ingress port. CLI References: ◆ "Quality of Service Commands" on page 1187...
  • Page 304 | Chapter: Quality of Service, Attaching a Policy Map to a Port...
  • Page 305: VoIP Traffic Configuration

    Chapter: VoIP Traffic Configuration. This chapter covers the following topics: ◆ Global Settings – Enables VoIP globally, sets the Voice VLAN, and the aging time for attached ports. ◆ Telephony OUI List – Configures the list of phones to be treated as VoIP...
  • Page 306: Configuring VoIP Traffic

    Chapter: VoIP Traffic Configuration, Configuring VoIP Traffic. Use the Traffic > VoIP (Configure Global) page to configure the switch for VoIP traffic. First enable automatic detection of VoIP devices attached to the switch ports, then set the Voice VLAN ID for the network. The Voice VLAN aging time can also be set to remove a port from the Voice VLAN when VoIP traffic is no longer received on the port.
  • Page 307: Configuring Telephony OUI

    Chapter: VoIP Traffic Configuration, Configuring Telephony OUI. Figure 147: Configuring a Voice VLAN. Configuring Telephony OUI: VoIP devices attached to the switch can be identified by the vendor’s Organizationally Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to vendors and form the first three octets of device MAC addresses.
  • Page 308: Configuring VoIP Traffic Ports

    Chapter: VoIP Traffic Configuration, Configuring VoIP Traffic Ports. Select a mask from the pull-down list to define a MAC address range. Enter a description for the devices. Click Apply. Figure 148: Configuring an OUI Telephony List. To show the MAC OUI numbers used for VoIP equipment: Click Traffic, VoIP.
  • Page 309 | Chapter: VoIP Traffic Configuration, Configuring VoIP Traffic Ports. Command Usage: All ports are set to VLAN hybrid mode by default. Prior to enabling VoIP for a port (by setting the VoIP mode to Auto or Manual as described below), first ensure that VLAN membership is not set to access mode (see "Adding Static Members to VLANs"...
  • Page 310 | Chapter: VoIP Traffic Configuration, Configuring VoIP Traffic Ports. ...time should be added to the overall aging time. For example, if you configure the MAC address table aging time to 30 seconds, and the voice VLAN aging time to 5 minutes, then after 5.5 minutes, a port will be removed from the voice VLAN when VoIP traffic is no longer received on the port.
  • Page 311: Security Measures

    Chapter: Security Measures. You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 312: AAA Authentication, Authorization and Accounting

    Chapter: Security Measures, AAA Authentication, Authorization and Accounting. ◆ IPv4 Source Guard – Filters IPv4 traffic on insecure ports for which the source address cannot be identified via DHCPv4 snooping or static source bindings. ◆ IPv6 Source Guard – Filters IPv6 traffic on insecure ports for which the...
  • Page 313: Configuring Local/Remote Logon Authentication

    Chapter: Security Measures, AAA Authentication, Authorization and Accounting. To configure AAA on the switch, you need to follow this general process: 1. Configure RADIUS and TACACS+ server access parameters. See "Configuring Local/Remote Logon Authentication" on page 313. 2. Define RADIUS and TACACS+ server groups to support the accounting and authorization of services.
  • Page 314: Configuring Remote Logon Authentication Servers

    Chapter: Security Measures, AAA Authentication, Authorization and Accounting. Parameters: These parameters are displayed: ◆ Authentication Sequence – Select the authentication, or authentication sequence required: ■ Local – User authentication is performed only locally by the switch. ■ RADIUS – User authentication is performed using a RADIUS server...
  • Page 315 | Chapter: Security Measures, AAA Authentication, Authorization and Accounting. Figure 152: Authentication Server Operation (console or Telnet client, switch, RADIUS/TACACS+ server): 1. Client attempts management access. 2. Switch contacts authentication server. 3. Authentication server challenges client. 4. Client responds with proper password or key. 5....
  • Page 316 | Chapter: Security Measures, AAA Authentication, Authorization and Accounting. ■ Server IP Address – Address of authentication server. (A Server Index entry must be selected to display this item.) ■ Accounting Server UDP Port – Network (UDP) port on authentication server used for accounting messages. (Range: 1-65535;...
  • Page 317 | Chapter: Security Measures, AAA Authentication, Authorization and Accounting. ■ Authentication Key – Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 48 characters) ■ Confirm Authentication Key – Re-type the string entered in the...
  • Page 318 | Chapter: Security Measures, AAA Authentication, Authorization and Accounting. Figure 153: Configuring Remote Authentication Server (RADIUS). Figure 154: Configuring Remote Authentication Server (TACACS+). To configure the RADIUS or TACACS+ server groups to use for accounting and authorization: Click Security, AAA, Server. Select Configure Group from the Step list.
  • Page 319: Configuring AAA Accounting

    Chapter: Security Measures, AAA Authentication, Authorization and Accounting. Figure 155: Configuring AAA Server Groups. To show the RADIUS or TACACS+ server groups used for accounting and authorization: Click Security, AAA, Server. Select Configure Group from the Step list. Select Show from the Action list. Figure 156: Showing AAA Server Groups. Use the Security >...
  • Page 320 | Chapter: Security Measures, AAA Authentication, Authorization and Accounting. Parameters: These parameters are displayed: Configure Global: ◆ Periodic Update – Specifies the interval at which the local accounting service updates information for all users on the system to the accounting server. (Range: 1-2147483647 minutes) Configure Method: Accounting Type –...
  • Page 321 | Chapter: Security Measures, AAA Authentication, Authorization and Accounting. ■ Console Method Name – Specifies a user-defined method name to apply to commands entered at the specified CLI privilege level through the console interface. ■ VTY Method Name – Specifies a user-defined method name to...
  • Page 322 | Chapter: Security Measures, AAA Authentication, Authorization and Accounting. Figure 157: Configuring Global Settings for AAA Accounting. To configure the accounting method applied to various service types and the assigned server group: Click Security, AAA, Accounting. Select Configure Method from the Step list. Select Add from the Action list.
  • Page 323 | Chapter: Security Measures, AAA Authentication, Authorization and Accounting. Figure 159: Showing AAA Accounting Methods. To configure the accounting method applied to specific interfaces, console commands entered at specific privilege levels, and local console, Telnet, or SSH connections: Click Security, AAA, Accounting. Select Configure Service from the Step list.
  • Page 324 | Chapter: Security Measures, AAA Authentication, Authorization and Accounting. Figure 161: Configuring AAA Accounting Service for Command Service. Figure 162: Configuring AAA Accounting Service for Exec Service. To display a summary of the configured accounting methods and assigned server groups for specified service types: Click Security, AAA, Accounting.
  • Page 325: Configuring AAA Authorization

    Chapter: Security Measures, AAA Authentication, Authorization and Accounting. To display basic accounting information and statistics recorded for user sessions: Click Security, AAA, Accounting. Select Show Information from the Step list. Click Statistics. Figure 164: Displaying Statistics for AAA Accounting Sessions. Use the Security >...
  • Page 326 | Chapter: Security Measures, AAA Authentication, Authorization and Accounting. ◆ Server Group Name – Specifies the authorization server group. (Range: 1-64 characters) The group name “tacacs+” specifies all configured TACACS+ hosts (see "Configuring Local/Remote Logon Authentication" on page 313). Any other group name refers to a server group configured on the TACACS+ Group Settings page.
  • Page 327 | Chapter: Security Measures, AAA Authentication, Authorization and Accounting. Figure 165: Configuring AAA Authorization Methods. To show the authorization method applied to the EXEC service type and the assigned server group: Click Security, AAA, Authorization. Select Configure Method from the Step list. Select Show from the Action list.
  • Page 328: Configuring User Accounts

    Chapter: Security Measures, Configuring User Accounts. Figure 167: Configuring AAA Authorization Methods for Exec Service. To display the configured authorization method and assigned server groups for the Exec service type: Click Security, AAA, Authorization. Select Show Information from the Step list. Figure 168: Displaying the Applied AAA Authorization Method. Configuring User Accounts...
  • Page 329 | Chapter: Security Measures, Configuring User Accounts. ◆ Access Level – Specifies command access privileges. (Range: 0-15) Levels 0, 8 and 15 are designed for users (guest), managers (network maintenance), and administrators (top-level access). The other levels can be used to configure specialized access profiles. Levels 0-7 provide the same default access to a limited number of commands which display the current status of the switch, as well as several database clear and reset functions.
  • Page 330: Web Authentication

    Chapter: Security Measures, Web Authentication. Click Apply. Figure 169: Configuring User Accounts. To show user accounts: Click Security, User Accounts. Select Show from the Action list. Figure 170: Showing User Accounts. Web Authentication: Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication is infeasible or impractical.
  • Page 331: Configuring Global Settings for Web Authentication

    Chapter: Security Measures, Web Authentication. RADIUS authentication must be activated and configured properly for the web authentication feature to work. (See "Configuring Local/Remote Logon Authentication" on page 313.) Web authentication cannot be configured on trunk ports. Configuring Global Settings for Web Authentication: Use the Security > Web Authentication (Configure Global) page to edit the global parameters for web authentication.
  • Page 332: Configuring Interface Settings for Web Authentication

    Chapter: Security Measures, Web Authentication. Figure 171: Configuring Global Settings for Web Authentication. Configuring Interface Settings for Web Authentication: Use the Security > Web Authentication (Configure Interface) page to enable web authentication on a port, and display information for any connected hosts. CLI References:...
  • Page 333: Network Access (MAC Address Authentication)

    Chapter: Security Measures, Network Access (MAC Address Authentication). Mark the check box for any host addresses that need to be re-authenticated, and click Re-authenticate. Figure 172: Configuring Interface Settings for Web Authentication. Network Access (MAC Address Authentication): Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations.
  • Page 334: Table 19: Dynamic QoS Profiles

    Chapter: Security Measures, Network Access (MAC Address Authentication). The user name and password are both equal to the MAC address being authenticated. On the RADIUS server, PAP user names and passwords must be configured in the MAC address format XX-XX-XX-XX-XX-XX (all in upper case).
  • Page 335 | Chapter: Security Measures, Network Access (MAC Address Authentication). For example, the attribute “service-policy-in=pp1;rate-limit-input=100” specifies that the diffserv profile name is “pp1,” and the ingress rate limit profile value is 100 kbps. ◆ If duplicate profiles are passed in the Filter-ID attribute, then only the...
  • Page 336: Configuring Global Settings for Network Access

    Chapter: Security Measures, Network Access (MAC Address Authentication). Configuring Global Settings for Network Access: MAC address authentication is configured on a per-port basis; however, there are two configurable parameters that apply globally to all ports on the switch. Use the Security > Network Access (Configure Global) page to configure MAC address authentication aging and reauthentication time.
  • Page 337: Configuring Network Access for Ports

    Chapter: Security Measures, Network Access (MAC Address Authentication). Figure 173: Configuring Global Settings for Network Access. Configuring Network Access for Ports: Use the Security > Network Access (Configure Interface - General) page to configure MAC authentication on switch ports, including enabling address authentication, setting the maximum MAC count, and enabling dynamic...
  • Page 338 | Chapter: Security Measures, Network Access (MAC Address Authentication). ◆ Dynamic VLAN – Enables dynamic VLAN assignment for an authenticated port. When enabled, any VLAN identifiers returned by the RADIUS server through the 802.1X authentication process are applied to the port, provided the VLANs have already been created on the switch.
  • Page 339: Configuring Port Link Detection

    Chapter: Security Measures, Network Access (MAC Address Authentication). Figure 174: Configuring Interface Settings for Network Access. Configuring Port Link Detection: Use the Security > Network Access (Configure Interface - Link Detection) page to send an SNMP trap and/or shut down a port when a link event occurs.
  • Page 340: Configuring a MAC Address Filter

    Chapter: Security Measures, Network Access (MAC Address Authentication). Web Interface: To configure link detection on switch ports: Click Security, Network Access. Select Configure Interface from the Step list. Click the Link Detection button. Modify the link detection status, trigger condition, and the response for any port.
  • Page 341 | Chapter: Security Measures, Network Access (MAC Address Authentication). ◆ MAC Address Mask – The filter rule will check for the range of MAC addresses defined by the MAC bit mask. If you omit the mask, the system will assign the default mask of an exact match. (Range: 000000000000 - FFFFFFFFFFFF;...
  • Page 342: Displaying Secure MAC Address Information

    Chapter: Security Measures, Network Access (MAC Address Authentication). Displaying Secure MAC Address Information: Use the Security > Network Access (Show Information) page to display the authenticated MAC addresses stored in the secure MAC address table. Information on the secure MAC entries can be displayed, and selected entries can be removed from the table.
  • Page 343: Configuring HTTPS

    Chapter: Security Measures, Configuring HTTPS. Figure 178: Showing Addresses Authenticated for Network Access. Configuring HTTPS: You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the Security >...
  • Page 344: Table 20: HTTPS System Support

    Chapter: Security Measures, Configuring HTTPS. ◆ The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 6, Mozilla Firefox 4, or Google Chrome 29, or more recent versions. ◆ The following web browsers and operating systems currently support...
  • Page 345: Replacing the Default Secure-Site Certificate

    Chapter: Security Measures, Configuring HTTPS. Figure 179: Configuring HTTPS. Replacing the Default Secure-Site Certificate: Use the Security > HTTPS (Copy Certificate) page to replace the default secure-site certificate. When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch.
  • Page 346 | Chapter: Security Measures, Configuring HTTPS. ◆ Private Key Source File Name – Name of private key file stored on the TFTP server. ◆ Private Password – Password stored in the private key file. This password is used to verify authorization for certificate use, and is verified when downloading the certificate to the switch.
  • Page 347: Configuring the Secure Shell

    Chapter: Security Measures, Configuring the Secure Shell. The Berkeley-standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
  • Page 348 | Chapter: Security Measures, Configuring the Secure Shell. ◆ Import Client’s Public Key to the Switch – See "Importing User Public Keys" on page 352, or use the copy tftp public-key command (page 728) to copy a file containing the public key for all the SSH clients granted management access to the switch.
  • Page 349: Configuring the SSH Server

    Chapter: Security Measures, Configuring the Secure Shell. If a match is found, the switch uses its secret key to generate a random 256-bit string as a challenge, encrypts this string with the user’s public key, and sends it to the client. The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back to the switch.
  • Page 350 | Chapter: Security Measures, Configuring the Secure Shell. ◆ Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients. ◆ Authentication Timeout – Specifies the time interval in seconds that...
  • Page 351: Generating the Host Key Pair

    Chapter: Security Measures, Configuring the Secure Shell. Generating the Host Key Pair: Use the Security > SSH (Configure Host Key - Generate) page to generate a host public/private key pair used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the section "Importing User Public...
  • Page 352: Importing User Public Keys

    Chapter: Security Measures, Configuring the Secure Shell. Figure 182: Generating the SSH Host Key Pair. To display or clear the SSH host key pair: Click Security, SSH. Select Configure Host Key from the Step list. Select Show from the Action list. Select the host-key type to clear.
  • Page 353 | Chapter: Security Measures, Configuring the Secure Shell. Parameters: These parameters are displayed: ◆ User Name – This drop-down box selects the user whose public key you wish to manage. Note that you must first create users on the User Accounts page (see "Configuring User Accounts"...
  • Page 354: Access Control Lists

    Chapter: Security Measures, Access Control Lists. To display or clear the SSH user’s public key: Click Security, SSH. Select Configure User Key from the Step list. Select Show from the Action list. Select a user from the User Name list. Select the host-key type to clear.
  • Page 355 | Chapter: Security Measures, Access Control Lists. Command Usage: The following restrictions apply to ACLs: ◆ The maximum number of ACLs is 64. ◆ The maximum number of rules per system is 512 rules. ◆ An ACL can have up to 64 rules. However, due to resource restrictions,...
  • Page 356: Setting a Time Range

    Chapter: Security Measures, Access Control Lists. Setting a Time Range: Use the Security > ACL (Configure Time Range) page to set a time range during which ACL functions are applied. CLI References: ◆ "Time Range" on page 773. Command Usage: If both an absolute rule and one or more periodic rules are configured for the same time range (i.e., named entry), that entry will only take effect if...
  • Page 357 | Chapter: Security Measures, Access Control Lists. Figure 186: Setting the Name of a Time Range. To show a list of time ranges: Click Security, ACL. Select Configure Time Range from the Step list. Select Show from the Action list. Figure 187: Showing a List of Time Ranges. To configure a rule for a time range: Click Security, ACL.
  • Page 358: Showing TCAM Utilization

    Chapter: Security Measures, Access Control Lists. Figure 188: Add a Rule to a Time Range. To show the rules configured for a time range: Click Security, ACL. Select Configure Time Range from the Step list. Select Show Rule from the Action list. Figure 189: Showing the Rules Configured for a Time Range. Use the Security >...
  • Page 359: Setting the ACL Name and Type

    Chapter: Security Measures, Access Control Lists. ...Source Guard filter rules, Quality of Service (QoS) processes, QinQ, MAC-based VLANs, or traps. For example, when binding an ACL to a port, each rule in an ACL will use two PCEs; and when setting an IP Source Guard filter rule for a port, the system will also use two PCEs.
  • Page 360 | Chapter: Security Measures, Access Control Lists. Parameters: These parameters are displayed: ◆ ACL Name – Name of the ACL. (Maximum length: 32 characters) ◆ Type – The following filter modes are supported: ■ IP Standard: IPv4 ACL mode filters packets based on the source...
  • Page 361: Configuring a Standard IPv4 ACL

    Chapter: Security Measures, Access Control Lists. To show a list of ACLs: Click Security, ACL. Select Configure ACL from the Step list. Select Show from the Action list. Figure 192: Showing a List of ACLs. Configuring a Standard IPv4 ACL: Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL.
  • Page 362: Configuring An Extended Ipv4 Acl

    | Security Measures HAPTER Access Control Lists NTERFACE To add rules to an IPv4 Standard ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select IP Standard from the Type list. Select the name of an ACL from the Name list.
  • Page 363 | Security Measures HAPTER Access Control Lists ARAMETERS These parameters are displayed: Type – Selects the type of ACLs to show in the Name list. ◆ Name – Shows the names of ACLs matching the selected type. ◆ Action – An ACL can contain any combination of permit or deny rules. ◆...
  • Page 364 | Security Measures HAPTER Access Control Lists For example, use the code value and mask below to catch packets with the following flags set: SYN flag valid, use control-code 2, control bit mask 2 ■ Both SYN and ACK valid, use control-code 18, control bit mask 18 ■...
  • Page 365: Configuring a Standard IPv6 ACL

    Figure 194: Configuring an Extended IPv4 ACL. CONFIGURING A STANDARD IPv6 ACL: Use the Security > ACL (Configure ACL - Add Rule - IPv6 Standard) page to configure a Standard IPv6 ACL. CLI REFERENCES: "permit, deny (Standard IPv6 ACL)"...
  • Page 366: ◆ Time Range – Name of a time range. WEB INTERFACE: To add rules to a Standard IPv6 ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select IPv6 Standard from the Type list.
  • Page 367: Configuring an Extended IPv6 ACL

    CONFIGURING AN EXTENDED IPv6 ACL: Use the Security > ACL (Configure ACL - Add Rule - IPv6 Extended) page to configure an Extended IPv6 ACL. CLI REFERENCES: ◆ "permit, deny (Extended IPv6 ACL)" on page 966...
  • Page 368: WEB INTERFACE: To add rules to an Extended IPv6 ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select IPv6 Extended from the Type list. Select the name of an ACL from the Name list.
  • Page 369: Configuring a MAC ACL

    CONFIGURING A MAC ACL: Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type. CLI REFERENCES: "permit, deny (MAC ACL)"...
  • Page 370: WEB INTERFACE: To add rules to a MAC ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select MAC from the Type list. Select the name of an ACL from the Name list. Specify the action (i.e., Permit or Deny).
  • Page 371: Configuring an ARP ACL

    CONFIGURING AN ARP ACL: Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see "Configuring Global Settings for ARP Inspection"...
  • Page 372: WEB INTERFACE: To add rules to an ARP ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select ARP from the Type list. Select the name of an ACL from the Name list. Specify the action (i.e., Permit or Deny).
  • Page 373: Binding a Port to an Access Control List

    BINDING A PORT TO AN ACCESS CONTROL LIST: After configuring ACLs, use the Security > ACL (Configure Interface – Configure) page to bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list and one MAC access list to any port.
  • Page 374: Configuring ACL Mirroring

    Figure 199: Binding a Port to an ACL. CONFIGURING ACL MIRRORING: After configuring ACLs, use the Security > ACL (Configure Interface – Add Mirror) page to mirror traffic matching an ACL from one or more source ports to a target port for real-time analysis.
  • Page 375: Select Add Mirror from the Action list. Select a port. Select the name of an ACL from the ACL list. Click Apply. Figure 200: Configuring ACL Mirroring. To show the ACLs to be mirrored: Select Configure Interface from the Step list.
  • Page 376: Showing ACL Hardware Counters

    SHOWING ACL HARDWARE COUNTERS: Use the Security > ACL > Configure Interface (Show Hardware Counters) page to show statistics for ACL hardware counters. CLI REFERENCES: ◆ "show access-list" on page 980 ◆ "clear access-list hardware counters"...
  • Page 377: ARP Inspection

    Figure 202: Showing ACL Statistics. ARP INSPECTION: ARP Inspection is a security feature that validates the MAC address bindings for Address Resolution Protocol packets. It provides protection against ARP traffic with invalid MAC-to-IP address bindings, which forms the basis for certain “man-in-the-middle”...
  • Page 378: Configuring Global Settings for ARP Inspection

    ■ When ARP Inspection is disabled, all ARP request and reply packets will bypass the ARP Inspection engine and their switching behavior will match that of all other packets. ■ Disabling and then re-enabling global ARP Inspection will not affect...
  • Page 379: ARP Inspection Logging: ◆ By default, logging is active for ARP Inspection, and cannot be disabled. ◆ The administrator can configure the log facility rate. ◆ When the switch drops a packet, it places an entry in the log buffer,...
  • Page 380: Configuring VLAN Settings for ARP Inspection

    WEB INTERFACE: To configure global settings for ARP Inspection: Click Security, ARP Inspection. Select Configure General from the Step list. Enable ARP inspection globally, enable any of the address validation options, and adjust any of the logging parameters if required. Click Apply.
  • Page 381: ◆ If Static is not specified, ARP packets are first validated against the selected ACL; if no ACL rules match the packets, then the DHCP snooping bindings database determines their validity. PARAMETERS: These parameters are displayed: ARP Inspection VLAN ID –...
  • Page 382: Configuring Interface Settings for ARP Inspection

    CONFIGURING INTERFACE SETTINGS FOR ARP INSPECTION: Use the Security > ARP Inspection (Configure Interface) page to specify the ports that require ARP inspection, and to adjust the packet inspection rate. CLI REFERENCES: ◆ "ARP Inspection" on page 938...
  • Page 383: Displaying ARP Inspection Statistics

    Figure 205: Configuring Interface Settings for ARP Inspection. DISPLAYING ARP INSPECTION STATISTICS: Use the Security > ARP Inspection (Show Information - Show Statistics) page to display statistics about the number of ARP packets processed, or dropped for various reasons.
  • Page 384: Displaying the ARP Inspection Log

    WEB INTERFACE: To display statistics for ARP Inspection: Click Security, ARP Inspection. Select Show Information from the Step list. Select Show Statistics from the Action list. Figure 206: Displaying Statistics for ARP Inspection. DISPLAYING THE ARP INSPECTION LOG: Use the Security > ARP Inspection (Show Information - Show Log) page to show information about entries stored in the log, including the associated...
  • Page 385: Filtering IP Addresses for Management Access

    WEB INTERFACE: To display the ARP Inspection log: Click Security, ARP Inspection. Select Show Information from the Step list. Select Show Log from the Action list. Figure 207: Displaying the ARP Inspection Log. FILTERING IP ADDRESSES FOR MANAGEMENT ACCESS...
  • Page 386: ◆ You can delete an address range just by specifying the start address, or by specifying both the start address and end address. PARAMETERS: These parameters are displayed: ◆ Mode: Web –...
  • Page 387: Configuring Port Security

    To show a list of IP addresses authorized for management access: Click Security, IP Filter. Select Show from the Action list. Figure 209: Showing IP Addresses Authorized for Management Access. CONFIGURING PORT SECURITY: Use the Security > Port Security page to configure the maximum number of device MAC addresses that can be learned by a switch port, stored in the address table, and authorized to access the network.
  • Page 388: ◆ When the port security state is changed from enabled to disabled, all dynamically learned entries are cleared from the address table. ◆ If port security is enabled, and the maximum number of allowed...
  • Page 389: Configuring 802.1X Port Authentication

    The maximum address count is effective when port security is enabled or disabled. ◆ Current MAC Count – The number of MAC addresses currently associated with this interface. ◆ MAC Filter – Shows if MAC address filtering has been set under...
  • Page 390: ...ports in a network can be centrally controlled from a server, which means that authorized users can use the same credentials for authentication from any point within the network. This switch uses the Extensible Authentication Protocol over LANs (EAPOL) to exchange authentication protocol messages with the client, and a remote RADIUS authentication server to verify user identity and access rights.
  • Page 391: Configuring 802.1X Global Settings

    ◆ Each client that needs to be authenticated must have dot1X client software installed and properly configured. ◆ The RADIUS server and 802.1X client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.) ◆ The RADIUS server and client also have to support the same EAP...
  • Page 392: Configuring Port Authenticator Settings for 802.1X

    ◆ Identity Profile Password – The dot1x supplicant password used to identify this switch as a supplicant when responding to an MD5 challenge from the authenticator. (Range: 1-8 characters) ◆ Confirm Profile Password – This field is used to confirm the dot1x...
  • Page 393: COMMAND USAGE: ◆ When the switch functions as a local authenticator between supplicant devices attached to the switch and the authentication server, configure the parameters for the exchange of EAP messages between the authenticator and clients on the Authenticator configuration page.
  • Page 394: In this mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access. Similarly, a port can become unauthorized for all hosts if one attached host fails re-authentication or sends an EAPOL logoff message.
  • Page 395: ◆ Re-authentication Period – Sets the time period after which a connected client must be re-authenticated. (Range: 1-65535 seconds; Default: 3600 seconds) ◆ Re-authentication Max Retries – The maximum number of times the...
  • Page 396: Configuring Port Supplicant Settings for 802.1X

    WEB INTERFACE: To configure port authenticator settings for 802.1X: Click Security, Port Authentication. Select Configure Interface from the Step list. Click Authenticator. Modify the authentication settings for each port as required. Click Apply. Figure 213: Configuring Interface Settings for 802.1X Port Authenticator. Use the Security >...
  • Page 397: COMMAND USAGE: ◆ When devices attached to a port must submit requests to another authenticator on the network, configure the Identity Profile parameters on the Configure Global page (see "Configuring 802.1X Global Settings" on page 391) which identify this switch as a supplicant, and configure the supplicant parameters for those ports which must authenticate...
  • Page 398: Displaying 802.1X Statistics

    WEB INTERFACE: To configure port supplicant settings for 802.1X: Click Security, Port Authentication. Select Configure Interface from the Step list. Click Supplicant. Modify the supplicant settings for each port as required. Click Apply. Figure 214: Configuring Interface Settings for 802.1X Port Supplicant. Use the Security >...
  • Page 399: Table 23: 802.1X Statistics (Continued). Parameter – Description: Rx EAPOL Total – The number of valid EAPOL frames of any type that have been received by this Authenticator. Rx Last EAPOLVer – The protocol version number carried in the most recent EAPOL frame received by this Authenticator.
  • Page 400: WEB INTERFACE: To display port authenticator statistics for 802.1X: Click Security, Port Authentication. Select Show Statistics from the Step list. Click Authenticator. Figure 215: Showing Statistics for 802.1X Port Authenticator.
  • Page 401: DoS Protection

    To display port supplicant statistics for 802.1X: Click Security, Port Authentication. Select Show Statistics from the Step list. Click Supplicant. Figure 216: Showing Statistics for 802.1X Port Supplicant. DoS PROTECTION: Use the Security > DoS Protection page to protect against denial-of-service (DoS) attacks.
  • Page 402: ◆ Echo/Chargen Attack Rate – Maximum allowed rate. (Range: 64-2000 kbits/second; Default: 1000 kbits/second) ◆ Smurf Attack – Attacks in which a perpetrator generates a large amount of spoofed ICMP Echo Request traffic to the broadcast destination IP address (255.255.255.255), all of which uses a spoofed source address of the intended victim.
  • Page 403: ...URG flag to the target computer on TCP port 139 (NetBIOS), causing it to lock up and display a “Blue Screen of Death.” This did not cause any damage to, or change data on, the computer’s hard disk, but any unsaved data would be lost.
  • Page 404: IPv4 Source Guard

    IPv4 SOURCE GUARD: IPv4 Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "DHCP Snooping"...
  • Page 405: ■ If DHCP snooping is enabled, IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the SIP-MAC option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, or dynamic DHCP snooping binding, the packet will be forwarded.
  • Page 406: Configuring Static Bindings for IPv4 Source Guard

    WEB INTERFACE: To set the IP Source Guard filter for ports: Click Security, IP Source Guard, Port Configuration. Set the required filtering type for each port. Click Apply. Figure 218: Setting the Filter Type for IPv4 Source Guard. Use the Security >...
  • Page 407: PARAMETERS: These parameters are displayed: ◆ Port – The port to which a static entry is bound. ◆ VLAN – ID of a configured VLAN (Range: 1-4094) ◆ MAC Address – A valid unicast MAC address. ◆ IP Address –...
  • Page 408: Displaying Information for Dynamic IPv4 Source Guard Bindings

    To display static bindings for IP Source Guard: Click Security, IP Source Guard, Static Binding. Select Show from the Action list. Figure 220: Displaying Static Bindings for IPv4 Source Guard. DISPLAYING INFORMATION FOR DYNAMIC IPv4 SOURCE GUARD BINDINGS: Use the Security > IP Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface.
  • Page 409: IPv6 Source Guard

    WEB INTERFACE: To display the binding table for IP Source Guard: Click Security, IP Source Guard, Dynamic Binding. Mark the search criteria, and enter the required values. Click Query. Figure 221: Showing the IPv4 Source Guard Binding Table. IPv6 SOURCE GUARD: IPv6 Source Guard is a security feature that filters IPv6 traffic on non-...
  • Page 410: COMMAND USAGE: ◆ Setting source guard mode to SIP (Source IP) enables this function on the selected port. Use the SIP option to check the VLAN ID, IPv6 global unicast source IP address, and port number against all entries in the binding table.
  • Page 411: ◆ Filter Type – Configures the switch to filter inbound traffic based on the following options. (Default: Disabled) ■ Disabled – Disables IPv6 source guard filtering on the port. ■ SIP – Enables traffic filtering based on IPv6 global unicast source...
  • Page 412: Configuring Static Bindings for IPv6 Source Guard

    CONFIGURING STATIC BINDINGS FOR IPv6 SOURCE GUARD: Use the Security > IPv6 Source Guard > Static Configuration page to bind a static address to a port. Table entries include a MAC address, IPv6 global unicast address, entry type (Static-IPv6-SG-Binding, Dynamic-ND-Binding, Dynamic-DHCPv6-Binding), VLAN identifier, and port identifier.
  • Page 413: Show: ◆ VLAN – VLAN to which this entry is bound. ◆ MAC Address – Physical address associated with the entry. ◆ Interface – The port to which this entry is bound. ◆ IPv6 Address – IPv6 address corresponding to the client...
  • Page 414: Displaying Information for Dynamic IPv6 Source Guard Bindings

    To display static bindings for IPv6 Source Guard: Click Security, IPv6 Source Guard, Static Configuration. Select Show from the Action list. Figure 224: Displaying Static Bindings for IPv6 Source Guard. DISPLAYING INFORMATION FOR DYNAMIC IPv6 SOURCE GUARD BINDINGS: Use the Security > IPv6 Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface.
  • Page 415: DHCP Snooping

    WEB INTERFACE: To display the binding table for IPv6 Source Guard: Click Security, IPv6 Source Guard, Dynamic Binding. Mark the search criteria, and enter the required values. Click Query. Figure 225: Showing the IPv6 Source Guard Binding Table. DHCP SNOOPING: The addresses assigned to DHCP clients on insecure ports can be carefully...
  • Page 416: ◆ The rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second. Any DHCP packets in excess of this limit are dropped. ◆ When DHCP snooping is enabled, DHCP messages entering an...
  • Page 417: ...DHCP server, any packets received from untrusted ports are dropped. DHCP Snooping Option 82: ◆ DHCP provides a relay mechanism for sending information about its DHCP clients or the relay agent itself to the DHCP server. Also known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
  • Page 418: DHCP Snooping Configuration

    DHCP SNOOPING CONFIGURATION: Use the IP Service > DHCP > Snooping (Configure Global) page to enable DHCP Snooping globally on the switch, or to configure MAC Address Verification. CLI REFERENCES: ◆ "DHCPv4 Snooping" on page 905...
  • Page 419: DHCP Snooping VLAN Configuration

    ■ Replace – Replaces the Option 82 information circuit-id and remote-id fields in the client’s request with information about the relay agent itself, inserts the relay agent’s address (when DHCP snooping is enabled), and forwards the packets to trusted ports. (This is the default policy.) WEB INTERFACE: To configure global settings for DHCP Snooping:...
  • Page 420: Configuring Ports for DHCP Snooping

    ◆ When DHCP snooping is globally enabled, and DHCP snooping is then disabled on a VLAN, all dynamic bindings learned for this VLAN are removed from the binding table. PARAMETERS: These parameters are displayed: VLAN –...
  • Page 421: ◆ When an untrusted port is changed to a trusted port, all the dynamic DHCP snooping bindings associated with this port are removed. ◆ Set all ports connected to DHCP servers within the local network or fire...
  • Page 422: Displaying DHCP Snooping Binding Information

    DISPLAYING DHCP SNOOPING BINDING INFORMATION: Use the IP Service > DHCP > Snooping (Show Information) page to display entries in the binding table. CLI REFERENCES: ◆ "show ip dhcp snooping binding" on page 916...
  • Page 423: Figure 229: Displaying the Binding Table for DHCP Snooping
  • Page 424
  • Page 425: Basic Administration Protocols

    BASIC ADMINISTRATION PROTOCOLS: This chapter describes basic administration tasks including: ◆ Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
  • Page 426: Configuring Event Logging

    CONFIGURING EVENT LOGGING: The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displays a list of recent event messages. Use the Administration >...
  • Page 427: Table 24: Logging Levels (Continued). Level – Severity Name – Description: Alert – Immediate action needed; Emergency – System unusable. * There are only Level 2, 5 and 6 error messages for the current firmware release. RAM Level –...
  • Page 428: Remote Log Configuration

    To show the error messages logged to system or flash memory: Click Administration, Log, System. Select Show System Logs from the Step list. Click RAM to display log messages stored in system memory, or Flash to display messages stored in flash memory.
  • Page 429: Sending Simple Mail Transfer Protocol Alerts

    ...the switch. However, it may be used by the syslog server to process messages, such as sorting or storing messages in the corresponding database. (Range: 16-23, Default: 23) ◆ Logging Trap Level – Limits log messages that are sent to the remote...
  • Page 430: PARAMETERS: These parameters are displayed: ◆ SMTP Status – Enables/disables the SMTP function. (Default: Enabled) ◆ Severity – Sets the syslog severity threshold level (see table on page 426) used to trigger alert messages. All events at this level or higher will be sent to the configured email recipients.
  • Page 431: Link Layer Discovery Protocol

    Figure 233: Configuring SMTP Alert Messages. LINK LAYER DISCOVERY PROTOCOL: Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device.
  • Page 432: PARAMETERS: These parameters are displayed: ◆ LLDP – Enables LLDP globally on the switch. (Default: Enabled) ◆ Transmission Interval – Configures the periodic transmit interval for LLDP advertisements. (Range: 5-32768 seconds; Default: 30 seconds) ◆ Hold Time Multiplier –...
  • Page 433: Configuring LLDP Interface Attributes

    The MED Fast Start Count parameter is part of the timer which ensures that the LLDP-MED Fast Start mechanism is active for the port. LLDP-MED Fast Start is critical to the timely startup of LLDP, and therefore integral to the rapid availability of Emergency Call Service.
  • Page 434: This option sends out SNMP trap notifications to designated target stations at the interval specified by the Notification Interval in the preceding section. Trap notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), the LLDP-MED MIB (ANSI/TIA-1057), or vendor-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.
  • Page 435: ■ System Description – The system description is taken from the sysDescr object in RFC 3418, which includes the full name and version identification of the system's hardware type, software operating system, and networking software. ■ System Name –...
  • Page 436: ■ Network Policy – This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port. Improper network policy configurations frequently result in voice quality degradation or complete service disruption.
  • Page 437: Configuring LLDP Interface Civic-Address

    Figure 235: Configuring LLDP Interface Attributes. CONFIGURING LLDP INTERFACE CIVIC-ADDRESS: Use the Administration > LLDP (Configure Interface – Add CA-Type) page to specify the physical location of the device attached to an interface.
  • Page 438: Table 25: LLDP MED Location CA Types (Continued). CA Type – Description – CA Value Example: Street suffix or type – Avenue; House number; House number suffix; Landmark or vanity address – Tech Center; Unit (apartment, suite) – Apt 519; Floor; Room...
  • Page 439: Table 26: Chassis ID Subtype

    DISPLAYING LLDP LOCAL DEVICE INFORMATION: Use the Administration > LLDP (Show Local Device Information) page to display information about the switch, such as its MAC address, chassis ID, management IP address, and port information. CLI REFERENCES:...
  • Page 440: Table 28: Port ID Subtype

    Table 27: System Capabilities (Continued). ID Basis – Reference: WLAN Access Point – IEEE 802.11 MIB; Router – IETF RFC 1812; Telephone – IETF RFC 2011; DOCSIS cable device – IETF RFC 2669 and IETF RFC 2670; End Station Only – IETF RFC 2011. ◆...
  • Page 441: ◆ Port/Trunk ID – A string that contains the specific identifier for the local interface based on interface subtype used by this switch. ◆ Port/Trunk Description – A string that indicates the port or trunk...
  • Page 442: Figure 238: Displaying Local Device Information for LLDP (Port). Figure 239: Displaying Local Device Information for LLDP (Port Details). DISPLAYING LLDP REMOTE DEVICE INFORMATION: Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch’s ports...
  • Page 443: ◆ System Name – A string that indicates the system’s administratively assigned name. Port Details: ◆ Port – Port identifier on local switch. ◆ Remote Index – Index of remote device attached to this port...
  • Page 444: Table 29: Remote Port Auto-Negotiation Advertised Capability

    ◆ Remote Port-Protocol VLAN List – The port-based protocol VLANs configured on this interface, whether the given port (associated with the remote system) supports port-based protocol VLANs, and whether the port-based protocol VLANs are enabled on the given port associated with the remote system.
  • Page 445: ...integer value derived from the list position of the corresponding dot3MauType as listed in IETF RFC 3636 and is equal to the last number in the respective dot3MauType OID. Port Details – 802.3 Extension Power Information: Remote Power Class –...
  • Page 446: ■ Class 2 – Endpoint devices that support media stream capabilities. ■ Class 3 – Endpoint devices that directly support end users of the IP communication systems. ■ Network Connectivity Device – Devices that provide access to the...
  • Page 447: ◆ Unknown Policy Flag – Indicates that an endpoint device wants to explicitly advertise that this policy is required by the device, but is currently unknown. ◆ VLAN ID – The VLAN identifier (VID) for the port as defined in IEEE...
  • Page 448: ◆ Serial Number – The serial number of the end-point device. ◆ Model Name – The model name of the end-point device. WEB INTERFACE: To display LLDP information for a remote port: Click Administration, LLDP.
  • Page 449: Figure 241: Displaying Remote Device Information for LLDP (Port Details)
  • Page 450: Additional information displayed by an end-point device which advertises LLDP-MED TLVs is shown in the following figure. Figure 242: Displaying Remote Device Information for LLDP (End Node). DISPLAYING DEVICE STATISTICS: Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP...
  • Page 451: ◆ Neighbor Entries Age-out Count – The number of times that a neighbor’s information has been deleted from the LLDP remote systems MIB because the remote TTL timer has expired. ◆ Port/Trunk Frames Discarded –...
  • Page 452 | Basic Administration Protocols HAPTER Power over Ethernet Figure 244: Displaying LLDP Device Statistics (Port) OWER OVER THERNET This switch supports IEEE 802.3af-2003 and IEEE 802.3at-2009 Power over Ethernet (PoE) specifications. Ports 1~10 support the IEEE 802.3at- 2009 PoE Powered Device (PD) specification that enables DC power to be supplied to the switch using wires in the connecting Ethernet cable.
  • Page 453 | Basic Administration Protocols HAPTER Simple Network Management Protocol NTERFACE To check for power supplied from PSE on Ports 1-10: Click Administration, PoE, PD. Select Configure from the Action list. Enable or disable the PSE check as required. Click Apply. Figure 245: Configuring the PSE Check To show the power source status for all ports Click Administration, PoE, PD.
  • Page 454: Table 30: SNMPv3 Security Models and Levels | Chapter: Basic Administration Protocols / Simple Network Management Protocol: Managed devices supporting SNMP contain software, which runs locally on the device and is referred to as an agent. A defined set of variables, known as managed objects, is maintained by the SNMP agent and used to manage the device.
  • Page 455 | Chapter: Basic Administration Protocols / Simple Network Management Protocol: The predefined default groups and view can be deleted from the system. You can then define customized groups and views for the SNMP clients that require access. Command Usage: Configuring SNMPv1/2c Management Access: To configure SNMPv1 or v2c management access to the switch, follow these steps: Use the Administration >...
  • Page 456 | Chapter: Basic Administration Protocols / Simple Network Management Protocol: Configuring Global Settings for SNMP: Use the Administration > SNMP (Configure Global) page to enable SNMP service for all management clients (i.e., versions 1, 2c, 3), and to enable SNMP trap messages. CLI References: "snmp-server"...
  • Page 457 | Chapter: Basic Administration Protocols / Simple Network Management Protocol: Setting the Local Engine ID: Use the Administration > SNMP (Configure Engine - Set Engine ID) page to change the local engine ID. An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection. Note that SNMPv3 localizes each user's authentication and privacy keys with the engine ID (RFC 3414), so changing the local engine ID invalidates the keys of existing SNMPv3 users, which then have to be reconfigured.
  • Page 458 | Chapter: Basic Administration Protocols / Simple Network Management Protocol: Specifying a Remote Engine ID: Use the Administration > SNMP (Configure Engine - Add Remote Engine) page to configure an engine ID for a remote management station. To allow management access from an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
  • Page 459 | Chapter: Basic Administration Protocols / Simple Network Management Protocol: Web Interface: To configure a remote SNMP engine ID: Click Administration, SNMP. Select Configure Engine from the Step list. Select Add Remote Engine from the Action list. Enter an ID of at least 9 hexadecimal characters, and the IP address of the remote host.
  • Page 460 | Chapter: Basic Administration Protocols / Simple Network Management Protocol: Parameters: These parameters are displayed: Add View: ◆ View Name – The name of the SNMP view. (Range: 1-64 characters) ◆ OID Subtree – Specifies the initial object identifier of a branch within...
  • Page 461 | Chapter: Basic Administration Protocols / Simple Network Management Protocol: To show the SNMP views of the switch's MIB database: Click Administration, SNMP. Select Configure View from the Step list. Select Show View from the Action list. Figure 252: Showing SNMP Views. To add an object identifier to an existing SNMP view of the switch's MIB database: Click Administration, SNMP.
  • Page 462 | Chapter: Basic Administration Protocols / Simple Network Management Protocol: To show the OID branches configured for the SNMP views of the switch's MIB database: Click Administration, SNMP. Select Configure View from the Step list. Select Show OID Subtree from the Action list. Select a view name from the list of existing views.
  • Page 463: Table 31: Supported Notification Messages | Chapter: Basic Administration Protocols / Simple Network Management Protocol: ◆ Read View – The configured view for read access. (Range: 1-32 characters) ◆ Write View – The configured view for write access. (Range: 1-32 characters) ◆ Notify View – The configured view for notifications....
  • Page 464 | Chapter: Basic Administration Protocols / Simple Network Management Protocol: Table 31: Supported Notification Messages (continued; columns: Model, Level, Group). Private Traps: swPowerStatusChangeTrap (1.3.6.1.4.1.259.10.1.25.2.1.0.1) – This trap is sent when the power state changes. swPortSecurityTrap (1.3.6.1.4.1.259.10.1.25.2.1.0.36) – This trap is sent when an intrusion is detected on a port. It is only sent when portSecActionTrap is enabled.
  • Page 465 | Chapter: Basic Administration Protocols / Simple Network Management Protocol: Table 31: Supported Notification Messages (continued; columns: Model, Level, Group). swCpuUtiFallingNotification (1.3.6.1.4.1.259.10.1.25.2.1.0.108) – This notification indicates that the CPU utilization has fallen from cpuUtiRisingThreshold to cpuUtiFallingThreshold. swMemoryUtiRisingThresholdNotification (1.3.6.1.4.1.259.10.1.25.2.1.0.109) – This notification indicates that the memory utilization has risen from memoryUtiFallingThreshold to...
  • Page 466 | Chapter: Basic Administration Protocols / Simple Network Management Protocol: Figure 255: Creating an SNMP Group. To show SNMP groups: Click Administration, SNMP. Select Configure Group from the Step list. Select Show from the Action list. Figure 256: Showing SNMP Groups. Use the Administration >...
  • Page 467 | Chapter: Basic Administration Protocols / Simple Network Management Protocol: Parameters: These parameters are displayed: ◆ Community String – A community string that acts like a password and permits access to the SNMP protocol. (Range: 1-32 characters, case sensitive; Default strings: "public" (Read-Only), "private" (Read/Write)) Both default strings are universally known and are the first thing a scanner tries; replace or delete them before the switch is reachable from any untrusted network, and use SNMPv3 for any write access. ◆ Access Mode –...
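The default community strings above are what an attacker, or an auditor, tries first. The following Python is an added example (it is not code from the Edge-Core manual or from the switch firmware): it builds a raw SNMPv1 GetRequest for sysDescr.0 per RFC 1157 and decodes the reply, so the check can be run without an SNMP library. The probe() helper, the lab host address, and the sample reply bytes (constructed here with the same encoder so that the example runs offline) are assumptions of this example. A v1 agent silently discards a request whose community string it does not accept, so a decoded reply within the timeout is the evidence that the string is still live.

```python
"""SNMPv1 GetRequest encoder/decoder (RFC 1157, BER), used to test whether an
agent still answers to a given community string. Added example; not code from
the Edge-Core manual. Standard library only."""
import socket
from typing import Optional

SNMP_V1 = 0
GET_REQUEST = 0xA0      # context-specific, constructed, tag 0
GET_RESPONSE = 0xA2     # context-specific, constructed, tag 2
SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _encode_int(v: int) -> bytes:
    """INTEGER in minimal two's-complement form."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))


def _encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_message(community: str, pdu_tag: int, request_id: int, oid: str,
                  value: bytes = b"\x05\x00", error_status: int = 0) -> bytes:
    """Message ::= SEQUENCE { version, community, PDU }; value defaults to NULL."""
    varbind = _tlv(0x30, _encode_oid(oid) + value)
    pdu = _tlv(pdu_tag, _encode_int(request_id) + _encode_int(error_status)
               + _encode_int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _encode_int(SNMP_V1) + _tlv(0x04, community.encode()) + pdu)


def build_get_request(community: str, oid: str = SYS_DESCR_0, request_id: int = 1) -> bytes:
    return build_message(community, GET_REQUEST, request_id, oid)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_response(pkt: bytes) -> dict:
    """Decode a GetResponse into community, request id, error status and value."""
    tag, msg, _ = _read_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, p = _read_tlv(msg, 0)
    _, community, p = _read_tlv(msg, p)
    pdu_tag, pdu, _ = _read_tlv(msg, p)
    if pdu_tag != GET_RESPONSE:
        raise ValueError("not a GetResponse PDU")
    _, rid, q = _read_tlv(pdu, 0)
    _, err, q = _read_tlv(pdu, q)
    _, _idx, q = _read_tlv(pdu, q)
    _, vbl, _ = _read_tlv(pdu, q)
    _, vb, _ = _read_tlv(vbl, 0)
    _, _oid, r = _read_tlv(vb, 0)
    vtag, val, _ = _read_tlv(vb, r)
    return {"community": community.decode(),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True),
            "value": val.decode(errors="replace") if vtag == 0x04 else val}


def probe(host: str, community: str, timeout: float = 2.0) -> Optional[dict]:
    """Send one GetRequest to UDP/161. A v1 agent drops requests carrying a
    community it does not accept, so None (timeout) means rejected or filtered."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_get_request(community), (host, 161))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_response(data)


# Constructed sample reply (not a capture): what an agent returns for sysDescr.0
# when the factory-default "public" string is still accepted.
SAMPLE_RESPONSE = build_message("public", GET_RESPONSE, 1, SYS_DESCR_0,
                                value=_tlv(0x04, b"ECS3510-10PD"))

if __name__ == "__main__":
    for name in ("public", "private"):          # the two factory defaults
        print(name, probe("192.0.2.10", name))  # assumed lab address
```

The encoded request for "public" is the same 40-byte packet that snmpget emits, so it can be compared against a capture; the only tuning a practitioner needs is the timeout, which should exceed the round trip across any rate limiter on the management path.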
  • Page 468 | Chapter: Basic Administration Protocols / Simple Network Management Protocol: Figure 258: Showing Community Access Strings. Configuring Local SNMPv3 Users: Use the Administration > SNMP (Configure User - Add SNMPv3 Local User) page to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch.
  • Page 469 | Chapter: Basic Administration Protocols / Simple Network Management Protocol: ◆ Privacy Protocol – The encryption algorithm used for data privacy; only 56-bit DES is currently available. Note that 56-bit DES can be brute-forced with modest resources, so the privacy layer on this switch protects against casual observation only; keep SNMP traffic on a dedicated management network. ◆ Privacy Password – A minimum of eight plain-text characters is required. Web Interface: To configure a local SNMPv3 user: Click Administration, SNMP.
  • Page 470 | Chapter: Basic Administration Protocols / Simple Network Management Protocol: Figure 260: Showing Local SNMPv3 Users. Configuring Remote SNMPv3 Users: Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from the local switch.
  • Page 471 | Chapter: Basic Administration Protocols / Simple Network Management Protocol: ■ AuthPriv – SNMP communications use both authentication and encryption. ◆ Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) Prefer SHA over the MD5 default where the management station supports it. ◆ Authentication Password – A minimum of eight plain-text characters...
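Why the remote engine ID has to be entered before a remote user can work, and why the passwords above are never used directly: SNMPv3 turns each password into a key and then localizes that key with the ID of the authoritative engine (RFC 3414, sections 2.6 and A.2). The following Python is an added example, not the switch's implementation; it reproduces that derivation and checks it against the RFC 3414 Appendix A test vector (password "maplesyrup", engine ID 00…02). The function names and the second, made-up engine ID used to show that the same password gives a different localized key on another engine are this example's own assumptions.

```python
"""RFC 3414 password-to-key and key localization for SNMPv3 (USM).
Added example; not code from the Edge-Core manual or firmware."""
import hashlib

ONE_MIB = 1024 * 1024

# RFC 3414 Appendix A test vector
RFC3414_PASSWORD = "maplesyrup"
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_key(password: str, algo: str = "md5") -> bytes:
    """Ku = H(password repeated cyclically to exactly 1,048,576 bytes).
    The 1 MiB stretch is the only work factor USM puts between a captured
    packet and an offline dictionary attack, so short passwords stay weak."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    stretched = (pw * (ONE_MIB // len(pw) + 1))[:ONE_MIB]
    return hashlib.new(algo, stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). This binds the key to one engine,
    which is why the engine ID of the remote (authoritative) agent must be
    known before a remote user can be created, and why changing an engine ID
    invalidates every key that was localized with it."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def derive_user_keys(auth_password: str, priv_password: str,
                     engine_id_hex: str, algo: str = "md5") -> dict:
    """Keys a USM user ends up with on one engine. The privacy key is
    localized with the authentication hash; CBC-DES (the only privacy
    protocol this switch offers) takes its first 8 octets as the DES key and
    the next 8 as the pre-IV (RFC 3414 section 8.1.1.1)."""
    engine_id = bytes.fromhex(engine_id_hex)
    auth_kul = localize_key(password_to_key(auth_password, algo), engine_id, algo)
    priv_kul = localize_key(password_to_key(priv_password, algo), engine_id, algo)
    return {"auth_key": auth_kul,
            "des_key": priv_kul[:8],
            "des_pre_iv": priv_kul[8:16]}


if __name__ == "__main__":
    kul = localize_key(password_to_key(RFC3414_PASSWORD), RFC3414_ENGINE_ID)
    print("MD5 localized key:", kul.hex())
    # Same password on two engines: the localized keys differ, so a key taken
    # from one agent does not authenticate against another. The second engine
    # ID below is an assumed value, not a real device.
    for eid in ("000000000000000000000002", "80001f8880e9bd0a1234567890"):
        keys = derive_user_keys("maplesyrup", "maplesyrup", eid, "sha1")
        print(eid, keys["auth_key"].hex())
```

The "sha1" name is what the switch calls SHA. Because the derivation is deterministic and cheap (one hash over 1 MiB), anyone holding a captured authenticated packet and the engine ID can test candidate passwords offline at high speed; that, rather than the HMAC itself, is the reason to use long, random passwords for SNMPv3 users.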
  • Page 472 | Chapter: Basic Administration Protocols / Simple Network Management Protocol: Figure 261: Configuring Remote SNMPv3 Users. To show remote SNMPv3 users: Click Administration, SNMP. Select Configure User from the Step list. Select Show SNMPv3 Remote User from the Action list. Figure 262: Showing Remote SNMPv3 Users
  • Page 473 | Chapter: Basic Administration Protocols / Simple Network Management Protocol: Specifying Trap Managers: Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management software).
  • Page 474 | Chapter: Basic Administration Protocols / Simple Network Management Protocol: Parameters: These parameters are displayed: SNMP Version 1: ◆ IP Address – IPv4 or IPv6 address of a new management station to receive notification messages (i.e., the targeted recipient). ◆ Version – Specifies whether to send notifications as SNMP v1, v2c, or...
  • Page 475 | Chapter: Basic Administration Protocols / Simple Network Management Protocol: SNMP Version 3: ◆ IP Address – IPv4 or IPv6 address of a new management station to receive notification messages (i.e., the targeted recipient). ◆ Version – Specifies whether to send notifications as SNMP v1, v2c, or...
  • Page 476 | Chapter: Basic Administration Protocols / Simple Network Management Protocol: Web Interface: To configure trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Add from the Action list. Fill in the required parameters based on the selected SNMP version. Click Apply. Figure 263: Configuring Trap Managers (SNMPv1). Figure 264: Configuring Trap Managers (SNMPv2c)
  • Page 477 | Chapter: Basic Administration Protocols / Simple Network Management Protocol: Figure 265: Configuring Trap Managers (SNMPv3). To show configured trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Show from the Action list. Figure 266: Showing Trap Managers. Use the Administration >...
  • Page 478 | Chapter: Basic Administration Protocols / Simple Network Management Protocol: The Notification Log MIB (NLM, RFC 3014) provides an infrastructure in which information from other MIBs may be logged. ◆ Given the service provided by the NLM, individual MIBs can now bear...
  • Page 479 | Chapter: Basic Administration Protocols / Simple Network Management Protocol: Click Apply. Figure 267: Creating SNMP Notification Logs. To show configured SNMP notification logs: Click Administration, SNMP. Select Configure Notify Filter from the Step list. Select Show from the Action list. Figure 268: Showing SNMP Notification Logs. Use the Administration >...
  • Page 480 | Chapter: Basic Administration Protocols / Simple Network Management Protocol: ◆ Illegal operation for community name supplied – The total number of SNMP messages delivered to the SNMP entity which represented an SNMP operation that was not allowed by the SNMP community named in the message. A steadily rising value here, or in the unknown-community-name counter on the same page, is a practical indicator of community-string guessing and is worth alerting on.
  • Page 481 | Chapter: Basic Administration Protocols / Remote Monitoring: Web Interface: To show SNMP statistics: Click Administration, SNMP. Select Show Statistics from the Step list. Figure 269: Showing SNMP Statistics. Remote Monitoring: Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic.
  • Page 482 | Chapter: Basic Administration Protocols / Remote Monitoring: Configuring RMON Alarms: Use the Administration > RMON (Configure Global - Add - Alarm) page to define specific criteria that will generate response events. Alarms can be set to test data over any specified time interval, and can monitor absolute or changing values (such as a statistical counter reaching a specific value, or a statistic changing by a certain amount over the set interval).
  • Page 483 | Chapter: Basic Administration Protocols / Remote Monitoring: ◆ Falling Threshold – If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold.
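The rising/falling rule above is a hysteresis state machine, and its details matter when an alarm is used as a detection control, for example on a port's error or discard counters or on the CPU utilization the switch exports. The following Python is an added example, not part of the manual or of the switch: it models the RFC 2819 alarm evaluation the page describes, covering both absolute and delta sample types and the startup-alarm rule, and runs it over constructed sample series. The class and function names and the sample values are this example's own assumptions.

```python
"""Model of RMON alarm evaluation (RFC 2819 alarmTable semantics) as described
for the Rising/Falling Threshold parameters. Added example; not switch code."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RmonAlarm:
    rising: int
    falling: int
    sample_type: str = "absolute"          # "absolute" or "delta"
    startup: str = "risingOrFalling"       # "rising", "falling" or "risingOrFalling"
    _prev_raw: Optional[int] = field(default=None, repr=False)
    _last_value: Optional[int] = field(default=None, repr=False)
    _last_event: Optional[str] = field(default=None, repr=False)

    def __post_init__(self):
        if self.rising <= self.falling:
            raise ValueError("rising threshold must exceed falling threshold")

    def feed(self, raw: int) -> Optional[str]:
        """Evaluate one sample; return "rising", "falling" or None."""
        if self.sample_type == "delta":
            if self._prev_raw is None:     # the first raw sample only primes the delta
                self._prev_raw = raw
                return None
            value, self._prev_raw = raw - self._prev_raw, raw
        else:
            value = raw

        event = None
        if self._last_value is None:
            # First comparable sample: governed by the startup-alarm setting.
            if value >= self.rising and self.startup in ("rising", "risingOrFalling"):
                event = "rising"
            elif value <= self.falling and self.startup in ("falling", "risingOrFalling"):
                event = "falling"
        else:
            # A rising event needs an upward crossing AND no rising event since the
            # last falling one; the mirror rule applies to falling. This is the
            # hysteresis that stops a value hovering around one threshold from
            # raising an event on every sample.
            if (value >= self.rising and self._last_value < self.rising
                    and self._last_event != "rising"):
                event = "rising"
            elif (value <= self.falling and self._last_value > self.falling
                    and self._last_event != "falling"):
                event = "falling"

        if event is not None:
            self._last_event = event
        self._last_value = value
        return event


def run_alarm(alarm: RmonAlarm, samples: List[int]) -> List[Tuple[int, str]]:
    """Feed a series; return (sample index, event) for every event raised."""
    events = []
    for i, s in enumerate(samples):
        ev = alarm.feed(s)
        if ev is not None:
            events.append((i, ev))
    return events


# Constructed series (not measurements): a gauge such as CPU utilization in percent.
CPU_SAMPLES = [10, 50, 85, 90, 60, 15, 30, 10, 95, 10]
# Constructed series: a monotonically increasing counter such as ifInErrors,
# watched with delta sampling so the alarm sees errors per interval.
ERROR_COUNTER = [1000, 1000, 1000, 1500, 1600, 1650]

if __name__ == "__main__":
    print(run_alarm(RmonAlarm(rising=70, falling=20), CPU_SAMPLES))
    print(run_alarm(RmonAlarm(rising=300, falling=50, sample_type="delta",
                              startup="rising"), ERROR_COUNTER))
```

In the CPU series the dip to 10 at index 7 raises nothing even though it crosses the falling threshold again, because no rising event occurred since the falling event at index 5; that is the behaviour the manual's Falling Threshold text describes. For a counter, delta sampling is the right choice, since an absolute threshold on an ever-increasing counter fires once and never again.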
  • Page 484 | Chapter: Basic Administration Protocols / Remote Monitoring: To show configured RMON alarms: Click Administration, RMON. Select Configure Global from the Step list. Select Show from the Action list. Click Alarm. Figure 271: Showing Configured RMON Alarms. Configuring RMON Events: Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered.
  • Page 485 | Chapter: Basic Administration Protocols / Remote Monitoring: Parameters: These parameters are displayed: ◆ Index – Index to this entry. (Range: 1-65535) ◆ Type – Specifies the type of event to initiate: ■ None – No event is generated. ■ Log – Generates an RMON log entry when the event is triggered. ■...
  • Page 486 | Chapter: Basic Administration Protocols / Remote Monitoring: Figure 272: Configuring an RMON Event. To show configured RMON events: Click Administration, RMON. Select Configure Global from the Step list. Select Show from the Action list. Click Event. Figure 273: Showing Configured RMON Events. Use the Administration >...
  • Page 487 | Chapter: Basic Administration Protocols / Remote Monitoring: Command Usage: ◆ Each index number equates to a port on the switch. ◆ If history collection is already enabled on an interface, the entry must be deleted before any changes can be made. ◆...
  • Page 488 | Chapter: Basic Administration Protocols / Remote Monitoring: Click Apply. Figure 274: Configuring an RMON History Sample. To show configured RMON history samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show from the Action list. Select a port from the list. Click History.
  • Page 489 | Chapter: Basic Administration Protocols / Remote Monitoring: Select a port from the list. Click History. Figure 276: Showing Collected RMON History Samples. Configuring RMON Statistical Samples: Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates.
  • Page 490 | Chapter: Basic Administration Protocols / Remote Monitoring: Web Interface: To enable regular sampling of statistics on a port: Click Administration, RMON. Select Configure Interface from the Step list. Select Add from the Action list. Click Statistics. Select a port from the list as the data source. Enter an index number, and the name of the owner for this entry. Click Apply. Figure 277: Configuring an RMON Statistical Sample...
  • Page 491 | Chapter: Basic Administration Protocols / Remote Monitoring: Figure 278: Showing Configured RMON Statistical Samples. To show collected RMON statistical samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show Details from the Action list. Select a port from the list. Click Statistics.
  • Page 492 | Chapter: Basic Administration Protocols / Switch Clustering: Switch Clustering: Switch clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
  • Page 493 | Chapter: Basic Administration Protocols / Switch Clustering: Configuring General Settings for Clusters: Use the Administration > Cluster (Configure Global) page to create a switch cluster. CLI References: ◆ "Switch Clustering" on page 776. Command Usage: First be sure that clustering is enabled on the switch (the default is disabled), then set the switch as a Cluster Commander.
  • Page 494 | Chapter: Basic Administration Protocols / Switch Clustering: Figure 280: Configuring a Switch Cluster. Cluster Member Configuration: Use the Administration > Cluster (Configure Member - Add) page to add Candidate switches to the cluster as Members. CLI References: ◆ "Switch Clustering" on page 776
  • Page 495 | Chapter: Basic Administration Protocols / Switch Clustering: Figure 281: Configuring Cluster Members. To show the cluster members: Click Administration, Cluster. Select Configure Member from the Step list. Select Show from the Action list. Figure 282: Showing Cluster Members. To show cluster candidates: Click Administration, Cluster.
  • Page 496 | Chapter: Basic Administration Protocols / Switch Clustering: Managing Cluster Members: Use the Administration > Cluster (Show Member) page to manage another switch in the cluster. CLI References: ◆ "Switch Clustering" on page 776. Parameters: These parameters are displayed: ◆ Member ID –...
  • Page 497 | Chapter: Basic Administration Protocols / Ethernet Ring Protection Switching: Ethernet Ring Protection Switching: Information in this section is based on ITU-T G.8032/Y.1344. The ITU G.8032 recommendation specifies a protection switching mechanism and protocol for Ethernet layer network rings. Ethernet rings can provide wide-area multipoint connectivity more economically due to their reduced number of links.
  • Page 498 | Chapter: Basic Administration Protocols / Ethernet Ring Protection Switching: and all nodes to flush their forwarding database. The ring is now in protection state, but it remains connected in a logical topology. When the failed link recovers, the traffic is kept blocked on the nodes adjacent to the recovered link.
  • Page 499 | Chapter: Basic Administration Protocols / Ethernet Ring Protection Switching: not form a closed loop. A closed loop may be formed by the ring links of ERP2 and the ring link between the interconnection nodes that is controlled by ERP1. ERP2 is a sub-ring. Ring node A is the RPL owner node for ERP1, and ring node E is the RPL owner node for ERP2.
  • Page 500 | Chapter: Basic Administration Protocols / Ethernet Ring Protection Switching: Configuration Guidelines for ERPS: Create an ERPS ring (Configure Domain – Add): The ring name is used as an index in the G.8032 database. Configure the east and west interfaces (Configure Domain – Configure Details): Each node on the ring connects to it through two ring ports.
  • Page 501 | Chapter: Basic Administration Protocols / Ethernet Ring Protection Switching: Configuration Limitations for ERPS: The following configuration limitations apply to ERPS: ◆ One switch supports up to five ERPS rings; each ring must have one Control VLAN, and at most 255 Data VLANs. ◆ Ring ports cannot be a member of a trunk, nor an LACP-enabled port.
  • Page 502 | Chapter: Basic Administration Protocols / Ethernet Ring Protection Switching: Figure 287: Setting ERPS Global Status. ERPS Ring Configuration: Use the Administration > ERPS (Configure Domain) pages to configure ERPS rings. CLI References: ◆ "ERPS Commands" on page 1099. Command Usage: Ring Initialization: An ERPS ring containing one Control VLAN and one or more protected Data...
  • Page 503 | Chapter: Basic Administration Protocols / Ethernet Ring Protection Switching: ◆ Control VLAN – Shows the Control VLAN ID. ◆ Node State – Shows the following ERPS states: ■ Init – The ERPS ring has started but has not yet determined the...
  • Page 504 | Chapter: Basic Administration Protocols / Ethernet Ring Protection Switching: Configure Details: ◆ Domain Name – Name of a configured ERPS ring. (Range: 1-12 characters) Service Instances within each ring are based on a unique maintenance association for the specific users, distinguished by the ring name, maintenance level, maintenance association's name, and assigned VLAN.
  • Page 505 | Chapter: Basic Administration Protocols / Ethernet Ring Protection Switching: When ring nodes running G.8032v1 and G.8032v2 co-exist on a ring, the ring ID of each node is configured as "1". In version 1, the MAC address 01-19-A7-00-00-01 is used for the node identifier.
  • Page 506 | Chapter: Basic Administration Protocols / Ethernet Ring Protection Switching: the west ring port is automatically set as being connected to the RPL. ■ RPL Neighbor – Specifies a ring node to be the RPL neighbor. ■ The RPL neighbor node, when configured, is a ring node...
  • Page 507 | Chapter: Basic Administration Protocols / Ethernet Ring Protection Switching: The ring nodes stop transmitting R-APS (NR) messages when they accept an R-APS (NR, RB – RPL Blocked), or when another higher priority request is received. ■ Recovery with Revertive Mode – When all ring links and ring...
  • Page 508 | Chapter: Basic Administration Protocols / Ethernet Ring Protection Switching: The ring node where the Forced Switch was cleared continuously transmits the R-APS (NR) message on both ring ports, informing other nodes that no request is present at this ring node. The ring nodes stop transmitting R-APS (NR) messages when they accept an R-APS (NR, RB) message, or when another higher priority request is received.
  • Page 509 | Chapter: Basic Administration Protocols / Ethernet Ring Protection Switching: ■ Recovery for Manual Switching – A Manual Switch command is removed by issuing the Clear command (Configure Operation page) at the same ring node where the Manual Switch is in effect.
  • Page 510 | Chapter: Basic Administration Protocols / Ethernet Ring Protection Switching: ring node blocks the ring port attached to the RPL, transmits an R-APS (NR, RB) message over both ring ports, informing the ring that the RPL is blocked, and flushes its FDB. The acceptance of the R-APS (NR, RB) message triggers all ring nodes to unblock any blocked non-RPL which does not have an SF condition.
  • Page 511 | Chapter: Basic Administration Protocols / Ethernet Ring Protection Switching: ■ Sub-ring with R-APS Virtual Channel – When using a virtual channel to tunnel R-APS messages between interconnection points on a sub-ring, the R-APS virtual channel may or may not follow the same path as the traffic channel over the network.
  • Page 512 | Chapter: Basic Administration Protocols / Ethernet Ring Protection Switching: means that it is not necessary to take precautions against forming a loop which is potentially composed of a whole interconnected network. Figure 289: Sub-ring without Virtual Channel (figure labels: Interconnection Node, RPL Port, Ring Node, Major Ring, Sub-ring)...
  • Page 513 | Chapter: Basic Administration Protocols / Ethernet Ring Protection Switching: CCMs are propagated by the Connectivity Fault Management (CFM) protocol as described under "Connectivity Fault Management" on page 522. If the standard recovery procedure were used as shown in the following figure, and node E detected CCM loss, it would send an R-APS (SF) message to the RPL owner and block the link to node D, isolating that non-ERPS device.
  • Page 514 | Chapter: Basic Administration Protocols / Ethernet Ring Protection Switching: The guard timer duration should be greater than the maximum expected forwarding delay for an R-APS message to pass around the ring. A side-effect of the guard timer is that during its duration, a node will be unaware of new or existing ring requests transmitted from other nodes.
  • Page 515 | Chapter: Basic Administration Protocols / Ethernet Ring Protection Switching: ◆ Interface – The port or trunk attached to the west or east ring port. Note that a ring port cannot be configured as a member of a spanning tree, a dynamic trunk, or a static trunk. ◆ Port State –...
  • Page 516 | Chapter: Basic Administration Protocols / Ethernet Ring Protection Switching: Click Apply. Figure 290: Creating an ERPS Ring. To configure the ERPS parameters for a ring: Click Administration, ERPS. Select Configure Domain from the Step list. Select Configure Details from the Action list. Configure the ERPS parameters for this node.
  • Page 517 | Chapter: Basic Administration Protocols / Ethernet Ring Protection Switching: Figure 291: Creating an ERPS Ring. To show the configured ERPS rings: Click Administration, ERPS. Select Configure Domain from the Step list. Select Show from the Action list. Figure 292: Showing Configured ERPS Rings
  • Page 518 | Chapter: Basic Administration Protocols / Ethernet Ring Protection Switching: ERPS Forced and Manual Operations: Use the Administration > ERPS (Configure Operation) page to block a ring port using Forced Switch or Manual Switch commands. CLI References: ◆ "erps forced-switch" on page 1121...
  • Page 519: Table 32: ERPS Request/State Priority | Chapter: Basic Administration Protocols / Ethernet Ring Protection Switching: nodes where further forced switch commands are issued block the traffic channel and R-APS channel on the ring port at which the forced switch was issued. The ring node where the forced switch command was issued transmits an R-APS message over both ring ports indicating FS.
  • Page 520 | Chapter: Basic Administration Protocols / Ethernet Ring Protection Switching: under maintenance in order to avoid falling into the above mentioned unrecoverable situation. ■ Manual Switch – Blocks the specified ring port, in the absence of a failure or an FS command. (Options: West or East) ■ A ring with no request has a logical topology with the traffic...
  • Page 521 | Chapter: Basic Administration Protocols / Ethernet Ring Protection Switching: A ring node with a local manual switch command that receives an R-APS message or a local request of higher priority than R-APS (MS) clears its manual switch request. The ring node then processes the new higher priority request.
  • Page 522 | Chapter: Basic Administration Protocols / Connectivity Fault Management: Figure 293: Blocking an ERPS Ring Port. Connectivity Fault Management: Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices.
  • Page 523 | Chapter: Basic Administration Protocols / Connectivity Fault Management: ◆ A Maintenance Level allows maintenance domains to be nested in a hierarchical fashion, providing access to the specific network portions required by each operator. Domains at lower levels may be either hidden or exposed to operators managing domains at a higher level, allowing either coarse or fine fault resolution.
  • Page 524 | Chapter: Basic Administration Protocols / Connectivity Fault Management: Figure 295: Multiple CFM Maintenance Domains (figure labels: Customer MA, Operator 1 MA, Operator 2 MA, Provider MA). Note that the Service Instances within each domain shown above are based on a unique maintenance association for the specific users, distinguished by the domain name, maintenance level, maintenance association's name, and assigned VLAN.
  • Page 525 | Chapter: Basic Administration Protocols / Connectivity Fault Management: SNMP traps can also be configured to provide an automated method of fault notification. If the fault notification generator detects one or more defects within the configured time period, and fault alarms are enabled, a corresponding trap will be sent.
  • Page 526 | Chapter: Basic Administration Protocols / Connectivity Fault Management: CLI References: ◆ "CFM Commands" on page 1327. Parameters: These parameters are displayed: Global Configuration: ◆ CFM Status – Enables CFM processing globally on the switch. (Default: Enabled) To avoid generating an excessive number of traps, the complete CFM maintenance structure and process parameters should be configured prior to enabling CFM processing globally on the switch.
  • Page 527 | Chapter: Basic Administration Protocols / Connectivity Fault Management: ◆ Link Trace Cache Hold Time – The hold time for CFM link trace cache entries. (Range: 1-65535 minutes; Default: 100 minutes) Before setting the aging time for cache entries, the cache must first be enabled in the Linktrace Cache attribute field.
  • Page 528 | Chapter: Basic Administration Protocols / Connectivity Fault Management: ◆ Cross Check MEP Unknown – Sends a trap if an unconfigured MEP comes up. A MEP Unknown trap is sent if cross-checking is enabled, and a CCM is received from a remote MEP that is not configured in the static list. Because only statically listed MEPs are expected in an MA, this trap is also the signal that an unknown or misconfigured device is injecting CCMs into the association. Web Interface: To configure global settings for CFM: Click Administration, CFM.
  • Page 529 | Chapter: Basic Administration Protocols / Connectivity Fault Management: Configuring Interfaces for CFM: CFM processes are enabled by default for all physical interfaces, both ports and trunks. You can use the Administration > CFM (Configure Interface) page to change these settings. CLI References: "ethernet cfm port-enable"...
  • Page 530 | Chapter: Basic Administration Protocols / Connectivity Fault Management: CLI References: ◆ "CFM Commands" on page 1327. Command Usage: Configuring General Settings: ◆ Where domains are nested, an upper-level hierarchical domain must have a higher maintenance level than the ones it encompasses. The higher to lower level domain types commonly include entities such as customer, service provider, and operator.
  • Page 531: Table 33: Remote MEP Priority Levels | Chapter: Basic Administration Protocols / Connectivity Fault Management: The MIP creation method defined for an MA (see "Configuring CFM Maintenance Associations") takes precedence over the method defined on the CFM Domain List. Configuring Fault Notification: ◆ A fault alarm can generate an SNMP notification. It is issued when the...
  • Page 532 | Chapter: Basic Administration Protocols / Connectivity Fault Management: Parameters: These parameters are displayed: Creating a Maintenance Domain: ◆ MD Index – Domain index. (Range: 1-65535) ◆ MD Name – Maintenance domain name. (Range: 1-43 alphanumeric characters) ◆ MD Level – Authorized maintenance level for this domain....
  • Page 533 | Chapter: Basic Administration Protocols / Connectivity Fault Management: Web Interface: To create a maintenance domain: Click Administration, CFM. Select Configure MD from the Step list. Select Add from the Action list. Specify the maintenance domains and authorized maintenance levels (thereby setting the hierarchical relationship with other domains). Specify the manner in which MIPs can be created within each domain.
  • Page 534 | Chapter: Basic Administration Protocols / Connectivity Fault Management: To configure detailed settings for maintenance domains: Click Administration, CFM. Select Configure MD from the Step list. Select Configure Details from the Action list. Select an entry from the MD Index. Specify the MEP archive hold and MEP fault notification parameters. Click Apply. Figure 300: Configuring Detailed Settings for Maintenance Domains. Use the Administration >...
  • Page 535 | Chapter: Basic Administration Protocols / Connectivity Fault Management: ◆ Multiple domains at the same maintenance level cannot have an MA on the same VLAN (see "Configuring CFM Maintenance Domains" on page 529). ◆ Before removing an MA, first remove the MEPs assigned to it (see...
  • Page 536 | Chapter: Basic Administration Protocols / Connectivity Fault Management: ◆ MIP Creation Type – Specifies the CFM protocol's creation method for maintenance intermediate points (MIPs) in this MA: ■ Default – MIPs can be created for this MA on any bridge port...
  • Page 537 | Chapter: Basic Administration Protocols / Connectivity Fault Management: ◆ AIS Transmit Level – Configure the AIS maintenance level in an MA. (Range: 0-7; Default is 0) AIS Level must follow this rule: AIS Level >= Domain Level. ◆ AIS Suppress Alarm – Enables/disables suppression of the AIS....
  • Page 538 | Chapter: Basic Administration Protocols / Connectivity Fault Management: Figure 302: Showing Maintenance Associations. To configure detailed settings for maintenance associations: Click Administration, CFM. Select Configure MA from the Step list. Select Configure Details from the Action list. Select an entry from MD Index and MA Index. Specify the CCM interval, enable the transmission of connectivity check and cross check messages, and configure the required AIS parameters.
  • Page 539 | Chapter: Basic Administration Protocols / Connectivity Fault Management: Configuring Maintenance End Points: Use the Administration > CFM (Configure MEP – Add) page to configure Maintenance End Points (MEPs). MEPs, also called Domain Service Access Points (DSAPs), must be configured at the domain boundary to provide management access for each maintenance association.
  • Page 540: Configuring Remote Maintenance End Points | Chapter: Basic Administration Protocols / Connectivity Fault Management: Click Apply. Figure 304: Configuring Maintenance End Points. To show the configured maintenance end points: Click Administration, CFM. Select Configure MEP from the Step list. Select Show from the Action list. Select an entry from MD Index and MA Index. Figure 305: Showing Maintenance End Points. Use the Administration >...
  • Page 541 | Chapter: Basic Administration Protocols / Connectivity Fault Management: Command Usage: ◆ All MEPs that exist on other devices inside a maintenance association should be statically configured to ensure full connectivity through the cross-check process. ◆ Remote MEPs can only be configured if local domain service access...
  • Page 542: Transmitting Link Trace Messages

    | Basic Administration Protocols HAPTER Connectivity Fault Management Figure 306: Configuring Remote Maintenance End Points To show the configured remote maintenance end points: Click Administration, CFM. Select Configure MEP from the Step list. Select Show from the Action list. Select an entry from MD Index and MA Index. Figure 307: Showing Remote Maintenance End Points Use the Administration >...
  • Page 543 | Chapter: Basic Administration Protocols | Connectivity Fault Management. LTMs are sent as multicast CFM frames, and forwarded from MIP to MIP, with each MIP generating a link trace reply, up to the point at which the LTM reaches its destination or can no longer be forwarded. ◆ LTMs are used to isolate faults.
  • Page 544: Transmitting Loop Back Messages

    | Chapter: Basic Administration Protocols | Connectivity Fault Management. Click Apply. Check the results in the Link Trace cache (see "Displaying the Link Trace Cache"). Figure 308: Transmitting Link Trace Messages. Transmitting Loopback Messages: Use the Administration > CFM (Transmit Loopback) page to transmit Loopback Messages (LBMs).
  • Page 545 | Chapter: Basic Administration Protocols | Connectivity Fault Management. ◆ MA Index – MA identifier. (Range: 1-2147483647) ◆ Source MEP ID – The identifier of a source MEP that will send the loopback message. (Range: 1-8191) ◆ Target: ■ MEP ID – The identifier of a remote MEP that is the target of a...
  • Page 546: Transmitting Delay-Measure Requests

    | Chapter: Basic Administration Protocols | Connectivity Fault Management. Transmitting Delay-Measure Requests: Use the Administration > CFM (Transmit Delay Measure) page to send periodic delay-measure requests to a specified MEP within a maintenance association. CLI References: ◆ "ethernet cfm delay-measure two-way" on page 1366...
  • Page 547 | Chapter: Basic Administration Protocols | Connectivity Fault Management. ◆ Count – The number of times to retry sending the message if no response is received before the specified timeout. (Range: 1-5; Default: 5) ◆ Packet Size – The size of the delay-measure message...
  • Page 548: Displaying Local MEPs

    | Chapter: Basic Administration Protocols | Connectivity Fault Management. Displaying Local MEPs: Use the Administration > CFM > Show Information (Show Local MEP) page to show information for the MEPs configured on this device. CLI References: ◆ "show ethernet cfm maintenance-points local" on page 1342...
  • Page 549: Displaying Details For Local MEPs

    | Chapter: Basic Administration Protocols | Connectivity Fault Management. Displaying Details for Local MEPs: Use the Administration > CFM > Show Information (Show Local MEP Details) page to show detailed CFM information about a local MEP in the continuity check database. CLI References: ◆ "show ethernet cfm maintenance-points local detail mep"...
  • Page 550 | Chapter: Basic Administration Protocols | Connectivity Fault Management. ◆ Suppress Alarm – Shows if the specified MEP is configured to suppress sending frames containing AIS information following the detection of defect conditions. ◆ Suppressing Alarms – Shows if the specified MEP is currently...
  • Page 551: Displaying Local MIPs

    | Chapter: Basic Administration Protocols | Connectivity Fault Management. Displaying Local MIPs: Use the Administration > CFM > Show Information (Show Local MIP) page to show the MIPs on this device discovered by the CFM protocol. (For a description of MIPs, refer to the Command Usage section under "Configuring CFM Maintenance Domains".) CLI References...
  • Page 552: Displaying Details For Remote MEPs

    | Chapter: Basic Administration Protocols | Connectivity Fault Management. Parameters: These parameters are displayed: ◆ MEP ID – Maintenance end point identifier. ◆ MA Name – Maintenance association name. ◆ Level – Authorized maintenance level for this domain. ◆ Primary VLAN – Service VLAN ID. ◆ MEP Up –...
  • Page 553 | Chapter: Basic Administration Protocols | Connectivity Fault Management. ◆ MA Index – MA identifier. (Range: 1-2147483647) ◆ MEP ID – Maintenance end point identifier. (Range: 1-8191) ◆ MD Name – Maintenance domain name. ◆ MA Name – Maintenance association name. ◆ Level –...
  • Page 554: Displaying The Link Trace Cache

    | Chapter: Basic Administration Protocols | Connectivity Fault Management. Web Interface: To show detailed information for remote MEPs: Click Administration, CFM. Select Show Information from the Step list. Select Show Remote MEP Details from the Action list. Select an entry from MD Index and MA Index. Select a MEP ID.
  • Page 555 | Chapter: Basic Administration Protocols | Connectivity Fault Management. ◆ MA – Maintenance association name. ◆ IP/Alias – IP address or DNS alias of the target device’s CPU. ◆ Forwarded – Shows whether or not this link trace message was forwarded. A message is not forwarded if received by the target MEP. ◆ Ingress MAC Address –...
  • Page 556: Displaying Fault Notification Settings

    | Chapter: Basic Administration Protocols | Connectivity Fault Management. Web Interface: To show information about link trace operations launched from this device: Click Administration, CFM. Select Show Information from the Step list. Select Show Link Trace Cache from the Action list. Figure 316: Showing the Link Trace Cache. Use the Administration >...
  • Page 557: Displaying Continuity Check Errors

    | Chapter: Basic Administration Protocols | Connectivity Fault Management. Web Interface: To show configuration settings for the fault notification generator: Click Administration, CFM. Select Show Information from the Step list. Select Show Fault Notification Generator from the Action list. Figure 317: Showing Settings for the Fault Notification Generator. Use the Administration >...
  • Page 558: OAM Configuration

    | Chapter: Basic Administration Protocols | OAM Configuration. ■ VIDs – MA x is associated with a specific VID list, an MEP is configured facing inward (up) on this MA on the bridge port, and some other MA y, associated with at least one of the VID(s) also in MA x, also has an Up MEP configured facing inward (up) on some bridge port.
  • Page 559: Table 35: OAM Operation State

    | Chapter: Basic Administration Protocols | OAM Configuration. CLI References: ◆ "OAM Commands" on page 1369. Parameters: These parameters are displayed: ◆ Port – Port identifier. (Range: 1-10) ◆ Admin Status – Enables or disables OAM functions. (Default: Disabled) ◆ Operation State – Shows the operational state between the local and...
  • Page 560 | Chapter: Basic Administration Protocols | OAM Configuration. ◆ Critical Link Event – Controls reporting of critical link events to its OAM peer. ■ Dying Gasp – If an unrecoverable condition occurs, the local OAM entity (i.e., this switch) indicates this by immediately sending a trap message.
  • Page 561: Displaying Statistics For OAM Messages

    | Chapter: Basic Administration Protocols | OAM Configuration. Click Apply. Figure 319: Enabling OAM for Local Ports. Displaying Statistics for OAM Messages: Use the Administration > OAM > Counters page to display statistics for the various types of OAM messages passed across each port. CLI References...
  • Page 562: Displaying The OAM Event Log

    | Chapter: Basic Administration Protocols | OAM Configuration. Web Interface: To display statistics for OAM messages: Click Administration, OAM, Counters. Figure 320: Displaying Statistics for OAM Messages. Displaying the OAM Event Log: Use the Administration > OAM > Event Log page to display link events for the selected port.
  • Page 563: Displaying The Status Of Remote Interfaces

    | Chapter: Basic Administration Protocols | OAM Configuration. Figure 321: Displaying the OAM Event Log. Displaying the Status of Remote Interfaces: Use the Administration > OAM > Remote Interface page to display information about attached OAM-enabled devices. CLI References: ◆ "show efm oam status remote interface" on page 1380. Parameters: These parameters are displayed: ◆ Port –...
  • Page 564: Configuring A Remote Loop Back Test

    | Chapter: Basic Administration Protocols | OAM Configuration. Web Interface: To display information about attached OAM-enabled devices: Click Administration, OAM, Remote Interface. Figure 322: Displaying Status of Remote Interfaces. Configuring a Remote Loopback Test: Use the Administration > OAM > Remote Loopback (Remote Loopback Test) page to initiate a loop back test to the peer device attached to the selected port.
  • Page 565: Table 36: OAM Operation State

    | Chapter: Basic Administration Protocols | OAM Configuration. Parameters: These parameters are displayed: Loopback Mode of Remote Device: ◆ Port – Port identifier. (Range: 1-10) ◆ Loopback Mode – Shows if loop back mode is enabled on the peer. This attribute must be enabled before starting the loopback test. ◆ Loopback Status –...
  • Page 566: Displaying Results Of Remote Loop Back Testing

    | Chapter: Basic Administration Protocols | OAM Configuration. Web Interface: To initiate a loop back test to the peer device attached to the selected port: Click Administration, OAM, Remote Loop Back. Select Remote Loopback Test from the Action list. Select the port on which to initiate remote loop back testing, enable the Loop Back Mode attribute, and click Apply.
  • Page 567 | Chapter: Basic Administration Protocols | OAM Configuration. Web Interface: To display the results of remote loop back testing for each port for which this information is available: Click Administration, OAM, Remote Loop Back. Select Show Test Result from the Action list. Figure 324: Displaying the Results of Remote Loop Back Testing –...
  • Page 569: IP Configuration

    IP Configuration. This chapter describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on.
  • Page 570 | Chapter: IP Configuration | Using the Ping Function. Command Usage: ◆ Use the ping command to see if another site on the network can be reached. ◆ The following are some results of the ping command: ■ Normal response - The normal response occurs in one to ten...
  • Page 571: Using The Trace Route Function

    | Chapter: IP Configuration | Using the Trace Route Function. Use the IP > General > Trace Route page to show the route packets take to the specified destination. CLI References: ◆ "traceroute" on page 1408...
  • Page 572: Address Resolution Protocol

    | Chapter: IP Configuration | Address Resolution Protocol. Figure 326: Tracing the Route to a Network Device. Address Resolution Protocol: The switch uses Address Resolution Protocol (ARP) to forward traffic from one hop to the next. ARP is used to map an IP address to a physical layer (i.e., MAC) address.
  • Page 573: Setting The ARP Timeout

    | Chapter: IP Configuration | Address Resolution Protocol. ...switch will be able to forward traffic directly to the next hop for this destination without having to broadcast another ARP request. Also, if the switch receives a request for its own IP address, it will send back a response, and also cache the MAC of the source device's IP address.
  • Page 574: Displaying ARP Entries

    | Chapter: IP Configuration | Setting the Switch’s IP Address (IP Version 4). Displaying ARP Entries: Use the IP > ARP (Show Information) page to display dynamic entries in the ARP cache. The ARP cache contains entries for local interfaces, including subnet, host, and broadcast addresses.
  • Page 575: Configuring IPv4 Interface Settings

    | Chapter: IP Configuration | Setting the Switch’s IP Address (IP Version 4). An IP default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch. Web Interface: To configure an IPv4 default gateway for the switch: Click System, IP.
  • Page 576 | Chapter: IP Configuration | Setting the Switch’s IP Address (IP Version 4). IP will not function until a reply has been received from the server. Requests will be broadcast periodically by the switch for an IP address. DHCP/BOOTP responses can include the IP address, subnet mask, and default gateway.
  • Page 577 | Chapter: IP Configuration | Setting the Switch’s IP Address (IP Version 4). Click Apply. Figure 330: Configuring a Static IPv4 Address. To obtain a dynamic IPv4 address through DHCP/BOOTP for the switch: Click System, IP. Select Configure Interface from the Action list. Select Add Address from the Step list.
  • Page 578: Setting The Switch's IP Address (IP Version 6)

    | Chapter: IP Configuration | Setting the Switch’s IP Address (IP Version 6). If you lose the management connection, make a console connection to the switch and enter “show ip interface” to determine the new switch address. Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time.
  • Page 579: Configuring The IPv6 Default Gateway

    | Chapter: IP Configuration | Setting the Switch’s IP Address (IP Version 6). ...or basic troubleshooting tasks. However, to connect to a larger network with multiple segments, the switch must be configured with a global unicast address. Both link-local and global unicast address types can either be dynamically assigned (using the Configure Interface page) or manually configured (using the Add IPv6 Address page).
  • Page 580: Configuring IPv6 Interface Settings

    | Chapter: IP Configuration | Setting the Switch’s IP Address (IP Version 6). Configuring IPv6 Interface Settings: Use the IP > IPv6 Configuration (Configure Interface - VLAN) page to configure general IPv6 settings for the selected VLAN, including auto-configuration of a global unicast interface address, explicit configuration of a link local interface address, the MTU size, and neighbor discovery protocol settings for duplicate address detection and the neighbor solicitation interval.
  • Page 581 | Chapter: IP Configuration | Setting the Switch’s IP Address (IP Version 6). ■ If auto-configuration is not selected, then an address must be manually configured using the Add Interface page described below. ◆ Enable IPv6 Explicitly – Enables IPv6 on an interface. Note that...
  • Page 582 | Chapter: IP Configuration | Setting the Switch’s IP Address (IP Version 6). ■ If the link-local address for an interface is changed, duplicate address detection is performed on the new link-local address, but not for any of the IPv6 global unicast addresses already associated with the interface.
  • Page 583 | Chapter: IP Configuration | Setting the Switch’s IP Address (IP Version 6). ◆ RA Guard Interface – Shows port or trunk configuration page. ◆ RA Guard – Blocks incoming Router Advertisement and Router Redirect packets. (Default: Disabled) IPv6 Router Advertisements (RA) convey information that enables nodes to auto-configure on the network.
  • Page 584: Configuring An IPv6 Address

    | Chapter: IP Configuration | Setting the Switch’s IP Address (IP Version 6). To configure RA Guard for the switch: Click IP, IPv6 Configuration. Select Configure Interface from the Action list. Select RA Guard mode. Enable RA Guard for untrusted interfaces. Click Apply.
  • Page 585 | Chapter: IP Configuration | Setting the Switch’s IP Address (IP Version 6). ◆ To connect to a larger network with multiple subnets, you must configure a global unicast address. There are several alternatives to configuring this address type: ■ The global unicast address can be automatically configured by...
  • Page 586 | Chapter: IP Configuration | Setting the Switch’s IP Address (IP Version 6). ...of the address comprise the prefix (i.e., the network portion of the address). Note that the value specified in the IPv6 Address field may include some of the high-order host bits if the specified prefix length is less than 64 bits.
  • Page 587: Showing IPv6 Addresses

    | Chapter: IP Configuration | Setting the Switch’s IP Address (IP Version 6). Figure 336: Configuring an IPv6 Address. Showing IPv6 Addresses: Use the IP > IPv6 Configuration (Show IPv6 Address) page to display the IPv6 addresses assigned to an interface. CLI References: ◆ "show ipv6 interface"...
  • Page 588: Showing The IPv6 Neighbor Cache

    | Chapter: IP Configuration | Setting the Switch’s IP Address (IP Version 6). Note that the solicited-node multicast address (link-local scope FF02) is used to resolve the MAC addresses for neighbor nodes since IPv6 does not support the broadcast method used by the Address Resolution Protocol in IPv4.
  • Page 589 | Chapter: IP Configuration | Setting the Switch’s IP Address (IP Version 6). Table 38: Show IPv6 Neighbors - display description (Continued). Field: State. Description: The following states are used for dynamic entries: ◆ Incomplete - Address resolution is being carried out on the entry...
  • Page 590: Showing IPv6 Statistics

    | Chapter: IP Configuration | Setting the Switch’s IP Address (IP Version 6). Showing IPv6 Statistics: Use the IP > IPv6 Configuration (Show Statistics) page to display statistics about IPv6 traffic passing through this switch. CLI References: ◆ "show ipv6 traffic" on page 1425...
  • Page 591 | Chapter: IP Configuration | Setting the Switch’s IP Address (IP Version 6). Table 39: Show IPv6 Statistics - display description (Continued). Field: Address Errors. Description: The number of input datagrams discarded because the IPv6 address in their IPv6 header's destination field was not a valid address to be received at this entity.
  • Page 592 | Chapter: IP Configuration | Setting the Switch’s IP Address (IP Version 6). Table 39: Show IPv6 Statistics - display description (Continued). Field: Generated Fragments. Description: The number of output datagram fragments that have been generated as a result of fragmentation at this output interface. Field: Fragment Succeeded. Description: The number of IPv6 datagrams that have been successfully fragmented at this output interface.
  • Page 593 | Chapter: IP Configuration | Setting the Switch’s IP Address (IP Version 6). Table 39: Show IPv6 Statistics - display description (Continued). Field: ICMPv6 Transmitted Output. Description: The total number of ICMP messages which this interface attempted to send. Note that this counter includes all those counted by icmpOutErrors.
  • Page 594 | Chapter: IP Configuration | Setting the Switch’s IP Address (IP Version 6). Web Interface: To show the IPv6 statistics: Click IP, IPv6 Configuration. Select Show Statistics from the Action list. Click IPv6, ICMPv6 or UDP. Figure 339: Showing IPv6 Statistics (IPv6). Figure 340: Showing IPv6 Statistics (ICMPv6) –...
  • Page 595: Showing The MTU For Responding Destinations

    | Chapter: IP Configuration | Setting the Switch’s IP Address (IP Version 6). Figure 341: Showing IPv6 Statistics (UDP). Showing the MTU for Responding Destinations: Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
  • Page 597: Ip Services

    IP Services. This chapter describes how to configure Domain Name Service (DNS) on this switch. For information on DHCP snooping, which is included in this folder, see "DHCP Snooping" on page 415. This chapter covers the following IP services: ◆...
  • Page 598: Configuring A List Of Domain Names

    | Chapter: IP Services | Domain Name Service. Parameters: These parameters are displayed: ◆ Domain Lookup – Enables DNS host name-to-address translation. (Default: Disabled) ◆ Default Domain Name – Defines the default domain name appended to incomplete host names. Do not include the initial dot that separates the host name from the domain name.
  • Page 599 | Chapter: IP Services | Domain Name Service. ...through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match (see "Configuring a List of Name Servers" on page 600).
  • Page 600: Configuring A List Of Name Servers

    | Chapter: IP Services | Domain Name Service. Configuring a List of Name Servers: Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order. CLI References: ◆ "ip name-server" on page 1385...
  • Page 601: Configuring Static DNS Host To Address Entries

    | Chapter: IP Services | Configuring Static DNS Host to Address Entries. Figure 5: Showing the List of Name Servers for DNS. Configuring Static DNS Host to Address Entries: Use the IP Service > DNS - Static Host Table (Add) page to manually configure static entries in the DNS table that are used to map domain names to IP addresses.
  • Page 602: Displaying The DNS Cache

    | Chapter: IP Services | Configuring Static DNS Host to Address Entries. Figure 6: Configuring Static Entries in the DNS Table. To show static entries in the DNS table: Click IP Service, DNS, Static Host Table. Select Show from the Action list. Figure 7: Showing Static Entries in the DNS Table. Use the IP Service >...
  • Page 603: Dynamic Host Configuration Protocol

    | Chapter: IP Services | Dynamic Host Configuration Protocol. ◆ Type – This field includes CNAME which specifies the host address for the owner, and ALIAS which specifies an alias. ◆ IP – The IP address associated with this record. ◆ TTL – The time to live reported by the name server...
  • Page 604: Configuring DHCP Relay Service

    | Chapter: IP Services | Dynamic Host Configuration Protocol. Parameters: These parameters are displayed in the web interface: ◆ VLAN – ID of configured VLAN. ◆ Vendor Class ID – The following options are supported when the check box is marked to enable this feature: Default –...
  • Page 605 | Chapter: IP Services | Dynamic Host Configuration Protocol. These fields identify the requesting device by indicating the interface through which the relay agent received the request. If DHCP relay is enabled, and this switch sees a DHCP client request, it inserts its own IP address into the request so that the DHCP server will know the subnet where the client is located.
  • Page 606 | Chapter: IP Services | Dynamic Host Configuration Protocol. ...the management VLAN or a non-management VLAN, it will add option 82 relay information and the relay agent’s address to the DHCP request packet, and then unicast it to the DHCP server. ■ If a DHCP relay server has been set on the switch, when the switch...
  • Page 607 | Chapter: IP Services | Dynamic Host Configuration Protocol. ■ A DHCP relay server has been set on the switch, when the switch receives a DHCP request packet with a non-zero relay agent address field (that is not the address of this switch). ■ A DHCP relay server has been set on the switch, when the switch...
  • Page 608: Configuring The PPPoE Intermediate Agent

    | Chapter: IP Services | Configuring the PPPoE Intermediate Agent. ◆ Server IP Address – Addresses of DHCP servers or relay servers to be used by the switch’s DHCP relay agent in order of preference. Web Interface: To configure DHCP relay service: Click IP Service, DHCP, Relay.
  • Page 609 | Chapter: IP Services | Configuring the PPPoE Intermediate Agent. ◆ "show pppoe intermediate-agent info" on page 877. Command Usage: When PPPoE IA is enabled, the switch inserts a tag identifying itself as a PPPoE IA residing between the attached client requesting network access and the ports connected to broadband remote access servers (BRAS).
  • Page 610: Configuring PPPoE IA Interface Settings

    | Chapter: IP Services | Configuring the PPPoE Intermediate Agent. Figure 12: Configuring Global Settings for PPPoE Intermediate Agent. Configuring PPPoE IA Interface Settings: Use the IP Service > PPPoE Intermediate Agent (Configure Interface) page to enable PPPoE IA on an interface, set trust status, enable vendor tag stripping, and set the circuit ID and remote ID.
  • Page 611 | Chapter: IP Services | Configuring the PPPoE Intermediate Agent. ◆ Circuit ID – String identifying the circuit identifier (or interface) on this switch to which the user is connected. (Range: 1-10 ASCII characters; Default: Unit/Port:VLAN-ID, or 0/Trunk-ID:VLAN-ID) ■ The PPPoE server extracts the Line-ID tag from PPPoE discovery...
  • Page 612: Showing PPPoE IA Statistics

    | Chapter: IP Services | Configuring the PPPoE Intermediate Agent. Figure 13: Configuring Interface Settings for PPPoE Intermediate Agent. Showing PPPoE IA Statistics: Use the IP Service > PPPoE Intermediate Agent (Show Statistics) page to show statistics on PPPoE IA protocol messages. CLI References...
  • Page 613 | Chapter: IP Services | Configuring the PPPoE Intermediate Agent. Web Interface: To show statistics for PPPoE IA protocol messages: Click IP Service, PPPoE Intermediate Agent. Select Show Statistics from the Step list. Select Port or Trunk interface type. Figure 14: Showing PPPoE Intermediate Agent Statistics –...
  • Page 615: Multicast Filtering

    Multicast Filtering. This chapter describes how to configure the following multicast services: ◆ IGMP Snooping – Configures snooping and query parameters. ◆ Filtering and Throttling – Filters specified multicast services, or throttles the maximum number of multicast groups allowed on an interface. ◆ MLD Snooping –...
  • Page 616: Layer 2 IGMP (Snooping And Query For IPv4)

    | Chapter: Multicast Filtering | Layer 2 IGMP (Snooping and Query for IPv4). Figure 357: Multicast Filtering Concept (legend: Unicast Flow, Multicast Flow). This switch can use Internet Group Management Protocol (IGMP) to filter multicast traffic. IGMP Snooping can be used to passively monitor or “snoop”...
  • Page 617 | Chapter: Multicast Filtering | Layer 2 IGMP (Snooping and Query for IPv4). ...network segments where no node has expressed interest in receiving a specific multicast service. For switches that do not support multicast routing, or where multicast routing is already enabled on other switches in the local network segment, IGMP Snooping is the only service required to support multicast filtering.
  • Page 618: Configuring IGMP Snooping And Query Parameters

    | Chapter: Multicast Filtering | Layer 2 IGMP (Snooping and Query for IPv4). Static IGMP Host Interface – For multicast applications that you need to control more carefully, you can manually assign a multicast service to specific interfaces on the switch (page 624).
  • Page 619 | Chapter: Multicast Filtering | Layer 2 IGMP (Snooping and Query for IPv4). Multicast routers use this information from IGMP snooping and query reports, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet. Parameters: These parameters are displayed: ◆ IGMP Snooping Status –...
  • Page 620 | Chapter: Multicast Filtering | Layer 2 IGMP (Snooping and Query for IPv4). ...multicast traffic will be flooded to all VLAN ports. If many ports have subscribed to different multicast groups, flooding may cause excessive packet loss on the link between the switch and the end host. Flooding may be disabled to avoid this, causing multicast traffic to be delivered only to those ports on which multicast group members have been learned.
  • Page 621 | Chapter: Multicast Filtering | Layer 2 IGMP (Snooping and Query for IPv4). ◆ Forwarding Priority – Assigns a CoS priority to all multicast traffic. (Range: 0-7, where 7 is the highest priority) This parameter can be used to set a high priority for low-latency multicast traffic such as a video-conference, or to set a low priority for normal multicast traffic not sensitive to latency.
  • Page 622: Specifying Static Interfaces For A Multicast Router

    | Chapter: Multicast Filtering | Layer 2 IGMP (Snooping and Query for IPv4). Figure 358: Configuring General Settings for IGMP Snooping. Specifying Static Interfaces for a Multicast Router: Use the Multicast > IGMP Snooping > Multicast Router (Add) page to statically attach an interface to a multicast router/switch.
  • Page 623 | Chapter: Multicast Filtering | Layer 2 IGMP (Snooping and Query for IPv4). ◆ Type – Shows if this entry is static or dynamic. ◆ Expire – Time until this dynamic entry expires. Web Interface: To specify a static interface attached to a multicast router: Click Multicast, IGMP Snooping, Multicast Router.
  • Page 624: Assigning Interfaces To Multicast Services

    | Chapter: Multicast Filtering | Layer 2 IGMP (Snooping and Query for IPv4). To show all the interfaces attached to a multicast router: Click Multicast, IGMP Snooping, Multicast Router. Select Current Multicast Router from the Action list. Select the VLAN for which to display this information. Ports in the selected VLAN which are attached to a neighboring multicast router/switch are displayed.
  • Page 625 | Chapter: Multicast Filtering | Layer 2 IGMP (Snooping and Query for IPv4). ◆ Multicast IP – The IP address for a specific multicast service. Web Interface: To statically assign an interface to a multicast service: Click Multicast, IGMP Snooping, IGMP Member. Select Add Static Member from the Action list.
  • Page 626: Setting IGMP Snooping Status Per Interface

    | Chapter: Multicast Filtering | Layer 2 IGMP (Snooping and Query for IPv4). To show all the interfaces statically or dynamically assigned to a multicast service: Click Multicast, IGMP Snooping, IGMP Member. Select Show Current Member from the Action list. Select the VLAN for which to display this information. Figure 364: Showing Current Interfaces Assigned to a Multicast Service. Use the Multicast >...
  • Page 627 | Chapter: Multicast Filtering | Layer 2 IGMP (Snooping and Query for IPv4). The default values recommended in the MRD draft are implemented in the switch. Multicast Router Discovery uses the following three message types to discover multicast routers: ◆ Multicast Router Advertisement – Advertisements are sent by routers to...
  • Page 628 | Chapter: Multicast Filtering | Layer 2 IGMP (Snooping and Query for IPv4). Parameters: These parameters are displayed: ◆ VLAN – ID of configured VLANs. (Range: 1-4094) ◆ IGMP Snooping Status – When enabled, the switch will monitor network traffic on the indicated VLAN interface to determine which hosts want to receive multicast traffic.
  • Page 629 | Chapter: Multicast Filtering | Layer 2 IGMP (Snooping and Query for IPv4). ◆ Proxy Reporting – Enables IGMP Snooping with Proxy Reporting. (Default: Based on global setting) When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression.
  • Page 630 | Chapter: Multicast Filtering | Layer 2 IGMP (Snooping and Query for IPv4). ◆ Query Response Interval – The maximum time the system waits for a response to proxy general queries. (Range: 10-31740 tenths of a second in multiples of 10; Default: 10 seconds) This command applies when the switch is serving as the querier (page 618), or as a proxy host when IGMP snooping proxy reporting is...
  • Page 631 | Chapter: Multicast Filtering | Layer 2 IGMP (Snooping and Query for IPv4). Web Interface: To configure IGMP snooping on a VLAN: Click Multicast, IGMP Snooping, Interface. Select Configure VLAN from the Action list. Select the VLAN to configure and update the required parameters. Click Apply.
  • Page 632: Filtering IGMP Query Packets And Multicast Data

    | Chapter: Multicast Filtering | Layer 2 IGMP (Snooping and Query for IPv4). Filtering IGMP Query Packets and Multicast Data: Use the Multicast > IGMP Snooping > Interface (Configure Interface) page to configure an interface to drop IGMP query packets or multicast data packets.
  • Page 633: Displaying Multicast Groups Discovered By IGMP Snooping

    | Chapter: Multicast Filtering | Layer 2 IGMP (Snooping and Query for IPv4). Displaying Multicast Groups Discovered by IGMP Snooping: Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping. CLI References: ◆ "show ip igmp snooping group"...
  • Page 634: Displaying IGMP Snooping Statistics

    | Chapter: Multicast Filtering | Layer 2 IGMP (Snooping and Query for IPv4). Web Interface: To show multicast groups learned through IGMP snooping: Click Multicast, IGMP Snooping, Forwarding Entry. Select the VLAN for which to display this information. Figure 368: Showing Multicast Groups Learned by IGMP Snooping. Use the Multicast >...
  • Page 635 | Chapter: Multicast Filtering | Layer 2 IGMP (Snooping and Query for IPv4). ◆ General Query Sent – The number of general queries sent from this interface. ◆ Specific Query Received – The number of specific queries received on this interface. ◆ Specific Query Sent –...
  • Page 636 | Web Interface – To display statistics for IGMP snooping query-related messages: Click Multicast, IGMP Snooping, Statistics. Select Show Query Statistics from the Action list. Select a VLAN. Figure 369: Displaying IGMP Snooping Statistics – Query. To display IGMP snooping protocol-related statistics for a VLAN: Click Multicast, IGMP Snooping, Statistics.
  • Page 637 | Figure 370: Displaying IGMP Snooping Statistics – VLAN. To display IGMP snooping protocol-related statistics for a port: Click Multicast, IGMP Snooping, Statistics. Select Show Port Statistics from the Action list. Select a Port.
  • Page 638: Filtering And Throttling IGMP Groups

    | Filtering and Throttling IGMP Groups – In certain switch applications, the administrator may want to control the multicast services that are available to end users, for example an IP/TV service based on a specific subscription plan. The IGMP filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port, and IGMP throttling limits the number of simultaneous multicast groups a port can join.
  • Page 639: Configuring IGMP Filter Profiles

    | Figure 372: Enabling IGMP Filtering and Throttling. Use the Multicast > IGMP Snooping > Filter (Configure Profile – Add) page to create an IGMP profile and set its access mode. Then use the (Add Multicast Group Range) page to configure the multicast groups to filter.
  • Page 640 | Web Interface – To create an IGMP filter profile and set its access mode: Click Multicast, IGMP Snooping, Filter. Select Configure Profile from the Step list. Select Add from the Action list. Enter the number for a profile, and set its access mode. Click Apply.
  • Page 641: Configuring IGMP Filtering And Throttling For Interfaces

    | Click Apply. Figure 375: Adding Multicast Groups to an IGMP Filtering Profile. To show the multicast groups configured for an IGMP filter profile: Click Multicast, IGMP Snooping, Filter. Select Configure Profile from the Step list. Select Show Multicast Group Range from the Action list.
  • Page 642 | removes an existing group and replaces it with the new multicast group. Parameters – These parameters are displayed: ◆ Interface – Port or trunk identifier. An IGMP profile or throttling setting can be applied to a port or trunk. When ports are configured as trunk members, the trunk uses the settings applied to the first port member in the trunk.
  • Page 643: MLD Snooping (Snooping And Query For IPv6)

    | Figure 377: Configuring IGMP Filtering and Throttling Interface Settings. MLD Snooping (Snooping and Query for IPv6) – Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it.
  • Page 644 | An IPv6 address must be configured on the VLAN interface from which the querier will act if elected. When serving as the querier, the switch uses this IPv6 address as the query source address. The querier will not start, or will disable itself after having started, if it detects an IPv6 multicast router on the network.
  • Page 645: Setting Immediate Leave Status For MLD Snooping Per Interface

    | Click Apply. Figure 378: Configuring General Settings for MLD Snooping. Use the Multicast > MLD Snooping > Interface page to configure Immediate Leave status for a VLAN...
  • Page 646: Specifying Static Interfaces For An IPv6 Multicast Router

    | Figure 379: Configuring Immediate Leave for MLD Snooping. Use the Multicast > MLD Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to an IPv6 multicast router/switch.
  • Page 647 | Figure 380: Configuring a Static Interface for an IPv6 Multicast Router. To show the static interfaces attached to a multicast router: Click Multicast, MLD Snooping, Multicast Router. Select Show Static Multicast Router from the Action list. Select the VLAN for which to display this information.
  • Page 648: Assigning Interfaces To IPv6 Multicast Services

    | Use the Multicast > MLD Snooping > MLD Member (Add Static Member) page to statically assign an IPv6 multicast service to an interface. Multicast filtering can be dynamically configured using MLD snooping and query messages (see "Configuring MLD Snooping and Query Parameters"...
  • Page 649 | Figure 383: Assigning an Interface to an IPv6 Multicast Service. To show the static interfaces assigned to an IPv6 multicast service: Click Multicast, MLD Snooping, MLD Member. Select Show Static Member from the Action list. Select the VLAN for which to display this information.
  • Page 650: Showing MLD Snooping Groups And Source List

    | Figure 385: Showing Current Interfaces Assigned to an IPv6 Multicast Service. Use the Multicast > MLD Snooping > Group Information page to display known multicast groups, member ports, the means by which each group was learned, and the corresponding source list.
  • Page 651: Multicast VLAN Registration For IPv4

    | ◆ Request List – Sources included on the router’s request list. ◆ Exclude List – Sources included on the router’s exclude list. Web Interface – To display known MLD multicast groups: Click Multicast, MLD Snooping, Group Information. Select the port or trunk, and then select a multicast service assigned to that interface.
  • Page 652: Configuring MVR Global Settings

    | Figure 387: MVR Concept (figure labels: Multicast Router, Satellite Services, Service Network, Multicast Server, Layer 2 Switch, Source Port, Receiver Ports, Set-top Box). Command Usage – General Configuration Guidelines for MVR: ◆ Enable MVR for a domain on the switch, and select the MVR VLAN (see "Configuring MVR Domain Settings"...
  • Page 653 | Parameters – These parameters are displayed: ◆ Proxy Switching – Configures MVR proxy switching, where the source port acts as a host, and the receiver port acts as an MVR router with querier service enabled.
  • Page 654 | ◆ Proxy Query Interval – Configures the interval at which the receiver port sends out general queries. (Range: 2-31744 seconds; Default: 125 seconds) ■ This parameter sets the general query interval at which active...
  • Page 655: Configuring MVR Domain Settings

    | Use the Multicast > MVR (Configure Domain) page to enable MVR globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider.
  • Page 656: Configuring MVR Group Address Profiles

    | Web Interface – To configure settings for an MVR domain: Click Multicast, MVR. Select Configure Domain from the Step list. Select a domain from the scroll-down list. Enable MVR for the selected domain, select the MVR VLAN, set the forwarding priority to be assigned to all ingress multicast traffic, and set the source IP address for all control packets sent upstream as required.
  • Page 657 | ◆ IGMP snooping and MVR share a maximum of 1024 groups. Any multicast streams received in excess of this limit will be flooded to all ports in the associated domain. Parameters – These parameters are displayed: Configure Profile...
  • Page 658 | To show the configured MVR group address profiles: Click Multicast, MVR. Select Configure Profile from the Step list. Select Show from the Action list. Figure 391: Displaying MVR Group Address Profiles. To assign an MVR group address profile to a domain: Click Multicast, MVR.
  • Page 659: Configuring MVR Interface Status

    | Figure 393: Showing the MVR Group Address Profiles Assigned to a Domain. Use the Multicast > MVR (Configure Interface) page to configure each interface that participates in the MVR protocol as a source port or receiver port.
  • Page 660 | remaining subscribers for that multicast group before removing the port from the group list. ■ Using immediate leave can speed up leave latency, but should only be enabled on a port attached to one multicast subscriber to avoid disrupting services to other group members attached to the same interface.
  • Page 661: Assigning Static MVR Multicast Groups To Interfaces

    | Web Interface – To configure interface settings for MVR: Click Multicast, MVR. Select Configure Interface from the Step list. Select Port or Trunk interface. Select an MVR domain. Set each port that will participate in the MVR protocol as a source port or receiver port, and optionally enable Immediate Leave on any receiver port to which only one subscriber is attached.
  • Page 662 | Parameters – These parameters are displayed: ◆ Domain ID – An independent multicast domain. (Range: 1-5) ◆ Interface – Port or trunk identifier. ◆ VLAN – VLAN identifier. (Range: 1-4094) ◆ Group IP Address – Defines a multicast service sent to the selected port.
  • Page 663: Displaying MVR Receiver Groups

    | Figure 396: Showing the Static MVR Groups Assigned to a Port. Use the Multicast > MVR (Show Member) page to show the multicast groups either statically or dynamically assigned to the MVR receiver groups on each interface.
  • Page 664: Displaying MVR Statistics

    | Figure 397: Displaying MVR Receiver Groups. Use the Multicast > MVR > Show Statistics pages to display MVR protocol-related statistics for the specified interface. CLI References: "show mvr statistics"...
  • Page 665 | ◆ Number of Reports Sent – The number of reports sent from this interface. ◆ Number of Leaves Sent – The number of leaves sent from this interface. VLAN, Port, and Trunk Statistics – Input Statistics: Report –...
  • Page 666 | Web Interface – To display statistics for MVR query-related messages: Click Multicast, MVR. Select Show Statistics from the Step list. Select Show Query Statistics from the Action list. Select an MVR domain. Figure 398: Displaying MVR Statistics – Query –...
  • Page 667 | To display MVR protocol-related statistics for a VLAN: Click Multicast, MVR. Select Show Statistics from the Step list. Select Show VLAN Statistics from the Action list. Select an MVR domain. Select a VLAN. Figure 399: Displaying MVR Statistics –...
  • Page 668: Multicast VLAN Registration For IPv6

    | To display MVR protocol-related statistics for a port: Click Multicast, MVR. Select Show Statistics from the Step list. Select Show Port Statistics from the Action list. Select an MVR domain. Select a Port. Figure 400: Displaying MVR Statistics –...
  • Page 669: Configuring MVR6 Global Settings

    | Set the interfaces that will join the MVR as source ports or receiver ports (see "Configuring MVR6 Interface Status" on page 675). For multicast streams that will run for a long term and be associated with a stable set of hosts, you can statically bind the multicast group to the participating interfaces (see "Assigning Static MVR6...
  • Page 670 | ◆ Robustness Value – Configures the expected packet loss, and thereby the number of times to generate report and group-specific queries. (Range: 1-10; Default: 2) ■ This parameter is used to set the number of times report messages...
  • Page 671: Configuring MVR6 Domain Settings

    | Figure 401: Configuring Global Settings for MVR6. Use the Multicast > MVR6 (Configure Domain) page to enable MVR6 globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider.
  • Page 672 | ◆ Upstream Source IPv6 – The source IPv6 address assigned to all MVR6 control packets sent upstream on the specified domain. This parameter must be a full IPv6 address including the network prefix and host address bits.
  • Page 673: Configuring MVR6 Group Address Profiles

    | Use the Multicast > MVR6 (Configure Profile and Associate Profile) pages to assign the multicast group address for required services to one or more MVR6 domains. CLI References: "MVR for IPv6"...
  • Page 674 | Web Interface – To configure an MVR6 group address profile: Click Multicast, MVR6. Select Configure Profile from the Step list. Select Add from the Action list. Enter the name of a group profile to be assigned to one or more domains, and specify a multicast group that will stream traffic to participating hosts.
  • Page 675: Configuring MVR6 Interface Status

    | Select a domain from the scroll-down list, and enter the name of a group profile. Click Apply. Figure 405: Assigning an MVR6 Group Address Profile to a Domain. To show the MVR6 group address profiles assigned to a domain: Click Multicast, MVR6.
  • Page 676 | (see "Assigning Static MVR Multicast Groups to Interfaces" on page 661). Receiver ports should not be statically configured as members of the MVR6 VLAN. If so configured, their MVR6 status will be inactive. Also, note that VLAN membership for MVR6 receiver ports cannot be set to access mode (see "Adding Static Members to VLANs"...
  • Page 677 | ◆ Forwarding Status – Shows if multicast traffic is being forwarded or blocked. ◆ MVR6 Status – Shows the MVR6 status. MVR6 status for source ports is “Active” if MVR6 is globally enabled on the switch. MVR6 status for receiver ports is “Active”...
  • Page 678: Assigning Static MVR6 Multicast Groups To Interfaces

    | Use the Multicast > MVR6 (Configure Static Group Member) page to statically bind multicast groups to a port which will receive long-term multicast streams associated with a stable set of hosts. CLI References...
  • Page 679: Displaying MVR6 Receiver Groups

    | Figure 408: Assigning Static MVR6 Groups to a Port. To show the static MVR6 groups assigned to an interface: Click Multicast, MVR6. Select Configure Static Group Member from the Step list. Select Show from the Action list.
  • Page 680: Displaying MVR6 Statistics

    | ◆ VLAN – The VLAN through which the service is received. Note that this may be different from the MVR6 VLAN if the group address has been statically assigned. ◆ Port – Indicates the source address of the multicast service, or...
  • Page 681 | ◆ Port – Port identifier. (Range: 1-10) ◆ Trunk – Trunk identifier. (Range: 1-5) Query Statistics: ◆ Querier IPv6 Address – The IP address of the querier on this interface. ◆ Querier Expire Time – The time after which this querier is assumed to...
  • Page 682 | Output Statistics: ◆ Report – The number of MLD membership reports sent from this interface. ◆ Leave – The number of leave messages sent from this interface. ◆ G Query – The number of general query messages sent from this...
  • Page 683 | To display MVR6 protocol-related statistics for a VLAN: Click Multicast, MVR6. Select Show Statistics from the Step list. Select Show VLAN Statistics from the Action list. Select an MVR6 domain. Select a VLAN. Figure 412: Displaying MVR6 Statistics –...
  • Page 684 | To display MVR6 protocol-related statistics for a port: Click Multicast, MVR6. Select Show Statistics from the Step list. Select Show Port Statistics from the Action list. Select an MVR6 domain. Select a Port. Figure 413: Displaying MVR6 Statistics –...
  • Page 685: Command Line Interface

    Section: Command Line Interface. This section provides a detailed description of the Command Line Interface, along with examples for all of the commands. This section includes these chapters: ◆ "Using the Command Line Interface" on page 687 ◆ "General Commands" on page 699 ◆...
  • Page 686 | ◆ "Class of Service Commands" on page 1173 ◆ "Quality of Service Commands" on page 1187 ◆ "Multicast Filtering Commands" on page 1205 ◆ "LLDP Commands" on page 1303 ◆ "CFM Commands" on page 1327 ◆ "OAM Commands"...
  • Page 687: Using The Command Line Interface

    When finished, exit the session with the “quit” or “exit” command. After connecting to the system through the console port, the login screen displays: User Access Verification Username: admin Password: CLI session with the ECS3510-10PD is opened. To end the CLI session, enter [Exit]. Console#...
  • Page 688: Telnet Connection

    When finished, exit the session with the “quit” or “exit” command. After entering the Telnet command, the login screen displays: Username: admin Password: CLI session with the ECS3510-10PD is opened. To end the CLI session, enter [Exit]. Vty-0#...
  • Page 689: Entering Commands

    | You can open up to eight sessions to the device via Telnet or SSH. Entering Commands – This section describes how to enter CLI commands. Keywords and Arguments – A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.
  • Page 690: Getting Help On Commands

    | Getting Help on Commands – You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters. Showing Commands – If you enter a “?”...
  • Page 691 | power-source-status Show power source port status pppoe Displays PPPoE configuration privilege Shows current privilege level process Device process protocol-vlan Protocol-VLAN information public-key Public key information Quality of Service queue Priority queue information radius-server RADIUS server information reload...
  • Page 692: Partial Keyword Lookup

    | Partial Keyword Lookup – If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.”...
  • Page 693: Understanding Command Modes

    “super.” To enter Privileged Exec mode, enter the following user names and passwords: Username: admin Password: [admin login password] CLI session with the ECS3510-10PD is opened. To end the CLI session, enter [Exit]. Console#...
  • Page 694: Configuration Commands

    | Username: guest Password: [guest login password] CLI session with the ECS3510-10PD is opened. To end the CLI session, enter [Exit]. Console>enable Password: [privileged level password] Console# Configuration Commands – Configuration commands are privileged level commands used to modify switch settings.
  • Page 695: Table 42: Configuration Command Modes

    | ◆ Time Range - Sets a time range for use by other functions, such as Access Control Lists. ◆ VLAN Configuration - Includes the command to create VLAN groups. To enter the Global Configuration mode, enter the command configure in Privileged Exec mode.
  • Page 696: Command Line Processing

    | Command Line Processing – Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?”...
  • Page 697: CLI Command Groups

    | CLI Command Groups – The system commands can be broken down into the functional groups shown below. Table 44: Command Group Index (Command Group / Description / Page): General – Basic commands for entering privileged access mode, restarting the system, or quitting the CLI; System Management – Display and setting of system information, basic modes...
  • Page 698 | Table 44: Command Group Index (Continued) (Command Group / Description / Page): VLANs – Configures VLAN settings, and defines port membership for VLAN groups; also enables or configures private VLANs, protocol VLANs, voice VLANs, and QinQ tunneling (page 1131); Class of Service – Sets port priority for untagged frames, selects strict... (page 1173)
  • Page 699: General Commands

    General Commands – The general commands are used to control the command access mode, configuration mode, and other basic functions. Table 45: General Commands (Command / Function / Mode): prompt – Customizes the CLI prompt; reload – Restarts the system at a specified time, after a specified delay, or at a periodic interval; enable – Activates privileged mode...
  • Page 700 | Example: Console(config)#prompt RD2 RD2(config)# reload (Global Configuration) – This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time. Use the cancel option to remove a configured setting.
  • Page 701 | Command Usage: ◆ This command resets the entire system. ◆ Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten. ◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config...
  • Page 702 | Example: Console>enable Password: [privileged level password] Console# Related Commands: disable (704), enable password (816). quit – This command exits the configuration program. Default Setting: None. Command Mode: Normal Exec, Privileged Exec. Command Usage: The quit and exit commands can both exit the configuration program. Example: This example shows how to quit a CLI session: Console#quit...
  • Page 703 | Example: In this example, the show history command lists the contents of the command history buffer: Console#show history Execution command history: 2 config 1 show history Configuration command history: 4 interface vlan 1 3 exit 2 interface vlan 1 1 end Console# The ! command repeats commands from the Execution command history...
  • Page 704 | disable – This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See "Understanding Command Modes"...
  • Page 705: Show Reload

    | show reload – This command displays the current reload settings, and the time at which the next scheduled reload will take place. Command Mode: Privileged Exec. Example: Console#show reload Reloading switch in time: 0 hours 29 minutes. The switch will be rebooted at January 1 02:11:50 2001.
  • Page 706 | Example: This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session User Access Verification Username:...
  • Page 707: Table 46: System Management Commands

    System Management Commands – The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information. Table 46: System Management Commands (Command Group / Function): Device Designation – Configures information that uniquely identifies this switch; Banner Information – Configures administrative contact, device identification and location...
  • Page 708: Table 48: Banner Commands

    | Banner Information – hostname: This command specifies or modifies the host name for this device. Use the no form to restore the default host name. Syntax: hostname name / no hostname. name - The name of this host. (Maximum length: 255 characters) Default Setting: None...
  • Page 709: Banner Configure

    | Banner Information – Table 48: Banner Commands (Continued) (Command / Function / Mode): banner configure manager-info – Configures the Manager contact information that is displayed by banner; banner configure mux – Configures the MUX information that is displayed by banner; banner configure note – Configures miscellaneous information that is displayed by banner under the Notes heading...
  • Page 710 | Row: 7 Rack: 29 Shelf in this rack: 8 Information about DC power supply. Floor: 2 Row: 7 Rack: 25 Electrical circuit: : ec-177743209-xb Number of LP:12 Position of the equipment in the MUX:1/23 IP LAN:192.168.1.1 Note: This is a random note about this managed switch and can contain miscellaneous information.
  • Page 711 | banner configure dc-power-info – This command is used to configure DC power information displayed in the banner. Use the no form to restore the default setting. Syntax: banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id / no banner configure dc-power-info [floor | row | rack | electrical-circuit]...
  • Page 712 | Command Mode: Global Configuration. Command Usage: Input strings cannot contain spaces. The banner configure department command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 713 | Example: Console(config)#banner configure equipment-info manufacturer-id ECS3510-10PD floor 3 row 10 rack 15 shelf-rack 12 manufacturer Edge-Core Console(config)# banner configure – This command is used to configure the equipment location information displayed in the banner. Use the no form to restore the default setting.
  • Page 714 | Command Mode: Global Configuration. Command Usage: Input strings cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 715 | banner configure manager-info – This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting. Syntax: banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number] / no banner configure manager-info [name1 | name2 | name3]...
  • Page 716 | Default Setting: None. Command Mode: Global Configuration. Command Usage: Input strings cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 717: Table 49: System Status Commands

    R&D Albert_Einstein - 123-555-1212 Lamar - 123-555-1219 Station's information: 710_Network_Path,_Indianapolis ECS3510-10PD Floor / Row / Rack / Sub-Rack 3/ 10 / 15 / 12 DC power supply: Power Source A: Floor / Row / Rack / Electrical circuit 3/ 15 / 24 / 48v-id_3.15.24.2...
  • Page 718 | Table 49: System Status Commands (Continued) (Command / Function / Mode): show watchdog – Shows if watchdog debugging is enabled; watchdog software – Monitors key processes, and automatically reboots the system if any of these processes are not responding correctly. show access-list ... – This command shows utilization parameters for TCAM (Ternary Content...
  • Page 719 | Alarm Configuration Rising Threshold : 90% Falling Threshold : 70% Console# Related Commands: memory (805). show process cpu – This command shows the CPU utilization parameters, alarm status, and alarm configuration. Command Mode: Normal Exec, Privileged Exec. Example: Console#show process cpu CPU Utilization in the past 5 seconds : 18%...
  • Page 720: Interface Settings

    VLAN 1 name DefaultVlan media ethernet state active spanning-tree mst configuration interface ethernet 1/1 switchport allowed vlan add 1 untagged switchport native vlan 1 switchport allowed vlan add 4093 tagged interface vlan 1 ip address dhcp ip dhcp client class-id text Edge-Core...
  • Page 721 | line console line vty Console# Related Commands: show startup-config (721). show startup-config – This command displays the configuration file stored in non-volatile memory that is used to start up the system. Command Mode: Privileged Exec. Command Usage: Use this command in conjunction with the show running-config...
  • Page 722 For a description of the items shown by this command, refer to "Displaying System Information" on page 119. Example: Console#show system / System Description : ECS3510-10PD / System OID String : 1.3.6.1.4.1.259.10.1.25 / System Information / System Up Time : 0 days, 7 hours, 20 minutes, and 43.30 seconds...
  • Page 723: Show Users | Chapter: System Management Commands, System Status. show users - Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client. Default Setting: None. Command Mode: Normal Exec, Privileged Exec. Command Usage: The session used to execute this command is indicated by a "*" symbol next to the Line (i.e., session) index number.
  • Page 724: Show Watchdog | Chapter: System Management Commands, System Status. Example: Console#show version / Unit 1 / Serial Number : S123456 / Hardware Version : R0A / EPLD Version : 0.00 / Number of Ports : 10 / Main Power Status : Up / Redundant Power Status : Not present / Role : Master / Loader Version...
  • Page 725: Frame Size | Chapter: System Management Commands, Frame Size. This section describes commands used to configure the Ethernet frame size on the switch. Table 50: Frame Size Commands. Command / Function / Mode: jumbo frame - Enables support for jumbo frames. jumbo frame - This command enables support for Layer 2 jumbo frames for Gigabit Ethernet ports.
  • Page 726: File Management | Chapter: System Management Commands, File Management. Managing Firmware: Firmware can be uploaded and downloaded to or from an FTP/TFTP server. By saving runtime code to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version. Neither protocol protects the transfer: FTP sends the user name and password in cleartext and TFTP has no authentication at all, so firmware and configuration transfers belong on a trusted management network.
  • Page 727: General Commands | Chapter: System Management Commands, File Management. Table 51: Flash/File Commands (Continued). Command / Function / Mode: TFTP Configuration Commands: ip tftp retry - Specifies the number of times the switch can retry transmitting a request to a TFTP server; ip tftp timeout - Specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out for the last retry...
  • Page 728: Copy | Chapter: System Management Commands, File Management. copy - This command moves (upload/download) a code image or configuration file between the switch's flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation.
  • Page 729 | Chapter: System Management Commands, File Management. ◆ To replace the startup configuration, you must use startup-config as the destination. ◆ The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help.
  • Page 730 | Chapter: System Management Commands, File Management. The following example shows how to copy the running configuration to a startup file. Console#copy running-config file / destination file name: startup / Write to FLASH Programming. / Write to FLASH finish. / Success. / Console#. The following example shows how to download a configuration file: Console#copy tftp startup-config / TFTP server ip address: 10.1.0.99 / Source configuration file name: startup.01...
  • Page 731: Delete | Chapter: System Management Commands, File Management. This example shows how to copy a file from an FTP server into the switch's file system (in the copy command the first keyword is the source and the second the destination, as in the copy tftp startup-config download above). Console#copy ftp file / FTP server IP address: 169.254.1.11 / User[anonymous]: admin / Password[]: ***** / Choose file type: 1. config: 2. opcode: 2 / Source file name: BLANC.BIX / Destination file name: BLANC.BIX / Console#. delete - This command deletes a file or image.
  • Page 732: Whichboot | Chapter: System Management Commands, File Management. config - Switch configuration file. opcode - Run-time operation code image file. filename - Name of configuration file or code image. If this file exists but contains errors, information on this file cannot be shown. Default Setting: None...
  • Page 733: Automatic Code Upgrade Commands | Chapter: System Management Commands, File Management. Command Mode: Privileged Exec. Example: This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command. Console#whichboot / File Name / Type / Startup / Modify Time...
  • Page 734: Upgrade Opcode Path | Chapter: System Management Commands, File Management. It sets the new version as the startup image. It then restarts the system to start using the new image. ◆ Any changes made to the default setting can be displayed with the show running-config or show startup-config commands.
  • Page 735: Upgrade Opcode Reload | Chapter: System Management Commands, File Management. ◆ The name for the new image stored on the TFTP server must be es3510ma.bix. However, note that the file name is not to be included in this command. TFTP provides no authentication or integrity protection, so the upgrade path should point only at a server on a trusted management network. ◆ When specifying a TFTP server, the following syntax must be used, ...
  • Page 736: Show Upgrade | Chapter: System Management Commands, File Management. show upgrade - This command shows the opcode upgrade configuration settings. Command Mode: Privileged Exec. Example: Console#show upgrade / Auto Image Upgrade Global Settings: / Status : Disabled / Reload Status : Disabled / Path / File Name : es3510ma.bix / Console#. TFTP Configuration Commands: This command specifies the number of times the switch can retry...
  • Page 737: Ip Tftp Timeout | Chapter: System Management Commands, File Management. ip tftp timeout - This command specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out for the last retry. Use the no form to restore the default setting. Syntax: ip tftp timeout seconds / no ip tftp timeout...
  • Page 738: Line | Chapter: System Management Commands, Line. You can access the onboard configuration program by attaching a VT100-compatible device to the switch's serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
  • Page 739: Databits | Chapter: System Management Commands, Line. Default Setting: There is no default line. Command Mode: Global Configuration. Command Usage: Telnet is considered a virtual terminal connection and will be shown as "VTY" in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections.
  • Page 740: Exec-Timeout | Chapter: System Management Commands, Line. Example: To specify 7 data bits, enter this command: Console(config-line)#databits 7 / Console(config-line)#. Related Commands: parity (742). exec-timeout - This command sets the interval that the system waits until user input is detected. Use the no form to restore the default. Syntax: exec-timeout [seconds] / no exec-timeout...
  • Page 741: Login | Chapter: System Management Commands, Line. login - This command enables password checking at login. Use the no form to disable password checking and allow connections without a password. Syntax: login [local] / no login. local - Selects local password checking. Authentication is based on the user name specified with the username command.
  • Page 742: Parity | Chapter: System Management Commands, Line. parity - This command defines the generation of a parity bit. Use the no form to restore the default setting. Syntax: parity {none | even | odd} / no parity. none - No parity; even - Even parity; odd - Odd parity. Default Setting: ...
  • Page 743: Password-Thresh | Chapter: System Management Commands, Line. Command Usage: ◆ When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns...
  • Page 744: Silent-Time | Chapter: System Management Commands, Line. Example: To set the password threshold to five attempts, enter this command: Console(config-line)#password-thresh 5 / Console(config-line)#. Related Commands: silent-time (744). silent-time - This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command.
  • Page 745: Stopbits | Chapter: System Management Commands, Line. Default Setting: 115200 bps. Command Mode: Line Configuration. Command Usage: Set the speed to match the baud rate of the device connected to the serial port. Some baud rates available on devices connected to the port might not be supported.
  • Page 746: Timeout Login Response | Chapter: System Management Commands, Line. timeout login response - This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting. Syntax: timeout login response [seconds] / no timeout login response. seconds - Integer that specifies the timeout interval.
  • Page 747: Terminal | Chapter: System Management Commands, Line. Example: Console#disconnect 1 / Console#. Related Commands: show ssh (854), show users (723). terminal - This command configures terminal settings, including escape-character, terminal lines displayed, terminal type, width, and command history. Use the no form with the appropriate keyword to restore the default setting. Syntax: terminal {escape-character {ASCII-number | character} | history [size size] | length length | terminal-type {ansi-bbs |...
  • Page 748: Show Line | Chapter: System Management Commands, Line. Example: This example sets the number of lines displayed by commands with lengthy output such as show running-config to 48 lines. Console#terminal length 48 / Console#. show line - This command displays the terminal line's parameters. Syntax: show line [console | vty]. console - Console terminal line.
  • Page 749: Table 54: Event Logging Commands | Chapter: System Management Commands, Event Logging. This section describes commands used to configure event logging on the switch. Table 54: Event Logging Commands. Command / Function / Mode: logging facility - Sets the facility type for remote logging of syslog messages; logging history - Limits syslog messages saved to switch memory based...
  • Page 750: Table 55: Logging Levels | Chapter: System Management Commands, Event Logging. logging history - This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax: logging history {flash | ram} level / no logging history {flash | ram}. flash - Event history stored in flash memory (i.e., permanent memory).
  • Page 751 | Chapter: System Management Commands, Event Logging. logging host - This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. Syntax: logging host host-ip-address [port udp-port] / no logging host host-ip-address. host-ip-address - The IPv4 or IPv6 address of a syslog server.
  • Page 752 | Chapter: System Management Commands, Event Logging. Example: Console(config)#logging on / Console(config)#. Related Commands: logging history (750), logging trap (752), clear log (752). logging trap - This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging.
  • Page 753: Show Log | Chapter: System Management Commands, Event Logging. ram - Event history stored in temporary RAM (i.e., memory flushed on power reset). Default Setting: Flash and RAM. Command Mode: Privileged Exec. Example: Console#clear log / Console#. Related Commands: show log (753). show log - This command displays the log messages stored in local memory. Syntax: show log {flash | ram}...
  • Page 754: Table 56: Show Logging Flash/Ram - Display Description | Chapter: System Management Commands, Event Logging. level: 6, module: 5, function: 1, and event no.: 1 / Console#. show logging - This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server.
  • Page 755: Table 57: Show Logging Trap - Display Description | Chapter: System Management Commands, SMTP Alerts. The following example displays settings for the trap function. Console#show logging trap / Remote Log Status : Disabled / Remote Log Facility Type : Local use 7 / Remote Log Level Type : Debugging messages / Remote Log Server IP Address : 0.0.0.0 (listed four times)...
  • Page 756 | Chapter: System Management Commands, SMTP Alerts. logging sendmail - This command enables SMTP event handling. Use the no form to disable this function. Syntax: [no] logging sendmail. Default Setting: Enabled. Command Mode: Global Configuration. Example: Console(config)#logging sendmail / Console(config)#. logging sendmail host - This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server.
  • Page 757 | Chapter: System Management Commands, SMTP Alerts. Example: Console(config)#logging sendmail host 192.168.1.19 / Console(config)#. logging sendmail level - This command sets the severity threshold used to trigger alert messages. Use the no form to restore the default setting. Syntax: logging sendmail level level / no logging sendmail level. level - One of the system message levels (page...
  • Page 758 | Chapter: System Management Commands, SMTP Alerts. Command Mode: Global Configuration. Command Usage: You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient. Example: Console(config)#logging sendmail destination-email ted@this-company.com / Console(config)#. logging sendmail source-email - This command sets the email address used for the "From" field in alert messages.
  • Page 759: Table 59: Time Commands | Chapter: System Management Commands, Time. SMTP Minimum Severity Level: 7 / SMTP destination email addresses / ----------------------------------------------- / ted@this-company.com / SMTP Source Email Address: bill@this-company.com / SMTP Status: Enabled / Console#. The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP).
  • Page 760 | Chapter: System Management Commands, Time. SNTP Commands: sntp client - This command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp server command. Use the no form to disable SNTP client requests. Syntax: [no] sntp client. Default...
  • Page 761 | Chapter: System Management Commands, Time. sntp poll - This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore the default. Syntax: sntp poll seconds / no sntp poll. seconds - Interval between time requests.
  • Page 762 | Chapter: System Management Commands, Time. Example: Console(config)#sntp server 10.1.0.19 / Console#. Related Commands: sntp client (760), sntp poll (761), show sntp (762). show sntp - This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated.
  • Page 763 | Chapter: System Management Commands, Time. ...their associated key number must be centrally managed and manually distributed to NTP servers and clients. The key numbers and key values must match on both the server and client. Example: Console(config)#ntp authenticate / Console(config)#. Related Commands: ntp authentication-key (763)
  • Page 764 | Chapter: System Management Commands, Time. Example: Console(config)#ntp authentication-key 45 md5 thisiskey45 / Console(config)#. Related Commands: ntp authenticate (762). ntp client - This command enables NTP client requests for time synchronization from NTP time servers specified with the ntp server command. Use the no form to disable NTP client requests.
  • Page 765 | Chapter: System Management Commands, Time. ntp server - This command sets the IP addresses of the servers to which NTP time requests are issued. Use the no form of the command to clear a specific time server or all servers from the current list. Syntax: ntp server ip-address [key key-number] / no ntp server [ip-address]...
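How ntp authentication-key <id> md5 <key> and ntp server <ip> key <id> fit together, as an added Python example (not Edge-Core code): RFC 5905 appends a 4-byte key identifier and MD5(key || header) to the 48-byte NTP header, and the receiver looks the identifier up in its own key table and recomputes the digest, which is why both the key number and the key value must match on both ends. Key 45 is taken from the page; the second server key and the packet contents are constructed, and nothing is sent on the network. This keyed-MD5 construction is the only authentication the page shows; it binds the packet to a shared secret but relies on MD5 and a prefix-keyed digest rather than an HMAC, so treat it as a guard against casual spoofing rather than strong cryptographic protection.

```python
"""NTP symmetric-key (MD5) authenticator, RFC 5905 style (added example, not Edge-Core code)."""
import hashlib
import hmac
import struct

# Constructed key tables. Key 45 matches the page's `ntp authentication-key 45 md5 thisiskey45`.
CLIENT_KEYS = {45: b"thisiskey45"}
SERVER_KEYS = {45: b"thisiskey45", 46: b"anotherkey"}

HEADER_LEN, KEYID_LEN, DIGEST_LEN = 48, 4, 16


def ntp_client_header(transmit_ts: int = 0) -> bytes:
    """Build a 48-byte NTPv4 client header (LI=0, VN=4, Mode=3, poll 6, precision -20)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    # stratum, poll, precision, then root delay, root dispersion, reference ID,
    # reference/origin/receive timestamps (zero here) and the transmit timestamp.
    return struct.pack("!BBBb11I", li_vn_mode, 0, 6, -20, *([0] * 9),
                       transmit_ts >> 32, transmit_ts & 0xFFFFFFFF)


def authenticate(header: bytes, key_id: int, keys: dict) -> bytes:
    """Client side: append keyid || MD5(key || header)."""
    if len(header) != HEADER_LEN:
        raise ValueError("header must be 48 bytes")
    digest = hashlib.md5(keys[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet: bytes, keys: dict) -> bool:
    """Server side: accept only a known key id whose digest matches."""
    if len(packet) != HEADER_LEN + KEYID_LEN + DIGEST_LEN:
        return False                       # unauthenticated or malformed: reject
    header = packet[:HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + KEYID_LEN])
    digest = packet[HEADER_LEN + KEYID_LEN:]
    key = keys.get(key_id)
    if key is None:
        return False                       # unknown key number: never fall back to "trusted"
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, digest)
```

Both sides must hold the same (number, value) pair: a matching value under a different number, or a matching number with a different value, fails in the same way a tampered header does.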
  • Page 766 | Chapter: System Management Commands, Time. show ntp - This command displays the current time and configuration settings for the NTP client, and indicates whether or not the local time has been properly updated. Command Mode: Normal Exec, Privileged Exec. Command Usage: This command displays the current time, the poll interval used for sending time synchronization requests, and the current NTP mode (i.e., unicast).
  • Page 767 | Chapter: System Management Commands, Time. e-date - Day of the month when summer time will end. (Range: 1-31) e-month - The month when summer time will end. (Options: january | february | march | april | may | june | july | august | september | october | november | december) e-year - The year summer time will end.
  • Page 768: Table 60: Predefined Summer-Time Parameters | Chapter: System Management Commands, Time. clock summer-time (predefined) - This command configures the summer time (daylight savings time) status and settings for the switch using predefined configurations for several major regions in the world. Use the no form to disable summer time. Syntax: clock summer-time name predefined [australia | europe | new-zealand | usa]...
  • Page 769 | Chapter: System Management Commands, Time. clock summer-time (recurring) - This command allows the user to manually configure the start, end, and offset times of summer time (daylight savings time) for the switch on a recurring basis. Use the no form to disable summer-time. Syntax: clock summer-time name recurring b-week b-day b-month b-hour b-minute e-week e-day e-month e-hour e-minute [offset]...
  • Page 770 | Chapter: System Management Commands, Time. Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn. ◆ This command sets the summer-time time zone relative to the currently configured time zone. To display a time corresponding to your local time when summer time is in effect, you must indicate the number of minutes your summer-time time zone deviates from your regular time zone.
  • Page 771 | Chapter: System Management Commands, Time. Example: Console(config)#clock timezone Japan hours 9 minute 0 after-UTC / Console(config)#. Related Commands: show sntp (762). clock timezone-predefined - This command uses predefined time zone configurations to set the time zone for the switch's internal clock. Use the no form to restore the default. Syntax: clock timezone-predefined offset-city...
  • Page 772 | Chapter: System Management Commands, Time. calendar set - This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server. Syntax: calendar set hour min sec {day month year | month day year}. hour - Hour in 24-hour format.
  • Page 773: Time Range | Chapter: System Management Commands, Time Range. This section describes the commands used to set a time range for use by other functions, such as Access Control Lists. Table 61: Time Range Commands. Command / Function / Mode: time-range - Specifies the name of a time range, and enters time range configuration mode; absolute - Sets the time range for the execution of a command...
  • Page 774: Absolute | Chapter: System Management Commands, Time Range. absolute - This command sets the time range for the execution of a command. Use the no form to remove a previously specified time. Syntax: absolute start hour minute day month year [end hour minute day month year] / absolute end hour minute day month year / no absolute. hour - Hour in 24-hour format.
  • Page 775: Periodic | Chapter: System Management Commands, Time Range. periodic - This command sets the time range for the periodic execution of a command. Use the no form to remove a previously specified time range. Syntax: [no] periodic {daily | friday | monday | saturday | sunday | thursday | tuesday | wednesday | weekdays | weekend} hour minute to {daily | friday | monday | saturday | sunday | thursday | tuesday | wednesday | weekdays | weekend |...
  • Page 776: Show Time-Range | Chapter: System Management Commands, Switch Clustering. show time-range - This command shows configured time ranges. Syntax: show time-range [name]. name - Name of the time range. (Range: 1-16 characters) Default Setting: None. Command Mode: Privileged Exec. Example: Console#show time-range r&d / Time-range r&d: / absolute start 01:01 01 April 2009 / periodic Daily 01:01 to...
  • Page 777: Cluster | Chapter: System Management Commands, Switch Clustering. ...then use the Commander to manage the Member switches through the cluster's "internal" IP addresses. ◆ Clustered switches must be in the same Ethernet broadcast domain. In other words, clustering only functions for switches which can pass information between the Commander and potential Candidates or active Members through VLAN 4093.
  • Page 778: Cluster Commander | Chapter: System Management Commands, Switch Clustering. ◆ There can be up to 100 candidates and 36 member switches in one cluster. ◆ A switch can only be a Member of one cluster. ◆ Configured switch clusters are maintained across power resets and...
  • Page 779: Cluster Ip-Pool | Chapter: System Management Commands, Switch Clustering. cluster ip-pool - This command sets the cluster IP address pool. Use the no form to reset to the default address. Syntax: cluster ip-pool ip-address / no cluster ip-pool. ip-address - The base IP address for IP addresses assigned to cluster Members.
  • Page 780: Rcommand. ◆ There is no need to enter the username and password for access to the Member switch CLI; whoever holds the Commander's management credentials therefore reaches every Member's CLI through it, so the Commander's own access controls protect the whole cluster. Example: Console#rcommand id 1 / CLI session with the ECS3510-10PD is opened. / To end the CLI session, enter [Exit]. / Vty-0#
  • Page 781: Show Cluster. Example: Console#show cluster members / Cluster Members: / Role : Active member / IP Address : 10.254.254.2 / MAC Address : 00-E0-0C-00-00-FE / Description : ECS3510-10PD / Console#. show cluster candidates - This command shows the discovered Candidate switches in the network. Command Mode: Privileged Exec. Example: Console#show cluster candidates...
  • Page 782: Powered Device | Chapter: System Management Commands, Powered Device. The PD version of this switch supports the IEEE 802.3af Power over Ethernet (PoE) standard for Powered Devices (PD), enabling Power Sourcing Equipment (PSE) to supply DC power over Ethernet cable to any of the Fast Ethernet ports on this switch.
  • Page 783: Show Power-Source-Check | Chapter: System Management Commands, Powered Device. show power-source-check - This command shows if the switch is checking the Fast Ethernet ports for power supplied from PSE. Command Mode: Privileged Exec. Example: Console#show power-source-check / PSE Check Status: Enabled / Console#. show power-... - This command shows if power is being supplied to any of the Fast Ethernet ports.
  • Page 784 | Chapter: System Management Commands, Powered Device.
  • Page 785: Snmp Commands. SNMP COMMANDS: SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
  • Page 786 | Chapter: SNMP Commands. Table 64: SNMP Commands (Continued). Command / Function / Mode: show snmp view - Shows the SNMP views. Notification Log Commands: nlm - Enables the specified notification log; snmp-server notify-filter - Creates a notification log and specifies the target host (GC); show nlm oper-status - Shows operation status of configured notification logs (PE); show snmp notify-filter - Displays the configured notification logs...
  • Page 787: General Snmp Commands | Chapter: SNMP Commands, General SNMP Commands. Table 64: SNMP Commands (Continued). Command / Function / Mode: Additional Trap Commands: memory - Sets the rising and falling threshold for the memory utilization alarm; process cpu - Sets the rising and falling threshold for the CPU utilization alarm; show memory - Shows memory utilization parameters...
  • Page 788: Snmp-Server Contact | Chapter: SNMP Commands, General SNMP Commands. Default Setting: ◆ public - Read-only access. Authorized management stations are only able to retrieve MIB objects. ◆ private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects. Both default community strings are universally known and travel in cleartext in SNMPv1/v2c, so they should be removed or replaced before the agent is reachable from any untrusted network. Command Mode: Global Configuration. Example: ...
  • Page 789: Global Configuration | Chapter: SNMP Commands, General SNMP Commands. Default Setting: None. Command Mode: Global Configuration. Example: Console(config)#snmp-server location WC-19 / Console(config)#. Related Commands: snmp-server contact (788). show snmp - This command can be used to check the status of SNMP communications. Default Setting: None. Command Mode: Normal Exec, Privileged Exec. Command...
  • Page 790: Snmp Target Host Commands | Chapter: SNMP Commands, SNMP Target Host Commands. 0 SNMP packets output / 0 Too big errors / 0 No such name errors / 0 Bad values errors / 0 General errors / 0 Response PDUs / 0 Trap PDUs / SNMP Logging: Disabled / Console#. SNMP Target Host Commands: snmp-server ... - This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications).
  • Page 791: Snmp-Server Host | Chapter: SNMP Commands, SNMP Target Host Commands. ...send notifications, you must configure at least one snmp-server host command. ◆ The authentication, link-up, and link-down traps are legacy notifications, and therefore when used for SNMP Version 3 hosts, they must be enabled in conjunction with the corresponding entries in the Notify View assigned by the snmp-server group command.
  • Page 792 | Chapter: SNMP Commands, SNMP Target Host Commands. ...privacy. See "Simple Network Management Protocol" on page 453 for further information about these authentication and encryption options. port - Host UDP port to use. (Range: 1-65535; Default: 162) Default Setting: Host Address: None; Notification Type: Traps; SNMP Version: 1; UDP Port: 162...
  • Page 793: Snmp-Server Enable Port-Traps Mac-Notification | Chapter: SNMP Commands, SNMP Target Host Commands. To send an inform to an SNMPv3 host, complete these steps: 1. Enable the SNMP agent (page 787). 2. Create a remote SNMPv3 user to use in the message exchange process (page 797). 3. Create a view with the required notification messages (page 798)...
  • Page 794: Show Snmp-Server Enable Port-Traps | Chapter: SNMP Commands, SNMPv3 Commands. Example: Console(config)#interface ethernet 1/1 / Console(config-if)#snmp-server enable port-traps mac-notification / Console(config)#. show snmp-server enable port-traps - This command shows if SNMP traps are enabled or disabled for the specified interfaces. Syntax: show snmp-server enable port-traps interface [interface]. interface: ethernet unit/port; unit - Unit identifier.
  • Page 795 | Chapter: SNMP Commands, SNMPv3 Commands. Default Setting: A unique engine ID is automatically generated by the switch based on its MAC address. Command Mode: Global Configuration. Command Usage: ◆ An SNMP engine is an independent SNMP agent that resides either on...
  • Page 796: Snmp-Server Group | Chapter: SNMP Commands, SNMPv3 Commands. snmp-server group - This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group. Syntax: snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] / no snmp-server group groupname. groupname - Name of an SNMP group.
  • Page 797: Snmp-Server User | Chapter: SNMP Commands, SNMPv3 Commands. Example: Console(config)#snmp-server group r&d v3 auth write daily / Console(config)#. snmp-server user - This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group.
  • Page 798: Snmp-Server View | Chapter: SNMP Commands, SNMPv3 Commands. ◆ Remote users (i.e., the command specifies a remote engine identifier) must be configured to identify the source of SNMPv3 inform messages sent from the local switch. ◆ The SNMP engine ID is used to compute the authentication/privacy...
  • Page 799: Show Snmp Engine-Id | Chapter: SNMP Commands, SNMPv3 Commands. Command Usage: ◆ Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree. ◆ The predefined view "defaultview" includes access to the entire MIB tree. Examples: This view includes MIB-2.
  • Page 800: Show Snmp Group | Chapter: SNMP Commands, SNMPv3 Commands. Table 65: show snmp engine-id - display description (Continued). Field / Description: Remote SNMP engineID - String identifying an engine ID on a remote device; IP address - IP address of the device containing the corresponding remote SNMP engine.
  • Page 801: Show Snmp User | Chapter: SNMP Commands, SNMPv3 Commands. Table 66: show snmp group - display description. Field / Description: Group Name - Name of an SNMP group; Security Model - The SNMP version; Read View - The associated read view; Write View - The associated write view; Notify View - The associated notify view.
  • Page 802: Show Snmp View | Chapter: SNMP Commands, Notification Log Commands. show snmp view - This command shows information on the SNMP views. Command Mode: Privileged Exec. Example: Console#show snmp view / View Name: mib-2 / Subtree OID: 1.2.2.3.6.2.1 / View Type: included / Storage Type: permanent / Row Status: active / View Name: defaultview / Subtree OID: 1 / View Type: included...
  • Page 803: Snmp-Server Notify-Filter | Chapter: SNMP Commands, Notification Log Commands. ◆ Disabling logging with this command does not delete the entries stored in the notification log. Example: This example enables the notification log A1. Console(config)#nlm A1 / Console(config)#. snmp-server notify-filter - This command creates an SNMP notification log. Use the no form to remove this log.
  • Page 804: Show Nlm Oper-Status | Chapter: SNMP Commands, Notification Log Commands. ◆ To avoid this problem, notification logging should be configured and enabled using the snmp-server notify-filter and nlm commands, and these commands stored in the startup configuration file. Then when the switch reboots, SNMP traps (such as warm start) can be logged.
  • Page 805: Show Snmp Notify-Filter | Chapter: SNMP Commands, Additional Trap Commands. show snmp notify-filter - This command displays the configured notification logs. Command Mode: Privileged Exec. Example: This example displays the configured notification logs and associated target hosts. Console#show snmp notify-filter / Filter profile name / IP address / ---------------------------- / ---------------- / 10.1.19.23...
  • Page 806: Process Cpu | Chapter: SNMP Commands, Additional Trap Commands. process cpu - This command sets an SNMP trap based on configured thresholds for CPU utilization. Use the no form to restore the default setting. Syntax: process cpu {rising rising-threshold | falling falling-threshold} / no process cpu {rising | falling}. rising-threshold - Rising threshold for CPU utilization alarm expressed in percentage.
  • Page 807: Remote Monitoring Commands. REMOTE MONITORING COMMANDS: Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
  • Page 808: Rmon Alarm | Chapter: Remote Monitoring Commands. rmon alarm - This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm. Syntax: rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name] / no rmon alarm index. index -...
  • Page 809: Rmon Event | Chapter: Remote Monitoring Commands. ◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold.
  • Page 810: Rmon Collection History

    Chapter | Remote Monitoring Commands. ◆ The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager. Example: Console(config)#rmon event 2 log description urgent owner mike Console(config)# rmon collection history: This command periodically samples statistics on a physical interface.
  • Page 811 Chapter | Remote Monitoring Commands. show running-config command will display a message indicating that this index is not available for the port to which it is normally assigned. For example, if control entry 15 is assigned to port 5 as shown below, the show running-config command will indicate that this entry is not available for port 8.
  • Page 812: Show Rmon Alarms

    Chapter | Remote Monitoring Commands. Example: Console(config)#interface ethernet 1/1 Console(config-if)#rmon collection rmon1 controlEntry 1 owner mike Console(config-if)# show rmon alarms: This command shows the settings for all configured alarms. Command Mode: Privileged Exec. Example: Console#show rmon alarms Alarm 1 is valid, owned by Monitors 1.3.6.1.2.1.16.1.1.1.6.1 every 30 seconds Taking delta samples, last value was 0 Rising threshold is 892800, assigned to event 0...
  • Page 813: Show Rmon Statistics

    Chapter | Remote Monitoring Commands. 0 undersized and 0 oversized packets, 0 fragments and 0 jabbers packets, 0 CRC alignment errors and 0 collisions. # of dropped packet events is 0 Network utilization is estimated at 0 show rmon statistics: This command shows the information collected for all configured entries in the statistics group.
  • Page 815: Authentication Commands

    Authentication Commands. You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 816: User Accounts And Privilege Levels

    Chapter | Authentication Commands | User Accounts and Privilege Levels. User Accounts and Privilege Levels: The basic commands required for management access and assigning command privilege levels are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 738), user authentication via a remote authentication server (page...
  • Page 817: Username

    Chapter | Authentication Commands | User Accounts and Privilege Levels. Default Setting: The default is level 15. The default password is “super”. Command Mode: Global Configuration. Command Usage: ◆ You cannot set a null password. You will have to enter a password to...
  • Page 818: Table 72: Default Login Settings

    Chapter | Authentication Commands | User Accounts and Privilege Levels. Levels 0-7 provide the same default access privileges, all within Normal Exec mode under the “Console>” command prompt. Levels 8-14 provide the same default access privileges, including additional commands in Normal Exec mode, and a subset of commands in Privileged Exec mode under the “Console#”...
  • Page 819: Privilege

    Chapter | Authentication Commands | User Accounts and Privilege Levels. privilege: This command assigns a privilege level to specified command groups or individual commands. Use the no form to restore the default setting. Syntax: privilege mode [all] level level command; no privilege mode [all] command. mode - The configuration mode containing the specified command.
  • Page 820: Authentication Sequence

    Chapter | Authentication Commands | Authentication Sequence. Example: This example shows the privilege level for any command modified by the privilege command. Console#show privilege command privilege line all level 0 accounting privilege exec level 15 ping Console(config)# Authentication Sequence: Three authentication methods can be specified to authenticate users logging into the system for management access.
  • Page 821: Authentication Login

    Chapter | Authentication Commands | Authentication Sequence. ◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server. ◆ You can specify three authentication methods in a single command to...
  • Page 822: Radius Client

    Chapter | Authentication Commands | RADIUS Client. “authentication login radius tacacs local,” the user name and password on the RADIUS server are verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password are checked.
  • Page 823: Radius-Server Auth-Port

    Chapter | Authentication Commands | RADIUS Client. Command Mode: Global Configuration. Example: Console(config)#radius-server acct-port 181 Console(config)# radius-server auth-port: This command sets the RADIUS server network port. Use the no form to restore the default. Syntax: radius-server auth-port port-number; no radius-server auth-port. port-number - RADIUS server UDP port used for authentication messages.
  • Page 824: Radius-Server Key

    Chapter | Authentication Commands | RADIUS Client. key - Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string. (Maximum length: 48 characters) retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server.
  • Page 825: Radius-Server Retransmit

    Chapter | Authentication Commands | RADIUS Client. radius-server retransmit: This command sets the number of retries. Use the no form to restore the default. Syntax: radius-server retransmit number-of-retries; no radius-server retransmit. number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
  • Page 826: Table 75: Tacacs+ Client Commands

    Chapter | Authentication Commands | TACACS+ Client. show radius-server: This command displays the current settings for the RADIUS server. Default Setting: None. Command Mode: Privileged Exec. Example: Console#show radius-server Remote RADIUS Server Configuration: Global Settings: Authentication Port Number : 1812 Accounting Port Number : 1813 Retransmit Times Request Timeout...
  • Page 827 Chapter | Authentication Commands | TACACS+ Client. tacacs-server host: This command specifies the TACACS+ server and other optional parameters. Use the no form to remove the server, or to restore the default values. Syntax: tacacs-server index host host-ip-address [key key] [port port-number] [retransmit retransmit] [timeout timeout]; no tacacs-server index. index - The index for this server.
  • Page 828 Chapter | Authentication Commands | TACACS+ Client. Command Mode: Global Configuration. Example: Console(config)#tacacs-server key green Console(config)# tacacs-server port: This command specifies the TACACS+ server network port. Use the no form to restore the default. Syntax: tacacs-server port port-number; no tacacs-server port. port-number - TACACS+ server TCP port used for authentication messages.
  • Page 829 Chapter | Authentication Commands | TACACS+ Client. Example: Console(config)#tacacs-server retransmit 5 Console(config)# tacacs-server timeout: This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default. Syntax: tacacs-server timeout number-of-seconds; no tacacs-server timeout. number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
  • Page 830: Table 76: Aaa Commands

    Chapter | Authentication Commands. TACACS+ Server Group: Group Name Member Index ------------------------- ------------- tacacs+ Console# The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network.
  • Page 831 Chapter | Authentication Commands. method-name - Specifies an accounting method for service requests. (Range: 1-64 characters) start-stop - Records accounting from starting point and stopping point. group - Specifies the server group to use. tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.
  • Page 832 Chapter | Authentication Commands. group - Specifies the server group to use. radius - Specifies all RADIUS hosts configured with the radius-server host command. tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command.
  • Page 833 Chapter | Authentication Commands. group - Specifies the server group to use. radius - Specifies all RADIUS hosts configured with the radius-server host command. tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command.
  • Page 834 Chapter | Authentication Commands. ◆ Using the command without specifying an interim interval enables updates, but does not change the current interval setting. Example: Console(config)#aaa accounting update periodic 30 Console(config)# aaa authorization: This command enables the authorization for Exec access. Use the no form to disable the authorization service.
  • Page 835 Chapter | Authentication Commands. aaa group server: Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command. Syntax: [no] aaa group server {radius | tacacs+} group-name. radius - Defines a RADIUS server group.
  • Page 836 Chapter | Authentication Commands. Example: Console(config)#aaa group server radius tps Console(config-sg-radius)#server 10.2.68.120 Console(config-sg-radius)# accounting dot1x: This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface. Syntax: accounting dot1x {default | list-name}; no accounting dot1x. default - Specifies the default method list created with the accounting dot1x...
  • Page 837 Chapter | Authentication Commands. Command Mode: Line Configuration. Example: Console(config)#line console Console(config-line)#accounting commands 15 default Console(config-line)# accounting exec: This command applies an accounting method to local console, Telnet or SSH connections. Use the no form to disable accounting on the line. Syntax: accounting exec {default | list-name}; no accounting exec...
  • Page 838 Chapter | Authentication Commands. Default Setting: None. Command Mode: Line Configuration. Example: Console(config)#line console Console(config-line)#authorization exec tps Console(config-line)#exit Console(config)#line vty Console(config-line)#authorization exec default Console(config-line)# show accounting: This command displays the current accounting settings per function and per port. Syntax: show accounting [commands [level]] | [[dot1x [statistics [username user-name | interface interface]] | exec [statistics] | statistics]. commands - Displays command accounting information.
  • Page 839: Table 77: Web Server Commands

    Chapter | Authentication Commands | Web Server. Interface : Eth 1/1 Method List : tps Group List : radius Interface : Eth 1/2 Accounting Type : EXEC Method List : default Group List : tacacs+ Interface : vty Console# Web Server: This section describes commands used to configure web browser management access to the switch.
  • Page 840 Chapter | Authentication Commands | Web Server. Example: Console(config)#ip http port 769 Console(config)# Related Commands: ip http server (840), show system (721). ip http server: This command allows this device to be monitored or configured from a browser. Use the no form to disable this function. Syntax: [no] ip http server. Default...
  • Page 841 Chapter | Authentication Commands | Web Server. Command Usage: ◆ You cannot configure the HTTP and HTTPS servers to use the same port. ◆ If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port_number Example: Console(config)#ip http secure-port 1000...
  • Page 842: Table 78: Https System Support

    Chapter | Authentication Commands | Telnet Server. ◆ The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 6, Mozilla Firefox 4, or Google Chrome 29, or more recent versions. The following web browsers and operating systems currently support HTTPS: Table 78: HTTPS System Support...
  • Page 843 Chapter | Authentication Commands | Telnet Server. This switch also supports a Telnet client function. A Telnet connection can be made from this switch to another device by entering the telnet command at the Privileged Exec configuration level. ip telnet: This command specifies the maximum number of Telnet sessions that can simultaneously connect to this system.
  • Page 844: Ip Telnet Server

    Chapter | Authentication Commands | Telnet Server. Example: Console(config)#ip telnet port 123 Console(config)# ip telnet server: This command allows this device to be monitored or configured from Telnet. Use the no form to disable this function. Syntax: [no] ip telnet server. Default Setting: Enabled...
  • Page 845: Table 80: Secure Shell Commands

    Chapter | Authentication Commands | Secure Shell. Secure Shell: This section describes the commands used to configure the SSH server. Note that you also need to install an SSH client on the management station when using this protocol to configure the switch. The switch supports both SSH Version 1.5 and 2.0 clients.
  • Page 846 Chapter | Authentication Commands | Secure Shell. To use the SSH server, complete these steps: Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch.
  • Page 847 Chapter | Authentication Commands | Secure Shell. entered into the known host file. However, you do not need to configure the client's keys. Public Key Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method.
  • Page 848 Chapter | Authentication Commands | Secure Shell. ip ssh authentication-retries: This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting. Syntax: ip ssh authentication-retries count; no ip ssh authentication-retries. count –...
  • Page 849 Chapter | Authentication Commands | Secure Shell. Example: Console#ip ssh crypto host-key generate dsa Console#configure Console(config)#ip ssh server Console(config)# Related Commands: ip ssh crypto host-key generate (850), show ssh (854). ip ssh server-key: This command sets the SSH server key size. Use the no form to restore the default setting.
  • Page 850 Chapter | Authentication Commands | Secure Shell. Command Mode: Global Configuration. Command Usage: The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase. Once an SSH session has been established, the timeout for user input is controlled by the exec-timeout command for vty sessions.
  • Page 851 Chapter | Authentication Commands | Secure Shell. Default Setting: Generates both the DSA and RSA key pairs. Command Mode: Privileged Exec. Command Usage: ◆ The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients. ◆ This command stores the host key pair in memory (i.e., RAM). Use the...
  • Page 852 Chapter | Authentication Commands | Secure Shell. ◆ The SSH server must be disabled before you can execute this command. Example: Console#ip ssh crypto zeroize dsa Console# Related Commands: ip ssh crypto host-key generate (850), ip ssh save host-key (852), no ip ssh server (848). ip ssh save host-key: This command saves the host key from RAM to flash memory.
  • Page 853: Show Public-Key

    Chapter | Authentication Commands | Secure Shell. show public-key: This command shows the public key for the specified user or for the host. Syntax: show public-key [user [username] | host]. username – Name of an SSH user. (Range: 1-8 characters) Default Setting: Shows all public keys.
  • Page 854: Table 81: Show Ssh - Display Description

    Chapter | Authentication Commands | 802.1X Port Authentication. show ssh: This command displays the current SSH server connections. Command Mode: Privileged Exec. Example: Console#show ssh Connection Version State Username Encryption Session-Started admin ctos aes128-cbc-hmac-md5 stoc aes128-cbc-hmac-md5 Console# Table 81: show ssh - display description Field Description Connection...
  • Page 855 Chapter | Authentication Commands | 802.1X Port Authentication. Table 82: 802.1X Port Authentication Commands (Continued) Command Function Mode dot1x port-control Sets dot1x mode for a port interface dot1x re-authentication Enables re-authentication for all ports dot1x timeout quiet-period Sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client dot1x timeout...
  • Page 856 Chapter | Authentication Commands | 802.1X Port Authentication. dot1x eapol-pass-through: This command passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled. Use the no form to restore the default. Syntax: [no] dot1x eapol-pass-through. Default Setting: Discards all EAPOL frames when dot1x is globally disabled...
  • Page 857 Chapter | Authentication Commands | 802.1X Port Authentication. Authenticator Commands. dot1x intrusion-action: This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default.
  • Page 858 Chapter | Authentication Commands | 802.1X Port Authentication. Example: Console(config)#interface eth 1/2 Console(config-if)#dot1x max-reauth-req 2 Console(config-if)# dot1x max-req: This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session.
  • Page 859 Chapter | Authentication Commands | 802.1X Port Authentication. Default Setting: Single-host. Command Mode: Interface Configuration. Command Usage: ◆ The “max-count” parameter specified by this command is only effective if the dot1x mode is set to “auto” by the dot1x port-control command. ◆ In “multi-host” mode, only one host connected to a port needs to pass...
  • Page 860 Chapter | Authentication Commands | 802.1X Port Authentication. Example: Console(config)#interface eth 1/2 Console(config-if)#dot1x port-control auto Console(config-if)# dot1x re-authentication: This command enables periodic re-authentication for a specified port. Use the no form to disable re-authentication. Syntax: [no] dot1x re-authentication. Command Mode: Interface Configuration. Command Usage: The re-authentication process verifies the connected client’s user ID...
  • Page 861 Chapter | Authentication Commands | 802.1X Port Authentication. Command Mode: Interface Configuration. Example: Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout quiet-period 350 Console(config-if)# dot1x timeout re-authperiod: This command sets the time period after which a connected client must be re-authenticated. Use the no form of this command to reset the default. Syntax: dot1x timeout re-authperiod seconds...
  • Page 862 Chapter | Authentication Commands | 802.1X Port Authentication. Command Usage: This command sets the timeout for EAP-request frames other than EAP-request/identity frames. If dot1x authentication is enabled on a port, the switch will initiate authentication when the port link state comes up. It will send an EAP-request/identity frame to the client to request its identity, followed by one or more requests for authentication information.
  • Page 863 Chapter | Authentication Commands | 802.1X Port Authentication. Command Mode: Privileged Exec. Command Usage: The re-authentication process verifies the connected client’s user ID and password on the RADIUS server. During re-authentication, the client remains connected to the network and the process is handled transparently by the dot1x client software.
  • Page 864 Chapter | Authentication Commands | 802.1X Port Authentication. dot1x max-start: This command sets the maximum number of times that a port supplicant will send an EAP start frame to the client before assuming that the client is 802.1X unaware. Use the no form to restore the default value. Syntax: dot1x max-start count; no dot1x max-start...
  • Page 865 Chapter | Authentication Commands | 802.1X Port Authentication. ◆ A port cannot be configured as a dot1x supplicant if it is a member of a trunk or LACP is enabled on the port. Example: Console(config)#interface ethernet 1/2 Console(config-if)#dot1x pae supplicant Console(config-if)# dot1x timeout: This command sets the time that a supplicant port waits for a response from the authenticator.
  • Page 866 Chapter | Authentication Commands | 802.1X Port Authentication. Command Mode: Interface Configuration. Example: Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout held-period 120 Console(config-if)# dot1x timeout start-period: This command sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator. Use the no form to restore the default setting.
  • Page 867 Chapter | Authentication Commands | 802.1X Port Authentication. Command Usage: This command displays the following information: ◆ Global 802.1X Parameters – Shows whether or not 802.1X port authentication is globally enabled on the switch (page 856). ◆ Authenticator Parameters – Shows whether or not EAPOL pass-through is enabled (page 856).
  • Page 868 Chapter | Authentication Commands | 802.1X Port Authentication. ◆ Authenticator PAE State Machine ■ State – Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized). ■ Reauth Count – Number of times connecting state is re-entered. ■ Current Identifier – The integer (0-255) used by the Authenticator to...
  • Page 869: Table 83: Management Ip Filter Commands

    Chapter | Authentication Commands | Management IP Filter. Max Request Operation Mode : Multi-host Port Control : Auto Intrusion Action : Block traffic Supplicant : 00-e0-29-94-34-65 Authenticator PAE State Machine State : Authenticated Reauth Count Current Identifier Backend State Machine State : Idle Request Count Identifier(Server)
  • Page 870 Chapter | Authentication Commands | Management IP Filter. end-address - The end address of a range. Default Setting: All addresses. Command Mode: Global Configuration. Command Usage: ◆ The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses.
  • Page 871 Chapter | Authentication Commands | Management IP Filter. snmp-client - Displays IP addresses for the SNMP group. telnet-client - Displays IP addresses for the Telnet group. Command Mode: Privileged Exec. Example: Console#show management all-client Management Ip Filter HTTP-Client: Start IP address End IP address ----------------------------------------------- 1.
  • Page 872: Pppoe Intermediate Agent

    Chapter | Authentication Commands | PPPoE Intermediate Agent. PPPoE Intermediate Agent: This section describes commands used to configure the PPPoE Intermediate Agent (PPPoE IA) relay parameters required for passing authentication messages between a client and broadband remote access servers. Table 84: PPPoE Intermediate Agent Commands Command Function Mode...
  • Page 873: Pppoe Intermediate-Agent Format-Type

    Chapter | Authentication Commands | PPPoE Intermediate Agent. designated by the pppoe intermediate-agent trust command. The BRAS detects the presence of the subscriber’s circuit-ID tag inserted by the switch during the PPPoE discovery phase, and sends this tag as a NAS-port-ID attribute in PPP authentication and AAA accounting requests to a RADIUS server.
  • Page 874: Pppoe Intermediate-Agent Port-Format-Type

    Chapter | Authentication Commands | PPPoE Intermediate Agent. Example: Console(config)#pppoe intermediate-agent format-type access-node-identifier billibong Console(config)# pppoe intermediate-agent port-enable: This command enables the PPPoE IA on an interface. Use the no form to disable this feature. Syntax: [no] pppoe intermediate-agent port-enable. Default Setting: Disabled. Command...
  • Page 875: Pppoe Intermediate-Agent Trust

    Chapter | Authentication Commands | PPPoE Intermediate Agent. Command Usage: ◆ The PPPoE server extracts the Line-ID tag from PPPoE discovery stage messages, and uses the Circuit-ID field of that tag as a NAS-Port-ID attribute in AAA access and accounting requests. ◆ The switch intercepts PPPoE discovery frames from the client and...
  • Page 876: Pppoe Intermediate-Agent Vendor-Tag Strip

    Chapter | Authentication Commands | PPPoE Intermediate Agent. Example: Console(config)#interface ethernet 1/5 Console(config-if)#pppoe intermediate-agent trust Console(config-if)# pppoe intermediate-agent vendor-tag strip: This command enables the stripping of vendor tags from PPPoE Discovery packets sent from a PPPoE server. Use the no form to disable this feature. Syntax...
  • Page 877: Show Pppoe Intermediate-Agent Info

    Chapter | Authentication Commands | PPPoE Intermediate Agent. Example: Console#clear pppoe intermediate-agent statistics Console# show pppoe intermediate-agent info: This command displays configuration settings for the PPPoE Intermediate Agent. Syntax: show pppoe intermediate-agent info [interface [interface]]; interface: ethernet unit/port; unit - Stack unit. (Range: 1) port - Port number.
  • Page 878: Show Pppoe Intermediate-Agent Statistics

    Chapter | Authentication Commands | PPPoE Intermediate Agent. show pppoe intermediate-agent statistics: This command displays statistics for the PPPoE Intermediate Agent. Syntax: show pppoe intermediate-agent statistics interface [interface]; interface: ethernet unit/port; unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-10); port-channel channel-id (Range: 1-5). Command Mode: Privileged Exec...
  • Page 879: General Security Measures

    General Security Measures. This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to this method, several other options for providing client security are described in this chapter.
  • Page 880: Port Security

    Chapter | General Security Measures | Port Security. Port Security: These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
  • Page 881: Port Security

    Chapter | General Security Measures | Port Security. traffic with source addresses stored in the static address table will be accepted; all other packets are dropped. Note that the dynamic addresses stored in the address table when MAC address learning is disabled are flushed from the system, and no dynamic addresses are subsequently learned until MAC address learning has been re-enabled.
  • Page 882 Chapter | General Security Measures | Port Security. Command Mode: Interface Configuration (Ethernet). Command Usage: ◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.
  • Page 883: Port Security Mac-Address-As-Permanent

    Chapter | General Security Measures | Port Security. Example: The following example enables port security for port 5, and sets the response to a security violation to issue a trap message: Console(config)#interface ethernet 1/5 Console(config-if)#port security action trap Related Commands: show interfaces status (993), shutdown (988), mac-address-table static (1066). port security mac-address-as-permanent: Use this command to save the MAC addresses that port security has...
  • Page 884: Table 88: Show Port Security - Display Description

    Chapter | General Security Measures | Port Security. Command Mode: Privileged Exec. Example: This example shows the port security settings and number of secure addresses for all ports. Console#show port security Global Port Security Parameters Secure MAC Aging Mode : Disabled Port Security Port Summary Port Port Security Port Status Intrusion Action...
  • Page 885: Network Access (Mac Address Authentication)

    Chapter | General Security Measures | Network Access (MAC Address Authentication). Port Status : Secure/Up Intrusion Action : None Max MAC Count Current MAC Count Last Intrusion MAC : NA Last Time Detected Intrusion MAC : NA Console# This example shows information about a detected intrusion. Console#show port security interface ethernet 1/2 Global Port Security Parameters Secure MAC Aging Mode : Disabled...
  • Page 886: Network-Access Aging

    Chapter | General Security Measures | Network Access (MAC Address Authentication). Table 89: Network Access Commands (Continued) (Command | Function | Mode): network-access link-detection link-up | Configures the link detection feature to detect and act upon link-up events; network-access link-detection link-up-down | Configures the link detection feature to detect and act upon both link-up and link-down events; network-access...
  • Page 887: Network-Access Mac-Filter

    Chapter | General Security Measures | Network Access (MAC Address Authentication). regardless of the 802.1X Operation Mode (Single-Host, Multi-Host, or MAC-Based authentication as described on page 858). ◆ The maximum number of secure MAC addresses supported for the switch system is 1024. Example: Console(config-if)#network-access aging Console(config-if)#...
  • Page 888: Mac-Authentication Reauth-Time

    Chapter | General Security Measures | Network Access (MAC Address Authentication). mac-authentication reauth-time: Use this command to set the time period after which a connected MAC address must be re-authenticated. Use the no form of this command to restore the default value. Syntax: mac-authentication reauth-time seconds; no mac-authentication reauth-time...
  • Page 889: Network-Access Dynamic-Vlan

    Chapter | General Security Measures | Network Access (MAC Address Authentication). attribute (attribute 11) can be configured on the RADIUS server to pass the following QoS information: Table 90: Dynamic QoS Profiles (Profile | Attribute Syntax | Example): DiffServ | service-policy-in=policy-map-name | service-policy-in=p1; Rate Limit | rate-limit-input=rate (Kbps) | rate-limit-input=100 (Kbps); rate-limit-output=rate (Kbps)
  • Page 890: Network-Access Guest-Vlan

    Chapter | General Security Measures | Network Access (MAC Address Authentication). Command Mode: Interface Configuration. Command Usage: ◆ When enabled, the VLAN identifiers returned by the RADIUS server through the 802.1X authentication process will be applied to the port, providing the VLANs have already been created on the switch. GVRP is not used to create the VLANs.
  • Page 891: Network-Access Link-Detection

    Chapter | General Security Measures | Network Access (MAC Address Authentication). ◆ When used with 802.1X authentication, the intrusion-action must be set to “guest-vlan” to be effective (see the dot1x intrusion-action command). Example: Console(config)#interface ethernet 1/1 Console(config-if)#network-access guest-vlan 25 Console(config-if)# network-access link-detection: Use this command to enable link detection for the selected port. Use the no form of this command to restore the default.
  • Page 892: Network-Access Link-Detection Link-Up

    | General Security Measures HAPTER Network Access (MAC Address Authentication) OMMAND Interface Configuration XAMPLE Console(config)#interface ethernet 1/1 Console(config-if)#network-access link-detection link-down action trap Console(config-if)# Use this command to detect link-up events. When detected, the switch can network-access shut down the port, send an SNMP trap, or both. Use the no form of this link-detection command to disable this feature.
  • Page 893: Network-Access Link-Detection Link-Up-Down

    | General Security Measures HAPTER Network Access (MAC Address Authentication) Use this command to detect link-up and link-down events. When either network-access event is detected, the switch can shut down the port, send an SNMP trap, link-detection or both. Use the no form of this command to disable this feature. link-up-down YNTAX network-access link-detection link-up-down...
  • Page 894: Network-Access Mode Mac-Authentication

    | General Security Measures HAPTER Network Access (MAC Address Authentication) system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures. XAMPLE Console(config-if)#network-access max-mac-count 5 Console(config-if)# Use this command to enable network access authentication on a port. Use network-access the no form of this command to disable network access authentication.
  • Page 895: Network-Access Port-Mac-Filter

    | General Security Measures HAPTER Network Access (MAC Address Authentication) VLAN list can contain multiple VLAN identifiers in the format “1u,2t,” where “u” indicates untagged VLAN and “t” tagged VLAN. The “Tunnel- Type” attribute should be set to “VLAN,” and the “Tunnel-Medium-Type” attribute set to “802.”...
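The two RADIUS attribute formats on pages 889 and 895 (the Filter-Id QoS profiles of Table 90 and the Tunnel-Private-Group-ID VLAN list such as “1u,2t”) parsed and validated in Python, as an added example; this is not the switch's code and is not taken from the manual. Assumed for the example: the switch compares Tunnel-Type and Tunnel-Medium-Type against the RFC 2868 values 13 (VLAN) and 6 (802); the attribute names, the RadiusPolicyError class and the SAMPLE_ACCEPT reply are constructed here.

```python
import re

# RFC 2868 values the page requires for dynamic VLAN assignment (assumption:
# the switch compares against these; the page names them only as "VLAN" and "802")
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6
QOS_KEYS = {"service-policy-in", "rate-limit-input", "rate-limit-output"}


class RadiusPolicyError(ValueError):
    """Raised when an Access-Accept carries attributes the port cannot apply."""


def parse_vlan_list(text):
    """Parse a Tunnel-Private-Group-ID list: '1u,2t' -> [(1, 'untagged'), (2, 'tagged')]."""
    result = []
    for item in text.split(","):
        m = re.fullmatch(r"\s*(\d+)([ut])\s*", item)
        if not m:
            raise RadiusPolicyError(f"bad VLAN entry: {item!r}")
        vid = int(m.group(1))
        if not 1 <= vid <= 4094:
            raise RadiusPolicyError(f"VLAN id out of range: {vid}")
        result.append((vid, "untagged" if m.group(2) == "u" else "tagged"))
    return result


def parse_filter_id(text):
    """Parse one Filter-Id QoS profile from Table 90, e.g. 'rate-limit-input=100'."""
    key, sep, value = text.partition("=")
    if not sep or key not in QOS_KEYS:
        raise RadiusPolicyError(f"unknown Filter-Id profile: {text!r}")
    if key.startswith("rate-limit"):
        if not value.isdigit():
            raise RadiusPolicyError(f"rate must be an integer in Kbps: {value!r}")
        return key, int(value)
    return key, value            # service-policy-in=<policy-map-name>


def build_port_policy(attrs):
    """attrs: (attribute-name, value) pairs from a RADIUS Access-Accept.

    Returns the VLAN membership and QoS profile the port would receive.
    Dynamic VLAN is applied only when Tunnel-Type and Tunnel-Medium-Type are
    VLAN and 802; anything else is rejected rather than silently ignored."""
    by_name = {}
    for name, value in attrs:
        by_name.setdefault(name, []).append(value)
    policy = {"vlans": [], "qos": {}}
    group_ids = by_name.get("Tunnel-Private-Group-ID", [])
    if group_ids:
        if (by_name.get("Tunnel-Type") != [TUNNEL_TYPE_VLAN]
                or by_name.get("Tunnel-Medium-Type") != [TUNNEL_MEDIUM_802]):
            raise RadiusPolicyError("Tunnel-Type must be VLAN and Tunnel-Medium-Type 802")
        for gid in group_ids:
            policy["vlans"].extend(parse_vlan_list(gid))
    for fid in by_name.get("Filter-Id", []):
        key, value = parse_filter_id(fid)
        policy["qos"][key] = value
    return policy


# Constructed Access-Accept attribute list (not a real server reply)
SAMPLE_ACCEPT = [
    ("Tunnel-Type", TUNNEL_TYPE_VLAN),
    ("Tunnel-Medium-Type", TUNNEL_MEDIUM_802),
    ("Tunnel-Private-Group-ID", "1u,2t"),
    ("Filter-Id", "service-policy-in=p1"),
    ("Filter-Id", "rate-limit-input=100"),
]

if __name__ == "__main__":
    print(build_port_policy(SAMPLE_ACCEPT))
```

Rejecting an Access-Accept whose tunnel attributes are not VLAN/802, instead of ignoring the VLAN list, makes a RADIUS misconfiguration fail closed on the port rather than leave the client silently in the port's default VLAN.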
• Page 896: mac-authentication max-mac-count

COMMAND MODE: Interface Configuration
EXAMPLE
Console(config-if)#mac-authentication intrusion-action block-traffic
Console(config-if)#
mac-authentication max-mac-count: Use this command to set the maximum number of MAC addresses that can be authenticated on a port via MAC authentication. Use the no form of this command to restore the default.
• Page 897: show network-access

DEFAULT SETTING: None
COMMAND MODE: Privileged Exec
EXAMPLE
Console#clear network-access mac-address-table interface ethernet 1/1
Console#
show network-access: Use this command to display the MAC authentication settings for port interfaces.
SYNTAX
show network-access [interface interface]
interface - Specifies a port interface.
• Page 898: show network-access mac-address-table

show network-access mac-address-table: Use this command to display secure MAC address table entries.
SYNTAX
show network-access mac-address-table [static | dynamic] [address mac-address [mask]] [interface interface] [sort {address | interface}]
static - Specifies static address entries.
dynamic - Specifies dynamic address entries.
• Page 899: show network-access mac-filter

General Security Measures | Web Authentication
show network-access mac-filter: Use this command to display information for entries in the MAC filter tables.
SYNTAX
show network-access mac-filter [filter-id]
filter-id - Specifies a MAC address filter table. (Range: 1-64)
DEFAULT SETTING: Displays all filters.
• Page 900
Table 91: Web Authentication Commands (Continued)
Command                          Function
web-auth system-auth-control     Enables web authentication globally for the switch
web-auth                         Enables web authentication for an interface
web-auth re-authenticate (Port)  Ends all web authentication sessions on the port and forces the users to re-authenticate
web-auth re-authenticate (IP)    ...
• Page 901
web-auth quiet-period: This command defines the amount of time a host must wait after exceeding the limit for failed login attempts before it may attempt web authentication again. Use the no form to restore the default.
SYNTAX
web-auth quiet-period time
no web-auth quiet-period...
• Page 902
web-auth system-auth-control: This command globally enables web authentication for the switch. Use the no form to restore the default.
SYNTAX
[no] web-auth system-auth-control
DEFAULT SETTING: Disabled
COMMAND MODE: Global Configuration
COMMAND USAGE
Both web-auth system-auth-control for the switch and web-auth for an interface must be enabled for the web authentication feature to be active.
• Page 903
web-auth re-authenticate (Port): This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.
SYNTAX
web-auth re-authenticate interface interface
interface - Specifies a port interface.
ethernet unit/port
unit - This is unit 1.
• Page 904
show web-auth: This command displays global web authentication parameters.
COMMAND MODE: Privileged Exec
EXAMPLE
Console#show web-auth
Global Web-Auth Parameters
System Auth Control : Enabled
Session Timeout     : 3600
Quiet Period        : 60
Max Login Attempts
Console#
show web-auth ...: This command displays interface-specific web authentication parameters...
• Page 905: Table 92: DHCP Snooping Commands

General Security Measures | DHCPv4 Snooping
show web-auth summary: This command displays a summary of web authentication port parameters and statistics.
COMMAND MODE: Privileged Exec
EXAMPLE
Console#show web-auth summary
Global Web-Auth Parameters
System Auth Control : Enabled
Port  Status  Authenticated Host Count
----  ------  ------------------------...
• Page 906
Table 92: DHCP Snooping Commands (Continued)
Command                          Function
ip dhcp snooping database flash  Writes all dynamically learned snooping entries to flash memory
show ip dhcp snooping            Shows the DHCP snooping configuration settings
show ip dhcp snooping binding    Shows the DHCP snooping binding table entries...
• Page 907
■ If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, but the port is not trusted, it is processed as follows:
  ■ If the DHCP packet is a reply packet from a DHCP server...
• Page 908
ip dhcp snooping information option: This command enables the use of DHCP Option 82 information for the switch, and specifies the frame format to use for the remote-id when Option 82 information is generated by the switch. Use the no form without any keywords to disable this function, the no form with the encode no-subtype keyword to enable use of sub-type and sub-length in the CID/RID fields, or the no form with the remote-id keyword to set the remote ID to...
• Page 909
◆ When the DHCP Snooping Information Option is enabled, clients can be identified by the switch port to which they are connected rather than just their MAC address. DHCP client-server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN.
• Page 910
COMMAND MODE: Global Configuration
COMMAND USAGE
When the switch receives DHCP packets from clients that already include DHCP Option 82 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCP packets, keep the existing information, or replace it with the switch’s relay information.
• Page 911
COMMAND MODE: Global Configuration
COMMAND USAGE
If MAC address verification is enabled, and the source MAC address in the Ethernet header of the packet is not the same as the client’s hardware address in the DHCP packet, the packet is dropped.
EXAMPLE
This example enables MAC address verification.
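The untrusted-port decisions described on pages 907 through 911 (server replies, MAC address verification, and the drop/keep/replace policy for packets that already carry Option 82) as a Python model; this is an added example, not the switch's implementation. Assumptions: a server reply (OFFER, ACK, NAK) arriving on an untrusted port is dropped, which is the usual DHCP snooping behaviour and the case the sentence on page 907 is cut off before stating; the placeholder SWITCH_RELAY_INFO stands in for the switch's real Option 82 payload; the packets and the configuration are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # DHCP reply types (RFC 2131)
SWITCH_RELAY_INFO = "switch-relay"           # assumption: stands in for the real Option 82 payload


@dataclass
class DhcpPacket:
    msg_type: str                   # DISCOVER, REQUEST, OFFER, ACK, ...
    src_mac: str                    # Ethernet source address
    chaddr: str                     # client hardware address inside the DHCP payload
    vlan: int
    port: str                       # ingress port, e.g. "eth1/5"
    option82: Optional[str] = None  # relay-agent information already in the packet


@dataclass
class SnoopingConfig:
    enabled: bool = True                                # ip dhcp snooping
    vlans: set = field(default_factory=set)             # ip dhcp snooping vlan
    trusted_ports: set = field(default_factory=set)     # ip dhcp snooping trust
    verify_mac: bool = True                             # MAC address verification
    option82_policy: str = "replace"                    # drop | keep | replace


def process(pkt, cfg):
    """Return ('forward' | 'drop', reason); may rewrite pkt.option82."""
    if not cfg.enabled or pkt.vlan not in cfg.vlans:
        return "forward", "snooping not active on this VLAN"
    if pkt.port in cfg.trusted_ports:
        return "forward", "trusted port"
    # Untrusted port from here on.
    if pkt.msg_type in SERVER_MESSAGES:
        # Assumption: server replies are only legitimate from trusted ports.
        return "drop", "server reply on untrusted port"
    if cfg.verify_mac and pkt.src_mac.lower() != pkt.chaddr.lower():
        return "drop", "source MAC differs from client hardware address"
    if pkt.option82 is not None:
        if cfg.option82_policy == "drop":
            return "drop", "client packet already carries Option 82"
        if cfg.option82_policy == "replace":
            pkt.option82 = SWITCH_RELAY_INFO
        # "keep" leaves the existing relay information as it is
    return "forward", "client message accepted"


def sample_config(policy="replace"):
    """Constructed configuration: snooping on VLAN 1, eth1/1 is the server-facing port."""
    return SnoopingConfig(vlans={1}, trusted_ports={"eth1/1"}, option82_policy=policy)


def run_samples(policy="replace"):
    """Feed constructed packets through process(); returns the list of verdicts."""
    cfg = sample_config(policy)
    pkts = [
        DhcpPacket("DISCOVER", "00-11-22-33-44-55", "00-11-22-33-44-55", 1, "eth1/5"),
        DhcpPacket("OFFER", "00-aa-bb-cc-dd-ee", "00-11-22-33-44-55", 1, "eth1/5"),    # rogue server
        DhcpPacket("REQUEST", "00-11-22-33-44-55", "00-99-99-99-99-99", 1, "eth1/5"),  # spoofed chaddr
        DhcpPacket("DISCOVER", "00-11-22-33-44-55", "00-11-22-33-44-55", 1, "eth1/5", option82="bogus"),
        DhcpPacket("OFFER", "00-aa-bb-cc-dd-ee", "00-11-22-33-44-55", 1, "eth1/1"),    # real server
    ]
    return [process(p, cfg)[0] for p in pkts]


if __name__ == "__main__":
    for policy in ("replace", "keep", "drop"):
        print(policy, run_samples(policy))
```

The MAC verification check is what stops a client on an untrusted port from requesting leases on behalf of other hardware addresses and exhausting the pool; the Option 82 policy decides whether a client that forges relay information can influence which scope the server answers from.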
• Page 912: Table 93: Option 82 Information

EXAMPLE
This example enables DHCP snooping for VLAN 1.
Console(config)#ip dhcp snooping vlan 1
Console(config)#
RELATED COMMANDS
ip dhcp snooping (906)
ip dhcp snooping trust (913)
ip dhcp snooping ...: This command enables the use of the DHCP Option 82 circuit-id suboption.
• Page 913
■ access node identifier - ASCII string. Default is the MAC address of the switch’s CPU. This field is set by the ip dhcp snooping information option command.
■ eth - The second field is the fixed string “eth”...
• Page 914
...ports within the VLAN according to the default status, or as specifically configured for an interface with the no ip dhcp snooping trust command.
◆ When an untrusted port is changed to a trusted port, all the dynamic...
• Page 915: ip dhcp snooping database flash

EXAMPLE
Console(config)#clear ip dhcp snooping database flash
Console(config)#
ip dhcp snooping database flash: This command writes all dynamically learned snooping entries to flash memory.
COMMAND MODE: Privileged Exec
COMMAND USAGE
This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory.
• Page 916: Table 94: DHCP Snooping Commands

General Security Measures | DHCPv6 Snooping
show ip dhcp snooping binding: This command shows the DHCP snooping binding table entries.
COMMAND MODE: Privileged Exec
EXAMPLE
Console#show ip dhcp snooping binding
MAC Address        IP Address       Lease(sec)  Type                  VLAN  Interface
-----------------  ---------------  ----------  --------------------  ----  ------
11-22-33-44-55-66  192.168.0.99     0           Dynamic-DHCPSNP       1     Eth 1/5...
• Page 917
ipv6 dhcp snooping: This command enables DHCPv6 snooping globally. Use the no form to restore the default setting.
SYNTAX
[no] ipv6 dhcp snooping
DEFAULT SETTING: Disabled
COMMAND MODE: Global Configuration
COMMAND USAGE
◆ Network traffic may be disrupted when malicious DHCPv6 messages are...
• Page 918
■ Solicit: Add a new entry in the binding cache, recording the client’s DUID, IA type and IA ID (2 message exchanges to get an IPv6 address with the rapid commit option, otherwise 4 message exchanges), and forward to a trusted port.
■ Decline: If no matching entry is found in the binding cache, drop...
• Page 919
EXAMPLE
This example enables DHCPv6 snooping globally for the switch.
Console(config)#ipv6 dhcp snooping
Console(config)#
RELATED COMMANDS
ipv6 dhcp snooping vlan (921)
ipv6 dhcp snooping trust (922)
ipv6 dhcp snooping ...: This command enables the insertion of remote-id option 37 information into DHCPv6 client messages.
• Page 920
...either drop, keep or remove option 37 information in incoming DHCPv6 packets. Packets are processed as follows:
■ If an incoming packet is a DHCPv6 request packet with option 37 information, it will modify the option 37 information according to the settings specified with the ipv6 dhcp snooping option remote-id policy command.
• Page 921
COMMAND USAGE
When the switch receives DHCPv6 packets from clients that already include DHCP Option 37 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCPv6 packets, keep the existing information, or replace it with the switch’s relay agent information.
• Page 922
EXAMPLE
This example enables DHCPv6 snooping for VLAN 1.
Console(config)#ipv6 dhcp snooping vlan 1
Console(config)#
RELATED COMMANDS
ipv6 dhcp snooping (917)
ipv6 dhcp snooping trust (922)
ipv6 dhcp snooping ...: This command sets the maximum number of entries which can be stored in the binding database for an interface.
• Page 923
COMMAND USAGE
◆ A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.
• Page 924
COMMAND MODE: Privileged Exec
EXAMPLE
Console(config)#clear ipv6 dhcp snooping binding 00-12-cf-01-02-03 2001::1
Console(config)#
clear ipv6 dhcp snooping database flash: This command removes all dynamically learned snooping entries from flash memory.
COMMAND MODE: Privileged Exec
EXAMPLE
Console(config)#clear ipv6 dhcp snooping database flash
Console(config)#
This command shows the DHCPv6 snooping configuration settings.
• Page 925
show ipv6 dhcp snooping binding: This command shows the DHCPv6 snooping binding table entries.
COMMAND MODE: Privileged Exec
EXAMPLE
Console#show ipv6 dhcp snooping binding
NA - Non-temporary address
TA - Temporary address
-------------------------------------- ----------- ---- ------- ----
Link-layer Address: 00-13-49-aa-39-26
IPv6 Address  Lifetime...
• Page 926: Table 95: IPv4 Source Guard Commands

General Security Measures | IPv4 Source Guard
IPv4 SOURCE GUARD
IP Source Guard is a security feature that filters IPv4 traffic on network interfaces based on manually configured entries in the IPv4 Source Guard table, or dynamic entries in the DHCPv4 Snooping table when enabled (see "DHCPv4 Snooping"...
• Page 927
DEFAULT SETTING: No configured entries
COMMAND MODE: Global Configuration
COMMAND USAGE
◆ If the binding mode is not specified in this command, the entry is bound to the ACL table by default.
◆ Table entries include a MAC address, IP address, lease time, entry type...
• Page 928
ip source-guard: This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function.
SYNTAX
ip source-guard {sip | sip-mac}
no ip source-guard...
• Page 929
◆ Filtering rules are implemented as follows:
  ■ If DHCPv4 snooping is disabled (see page 906), IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
• Page 930
COMMAND MODE: Interface Configuration (Ethernet)
COMMAND USAGE
◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping and static entries set by the source-guard command.
• Page 931
clear ip source-guard binding blocked: This command removes all blocked records.
SYNTAX
clear ip source-guard binding blocked
COMMAND MODE: Privileged Exec
COMMAND USAGE
When IP Source Guard detects an invalid packet it creates a blocked record.
• Page 932
show ip source-guard binding: This command shows the source guard binding table.
SYNTAX
show ip source-guard binding [dhcp-snooping | static [acl | mac] | blocked [vlan vlan-id | interface interface]]
dhcp-snooping - Shows dynamic entries configured with DHCP Snooping commands (see page 905)
• Page 933: Table 96: IPv6 Source Guard Commands

General Security Measures | IPv6 Source Guard
IPv6 SOURCE GUARD
IPv6 Source Guard is a security feature that filters IPv6 traffic on non-routed, Layer 2 network interfaces based on manually configured entries in the IPv6 Source Guard table, or dynamic entries in the Neighbor Discovery Snooping table or DHCPv6 Snooping table when either snooping protocol is enabled (see "DHCPv6 Snooping"...
• Page 934
COMMAND MODE: Global Configuration
COMMAND USAGE
◆ Table entries include an associated MAC address, IPv6 global unicast address, entry type (Static-IPv6-SG-Binding, Dynamic-ND-Snooping, Dynamic-DHCPv6-Snooping), VLAN identifier, and port identifier.
◆ Traffic filtering is based only on the source IPv6 address, VLAN ID, and...
• Page 935
ipv6 source-guard: This command configures the switch to filter inbound traffic based on the source IP address stored in the binding table. Use the no form to disable this function.
SYNTAX
ipv6 source-guard sip
no ipv6 source-guard
DEFAULT SETTING...
• Page 936
...entry type is static IPv6 source guard binding, the packet will be forwarded.
  ■ If ND snooping or DHCPv6 snooping is enabled, IPv6 source guard will check the VLAN ID, source IP address, and port number. If a matching entry is found in the binding table and the entry type is static IPv6 source guard binding, dynamic ND snooping binding, or dynamic DHCPv6 snooping binding, the packet will be forwarded.
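The IPv4 and IPv6 source-guard filtering rules on pages 929 and 936 implemented over a binding table, as an added Python example (not the switch's code). The IPv6 rule is taken from page 936; for IPv4 with DHCPv4 snooping enabled the page's text is cut off, so the example assumes the same rule as for IPv6 (static and Dynamic-DHCPSNP entries are both honoured). The entry-type names are those shown in the binding-table outputs on these pages; the bindings and packets are constructed, with the first binding copied from the show ip dhcp snooping binding output on page 916.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    entry_type: str   # one of the type names shown in the binding-table outputs


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    vlan: int
    port: str


IPV4_STATIC = {"Static-IP-SG-Binding"}
IPV4_DYNAMIC = {"Dynamic-DHCPSNP"}
IPV6_STATIC = {"Static-IPv6-SG-Binding"}
IPV6_DYNAMIC = {"Dynamic-ND-Snooping", "Dynamic-DHCPv6-Snooping"}


def _matches(b, pkt, check_mac):
    """An entry matches on VLAN, source IP and ingress port; MAC only for sip-mac."""
    return (b.vlan == pkt.vlan and b.ip.lower() == pkt.src_ip.lower() and b.port == pkt.port
            and (not check_mac or b.mac.lower() == pkt.src_mac.lower()))


def ipv4_source_guard(pkt, bindings, mode="sip", dhcp_snooping=False, blocked=None):
    """ip source-guard {sip | sip-mac}: True = forward, False = drop.

    Static entries are always honoured; Dynamic-DHCPSNP entries only while
    DHCPv4 snooping is enabled (assumption, mirroring the IPv6 rule).
    A dropped packet is appended to `blocked` as its blocked record."""
    allowed = IPV4_STATIC | (IPV4_DYNAMIC if dhcp_snooping else set())
    if any(b.entry_type in allowed and _matches(b, pkt, mode == "sip-mac") for b in bindings):
        return True
    if blocked is not None:
        blocked.append(pkt)
    return False


def ipv6_source_guard(pkt, bindings, snooping=False):
    """ipv6 source-guard sip: filters on source address, VLAN and port only."""
    allowed = IPV6_STATIC | (IPV6_DYNAMIC if snooping else set())
    return any(b.entry_type in allowed and _matches(b, pkt, False) for b in bindings)


# Constructed binding table; the first entry copies the show ip dhcp snooping binding output
BINDINGS = [
    Binding("11-22-33-44-55-66", "192.168.0.99", 1, "Eth 1/5", "Dynamic-DHCPSNP"),
    Binding("00-13-49-aa-39-26", "10.0.0.5", 1, "Eth 1/2", "Static-IP-SG-Binding"),
    Binding("00-13-49-aa-39-26", "2001:db8::10", 1, "Eth 1/2", "Dynamic-ND-Snooping"),
]

if __name__ == "__main__":
    pkt = Packet("11-22-33-44-55-66", "192.168.0.99", 1, "Eth 1/5")
    print("snooping off:", ipv4_source_guard(pkt, BINDINGS))
    print("snooping on: ", ipv4_source_guard(pkt, BINDINGS, dhcp_snooping=True))
```

Note the difference sip and sip-mac make for the spoof case: with sip, a host that borrows a neighbour's address on the same port passes, and only sip-mac ties the address to the MAC that DHCP snooping learned.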
• Page 937
◆ IPv6 source guard maximum bindings must be set to a value higher than DHCPv6 snooping maximum bindings and ND snooping maximum bindings.
◆ If IPv6 source guard, ND snooping, and DHCPv6 snooping are enabled...
• Page 938: Table 97: ARP Inspection Commands

General Security Measures | ARP Inspection
show ipv6 source-guard binding: This command shows the IPv6 source guard binding table.
SYNTAX
show ipv6 source-guard binding [dynamic | static]
dynamic - Shows dynamic entries configured with ND Snooping or DHCPv6 Snooping commands (see page 916)
static - Shows static entries configured with the...
• Page 939
Table 97: ARP Inspection Commands (Continued)
Command                   Function
ip arp inspection limit   Sets a rate limit for the ARP packets received on a port
ip arp inspection trust   Sets a port as trusted, and thus exempted from ARP Inspection
show ip arp inspection    Displays the global configuration settings for ARP...
• Page 940
◆ When ARP Inspection is disabled globally, it is still possible to configure ARP Inspection for individual VLANs. These configuration changes will only become active after ARP Inspection is globally enabled again.
EXAMPLE
Console(config)#ip arp inspection
Console(config)#
This command specifies an ARP ACL to apply to one or more VLANs.
• Page 941
EXAMPLE
Console(config)#ip arp inspection filter sales vlan 1
Console(config)#
ip arp inspection log-buffer logs: This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.
• Page 942
EXAMPLE
Console(config)#ip arp inspection log-buffer logs 1 interval 10
Console(config)#
ip arp inspection validate: This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting.
SYNTAX
ip arp inspection validate...
• Page 943
ip arp inspection vlan: This command enables ARP Inspection for a specified VLAN or range of VLANs. Use the no form to disable this function.
SYNTAX
[no] ip arp inspection vlan {vlan-id | vlan-range}
vlan-id - VLAN ID.
• Page 944
ip arp inspection limit: This command sets a rate limit for the ARP packets received on a port. Use the no form to restore the default setting.
SYNTAX
ip arp inspection limit {rate pps | none}
no ip arp inspection limit
pps - The maximum number of ARP packets that can be processed by the CPU per second.
• Page 945
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#ip arp inspection trust
Console(config-if)#
show ip arp inspection configuration: This command displays the global configuration settings for ARP Inspection.
COMMAND MODE: Privileged Exec
EXAMPLE
Console#show ip arp inspection configuration
ARP inspection global information:
Global IP ARP Inspection status : disabled
Log Message Interval...
• Page 946
show ip arp inspection log: This command shows information about entries stored in the log, including the associated VLAN, port, and address components.
COMMAND MODE: Privileged Exec
EXAMPLE
Console#show ip arp inspection log
Total log entries number is 1
Num  VLAN  Port  Src IP Address  Dst IP Address  Src MAC Address...
• Page 947: Table 98: DoS Protection Commands

General Security Measures | Denial of Service Protection
EXAMPLE
Console#show ip arp inspection vlan 1
VLAN ID   DAI Status   ACL Name   ACL Status
--------  -----------  ---------  ----------
          disabled     sales      static
Console#
DENIAL OF SERVICE PROTECTION
A denial-of-service attack (DoS attack) is an attempt to block the services provided by a computer or network resource.
• Page 948
DEFAULT SETTING: Disabled, 1000 kbits/second
COMMAND MODE: Global Configuration
EXAMPLE
Console(config)#dos-protection echo-chargen 65
Console(config)#
dos-protection smurf: This command protects against DoS smurf attacks in which a perpetrator generates a large amount of spoofed ICMP Echo Request traffic to the broadcast destination IP address (255.255.255.255), all of which uses a spoofed source address of the intended victim.
• Page 949
COMMAND MODE: Global Configuration
EXAMPLE
Console(config)#dos-protection tcp-flooding 65
Console(config)#
dos-protection tcp-null-scan: This command protects against DoS TCP-null-scan attacks in which a TCP NULL scan message is used to identify listening TCP ports. The scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and no flags.
• Page 950
EXAMPLE
Console(config)#dos-protection syn-fin-scan
Console(config)#
dos-protection tcp-xmas-scan: This command protects against DoS TCP-xmas-scan attacks in which a so-called TCP XMAS scan message is used to identify listening TCP ports. This scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and the URG, PSH and FIN flags.
• Page 951
EXAMPLE
Console(config)#dos-protection udp-flooding 65
Console(config)#
dos-protection win-nuke: This command protects against DoS WinNuke attacks, which affected the Microsoft Windows 3.1x/95/NT operating systems. In this type of attack, the perpetrator sends a string of out-of-band (OOB) packets with the TCP URG flag set to the target computer on TCP port 139 (NetBIOS), causing it to lock up and display a “Blue Screen of Death.”
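The TCP signatures behind dos-protection tcp-null-scan, syn-fin-scan, tcp-xmas-scan and win-nuke on pages 949 through 951, written as a Python classifier that decodes raw TCP headers so it can be run over a capture to see what the switch's rate limits would be counting; this is an added example, not the switch's filter. The flag and sequence-number conditions for the null and XMAS scans follow the page's descriptions; the syn-fin-scan condition (SYN and FIN set together) and the WinNuke condition (URG with a non-zero urgent pointer to port 139) are taken from the well-known attack descriptions, since the page only shows the command for the first. The header builder and the sample segments are constructed.

```python
import struct

# TCP flag bits in the flags byte of the header
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32
NETBIOS_SSN = 139


def parse_tcp_header(data):
    """Decode the fixed 20-byte TCP header from raw bytes into a dict."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, win, csum, urg = struct.unpack("!HHIIBBHHH", data[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "flags": flags & 0x3F,
            "data_offset": (off_res >> 4) * 4, "urgent_ptr": urg}


def classify(hdr):
    """Return the dos-protection class this segment would hit, or None."""
    f = hdr["flags"]
    if f == 0 and hdr["seq"] == 0:
        return "tcp-null-scan"                      # no flags, sequence number 0
    if f & SYN and f & FIN:
        return "syn-fin-scan"                       # assumption: SYN and FIN together
    if f == URG | PSH | FIN and hdr["seq"] == 0:
        return "tcp-xmas-scan"                      # URG, PSH and FIN, sequence number 0
    if f & URG and hdr["dport"] == NETBIOS_SSN and hdr["urgent_ptr"] != 0:
        return "win-nuke"                           # OOB data (urgent pointer) to port 139
    return None


def build_tcp(sport, dport, seq, flags, urg_ptr=0):
    """Constructed 20-byte TCP header for testing (checksum left at 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, urg_ptr)


def scan_capture(segments):
    """Count hits per class over an iterable of raw TCP headers."""
    counts = {}
    for seg in segments:
        c = classify(parse_tcp_header(seg))
        if c:
            counts[c] = counts.get(c, 0) + 1
    return counts


if __name__ == "__main__":
    sample = [
        build_tcp(40000, 80, 0, 0),                       # null scan probe
        build_tcp(40001, 80, 0, URG | PSH | FIN),         # XMAS scan probe
        build_tcp(40002, 139, 1234, URG | ACK, urg_ptr=3),  # WinNuke
        build_tcp(40003, 443, 987654, SYN),               # ordinary connection attempt
    ]
    print(scan_capture(sample))
```

Whether a production filter should also insist on sequence number 0 for the null and XMAS cases, as the page describes them, is a tuning choice: requiring it reduces false positives on broken stacks, dropping it catches scanners that randomise the sequence number.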
• Page 952: Table 99: Commands for Configuring Traffic Segmentation

General Security Measures | Port-based Traffic Segmentation
WinNuke Attack : Disabled, 1000 kilobits per second
Console#
PORT-BASED TRAFFIC SEGMENTATION
If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients.
• Page 953: Table 100: Traffic Segmentation Forwarding

◆ Traffic segmentation and normal VLANs can exist simultaneously within the same switch. Traffic may pass freely between uplink ports in segmented groups and ports in normal VLANs.
◆ When traffic segmentation is enabled, the forwarding state for the...
• Page 954
DEFAULT SETTING: None
COMMAND MODE: Global Configuration
COMMAND USAGE
◆ Use this command to create a new traffic-segmentation client session.
◆ Using the no form of this command will remove any assigned uplink or...
• Page 955
◆ When specifying an uplink or downlink, a list of ports may be entered by using a hyphen or comma in the port field. Note that lists are not supported for the channel-id field.
◆ A downlink port can only communicate with an uplink port in the same...
• Page 956
show traffic-segmentation: This command displays the configured traffic segments.
COMMAND MODE: Privileged Exec
EXAMPLE
Console#show traffic-segmentation
Private VLAN Status   : Enabled
Uplink-to-Uplink Mode : Forwarding
Session   Uplink Ports    Downlink Ports
--------  --------------  --------------
          Ethernet ...    Ethernet ...
          Ethernet ...    Ethernet ......
• Page 957: Table 101: Access Control List Commands

ACCESS CONTROL LISTS
Access Control Lists (ACLs) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port.
• Page 958
Access Control Lists | IPv4 ACLs
access-list ip: This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL.
SYNTAX
[no] access-list ip {standard | extended} acl-name
standard –...
• Page 959
permit, deny (Standard IP ACL): This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
SYNTAX
{permit | deny} {any | source bitmask | host source} [time-range time-range-name]...
• Page 960
permit, deny (Extended IPv4 ACL): This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
• Page 961
control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63)
flag-bitmask – Decimal number representing the code bits to match.
time-range-name - Name of the time range. (Range: 1-16 characters)
DEFAULT SETTING...
• Page 962
EXAMPLE
This example accepts any incoming packet whose source address is within subnet 10.7.1.x. The rule matches when the rule address masked by the bitmask (10.7.1.0 & 255.255.255.0) equals the packet’s source address masked the same way (10.7.1.2 & 255.255.255.0); the packet then passes through.
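Rule evaluation for the standard and extended IPv4 ACLs described on pages 959 through 962, as an added Python example rather than the switch's implementation. The bitmask semantics are the page's: a 1 bit in the mask means that bit must match, so the 168.92.0.0 255.255.15.0 entry from the show output on page 964 is a non-contiguous mask that matches 168.92.16.7 but not 168.92.5.7. Two points are assumptions: the control-flags test compares only the bits selected by flag-bitmask, (flags & bitmask) == (control-flags & bitmask), and a packet that matches no rule is denied. The Rule and Pkt types and the INBOUND list are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# TCP flag bits in the flags byte (byte 14 of the header, counting from 1 as the page does)
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32


def mask_match(addr, rule_addr, bitmask):
    """True when every bit set in bitmask agrees between addr and rule_addr."""
    a, r, m = (int(ipaddress.IPv4Address(x)) for x in (addr, rule_addr, bitmask))
    return (a & m) == (r & m)


def _addr_match(spec, addr):
    """spec is 'any', 'host A.B.C.D', or 'A.B.C.D BITMASK' as in the ACL syntax."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    return mask_match(addr, parts[0], parts[1])


@dataclass
class Rule:
    action: str                           # permit | deny
    src: str = "any"
    dst: str = "any"
    protocol: Optional[str] = None        # tcp | udp | None matches any protocol
    dport: Optional[int] = None
    control_flags: Optional[int] = None   # 0-63
    flag_bitmask: Optional[int] = None    # which flag bits to compare


@dataclass
class Pkt:
    src: str
    dst: str
    protocol: str = "ip"
    dport: Optional[int] = None
    tcp_flags: int = 0


def rule_matches(rule, pkt):
    if not _addr_match(rule.src, pkt.src) or not _addr_match(rule.dst, pkt.dst):
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.control_flags is not None:
        # Assumption: compare only the bits selected by flag-bitmask (all six if omitted)
        bm = 63 if rule.flag_bitmask is None else rule.flag_bitmask
        if (pkt.tcp_flags & bm) != (rule.control_flags & bm):
            return False
    return True


def evaluate(acl, pkt):
    """First matching rule wins; assumption: no match means deny."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# "david" as shown by show ip access-list standard on page 964
DAVID = [Rule("permit", "host 10.1.1.21"), Rule("permit", "168.92.0.0 255.255.15.0")]

# Constructed extended ACL: block new inbound TCP connections (SYN without ACK)
# to 10.7.1.x but let the replies to connections opened from inside through.
INBOUND = [
    Rule("deny", "any", "10.7.1.0 255.255.255.0", "tcp",
         control_flags=SYN, flag_bitmask=SYN | ACK),
    Rule("permit", "any", "10.7.1.0 255.255.255.0"),
]

if __name__ == "__main__":
    for src in ("10.1.1.21", "168.92.16.7", "168.92.5.7"):
        print(src, evaluate(DAVID, Pkt(src, "10.7.1.1")))
```

The non-contiguous mask is the thing to notice when auditing such lists: 255.255.15.0 leaves the high four bits of the third octet unchecked, so the second david rule admits 168.92.16.x, 168.92.32.x and every other multiple of 16, which is rarely what a reviewer reading it as a subnet would expect.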
  • Page 963 | Access Control Lists HAPTER IPv4 ACLs OMMAND SAGE ◆ Only one ACL can be bound to a port. If an ACL is already bound to a port and you bind a different ACL to it, ◆ the switch will replace the old binding with the new one. XAMPLE Console(config)#int eth 1/2 Console(config-if)#ip access-group david in...
  • Page 964: Table 103: Ipv6 Acl Commands

    | Access Control Lists HAPTER IPv6 ACLs XAMPLE Console#show ip access-list standard IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 255.255.15.0 Console# ELATED OMMANDS permit, deny (959) ip access-group (962) 6 ACL The commands in this section configure ACLs based on IPv6 addresses, DSCP traffic class, or next header type.
  • Page 965 | Access Control Lists HAPTER IPv6 ACLs OMMAND Global Configuration OMMAND SAGE When you create a new ACL or enter configuration mode for an existing ◆ ACL, use the permit or deny command to add new rules to the bottom of the list.
  • Page 966 | Access Control Lists HAPTER IPv6 ACLs EFAULT ETTING None OMMAND Standard IPv6 ACL OMMAND SAGE New rules are appended to the end of the list. XAMPLE This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
  • Page 967 | Access Control Lists HAPTER IPv6 ACLs to indicate the appropriate number of zeros required to fill the undefined fields. prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix; i.e., the network portion of the address.
  • Page 968 | Access Control Lists HAPTER IPv6 ACLs This allows any packets sent to the destination 2009:DB9:2229::79/48 when the next header is 43.” Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/48 next-header 43 Console(config-ext-ipv6-acl)# ELATED OMMANDS access-list ipv6 (964) Time Range (773) This command binds a port to an IPv6 ACL. Use the no form to remove the ipv6 access-group port.
  • Page 969 | Access Control Lists HAPTER IPv6 ACLs This command shows the ports assigned to IPv6 ACLs. show ipv6 access-group OMMAND Privileged Exec XAMPLE Console#show ipv6 access-group Interface ethernet 1/2 IPv6 standard access-list david in Console# ELATED OMMANDS ipv6 access-group (968) This command displays the rules for configured IPv6 ACLs.
  • Page 970: Table 104: Mac Acl Commands

    | Access Control Lists HAPTER MAC ACLs MAC ACL The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. The ACLs can further specify optional IP and IPv6 addresses including protocol type and upper layer ports.
  • Page 971 | Access Control Lists HAPTER MAC ACLs XAMPLE Console(config)#access-list mac jerry Console(config-mac-acl)# ELATED OMMANDS permit, deny (971) mac access-group (974) show mac access-list (975) This command adds a rule to a MAC ACL. The rule filters packets matching permit, deny a specified MAC source or destination address (i.e., physical layer address), (MAC ACL) or Ethernet protocol type.
  • Page 972 | Access Control Lists HAPTER MAC ACLs {permit | deny} tagged-eth2 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] [ethertype protocol [protocol-bitmask]] {{ip {any | host source-ip | source-ip network-mask} {any | host destination-ip | destination-ip network-mask} {ipv6 {any | host source-ipv6 | source-ipv6/prefix-length} {any | host destination-ipv6 | destination-ipv6/prefix-length}} [protocol protocol]...
  • Page 973 | Access Control Lists HAPTER MAC ACLs no {permit | deny} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] {permit | deny} untagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [time-range time-range-name] no {permit | deny} untagged-802.3...
  • Page 974 | Access Control Lists HAPTER MAC ACLs EFAULT ETTING None OMMAND MAC ACL OMMAND SAGE New rules are added to the end of the list. ◆ The ethertype option can only be used to filter Ethernet II formatted ◆ packets. A detailed listing of Ethernet protocol types can be found in RFC 1060.
  • Page 975: Show Mac

    | Access Control Lists HAPTER MAC ACLs OMMAND SAGE ◆ Only one ACL can be bound to a port. If an ACL is already bound to a port and you bind a different ACL to it, ◆ the switch will replace the old binding with the new one. XAMPLE Console(config)#interface ethernet 1/2 Console(config-if)#mac access-group jerry in...
  • Page 976: Table 105: Arp Acl Commands

    CHAPTER | Access Control Lists: ARP ACLs. RELATED COMMANDS permit, deny (971) mac access-group (974) ARP ACL: The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp...
  • Page 977 CHAPTER | Access Control Lists: ARP ACLs. RELATED COMMANDS permit, deny (977) show access-list arp (978) permit, deny (ARP ACL): This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule.
  • Page 978 CHAPTER | Access Control Lists: ARP ACLs. EXAMPLE This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0. Console(config-arp-acl)#$permit response ip any 192.168.0.0 255.255.0.0 mac any any Console(config-mac-acl)# RELATED COMMANDS access-list arp (976) This command displays the rules for configured ARP ACLs.
  • Page 979: Table 106: Acl Information Commands

    CHAPTER | Access Control Lists: ACL Information. ACL INFORMATION This section describes commands used to display ACL information. Table 106: ACL Information Commands Command Function Mode clear access-list hardware counters Clears hit counter for rules in all ACLs, or in a specified ACL.
  • Page 980 CHAPTER | Access Control Lists: ACL Information. MAC access-list jerry Console# show access-list: This command shows all ACLs and associated rules. SYNTAX show access-list [[arp [acl-name]] | [ip [extended [acl-name] | standard [acl-name]] | [ipv6 [extended [acl-name] | standard [acl-name]] | [mac [acl-name]] | [tcam-utilization] | [hardware counters]] arp –...
  • Page 981: Table 107: Interface Commands

    INTERFACE COMMANDS These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface. Table 107: Interface Commands Command Function Mode Interface Configuration interface Configures an interface type and enters interface configuration mode alias Configures an alias name for the interface...
  • Page 982 CHAPTER | Interface Commands: Interface Configuration. Table 107: Interface Commands (Continued) Command Function Mode transceiver-threshold temperature Sets thresholds for the transceiver temperature which can be used to trigger an alarm or warning message transceiver-threshold tx-power Sets thresholds for the transceiver power level of the transmitted signal which can be used to trigger an alarm or warning message...
  • Page 983 CHAPTER | Interface Commands: Interface Configuration. EXAMPLE To specify port 4, enter the following command: Console(config)#interface ethernet 1/4 Console(config-if)# alias: This command configures an alias name for the interface. Use the no form to remove the alias name. SYNTAX alias string no alias string - A mnemonic name to help you remember what is attached to this interface.
  • Page 984 CHAPTER | Interface Commands: Interface Configuration. 10full - Supports 10 Mbps full-duplex operation 10half - Supports 10 Mbps half-duplex operation flowcontrol - Supports flow control DEFAULT SETTING 100BASE-FX: 100full (SFP) 100BASE-TX: 10half, 10full, 100half, 100full 1000BASE-T: 10half, 10full, 100half, 100full, 1000full 1000BASE-SX/LX/LH (SFP): 1000full COMMAND MODE Interface Configuration (Ethernet, Port Channel)
  • Page 985 CHAPTER | Interface Commands: Interface Configuration. DEFAULT SETTING None COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE The description is displayed by the show interfaces status command and in the running-configuration file. An example of the value which a network manager might store in this object is the name of the manufacturer, and the product name.
  • Page 986 CHAPTER | Interface Commands: Interface Configuration. flowcontrol: This command enables flow control. Use the no form to disable flow control. SYNTAX [no] flowcontrol DEFAULT SETTING Disabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE ◆ 1000BASE-T does not support forced mode. Auto-negotiation should...
  • Page 987 CHAPTER | Interface Commands: Interface Configuration. media-type: This command forces the port type selected for combination ports 9-10. Use the no form to restore the default mode. SYNTAX media-type mode no media-type mode copper-forced - Always uses the built-in RJ-45 port. sfp-forced - Always uses the SFP port (even if module not installed).
  • Page 988 CHAPTER | Interface Commands: Interface Configuration. COMMAND USAGE ◆ 1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk. ◆ When auto-negotiation is enabled the switch will negotiate the best...
  • Page 989 CHAPTER | Interface Commands: Interface Configuration. speed-duplex: This command configures the speed and duplex mode of a given interface when auto-negotiation is disabled. Use the no form to restore the default. SYNTAX speed-duplex {1000full | 100full | 100half | 10full | 10half} no speed-duplex 1000full - Forces 1000 Mbps full-duplex operation 100full - Forces 100 Mbps full-duplex operation...
  • Page 990 CHAPTER | Interface Commands: Interface Configuration. RELATED COMMANDS negotiation (987) capabilities (983) clear counters: This command clears statistics on an interface. SYNTAX clear counters interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-10) port-channel channel-id (Range: 1-5) DEFAULT SETTING...
  • Page 991 CHAPTER | Interface Commands: Interface Configuration. show discard: This command displays whether or not CDP and PVST packets are being discarded. COMMAND MODE Privileged Exec EXAMPLE In this example, “Default” means that the packets are not discarded. Console#show discard Port PVST -------- ------- ------- Eth 1/ 1 Default Default Eth 1/ 2 Default Default...
  • Page 992 CHAPTER | Interface Commands: Interface Configuration. show interfaces counters: This command displays interface statistics. SYNTAX show interfaces counters [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-10) port-channel channel-id (Range: 1-5) DEFAULT SETTING Shows the counters for all interfaces.
  • Page 993: Show Interfaces Status

    CHAPTER | Interface Commands: Interface Configuration. 0 Pause Frames Input 0 Pause Frames Output ===== RMON Stats ===== 0 Drop Events 16900558 Octets 40243 Packets 170 Broadcast PKTS 23 Multi-cast PKTS 0 Undersize PKTS 0 Oversize PKTS 0 Fragments 0 Jabbers 0 CRC Align Errors 0 Collisions 21065 Packet Size <= 64 Octets...
  • Page 994 CHAPTER | Interface Commands: Interface Configuration. EXAMPLE Console#show interfaces status ethernet 1/1 Information of Eth 1/1 Basic Information: Port Type : 100BASE-TX MAC Address : 00-E0-0C-00-00-FE Configuration: Name Port Admin : Up Speed-duplex : Auto Capabilities : 10half, 10full, 100half, 100full Broadcast Storm : Enabled Broadcast Storm Limit...
  • Page 995: Table 108: Show Interfaces Switchport - Display Description

    CHAPTER | Interface Commands: Interface Configuration. EXAMPLE This example shows the configuration setting for port 1. Console#show interfaces switchport ethernet 1/1 Information of Eth 1/1 Broadcast Threshold : Enabled, 500 packets/second Multicast Threshold : Disabled Unknown Unicast Threshold : Disabled LACP Status : Disabled Ingress Rate Limit...
  • Page 996 CHAPTER | Interface Commands: Transceiver Threshold Configuration. Table 108: show interfaces switchport - display description (Continued) Field Description 802.1Q Tunnel Mode Shows the tunnel mode as Normal, 802.1Q Tunnel or 802.1Q Tunnel Uplink (page 1148). 802.1Q Tunnel TPID Shows the Tag Protocol Identifier used for learning and switching packets (page 1151).
  • Page 997 CHAPTER | Interface Commands: Transceiver Threshold Configuration. EXAMPLE Console(config)interface ethernet 1/25 Console(config-if)#transceiver-threshold-auto Console# transceiver-threshold current: This command sets thresholds for transceiver current which can be used to trigger an alarm or warning message. SYNTAX transceiver-threshold current {high-alarm | high-warning | low-alarm | low-warning} threshold-value high-alarm –...
  • Page 998 CHAPTER | Interface Commands: Transceiver Threshold Configuration. level were to fluctuate just above and below either the high threshold or the low threshold. ◆ Trap messages enabled by the transceiver-monitor command are sent to any management station configured by the snmp-server host command.
  • Page 999 CHAPTER | Interface Commands: Transceiver Threshold Configuration. ◆ Trap messages enabled by the transceiver-monitor command are sent to any management station configured by the snmp-server host command. EXAMPLE The following example sets alarm thresholds for the signal power received at port 1. Console(config)interface ethernet 1/25 Console(config-if)#transceiver-threshold rx-power low-alarm -21 Console(config-if)#transceiver-threshold rx-power high-alarm -3...
  • Page 1000 CHAPTER | Interface Commands: Transceiver Threshold Configuration. EXAMPLE The following example sets alarm thresholds for the transceiver temperature at port 1. Console(config)interface ethernet 1/1 Console(config-if)#transceiver-threshold temperature low-alarm 97 Console(config-if)#transceiver-threshold temperature high-alarm -83 Console# transceiver-threshold tx-power: This command sets thresholds for the transceiver power level of the transmitted signal which can be used to trigger an alarm or warning...
  • Page 1001 CHAPTER | Interface Commands: Transceiver Threshold Configuration. EXAMPLE The following example sets alarm thresholds for the signal power transmitted at port 1. Console(config)interface ethernet 1/25 Console(config-if)#transceiver-threshold tx-power low-alarm 8 Console(config-if)#transceiver-threshold tx-power high-alarm -3 Console# transceiver-threshold voltage: This command sets thresholds for the transceiver voltage which can be used to trigger an alarm or warning message.
  • Page 1002 CHAPTER | Interface Commands: Transceiver Threshold Configuration. EXAMPLE The following example sets alarm thresholds for the transceiver voltage at port 1. Console(config)interface ethernet 1/1 Console(config-if)#transceiver-threshold voltage low-alarm 4 Console(config-if)#transceiver-threshold voltage high-alarm 2 Console# show interfaces transceiver: This command displays identifying information for the specified transceiver, including connector type and vendor-related parameters, as well as the...
