Edge-Core ES3510MA Management Manual

8-port layer 2 fast ethernet switch

8-Port Layer 2
Management Guide
Fast Ethernet Switch
www.edge-core.com

Summary of Contents for Edge-Core ES3510MA

  • Page 1 8-Port Layer 2 Fast Ethernet Switch Management Guide www.edge-core.com...
  • Page 2 MANAGEMENT GUIDE ES3510MA FAST ETHERNET SWITCH Layer 2 Switch with 8 10/100BASE-TX (RJ-45) Ports, and 2 Gigabit Combination Ports (RJ-45/SFP) ES3510MA E032010/ST-R01 149100000046A...
  • Page 3: About This Guide

    ABOUT THIS GUIDE. PURPOSE: This guide gives specific information on how to operate and use the management functions of the switch. AUDIENCE: The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
  • Page 4 ABOUT THIS GUIDE – 4 –...
  • Page 5: Table Of Contents

    CONTENTS ABOUT THIS GUIDE CONTENTS FIGURES TABLES SECTION I GETTING STARTED INTRODUCTION Key Features Description of Software Features Configuration Backup and Restore Authentication Access Control Lists Port Configuration Port Mirroring Port Trunking Rate Limiting Storm Control Static Addresses IEEE 802.1D Bridge Store-and-Forward Switching Spanning Tree Algorithm Virtual LANs IEEE 802.1Q Tunneling (QinQ)
  • Page 6 CONTENTS INITIAL SWITCH CONFIGURATION Connecting to the Switch Configuration Options Required Connections Remote Connections Basic Configuration Console Connection Setting Passwords Setting an IP Address Enabling SNMP Management Access Managing System Files Saving or Restoring Configuration Settings SECTION WEB CONFIGURATION USING THE WEB INTERFACE Connecting to the Web Interface Navigating the Web Browser Interface...
  • Page 7 CONTENTS Specifying SNTP Time Servers Setting the Time Zone Console Port Settings Telnet Settings Displaying CPU Utilization Displaying Memory Utilization Resetting the System INTERFACE CONFIGURATION Port Configuration Configuring by Port List Configuring by Port Range Displaying Connection Status Configuring Local Port Mirroring Configuring Remote Port Mirroring Showing Port or Trunk Statistics Performing Cable Diagnostics...
  • Page 8 CONTENTS Protocol VLANs Configuring Protocol VLAN Groups Mapping Protocol Groups to Interfaces Configuring IP Subnet VLANs Configuring MAC-based VLANs Configuring VLAN Mirroring ADDRESS TABLE SETTINGS Configuring MAC Address Learning Setting Static Addresses Changing the Aging Time Displaying the Dynamic Address Table Clearing the Dynamic Address Table Configuring MAC Address Mirroring SPANNING...
  • Page 9 CONTENTS Attaching a Policy Map to a Port 13 VOIP TRAFFIC CONFIGURATION Overview Configuring VoIP Traffic Configuring Telephony OUI Configuring VoIP Traffic Ports 14 SECURITY MEASURES AAA Authorization and Accounting Configuring Local/Remote Logon Authentication Configuring Remote Logon Authentication Servers Configuring AAA Accounting Configuring AAA Authorization Configuring User Accounts...
  • Page 10 CONTENTS Configuring an ARP ACL Binding a Port to an Access Control List ARP Inspection Configuring Global Settings for ARP Inspection Configuring VLAN Settings for ARP Inspection Configuring Interface Settings for ARP Inspection Displaying ARP Inspection Statistics Displaying the ARP Inspection Log Filtering IP Addresses for Management Access Configuring Port Security Configuring 802.1X Port Authentication...
  • Page 11 CONTENTS Simple Network Management Protocol Configuring Global Settings for SNMP Setting the Local Engine ID Specifying a Remote Engine ID Setting SNMPv3 Views Configuring SNMPv3 Groups Setting Community Access Strings Configuring Local SNMPv3 Users Configuring Remote SNMPv3 Users Specifying Trap Managers Remote Monitoring Configuring RMON Alarms Configuring RMON Events...
  • Page 12 CONTENTS 18 MULTICAST FILTERING Overview Layer 2 IGMP (Snooping and Query) Configuring IGMP Snooping and Query Parameters Specifying Static Interfaces for a Multicast Router Assigning Interfaces to Multicast Services Setting IGMP Snooping Status per Interface Displaying Multicast Groups Discovered by IGMP Snooping Filtering and Throttling IGMP Groups Enabling IGMP Filtering and Throttling Configuring IGMP Filter Profiles...
  • Page 13 CONTENTS 20 GENERAL COMMANDS prompt reload (Global Configuration) enable quit show history configure disable reload (Privileged Exec) show reload exit 21 SYSTEM MANAGEMENT COMMANDS Device Designation hostname Banner Information banner configure banner configure company banner configure dc-power-info banner configure department banner configure equipment-info banner configure equipment-location banner configure ip-lan...
  • Page 14 CONTENTS show version Frame Size jumbo frame File Management boot system copy delete whichboot upgrade opcode auto upgrade opcode path Line line databits exec-timeout login parity password password-thresh silent-time speed stopbits timeout login response disconnect show line Event Logging logging facility logging history logging host logging on...
  • Page 15 CONTENTS logging sendmail host logging sendmail level logging sendmail destination-email logging sendmail source-email show logging sendmail Time sntp client sntp poll sntp server show sntp clock timezone calendar set show calendar Time Range time-range absolute periodic show time-range Switch Clustering cluster cluster commander cluster ip-pool...
  • Page 16 CONTENTS snmp-server group snmp-server user snmp-server view show snmp engine-id show snmp group show snmp user show snmp view snmp-server notify-filter show nlm oper-status show snmp notify-filter 23 REMOTE MONITORING COMMANDS rmon alarm rmon event rmon collection history rmon collection stats show rmon alarm show rmon event show rmon history...
  • Page 17 CONTENTS TACACS+ Client tacacs-server tacacs-server host tacacs-server key tacacs-server port show tacacs-server aaa accounting commands aaa accounting dot1x aaa accounting exec aaa accounting update aaa authorization exec aaa group server server accounting dot1x accounting exec authorization exec show accounting Web Server ip http port ip http server ip http secure-server...
  • Page 18 CONTENTS ip ssh save host-key show ip ssh show public-key show ssh 802.1X Port Authentication dot1x default dot1x eapol-pass-through dot1x system-auth-control dot1x intrusion-action dot1x max-req dot1x operation-mode dot1x port-control dot1x re-authentication dot1x timeout quiet-period dot1x timeout re-authperiod dot1x timeout supp-timeout dot1x timeout tx-period dot1x re-authenticate dot1x identity profile...
  • Page 19 CONTENTS network-access dynamic-qos network-access dynamic-vlan network-access guest-vlan network-access link-detection network-access link-detection link-down network-access link-detection link-up network-access link-detection link-up-down network-access max-mac-count network-access mode mac-authentication network-access port-mac-filter mac-authentication intrusion-action mac-authentication max-mac-count show network-access show network-access mac-address-table show network-access mac-filter Web Authentication web-auth login-attempts web-auth quiet-period web-auth session-timeout web-auth system-auth-control...
  • Page 20 CONTENTS show ip dhcp snooping binding IP Source Guard ip source-guard binding ip source-guard show ip source-guard show ip source-guard binding ARP Inspection ip arp inspection ip arp inspection filter ip arp inspection log-buffer logs ip arp inspection validate ip arp inspection vlan ip arp inspection limit ip arp inspection trust show ip arp inspection configuration...
  • Page 21 CONTENTS show arp access-list ACL Information show access-group show access-list 27 INTERFACE COMMANDS interface alias capabilities description flowcontrol media-type negotiation shutdown speed-duplex switchport packet-rate clear counters show interfaces brief show interfaces counters show interfaces status show interfaces switchport test cable-diagnostics show cable-diagnostics power-save show power-save...
  • Page 22 CONTENTS RSPAN Mirroring Commands rspan source rspan destination rspan remote vlan no rspan session show rspan 30 RATE LIMIT COMMANDS rate-limit 31 AUTOMATIC TRAFFIC CONTROL COMMANDS auto-traffic-control apply-timer auto-traffic-control release-timer auto-traffic-control auto-traffic-control action auto-traffic-control alarm-clear-threshold auto-traffic-control alarm-fire-threshold auto-traffic-control control-release auto-traffic-control auto-control-release snmp-server enable port-traps atc broadcast-alarm-clear snmp-server enable port-traps atc broadcast-alarm-fire...
  • Page 23 CONTENTS spanning-tree hello-time spanning-tree max-age spanning-tree mode spanning-tree pathcost method spanning-tree priority spanning-tree mst configuration spanning-tree transmission-limit max-hops mst priority mst vlan name revision spanning-tree bpdu-filter spanning-tree bpdu-guard spanning-tree cost spanning-tree edge-port spanning-tree link-type spanning-tree loopback-detection spanning-tree loopback-detection release-mode spanning-tree loopback-detection trap spanning-tree mst cost spanning-tree mst port-priority spanning-tree port-priority...
  • Page 24 CONTENTS show garp timer show gvrp configuration Editing VLAN Groups vlan database vlan Configuring VLAN Interfaces interface vlan switchport acceptable-frame-types switchport allowed vlan switchport ingress-filtering switchport mode switchport native vlan vlan-trunking Displaying VLAN Information show vlan Configuring IEEE 802.1Q Tunneling dot1q-tunnel system-tunnel-control switchport dot1q-tunnel mode switchport dot1q-tunnel tpid...
  • Page 25 CONTENTS voice vlan aging voice vlan mac-address switchport voice vlan switchport voice vlan priority switchport voice vlan rule switchport voice vlan security show voice vlan 35 CLASS OF SERVICE COMMANDS Priority Commands (Layer 2) queue mode queue weight switchport priority default show queue mode show queue weight Priority Commands (Layer 3 and 4)
  • Page 26 CONTENTS show class-map show policy-map show policy-map interface 37 MULTICAST FILTERING COMMANDS IGMP Snooping ip igmp snooping ip igmp snooping proxy-reporting ip igmp snooping querier ip igmp snooping router-alert-option-check ip igmp snooping router-port-expire-time ip igmp snooping tcn-flood ip igmp snooping tcn-query-solicit ip igmp snooping unregistered-data-flood ip igmp snooping unsolicited-report-interval ip igmp snooping version...
  • Page 27 CONTENTS ip igmp max-groups ip igmp max-groups action show ip igmp filter show ip igmp profile show ip igmp throttle interface Multicast VLAN Registration mvr immediate-leave mvr type mvr vlan group show mvr 38 LLDP COMMANDS lldp lldp holdtime-multiplier lldp notification-interval lldp refresh-interval lldp reinit-delay...
  • Page 28 CONTENTS 39 DOMAIN SERVICE COMMANDS ip domain-list ip domain-lookup ip domain-name ip host ip name-server ipv6 host clear dns cache clear host show dns show dns cache show hosts 40 DHCP COMMANDS DHCP Client ip dhcp client class-id ip dhcp restart client ipv6 dhcp restart client vlan show ipv6 dhcp duid...
  • Page 29 CONTENTS ipv6 address eui-64 ipv6 address link-local ipv6 enable ipv6 mtu show ipv6 default-gateway show ipv6 interface show ipv6 mtu show ipv6 traffic clear ipv6 traffic ping6 ipv6 nd dad attempts ipv6 nd ns-interval ipv6 nd reachable-time clear ipv6 neighbors show ipv6 neighbors SECTION APPENDICES...
  • Page 30 CONTENTS – 30 –...
  • Page 31: Figures

    FIGURES Figure 1: Home Page Figure 2: Front Panel Indicators Figure 3: System Information Figure 4: General Switch Information Figure 5: Configuring Support for Jumbo Frames Figure 6: Displaying Bridge Extension Configuration Figure 7: Copy Firmware Figure 8: Saving the Running Configuration Figure 9: Setting Start-Up Files Figure 10: Displaying System Files Figure 11: Configuring Automatic Code Upgrade...
  • Page 32 FIGURES Figure 32: Configuring Remote Port Mirroring (Intermediate) Figure 33: Configuring Remote Port Mirroring (Destination) Figure 34: Showing Port Statistics (Table) Figure 35: Showing Port Statistics (Chart) Figure 36: Performing Cable Tests Figure 37: Configuring Static Trunks Figure 38: Creating Static Trunks Figure 39: Adding Static Trunks Members Figure 40: Configuring Connection Parameters for a Static Trunk Figure 41: Showing Information for Static Trunks...
  • Page 33 FIGURES Figure 68: Showing the Members of a Dynamic VLAN Figure 69: QinQ Operational Concept Figure 70: Enabling QinQ Tunneling Figure 71: Adding an Interface to a QinQ Tunnel Figure 72: Configuring Protocol VLANs Figure 73: Displaying Protocol VLANs Figure 74: Assigning Interfaces to Protocol VLANs Figure 75: Showing the Interface to Protocol Group Mapping Figure 76: Configuring IP Subnet VLANs Figure 77: Showing IP Subnet VLANs...
  • Page 34 FIGURES Figure 104: Displaying Members of an MST Instance Figure 105: Configuring MSTP Interface Settings Figure 106: Displaying MSTP Interface Settings Figure 107: Configuring Rate Limits Figure 108: Configuring Broadcast Storm Control Figure 109: Setting the Default Port Priority Figure 110: Setting the Queue Mode (Strict) Figure 111: Setting the Queue Mode (WRR) Figure 112: Setting the Queue Mode (Strict and WRR) Figure 113: Mapping CoS Values to Egress Queues...
  • Page 35 FIGURES Figure 140: Configuring AAA Accounting Methods Figure 141: Showing AAA Accounting Methods Figure 142: Configuring AAA Accounting Service for 802.1X Service Figure 143: Configuring AAA Accounting Service for Exec Service Figure 144: Displaying a Summary of Applied AAA Accounting Methods Figure 145: Displaying Statistics for AAA Accounting Sessions Figure 146: Configuring AAA Authorization Methods Figure 147: Showing AAA Authorization Methods...
  • Page 36 FIGURES Figure 176: Configuring a MAC ACL Figure 177: Configuring an ARP ACL Figure 178: Binding a Port to an ACL Figure 179: Configuring Global Settings for ARP Inspection Figure 180: Configuring VLAN Settings for ARP Inspection Figure 181: Configuring Interface Settings for ARP Inspection Figure 182: Displaying Statistics for ARP Inspection Figure 183: Displaying the ARP Inspection Log Figure 184: Creating an IP Address Filter for Management Access...
  • Page 37 FIGURES Figure 212: Displaying LLDP Device Statistics (Port) Figure 213: Configuring Global Settings for SNMP Figure 214: Configuring the Local Engine ID for SNMP Figure 215: Configuring a Remote Engine ID for SNMP Figure 216: Showing Remote Engine IDs for SNMP Figure 217: Creating an SNMP View Figure 218: Showing SNMP Views Figure 219: Adding an OID Subtree to an SNMP View...
  • Page 38 FIGURES Figure 248: Pinging a Network Device Figure 249: Configuring a Static IPv4 Address Figure 250: Configuring a Dynamic IPv4 Address Figure 251: Configuring the IPv6 Default Gateway Figure 252: Configuring General Settings for an IPv6 Interface Figure 253: Configuring an IPv6 Address Figure 254: Showing Configured IPv6 Addresses Figure 255: Showing IPv6 Neighbors Figure 256: Showing IPv6 Statistics (IPv6)
  • Page 39 FIGURES Figure 284: Configuring IGMP Filtering and Throttling Interface Settings Figure 285: MVR Concept Figure 286: Configuring Global Settings for MVR Figure 287: Configuring Interface Settings for MVR Figure 288: Assigning Static MVR Groups to a Port Figure 289: Showing the Static MVR Groups Assigned to a Port Figure 290: Displaying MVR Receiver Groups Figure 291: Storm Control by Limiting the Traffic Rate Figure 292: Storm Control by Shutting Down a Port...
  • Page 40 FIGURES – 40 –...
  • Page 41: Tables

    TABLES Table 1: Key Features Table 2: System Defaults Table 3: Web Page Configuration Buttons Table 4: Switch Main Menu Table 5: Port Statistics Table 6: LACP Port Counters Table 7: LACP Internal Configuration Information Table 8: LACP Internal Configuration Information Table 9: Recommended STA Path Cost Range Table 10: Recommended STA Path Costs Table 11: Default STA Path Costs...
  • Page 42 TABLES Table 32: General Command Modes Table 33: Configuration Command Modes Table 34: Keystroke Commands Table 35: Command Group Index Table 36: General Commands Table 37: System Management Commands Table 38: Device Designation Commands Table 39: Banner Commands Table 40: System Status Commands Table 41: Frame Size Commands Table 42: Flash/File Commands Table 43: File Directory Information...
  • Page 43 TABLES Table 68: Telnet Server Commands Table 69: Secure Shell Commands Table 70: show ssh - display description Table 71: 802.1X Port Authentication Commands Table 72: Management IP Filter Commands Table 73: General Security Commands Table 74: Management IP Filter Commands Table 75: Network Access Commands Table 76: Dynamic QoS Profiles Table 77: Web Authentication...
  • Page 44 TABLES Table 104: GVRP and Bridge Extension Commands Table 105: Commands for Editing VLAN Groups Table 106: Commands for Configuring VLAN Interfaces Table 107: Commands for Displaying VLAN Information Table 108: 802.1Q Tunneling Commands Table 109: Commands for Configuring Traffic Segmentation Table 110: Protocol-based VLAN Commands Table 111: IP Subnet VLAN Commands Table 112: MAC Based VLAN Commands...
  • Page 45 TABLES Table 140: show ipv6 interface - display description Table 141: show ipv6 mtu - display description Table 142: show ipv6 traffic - display description Table 143: show ipv6 neighbors - display description Table 144: Troubleshooting Chart – 45 –...
  • Page 46 TABLES – 46 –...
  • Page 47: Section I

    SECTION I GETTING STARTED This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface. This section includes these chapters: ◆ "Introduction" on page 49...
  • Page 48 SECTION I | Getting Started – 48 –...
  • Page 49: Key Features

    INTRODUCTION This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
  • Page 50: Description Of Software Features

    CHAPTER | Introduction Description of Software Features Table 1: Key Features (Continued) Feature Description Spanning Tree Algorithm Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP) Virtual LANs Up to 256 using IEEE 802.1Q, port-based, protocol-based, private VLANs, voice VLANs, and QinQ tunnel Traffic Prioritization Default port priority, traffic class map, queue scheduling, IP...
  • Page 51: Access Control Lists

    CHAPTER | Introduction Description of Software Features ACCESS CONTROL LISTS ACLs provide packet filtering for IP frames (based on address, protocol, TCP/UDP port number or TCP control code) or any frames (based on MAC address or Ethernet type). ACLs can be used to improve performance by blocking unnecessary network traffic or to implement security controls by restricting access to specific network resources or protocols.
  • Page 52: Ieee 802.1D Bridge

    CHAPTER | Introduction Description of Software Features IEEE 802.1D BRIDGE The switch supports IEEE 802.1D transparent bridging. The address table facilitates data switching by learning addresses, and then filtering or forwarding traffic based on this information. The address table supports up to 8K addresses.
  • Page 53: Virtual Lans

    CHAPTER | Introduction Description of Software Features VIRTUAL LANS The switch supports up to 255 VLANs. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. The switch supports tagged VLANs based on the IEEE 802.1Q standard.
  • Page 54: Quality Of Service

    CHAPTER | Introduction System Defaults QUALITY OF SERVICE Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per-hop basis. Each packet is classified upon entry into the network based on access lists, IP Precedence or DSCP values, or VLAN lists.
  • Page 55 CHAPTER | Introduction System Defaults Table 2: System Defaults (Continued) Function Parameter Default Web Management HTTP Server Enabled HTTP Port Number HTTP Secure Server Enabled HTTP Secure Server Port SNMP SNMP Agent Enabled Community Strings “public” (read only) “private” (read/write) Traps Authentication traps: enabled Link-up-down events: enabled...
  • Page 56 CHAPTER | Introduction System Defaults Table 2: System Defaults (Continued) Function Parameter Default Traffic Prioritization Ingress Port Priority Queue Mode Queue Weight Queue: 0 1 2 3 Weight: 1 2 4 6 Class of Service Enabled IP Precedence Priority Disabled IP DSCP Priority Disabled IP Settings...
  • Page 57: Initial Switch Configuration

    INITIAL SWITCH CONFIGURATION This chapter includes information on connecting to the switch and basic configuration procedures. CONNECTING TO THE SWITCH The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface.
  • Page 58: Required Connections

    CHAPTER | Initial Switch Configuration Connecting to the Switch ◆ Control port access through IEEE 802.1X security or static address filtering ◆ Filter packets using Access Control Lists (ACLs) ◆ Configure up to 256 IEEE 802.1Q VLANs ◆ Enable GVRP automatic VLAN registration...
  • Page 59: Remote Connections

    CHAPTER | Initial Switch Configuration Connecting to the Switch ■ Set flow control to none. ■ Set the emulation mode to VT100. ■ When using HyperTerminal, select Terminal keys, not Windows keys. Once you have set up the terminal correctly, the console login screen will be displayed.
  • Page 60: Basic Configuration

    Press <Enter>. Type “username admin password 0 password,” for the Privileged Exec level, where password is your new password. Press <Enter>. Username: admin Password: CLI session with the ES3510MA is opened. To end the CLI session, enter [Exit]. – 60 –...
  • Page 61: Setting An Ip Address

    CHAPTER | Initial Switch Configuration Basic Configuration Console#configure Console(config)#username guest password 0 [password] Console(config)#username admin password 0 [password] Console(config)# SETTING AN IP ADDRESS You must establish IP address information for the switch to obtain management access through the network. This can be done in either of the following ways: Manual —...
  • Page 62 CHAPTER | Initial Switch Configuration Basic Configuration To set the IP address of the default gateway for the network to which the switch belongs, type “ip default-gateway gateway,” where “gateway” is the IP address of the default gateway. Press <Enter>. Console(config)#interface vlan 1 Console(config-if)#ip address 192.168.1.5 255.255.255.0 Console(config-if)#exit...
  • Page 63 CHAPTER | Initial Switch Configuration Basic Configuration ND retransmit interval is 1000 milliseconds Console# Address for Multi-segment Network — Before you can assign an IPv6 address to the switch that will be used to connect to a multi-segment network, you must obtain the following information from your network administrator: ◆...
  • Page 64 CHAPTER | Initial Switch Configuration Basic Configuration 2001:DB8:2222:7272::/64, subnet is 2001:DB8:2222:7272::/64 Joined group address(es): FF02::1:FF00:0 FF02::1:FF11:6700 FF02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3. Console#show ipv6 default-gateway ipv6 default gateway: 2001:DB8:2222:7272::254 Console# DYNAMIC CONFIGURATION Obtaining an IPv4 Address...
  • Page 65 CHAPTER | Initial Switch Configuration Basic Configuration Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press <Enter>. Console(config)#interface vlan 1 Console(config-if)#ip address dhcp Console(config-if)#end Console#show ip interface IP address and netmask: 192.168.1.54 255.255.255.0 on VLAN 1, and address mode: DHCP Console#copy running-config startup-config Startup configuration file name []: startup...
  • Page 66: Enabling Snmp Management Access

    CHAPTER | Initial Switch Configuration Basic Configuration To dynamically generate an IPv6 host address for the switch, complete the following steps: From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>. From the interface prompt, type “ipv6 address autoconfig” and press <Enter>.
  • Page 67 CHAPTER | Initial Switch Configuration Basic Configuration COMMUNITY STRINGS (FOR SNMP VERSION 1 AND 2C CLIENTS) Community strings are used to control management access to SNMP version 1 and 2c stations, as well as to authorize SNMP stations to receive trap messages from the switch. You therefore need to assign community strings to specified users, and set the access level.
  • Page 68: Managing System Files

    CHAPTER | Initial Switch Configuration Managing System Files authentication and privacy is used for v3 clients. Then press <Enter>. For a more detailed description of these parameters, see "snmp-server host" on page 560. The following example creates a trap host for each type of SNMP client.
  • Page 69: Saving Or Restoring Configuration Settings

    CHAPTER | Initial Switch Configuration Managing System Files “startup1.cfg” that contains system settings for switch initialization, including information about the unit identifier, and MAC address for the switch. The configuration settings from the factory defaults configuration file are copied to this file, which is then used to boot the switch.
  • Page 70 CHAPTER | Initial Switch Configuration Managing System Files To save the current configuration settings, enter the following command: From the Privileged Exec mode prompt, type “copy running-config startup-config” and press <Enter>. Enter the name of the start-up file. Press <Enter>. Console#copy running-config startup-config Startup configuration file name []: startup \Write to FLASH Programming.
  • Page 71: Section

    SECTION WEB CONFIGURATION This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser. This section includes these chapters: ◆ "Using the Web Interface" on page 73 ◆ "Basic Management Tasks" on page 89...
  • Page 72 SECTION | Web Configuration – 72 –...
  • Page 73: Using The Web Interface

    USING THE WEB INTERFACE This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, Netscape 6.2 or above, or Mozilla Firefox 2.0.0.0 or above).
  • Page 74: Navigating The Web Browser Interface

    System Information on the right side. The Main Menu links are used to navigate to other menus, and display configuration parameters and statistics. Figure 1: Home Page You can open a connection to the manufacturer’s web site by clicking on the Edge-core logo. – 74 –...
  • Page 75: Configuration Options

    CHAPTER | Using the Web Interface Navigating the Web Browser Interface CONFIGURATION OPTIONS Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
  • Page 76: Main Menu

    CHAPTER | Using the Web Interface Navigating the Web Browser Interface Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Table 4: Switch Main Menu Menu Description...
  • Page 77 CHAPTER | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Chart Shows Interface, Etherlike, and RMON port statistics Cable Test Performs cable diagnostics for selected port to diagnose any cable faults (short, open etc.) and report the cable length Trunk Static...
  • Page 78 CHAPTER | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Configure Session Configures the uplink and down-link ports for a segmented group of ports VLAN Trunking Allows unknown VLAN groups to pass through the specified interface VLAN Virtual LAN...
  • Page 79 CHAPTER | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page MAC Address Learning Status Enables MAC address learning on selected interfaces Static Configures static entries in the address table Show Displays static entries in the address table Dynamic Configure Aging...
  • Page 80 CHAPTER | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Priority Default Priority Sets the default priority for each port or trunk Queue Sets queue mode for the switch; sets the service weight for each queue that will use a weighted or hybrid mode Trust Mode Selects DSCP or CoS priority processing...
  • Page 81 CHAPTER | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Configure Interface Configures VoIP traffic settings for ports, including the way in which a port is added to the Voice VLAN, filtering of non-VoIP packets, the method of detecting VoIP traffic, and the priority assigned to the voice traffic Security...
  • Page 82 CHAPTER | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Network Access MAC address-based network access authentication Configure Global Enables aging for authenticated MAC addresses, and sets the time period after which a connected MAC address must be reauthenticated Configure Interface General...
  • Page 83 CHAPTER | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Show Rule Shows the rules specified for an ACL Configure Interface Binds a port to the specified ACL and time range ARP Inspection Configure General Enables inspection globally, configures validation of additional...
  • Page 84 CHAPTER | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Show Local Device Information General Displays general information about the local device Port/Trunk Displays information about each interface Show Remote Device Information Port/Trunk Displays information about a remote device connected to a port on this switch...
  • Page 85 CHAPTER | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page RMON Remote Monitoring Configure Global Alarm Sets threshold bounds for a monitored variable Event Creates a response event for an alarm Show Alarm Shows all configured alarms...
  • Page 86 CHAPTER | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Show MTU Shows the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch IP Service Domain Name Service...
  • Page 87 CHAPTER | Using the Web Interface Navigating the Web Browser Interface Table 4: Switch Main Menu (Continued) Menu Description Page Interface Configure Configures IGMP snooping per VLAN interface Show Shows IGMP snooping settings per VLAN interface Forwarding Entry Displays the current multicast groups learned through IGMP Snooping Filter Configure General...
  • Page 88 CHAPTER | Using the Web Interface Navigating the Web Browser Interface – 88 –...
  • Page 89: Basic Management Tasks

    BASIC MANAGEMENT TASKS: This chapter describes the following topics: ◆ Displaying System Information – Provides basic system description, including contact information. ◆ Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions. ◆ Configuring Support for Jumbo Frames –...
  • Page 90: Displaying Hardware/Software Versions

    PARAMETERS: These parameters are displayed: ◆ System Description – Brief description of device type. ◆ System Object ID – MIB II object ID for switch’s network management subsystem. ◆ System Up Time – Length of time the management agent has been...
  • Page 91 | Basic Management Tasks (Displaying Hardware/Software Versions): PARAMETERS: The following parameters are displayed: Main Board Information: ◆ Serial Number – The serial number of the switch. ◆ Number of Ports – Number of built-in ports. ◆ Hardware Version – Hardware version of the main board. ◆ Internal Power Status –...
  • Page 92: Configuring Support For Jumbo Frames

    CONFIGURING SUPPORT FOR JUMBO FRAMES: Use the System > Capability page to configure support for jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 9216 bytes for Gigabit Ethernet.
  • Page 93: Displaying Bridge Extension Capabilities

    DISPLAYING BRIDGE EXTENSION CAPABILITIES: Use the System > Capability page to display settings based on the Bridge MIB. The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.
  • Page 94: Managing System Files

    INTERFACE: To view Bridge Extension information: Click System, then Capability. Figure 6: Displaying Bridge Extension Configuration. MANAGING SYSTEM FILES: This section describes how to upgrade the switch operating software or configuration files, and set the system start-up files. Use the System >...
  • Page 95 | Basic Management Tasks (Managing System Files): CLI REFERENCES: ◆ "copy" on page 512. PARAMETERS: The following parameters are displayed: ◆ Copy Type – The firmware copy operation includes these options: ■ FTP Upgrade – Copies a file from an FTP server to the switch. ■...
  • Page 96: Saving The Running Configuration To A Local File

    Select FTP Upgrade, HTTP Upgrade, or TFTP Upgrade as the file transfer method. If FTP or TFTP Upgrade is used, enter the IP address of the file server. If FTP Upgrade is used, enter the user name and password for your account on the FTP server.
  • Page 97: Setting The Start-Up File

    ◆ Destination File Name – Copy to the currently designated startup file, or to a new file. The file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names is 31 characters for files on the switch.
  • Page 98: Showing System Files

    INTERFACE: To set a file to use for system initialization: Click System, then File. Select Set Start-Up from the Action list. Mark the operation code or configuration file to be used at startup. Then click Apply.
  • Page 99: Automatic Operation Code Upgrade

    ◆ The file name of the code stored on the remote server must be es3510ma.bix (using upper case and lower case letters exactly as indicated here). Enter the file name for other switches described in this manual exactly as shown on the web interface.
  • Page 100 | NetBSD, OpenBSD, and most Linux distributions, etc.) are case-sensitive, meaning that two files in the same directory, es3510ma.bix and ES3510MA.bix, are considered to be unique files. Thus, if the upgrade file is stored as ES3510MA.bix (or even Es3510ma.bix) on a case-sensitive server, then the switch (requesting es3510ma.bix) will...
  • Page 101 | Basic Management Tasks (Managing System Files): The following syntax must be observed: tftp://host[/filedir]/ ■ tftp:// – Defines TFTP protocol for the server connection. ■ host – Defines the IP address of the TFTP server. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. DNS host names are not recognized.
  • Page 102 | Basic Management Tasks (Managing System Files): ■ tftp://192.168.0.1/switches/opcode/ – The image file is in the “opcode” directory, which is within the “switches” parent directory, relative to the TFTP root. The following examples demonstrate the URL syntax for an FTP server at IP address 192.168.0.1 with various user name, password and file location options presented: ftp://192.168.0.1/...
  • Page 103: Setting The System Clock

    If a new image is found at the specified location, the following type of messages will be displayed during bootup: Automatic Upgrade is looking for a new image / New image detected: current version 1.1.1.0; new version 1.1.1.2 / Image upgrade in progress / The switch will restart after upgrade succeeds / Downloading new image...
  • Page 104: Configuring Sntp

    ◆ Day – Sets the day of the month. (Range: 1-31; Default: 1) ◆ Year – Sets the year. (Range: 2001-2100; Default: 2009) INTERFACE: To manually set the system clock: Click System, then Time. Select Configure General from the Action list.
  • Page 105: Specifying Sntp Time Servers

    INTERFACE: To set the polling interval for SNTP: Click System, then Time. Select Configure General from the Action list. Select SNTP from the Maintain Type list. Modify the polling interval if required. Click Apply. Figure 13: Setting the Polling Interval for SNTP. Use the System >...
  • Page 106: Setting The Time Zone

    Figure 14: Specifying SNTP Time Servers. SETTING THE TIME ZONE: Use the System > Time (Configure Time Server) page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England.
  • Page 107: Console Port Settings

    Figure 15: Setting the Time Zone. CONSOLE PORT SETTINGS: Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port.
  • Page 108 | Basic Management Tasks (Console Port Settings): ◆ Data Bits – Sets the number of data bits per character that are interpreted and generated by the console port. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
  • Page 109: Telnet Settings

    TELNET SETTINGS: Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other parameters set, including the TCP port number, timeouts, and a password.
  • Page 110: Displaying Cpu Utilization

    INTERFACE: To configure parameters for the console port: Click System, then Telnet. Specify the connection parameters as required. Click Apply. Figure 17: Telnet Connection Settings. DISPLAYING CPU UTILIZATION: Use the System > CPU Utilization page to display information on CPU utilization.
  • Page 111: Displaying Memory Utilization

    Figure 18: Displaying CPU Utilization. DISPLAYING MEMORY UTILIZATION: Use the System > Memory Status page to display memory utilization parameters. CLI REFERENCES: ◆ "show memory" on page 504. PARAMETERS: The following parameters are displayed: ◆...
  • Page 112: Resetting The System

    RESETTING THE SYSTEM: Use the System > Reset menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval. CLI REFERENCES: ◆ "reload (Privileged Exec)" on page 490...
  • Page 113 | Basic Management Tasks (Resetting the System): ■ Regularly – Specifies a periodic interval at which to reload the switch. Time: ■ HH – The hour at which to reload. (Range: 0-23) ■ MM – The minute at which to reload. (Range: 0-59) ■...
  • Page 114 | Basic Management Tasks (Resetting the System): Figure 21: Restarting the Switch (In). Figure 22: Restarting the Switch (At).
  • Page 115 | Basic Management Tasks (Resetting the System): Figure 23: Restarting the Switch (Regularly).
  • Page 116 | Basic Management Tasks (Resetting the System)
  • Page 117: Interface Configuration

    INTERFACE CONFIGURATION: This chapter describes the following topics: ◆ Port Configuration – Configures connection settings, including auto-negotiation, or manual setting of speed, duplex mode, and flow control. ◆ Local Port Mirroring – Sets the source and target ports for mirroring on...
  • Page 118: Interface Configuration

    ◆ When using auto-negotiation, the optimal settings will be negotiated between the link partners based on their advertised capabilities. To set the speed, duplex mode, or flow control under auto-negotiation, the required operation modes must be specified in the capabilities list for an interface.
  • Page 119 | Interface Configuration (Port Configuration): ■ Sym (Gigabit only) – Check this item to transmit and receive pause frames. ■ FC – Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill.
  • Page 120: Configuring By Port Range

    CONFIGURING BY PORT RANGE: Use the Interface > Port > General (Configure by Port Range) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
  • Page 121 | Interface Configuration (Port Configuration): PARAMETERS: These parameters are displayed: ◆ Port – Port identifier. ◆ Type – Indicates the port type. (100Base-TX, 1000Base-T, 100Base SFP or 1000Base SFP) ◆ Name – Interface label. ◆ Admin – Shows if the port is enabled or disabled. ◆...
  • Page 122: Configuring Local Port Mirroring

    CONFIGURING LOCAL PORT MIRRORING: Use the Interface > Port > Mirror page to mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
  • Page 123 | Interface Configuration (Port Configuration): INTERFACE: To configure a local mirror session: Click Interface, Port, Mirror. Select Add from the Action List. Specify the source port. Specify the monitor port. Specify the traffic type to be mirrored. Click Apply. Figure 28: Configuring Local Port Mirroring. To display the configured mirror sessions: Click Interface, Port, Mirror.
  • Page 124: Configuring Remote Port Mirroring

    CONFIGURING REMOTE PORT MIRRORING: Use the Interface > Port > RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch. This feature, also called Remote Switched Port Analyzer (RSPAN), carries traffic generated on the specified source ports for each session over a user-specified VLAN dedicated to that RSPAN session in all participating switches.
  • Page 125 | Interface Configuration (Port Configuration): Set up all intermediate switches on the RSPAN configuration page, entering the mirror session, the switch’s role (Intermediate), the RSPAN VLAN, and the uplink port(s). Set up the destination switch on the RSPAN configuration page by specifying the mirror session, the switch’s role (Destination), the destination port, whether or not the traffic exiting this port will be tagged or untagged, and the RSPAN VLAN.
  • Page 126 | Interface Configuration (Port Configuration): ◆ Operation Status – Indicates whether or not RSPAN is currently functioning. ◆ Switch Role – Specifies the role this switch performs in mirroring traffic. ■ None – This switch will not participate in RSPAN. ■...
  • Page 127 | Interface Configuration (Port Configuration): INTERFACE: To configure a remote mirror session: Click Interface, RSPAN. Set the Switch Role to None, Source, Intermediate, or Destination. Configure the required settings for each switch participating in the RSPAN VLAN. Click Apply. Figure 31: Configuring Remote Port Mirroring (Source). Figure 32: Configuring Remote Port Mirroring (Intermediate)...
  • Page 128: Showing Port Or Trunk Statistics

    Figure 33: Configuring Remote Port Mirroring (Destination). SHOWING PORT OR TRUNK STATISTICS: Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
  • Page 129 | Interface Configuration (Port Configuration): Table 5: Port Statistics (Continued), columns Parameter / Description. Transmitted Errors – The number of outbound packets that could not be transmitted because of errors. Received Unicast Packets – The number of subnetwork-unicast packets delivered to a higher-layer protocol.
  • Page 130 | Interface Configuration (Port Configuration): Table 5: Port Statistics (Continued), columns Parameter / Description. Internal MAC Receive Errors – A count of frames for which reception on a particular interface fails due to an internal MAC sublayer receive error. Internal MAC Transmit Errors – A count of frames for which transmission on a particular interface fails due to an internal MAC sublayer transmit error.
  • Page 131 | Interface Configuration (Port Configuration): Figure 34: Showing Port Statistics (Table). To show a chart of port statistics: Click Interface, Port, Chart. Select the statistics mode to display (Interface, Etherlike, RMON or All). If Interface, Etherlike, RMON statistics mode is chosen, select a port from the drop-down list.
  • Page 132: Performing Cable Diagnostics

    PERFORMING CABLE DIAGNOSTICS: Use the Interface > Port > Cable Test page to test the cable attached to a port. The cable test will check for any cable faults (short, open, etc.). If a fault is found, the switch reports the length to the fault.
  • Page 133: Trunk Configuration

    INTERFACE: To show a list of port statistics: Click Interface, Port, Cable Test. Click Test for any port to start the cable test. Figure 36: Performing Cable Tests. TRUNK CONFIGURATION: This section describes how to configure static and dynamic trunks. You can create multiple links between devices that work as one virtual, aggregate link.
  • Page 134: Configuring A Static Trunk

    COMMAND USAGE: Besides balancing the load across each port in the trunk, the other ports provide redundancy by taking over the load if a port in the trunk fails. However, before making any physical connections between devices, use the web interface or CLI to specify the trunk on the devices at both ends.
  • Page 135 | Interface Configuration (Trunk Configuration): COMMAND USAGE: ◆ When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer’s implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.
  • Page 136 | Interface Configuration (Trunk Configuration): To add member ports to a static trunk: Click Interface, Trunk, Static. Select Configure Trunk from the Step list. Select Add Member from the Action list. Select a trunk identifier. Set the unit and port for an additional trunk member. Click Apply.
  • Page 137: Configuring A Dynamic Trunk

    To display trunk connection parameters: Click Interface, Trunk, Static. Select Configure General from the Step list. Select Show Information from the Action list. Figure 41: Showing Information for Static Trunks. CONFIGURING A DYNAMIC TRUNK: Use the Interface > Trunk > Dynamic (Configure Aggregator) page to set the administrative key for an aggregation group, enable LACP on a port,...
  • Page 138 | Interface Configuration (Trunk Configuration): ◆ All ports on both ends of an LACP trunk must be configured for full duplex, and auto-negotiation. ◆ Ports are only allowed to join the same Link Aggregation Group (LAG) if (1) the LACP port system priority matches, (2) the LACP port admin key matches, and (3) the LAG admin key matches (if configured).
  • Page 139 | Interface Configuration (Trunk Configuration): Configuring LACP settings for a port only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with that port. Configuring the port partner sets the remote side of an aggregate link;...
  • Page 140 | Interface Configuration (Trunk Configuration): To enable LACP for a port: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Configure from the Action list. Click General. Enable LACP on the required ports. Click Apply. Figure 44: Enabling LACP on a Port...
  • Page 141 | Interface Configuration (Trunk Configuration): To configure LACP parameters for group members: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Configure from the Action list. Click Actor or Partner. Configure the required settings. Click Apply. Figure 45: Configuring LACP Parameters on a Port. To show the active members of a dynamic trunk: Click Interface, Trunk, Dynamic.
  • Page 142 | Interface Configuration (Trunk Configuration): To configure connection parameters for a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Trunk from the Step List. Select Configure from the Action List. Modify the required interface settings. (See "Configuring by Port List" on page 117 for a description of the interface settings.) Click Apply.
  • Page 143: Displaying Lacp Port Counters

    DISPLAYING LACP PORT COUNTERS: Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Counters) page to display statistics for LACP protocol messages. CLI REFERENCES: ◆ "show lacp" on page 723...
  • Page 144: Displaying Lacp Settings And Status For The Local Side

    Figure 49: Displaying LACP Port Counters. DISPLAYING LACP SETTINGS AND STATUS FOR THE LOCAL SIDE: Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Internal) page to display the configuration settings and operational state for the local side of a link aggregation. CLI R...
  • Page 145 | Interface Configuration (Trunk Configuration): Table 7: LACP Internal Configuration Information (Continued), columns Parameter / Description. LACPDUs Interval – Number of seconds before invalidating received LACPDU information. Admin State, Oper State – Administrative or operational values of the actor’s state parameters: ◆ Expired – The actor’s receive machine is in the expired state;...
  • Page 146: Displaying Lacp Settings And Status For The Remote Side

    INTERFACE: To display LACP settings and status for the local side: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Show Information from the Action list. Click Internal. Select a group member from the Port list. Figure 50: Displaying LACP Port Internal Information. Use the Interface >...
  • Page 147 | Interface Configuration (Trunk Configuration): Table 8: LACP Internal Configuration Information (Continued), columns Parameter / Description. Partner Oper Port Number – Operational port number assigned to this aggregation port by the port’s protocol partner. Port Admin Priority – Current administrative value of the port priority for the protocol partner.
  • Page 148: Saving Power

    SAVING POWER: Use the Interface > Green Ethernet page to enable power savings mode on the selected port. CLI REFERENCES: ◆ "power-save" on page 714 ◆ "show power-save" on page 715. COMMAND USAGE: ◆ IEEE 802.3 defines the Ethernet standard and subsequent power...
  • Page 149 | Interface Configuration (Saving Power): PARAMETERS: These parameters are displayed: ◆ Port – Power saving mode only applies to the Gigabit Ethernet ports using copper media. ◆ Power Saving Status – Adjusts the power provided to ports based on the length of the cable used to connect to other devices.
  • Page 150: Traffic Segmentation

    TRAFFIC SEGMENTATION: If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic between clients on different downlink ports.
  • Page 151: Configuring Uplink And Downlink Ports

    CONFIGURING UPLINK AND DOWNLINK PORTS: Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports.
  • Page 152: Vlan Trunking

    VLAN TRUNKING: Use the Interface > VLAN Trunking page to allow unknown VLAN groups to pass through the specified interface. CLI REFERENCES: ◆ "vlan-trunking" on page 794. COMMAND USAGE: ◆ Use this feature to configure a tunnel across one or more intermediate...
  • Page 153 | Interface Configuration (VLAN Trunking): PARAMETERS: These parameters are displayed: ◆ Interface – Displays a list of ports or trunks. ◆ Port – Port Identifier. (Range: 9-10) VLAN trunking can only be enabled on Gigabit ports. ◆ Trunk – Trunk Identifier. (Range: 1-5) ◆ VLAN Trunking Status –...
  • Page 154 | Interface Configuration (VLAN Trunking)
  • Page 155: Vlan Configuration

    VLAN C ONFIGURATION This chapter includes the following topics: IEEE 802.1Q VLANs – Configures static and dynamic VLANs. ◆ IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain ◆ customer-specific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs.
  • Page 156 | VLAN Configuration HAPTER IEEE 802.1Q VLANs since traffic must pass through a configured Layer 3 link to reach a different VLAN. This switch supports the following VLAN features: Up to 256 VLANs based on the IEEE 802.1Q standard ◆ Distributed VLAN learning across multiple switches using explicit or ◆...
  • Page 157 | VLAN Configuration HAPTER IEEE 802.1Q VLANs VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port).
  • Page 158: Configuring Vlan Groups

    | VLAN Configuration HAPTER IEEE 802.1Q VLANs Figure 58: Using GVRP Port-based VLAN 10 11 15 16 Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
  • Page 159 | VLAN Configuration HAPTER IEEE 802.1Q VLANs Modify VLAN ID – ID of configured VLAN (1-4093). ◆ VLAN Name – Name of the VLAN (1 to 32 characters). ◆ Status – Enables or disables the specified VLAN. ◆ Show VLAN ID – ID of configured VLAN. ◆...
  • Page 160: Adding Static Members To Vlans

    | VLAN Configuration HAPTER IEEE 802.1Q VLANs To modify the configuration settings for VLAN groups: Click VLAN, Static. Select Modify from the Action list. Select the identifier of a configured VLAN. Modify the VLAN name or operational status as required. Click Apply.
  • Page 161 | VLAN Configuration HAPTER IEEE 802.1Q VLANs a port as forbidden to prevent the switch from automatically adding it to a VLAN via the GVRP protocol. CLI R EFERENCES "Configuring VLAN Interfaces" on page 788 ◆ "Displaying VLAN Information" on page 795 ◆...
  • Page 162 | VLAN Configuration HAPTER IEEE 802.1Q VLANs Ingress Filtering – Determines how to process frames tagged for ◆ VLANs for which the ingress port is not a member. (Default: Disabled) Ingress filtering only affects tagged frames. ■ If ingress filtering is disabled and a port receives frames tagged for ■...
  • Page 163 | VLAN Configuration HAPTER IEEE 802.1Q VLANs The PVID, acceptable frame type, and ingress filtering parameters for each interface within the specified range must be configured on either the Edit Member by VLAN or Edit Member by Interface page. NTERFACE To configure static members by the VLAN index: Click VLAN, Static.
  • Page 164 | VLAN Configuration HAPTER IEEE 802.1Q VLANs To configure static members by interface: Click VLAN, Static. Select Edit Member by Interface from the Step list. Select a port or trunk configure. Modify the settings for any interface as required. Click Apply. Figure 63: Configuring Static VLAN Members by Interface To configure static members by interface range: Click VLAN, Static.
  • Page 165: Configuring Dynamic Vlan Registration

    | VLAN Configuration HAPTER IEEE 802.1Q VLANs Figure 64: Configuring Static VLAN Members by Interface Range Use the VLAN > Dynamic page to enable GVRP globally on the switch, or to ONFIGURING enable GVRP and adjust the protocol timers per interface. VLAN YNAMIC EGISTRATION...
  • Page 166 | VLAN Configuration HAPTER IEEE 802.1Q VLANs Join – The interval between transmitting requests/queries to ■ participate in a VLAN group. (Range: 20-1000 centiseconds; Default: 20) Leave – The interval a port waits before leaving a VLAN group. This ■ time should be set to more than twice the join time.
  • Page 167 | VLAN Configuration HAPTER IEEE 802.1Q VLANs To configure GVRP status and timers on a port or trunk: Click VLAN, Dynamic. Select Configure Interface from the Step list. Set the Interface type to display as Port or Trunk. Modify the GVRP status or timers for any interface. Click Apply.
  • Page 168: Ieee 802.1Q Tunneling

    | VLAN Configuration HAPTER IEEE 802.1Q Tunneling Figure 68: Showing the Members of a Dynamic VLAN IEEE 802.1Q T UNNELING IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
  • Page 169 | VLAN Configuration HAPTER IEEE 802.1Q Tunneling for packet processing. When the packet exits another trunk port on the same core switch, the same SPVLAN tag is again added to the packet. When a packet enters the trunk port on the service provider’s egress switch, the outer tag is again stripped for packet processing.
  • Page 170 | VLAN Configuration HAPTER IEEE 802.1Q Tunneling After packet classification through the switching process, the packet is written to memory with one tag (an outer tag) or with two tags (both an outer tag and inner tag). The switch sends the packet to the proper egress port. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped.
  • Page 171 | VLAN Configuration HAPTER IEEE 802.1Q Tunneling The switch sends the packet to the proper egress port. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packet will have two tags.
  • Page 172: Enabling Qinq Tunneling On The Switch

    | VLAN Configuration HAPTER IEEE 802.1Q Tunneling Configure the QinQ tunnel uplink port to Tunnel Uplink mode (see "Adding an Interface to a QinQ Tunnel" on page 173). Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (see "Adding Static Members to VLANs"...
  • Page 173: Adding An Interface To A Qinq Tunnel

    | VLAN Configuration HAPTER IEEE 802.1Q Tunneling Figure 70: Enabling QinQ Tunneling Follow the guidelines in the preceding section to set up a QinQ tunnel on DDING AN NTERFACE the switch. Then use the VLAN > Tunnel (Configure Interface) page to set TO A UNNEL the tunnel mode for any participating interface.
  • Page 174: Protocol Vlans

    VLAN Configuration | Protocol VLANs. Web Interface: To add an interface to a QinQ tunnel: Click VLAN, Tunnel. Select Configure Interface from the Step list. Set the mode for any tunnel access port to Tunnel and the tunnel uplink port to Tunnel Uplink. Click Apply.
  • Page 175: Configuring Protocol VLAN Groups

    Then map the protocol for each interface to the appropriate VLAN using the Configure Interface (Add) page. ◆ When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, with port-based VLANs last.
  • Page 176 | Web Interface: To configure a protocol group: Click VLAN, Protocol. Select Configure Protocol from the Step list. Select Add from the Action list. Select an entry from the Frame Type list. Select an entry from the Protocol Type list. Enter an identifier for the protocol group.
  • Page 177: Mapping Protocol Groups to Interfaces

    Use the VLAN > Protocol (Configure Interface - Add) page to map a protocol group to a VLAN for each interface that will participate in the group. CLI References: "protocol-vlan protocol-group (Configuring Interfaces)"...
  • Page 178 | Web Interface: To map a protocol group to a VLAN for a port or trunk: Click VLAN, Protocol. Select Configure Interface from the Step list. Select Add from the Action list. Select a port or trunk. Enter the identifier for a protocol group.
  • Page 179: Configuring IP Subnet VLANs

    Use the VLAN > IP Subnet page to configure IP subnet-based VLANs. When using port-based classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port.
  • Page 180 | Web Interface: To map an IP subnet to a VLAN: Click VLAN, IP Subnet. Select Add from the Action list. Enter an address in the IP Address field. Enter a mask in the Subnet Mask field. Enter the identifier in the VLAN field.
  • Page 181: Configuring MAC-Based VLANs

    Use the VLAN > MAC-Based page to configure VLANs based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to source MAC addresses. When MAC-based VLAN classification is enabled, untagged frames received by a port are assigned to the VLAN which is mapped to the frame’s source MAC address.
  • Page 182 | Web Interface: To map a MAC address to a VLAN: Click VLAN, MAC-Based. Select Add from the Action list. Enter an address in the MAC Address field. Enter an identifier in the VLAN field. Note that the specified VLAN need not already be configured.
  • Page 183: Configuring VLAN Mirroring

    Use the VLAN > Mirror (Add) page to mirror traffic from one or more source VLANs to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source VLAN(s) in a completely unobtrusive manner.
  • Page 184 | Web Interface: To configure VLAN mirroring: Click VLAN, Mirror. Select Add from the Action list. Select the source VLAN, and select a target port. Click Apply. Figure 80: Configuring VLAN Mirroring. To show the VLANs to be mirrored: Click VLAN, Mirror.
  • Page 185: Address Table Settings

    Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
  • Page 186 | Configuring MAC Address Learning: ◆ Also note that MAC address learning cannot be disabled if any of the following conditions exist: ■ 802.1X Port Authentication has been globally enabled on the switch (see "Configuring 802.1X Global Settings" on page 326).
  • Page 187: Setting Static Addresses

    Use the MAC Address > Static page to configure static MAC addresses. A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
  • Page 188: Changing the Aging Time

    Click Apply. Figure 83: Configuring Static MAC Addresses. To show the static addresses in the MAC address table: Click MAC Address, Static. Select Show from the Action list. Figure 84: Displaying Static MAC Addresses. Use the MAC Address >...
  • Page 189: Displaying the Dynamic Address Table

    Web Interface: To set the aging time for entries in the dynamic address table: Click MAC Address, Dynamic. Select Configure Aging from the Action list. Modify the aging status if required. Specify a new aging time.
  • Page 190: Clearing the Dynamic Address Table

    Web Interface: To show the dynamic address table: Click MAC Address, Dynamic. Select Show Dynamic MAC from the Action list. Select the Sort Key (MAC Address, VLAN, or Interface). Enter the search parameters (MAC Address, VLAN, or Interface). Click Query.
  • Page 191: Configuring MAC Address Mirroring

    Select Clear Dynamic MAC from the Action list. Select the method by which to clear the entries (i.e., All, MAC Address, VLAN, or Interface). Enter information in the additional fields required for clearing entries by MAC Address, VLAN, or Interface.
  • Page 192 | ...matching packets will not be sent to the target port specified for port mirroring. Parameters: These parameters are displayed: ◆ Source MAC – MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx. ◆ Target Port –...
  • Page 193: Spanning Tree Algorithm

    This chapter describes the following basic topics: ◆ Loopback Detection – Configures detection and response to loopback BPDUs. ◆ Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP. ◆ Interface Settings for STA – Configures interface settings for STA, ...
  • Page 194 | Overview: ...lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops. Figure 90: STP Root Ports and Designated Ports ...
  • Page 195 | Figure 91: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree. An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest –...
  • Page 196: Configuring Loopback Detection

    Use the Spanning Tree > Loopback Detection page to configure loopback detection on an interface. When loopback detection is enabled and a port or trunk receives its own BPDU, the detection agent drops the loopback BPDU, sends an SNMP trap, and places the interface in discarding mode.
  • Page 197: Configuring Global Settings for STA

    Web Interface: To configure loopback detection: Click Spanning Tree, Loopback Detection. Click Port or Trunk to display the required interface type. Modify the required loopback detection attributes. Click Apply. Figure 93: Configuring Port Loopback Detection ...
  • Page 198 | ...connected to an 802.1D bridge and starts using only 802.1D BPDUs. ■ RSTP Mode – If RSTP is using 802.1D BPDUs on a port and receives an RSTP BPDU after the migration delay expires, RSTP restarts the migration delay timer and begins using RSTP BPDUs on that port.
  • Page 199 | ■ Default: 32768 ■ Range: 0-61440, in steps of 4096 ■ Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440. Advanced: ◆ Path Cost Method –...
  • Page 200 | Configuration Settings for MSTP: ◆ Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned. ◆ Configuration Digest – An MD5 signature key that contains the VLAN ...
  • Page 201 | Figure 95: Configuring Global Settings for STA (RSTP). Figure 96: Configuring Global Settings for STA (MSTP).
  • Page 202: Displaying Global Settings for STA

    Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch. CLI References: ◆ ...
  • Page 203: Configuring Interface Settings for STA

    Figure 97: Displaying Global Settings for STA. Use the Spanning Tree > STA (Configure Interface - Configure) page to configure RSTP and MSTP attributes for specific interfaces, including port priority, path cost, link type, and edge port.
  • Page 204: Table 9: Recommended STA Path Cost Range

    ...port priority. (Range: 0 for auto-configuration, 1-65535 for the short path cost method, 1-200,000,000 for the long path cost method) By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below.
  • Page 205 | ◆ Root Guard – STA allows a bridge with a lower bridge identifier (or same identifier and lower MAC address) to take over as the root bridge at any time. Root Guard can be used to ensure that the root bridge is not formed at a suboptimal location.
  • Page 206 | ◆ BPDU Guard – This feature protects edge ports from receiving BPDUs. It prevents loops by shutting down an edge port when a BPDU is received instead of putting it into the spanning tree discarding state. In a valid configuration, configured edge ports should not receive BPDUs.
  • Page 207: Displaying Interface Settings for STA

    Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree. CLI References: "show spanning-tree"...
  • Page 208 | ◆ Oper Path Cost – The contribution of this port to the path cost of paths towards the spanning tree root which include this port. ◆ Oper Link Type – The operational point-to-point status of the LAN ...
  • Page 209: Configuring Multiple Spanning Trees

    Web Interface: To display interface settings for STA: Click Spanning Tree, STA. Select Configure Interface from the Step list. Select Show Information from the Action list. Figure 100: Displaying Interface Settings for STA ...
  • Page 210 | To use multiple spanning trees: Set the spanning tree type to MSTP (page 197). Enter the spanning tree priority for the selected MST instance on the Spanning Tree > MSTP (Configure Global - Add) page. Add the VLANs that will share this MSTI on the Spanning Tree >...
  • Page 211 | Figure 101: Creating an MST Instance. To show the MSTP instances: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Show from the Action list. The attributes displayed on this page are described under "Displaying Global Settings for STA"...
  • Page 212 | To add additional VLAN groups to an MSTP instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Add Member from the Action list. Select an MST instance from the MST ID list. Enter the VLAN group to add to the instance in the VLAN ID field.
  • Page 213: Configuring Interface Settings for MSTP

    Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance. CLI References: ◆ "Spanning Tree Commands" on page 757 ...
  • Page 214 | The recommended range is listed in Table 9 on page 204. The recommended path cost is listed in Table 10 on page 204. The default path costs are listed in Table 11 on page 204.
  • Page 215 | Figure 106: Displaying MSTP Interface Settings
  • Page 216 | Configuring Interface Settings for MSTP
  • Page 217: Rate Limit Configuration

    Use the Traffic > Rate Limit page to apply rate limiting to ingress or egress ports. This function allows the network manager to control the maximum rate for traffic received or transmitted on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
  • Page 218 | Web Interface: To configure rate limits: Click Traffic, Rate Limit. Enable the Rate Limit Status for the required ports. Set the rate limit for the individual ports. Click Apply. Figure 107: Configuring Rate Limits
  • Page 219: Storm Control Configuration

    Use the Traffic > Storm Control page to configure broadcast storm control thresholds. Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much broadcast traffic on your network, performance can be severely degraded or everything can come to a complete halt.
  • Page 220 | Web Interface: To configure broadcast storm control: Click Traffic, Storm Control. Set the Status field to enable or disable storm control. Set the required threshold beyond which the switch will start dropping packets. Click Apply. Figure 108: Configuring Broadcast Storm Control ...
  • Page 221: Class Of Service

    Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 222: Selecting the Queue Mode

    Layer 2 Queue Settings: ◆ If the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission. Parameters: These parameters are displayed: ◆ Interface – Displays a list of ports or trunks. ...
  • Page 223 | ◆ The WRR algorithm used by this switch is known as Shaped Deficit Weighted Round Robin (SDWRR). The basic WRR algorithm uses a relative weight for each queue that determines the percentage of service time the switch services each queue before moving on to the next queue.
  • Page 224 | ◆ Queue ID – The ID of the priority queue. (Range: 0-7) ◆ Strict Mode – If “Strict and WRR” mode is selected, then a combination of strict service is used for the high priority queues and weighted service for the remaining queues.
  • Page 225: Mapping CoS Values to Egress Queues

    Figure 112: Setting the Queue Mode (Strict and WRR). Use the Traffic > Priority > PHB to Queue page to specify the hardware output queues to use based on the internal per-hop behavior value. (For more information on the exact manner in which the ingress priority tags are...
  • Page 226: Table 14: Mapping Internal Per-Hop Behavior to Hardware Queues

    Table 13: CoS Priority Levels (Continued) – Priority Level | Traffic Type: Voice, less than 10 milliseconds latency and jitter; Network Control. CLI References: ◆ "qos map phb-queue" on page 825. Command Usage: ◆ Egress packets are placed into the hardware queues according to the ...
  • Page 227 | Figure 113: Mapping CoS Values to Egress Queues. To show the internal PHB to hardware queue map: Click Traffic, Priority, PHB to Queue. Select Show from the Action list. Select an interface. Figure 114: Showing CoS Values to Egress Queues ...
  • Page 228: Layer 3/4 Priority Settings

    Mapping Layer 3/4 Priorities to CoS Values: The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet, or the number of the TCP/UDP port.
  • Page 229: Mapping Ingress DSCP Values to Internal DSCP Values

    Parameters: These parameters are displayed: ◆ Interface – Specifies a port or trunk. ◆ Trust Mode ■ DSCP – Maps layer 3/4 priorities using Differentiated Services Code Point values. ■ CoS – Maps layer 3/4 priorities using Class of Service values. ...
  • Page 230: Table 15: Default Mapping of DSCP Values to Internal PHB/Drop Values

    Command Usage: ◆ Enter per-hop behavior and drop precedence for any of the DSCP values 0 - 63. ◆ This map is only used when the priority mapping mode is set to DSCP ...
  • Page 231 | Web Interface: To map DSCP values to internal PHB/drop precedence: Click Traffic, Priority, DSCP to DSCP. Select Add from the Action list. Set the PHB and drop precedence for any DSCP value. Click Apply.
  • Page 232: Mapping CoS Priorities to Internal DSCP Values

    Use the Traffic > Priority > CoS to DSCP page to map CoS/CFI values in incoming packets to per-hop behavior and drop precedence values for priority processing. CLI References...
  • Page 233: Table 16: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence

    Table 16: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence, (CoS, CFI) → (PHB, Drop Precedence): (0,0) → (0,0); (1,0) → (1,0); (2,0) → (2,0); (3,0) → (3,0); (4,0) → (4,0); (5,0) → (5,0); (6,0) → (6,0); (7,0) → (7,0). Web Interface: To map CoS/CFI values to internal PHB/drop precedence: Click Traffic, Priority, CoS to DSCP.
  • Page 234 | To show the CoS/CFI to internal PHB/drop precedence map: Click Traffic, Priority, CoS to DSCP. Select Show from the Action list. Select an interface. Figure 119: Showing CoS to DSCP Internal Mapping ...
  • Page 235: Quality Of Service

    This chapter describes the following tasks required to apply QoS policies: Class Map – Creates a map which identifies a specific class of traffic. Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic. Binding to a Port –...
  • Page 236: Configuring a Class Map

    Command Usage: To create a service policy for a specific category of ingress traffic, follow these steps: Use the Configure Class (Add) page to designate a class name for a specific category of traffic. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, or a VLAN.
  • Page 237 | ◆ Description – A brief description of a class map. (Range: 1-64 characters) Add Rule: ◆ Class Name – Name of the class map. ◆ Type – Only one match command is permitted per class map, so the ...
  • Page 238 | To show the configured class maps: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show from the Action list. Figure 121: Showing Class Maps. To edit the rules for a class map: Click Traffic, DiffServ.
  • Page 239: Creating QoS Policies

    To show the rules for a class map: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show Rule from the Action list. Figure 123: Showing the Rules for a Class Map. Use the Traffic >...
  • Page 240 | Policing is based on a token bucket, where bucket depth (that is, the maximum burst before the bucket overflows) is specified by the “burst” field (BC), and the average rate at which tokens are removed from the bucket is specified by the “rate”...
  • Page 241 | ■ if Te(t)-B ≥ 0, the packet is yellow and Te is decremented by B down to the minimum value of 0, ■ else the packet is red and neither Tc nor Te is decremented. ...
  • Page 242 | ...respectively. The maximum size of the token bucket P is BP and the maximum size of the token bucket C is BC. The token buckets P and C are initially (at time 0) full, that is, the token count Tp(0) = BP and the token count Tc(0) = BC.
  • Page 243 | Parameters: These parameters are displayed: ◆ Policy Name – Name of policy map. (Range: 1-16 characters) ◆ Description – A brief description of a policy map. (Range: 1-256 characters) Add Rule: ◆ Policy Name – Name of policy map. ...
  • Page 244 | ■ Committed Burst Size (BC) – Burst in bytes. (Range: 4000-16000000 at a granularity of 4k bytes) The burst size cannot exceed 16 Mbytes. ■ Conform – Specifies that traffic conforming to the maximum ...
  • Page 245 | ■ Conform – Specifies that traffic conforming to the maximum rate (CIR) will be transmitted without any change to the DSCP service level. ■ Transmit – Transmits in-conformance traffic without any change to the DSCP service level. Exceed –...
  • Page 246 | ■ Committed Burst Size (BC) – Burst in bytes. (Range: 4000-16000000 at a granularity of 4k bytes) The burst size cannot exceed 16 Mbytes. ■ Peak Burst Size (BP) – Burst size in bytes. (Range: 4000- ...
  • Page 247 | Web Interface: To configure a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Add from the Action list. Enter a policy name. Enter a description. Click Add. Figure 124: Configuring a Policy Map. To show the configured policy maps: Click Traffic, DiffServ.
  • Page 248 | To edit the rules for a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Add Rule from the Action list. Select the name of a policy map. Set the CoS or per-hop behavior for matching packets to specify the quality of service to be assigned to the matching traffic class.
  • Page 249: Attaching a Policy Map to a Port

    To show the rules for a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Show Rule from the Action list. Figure 127: Showing the Rules for a Policy Map ...
  • Page 250 | Web Interface: To bind a policy map to a port: Click Traffic, DiffServ. Select Configure Interface from the Step list. Check the box under the Ingress field to enable a policy map for a port. Select a policy map from the scroll-down box.
  • Page 251: VoIP Traffic Configuration

    This chapter covers the following topics: ◆ Global Settings – Enables VoIP globally, sets the Voice VLAN, and the aging time for attached ports. ◆ Telephony OUI List – Configures the list of phones to be treated as VoIP ...
  • Page 252: VoIP Traffic Configuration

    Configuring VoIP Traffic. CLI References: ◆ "Configuring Voice VLANs" on page 809. Parameters: These parameters are displayed: ◆ Auto Detection Status – Enables the automatic detection of VoIP traffic on switch ports. (Default: Disabled) ◆ Voice VLAN –...
  • Page 253: Configuring Telephony OUI

    VoIP devices attached to the switch can be identified by the manufacturer’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses.
  • Page 254: Configuring VoIP Traffic Ports

    Figure 130: Configuring an OUI Telephony List. To show the MAC OUI numbers used for VoIP equipment: Click Traffic, VoIP. Select Configure OUI from the Step list. Select Show from the Action list. Figure 131: Showing an OUI Telephony List ...
  • Page 255 | ■ Auto – The port will be added as a tagged member to the Voice VLAN when VoIP traffic is detected on the port. You must select a method for detecting VoIP traffic, either OUI or 802.1AB (LLDP). When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list.
  • Page 256 | Figure 132: Configuring Port Settings for a Voice VLAN
  • Page 257: Security Measures

    You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 258: AAA Authorization and Accounting

    ◆ DHCP Snooping – Filter IP traffic on insecure ports for which the source address cannot be identified via DHCP snooping. The priority of execution for the filtering commands is Port Security, Port Authentication, Network Access, Web Authentication, Access Control Lists, IP Source Guard, and then DHCP Snooping.
  • Page 259: Configuring Local/Remote Logon Authentication

    Define a method name for each service to which you want to apply accounting or authorization and specify the RADIUS or TACACS+ server groups to use. Apply the method names to port or line interfaces. This guide assumes that RADIUS and TACACS+ servers have already been configured to support AAA.
  • Page 260: Configuring Remote Logon Authentication Servers

    ■ [authentication sequence] – User authentication is performed by up to three authentication methods in the indicated sequence. Web Interface: To configure the method(s) of controlling management access: Click Security, AAA, System Authentication. Specify the authentication sequence (i.e., one to three methods).
  • Page 261 | CLI References: ◆ "RADIUS Client" on page 588 ◆ "TACACS+ Client" on page 592 ◆ "AAA" on page 595. Command Usage: ◆ If a remote authentication server is used, you must specify the ...
  • Page 262 | ■ Set Key – Mark this box to set or modify the encryption key. ■ Authentication Key – Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 48 characters) ■ Confirm Authentication Key –...
  • Page 263 | Select RADIUS or TACACS+ server type. Select Global to specify the parameters that apply globally to all specified servers, or select a specific Server Index to specify the parameters that apply to a specific server. To set or modify the authentication key, mark the Set Key box, enter the key, and then confirm it. Click Apply.
  • Page 264 | To configure the RADIUS or TACACS+ server groups to use for accounting and authorization: Click Security, AAA, Server. Select Configure Group from the Step list. Select Add from the Action list. Select RADIUS or TACACS+ server type. Enter the group name, followed by the index of the server to use for each priority level.
  • Page 265: Configuring AAA Accounting

    Figure 138: Showing AAA Server Groups. Use the Security > AAA > Accounting page to enable accounting of requested services for billing or security purposes, and also to display the configured accounting methods, the methods applied to specific interfaces, and basic accounting information recorded for user sessions.
  • Page 266 | ◆ Accounting Notice – Records user activity from log-in to log-off point. ◆ Server Group Name – Specifies the accounting server group. (Range: 1-255 characters) The group names “radius” and “tacacs+” specify all configured RADIUS and TACACS+ hosts (see "Configuring Local/Remote Logon Authentication"...
  • Page 267 | Web Interface: To configure global settings for AAA accounting: Click Security, AAA, Accounting. Select Configure Global from the Step list. Enter the required update interval. Click Apply. Figure 139: Configuring Global Settings for AAA Accounting. To configure the accounting method applied to various service types and the assigned server group: Click Security, AAA, Accounting.
  • Page 268 | To show the accounting method applied to various service types and the assigned server group: Click Security, AAA, Accounting. Select Configure Method from the Step list. Select Show from the Action list. Figure 141: Showing AAA Accounting Methods. To configure the accounting method applied to specific interfaces, console commands entered at specific privilege levels, and local console, Telnet, or...
  • Page 269 | Figure 143: Configuring AAA Accounting Service for Exec Service. To display a summary of the configured accounting methods and assigned server groups for specified service types: Click Security, AAA, Accounting. Select Show Information from the Step list. Click Summary.
  • Page 270: Configuring AAA Authorization

    Use the Security > AAA > Authorization page to enable authorization of requested services, and also to display the configured authorization methods, and the methods applied to specific interfaces. CLI References: "AAA"...
  • Page 271 | ◆ Interface – Displays the console or Telnet interface to which these rules apply. (This field is null if the authorization method and associated server group have not been assigned to an interface.) Web Interface: To configure the authorization method applied to the Exec service type and the assigned server group: ...
  • Page 272 | To configure the authorization method applied to local console, Telnet, or SSH connections: Click Security, AAA, Authorization. Select Configure Service from the Step list. Enter the required authorization method. Click Apply. Figure 148: Configuring AAA Authorization Methods for Exec Service. To display the configured authorization method and assigned server groups for the Exec service type: Click Security, AAA, Authorization.
  • Page 273: Configuring User Accounts

    Use the Security > User Accounts page to control management access to the switch based on manually configured user names and passwords. CLI References: ◆ "User Accounts" on page 583. Command Usage: The default guest name is “guest”...
  • Page 274: Web Authentication

    Figure 150: Configuring User Accounts. To show user accounts: Click Security, User Accounts. Select Show from the Action list. Figure 151: Showing User Accounts. Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication is infeasible or impractical.
  • Page 275: Configuring Global Settings for Web Authentication

    RADIUS authentication must be activated and configured properly for the web authentication feature to work. (See "Configuring Local/Remote Logon Authentication" on page 259.) Web authentication cannot be configured on trunk ports. Use the Security > Web Authentication (Configure Global) page to edit the global parameters for web authentication.
  • Page 276: Configuring Interface Settings for Web Authentication

    Figure 152: Configuring Global Settings for Web Authentication. Use the Security > Web Authentication (Configure Interface) page to enable web authentication on a port, and display information for any connected hosts. CLI References...
  • Page 277: Network Access (MAC Address Authentication)

    Figure 153: Configuring Interface Settings for Web Authentication. Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations. This is often true for devices such as network printers, IP phones, and some wireless access points.
  • Page 278: Table 17: Dynamic QoS Profiles

    ◆ Authenticated MAC addresses are stored as dynamic entries in the switch secure MAC address table and are removed when the aging time expires. The maximum number of secure MAC addresses supported for the switch system is 1024.
  • Page 279: Configuring Global Settings For Network Access

    | Security Measures HAPTER Network Access (MAC Address Authentication) Any unsupported profiles in the Filter-ID attribute are ignored. ◆ For example, if the attribute is “map-ip-dscp=2:3;service-policy- in=p1,” then the switch ignores the “map-ip-dscp” profile. When authentication is successful, the dynamic QoS information may ◆...
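The Filter-ID handling described on page 279 (unsupported profile names are ignored, the rest are applied), as an added example that is not part of the manual or of the switch firmware. The ";"-separated "name=value" syntax and the names map-ip-dscp and service-policy-in come from the page; the set of supported profile names used below, case-insensitive names, and keeping the last value of a repeated profile are assumptions made for the demo.

```python
"""Parse a RADIUS Filter-ID attribute into dynamic QoS profiles.

Added example; not code from the Edge-Core manual or firmware. From the
page: profiles arrive as "name=value" pairs separated by ";" and unsupported
profile names are ignored. Assumed for the demo: the supported set below
(the page confirms only "service-policy-in"), case-insensitive names, and
last-value-wins for a repeated profile.
"""
from typing import Dict, FrozenSet, List, Tuple

# Assumption: only service-policy-in is confirmed by the page; the other two
# names are placeholders standing in for the rest of Table 17.
SUPPORTED_PROFILES: FrozenSet[str] = frozenset(
    {"service-policy-in", "rate-limit-input", "rate-limit-output"}
)


def parse_filter_id(attr: str,
                    supported: FrozenSet[str] = SUPPORTED_PROFILES
                    ) -> Tuple[Dict[str, str], List[str]]:
    """Return (profiles to apply, fragments that were ignored).

    Ignored fragments are unsupported names and malformed pieces (no "=",
    empty name or empty value), so an operator can see what the RADIUS
    server sent that the switch would silently discard.
    """
    applied: Dict[str, str] = {}
    ignored: List[str] = []
    for raw in attr.split(";"):
        item = raw.strip()
        if not item:
            continue                      # tolerate a trailing ";"
        name, sep, value = item.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not name or not value:
            ignored.append(item)          # malformed: keep the raw text
            continue
        if name not in supported:
            ignored.append(name)          # unsupported profile, as the page says
            continue
        applied[name] = value             # assumption: last value wins
    return applied, ignored


if __name__ == "__main__":
    # Constructed input reproducing the manual's own example string.
    applied, ignored = parse_filter_id("map-ip-dscp=2:3;service-policy-in=p1")
    print("apply:", applied)   # {'service-policy-in': 'p1'}
    print("ignore:", ignored)  # ['map-ip-dscp']
```

Returning the ignored fragments alongside the applied ones is the useful part: a RADIUS policy that the switch quietly drops is otherwise invisible from the switch side.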
• Page 280: Configuring Network Access For Ports

    (Security Measures, Network Access (MAC Address Authentication)) Authenticated MAC addresses are stored as dynamic entries in the switch’s secure MAC address table and are removed when the aging time expires. The maximum number of secure MAC addresses supported for the switch system is 1024.
• Page 281 (Security Measures, Network Access (MAC Address Authentication)): ■ Intrusion – Sets the port response to a host MAC authentication failure to either block access to the port or to pass traffic through. (Options: Block, Pass; Default: Block) ■ Max MAC Count –...
• Page 282: Configuring Port Link Detection

    (Security Measures, Network Access (MAC Address Authentication)) Make any configuration changes required to enable address authentication on a port, set the maximum number of secure addresses supported, the guest VLAN to use when MAC Authentication or 802.1X Authentication fails, and the dynamic VLAN and QoS assignments. Click Apply.
• Page 283: Configuring a MAC Address Filter

    (Security Measures, Network Access (MAC Address Authentication)) Web Interface: To configure link detection on switch ports: Click Security, Network Access. Select Configure Interface from the Step list. Click the Link Detection button. Modify the link detection status, trigger condition, and the response for any port.
• Page 284 (Security Measures, Network Access (MAC Address Authentication)): ◆ MAC Address Mask – The filter rule will check for the range of MAC addresses defined by the MAC bit mask. If you omit the mask, the system will assign the default mask of an exact match. (Range: 000000000000 - FFFFFFFFFFFF;...
• Page 285: Displaying Secure MAC Address Information

    (Security Measures, Network Access (MAC Address Authentication)) Use the Security > Network Access (Show Information) page to display the authenticated MAC addresses stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected entries can be removed from the table.
• Page 286: Configuring HTTPS

    (Security Measures, Configuring HTTPS) Figure 159: Showing Addresses Authenticated for Network Access. You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Sockets Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the Security >...
• Page 287: Table 18: HTTPS System Support

    (Security Measures, Configuring HTTPS) ◆ The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 5.x or above, Netscape 6.2 or above, and Mozilla Firefox 2.0.0.0 or above. ◆ The following web browsers and operating systems currently support...
• Page 288: Replacing The Default Secure-Site Certificate

    (Security Measures, Configuring HTTPS) Use the Security > HTTPS (Copy Certificate) page to replace the default secure-site certificate. When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch. By default, the certificate that Netscape and Internet Explorer display will be associated with a warning that the site is not recognized as a secure site.
• Page 289: Configuring The Secure Shell

    (Security Measures, Configuring the Secure Shell) Web Interface: To replace the default secure-site certificate: Click Security, HTTPS. Select Copy Certificate from the Step list. Fill in the TFTP server, certificate and private key file name, and private password. Click Apply. Figure 161: Downloading the Secure-Site Certificate. Configuring the Secure...
• Page 290 (Security Measures, Configuring the Secure Shell): Command Usage: The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified on the System Authentication page (page...
• Page 291 (Security Measures, Configuring the Secure Shell): Enable SSH Service – On the SSH Settings page, enable the SSH server on the switch. Authentication – One of the following authentication methods is employed: Password Authentication (for SSH v1.5 or v2 clients): The client sends its password to the server.
• Page 292: Configuring The SSH Server

    (Security Measures, Configuring the Secure Shell) checks whether the signature is correct. If both checks succeed, the client is authenticated. The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
• Page 293: Generating The Host Key Pair

    (Security Measures, Configuring the Secure Shell) Web Interface: To configure the SSH server: Click Security, SSH. Select Configure Global from the Step list. Enable the SSH server. Adjust the authentication parameters as required. Click Apply. Figure 162: Configuring the SSH Server. Use the Security >...
• Page 294 (Security Measures, Configuring the Secure Shell): client to select either DES (56-bit) or 3DES (168-bit) for data encryption. The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients. ◆ Save Host-Key from Memory to Flash – Saves the host key from...
• Page 295: Importing User Public Keys

    (Security Measures, Configuring the Secure Shell) To display or clear the SSH host key pair: Click Security, SSH. Select Configure Host Key from the Step list. Select Show from the Action list. Select the host-key type to clear. Click Clear.
• Page 296 (Security Measures, Configuring the Secure Shell): The SSH server uses RSA or DSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
• Page 297: Access Control Lists

    (Security Measures, Access Control Lists) To display or clear the SSH user’s public key: Click Security, SSH. Select Configure User Key from the Step list. Select Show from the Action list. Select a user from the User Name list. Select the host-key type to clear.
• Page 298: Setting a Time Range

    (Security Measures, Access Control Lists) ◆ An ACL can have up to 32 rules. However, due to resource restrictions, the average number of rules bound to the ports should not exceed 20. Use the Security > ACL (Configure Time Range) page to set a time range during which ACL functions are applied.
• Page 299 (Security Measures, Access Control Lists): Web Interface: To configure a time range: Click Security, ACL. Select Configure Time Range from the Step list. Select Add from the Action list. Enter the name of a time range. Click Apply.  Figure 167: Setting the Name of a Time Range. To show a list of time ranges: Click Security, ACL.
• Page 300 (Security Measures, Access Control Lists): Fill in the required parameters for the selected mode. Click Apply. Figure 169: Add a Rule to a Time Range. To show the rules configured for a time range: Click Security, ACL. Select Configure Time Range from the Step list. Select Show Rule from the Action list.
• Page 301: Showing TCAM Utilization

    (Security Measures, Access Control Lists) Use the Security > ACL (Configure ACL - Show TCAM) page to show utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use.
• Page 302: Setting The ACL Name And Type

    (Security Measures, Access Control Lists) Figure 171: Showing TCAM Utilization. Use the Security > ACL (Configure ACL - Add) page to create an ACL. CLI References: ◆ "access-list ip" on page 684 ◆ "show ip access-list" on page 689...
• Page 303 (Security Measures, Access Control Lists): Web Interface: To configure the name and type of an ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add from the Action list. Fill in the ACL Name field, and select the ACL type. Click Apply.
• Page 304: Configuring a Standard IPv4 ACL

    (Security Measures, Access Control Lists) Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL. CLI References: ◆ "permit, deny (Standard IP ACL)" on page 685...
• Page 305: Configuring an Extended IPv4 ACL

    (Security Measures, Access Control Lists) Click Apply. Figure 174: Configuring a Standard IPv4 ACL. Use the Security > ACL (Configure ACL - Add Rule - IP Extended) page to configure an Extended IPv4 ACL. CLI References...
• Page 306 (Security Measures, Access Control Lists): ◆ Source/Destination Port Bit Mask – Decimal number representing the port bits to match. (Range: 0-65535) ◆ Protocol – Specifies the protocol type to match as TCP, UDP or Others, where Others indicates a specific protocol number (0-255). (Options: TCP, UDP, Others;...
• Page 307 (Security Measures, Access Control Lists): Web Interface: To add rules to an Extended IP ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select Extended IP from the Type list. Select the name of an ACL from the Name list.
• Page 308: Configuring a MAC ACL

    (Security Measures, Access Control Lists) Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type. CLI References: ◆ "permit, deny (MAC ACL)" on page 691...
• Page 309 (Security Measures, Access Control Lists): Web Interface: To add rules to a MAC ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select MAC from the Type list. Select the name of an ACL from the Name list. Specify the action (i.e., Permit or Deny).
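How the Standard IP, Extended IP and MAC rules described on pages 298 to 309 select packets, as an added example that is not the switch's own code. The 32-rule limit, the protocol and port bit mask fields, and the default MAC mask of FFFFFFFFFFFF meaning an exact match are from the page. Assumed for the demo: a mask bit of 1 means that bit must match (which is what an all-ones default mask implies), rules are tested in the order added with the first match deciding, a packet matching no rule takes a configurable default action, and the ACL names, addresses and rules are constructed.

```python
"""Evaluate Standard IP, Extended IP and MAC ACL rules as described on the
ACL pages above.

Added example; not the switch's own code. From the page: an ACL holds up to
32 rules; an Extended IP rule matches a protocol (TCP, UDP or a number) and
source/destination ports under a port bit mask; a MAC rule matches
addresses under a MAC bit mask whose default FFFFFFFFFFFF is an exact match.
Assumed: a mask bit of 1 means "this bit must match", rules are tested in
order with the first match deciding, and no match yields default_action.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional

MAX_RULES = 32           # from the page: an ACL can have up to 32 rules
TCP, UDP = 6, 17


def ip_int(addr: str) -> int:
    return int(IPv4Address(addr))


def mac_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def masked_eq(value: int, want: Optional[int], mask: int) -> bool:
    """Compare only the bits selected by mask; want=None means 'any'."""
    return want is None or (value & mask) == (want & mask)


@dataclass
class Packet:
    src_mac: str = "00:00:00:00:00:00"
    dst_mac: str = "ff:ff:ff:ff:ff:ff"
    ethertype: int = 0x0800
    src_ip: str = "0.0.0.0"
    dst_ip: str = "0.0.0.0"
    proto: int = TCP
    src_port: int = 0
    dst_port: int = 0


@dataclass
class IpRule:
    """A Standard rule sets only src/src_mask; an Extended rule may set all."""
    action: str                              # "permit" or "deny"
    src: Optional[str] = None
    src_mask: str = "255.255.255.255"
    dst: Optional[str] = None
    dst_mask: str = "255.255.255.255"
    proto: Optional[int] = None              # None = any protocol number
    src_port: Optional[int] = None
    src_port_mask: int = 0xFFFF              # the page's decimal port bit mask
    dst_port: Optional[int] = None
    dst_port_mask: int = 0xFFFF

    def matches(self, p: Packet) -> bool:
        if p.ethertype != 0x0800:            # IP rules never match non-IP frames
            return False
        want_src = ip_int(self.src) if self.src else None
        want_dst = ip_int(self.dst) if self.dst else None
        if not masked_eq(ip_int(p.src_ip), want_src, ip_int(self.src_mask)):
            return False
        if not masked_eq(ip_int(p.dst_ip), want_dst, ip_int(self.dst_mask)):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src_port is None and self.dst_port is None:
            return True
        if p.proto not in (TCP, UDP):        # port fields exist only for TCP/UDP
            return False
        return (masked_eq(p.src_port, self.src_port, self.src_port_mask)
                and masked_eq(p.dst_port, self.dst_port, self.dst_port_mask))


@dataclass
class MacRule:
    action: str
    src: Optional[str] = None
    src_mask: str = "FFFFFFFFFFFF"            # default exact match, per the page
    dst: Optional[str] = None
    dst_mask: str = "FFFFFFFFFFFF"
    ethertype: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        want_src = mac_int(self.src) if self.src else None
        want_dst = mac_int(self.dst) if self.dst else None
        return (masked_eq(mac_int(p.src_mac), want_src, mac_int(self.src_mask))
                and masked_eq(mac_int(p.dst_mac), want_dst, mac_int(self.dst_mask))
                and (self.ethertype is None or p.ethertype == self.ethertype))


@dataclass
class Acl:
    name: str
    rules: List[object] = field(default_factory=list)

    def add_rule(self, rule) -> "Acl":
        if len(self.rules) >= MAX_RULES:
            raise ValueError(f"ACL {self.name}: limit of {MAX_RULES} rules reached")
        self.rules.append(rule)
        return self

    def evaluate(self, p: Packet, default_action: str = "permit") -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return default_action                # assumed: no match -> default


def build_demo_acls():
    """Constructed rules: permit TCP from 10.1.1.0/24 to ports 1024-1535
    (port 1024 under mask 0xFE00 = 65024 covers exactly that range), deny
    all other IP traffic; and a MAC ACL that blocks one OUI."""
    ip_acl = (Acl("office-in")
              .add_rule(IpRule("permit", src="10.1.1.0", src_mask="255.255.255.0",
                               proto=TCP, dst_port=1024, dst_port_mask=0xFE00))
              .add_rule(IpRule("deny")))
    mac_acl = Acl("block-oui").add_rule(
        MacRule("deny", src="00:11:22:00:00:00", src_mask="FFFFFF000000"))
    return ip_acl, mac_acl
```

With port 1024 under mask 0xFE00 the top seven bits of the port are fixed and the low nine are wildcarded, so one rule covers destination ports 1024 through 1535; a packet from outside 10.1.1.0/24, or with any protocol other than TCP, falls through to the trailing deny rule. The MAC mask FFFFFF000000 fixes only the OUI, which is how one rule blocks every address from a vendor prefix.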
• Page 310: Configuring an ARP ACL

    (Security Measures, Access Control Lists) Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see "Configuring Global Settings for ARP Inspection"...
• Page 311 (Security Measures, Access Control Lists): Web Interface: To add rules to an ARP ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select ARP from the Type list. Select the name of an ACL from the Name list. Specify the action (i.e., Permit or Deny).
• Page 312: Binding a Port to an Access Control List

    (Security Measures, Access Control Lists) After configuring ACLs, use the Security > ACL (Configure Interface) page to bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list and one MAC access list to any port.
• Page 313: ARP Inspection

    (Security Measures, ARP Inspection) Web Interface: To bind an ACL to a port: Click Security, ACL. Select Configure Interface from the Step list. Select IP or MAC from the Type list. Select the name of an ACL from the ACL list. Click Apply.
• Page 314: Configuring Global Settings for ARP Inspection

    (Security Measures, ARP Inspection) Command Usage: Enabling & Disabling ARP Inspection. ◆ ARP Inspection is controlled on a global and VLAN basis. ◆ By default, ARP Inspection is disabled both globally and on all VLANs. ■ If ARP Inspection is globally enabled, then it becomes active only on...
• Page 315 (Security Measures, ARP Inspection): with different MAC addresses are classified as invalid and are dropped. ■ IP – Checks the ARP body for invalid and unexpected IP addresses. These addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, while target IP addresses are checked only in ARP responses.
• Page 316: Configuring VLAN Settings for ARP Inspection

    (Security Measures, ARP Inspection) ■ Src-MAC – Validates the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. ◆ Log Message Number – The maximum number of entries saved in a...
• Page 317 (Security Measures, ARP Inspection): ◆ ARP Inspection ACLs can be applied to any configured VLAN. ◆ ARP Inspection uses the DHCP snooping bindings database for the list of valid IP-to-MAC address bindings. ARP ACLs take precedence over entries in the DHCP snooping bindings database. The switch first compares ARP packets to any specified ARP ACLs.
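The ARP Inspection decision described on pages 314 to 317, as an added example that is not the switch's firmware. From the page: inspection is enabled per VLAN and applied to untrusted ports; the optional checks are Dst-MAC (Ethernet destination against the ARP target MAC, responses only), IP (sender IP in requests and responses, target IP in responses only; 0.0.0.0, 255.255.255.255 and multicast addresses are invalid) and Src-MAC (Ethernet source against the ARP sender MAC, both directions); ARP ACLs are compared first and take precedence over the DHCP snooping bindings. Assumed for the demo: the address checks run before the ACL and binding lookup, a frame matching no ACL rule is looked up in the bindings, a frame with no binding is dropped, and the port names, addresses and counter names are constructed.

```python
"""Dynamic ARP Inspection decisions as described on the ARP Inspection pages.

Added example; not the switch's firmware. From the page: per-VLAN enable,
untrusted ports only, the Dst-MAC / IP / Src-MAC checks, and ARP ACLs
taking precedence over DHCP snooping bindings. Assumed: address checks run
first, no ACL match falls through to the bindings, no binding means drop.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set, Tuple

REQUEST, REPLY = 1, 2


@dataclass
class ArpFrame:
    port: str
    vlan: int
    eth_src: str
    eth_dst: str
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass
class ArpAclRule:
    action: str                        # "permit" or "deny"
    sender_ip: str
    sender_mac: Optional[str] = None   # None = any MAC


def norm(mac: str) -> str:
    return mac.lower().replace("-", ":")


def invalid_ip(ip: str) -> bool:
    """The addresses the page lists as invalid in an ARP body."""
    addr = IPv4Address(ip)
    return addr.is_unspecified or ip == "255.255.255.255" or addr.is_multicast


class ArpInspector:
    def __init__(self, vlans: Set[int], trusted_ports: Set[str],
                 check_dst_mac: bool = True, check_ip: bool = True,
                 check_src_mac: bool = True) -> None:
        self.vlans, self.trusted = vlans, trusted_ports
        self.check_dst_mac, self.check_ip = check_dst_mac, check_ip
        self.check_src_mac = check_src_mac
        self.acl: List[ArpAclRule] = []
        self.bindings: Set[Tuple[int, str, str]] = set()   # (vlan, ip, mac)
        self.stats: Dict[str, int] = {}                    # cf. Table 19

    def add_binding(self, vlan: int, ip: str, mac: str) -> None:
        self.bindings.add((vlan, ip, norm(mac)))

    def _result(self, counter: str, verdict: str, reason: str) -> Tuple[str, str]:
        self.stats[counter] = self.stats.get(counter, 0) + 1
        return verdict, reason

    def inspect(self, f: ArpFrame) -> Tuple[str, str]:
        """Return ("forward" | "drop", reason) for one ARP frame."""
        if f.vlan not in self.vlans or f.port in self.trusted:
            return self._result("not_inspected", "forward", "VLAN not inspected or trusted port")
        if self.check_src_mac and norm(f.eth_src) != norm(f.sender_mac):
            return self._result("dropped_src_mac", "drop", "Ethernet source != ARP sender MAC")
        if (self.check_dst_mac and f.op == REPLY
                and norm(f.eth_dst) != norm(f.target_mac)):
            return self._result("dropped_dst_mac", "drop", "Ethernet destination != ARP target MAC")
        if self.check_ip and (invalid_ip(f.sender_ip)
                              or (f.op == REPLY and invalid_ip(f.target_ip))):
            return self._result("dropped_ip", "drop", "invalid IP address in ARP body")
        for rule in self.acl:                                # ACL before bindings
            if rule.sender_ip == f.sender_ip and (
                    rule.sender_mac is None or norm(rule.sender_mac) == norm(f.sender_mac)):
                if rule.action == "permit":
                    return self._result("permitted_acl", "forward", "ARP ACL permit")
                return self._result("dropped_acl", "drop", "ARP ACL deny")
        if (f.vlan, f.sender_ip, norm(f.sender_mac)) in self.bindings:
            return self._result("permitted_binding", "forward", "matches DHCP snooping binding")
        return self._result("dropped_no_binding", "drop", "no binding (assumed default)")


def build_demo_inspector() -> ArpInspector:
    """Constructed setup: VLAN 10 inspected, uplink eth1/10 trusted, the
    gateway pinned to one MAC by an ARP ACL, one DHCP-learned host binding."""
    insp = ArpInspector(vlans={10}, trusted_ports={"eth1/10"})
    insp.acl.append(ArpAclRule("permit", "10.0.0.1", "00:aa:bb:cc:dd:01"))
    insp.acl.append(ArpAclRule("deny", "10.0.0.1"))    # anyone else claiming the gateway
    insp.add_binding(10, "10.0.0.5", "00:aa:bb:cc:dd:05")
    return insp
```

The ACL pair is the practical use of "ARP ACLs take precedence": a statically addressed gateway never appears in the DHCP snooping bindings, so a permit rule pins its IP to its MAC and the following deny rule drops any other host that answers for that IP, which is the classic ARP-poisoning pattern.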
• Page 318: Configuring Interface Settings for ARP Inspection

    (Security Measures, ARP Inspection) Figure 180: Configuring VLAN Settings for ARP Inspection. Use the Security > ARP Inspection (Configure Interface) page to specify the ports that require ARP inspection, and to adjust the packet inspection rate.
• Page 319: Displaying ARP Inspection Statistics

    (Security Measures, ARP Inspection) Web Interface: To configure interface settings for ARP Inspection: Click Security, ARP Inspection. Select Configure Interface from the Step list. Specify any untrusted ports which require ARP inspection, and adjust the packet inspection rate. Click Apply. Figure 181: Configuring Interface Settings for ARP Inspection. Use the Security >...
• Page 320: Displaying The ARP Inspection Log

    (Security Measures, ARP Inspection) Table 19: ARP Inspection Statistics (Continued). Parameter – Description: ARP packets dropped by additional validation (Src-MAC) – Count of packets that failed the source MAC address test. ARP packets dropped by ARP ACLs – Count of ARP packets that failed validation against ARP ACL rules.
• Page 321: Filtering IP Addresses For Management Access

    (Security Measures, Filtering IP Addresses for Management Access) Table 20: ARP Inspection Log (Continued). Parameter – Description: Src. IP Address – The source IP address in the packet. Dst. IP Address – The destination IP address in the packet. Src. MAC Address – The source MAC address in the packet.
• Page 322 (Security Measures, Filtering IP Addresses for Management Access): ◆ When entering addresses for the same group (i.e., SNMP, web or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges.
• Page 323: Configuring Port Security

    (Security Measures, Configuring Port Security) To show a list of IP addresses authorized for management access: Click Security, IP Filter. Select Show from the Action list. Figure 185: Showing IP Addresses Authorized for Management Access. Use the Security > Port Security page to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port.
• Page 324 (Security Measures, Configuring Port Security): Command Usage: ◆ A secure port has the following restrictions: ■ It cannot be used as a member of a static or dynamic trunk. ■ It should not be connected to a network interconnection device. ■...
• Page 325: Configuring 802.1X Port Authentication

    (Security Measures, Configuring 802.1X Port Authentication) Figure 186: Configuring Port Security. Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data.
• Page 326: Configuring 802.1X Global Settings

    (Security Measures, Configuring 802.1X Port Authentication) hosts if one attached host fails re-authentication or sends an EAPOL logoff message. Figure 187: Configuring Port Security (diagram labels: 802.1x client, RADIUS; 1. Client attempts to access a switch port. 2. Switch sends client an identity request. 3. ...)
• Page 327 (Security Measures, Configuring 802.1X Port Authentication): Parameters: These parameters are displayed: ◆ Port Authentication Status – Sets the global setting for 802.1X. (Default: Disabled) ◆ EAPOL Pass Through – Passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled. (Default: Disabled) When this device is functioning as an intermediate node in the network and does not need to perform dot1x authentication, EAPOL Pass...
• Page 328: Configuring Port Authenticator Settings for 802.1X

    (Security Measures, Configuring 802.1X Port Authentication) Figure 188: Configuring Global Settings for 802.1X Port Authentication. Use the Security > Port Authentication (Configure Interface – Authenticator) page to configure 802.1X port settings for the switch as the local authenticator.
• Page 329 (Security Measures, Configuring 802.1X Port Authentication): Parameters: These parameters are displayed: ◆ Port – Port number. ◆ Status – Indicates if authentication is enabled or disabled on the port. The status is disabled if the control mode is set to Force-Authorized. ◆ Authorized –...
• Page 330 (Security Measures, Configuring 802.1X Port Authentication): ◆ Max-Request – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session. (Range: 1-10; Default: 2) ◆ Quiet Period –...
• Page 331 (Security Measures, Configuring 802.1X Port Authentication): ◆ Current Identifier – Identifier sent in each EAP Success, Failure or Request packet by the Authentication Server. Backend State Machine: ◆ State – Current state (including request, response, success, fail, timeout, idle, initialize). ◆ Request Count –...
• Page 332: Configuring Port Supplicant Settings for 802.1X

    (Security Measures, Configuring 802.1X Port Authentication) Figure 189: Configuring Interface Settings for 802.1X Port Authenticator. Use the Security > Port Authentication (Configure Interface – Supplicant) page to configure 802.1X port settings for supplicant requests issued from a port to an authenticator on another device.
• Page 333 (Security Measures, Configuring 802.1X Port Authentication): Command Usage: ◆ When devices attached to a port must submit requests to another authenticator on the network, configure the Identity Profile parameters on the Configure Global page (see "Configuring 802.1X Global Settings" on page 326) which identify this switch as a supplicant, and configure the supplicant parameters for those ports which must authenticate...
• Page 334: Displaying 802.1X Statistics

    (Security Measures, Configuring 802.1X Port Authentication) Web Interface: To configure port supplicant settings for 802.1X: Click Security, Port Authentication. Select Configure Interface from the Step list. Click Supplicant. Modify the supplicant settings for each port as required. Click Apply. Figure 190: Configuring Interface Settings for 802.1X Port Supplicant. Use the Security >...
• Page 335 (Security Measures, Configuring 802.1X Port Authentication): Table 21: 802.1X Statistics (Continued). Parameter – Description: Rx EAPOL Total – The number of valid EAPOL frames of any type that have been received by this Authenticator. Rx Last EAPOL Ver – The protocol version number carried in the most recent EAPOL frame received by this Authenticator.
• Page 336 (Security Measures, Configuring 802.1X Port Authentication): Web Interface: To display port authenticator statistics for 802.1X: Click Security, Port Authentication. Select Show Statistics from the Step list. Click Authenticator. Figure 191: Showing Statistics for 802.1X Port Authenticator.
• Page 337: IP Source Guard

    (Security Measures, IP Source Guard) To display port supplicant statistics for 802.1X: Click Security, Port Authentication. Select Show Statistics from the Step list. Click Supplicant. Figure 192: Showing Statistics for 802.1X Port Supplicant. IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "DHCP Snooping"...
• Page 338 (Security Measures, IP Source Guard): Command Usage: ◆ Setting source guard mode to SIP (Source IP) or SIP-MAC (Source IP and MAC) enables this function on the selected port. Use the SIP option to check the VLAN ID, source IP address, and port number against all entries in the binding table.
• Page 339: Configuring Static Bindings for IP Source Guard

    (Security Measures, IP Source Guard) ■ SIP-MAC – Enables traffic filtering based on IP addresses and corresponding MAC addresses stored in the binding table. Web Interface: To set the IP Source Guard filter for ports: Click Security, IP Source Guard, Port Configuration. Set the required filtering type for each port.
• Page 340 (Security Measures, IP Source Guard): new entry will replace the old one and the entry type will be changed to static IP source guard binding. ■ Only unicast addresses are accepted for static bindings. Parameters: These parameters are displayed: ◆...
• Page 341: Displaying Information for Dynamic IP Source Guard Bindings

    (Security Measures, IP Source Guard) To display static bindings for IP Source Guard: Click Security, IP Source Guard, Static Configuration. Select Show from the Action list. Figure 195: Displaying Static Bindings for IP Source Guard. Use the Security > IP Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface.
• Page 342: DHCP Snooping

    (Security Measures, DHCP Snooping) Web Interface: To display the binding table for IP Source Guard: Click Security, IP Source Guard, Dynamic Binding. Mark the search criteria, and enter the required values. Click Query. Figure 196: Showing the IP Source Guard Binding Table. The addresses assigned to DHCP clients on insecure ports can be carefully...
• Page 343 (Security Measures, DHCP Snooping): ◆ The rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second. Any DHCP packets in excess of this limit are dropped. ◆ When DHCP snooping is enabled, DHCP messages entering an...
• Page 344 (Security Measures, DHCP Snooping): DHCP server, any packets received from untrusted ports are dropped. DHCP Snooping Option 82: ◆ DHCP provides a relay mechanism for sending information about its DHCP clients or the relay agent itself to the DHCP server. Also known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
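How the DHCP snooping binding table (pages 342 to 344) feeds IP Source Guard filtering (pages 337 to 340), as one added example that is not the switch's firmware. From the pages: snooping is enabled per VLAN; DHCP server messages arriving on untrusted ports are dropped; the switch processes at most 100 DHCP packets per second and drops the excess; SIP mode checks VLAN, source IP and port against the binding table and SIP-MAC additionally checks the MAC; a static binding replaces a dynamic one for the same host and only unicast addresses are accepted. Assumed for the demo: a dynamic binding is learned from a DHCPACK on a trusted port and records the port on which that client's own request was seen, MAC Address Verification compares the DHCP chaddr with the Ethernet source on untrusted ports, the 100 pps limit is counted per one-second window, and the port names, addresses and message fields are constructed.

```python
"""DHCP snooping binding table plus IP Source Guard filtering, modelled on
the behaviour described on the IP Source Guard and DHCP Snooping pages.

Added example; not the switch's firmware. From the pages: per-VLAN
snooping, server messages dropped on untrusted ports, a 100 pps DHCP rate
limit, SIP vs SIP-MAC filtering, static bindings replacing dynamic ones and
accepting only unicast addresses. Assumed: bindings are learned from ACKs
on trusted ports using the client port seen earlier, MAC verification
compares chaddr with the Ethernet source, and the limit is per second.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Optional, Set, Tuple

DISCOVER, OFFER, REQUEST, ACK, NAK = "DISCOVER", "OFFER", "REQUEST", "ACK", "NAK"
SERVER_MSGS = {OFFER, ACK, NAK}
RATE_LIMIT = 100                  # DHCP packets per second, from the page


@dataclass
class DhcpPacket:
    port: str
    vlan: int
    eth_src: str
    msg: str
    chaddr: str                   # client hardware address in the DHCP body
    yiaddr: str = "0.0.0.0"       # address offered/assigned (server messages)
    lease: int = 0
    t: float = 0.0                # arrival time in seconds


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    kind: str                     # "dynamic" or "static"
    lease: int = 0


@dataclass
class IpPacket:
    port: str
    vlan: int
    src_mac: str
    src_ip: str


class Switch:
    def __init__(self, snoop_vlans: Set[int], trusted: Set[str], mac_verify: bool = True):
        self.snoop_vlans, self.trusted, self.mac_verify = snoop_vlans, trusted, mac_verify
        self.bindings: Dict[Tuple[int, str], Binding] = {}    # (vlan, mac) -> Binding
        self.guard_mode: Dict[str, Optional[str]] = {}         # port -> "SIP" | "SIP-MAC"
        self._pending: Dict[Tuple[int, str], str] = {}        # client port per (vlan, mac)
        self._window, self._count = -1, 0

    def _rate_ok(self, t: float) -> bool:
        window = int(t)
        if window != self._window:
            self._window, self._count = window, 0
        self._count += 1
        return self._count <= RATE_LIMIT

    def dhcp(self, p: DhcpPacket) -> str:
        """Return "forward" or "drop:<reason>" for one DHCP packet."""
        if p.vlan not in self.snoop_vlans:
            return "forward"
        if not self._rate_ok(p.t):
            return "drop:rate-limit"
        key = (p.vlan, p.chaddr.lower())
        if p.port not in self.trusted:
            if p.msg in SERVER_MSGS:
                return "drop:server-message-on-untrusted-port"
            if self.mac_verify and p.chaddr.lower() != p.eth_src.lower():
                return "drop:mac-verification"
            self._pending[key] = p.port                    # remember the client's port
        elif p.msg == ACK and p.yiaddr != "0.0.0.0":
            old = self.bindings.get(key)
            client_port = self._pending.get(key)
            if client_port is not None and (old is None or old.kind == "dynamic"):
                self.bindings[key] = Binding(key[1], p.yiaddr, p.vlan, client_port,
                                             "dynamic", p.lease)
        return "forward"

    def add_static_binding(self, mac: str, ip: str, vlan: int, port: str) -> Binding:
        addr = IPv4Address(ip)
        if addr.is_multicast or addr.is_unspecified or ip == "255.255.255.255":
            raise ValueError("only unicast addresses are accepted for static bindings")
        b = Binding(mac.lower(), ip, vlan, port, "static")
        self.bindings[(vlan, mac.lower())] = b             # replaces a dynamic entry
        return b

    def ip_guard(self, pkt: IpPacket) -> str:
        """Filter an IP packet on ingress according to the port's source guard mode."""
        mode = self.guard_mode.get(pkt.port)
        if mode is None:
            return "forward"
        for b in self.bindings.values():
            if b.vlan == pkt.vlan and b.ip == pkt.src_ip and b.port == pkt.port:
                if mode == "SIP" or b.mac == pkt.src_mac.lower():
                    return "forward"
        return "drop:no-binding"
```

The two features only work together: without a trusted uplink the ACK that creates the binding never arrives, and a host that obtained its address outside the lease (a static or spoofed one) has no binding and is dropped by the guard, which is exactly the enforcement the pages describe.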
• Page 345: DHCP Snooping Configuration

    (Security Measures, DHCP Snooping) Use the IP Service > DHCP > Snooping (Configure Global) page to enable DHCP Snooping globally on the switch, or to configure MAC Address Verification. CLI References: ◆ "DHCP Snooping" on page 660...
• Page 346: DHCP Snooping VLAN Configuration

    (Security Measures, DHCP Snooping) Figure 197: Configuring Global Settings for DHCP Snooping. Use the IP Service > DHCP > Snooping (Configure VLAN) page to enable or disable DHCP snooping on specific VLANs. CLI References: "ip dhcp snooping vlan"...
• Page 347: Configuring Ports For DHCP Snooping

    (Security Measures, DHCP Snooping) Web Interface: To enable DHCP Snooping on a VLAN: Click Security, IP Source Guard, DHCP Snooping. Select Configure VLAN from the Step list. Enable DHCP Snooping on any existing VLAN. Click Apply. Figure 198: Configuring DHCP Snooping on a VLAN. Use the IP Service >...
• Page 348: Displaying DHCP Snooping Binding Information

    (Security Measures, DHCP Snooping) Web Interface: To configure the port mode for DHCP Snooping: Click Security, IP Source Guard, DHCP Snooping. Select Configure Interface from the Step list. Set any ports within the local network or firewall to trusted. Click Apply. Figure 199: Configuring the Port Mode for DHCP Snooping. Use the IP Service >...
• Page 349 (Security Measures, DHCP Snooping): ◆ Store – Writes all dynamically learned snooping entries to flash memory. This function can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset. However, note that the lease time shown for a dynamic entry that has been restored from flash memory will no longer be valid.
• Page 350 (Security Measures, DHCP Snooping)
• Page 351: Basic Administration Protocols

    Basic Administration Protocols: This chapter describes basic administration tasks including: ◆ Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
• Page 352: Table 22: Logging Levels

    (Basic Administration Protocols, Configuring Event Logging) Parameters: These parameters are displayed: ◆ System Log Status – Enables/disables the logging of debug or error messages to the logging process. (Default: Enabled) ◆ Flash Level – Limits log messages saved to the switch’s permanent flash memory for all levels up to the specified level.
• Page 353: Remote Log Configuration

    (Basic Administration Protocols, Configuring Event Logging) Figure 201: Configuring Settings for System Memory Logs. To show the error messages logged to system memory: Click Administration, Log, System. Select Show System Logs from the Step list. This page allows you to scroll through the logged system and event messages.
• Page 354 (Basic Administration Protocols, Configuring Event Logging): ◆ Logging Facility – Sets the facility type for remote logging of syslog messages. There are eight facility types specified by values of 16 to 23. The facility type is used by the syslog server to dispatch log messages to an appropriate service.
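What the facility value and the level threshold on pages 352 to 354 mean on the wire, as an added example that is not the switch's own code. From the page: the remote facility is a value from 16 to 23 and a level setting keeps messages of all levels up to the configured level. The PRI arithmetic (PRI = facility * 8 + severity) and the eight severities 0 (emergency) to 7 (debug) follow RFC 3164/5424; the host name, the message text layout and the sample events are constructed for the demo.

```python
"""Encode, filter and decode the PRI field of syslog messages sent to a
remote log server, following the facility and level settings on the
event-logging pages.

Added example; not the switch's own code. From the page: facility 16..23
and "all levels up to the specified level". PRI = facility * 8 + severity
and severities 0..7 are from RFC 3164/5424. Sample events are constructed.
"""
from typing import List, Tuple

SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "informational": 6, "debug": 7}


def pri(facility: int, severity: int) -> int:
    """PRI field value; facilities 16..23 are local0..local7."""
    if not 16 <= facility <= 23:
        raise ValueError("facility must be 16..23")
    if not 0 <= severity <= 7:
        raise ValueError("severity must be 0..7")
    return facility * 8 + severity


def decode_pri(value: int) -> Tuple[int, int]:
    """Inverse of pri(): returns (facility, severity)."""
    return divmod(value, 8)


def format_message(facility: int, severity: int, host: str, text: str) -> str:
    return f"<{pri(facility, severity)}>{host} {text}"


def parse_message(line: str) -> Tuple[int, int, str]:
    """Split "<PRI>rest" into (facility, severity, rest); rejects a bad PRI."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI")
    end = line.index(">")
    value = int(line[1:end])
    if value > 191:                     # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("PRI out of range")
    facility, severity = decode_pri(value)
    return facility, severity, line[end + 1:]


def select_for_remote(events: List[Tuple[str, str]], remote_level: int,
                      facility: int, host: str = "switch") -> List[str]:
    """Keep events whose severity number is <= remote_level (the page's
    'all levels up to the specified level' rule) and format them."""
    out = []
    for name, text in events:
        sev = SEVERITY[name]
        if sev <= remote_level:
            out.append(format_message(facility, sev, host, text))
    return out


# Constructed sample events, not taken from a real switch log.
SAMPLE_EVENTS = [
    ("notice", "Login from 192.0.2.10 via SSH"),
    ("warning", "Port eth1/3 intrusion detected, port blocked"),
    ("debug", "LLDP TTL refreshed on eth1/1"),
    ("error", "RADIUS server 192.0.2.20 not responding"),
]
```

A remote level of 4 (warning) with facility 16 therefore ships only the warning and error events, tagged `<132>` and `<131>`; the syslog server splits those back into local0 plus the severity, which is what lets it route the switch's messages to their own file.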
  • Page 355: Sending Simple Mail Transfer Protocol Alerts

    | Basic Administration Protocols HAPTER Configuring Event Logging Use the Administration > Log > SMTP page to alert system administrators ENDING IMPLE of problems by sending SMTP (Simple Mail Transfer Protocol) email RANSFER ROTOCOL messages when triggered by logging events of a specified level. The LERTS messages are sent to specified SMTP servers on the network and can be retrieved using POP or IMAP clients.
  • Page 356: Link Layer Discovery Protocol

    | Basic Administration Protocols HAPTER Link Layer Discovery Protocol Figure 204: Configuring SMTP Alert Messages AYER ISCOVERY ROTOCOL Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device.
  • Page 357 | Basic Administration Protocols HAPTER Link Layer Discovery Protocol This attribute must comply with the following rule: (Transmission Interval * Hold Time Multiplier) ≤ 65536, and Transmission Interval >= (4 * Delay Interval) Hold Time Multiplier – Configures the time-to-live (TTL) value sent in ◆...
  • Page 358: Configuring Lldp Interface Attributes

    | Basic Administration Protocols HAPTER Link Layer Discovery Protocol Enable LLDP, and modify any of the timing parameters as required. Click Apply. Figure 205: Configuring LLDP Timing Attributes Use the Administration > LLDP (Configure Interface) page to specify the LLDP ONFIGURING message attributes for individual interfaces, including whether messages NTERFACE...
  • Page 359 | Basic Administration Protocols HAPTER Link Layer Discovery Protocol lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss. Basic Optional TLVs – Configures basic information included in the ◆ TLV field of advertised messages. Management Address – The management address protocol ■...
  • Page 360 | Basic Administration Protocols HAPTER Link Layer Discovery Protocol VLAN ID – The port’s default VLAN identifier (PVID) indicates the ■ VLAN with which untagged or priority-tagged frames are associated (see "IEEE 802.1Q VLANs" on page 155). VLAN Name – The name of all VLANs to which this interface has ■...
  • Page 361: Displaying Lldp Local Device Information

    | Basic Administration Protocols HAPTER Link Layer Discovery Protocol Figure 206: Configuring LLDP Interface Attributes Use the Administration > LLDP (Show Local Device Information) page to LLDP ISPLAYING display information about the switch, such as its MAC address, chassis ID, OCAL EVICE management IP address, and port information.
  • Page 362: Table 24: System Capabilities

    | Basic Administration Protocols HAPTER Link Layer Discovery Protocol Chassis ID – An octet string indicating the specific identifier for the ◆ particular chassis in this system. System Name – A string that indicates the system’s administratively ◆ assigned name (see "Displaying System Information"...
  • Page 363: Displaying LLDP Remote Port Information

    Figure 207: Displaying Local Device Information for LLDP (General). Figure 208: Displaying Local Device Information for LLDP (Port). Displaying LLDP Remote Port Information – Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch's ports which are advertising information through LLDP, or to display detailed…
  • Page 364: Table 25: Port ID Subtype

    ◆ System Name – A string that indicates the system's administratively assigned name. Port Details: ◆ Local Port – The local port to which a remote LLDP-capable device is attached. ◆ Chassis Type – Identifies the chassis containing the IEEE 802 LAN…
  • Page 365: Table 26: Remote Port Auto-Negotiation Advertised Capability

    ◆ Management Address List – The management addresses for this device. Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV.
  • Page 366 | Table 26: Remote Port Auto-Negotiation Advertised Capability. Capability: Asymmetric and Symmetric PAUSE for full-duplex links; 1000BASE-X, -LX, -SX, -CX half duplex mode; 1000BASE-X, -LX, -SX, -CX full duplex mode; 1000BASE-T half duplex mode; 1000BASE-T full duplex mode. ◆…
  • Page 367 | ◆ Remote Link Aggregation Port ID – This object contains the IEEE 802.3 aggregated port identifier, aAggPortID (IEEE 802.3-2002, 30.7.2.1.1), derived from the ifNumber of the ifIndex for the port component associated with the remote system. If the remote port is not in link aggregation state and/or it does not support link aggregation, this value should be zero.
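    The following is an added example, not code from the Edge-Core manual. It builds an LLDPDU carrying the TLVs that the local and remote device pages display (chassis ID, port ID, TTL, system name, management address) and parses it back, enforcing the timer rule from page 357 when the TTL is derived from the transmission interval and hold-time multiplier. The chassis MAC, port name, system name, management address and ifIndex are constructed sample values, not taken from a real switch.

```python
"""LLDPDU build/parse example (added; not from the Edge-Core manual)."""
import struct
from ipaddress import IPv4Address

# TLV type codes from IEEE 802.1AB
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_SYSTEM_NAME, TLV_MGMT_ADDR = 5, 8
CHASSIS_SUBTYPE_MAC = 4        # chassis ID carried as a MAC address
PORT_SUBTYPE_IFNAME = 5        # port ID carried as an interface name
MGMT_ADDR_SUBTYPE_IPV4 = 1     # IANA address family number for IPv4
IFNUM_SUBTYPE_IFINDEX = 2      # interface number is an ifIndex


def lldp_ttl(tx_interval, hold_multiplier, delay_interval):
    """Apply the manual's timer rule and return the TTL to advertise.

    (tx_interval * hold_multiplier) <= 65536 and tx_interval >= 4 * delay_interval.
    The TTL TLV is a 16-bit field, so the product is also capped at 65535.
    """
    if tx_interval * hold_multiplier > 65536:
        raise ValueError("transmission interval * hold multiplier exceeds 65536")
    if tx_interval < 4 * delay_interval:
        raise ValueError("transmission interval must be >= 4 * delay interval")
    return min(tx_interval * hold_multiplier, 65535)


def _tlv(tlv_type, value):
    # 7-bit type and 9-bit length packed into one 16-bit header
    if len(value) > 511:
        raise ValueError("TLV value too long")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac, port_name, ttl, system_name, mgmt_ipv4, if_index):
    """Assemble a minimal LLDPDU: the three mandatory TLVs plus two optional ones."""
    mgmt = bytes([5, MGMT_ADDR_SUBTYPE_IPV4]) + IPv4Address(mgmt_ipv4).packed
    mgmt += bytes([IFNUM_SUBTYPE_IFINDEX]) + struct.pack("!I", if_index) + b"\x00"
    return b"".join([
        _tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac),
        _tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + port_name.encode()),
        _tlv(TLV_TTL, struct.pack("!H", ttl)),
        _tlv(TLV_SYSTEM_NAME, system_name.encode()),
        _tlv(TLV_MGMT_ADDR, mgmt),
        _tlv(TLV_END, b""),
    ])


def parse_lldpdu(data):
    """Walk the TLV list; raise on truncation or a missing End TLV."""
    out, pos = {}, 0
    while True:
        if pos + 2 > len(data):
            raise ValueError("truncated TLV header (no End TLV)")
        header, = struct.unpack_from("!H", data, pos)
        tlv_type, length = header >> 9, header & 0x1FF
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        pos += 2 + length
        if tlv_type == TLV_END:
            return out
        if tlv_type == TLV_CHASSIS_ID and value[0] == CHASSIS_SUBTYPE_MAC:
            out["chassis_id"] = value[1:].hex(":")
        elif tlv_type == TLV_PORT_ID:
            out["port_id"] = value[1:].decode(errors="replace")
        elif tlv_type == TLV_TTL:
            if length != 2:
                raise ValueError("TTL TLV must be 2 octets")
            out["ttl"], = struct.unpack("!H", value)
        elif tlv_type == TLV_SYSTEM_NAME:
            out["system_name"] = value.decode(errors="replace")
        elif tlv_type == TLV_MGMT_ADDR:
            addr_len = value[0]          # length of subtype + address
            if value[1] == MGMT_ADDR_SUBTYPE_IPV4 and addr_len == 5:
                out["mgmt_addr"] = str(IPv4Address(value[2:6]))
                out["if_index"], = struct.unpack_from("!I", value, 2 + addr_len)
    return out


if __name__ == "__main__":
    # Constructed sample values: 30 s interval, hold multiplier 4, 2 s delay
    pdu = build_lldpdu(b"\x00\x11\x22\x33\x44\x55", "Eth1/1", lldp_ttl(30, 4, 2),
                       "es3510ma-lab", "192.168.1.10", 1001)
    print(parse_lldpdu(pdu))
```

    A Show Remote Device Information page is populated from exactly this kind of decode; a neighbor whose PDU fails the truncation checks above is what the "Neighbor Entries Dropped Count" statistic on page 369 reflects when resources, rather than framing, are the cause.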
  • Page 368: Displaying Device Statistics

    Figure 210: Displaying Remote Device Information for LLDP (Port Details). Displaying Device Statistics – Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces.
  • Page 369 | ◆ Neighbor Entries Dropped Count – The number of times which the remote database on this switch dropped an LLDPDU because of insufficient resources. ◆ Neighbor Entries Age-out Count – The number of times that a…
  • Page 370: Simple Network Management Protocol

    Basic Administration Protocols – Simple Network Management Protocol. Web Interface – To display statistics for LLDP-capable devices attached to the switch: Click Administration, LLDP. Select Show Device Statistics from the Step list. Select General, Port, or Trunk. Figure 211: Displaying LLDP Device Statistics (General). Figure 212: Displaying LLDP Device Statistics (Port). Simple Network Management Protocol…
  • Page 371: Table 27: SNMPv3 Security Models and Levels

    Managed devices supporting SNMP contain software that runs locally on the device and is referred to as an agent. A defined set of variables, known as managed objects, is maintained by the SNMP agent and used to manage the device.
  • Page 372 | The predefined default groups and view can be deleted from the system. You can then define customized groups and views for the SNMP clients that require access. Command Usage – Configuring SNMPv1/2c Management Access: To configure SNMPv1 or v2c management access to the switch, follow these steps: Use the Administration >…
  • Page 373: Configuring Global Settings for SNMP

    Use the Administration > SNMP (Configure Global) page to enable SNMP service for all management clients (i.e., versions 1, 2c, and 3), and to enable SNMP trap messages. CLI References: "snmp-server"…
  • Page 374: Setting the Local Engine ID

    Use the Administration > SNMP (Configure Engine - Set Engine ID) page to change the local engine ID. An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection.
  • Page 375: Specifying a Remote Engine ID

    Use the Administration > SNMP (Configure Engine - Add Remote Engine) page to configure an engine ID for a remote management station. To allow management access from an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
  • Page 376: Setting SNMPv3 Views

    Web Interface – To configure a remote SNMP engine ID: Click Administration, SNMP. Select Configure Engine from the Step list. Select Add Remote Engine from the Action list. Enter an ID of at least 9 hexadecimal characters, and the IP address of the remote host.
  • Page 377 | Parameters – These parameters are displayed: Add View: ◆ View Name – The name of the SNMP view. (Range: 1-64 characters) ◆ OID Subtree – Specifies the initial object identifier of a branch within…
  • Page 378 | To show the SNMP views of the switch's MIB database: Click Administration, SNMP. Select Configure View from the Step list. Select Show View from the Action list. Figure 218: Showing SNMP Views. To add an object identifier to an existing SNMP view of the switch's MIB database: Click Administration, SNMP.
  • Page 379: Configuring SNMPv3 Groups

    To show the OID branches configured for the SNMP views of the switch's MIB database: Click Administration, SNMP. Select Configure View from the Step list. Select Show OID Subtree from the Action list. Select a view name from the list of existing views.
  • Page 380: Table 28: Supported Notification Messages

    ◆ Read View – The configured view for read access. (Range: 1-64 characters) ◆ Write View – The configured view for write access. (Range: 1-64 characters) ◆ Notify View – The configured view for notifications.…
  • Page 381 | Table 28: Supported Notification Messages (Continued). Columns: Model, Level, Group. RMON Events (V2): risingAlarm (1.3.6.1.2.1.16.0.1) – The SNMP trap that is generated when an alarm entry crosses its rising threshold and generates an event that is configured for sending SNMP traps.
  • Page 382 | Table 28: Supported Notification Messages (Continued). Columns: Model, Level, Group. swMemoryUtiRisingThresholdNotification (1.3.6.1.4.1.259.8.1.11.2.1.0.109) – This notification indicates that the memory utilization has risen from memoryUtiFallingThreshold to memoryUtiRisingThreshold. swMemoryUtiFallingThresholdNotification (1.3.6.1.4.1.259.8.1.11.2.1.0.110) – This notification indicates that the memory utilization has fallen from memoryUtiRisingThreshold to…
  • Page 383: Setting Community Access Strings

    Figure 222: Showing SNMP Groups. Setting Community Access Strings – Use the Administration > SNMP (Configure User - Add Community) page to configure up to five community strings authorized for management access by clients using SNMP v1 and v2c.
  • Page 384 | Web Interface – To set a community access string: Click Administration, SNMP. Select Configure User from the Step list. Select Add Community from the Action list. Add new community strings as required, and select the corresponding access rights from the Access Mode list.
  • Page 385: Configuring Local SNMPv3 Users

    Use the Administration > SNMP (Configure User - Add SNMPv3 Local User) page to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch. Each SNMPv3 user is defined by a unique name.
  • Page 386 | Web Interface – To configure a local SNMPv3 user: Click Administration, SNMP. Select Configure User from the Step list. Select Add SNMPv3 Local User from the Action list. Enter a name and assign it to a group. If the security model is set to SNMPv3 and the security level is authNoPriv or authPriv, then an authentication protocol and password must be specified.
  • Page 387: Configuring Remote SNMPv3 Users

    Figure 226: Showing Local SNMPv3 Users. Configuring Remote SNMPv3 Users – Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from the local switch.
  • Page 388 | ■ AuthPriv – SNMP communications use both authentication and encryption. ◆ Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) Prefer SHA where the management station supports it. ◆ Authentication Password – A minimum of eight plain text characters…
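    The following is an added example, not code from the Edge-Core manual. It implements the SNMPv3 USM key derivation from RFC 3414 that sits behind the authentication protocol and password fields above and the engine ID pages (374 and 375): the password is stretched into a key, then localized with the engine ID, and the localized key drives the HMAC on every message. The test values are the RFC's own vectors; the alternative engine ID is constructed.

```python
"""SNMPv3 USM password-to-key and key localization (RFC 3414 section 2.6).

Added example, not Edge-Core code. A localized key depends on both the
password and the engine ID, so changing the engine ID invalidates every
stored key, and a key lifted from one engine is useless against another.
"""
import hashlib
import hmac

PASSWORD_EXPANSION = 1_048_576   # RFC 3414: hash 1 MiB of the repeated password


def password_to_key(password, proto):
    """Ku: expand the password to 1 MiB by repetition and hash it once.

    proto is "md5" or "sha1", matching the MD5/SHA choice on the user page.
    """
    if len(password) < 8:
        raise ValueError("RFC 3414 requires a password of at least 8 characters")
    h = hashlib.new(proto, usedforsecurity=False)
    pw = password.encode()
    reps, rem = divmod(PASSWORD_EXPANSION, len(pw))
    h.update(pw * reps + pw[:rem])
    return h.digest()


def localize_key(ku, engine_id, proto):
    """Kul = H(Ku || engineID || Ku): binds the key to one SNMP engine."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("engine ID must be 5..32 octets")
    return hashlib.new(proto, ku + engine_id + ku, usedforsecurity=False).digest()


def auth_param(localized_key, proto, wire_message):
    """HMAC-<proto>-96: the 12-octet msgAuthenticationParameters value.

    wire_message is the whole SNMPv3 message with the 12 parameter octets
    zeroed, as the sender serializes it before filling the field in.
    """
    return hmac.new(localized_key, wire_message, proto).digest()[:12]


if __name__ == "__main__":
    # RFC 3414 appendix A.3 vectors: password "maplesyrup", engine ID 00..00 02
    engine = bytes.fromhex("000000000000000000000002")
    for proto in ("md5", "sha1"):
        ku = password_to_key("maplesyrup", proto)
        print(proto, ku.hex(), localize_key(ku, engine, proto).hex())
```

    Two points follow for the "Set Engine ID" page: an agent whose engine ID changes must have its users re-provisioned, and a remote user (page 375) only works once the remote engine ID is known, because the key the manager will use is localized with that ID, not the switch's own.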
  • Page 389 | Figure 227: Configuring Remote SNMPv3 Users. To show remote SNMPv3 users: Click Administration, SNMP. Select Configure User from the Step list. Select Show SNMPv3 Remote User from the Action list. Figure 228: Showing Remote SNMPv3 Users…
  • Page 390: Specifying Trap Managers

    Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management software).
  • Page 391 | Parameters – These parameters are displayed: SNMP Version 1: ◆ IP Address – IP address of a new management station to receive notification messages (i.e., the targeted recipient). ◆ Version – Specifies whether to send notifications as SNMP v1, v2c, or…
  • Page 392 | SNMP Version 3: ◆ IP Address – IP address of a new management station to receive notification messages (i.e., the targeted recipient). ◆ Version – Specifies whether to send notifications as SNMP v1, v2c, or…
  • Page 393 | Web Interface – To configure trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Add from the Action list. Fill in the required parameters based on the selected SNMP version. Click Apply. Figure 229: Configuring Trap Managers (SNMPv1). Figure 230: Configuring Trap Managers (SNMPv2c).
  • Page 394: Remote Monitoring

    Basic Administration Protocols – Remote Monitoring. Figure 231: Configuring Trap Managers (SNMPv3). To show configured trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Show from the Action list. Figure 232: Showing Trap Managers. Remote Monitoring – Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis.
  • Page 395: Configuring RMON Alarms

    The switch supports mini-RMON, which consists of the Statistics, History, Event and Alarm groups. When RMON is enabled, the system gradually builds up information about its physical interfaces, storing this information in the relevant RMON database group. A management agent then periodically communicates with the switch using the SNMP protocol.
  • Page 396 | …generated, another such event will not be generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold. (Range: 1-65535) ◆ Rising Event Index –…
  • Page 397 | Figure 233: Configuring an RMON Alarm. To show configured RMON alarms: Click Administration, RMON. Select Configure Global from the Step list. Select Show from the Action list. Click Alarm. Figure 234: Showing Configured RMON Alarms…
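    The following is an added example, not code from the Edge-Core manual. It models the hysteresis rule quoted on page 396 for an RMON alarm entry (RFC 2819 alarmTable semantics): after a rising event fires, no further rising event is generated until the sampled value has reached the falling threshold, and the mirror rule applies in the other direction. Both the absolute and delta sample types and the startup-alarm selection are handled; the threshold values and the sequences of readings are constructed.

```python
"""RMON alarm evaluator with hysteresis (added example; not Edge-Core code)."""


class RmonAlarm:
    """One alarm entry: rising/falling thresholds, sample type, startup alarm."""

    def __init__(self, rising, falling, sample_type="absolute",
                 startup="risingOrFalling"):
        if rising <= falling:
            raise ValueError("rising threshold must be greater than falling threshold")
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample type must be 'absolute' or 'delta'")
        if startup not in ("rising", "falling", "risingOrFalling"):
            raise ValueError("unknown startup alarm selection")
        self.rising, self.falling = rising, falling
        self.sample_type, self.startup = sample_type, startup
        self.last_raw = None   # previous raw reading, needed for delta samples
        self.armed = None      # event that may fire next: "rising", "falling", "either"

    def sample(self, raw):
        """Feed one polled value; return "rising", "falling" or None."""
        if self.sample_type == "delta":
            if self.last_raw is None:
                self.last_raw = raw
                return None            # a delta needs two raw readings
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw

        if self.armed is None:         # first evaluated sample: startup-alarm rules
            if value >= self.rising:
                self.armed = "falling"
                return "rising" if self.startup in ("rising", "risingOrFalling") else None
            if value <= self.falling:
                self.armed = "rising"
                return "falling" if self.startup in ("falling", "risingOrFalling") else None
            self.armed = "either"
            return None

        # Steady state: a rising event re-arms only the falling event, and vice versa,
        # so a value that stays above the rising threshold never repeats the event.
        if value >= self.rising and self.armed in ("rising", "either"):
            self.armed = "falling"
            return "rising"
        if value <= self.falling and self.armed in ("falling", "either"):
            self.armed = "rising"
            return "falling"
        return None


def run_alarm(alarm, readings):
    """Return the event (or None) produced by each reading, in order."""
    return [alarm.sample(r) for r in readings]


if __name__ == "__main__":
    # Constructed readings, e.g. port utilization percent polled every interval
    print(run_alarm(RmonAlarm(80, 40), [10, 50, 85, 90, 95, 60, 85, 35, 20, 85]))
    # Constructed counter readings, evaluated as per-interval deltas
    print(run_alarm(RmonAlarm(100, 10, "delta"), [1000, 1050, 1200, 1210, 1215]))
```

    The absolute run above fires one rising event at 85 and stays silent through 90, 95 and a second 85 until the reading reaches 35; that silence is the hysteresis the page describes, and it is what keeps a flapping interface from generating a trap on every poll.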
  • Page 398: Configuring RMON Events

    Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager. Alarms and corresponding events provide a way of immediately responding to critical network problems.
  • Page 399 | Web Interface – To configure an RMON event: Click Administration, RMON. Select Configure Global from the Step list. Select Add from the Action list. Click Event. Enter an index number, the type of event to initiate, the community string to send with trap messages, the name of the person who created this event, and a brief description of the event.
  • Page 400: Configuring RMON History Samples

    To show configured RMON events: Click Administration, RMON. Select Configure Global from the Step list. Select Show from the Action list. Click Event. Figure 236: Showing Configured RMON Events. Configuring RMON History Samples – Use the Administration > RMON (Configure Interface - Add - History) page to collect statistics on a physical interface to monitor network utilization,…
  • Page 401 | Parameters – These parameters are displayed: ◆ Port – The port number on the switch. ◆ Index – Index to this entry. (Range: 1-65535) ◆ Interval – The polling interval. (Range: 1-3600 seconds; Default: 1800…
  • Page 402 | To show configured RMON history samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show from the Action list. Select a port from the list. Click History. Figure 238: Showing Configured RMON History Samples. To show collected RMON history samples: Click Administration, RMON.
  • Page 403: Configuring RMON Statistical Samples

    Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates. CLI References: "Remote Monitoring Commands"…
  • Page 404 | Web Interface – To enable regular sampling of statistics on a port: Click Administration, RMON. Select Configure Interface from the Step list. Select Add from the Action list. Click Statistics. Select a port from the list as the data source. Enter an index number, and the name of the owner for this entry. Click Apply. Figure 240: Configuring an RMON Statistical Sample…
  • Page 405 | Figure 241: Showing Configured RMON Statistical Samples. To show collected RMON statistical samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show Details from the Action list. Select a port from the list. Click Statistics.
  • Page 406: Switch Clustering

    Basic Administration Protocols – Switch Clustering. Switch clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
  • Page 407 | Parameters – These parameters are displayed: ◆ Cluster Status – Enables or disables clustering on the switch. (Default: Disabled) ◆ Commander Status – Enables or disables the switch as a cluster Commander. (Default: Disabled) ◆…
  • Page 408: Cluster Member Configuration

    Use the Administration > Cluster (Configure Member - Add) page to add Candidate switches to the cluster as Members. CLI References: ◆ "Switch Clustering" on page 548. Parameters – These parameters are displayed: ◆…
  • Page 409: Managing Cluster Members

    Figure 245: Showing Cluster Members. To show cluster candidates: Click Administration, Cluster. Select Configure Member from the Step list. Select Show Candidate from the Action list. Figure 246: Showing Cluster Candidates. Managing Cluster Members – Use the Administration > Cluster (Show Member) page to manage another switch in the cluster.
  • Page 410 | ◆ Operate – Remotely manage a cluster member. Web Interface – To manage a cluster member: Click Administration, Cluster. Select Show Member from the Step list. Select an entry from the Cluster Member List. Click Operate. Figure 247: Managing a Cluster Member…
  • Page 411: IP Configuration

    IP Configuration – This chapter describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on.
  • Page 412: Setting the Switch's IP Address (IP Version 4)

    IP Configuration – Setting the Switch's IP Address (IP Version 4). ■ Destination does not respond – If the host does not respond, a "timeout" appears in ten seconds. ■ Destination unreachable – The gateway for this destination indicates that the destination is unreachable.
  • Page 413 | CLI References: ◆ "DHCP Client" on page 911 ◆ "Basic IPv4 Configuration" on page 918. Parameters – These parameters are displayed: ◆ Management VLAN – ID of the configured VLAN (1-4093). By default,…
  • Page 414 | Web Interface – To set a static address for the switch: Click System, IP. Select the VLAN through which the management station is attached, set the IP Address Mode to "Static," enter the IP address, subnet mask and gateway.
  • Page 415: Setting the Switch's IP Address (IP Version 6)

    IP Configuration – Setting the Switch's IP Address (IP Version 6). Figure 250: Configuring a Dynamic IPv4 Address. The switch will also broadcast a request for IP configuration settings on each power reset. If you lose the management connection, make a console connection to the switch and enter "show ip interface"…
  • Page 416: Configuring the IPv6 Default Gateway

    …with a global unicast address. Both link-local and global unicast address types can either be dynamically assigned (using the Configure Interface page) or manually configured (using the Add IPv6 Address page). Use the IP >…
  • Page 417: Configuring IPv6 Interface Settings

    Use the IP > IPv6 Configuration (Configure Interface) page to configure general IPv6 settings for the selected VLAN, including auto-configuration of a global unicast interface address, explicit configuration of a link-local interface address, the MTU size, and neighbor discovery protocol settings for duplicate address detection and the neighbor solicitation interval.
  • Page 418 | ◆ Enable IPv6 Explicitly – Enables IPv6 on an interface. Note that when an explicit address is assigned to an interface, IPv6 is automatically enabled, and cannot be disabled until all assigned addresses have been removed.
  • Page 419 | ◆ ND NS Interval – The interval between transmitting IPv6 neighbor solicitation messages on an interface. (Range: 1000-3600000 milliseconds; Default: 1000 milliseconds is used for neighbor discovery operations, 0 milliseconds is advertised in router advertisements.)
  • Page 420: Configuring an IPv6 Address

    Use the IP > IPv6 Configuration (Add IPv6 Address) page to configure an IPv6 interface for management access over the network. CLI References: ◆ "IPv6 Interface" on page 925…
  • Page 421 | Parameters – These parameters are displayed: ◆ VLAN – ID of a configured VLAN which is to be used for management access. By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
  • Page 422: Showing IPv6 Addresses

    ■ Link Local – Configures an IPv6 link-local address. ■ The address prefix must be FE80. ■ You can configure only one link-local address per interface. ■ The specified address replaces a link-local address that was…
  • Page 423 | ◆ IP Address – An IPv6 address assigned to this interface. In addition to the unicast addresses assigned to an interface, a host is also required to listen to the all-nodes multicast addresses FF01::1 (interface-local scope) and FF02::1 (link-local scope).
  • Page 424: Showing the IPv6 Neighbor Cache

    Web Interface – To show the configured IPv6 addresses: Click IP, IPv6 Configuration. Select Show IPv6 Address from the Action list. Select a VLAN from the list. Figure 254: Showing Configured IPv6 Addresses. Use the IP >…
  • Page 425 | Table 29: Show IPv6 Neighbors - display description (Continued). Field | Description. State – The following states are used for dynamic entries: ◆ INCMP (Incomplete) – Address resolution is being carried out on the…
  • Page 426: Showing IPv6 Statistics

    Use the IP > IPv6 Configuration (Show Statistics) page to display statistics about IPv6 traffic passing through this switch. CLI References: ◆ "show ipv6 traffic" on page 937…
  • Page 427 | Table 30: Show IPv6 Statistics - display description (Continued). Field | Description. Address Errors – The number of input datagrams discarded because the IPv6 address in their IPv6 header's destination field was not a valid address to be received at this entity.
  • Page 428 | Table 30: Show IPv6 Statistics - display description (Continued). Field | Description. Generated Fragments – The number of output datagram fragments that have been generated as a result of fragmentation at this output interface. Fragment Succeeded – The number of IPv6 datagrams that have been successfully fragmented at this output interface.
  • Page 429 | Table 30: Show IPv6 Statistics - display description (Continued). Field | Description. Destination Unreachable Messages – The number of ICMP Destination Unreachable messages sent by the interface. Packet Too Big Messages – The number of ICMP Packet Too Big messages sent by the interface.
  • Page 430 | Web Interface – To show the IPv6 statistics: Click IP, IPv6 Configuration. Select Show Statistics from the Action list. Click IPv6, ICMPv6 or UDP. Figure 256: Showing IPv6 Statistics (IPv6). Figure 257: Showing IPv6 Statistics (ICMPv6)…
  • Page 431: Showing the MTU for Responding Destinations

    Figure 258: Showing IPv6 Statistics (UDP). Showing the MTU for Responding Destinations – Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
  • Page 432 | Web Interface – To show the MTU reported from other devices: Click IP, IPv6 Configuration. Select Show MTU from the Action list. Figure 259: Showing Reported MTU Values.
  • Page 433: IP Services

    IP Services – This chapter describes how to configure Domain Name Service (DNS) on this switch. For information on DHCP snooping, which is included in this folder, see "DHCP Snooping" on page 342. DNS service on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other name servers on the network.
  • Page 434: Configuring a List of Domain Names

    IP Services – Configuring a List of Domain Names. Web Interface – To configure general settings for DNS: Click IP Service, DNS. Select Configure Global from the Action list. Enable domain lookup, and set the default domain name. Click Apply. Figure 260: Configuring General Settings for DNS. Configuring a List of Domain Names…
  • Page 435 | Parameters – These parameters are displayed: ◆ Domain Name – Name of the host. Do not include the initial dot that separates the host name from the domain name. (Range: 1-68 characters) Web Interface – To create a list of domain names: Click IP Service, DNS.
  • Page 436: Configuring a List of Name Servers

    IP Services – Configuring a List of Name Servers. Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order. CLI References: "ip name-server"…
  • Page 437: Configuring Static DNS Host to Address Entries

    IP Services – Configuring Static DNS Host to Address Entries. To show the list of name servers: Click IP Service, DNS. Select Show Name Servers from the Action list. Figure 264: Showing the List of Name Servers for DNS. Configuring Static DNS Host to Address Entries…
  • Page 438 | Web Interface – To configure static entries in the DNS table: Click IP Service, DNS, Static Host Table. Select Add from the Action list. Enter a host name and the corresponding address. Click Apply.
  • Page 439: Displaying the DNS Cache

    IP Services – Displaying the DNS Cache. Use the IP Service > DNS - Cache page to display entries in the DNS cache that have been learned via the designated name servers. CLI References: "show dns cache"…
  • Page 440 | IP Services – Displaying the DNS Cache
  • Page 441: Multicast Filtering

    Multicast Filtering – This chapter describes how to configure the following multicast services: ◆ IGMP – Configuring snooping and query parameters. ◆ Filtering and Throttling – Filtering specified multicast services, or throttling the maximum number of multicast groups allowed on an interface. ◆ Multicast VLAN Registration (MVR) –…
  • Page 442: Layer 2 IGMP (Snooping and Query)

    Multicast Filtering – Layer 2 IGMP (Snooping and Query). …device, most commonly a multicast router. In this way, the switch can discover the ports that want to join a multicast group, and set its filters accordingly. If there is no multicast router attached to the local subnet, multicast traffic and query messages may not be received by the switch.
  • Page 443 | When the switch is configured to use IGMPv3 snooping, the snooping version may be downgraded to version 2 or version 1, depending on the version of the IGMP query packets detected on each VLAN. IGMP snooping will not function unless a multicast router port is enabled on the switch.
  • Page 444: Configuring IGMP Snooping and Query Parameters

    Use the Multicast > IGMP Snooping > General page to configure the switch to forward multicast traffic. Based on the IGMP query and report messages, the switch forwards multicast traffic only to the ports that request it.
  • Page 445 | ◆ Proxy Reporting Status – Enables IGMP Snooping with Proxy Reporting. (Default: Disabled) When proxy reporting is enabled with this command, the switch performs "IGMP Snooping with Proxy Reporting" (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression.
  • Page 446 | When the root bridge in a spanning tree receives a TCN for a VLAN where IGMP snooping is enabled, it issues a global IGMP leave message (or query solicitation). When a switch receives this solicitation, it floods it to all ports in the VLAN where the spanning tree change occurred.
  • Page 447: Specifying Static Interfaces for a Multicast Router

    ◆ IGMP Snooping Version – Sets the protocol version for compatibility with other devices on the network. This is the IGMP version the switch uses to send snooping reports. (Range: 1-3; Default: 2) This attribute configures the IGMP report/query version used by IGMP snooping.
  • Page 448 | …attached router. This can ensure that multicast traffic is passed to all the appropriate interfaces within the switch. CLI References: ◆ "Static Multicast Routing" on page 867. Parameters – These parameters are displayed: ◆…
  • Page 449: Assigning Interfaces to Multicast Services

    Figure 271: Showing Static Interfaces Attached to a Multicast Router. To show all interfaces attached to a multicast router: Click Multicast, IGMP Snooping, Multicast Router. Select Current Multicast Router from the Action list. Select the VLAN for which to display this information.
  • Page 450 | Command Usage: ◆ Static multicast addresses are never aged out. ◆ When a multicast address is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN.
  • Page 451: Setting Igmp Snooping Status Per Interface

    Figure 274: Showing Static Interfaces Assigned to a Multicast Service. To show all the interfaces statically or dynamically assigned to a multicast service: Click Multicast, IGMP Snooping, Multicast Router. Select Current Member from the Action list. Select the VLAN for which to display this information.
  • Page 452 Command Usage – Multicast Router Discovery: There have been many mechanisms used in the past to identify multicast routers. This has led to interoperability issues between multicast routers and snooping switches from different vendors. In response to this problem, the Multicast Router Discovery (MRD) protocol has been developed for use by IGMP snooping and multicast routing devices.
  • Page 453 Advertisement and Termination messages are sent to the All-Snoopers multicast address. Solicitation messages are sent to the All-Routers multicast address. MRD messages are flooded to all ports in a VLAN where IGMP snooping or routing has been enabled.
  • Page 454 enabled on an interface if it is connected to only one IGMP-enabled device, either a service host or a neighbor running IGMP snooping. This attribute is only effective if IGMP snooping is enabled, and IGMPv2 snooping is used.
  • Page 455 ◆ Query Response Interval – The maximum time the system waits for a response to proxy general queries. (Range: 10-31744 tenths of a second; Default: 10 seconds) This command applies when the switch is serving as the querier (page 444), or as a proxy host when IGMP snooping proxy reporting is enabled...
  • Page 456 Web Interface – To configure IGMP snooping on a VLAN: Click Multicast, IGMP Snooping, Interface. Select Configure from the Action list. Select the VLAN to configure and update the required parameters. Click Apply. Figure 276: Configuring IGMP Snooping on an Interface. To show the interface settings for IGMP snooping: Click Multicast, IGMP Snooping, Interface.
  • Page 457: Displaying Multicast Groups Discovered By Igmp Snooping

    Figure 277: Showing Interface Settings for IGMP Snooping. Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping. CLI References...
  • Page 458: Filtering And Throttling Igmp Groups

    Web Interface – To show multicast groups learned through IGMP snooping: Click Multicast, IGMP Snooping, Forwarding Entry. Select the VLAN for which to display this information. Figure 278: Showing Multicast Groups Learned by IGMP Snooping. Filtering and Throttling IGMP Groups...
  • Page 459: Enabling Igmp Filtering And Throttling

    Use the Multicast > IGMP Snooping > Filter (Configure General) page to enable IGMP filtering and throttling globally on the switch. CLI References: ◆ “ip igmp filter (Global Configuration)” on page 869...
  • Page 460 Parameters – These parameters are displayed: ◆ Profile ID – Creates an IGMP profile. (Range: 1-4294967295) ◆ Access Mode – Sets the access mode of the profile; either permit or deny. (Default: Deny) When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range.
  • Page 461 Select Show from the Action list. Figure 281: Showing the IGMP Filtering Profiles Created. To add a range of multicast groups to an IGMP filter profile: Click Multicast, IGMP Snooping, Filtering. Select Add Multicast Group Range from the Action list.
  • Page 462: Configuring Igmp Filtering And Throttling For Interfaces

    To show the multicast groups configured for an IGMP filter profile: Click Multicast, IGMP Snooping, Filtering. Select Show Multicast Group Range from the Action list. Select the profile for which to display this information. Figure 283: Showing the Groups Assigned to an IGMP Filtering Profile. Use the Multicast >...
  • Page 463: Multicast Vlan Registration

    ◆ Current Multicast Groups – Displays the current multicast groups the interface has joined. ◆ Throttling Action Mode – Sets the action to take when the maximum number of multicast groups for the interface has been exceeded. (Default: Deny) Deny - The new multicast group join report is dropped.
  • Page 464 MVR maintains the user isolation and data security provided by VLAN segregation by passing only multicast traffic into other VLANs to which the subscribers belong. Even though common multicast streams are passed onto different VLAN groups from the MVR VLAN, users in different IEEE 802.1Q or private VLANs cannot exchange any information (except through upper-level routing services).
  • Page 465: Configuring Global Mvr Settings

    Use the Multicast > MVR (Configure General) page to enable MVR globally on the switch, select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider, and assign the multicast group address for each of these services to the MVR VLAN.
  • Page 466: Configuring Mvr Interface Status

    Web Interface – To configure global settings for MVR: Click Multicast, MVR. Select Configure General from the Action list. Enable MVR globally on the switch, select the MVR VLAN, and add the multicast groups that will stream traffic to participating hosts. Click Apply.
  • Page 467 ◆ One or more interfaces may be configured as MVR source ports. A source port is able to both receive and send data for configured MVR groups or for groups which have been statically assigned (see “Assigning Static Multicast Groups to Interfaces”...
  • Page 468: Assigning Static Multicast Groups To Interfaces

    multicast traffic from one of the MVR groups, or a multicast group has been statically assigned to an interface. ◆ Immediate Leave – Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group.
  • Page 469 Web Interface – To assign a static MVR group to a port: Click Multicast, MVR. Select Configure Static Group Member from the Step list. Select Add from the Action list. Select a VLAN and port member to receive the multicast stream, and then enter the multicast group address.
  • Page 470: Displaying Mvr Receiver Groups

    Use the Multicast > MVR (Show Member) page to display the interfaces assigned to the MVR receiver groups. CLI References: ◆ “show mvr” on page 880. Parameters – These parameters are displayed: ◆...
  • Page 471: Command Line Interface

    Section: Command Line Interface. This section provides a detailed description of the Command Line Interface, along with examples for all of the commands. This section includes these chapters: ◆ “Using the Command Line Interface” on page 473 ◆ “General Commands” on page 485...
  • Page 472 ◆ “Multicast Filtering Commands” on page 849 ◆ “LLDP Commands” on page 883 ◆ “Domain Name Service Commands” on page 901 ◆ “DHCP Commands” on page 911 ◆ “IP Interface Commands” on page 917...
  • Page 473: Using The Command Line Interface

    When finished, exit the session with the “quit” or “exit” command. After connecting to the system through the console port, the login screen displays: User Access Verification Username: admin Password: CLI session with the ES3510MA is opened. To end the CLI session, enter [Exit]. Console#
  • Page 474: Telnet Connection

    When finished, exit the session with the “quit” or “exit” command. After entering the Telnet command, the login screen displays: Username: admin Password: CLI session with the ES3510MA is opened. To end the CLI session, enter [Exit]. Vty-0#
  • Page 475: Entering Commands

    You can open up to four sessions to the device via Telnet. Entering Commands – This section describes how to enter CLI commands. Keywords and Arguments – A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.
  • Page 476: Getting Help On Commands

    Getting Help on Commands – You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters. Showing Commands – If you enter a “?”...
  • Page 477: Partial Keyword Lookup

    sntp – Simple Network Time Protocol configuration; spanning-tree – Spanning-tree configuration; Secure shell server connections; startup-config – Startup system configuration; subnet-vlan – IP subnet-based VLAN information; system – System information; tacacs-server – TACACS server information; time-range – Time range; traffic-segmentation – Traffic segmentation information; upgrade...
  • Page 478: Understanding Command Modes

    “super.” To enter Privileged Exec mode, enter the following user names and passwords: Username: admin Password: [admin login password] CLI session with the ES3510MA is opened. To end the CLI session, enter [Exit]. Console#
  • Page 479: Configuration Commands

    Username: guest Password: [guest login password] CLI session with the ES3510MA is opened. To end the CLI session, enter [Exit]. Console>enable Password: [privileged level password] Console# Configuration Commands – Configuration commands are privileged level commands used to modify switch settings.
  • Page 480: Table 33: Configuration Command Modes

    To enter the Global Configuration mode, enter the command configure in Privileged Exec mode. The system prompt will change to “Console(config)#” which gives you access privilege to all Global Configuration commands. Console#configure Console(config)# To enter the other modes, at the configuration prompt type one of the...
  • Page 481: Command Line Processing

    Command Line Processing – Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?”...
  • Page 482: Cli Command Groups

    CLI Command Groups – The system commands can be broken down into the functional groups shown below. Table 35: Command Group Index (Command Group / Description / Page): General – Basic commands for entering privileged access mode, restarting the system, or quitting the CLI; System Management – Display and setting of system information, basic modes...
  • Page 483 Table 35: Command Group Index (Continued): Multicast Filtering – Configures IGMP multicast filtering, query, profile, and proxy parameters; specifies ports attached to a multicast router; also configures multicast VLAN registration; Link Layer Discovery – Configures LLDP settings to enable information...
  • Page 485: General Commands

    General Commands – These commands are used to control the command access mode, configuration mode, and other basic functions. Table 36: General Commands (Command / Function / Mode): prompt – Customizes the CLI prompt; reload – Restarts the system at a specified time, after a specified delay, or at a periodic interval; enable – Activates privileged mode...
  • Page 486: Reload (Global Configuration)

    Example: Console(config)#prompt RD2 RD2(config)# reload (Global Configuration) – This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time. Use the cancel option to remove a configured setting.
  • Page 487: Enable

    Command Usage: ◆ This command resets the entire system. ◆ Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten. ◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config...
  • Page 488: Quit

    Example: Console>enable Password: [privileged level password] Console# Related Commands: disable (490), enable password (584). quit – This command exits the configuration program. Default Setting: None. Command Mode: Normal Exec, Privileged Exec. Command Usage: The quit and exit commands can both exit the configuration program. Example: This example shows how to quit a CLI session: Console#quit...
  • Page 489: Configure

    Example: In this example, the show history command lists the contents of the command history buffer: Console#show history Execution command history: 2 config 1 show history Configuration command history: 4 interface vlan 1 3 exit 2 interface vlan 1 1 end Console# The ! command repeats commands from the Execution command history...
  • Page 490: Disable

    disable – This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See "Understanding Command Modes"...
  • Page 491: Show Reload

    show reload – This command displays the current reload settings, and the time at which the next scheduled reload will take place. Command Mode: Privileged Exec. Example: Console#show reload Reloading switch in time: 0 hours 29 minutes. The switch will be rebooted at January 1 02:11:50 2001.
  • Page 492 Example: This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session User Access Verification Username:
  • Page 493: System Management Commands

    System Management Commands – These commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information. Table 37: System Management Commands (Command Group / Function): Device Designation – Configures information that uniquely identifies this switch; Banner Information – Configures administrative contact, device identification and location...
  • Page 494: Hostname

    hostname – This command specifies or modifies the host name for this device. Use the no form to restore the default host name. Syntax: hostname name; no hostname. name - The name of this host. (Maximum length: 255 characters) Default Setting: None...
  • Page 495: Banner Configure

    Table 39: Banner Commands (Continued) (Command / Function / Mode): banner configure manager-info – Configures the Manager contact information that is displayed by banner; banner configure mux – Configures the MUX information that is displayed by banner; banner configure note – Configures miscellaneous information that is displayed by banner under the Notes heading...
  • Page 496: Banner Configure Company

    Row: 7 Rack: 29 Shelf in this rack: 8 Information about DC power supply. Floor: 2 Row: 7 Rack: 25 Electrical circuit: : ec-177743209-xb Number of LP:12 Position of the equipment in the MUX:1/23 IP LAN:192.168.1.1 Note: This is a random note about this managed switch and can contain miscellaneous information.
  • Page 497: Banner Configure Dc-Power-Info

    banner configure dc-power-info – This command is used to configure DC power information displayed in the banner. Use the no form to restore the default setting. Syntax: banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id; no banner configure dc-power-info [floor | row | rack | electrical-circuit]...
  • Page 498: Banner Configure Equipment-Info

    Command Mode: Global Configuration. Command Usage: Input strings cannot contain spaces. The banner configure department command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 499: Banner Configure Equipment-Location

    Example: Console(config)#banner configure equipment-info manufacturer-id ES3510MA floor 3 row 10 rack 15 shelf-rack 12 manufacturer EdgeCore Console(config)# banner configure equipment-location – This command is used to configure the equipment location information displayed in the banner. Use the no form to restore the default setting.
  • Page 500: Banner Configure Lp-Number

    Command Mode: Global Configuration. Command Usage: Input strings cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 501: Banner Configure Manager-Info

    banner configure manager-info – This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting. Syntax: banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number]; no banner configure manager-info [name1 | name2 | name3]...
  • Page 502: Banner Configure Note

    Default Setting: None. Command Mode: Global Configuration. Command Usage: Input strings cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
  • Page 503: Show Banner

    R&D Albert_Einstein - 123-555-1212 Lamar - 123-555-1219 Station's information: 710_Network_Path,_Indianapolis EdgeCore- ES3510MA Floor / Row / Rack / Sub-Rack 3/ 10 / 15 / 12 DC power supply: Power Source A: Floor / Row / Rack / Electrical circuit 3/ 15 / 24 / 48v-id_3.15.24.2...
  • Page 504: Show Access-List Tcam-Utilization

    show access-list tcam-utilization – This command shows utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use. Command Mode: Privileged Exec. Command...
  • Page 505: Show Running-Config

    Example: Console#show process cpu CPU Utilization in the past 5 seconds : 3.98% Console# show running-config – This command displays the configuration information currently in use. Command Mode: Privileged Exec. Command Usage: ◆ Use this command in conjunction with the show startup-config...
  • Page 506: Show Startup-Config

    1/1 switchport allowed vlan add 1 untagged switchport native vlan 1 switchport allowed vlan add 4093 tagged interface vlan 1 ip address dhcp ip dhcp client class-id text Edge-Core line console line vty Console# Related Commands: show startup-config (506)
  • Page 507: Show System

    ◆ The POST results should all display “PASS.” If any POST test indicates “FAIL,” contact your distributor for assistance. Example: Console#show system System Description : ES3510MA System OID String : 1.3.6.1.4.1.259.8.1.11 System Information System Up Time : 0 days, 7 hours, 20 minutes, and 43.30 seconds...
  • Page 508: Show Version

    Example: Console#show users User Name Accounts: User Name Privilege Public-Key --------- --------- ---------- admin 15 None guest 0 None steve Online Users: Line Username Idle time (h:m:s) Remote IP addr. ----------- -------- ----------------- --------------- console admin 0:14:14...
  • Page 509: Frame Size

    Frame Size – This section describes commands used to configure the Ethernet frame size on the switch. Table 41: Frame Size Commands (Command / Function / Mode): jumbo frame – Enables support for jumbo frames. jumbo frame – This command enables support for jumbo frames for Gigabit Ethernet ports.
  • Page 510: File Management

    File Management – Managing Firmware: Firmware can be uploaded and downloaded to or from an FTP/TFTP server. By saving runtime code to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.
  • Page 511: Boot System

    boot system – This command specifies the file or image used to start up the system. Syntax: boot system {boot-rom | config | opcode}: filename. boot-rom* - Boot ROM. config* - Configuration file. opcode* - Run-time operation code. filename - Name of configuration file or code image.
  • Page 512: Copy

    copy – This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation.
  • Page 513 ◆ The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help. ◆ For information on specifying an https-certificate, see "Replacing the...
  • Page 514 The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.01 Startup configuration file name [startup]: Write to FLASH Programming. \Write to FLASH finish. Success.
  • Page 515: Delete

    delete – This command deletes a file or image. Syntax: delete filename. filename - Name of configuration file or code image. Default Setting: None. Command Mode: Privileged Exec. Command Usage: ◆ If the file type is used for system startup, then this file cannot be deleted.
  • Page 516: Whichboot

    The length of the file in bytes. Example: The following example shows how to display all file information: Console#dir File Name Type Startup Modify Time Size(bytes) -------------------------- -------------- ------- ------------------- ---------- Unit 1: ES3510MA-FLF-38_V1.1.0.2.bix OpCode 2009-12-10 10:35:35 11354263 ES3510MA-FLF-38_V1.1.0.4.bix OpCode 2009-12-16 08:44:35 11354752 Factory_Default_Config.cfg Config 2009-12-16 08:44:35 startup1.cfg...
  • Page 517: Upgrade Opcode Auto

    (page 518). The name for the new image stored on the TFTP server must be es3510ma.bix. If the switch detects a code version newer than the one currently in use, it will download the new image. If two code images are already stored in the switch, the image not set to start up the system will be overwritten by the new version.
  • Page 518: Upgrade Opcode Path

    ◆ The name for the new image stored on the TFTP server must be es3510ma.bix. However, note that the file name is not to be included in this command.
  • Page 519 ◆ When specifying a TFTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image: tftp://192.168.0.1[/filedir]/ ◆ When specifying an FTP server, the following syntax must be used,...
  • Page 520: Line

    | System Management Commands HAPTER Line You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
  • Page 521: Databits

    | System Management Commands HAPTER Line OMMAND Global Configuration OMMAND SAGE Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections.
  • Page 522: Exec-Timeout

    | System Management Commands HAPTER Line ELATED OMMANDS parity (523) This command sets the interval that the system waits until user input is exec-timeout detected. Use the no form to restore the default. YNTAX exec-timeout [seconds] no exec-timeout seconds - Integer that specifies the timeout interval. (Range: 0 - 65535 seconds;...
  • Page 523: Parity

    | System Management Commands HAPTER Line EFAULT ETTING login local OMMAND Line Configuration OMMAND SAGE There are three authentication modes provided by the switch itself at ◆ login: login selects authentication by a single global password as ■ specified by the password line configuration command.
  • Page 524: Password

    | System Management Commands HAPTER Line EFAULT ETTING No parity OMMAND Line Configuration OMMAND SAGE Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting. XAMPLE To specify no parity, enter this command: Console(config-line)#parity none Console(config-line)# This command specifies the password for a line.
  • Page 525: Password-Thresh

    | System Management Commands HAPTER Line XAMPLE Console(config-line)#password 0 secret Console(config-line)# ELATED OMMANDS login (522) password-thresh (525) This command sets the password intrusion threshold which limits the password-thresh number of failed logon attempts. Use the no form to remove the threshold value.
  • Page 526: Silent-Time

    | System Management Commands HAPTER Line This command sets the amount of time the management console is silent-time inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value. YNTAX silent-time [seconds] no silent-time...
  • Page 527: Stopbits

    | System Management Commands HAPTER Line supported. If you select the “auto” option, the switch will automatically detect the baud rate configured on the attached terminal, and adjust the speed accordingly. XAMPLE To specify 57600 bps, enter this command: Console(config-line)#speed 57600 Console(config-line)# This command sets the number of the stop bits transmitted per byte.
  • Page 528: Disconnect

    | System Management Commands HAPTER Line OMMAND Line Configuration OMMAND SAGE If a login attempt is not detected within the timeout interval, the ◆ connection is terminated for the session. This command applies to both the local console and Telnet connections. ◆...
  • Page 529: Show Line

    | System Management Commands HAPTER Event Logging This command displays the terminal line’s parameters. show line YNTAX show line [console | vty] console - Console terminal line. vty - Virtual terminal for remote console access (i.e., Telnet). EFAULT ETTING Shows all lines OMMAND Normal Exec, Privileged Exec XAMPLE...
  • Page 530: Logging Facility

    | System Management Commands HAPTER Event Logging Table 45: Event Logging Commands (Continued) Command Function Mode clear log Clears messages from the logging buffer show log Displays log messages show logging Displays the state of logging This command sets the facility type for remote logging of syslog messages. logging facility Use the no form to return the type to the default.
  • Page 531: Logging History

    | System Management Commands HAPTER Event Logging This command limits syslog messages saved to switch memory based on logging history severity. The no form returns the logging of syslog messages to the default level. YNTAX logging history {flash | ram} level no logging history {flash | ram} flash - Event history stored in flash memory (i.e., permanent memory).
  • Page 532: Logging Host

    | System Management Commands HAPTER Event Logging This command adds a syslog server host IP address that will receive logging host logging messages. Use the no form to remove a syslog server host. YNTAX [no] logging host host-ip-address host-ip-address - The IP address of a syslog server. EFAULT ETTING None...
  • Page 533: Logging Trap

    | System Management Commands HAPTER Event Logging ELATED OMMANDS logging history (531) logging trap (533) clear log (533) This command enables the logging of system messages to a remote server, logging trap or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging.
  • Page 534: Show Log

    | System Management Commands HAPTER Event Logging OMMAND Privileged Exec XAMPLE Console#clear log Console# ELATED OMMANDS show log (534) This command displays the log messages stored in local memory. show log YNTAX show log {flash | ram} flash - Event history stored in flash memory (i.e., permanent memory).
  • Page 535: Show Logging

    | System Management Commands HAPTER Event Logging This command displays the configuration settings for logging messages to show logging local switch memory, to an SMTP event handler, or to a remote syslog server. YNTAX show logging {flash | ram | sendmail | trap} flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
  • Page 536: Smtp Alerts

    | System Management Commands HAPTER SMTP Alerts REMOTELOG Level Type: Debugging messages REMOTELOG server IP Address: 1.2.3.4 REMOTELOG server IP Address: 0.0.0.0 REMOTELOG server IP Address: 0.0.0.0 REMOTELOG server IP Address: 0.0.0.0 REMOTELOG server IP Address: 0.0.0.0 Console# Table 48: show logging trap - display description Field Description Syslog logging...
  • Page 537: Logging Sendmail

    | System Management Commands HAPTER SMTP Alerts This command enables SMTP event handling. Use the no form to disable logging sendmail this function. YNTAX [no] logging sendmail EFAULT ETTING Enabled OMMAND Global Configuration XAMPLE Console(config)#logging sendmail Console(config)# This command specifies SMTP servers that will be sent alert messages. Use logging sendmail the no form to remove an SMTP server.
  • Page 538: Logging Sendmail Level

    | System Management Commands CHAPTER SMTP Alerts EXAMPLE Console(config)#logging sendmail host 192.168.1.19 Console(config)# logging sendmail level This command sets the severity threshold used to trigger alert messages. Use the no form to restore the default setting. SYNTAX logging sendmail level level no logging sendmail level level - One of the system message levels (page...
  • Page 539: Logging Sendmail Source-Email

    | System Management Commands CHAPTER SMTP Alerts COMMAND MODE Global Configuration COMMAND USAGE You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient. EXAMPLE Console(config)#logging sendmail destination-email ted@this-company.com Console(config)# logging sendmail source-email This command sets the email address used for the “From” field in alert messages.
  • Page 540: Time

    | System Management Commands CHAPTER Time SMTP Minimum Severity Level: 7 SMTP destination email addresses ----------------------------------------------- ted@this-company.com SMTP Source Email Address: bill@this-company.com SMTP Status: Enabled Console# The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP).
  • Page 541: Sntp Poll

    | System Management Commands CHAPTER Time COMMAND USAGE ◆ The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan.
  • Page 542: Sntp Server

    | System Management Commands CHAPTER Time RELATED COMMANDS sntp client (540) sntp server This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Use the no form to clear all time servers from the current list, or to clear a specific server.
  • Page 543: Clock Timezone

    | System Management Commands CHAPTER Time EXAMPLE Console#show sntp Current Time : Nov 5 18:51:22 2006 Poll Interval : 16 seconds Current Mode : Unicast SNTP Status : Enabled SNTP Server : 137.92.140.80 0.0.0.0 0.0.0.0 Current Server : 137.92.140.80 Console# clock timezone This command sets the time zone for the switch’s internal clock.
  • Page 544: Calendar Set

    | System Management Commands CHAPTER Time calendar set This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server. SYNTAX calendar set hour min sec {day month year | month day year} hour - Hour in 24-hour format.
  • Page 545: Time Range

    | System Management Commands CHAPTER Time Range TIME RANGE This section describes the commands used to set a time range for use by other functions, such as Access Control Lists. Table 51: Time Range Commands Command Function Mode time-range Specifies the name of a time range, and enters time range configuration mode absolute Sets the time range for the execution of a command...
  • Page 546: Absolute

    | System Management Commands CHAPTER Time Range absolute This command sets the time range for the execution of a command. Use the no form to remove a previously specified time. SYNTAX absolute start hour minute day month year [end hour minute day month year] absolute end hour minute day month year no absolute hour - Hour in 24-hour format.
  • Page 547: Show Time-Range

    | System Management Commands CHAPTER Time Range monday - Monday saturday - Saturday sunday - Sunday thursday - Thursday tuesday - Tuesday wednesday - Wednesday weekdays - Weekdays weekend - Weekends hour - Hour in 24-hour format. (Range: 0-23) minute - Minute. (Range: 0-59) DEFAULT SETTING None...
  • Page 548: Switch Clustering

    | System Management Commands CHAPTER Switch Clustering SWITCH CLUSTERING Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
  • Page 549: Cluster

    | System Management Commands CHAPTER Switch Clustering cluster This command enables clustering on the switch. Use the no form to disable clustering. SYNTAX [no] cluster DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE ◆ To create a switch cluster, first be sure that clustering is enabled on the...
  • Page 550: Cluster Ip-Pool

    | System Management Commands CHAPTER Switch Clustering COMMAND USAGE ◆ Once a switch has been configured to be a cluster Commander, it automatically discovers other cluster-enabled switches in the network. These “Candidate” switches only become cluster Members when manually selected by the administrator through the management station.
  • Page 551: Cluster Member

    | System Management Commands CHAPTER Switch Clustering cluster member This command configures a Candidate switch as a cluster Member. Use the no form to remove a Member switch from the cluster. SYNTAX cluster member mac-address mac-address id member-id no cluster member id member-id mac-address - The MAC address of the Candidate switch.
  • Page 552: Show Cluster

    | System Management Commands CHAPTER Switch Clustering EXAMPLE Console#rcommand id 1 CLI session with the ES-3024GP is opened. To end the CLI session, enter [Exit]. Vty-0# show cluster This command shows the switch clustering configuration. COMMAND MODE Privileged Exec EXAMPLE Console#show cluster Role : commander Interval Heartbeat...
  • Page 553: Show Cluster Candidates

    | System Management Commands CHAPTER Switch Clustering show cluster candidates This command shows the discovered Candidate switches in the network. COMMAND MODE Privileged Exec EXAMPLE Console#show cluster candidates Cluster Candidates: Role MAC Address Description --------------- ----------------- ---------------------------------------- Active member 00-E0-0C-00-00-FE ES-3024GP Managed GE POE Switch CANDIDATE 00-12-CF-0B-47-A0 ES-3024GP Managed GE POE Switch Console#...
  • Page 554 | System Management Commands CHAPTER Switch Clustering – 554 –...
  • Page 555: Snmp Commands

    SNMP COMMANDS Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
  • Page 556: Snmp-Server

    | SNMP Commands CHAPTER Table 53: SNMP Commands (Continued) Command Function Mode Notification Log Commands nlm Enables the specified notification log snmp-server notify-filter Creates a notification log and specifies the target host show nlm oper-status Shows operation status of configured notification logs show snmp notify-filter Displays the configured notification logs...
  • Page 557: Snmp-Server Community

    | SNMP Commands CHAPTER EXAMPLE Console(config)#snmp-server Console(config)# snmp-server community This command defines community access strings used to authorize management access by clients using SNMP v1 or v2c. Use the no form to remove the specified community string. SYNTAX snmp-server community string [ro | rw] no snmp-server community string string - Community string that acts like a password and permits access to the SNMP protocol.
  • Page 558: Snmp-Server Location

    | SNMP Commands CHAPTER COMMAND MODE Global Configuration EXAMPLE Console(config)#snmp-server contact Paul Console(config)# RELATED COMMANDS snmp-server location (558) snmp-server location This command sets the system location string. Use the no form to remove the location string. SYNTAX snmp-server location text no snmp-server location text - String that describes the system location.
  • Page 559: Snmp-Server Enable Traps

    | SNMP Commands CHAPTER EXAMPLE Console#show snmp SNMP Agent : Enabled SNMP Traps : Authentication : Enabled Link-up-down : Enabled SNMP Communities : 1. public, and the access level is read-only 2. private, and the access level is read/write 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supplied...
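The show snmp output above lists the two factory community strings, public (read-only) and private (read/write), which are the first thing anyone scanning a management network tries. The following is an added example, not code from the Edge-Core manual: it parses the "SNMP Communities" block of a captured show snmp output, flags default or read/write or short strings, and emits the no snmp-server community lines that remove them. The sample output is constructed from the manual's example (the real output puts each community on its own line); the 12-character minimum is a local policy assumption, not a switch limit.

```python
"""Audit the community strings an ES3510MA reports in 'show snmp'.

Added example, not code from the Edge-Core manual. The 12-character
minimum is a local policy assumption, not a limit of the switch.
"""
import re

# Matches one numbered community line, e.g.
#   "   2. private, and the access level is read/write"
COMMUNITY_RE = re.compile(
    r"^\s*\d+\.\s+(?P<name>\S+?),\s+and the access level is\s+"
    r"(?P<access>read-only|read/write)\s*$"
)

DEFAULT_COMMUNITIES = {"public", "private"}
MIN_LENGTH = 12  # assumption: local policy minimum

# Constructed sample of 'show snmp' output; values follow the manual's example.
SAMPLE_SHOW_SNMP = """\
SNMP Agent : Enabled
SNMP Traps :
  Authentication : Enabled
  Link-up-down   : Enabled
SNMP Communities :
   1. public, and the access level is read-only
   2. private, and the access level is read/write
   3. n0c-r3adonly-2024, and the access level is read-only
0 SNMP packets input
"""


def parse_communities(show_snmp_output: str) -> list:
    """Return [(community, access), ...] in the order the switch lists them."""
    found = []
    for line in show_snmp_output.splitlines():
        m = COMMUNITY_RE.match(line)
        if m:
            found.append((m.group("name"), m.group("access")))
    return found


def audit_communities(communities) -> list:
    """Return [(community, issue), ...]; an empty list means nothing to flag."""
    findings = []
    for name, access in communities:
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append((name, "factory default community string"))
        if access == "read/write":
            findings.append((name, "read/write access over SNMPv1/v2c (unauthenticated, cleartext)"))
        if len(name) < MIN_LENGTH:
            findings.append((name, f"shorter than {MIN_LENGTH} characters"))
    return findings


def remediation_commands(findings) -> list:
    """Global Configuration lines that remove every flagged community, once each."""
    names = []
    for name, _issue in findings:
        if name not in names:
            names.append(name)
    return [f"no snmp-server community {name}" for name in names]


if __name__ == "__main__":
    comms = parse_communities(SAMPLE_SHOW_SNMP)
    findings = audit_communities(comms)
    for name, issue in findings:
        print(f"{name}: {issue}")
    print("\n".join(remediation_commands(findings)))
```

Removing a community string only closes the v1/v2c path; management access then has to come from an SNMPv3 user in a group created with the snmp-server group and snmp-server user commands on the following pages.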
  • Page 560: Snmp-Server Host

    | SNMP Commands CHAPTER snmp-server enable traps command. If you enter the command with no keywords, both authentication and link-up-down notifications are enabled. If you enter the command with a keyword, only the notification type related to that keyword is enabled. ◆ The snmp-server enable traps command is used in conjunction with...
  • Page 561 | SNMP Commands CHAPTER prior to using the snmp-server host command. (Maximum length: 32 characters) version - Specifies whether to send notifications as SNMP Version 1, 2c or 3 traps. (Range: 1, 2c, 3; Default: 1) auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy.
  • Page 562 | SNMP Commands CHAPTER To send an inform to an SNMPv2c host, complete these steps: Enable the SNMP agent (page 556). Create a view with the required notification messages (page 566). Create a group that includes the required notify view (page 564).
  • Page 563: Snmp-Server Engine-Id

    | SNMP Commands CHAPTER snmp-server engine-id This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default. SYNTAX snmp-server engine-id {local | remote {ip-address}} engineid-string no snmp-server engine-id {local | remote {ip-address}} local - Specifies the SNMP engine on this switch. remote - Specifies an SNMP engine on a remote device.
  • Page 564: Snmp-Server Group

    | SNMP Commands CHAPTER RELATED COMMANDS snmp-server host (560) snmp-server group This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group. SYNTAX snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] no snmp-server group groupname groupname - Name of an SNMP group.
  • Page 565: Snmp-Server User

    | SNMP Commands CHAPTER EXAMPLE Console(config)#snmp-server group r&d v3 auth write daily Console(config)# snmp-server user This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group.
  • Page 566: Snmp-Server View

    | SNMP Commands CHAPTER ◆ Remote users (i.e., the command specifies a remote engine identifier) must be configured to identify the source of SNMPv3 inform messages sent from the local switch. ◆ The SNMP engine ID is used to compute the authentication/privacy...
  • Page 567: Show Snmp Engine-Id

    | SNMP Commands CHAPTER COMMAND USAGE ◆ Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree. ◆ The predefined view “defaultview” includes access to the entire MIB tree. EXAMPLES This view includes MIB-2. Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included Console(config)# This view includes the MIB-2 interfaces table, ifDescr.
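The view, group and user commands on these pages form a three-level access model: a user belongs to one group, a group names a read, write and notify view, and a view is a list of included or excluded subtrees. Whether a given OID is reachable is decided by the longest view entry that covers it. The following is an added example, not code from the Edge-Core manual, that evaluates that model offline so a configuration can be checked before it is pushed to the switch. The view mib-2 and group r&d come from the manual's examples; the views daily and nomgmt, the group audit and the user names are constructed, and subtree masks are not modelled.

```python
"""Decide whether an SNMPv3 user may read, write or be notified of an OID,
following the view -> group -> user model of the switch's snmp-server view,
snmp-server group and snmp-server user commands.

Added example, not code from the Edge-Core manual. The longest subtree
entry covering the OID wins and grants access only if it is 'included'
(the VACM rule); view masks are not modelled.
"""


def _oid(text: str) -> tuple:
    return tuple(int(part) for part in text.strip(".").split("."))


class View:
    """One family of 'snmp-server view NAME SUBTREE {included|excluded}' entries."""

    def __init__(self, name: str):
        self.name = name
        self.entries = []  # [(subtree tuple, included bool), ...]

    def add(self, subtree: str, included: bool = True) -> "View":
        self.entries.append((_oid(subtree), included))
        return self

    def allows(self, oid: str) -> bool:
        target = _oid(oid)
        best = None
        for subtree, included in self.entries:
            if target[:len(subtree)] == subtree:
                if best is None or len(subtree) > len(best[0]):
                    best = (subtree, included)
        return best is not None and best[1]


class Vacm:
    """Views, groups and users as the switch's snmp-server commands create them."""

    def __init__(self):
        self.views = {}
        self.groups = {}
        self.users = {}

    def view(self, name: str) -> View:
        return self.views.setdefault(name, View(name))

    def group(self, name, model, read=None, write=None, notify=None):
        # snmp-server group NAME v3 {auth|noauth|priv} [read R] [write W] [notify N]
        self.groups[name] = {"model": model, "read": read, "write": write, "notify": notify}

    def user(self, name: str, group: str):
        # snmp-server user NAME GROUP ... ; the group must already exist
        if group not in self.groups:
            raise ValueError(f"group {group!r} does not exist")
        self.users[name] = group

    def permits(self, user: str, operation: str, oid: str) -> bool:
        """operation is 'read', 'write' or 'notify'; unknown user or view means deny."""
        group = self.groups.get(self.users.get(user, ""))
        if group is None:
            return False
        view = self.views.get(group.get(operation) or "")
        return view is not None and view.allows(oid)


def build_example() -> Vacm:
    v = Vacm()
    v.view("mib-2").add("1.3.6.1.2.1")                       # manual's example view
    v.view("daily").add("1.3.6.1.2.1.2.2.1.2")               # ifDescr only (constructed)
    v.view("nomgmt").add("1.3.6.1.2.1").add("1.3.6.1.2.1.4", included=False)  # MIB-2 minus ip group
    v.group("r&d", "v3 auth", read="mib-2", write="daily")   # manual's group, views assumed
    v.group("audit", "v3 priv", read="nomgmt")               # constructed
    v.user("steve", "r&d")
    v.user("alice", "audit")
    return v


if __name__ == "__main__":
    vacm = build_example()
    for user, op, oid in [("steve", "read", "1.3.6.1.2.1.1.5.0"),
                          ("steve", "write", "1.3.6.1.2.1.1.5.0"),
                          ("alice", "read", "1.3.6.1.2.1.4.20.1.1")]:
        print(user, op, oid, "->", "permit" if vacm.permits(user, op, oid) else "deny")
```

The nomgmt view shows the excluded form in action: the shorter included entry for 1.3.6.1.2.1 would grant everything under MIB-2, but the longer excluded entry for 1.3.6.1.2.1.4 wins for the ip group, so the address table stays hidden while sysName remains readable.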
  • Page 568: Show Snmp Group

    | SNMP Commands CHAPTER Table 54: show snmp engine-id - display description (Continued) Field Description Remote SNMP engineID String identifying an engine ID on a remote device. IP address IP address of the device containing the corresponding remote SNMP engine. Four default groups are provided –...
  • Page 569: Show Snmp User

    | SNMP Commands CHAPTER Table 55: show snmp group - display description Field Description groupname Name of an SNMP group. security model The SNMP version. readview The associated read view. writeview The associated write view. notifyview The associated notify view. storage-type The storage type for this entry.
  • Page 570: Show Snmp View

    | SNMP Commands CHAPTER show snmp view This command shows information on the SNMP views. COMMAND MODE Privileged Exec EXAMPLE Console#show snmp view View Name: mib-2 Subtree OID: 1.3.6.1.2.1 View Type: included Storage Type: permanent Row Status: active View Name: defaultview Subtree OID: 1 View Type: included Storage Type: volatile...
  • Page 571: Snmp-Server Notify-Filter

    | SNMP Commands CHAPTER ◆ Disabling logging with this command does not delete the entries stored in the notification log. EXAMPLE This example enables the notification logs A1 and A2. Console(config)#nlm A1 Console(config)#nlm A2 Console(config)# snmp-server notify-filter This command creates an SNMP notification log. Use the no form to remove this log.
  • Page 572: Show Nlm Oper-Status

    | SNMP Commands CHAPTER ◆ To avoid this problem, notification logging should be configured and enabled using the snmp-server notify-filter and nlm commands, and these commands stored in the startup configuration file. Then when the switch reboots, SNMP traps (such as warm start) can be logged.
  • Page 573: Show Snmp Notify-Filter

    | SNMP Commands CHAPTER show snmp notify-filter This command displays the configured notification logs. COMMAND MODE Privileged Exec EXAMPLE This example displays the configured notification logs and associated target hosts. Note that the last entry is a default filter created when a trap host is initially created.
  • Page 574 | SNMP Commands CHAPTER – 574 –...
  • Page 575: Remote Monitoring Commands

    REMOTE MONITORING COMMANDS Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
  • Page 576: Rmon Alarm

    | Remote Monitoring Commands CHAPTER rmon alarm This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm. SYNTAX rmon alarm index variable interval seconds {absolute | delta} rising-threshold threshold event event-index falling-threshold threshold event event-index [owner name] no rmon alarm index index –...
  • Page 577: Rmon Event

    | Remote Monitoring Commands CHAPTER such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold. EXAMPLE Console(config)#rmon alarm 1 1.3.6.1.2.1.16.1.1.1.6.1 interval 15 delta rising-threshold 100 event 1 falling-threshold 30 event 1 owner mike Console(config)# rmon event This command creates a response event for an alarm.
  • Page 578: Rmon Collection History

    | Remote Monitoring Commands CHAPTER COMMAND USAGE ◆ If an event is already defined for an index, the entry must be deleted before any changes can be made with this command. ◆ The specified events determine the action to take when an alarm...
  • Page 579: Rmon Collection Stats

    | Remote Monitoring Commands CHAPTER EXAMPLE Console(config)#interface ethernet 1/1 Console(config-if)#rmon collection history 21 buckets 24 interval 60 owner mike Console(config-if)# rmon collection stats This command enables the collection of statistics on a physical interface. Use the no form to disable statistics collection. SYNTAX rmon collection stats index [owner name]...
  • Page 580: Show Rmon Alarm

    | Remote Monitoring Commands CHAPTER show rmon alarm This command shows the settings for all configured alarms. COMMAND MODE Privileged Exec EXAMPLE Console#show rmon alarm alarm Index = 1 alarm Interval = 30 alarm Type is Delta alarm Value alarm Rising Threshold = 892800 alarm Rising Event = 0 alarm Falling Threshold = 446400 alarm Falling Event = 0...
  • Page 581: Show Rmon Statistics

    | Remote Monitoring Commands CHAPTER buckets requested = 8 buckets granted = 8 Interval = 30 Owner RMON_SNMP show rmon statistics This command shows the information collected for all configured entries in the statistics group. COMMAND MODE Privileged Exec EXAMPLE Console#show rmon statistics rmon collection index 1 stats->ifindex = 1 input packets 00, bytes 00, dropped 00, multicast packets 00...
  • Page 582 | Remote Monitoring Commands CHAPTER – 582 –...
  • Page 583: Authentication

    AUTHENTICATION COMMANDS You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 584: Enable Password

    | Authentication Commands CHAPTER User Accounts enable password After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
  • Page 585: Username

    | Authentication Commands CHAPTER User Accounts username This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name.
  • Page 586: Authentication Sequence

    | Authentication Commands CHAPTER Authentication Sequence AUTHENTICATION SEQUENCE Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence. Table 62: Authentication Sequence Commands Command Function Mode...
  • Page 587: Authentication Login

    | Authentication Commands CHAPTER Authentication Sequence EXAMPLE Console(config)#authentication enable radius Console(config)# RELATED COMMANDS enable password - sets the password for changing command modes (584) authentication login This command defines the login authentication method and precedence. Use the no form to restore the default. SYNTAX authentication login {[local] [radius] [tacacs]} no authentication login...
  • Page 588: Radius Client

    | Authentication Commands CHAPTER RADIUS Client RELATED COMMANDS username - for setting the local user names and passwords (585) RADIUS CLIENT Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network.
  • Page 589: Radius-Server Auth-Port

    | Authentication Commands CHAPTER RADIUS Client radius-server auth-port This command sets the RADIUS server network port. Use the no form to restore the default. SYNTAX radius-server auth-port port-number no radius-server auth-port port-number - RADIUS server UDP port used for authentication messages.
  • Page 590: Radius-Server Key

    | Authentication Commands CHAPTER RADIUS Client DEFAULT SETTING auth-port - 1812 acct-port - 1813 timeout - 5 seconds retransmit - 2 COMMAND MODE Global Configuration EXAMPLE Console(config)#radius-server 1 host 192.168.1.20 port 181 timeout 10 retransmit 5 key green Console(config)# radius-server key This command sets the RADIUS encryption key (the shared secret). Use the no form to restore the default.
  • Page 591: Radius-Server Timeout

    | Authentication Commands CHAPTER RADIUS Client DEFAULT SETTING COMMAND MODE Global Configuration EXAMPLE Console(config)#radius-server retransmit 5 Console(config)# radius-server timeout This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default. SYNTAX radius-server timeout number-of-seconds no radius-server timeout number-of-seconds - Number of seconds the switch waits for a...
  • Page 592: Tacacs+ Client

    | Authentication Commands CHAPTER TACACS+ Client Retransmit Times Request Timeout Server 1: Server IP Address : 192.168.1.1 Auth-port : 1812 Acct-port : 1813 Retransmit Times Request Timeout Console# TACACS+ CLIENT Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network.
  • Page 593: Tacacs-Server Host

    | Authentication Commands CHAPTER TACACS+ Client DEFAULT SETTING 10.11.12.13 COMMAND MODE Global Configuration EXAMPLE Console(config)#tacacs-server host 192.168.1.25 Console(config)# tacacs-server host This command specifies the TACACS+ server. Use the no form to restore the default. SYNTAX tacacs-server host host-ip-address no tacacs-server host host-ip-address - IP address of a TACACS+ server.
  • Page 594: Tacacs-Server Port

    | Authentication Commands CHAPTER TACACS+ Client EXAMPLE Console(config)#tacacs-server key green Console(config)# tacacs-server port This command specifies the TACACS+ server network port. Use the no form to restore the default. SYNTAX tacacs-server port port-number no tacacs-server port port-number - TACACS+ server TCP port used for authentication messages.
  • Page 595: Aaa

    | Authentication Commands CHAPTER The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network. Table 65: AAA Commands Command Function Mode...
  • Page 596: Aaa Accounting Dot1X

    | Authentication Commands CHAPTER group - Specifies the server group to use. tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command. (Range: 1-255 characters) DEFAULT SETTING Accounting is not enabled...
  • Page 597: Aaa Accounting Exec

    | Authentication Commands CHAPTER group - Specifies the server group to use. radius - Specifies all RADIUS hosts configured with the radius-server host command. tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command.
  • Page 598: Aaa Accounting Update

    | Authentication Commands CHAPTER group - Specifies the server group to use. radius - Specifies all RADIUS hosts configured with the radius-server host command. tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command.
  • Page 599: Aaa Authorization Exec

    | Authentication Commands CHAPTER ◆ Using the command without specifying an interim interval enables updates, but does not change the current interval setting. EXAMPLE Console(config)#aaa accounting update periodic 30 Console(config)# aaa authorization exec This command enables the authorization for Exec access. Use the no form to disable the authorization service.
  • Page 600: Aaa Group Server

    | Authentication Commands CHAPTER aaa group server Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command. SYNTAX [no] aaa group server {radius | tacacs+} group-name radius - Defines a RADIUS server group.
  • Page 601: Accounting Dot1X

    | Authentication Commands CHAPTER EXAMPLE Console(config)#aaa group server radius tps Console(config-sg-radius)#server 10.2.68.120 Console(config-sg-radius)# accounting dot1x This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface. SYNTAX accounting dot1x {default | list-name} no accounting dot1x default - Specifies the default method list created with the accounting dot1x...
  • Page 602: Authorization Exec

    | Authentication Commands CHAPTER EXAMPLE Console(config)#line console Console(config-line)#accounting exec tps Console(config-line)#exit Console(config)#line vty Console(config-line)#accounting exec default Console(config-line)# authorization exec This command applies an authorization method to local console or Telnet connections. Use the no form to disable authorization on the line. SYNTAX authorization exec {default | list-name} no authorization exec...
  • Page 603: Web Server

    | Authentication Commands CHAPTER Web Server statistics - Displays accounting records. user-name - Displays accounting records for a specifiable username. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-10) DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console#show accounting Accounting type: dot1x...
  • Page 604: Ip Http Port

    | Authentication Commands CHAPTER Web Server ip http port This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port. SYNTAX ip http port port-number no ip http port port-number - The TCP port to be used by the browser interface.
  • Page 605: Ip Http Secure-Server

    | Authentication Commands CHAPTER Web Server ip http secure-server This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the no form to disable this function.
  • Page 606: Ip Http Secure-Port

    | Authentication Commands CHAPTER Web Server ◆ To specify a secure-site certificate, see “Replacing the Default Secure-site Certificate” on page 288. Also refer to the copy tftp https-certificate command. EXAMPLE Console(config)#ip http secure-server Console(config)# RELATED COMMANDS ip http secure-port (606) copy tftp https-certificate (512) show system (507)
  • Page 607: Telnet Server

    | Authentication Commands CHAPTER Telnet Server TELNET SERVER This section describes commands used to configure Telnet management access to the switch. Table 68: Telnet Server Commands Command Function Mode ip telnet max-sessions Specifies the maximum number of Telnet sessions that can simultaneously connect to this system ip telnet port Specifies the port to be used by the Telnet interface...
  • Page 608: Ip Telnet Port

    | Authentication Commands CHAPTER Telnet Server ip telnet port This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port. SYNTAX ip telnet port port-number no ip telnet port port-number - The TCP port number to be used by the Telnet interface.
  • Page 609: Show Ip Telnet

    | Authentication Commands CHAPTER Secure Shell show ip telnet This command displays the configuration settings for the Telnet server. COMMAND MODE Normal Exec, Privileged Exec EXAMPLE Console#show ip telnet IP Telnet Configuration: Telnet Status: Enabled Telnet Service Port: 23 Telnet Max Session: 4 Console# SECURE SHELL...
  • Page 610 | Authentication Commands CHAPTER Secure Shell Table 69: Secure Shell Commands (Continued) Command Function Mode show ssh Displays the status of current SSH sessions show users Shows SSH users, including privilege level and public key type Configuration Guidelines The SSH server on this switch supports both password and public key authentication.
  • Page 611 | Authentication Commands CHAPTER Secure Shell Set the Optional Parameters – Set other optional parameters, including the authentication timeout, the number of retries, and the server key size. Enable SSH Service – Use the ip ssh server command to enable the SSH server on the switch.
  • Page 612: Ip Ssh Authentication-Retries

    | Authentication Commands CHAPTER Secure Shell The client sends a signature generated using the private key to the switch. When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct.
  • Page 613: Ip Ssh Server-Key Size

    | Authentication Commands CHAPTER Secure Shell COMMAND USAGE ◆ The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions. ◆ The SSH server uses its DSA or RSA host key when the client first...
  • Page 614: Ip Ssh Timeout

    | Authentication Commands CHAPTER Secure Shell ip ssh timeout This command configures the timeout for the SSH server. Use the no form to restore the default setting. SYNTAX ip ssh timeout seconds no ip ssh timeout seconds – The timeout for client response during SSH negotiation. (Range: 1-120) DEFAULT SETTING...
  • Page 615: Ip Ssh Crypto Host-Key Generate

    | Authentication Commands CHAPTER Secure Shell EXAMPLE Console#delete public-key admin dsa Console# ip ssh crypto host-key generate This command generates the host key pair (i.e., public and private). SYNTAX ip ssh crypto host-key generate [dsa | rsa] dsa – DSA (Version 2) key type. rsa –...
  • Page 616: Ip Ssh Crypto Zeroize

    | Authentication Commands CHAPTER Secure Shell ip ssh crypto zeroize This command clears the host key from memory (i.e. RAM). SYNTAX ip ssh crypto zeroize [dsa | rsa] dsa – DSA key type. rsa – RSA key type. DEFAULT SETTING Clears both the DSA and RSA key.
  • Page 617: Show Ip Ssh

    | Authentication Commands CHAPTER Secure Shell RELATED COMMANDS ip ssh crypto host-key generate (615) show ip ssh This command displays the connection settings used when authenticating client access to the SSH server. COMMAND MODE Privileged Exec EXAMPLE Console#show ip ssh SSH Enabled - Version 2.0 Negotiation Timeout : 120 seconds;...
  • Page 618: Show Ssh

    | Authentication Commands CHAPTER Secure Shell 185490002831341625008348718449522087429212255691665655296328163516964040831 5547660664151657116381 DSA: ssh-dss AAAB3NzaC1kc3MAAACBAPWKZTPbsRIB8ydEXcxM3dyV/yrDbKStIlnzD/Dg0h2Hxc YV44sXZ2JXhamLK6P8bvuiyacWbUW/a4PAtp1KMSdqsKeh3hKoA3vRRSy1N2XFfAKxl5fwFfv JlPdOkFgzLGMinvSNYQwiQXbKTBH0Z4mUZpE85PWxDZMaCNBPjBrRAAAAFQChb4vsdfQGNIjwbv wrNLaQ77isiwAAAIEAsy5YWDC99ebYHNRj5kh47wY4i8cZvH+/p9cnrfwFTMU01VFDly3IR 2G395NLy5Qd7ZDxfA9mCOfT/yyEfbobMJZi8oGCstSNOxrZZVnMqWrTYfdrKX7YKBw/Kjw6Bm iFq7O+jAhf1Dg45loAc27s6TLdtny1wRq/ow2eTCD5nekAAACBAJ8rMccXTxHLFAczWS7EjOy DbsloBfPuSAb4oAsyjKXKVYNLQkTLZfcFRu41bS2KV5LAwecsigF/+DjKGWtPNIQqabKgYCw2 o/dVzX4Gg+yqdTlYmGA7fHGm8ARGeiG4ssFKy4Z6DmYPXFum1Yg0fhLwuHpOSKdxT3kk475S7 Console# show ssh This command displays the current SSH server connections. COMMAND MODE Privileged Exec EXAMPLE Console#show ssh Connection Version State Username Encryption Session-Started admin ctos aes128-cbc-hmac-md5...
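The base64 "ssh-dss AAAA..." line the switch prints above is its host public key; the only defence against a man-in-the-middle on first connection is to compare the fingerprint of that key, read over the console, with the one the SSH client shows before it is accepted into known_hosts. The following is an added example, not code from the Edge-Core manual, that parses such a line into its wire fields and computes the MD5 and SHA256 fingerprints in the forms OpenSSH prints. Because the manual's key blob is truncated, a complete ssh-rsa blob is constructed from a deterministic modulus (not a real key); the parser and fingerprint code apply unchanged to the switch's real ssh-dss or ssh-rsa output.

```python
"""Parse an SSH public key line and print the fingerprints a client shows.

Added example, not code from the Edge-Core manual. EXAMPLE_LINE is a
constructed ssh-rsa key (deterministic modulus, not a real key).
"""
import base64
import hashlib


def _string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes (RFC 4251)."""
    return len(data).to_bytes(4, "big") + data


def _mpint(n: int) -> bytes:
    """SSH wire 'mpint': two's complement, so a leading 0x00 when the top bit is set."""
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def parse_public_key(line: str):
    """Return (key type, [raw fields after the type], blob) for an '<type> <base64>' line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64>'")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        n = int.from_bytes(blob[off:off + 4], "big")
        off += 4
        if off + n > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[off:off + n])
        off += n
    if not fields or fields[0] != key_type.encode():
        raise ValueError("key type in blob does not match the text prefix")
    return key_type, fields[1:], blob


def fingerprints(blob: bytes) -> tuple:
    """(MD5 colon form, SHA256 base64 form) as OpenSSH prints them."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ("MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha)


# Constructed ssh-rsa key: e = 65537, n derived from a fixed seed (not a real key).
EXAMPLE_E = 65537
EXAMPLE_N = int.from_bytes(hashlib.sha256(b"es3510ma-example").digest() * 4, "big") | 1
EXAMPLE_LINE = "ssh-rsa " + base64.b64encode(
    _string(b"ssh-rsa") + _mpint(EXAMPLE_E) + _mpint(EXAMPLE_N)).decode()

if __name__ == "__main__":
    ktype, fields, blob = parse_public_key(EXAMPLE_LINE)
    print(ktype, "e =", int.from_bytes(fields[0], "big"),
          "n bits =", int.from_bytes(fields[1], "big").bit_length())
    for fp in fingerprints(blob):
        print(fp)
```

Run this against the switch's own line (the ssh-dss text after "DSA:") to get the value to pin; after ip ssh crypto host-key generate the fingerprint changes and every client's known_hosts entry must be replaced, which is exactly the warning an administrator should expect rather than override.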
  • Page 619: Port Authentication

    | Authentication Commands CHAPTER 802.1X Port Authentication 802.1X PORT AUTHENTICATION The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
  • Page 620: Dot1X Default

    | Authentication Commands CHAPTER 802.1X Port Authentication Table 71: 802.1X Port Authentication Commands (Continued) Command Function Mode dot1x timeout start-period Sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator Display Information Commands show dot1x Shows all dot1x related information dot1x default This command sets all configurable dot1x global and port settings to their...
  • Page 621: Dot1X System-Auth-Control

    | Authentication Commands CHAPTER 802.1X Port Authentication EXAMPLE This example instructs the switch to pass all EAPOL frames through to any ports in STP forwarding state. Console(config)#dot1x eapol-pass-through Console(config)# dot1x system-auth-control This command enables IEEE 802.1X port authentication globally on the switch.
  • Page 622: Dot1X Max-Req

    | Authentication Commands CHAPTER 802.1X Port Authentication EXAMPLE Console(config)#interface eth 1/2 Console(config-if)#dot1x intrusion-action guest-vlan Console(config-if)# dot1x max-req This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session.
  • Page 623: Dot1X Port-Control

    Default Setting: Single-host
    Command Mode: Interface Configuration
    Command Usage:
      ◆ The "max-count" parameter specified by this command is only effective if the dot1x mode is set to "auto" by the dot1x port-control command.
      ◆ In "multi-host" mode, only one host connected to a port needs to pass...
  • Page 624: Dot1X Re-Authentication

    Example:
      Console(config)#interface eth 1/2
      Console(config-if)#dot1x port-control auto
      Console(config-if)#

    dot1x re-authentication: This command enables periodic re-authentication for a specified port. Use the no form to disable re-authentication.
    Syntax: [no] dot1x re-authentication
    Command Mode: Interface Configuration
    Command Usage: The re-authentication process verifies the connected client's user ID...
  • Page 625: Dot1X Timeout Re-Authperiod

    Command Mode: Interface Configuration
    Example:
      Console(config)#interface eth 1/2
      Console(config-if)#dot1x timeout quiet-period 350
      Console(config-if)#

    dot1x timeout re-authperiod: This command sets the time period after which a connected client must be re-authenticated. Use the no form of this command to reset the default.
    Syntax: dot1x timeout re-authperiod seconds...
  • Page 626: Dot1X Timeout Tx-Period

    Command Usage: This command sets the timeout for EAP-request frames other than EAP-request/identity frames. If dot1x authentication is enabled on a port, the switch will initiate authentication when the port link state comes up. It will send an EAP-request/identity frame to the client to request its identity, followed by one or more requests for authentication information.
  • Page 627: Dot1X Identity Profile

    Command Mode: Privileged Exec
    Command Usage: The re-authentication process verifies the connected client's user ID and password on the RADIUS server. During re-authentication, the client remains connected to the network and the process is handled transparently by the dot1x client software.
  • Page 628: Dot1X Max-Start

    dot1x max-start: This command sets the maximum number of times that a port supplicant will send an EAPOL start frame to the authenticator before assuming that the authenticator is 802.1X unaware. Use the no form to restore the default value.
    Syntax:
      dot1x max-start count
      no dot1x max-start...
  • Page 629: Dot1X Timeout Auth-Period

      ◆ A port cannot be configured as a dot1x supplicant if it is a member of a trunk or LACP is enabled on the port.
    Example:
      Console(config)#interface ethernet 1/2
      Console(config-if)#dot1x pae supplicant
      Console(config-if)#

    dot1x timeout auth-period: This command sets the time that a supplicant port waits for a response from the authenticator.
  • Page 630: Dot1X Timeout Start-Period

    Command Mode: Interface Configuration
    Example:
      Console(config)#interface eth 1/2
      Console(config-if)#dot1x timeout held-period 120
      Console(config-if)#

    dot1x timeout start-period: This command sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator. Use the no form to restore the default setting.
  • Page 631

    show dot1x, Command Usage: This command displays the following information:
      ◆ Global 802.1X Parameters – Shows whether or not 802.1X port authentication is globally enabled on the switch (page 621).
      ◆ Authenticator Parameters – Shows whether or not EAPOL pass-through is enabled (page 620).
  • Page 632

        ■ Current Identifier – The integer (0-255) used by the Authenticator to identify the current authentication session.
      ◆ Backend State Machine
        ■ State – Current state (including request, response, success, fail, timeout, idle, initialize).
        ■ Request Count –...
  • Page 633: Management Ip Filter

      Authenticator State Machine
        State              : Authenticated
        Reauth Count
        Current Identifier
      Backend State Machine
        State              : Idle
        Request Count
        Identifier(Server)
      Reauthentication State Machine
        State              : Initialize
      Console#

    Management IP Filter: This section describes commands used to configure IP management access to the switch.
  • Page 634: Show Management

    Command Usage:
      ◆ If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
      This is filtering on the source IP address only: it limits where management sessions may originate, but it is no substitute for authentication, and SNMP requests carried over UDP can be sent with a forged source address.
  • Page 635

    Example:
      Console#show management all-client
      Management Ip Filter
      HTTP-Client:
       Start IP address  End IP address
      -----------------------------------------------
      1. 192.168.1.19    192.168.1.19
      2. 192.168.1.25    192.168.1.30
      SNMP-Client:
       Start IP address  End IP address
      -----------------------------------------------
      1. 192.168.1.19    192.168.1.19
      2. 192.168.1.25    192.168.1.30
      TELNET-Client:
       Start IP address...
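As an added example (not the switch's own code or anything from the manual), the following Python model reproduces the management IP filter decision: it parses the table printed by show management all-client, constructed here from the example above with an invented TELNET-Client range to complete the truncated listing, and rejects a client address that lies outside every configured range for a service. Two assumptions are built in: a service with no ranges configured accepts any address (the switch's state before any filter is added), and the log entry and trap the switch would generate are represented by a returned event string.

```python
"""Added example (not the switch's code): model the management IP filter.

Assumptions: the range table is taken from the text of 'show management
all-client'; a service with no configured ranges accepts any client address
(the switch's default state with no filter); the log entry and SNMP trap the
switch would generate are returned as an event string.
"""
import ipaddress
import re

# Constructed sample in the layout of the manual's example output; the
# TELNET-Client section is invented to complete the truncated listing.
SHOW_MANAGEMENT_OUTPUT = """\
Management Ip Filter
HTTP-Client:
 Start IP address  End IP address
-----------------------------------------------
1. 192.168.1.19    192.168.1.19
2. 192.168.1.25    192.168.1.30
SNMP-Client:
 Start IP address  End IP address
-----------------------------------------------
1. 192.168.1.19    192.168.1.19
2. 192.168.1.25    192.168.1.30
TELNET-Client:
 Start IP address  End IP address
-----------------------------------------------
1. 192.168.1.19    192.168.1.19
"""

_SECTION = re.compile(r"^([A-Za-z]+)-Client:$")
_RANGE = re.compile(r"^\d+\.\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})$")


def parse_management_filter(text):
    """Return {service: [(start, end), ...]} with the bounds as IPv4Address."""
    table = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group(1).lower()
            table.setdefault(current, [])
            continue
        m = _RANGE.match(line)
        if m and current is not None:
            table[current].append((ipaddress.IPv4Address(m.group(1)),
                                   ipaddress.IPv4Address(m.group(2))))
    return table


def management_access(table, service, client_ip):
    """Decide whether client_ip may open a management session over service.

    Returns (allowed, event); event is the text the switch would log and
    trap when the address is outside every range (our wording, not the
    switch's actual log message).
    """
    ranges = table.get(service.lower(), [])
    addr = ipaddress.IPv4Address(client_ip)
    if not ranges or any(start <= addr <= end for start, end in ranges):
        return True, None
    return False, f"{service.upper()} management access rejected from {addr}"
```

The check is inclusive on both ends of a range, matching the single-address entries in the listing (start equal to end), and the service name is case-insensitive so the same table serves HTTP, SNMP and Telnet lookups.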
  • Page 637: General Security Measures

    General Security Measures: This switch supports many methods of segregating traffic for clients attached to each of the data ports, and of ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to that method, several other options for providing client security are described in this chapter.
  • Page 638: Port Security

    Port Security: These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
  • Page 639: Port Security

      ◆ The mac-learning commands cannot be used if 802.1X Port Authentication has been globally enabled on the switch with the dot1x system-auth-control command, or if MAC Address Security has been enabled by the port security command on the same interface.
  • Page 640

    ...addresses when it reaches a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
      ◆ First use the port security max-mac-count command to set the...
  • Page 641: Network Access (Mac Address Authentication)

    Network Access (MAC Address Authentication): Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server. Because a MAC address can be copied by any host, MAC authentication is weaker than 802.1X and is best reserved for devices that cannot run a supplicant.
  • Page 642: Network-Access Aging

    network-access aging: Use this command to enable aging for authenticated MAC addresses stored in the secure MAC address table. Use the no form of this command to disable address aging.
    Syntax: [no] network-access aging
    Default...
  • Page 643: Mac-Authentication Reauth-Time

    Command Mode: Global Configuration
    Command Usage:
      ◆ Specified addresses are exempt from network access authentication.
      ◆ This command is different from configuring static addresses with the mac-address-table static command in that it allows you to configure a range of addresses when using a mask, and then to assign these addresses to one or more ports with the network-access port-mac-filter...
  • Page 644: Network-Access Dynamic-Qos

    network-access dynamic-qos: Use this command to enable the dynamic QoS feature for an authenticated port. Use the no form to restore the default.
    Syntax: [no] network-access dynamic-qos
    Default Setting: Disabled
    Command Mode: Interface Configuration
    Command...
  • Page 645: Network-Access Dynamic-Vlan

    network-access dynamic-vlan: Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment.
    Syntax: [no] network-access dynamic-vlan
    Default Setting: Enabled
    Command Mode: Interface Configuration
    Command...
  • Page 646: Network-Access Link-Detection

    Command Mode: Interface Configuration
    Command Usage:
      ◆ The VLAN to be used as the guest VLAN must be defined and set as active (see the vlan database command).
      ◆ When used with 802.1X authentication, the intrusion-action must be...
  • Page 647: Network-Access Link-Detection Link-Down

    network-access link-detection link-down: Use this command to detect link-down events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
  • Page 648: Network-Access Link-Detection Link-Up-Down

    Example:
      Console(config)#interface ethernet 1/1
      Console(config-if)#network-access link-detection link-up action trap
      Console(config-if)#

    network-access link-detection link-up-down: Use this command to detect link-up and link-down events. When either event is detected, the switch can shut down the port, send an SNMP trap, or both.
  • Page 649: Network-Access Mode Mac-Authentication

    Command Mode: Interface Configuration
    Command Usage: The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failed. Since the per-port and system-wide limits are equal, a single port flooded with new source addresses can exhaust the table for the whole switch.
  • Page 650: Network-Access Port-Mac-Filter

      ◆ When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored.
      ◆ The RADIUS server may optionally return a VLAN identifier list. VLAN...
  • Page 651: Mac-Authentication Intrusion-Action

    mac-authentication intrusion-action: Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default.
    Syntax:
      mac-authentication intrusion-action {block traffic | pass traffic}
      no mac-authentication intrusion-action
    Default Setting:...
  • Page 652: Show Network-Access

    show network-access: Use this command to display the MAC authentication settings for port interfaces.
    Syntax: show network-access [interface interface]
      interface - Specifies a port interface.
        ethernet unit/port
          unit - Unit identifier. (Range: 1)
          port - Port number.
  • Page 653: Show Network-Access Mac-Address-Table

    show network-access mac-address-table: Use this command to display secure MAC address table entries.
    Syntax: show network-access mac-address-table [static | dynamic] [address mac-address [mask]] [interface interface] [sort {address | interface}]
      static - Specifies static address entries.
  • Page 654: Show Network-Access Mac-Filter

    show network-access mac-filter: Use this command to display information for entries in the MAC filter tables.
    Syntax: show network-access mac-filter [filter-id]
      filter-id - Specifies a MAC address filter table. (Range: 1-64)
    Default Setting: Displays all filters.
  • Page 655: Web-Auth Login-Attempts

    Table 77: Web Authentication (continued)
      web-auth system-auth-control | Enables web authentication globally for the switch
      web-auth | Enables web authentication for an interface
      web-auth re-authenticate (Port) | Ends all web authentication sessions on the port and forces the users to re-authenticate
      web-auth re-authenticate (IP) | ...
  • Page 656: Web-Auth Quiet-Period

    web-auth quiet-period: This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.
    Syntax:
      web-auth quiet-period time
      no web-auth quiet-period
  • Page 657: Web-Auth System-Auth-Control

    web-auth system-auth-control: This command globally enables web authentication for the switch. Use the no form to restore the default.
    Syntax: [no] web-auth system-auth-control
    Default Setting: Disabled
    Command Mode: Global Configuration
    Command Usage: Both web-auth system-auth-control for the switch and web-auth for an interface must be enabled for the web authentication feature to be active.
  • Page 658: Web-Auth Re-Authenticate (Port)

    web-auth re-authenticate (Port): This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.
    Syntax: web-auth re-authenticate interface interface
      interface - Specifies a port interface.
        ethernet unit/port
          unit - This is unit 1.
  • Page 659: Show Web-Auth

    show web-auth: This command displays global web authentication parameters.
    Command Mode: Privileged Exec
    Example:
      Console#show web-auth
      Global Web-Auth Parameters
        System Auth Control : Enabled
        Session Timeout     : 3600
        Quiet Period        : 60
        Max Login Attempts  :
      Console#

    show web-auth ...: This command displays interface-specific web authentication parameters...
  • Page 660: Show Web-Auth Summary

    show web-auth summary: This command displays a summary of web authentication port parameters and statistics.
    Command Mode: Privileged Exec
    Example:
      Console#show web-auth summary
      Global Web-Auth Parameters
        System Auth Control : Enabled
      Port Status Authenticated Host Count
      ---- ------ ------------------------...
  • Page 661: Ip Dhcp Snooping

    ip dhcp snooping: This command enables DHCP snooping globally. Use the no form to restore the default setting.
    Syntax: [no] ip dhcp snooping
    Default Setting: Disabled
    Command Mode: Global Configuration
    Command Usage:
      ◆ Network traffic may be disrupted when malicious DHCP messages are...
  • Page 662

        ■ If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table.
        ■ If the DHCP packet is from a client, such as a DISCOVER,...
  • Page 663: Ip Dhcp Snooping Database Flash

    ip dhcp snooping database flash: This command writes all dynamically learned snooping entries to flash memory.
    Command Mode: Privileged Exec
    Command Usage: This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory.
  • Page 664: Ip Dhcp Snooping Information Policy

      ◆ Use the ip dhcp snooping information policy command to specify how to handle DHCP client request packets which already contain Option 82 information.
    Example: This example enables the DHCP Snooping Information Option.
      Console(config)#ip dhcp snooping information option
      Console(config)#

    ip dhcp snooping information policy: This command sets the DHCP snooping information option policy for DHCP...
  • Page 665: Ip Dhcp Snooping Verify Mac-Address

    ip dhcp snooping verify mac-address: This command verifies the client's hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable this function.
    Syntax: [no] ip dhcp snooping verify mac-address
    Default...
  • Page 666: Ip Dhcp Snooping Trust

      ◆ When DHCP snooping is globally disabled, DHCP snooping can still be configured for specific VLANs, but the changes will not take effect until DHCP snooping is globally re-enabled.
      ◆ When DHCP snooping is globally enabled, configuration changes for...
  • Page 667: Clear Ip Dhcp Snooping Database Flash

      ◆ When an untrusted port is changed to a trusted port, all the dynamic DHCP snooping bindings associated with this port are removed.
      ◆ Additional considerations when the switch itself is a DHCP client – The...
  • Page 668: Show Ip Dhcp Snooping

    show ip dhcp snooping: This command shows the DHCP snooping configuration settings.
    Command Mode: Privileged Exec
    Example:
      Console#show ip dhcp snooping
      Global DHCP Snooping status: disable
      DHCP Snooping Information Option Status: disable
      DHCP Snooping Information Policy: replace
      DHCP Snooping is configured on the following VLANs:
      Verify Source Mac-Address: enable
      Interface...
  • Page 669: Ip Source Guard

    IP Source Guard: IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "DHCP Snooping"...
  • Page 670: Ip Source-Guard

      ◆ All static entries are configured with an infinite lease time, which is indicated with a value of zero by the show ip source-guard command (page 672).
      ◆ When source guard is enabled, traffic is filtered based upon dynamic...
  • Page 671

    Command Mode: Interface Configuration (Ethernet)
    Command Usage:
      ◆ Source guard is used to filter traffic on an insecure port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor.
  • Page 672: Show Ip Source-Guard

    Example: This example enables IP source guard on port 5.
      Console(config)#interface ethernet 1/5
      Console(config-if)#ip source-guard sip
      Console(config-if)#
    Related Commands: ip source-guard binding (669), ip dhcp snooping (661), ip dhcp snooping vlan (665)

    show ip source-guard: This command shows whether source guard is enabled or disabled on each interface.
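The DHCP snooping rules on pages 661 to 667 and the IP Source Guard check above, put together as an added Python model (not the switch's code or anything printed in the manual). Packets are plain dictionaries; the binding table is keyed by (MAC, VLAN). The rule that server messages (OFFER, ACK, NAK) arriving on an untrusted port are dropped is the standard DHCP snooping behaviour and is assumed here; so is learning a binding from an ACK only when the client's REQUEST was seen earlier on an untrusted port, and the existence of a sip-mac mode beside the sip mode the example on page 672 uses. Static entries carry lease 0, as show ip source-guard binding displays them.

```python
"""Added example (not the switch's code): the DHCP snooping forwarding rules
and the IP Source Guard check from the sections above, as a small model.

Assumptions: packets are dictionaries; server messages (OFFER/ACK/NAK) on an
untrusted port are dropped, the standard DHCP snooping rule; a binding is
learned from an ACK only when a REQUEST from the client was seen earlier on
an untrusted port; static entries have lease 0, as show ip source-guard
displays them. The sip-mac mode is assumed to exist alongside sip.
"""
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    lease: int              # seconds; 0 means infinite (static entry)
    static: bool = False


class DhcpSnooper:
    def __init__(self, trusted_ports=(), verify_mac=True):
        self.trusted = set(trusted_ports)
        self.verify_mac = verify_mac         # ip dhcp snooping verify mac-address
        self.bindings = {}                   # (mac, vlan) -> Binding
        self.pending = {}                    # (mac, vlan) -> port of the last REQUEST

    def add_static(self, mac, ip, vlan, port):
        """ip source-guard binding: a static entry with an infinite lease."""
        self.bindings[(mac, vlan)] = Binding(mac, ip, vlan, port, 0, static=True)

    def dhcp_packet(self, pkt):
        """Return 'forward' or 'drop' for one DHCP message, updating bindings."""
        trusted = pkt["port"] in self.trusted
        key = (pkt["chaddr"], pkt["vlan"])
        if pkt["msg"] in SERVER_MSGS:
            if not trusted:
                return "drop"                # rogue server on an untrusted port
            if pkt["msg"] == "ACK" and key in self.pending:
                self.bindings[key] = Binding(pkt["chaddr"], pkt["yiaddr"], pkt["vlan"],
                                             self.pending.pop(key), pkt["lease"])
            return "forward"
        if not trusted and self.verify_mac and pkt["chaddr"] != pkt["eth_src"]:
            return "drop"                    # chaddr must equal the Ethernet source
        if pkt["msg"] in ("DECLINE", "RELEASE"):
            bound = self.bindings.get(key)
            if bound is None or bound.port != pkt["port"]:
                return "drop"                # only the bound client may release its lease
            if not bound.static:
                del self.bindings[key]
            return "forward"
        if not trusted:
            self.pending[key] = pkt["port"]  # remember where the client lives
        return "forward"                     # DISCOVER / REQUEST / INFORM pass

    def set_trusted(self, port, trusted):
        """Promoting an untrusted port to trusted flushes its dynamic bindings."""
        if trusted and port not in self.trusted:
            self.bindings = {k: b for k, b in self.bindings.items()
                             if b.static or b.port != port}
        if trusted:
            self.trusted.add(port)
        else:
            self.trusted.discard(port)

    def source_guard(self, port, vlan, src_mac, src_ip, mode="sip"):
        """IP Source Guard on a port: pass IP traffic only when a binding for
        that port/VLAN carries the source IP (sip) or the IP and MAC (sip-mac)."""
        for bound in self.bindings.values():
            if bound.port == port and bound.vlan == vlan and bound.ip == src_ip:
                if mode == "sip" or bound.mac == src_mac:
                    return True
        return False
```

The two places where the model says "drop" without consulting the binding table are the ones that matter most in practice: a server message on an untrusted port (a rogue DHCP server) and a client message whose chaddr differs from the Ethernet source (the case ip dhcp snooping verify mac-address exists for). Everything IP Source Guard then permits is derived from bindings that passed those checks.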
  • Page 673: Arp Inspection

    Example:
      Console#show ip source-guard binding
      MacAddress        IpAddress       Lease(sec) Type                 VLAN Interface
      ----------------- --------------- ---------- -------------------- ---- --------
      11-22-33-44-55-66 192.168.0.99    0          Static               1    Eth 1/5
      Console#

    ARP Inspection: ARP Inspection validates the MAC-to-IP address bindings in Address Resolution Protocol (ARP) packets.
  • Page 674: Ip Arp Inspection

    Table 80: ARP Inspection Commands (continued)
      show ip arp inspection statistics | Shows statistics about the number of ARP packets processed, or dropped for various reasons
      show ip arp inspection vlan | Shows configuration settings for VLANs, including ARP Inspection status, the ARP ACL name, and whether the DHCP Snooping database is used after ACL validation...
  • Page 675: Ip Arp Inspection Filter

    ip arp inspection filter: This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding.
    Syntax: ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range} [static]
      arp-acl-name - Name of an ARP ACL.
  • Page 676: Ip Arp Inspection Log-Buffer Logs

    ip arp inspection log-buffer logs: This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.
    Syntax:
      ip arp inspection log-buffer logs message-number interval seconds
      no ip arp inspection log-buffer logs
  • Page 677: Ip Arp Inspection Validate

    ip arp inspection validate: This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting.
    Syntax:
      ip arp inspection validate {dst-mac [ip] [src-mac] | ip [src-mac] | src-mac}
      no ip arp inspection validate
      dst-mac - Checks the destination MAC address in the Ethernet...
  • Page 678: Ip Arp Inspection Limit

    Default Setting: Disabled on all VLANs
    Command Mode: Global Configuration
    Command Usage:
      ◆ When ARP Inspection is enabled globally with the ip arp inspection command, it becomes active only on those VLANs where it has been enabled with this command.
  • Page 679: Ip Arp Inspection Trust

    Command Mode: Interface Configuration (Port)
    Command Usage:
      ◆ This command only applies to untrusted ports.
      ◆ When the rate of incoming ARP packets exceeds the configured limit, the switch drops all ARP packets in excess of the limit.
    Example:
      Console(config)#interface ethernet 1/1
      Console(config-if)#ip arp inspection limit 150...
  • Page 680: Show Ip Arp Inspection Configuration

    show ip arp inspection configuration: This command displays the global configuration settings for ARP Inspection.
    Command Mode: Privileged Exec
    Example:
      Console#show ip arp inspection configuration
      ARP inspection global information:
        Global IP ARP Inspection status : disabled
        Log Message Interval            : 10 s
        Log Message Number...
  • Page 681: Show Ip Arp Inspection Log

    show ip arp inspection log: This command shows information about entries stored in the log, including the associated VLAN, port, and address components.
    Command Mode: Privileged Exec
    Example:
      Console#show ip arp inspection log
      Total log entries number is 1
      Num VLAN Port Src IP Address Dst IP Address Src MAC Address...
  • Page 682

    Command Mode: Privileged Exec
    Example:
      Console#show ip arp inspection vlan 1
      VLAN ID  DAI Status       ACL Name              ACL Status
      -------- --------------- -------------------- --------------------
               disabled        sales                static
      Console#
  • Page 683: Lists

    Access Control Lists: Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port.
  • Page 684: Access-List Ip

    access-list ip: This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL.
    Syntax: [no] access-list ip {standard | extended} acl-name
      standard –...
  • Page 685: Permit, Deny (Standard Ip Acl)

    permit, deny (Standard IP ACL): This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
    Syntax: {permit | deny} {any | source bitmask | host source} [time-range time-range-name]...
  • Page 686: Permit, Deny (Extended Ipv4 Acl)

    permit, deny (Extended IPv4 ACL): This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
  • Page 687

      port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535)
      control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header, that is, the six flag bits FIN (1), SYN (2), RST (4), PSH (8), ACK (16) and URG (32) at byte offset 13 counting from zero. (Range: 0-63)
      flag-bitmask –...
  • Page 688: Ip Access-Group

    Example: This example accepts any incoming packets if the source address is within subnet 10.7.1.x. The rule matches when the rule's address ANDed with its bitmask, (10.7.1.0 & 255.255.255.0), equals the packet's source address ANDed with the same bitmask, (10.7.1.2 & 255.255.255.0); a packet that matches the permit rule passes through.
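The masked comparison just described, carried through for standard and extended IPv4 rules as an added Python example (not the switch's code or any listing from the manual). A 1 bit in the bitmask means that bit of the address must match, which is why the non-contiguous mask 255.255.15.0 in the "david" listing on page 690 matches 168.92.16.x and 168.92.32.x but not 168.92.17.x; the port and TCP control-flag bitmasks work the same way on integers. The Rule class, the packet dictionaries, the SYN-to-telnet rule set and the default action for a packet that matches no rule are this example's own; the page excerpt does not state what the switch does with an unmatched packet, so the fallback is an explicit parameter.

```python
"""Added example (not the switch's code): first-match evaluation of standard
and extended IPv4 ACL rules with the bitmask semantics the manual describes.

A 1 bit in the mask means that bit of the address must match, so
(10.7.1.0 & 255.255.255.0) == (10.7.1.2 & 255.255.255.0); the same holds for
a non-contiguous mask such as 255.255.15.0 and for the port and TCP-flag
bitmasks. The Rule and packet layouts are this example's own.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# TCP control flags as numbered by the switch (6 bits, range 0-63).
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


@dataclass
class Rule:
    action: str                          # "permit" or "deny"
    src: str = "any"                     # "any" | "host A.B.C.D" | "A.B.C.D MASK"
    dst: str = "any"                     # standard ACLs leave this as "any"
    protocol: Optional[int] = None       # IP protocol number, None = any
    dport: Optional[Tuple[int, int]] = None     # (port, port-bitmask)
    flags: Optional[Tuple[int, int]] = None     # (control-flags, flag-bitmask)


def addr_matches(spec, addr):
    """'any' matches all, 'host X' needs equality, 'X MASK' compares under the mask."""
    if spec == "any":
        return True
    words = spec.split()
    if words[0] == "host":
        return ip_int(words[1]) == ip_int(addr)
    base, mask = ip_int(words[0]), ip_int(words[1])
    return (base & mask) == (ip_int(addr) & mask)


def masked_int_matches(spec, value):
    """Port and flag comparisons use the same value/bitmask idea."""
    if spec is None:
        return True
    want, mask = spec
    return (want & mask) == (value & mask)


def evaluate(rules, pkt, default="deny"):
    """Return the action of the first rule the packet matches.

    The page excerpt does not state what happens to a packet that matches
    no rule, so the fallback action is an explicit parameter (assumption).
    """
    for rule in rules:
        if (addr_matches(rule.src, pkt["src"]) and addr_matches(rule.dst, pkt["dst"])
                and (rule.protocol is None or rule.protocol == pkt["proto"])
                and masked_int_matches(rule.dport, pkt.get("dport", 0))
                and masked_int_matches(rule.flags, pkt.get("flags", 0))):
            return rule.action
    return default


# Constructed rule sets mirroring the manual's examples: the 10.7.1.x standard
# ACL, the "david" listing on page 690, and an extended ACL that drops bare
# SYNs to TCP port 23 (SYN set, ACK clear) while permitting everything else.
STANDARD_10_7_1 = [Rule("permit", src="10.7.1.0 255.255.255.0")]
DAVID = [Rule("permit", src="host 10.1.1.21"), Rule("permit", src="168.92.0.0 255.255.15.0")]
NO_TELNET_SYN = [Rule("deny", protocol=6, dport=(23, 65535), flags=(SYN, SYN | ACK)),
                 Rule("permit")]
```

The flag rule shows the point of a separate flag-bitmask: (SYN, SYN | ACK) inspects only the SYN and ACK bits, so a SYN/ACK returning from a server is not caught, while the other four flag bits are ignored entirely.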
  • Page 689: Show Ip Access-Group

    Command Usage:
      ◆ Only one ACL can be bound to a port.
      ◆ If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one.
    Example:
      Console(config)#int eth 1/2
      Console(config-if)#ip access-group david in...
  • Page 690: Mac Acls

    Example:
      Console#show ip access-list standard
      IP standard access-list david:
        permit host 10.1.1.21
        permit 168.92.0.0 255.255.15.0
      Console#
    Related Commands: permit, deny (685), ip access-group (688)

    MAC ACLs: The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type.
  • Page 691: (Mac Acl)

      ◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
      ◆ An ACL can contain up to 128 rules.
    Example:
      Console(config)#access-list mac jerry
      Console(config-mac-acl)#
    Related...
  • Page 692

      no {permit | deny} untagged-eth2 {any | host source |  source address-bitmask} {any | host destination | destination address-bitmask} [ethertype protocol [protocol-bitmask]]
      {permit | deny} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] [time-range time-range-name]
      no {permit | deny} tagged-802.3...
  • Page 693: Mac Access-Group

    Command Usage:
      ◆ New rules are added to the end of the list.
      ◆ The ethertype option can only be used to filter Ethernet II formatted packets.
      ◆ A detailed listing of Ethernet protocol types can be found in RFC 1060 (long since obsoleted; the current list is the IANA "IEEE 802 Numbers" registry). A few of the more common types include the following:
        ■ 0800 - IP...
  • Page 694: Show Mac Access-Group

    Example:
      Console(config)#interface ethernet 1/2
      Console(config-if)#mac access-group jerry in
      Console(config-if)#
    Related Commands: show mac access-list (694), Time Range (545)

    show mac access-group: This command shows the ports assigned to MAC ACLs.
    Command Mode: Privileged Exec
    Example:
      Console#show mac access-group
      Interface ethernet 1/5...
  • Page 695: Arp Acls

    ARP ACLs: The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan...
  • Page 696: Permit, Deny (Arp Acl)

    permit, deny (ARP ACL): This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule.
    Syntax: [no] {permit | deny} ip {any | host source-ip | source-ip ip-address-bitmask}...
  • Page 697: Show Arp Access-List

    Example: This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0.
      Console(config-arp-acl)#$permit response ip any 192.168.0.0 255.255.0.0 mac any any
      Console(config-arp-acl)#
    Related Commands: access-list arp (695)

    show arp access-list: This command displays the rules for configured ARP ACLs.
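How an ARP ACL like the one above is consumed by ARP Inspection (pages 673 to 682), as an added Python model that is not the switch's code or anything from the manual. On an untrusted port a packet is rate-limited, run through the optional src-mac, dst-mac and ip validations, matched against the ARP ACL bound to the VLAN, and, unless the ACL was bound with the static keyword, finally checked against the DHCP snooping bindings. The packet and rule layouts, the 15 packets-per-second default limit, the decision not to log rate-limit drops, and the exact content of the ip validation (0.0.0.0, 255.255.255.255 and multicast sender addresses, with the target address checked only in responses) are this example's assumptions.

```python
"""Added example (not the switch's code): ARP Inspection as the manual
describes it, with the ARP ACL rule shape from the ARP ACLs section.

Assumptions: packet and rule layouts, the 15 pps default limit, rate-limit
drops are not logged, and the ip validation rejects 0.0.0.0,
255.255.255.255 and multicast addresses (sender always, target only in
responses).
"""
import ipaddress
from collections import deque


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


def mac_int(text):
    return int(text.replace("-", "").replace(":", ""), 16)


def spec_matches(spec, value, to_int):
    """'any' | 'host X' | 'X MASK', for both IP and MAC fields."""
    if spec == "any":
        return True
    words = spec.split()
    if words[0] == "host":
        return to_int(words[1]) == to_int(value)
    mask = to_int(words[1])
    return (to_int(words[0]) & mask) == (to_int(value) & mask)


class ArpRule:
    """permit|deny [request|response] ip <src> [<dst>] mac <src> [<dst>]."""

    def __init__(self, action, kind=None, sip="any", dip="any", smac="any", dmac="any"):
        self.action, self.kind = action, kind       # kind: "request", "response" or None
        self.sip, self.dip, self.smac, self.dmac = sip, dip, smac, dmac

    def matches(self, arp):
        if self.kind is not None and self.kind != arp["op"]:
            return False
        return (spec_matches(self.sip, arp["spa"], ip_int) and spec_matches(self.dip, arp["tpa"], ip_int)
                and spec_matches(self.smac, arp["sha"], mac_int) and spec_matches(self.dmac, arp["tha"], mac_int))


def invalid_ip(text):
    return text in ("0.0.0.0", "255.255.255.255") or ipaddress.IPv4Address(text).is_multicast


class ArpInspector:
    def __init__(self, bindings, trusted=(), acl=(), acl_static=False, validate=(), limit=15):
        self.bindings = {(ip_int(ip), mac_int(mac)) for ip, mac in bindings}  # snooping/static entries
        self.trusted = set(trusted)
        self.acl, self.acl_static = list(acl), acl_static
        self.validate = set(validate)      # subset of {"src-mac", "dst-mac", "ip"}
        self.limit = limit                 # ARP packets per second per untrusted port
        self.windows = {}                  # port -> deque of arrival times
        self.log = []                      # (port, spa, sha, reason), like show ip arp inspection log

    def _over_limit(self, port, now):
        window = self.windows.setdefault(port, deque())
        while window and now - window[0] >= 1.0:
            window.popleft()
        window.append(now)
        return len(window) > self.limit

    def _drop(self, port, arp, reason):
        self.log.append((port, arp["spa"], arp["sha"], reason))
        return "drop"

    def inspect(self, port, arp, now=0.0):
        if port in self.trusted:
            return "forward"               # trusted ports are not inspected
        if self._over_limit(port, now):
            return "drop"                  # packets in excess of the limit are dropped
        if "src-mac" in self.validate and mac_int(arp["sha"]) != mac_int(arp["eth_src"]):
            return self._drop(port, arp, "src-mac")
        if "dst-mac" in self.validate and arp["op"] == "response" and mac_int(arp["tha"]) != mac_int(arp["eth_dst"]):
            return self._drop(port, arp, "dst-mac")
        if "ip" in self.validate and (invalid_ip(arp["spa"]) or (arp["op"] == "response" and invalid_ip(arp["tpa"]))):
            return self._drop(port, arp, "ip")
        for rule in self.acl:              # ACL is consulted before the binding table
            if rule.matches(arp):
                return "forward" if rule.action == "permit" else self._drop(port, arp, "acl")
        if self.acl_static:                # 'static': no fallback to DHCP snooping bindings
            return self._drop(port, arp, "acl-static")
        if (ip_int(arp["spa"]), mac_int(arp["sha"])) in self.bindings:
            return "forward"
        return self._drop(port, arp, "binding")
```

The ordering matters for the page-697 rule: a "permit response ... 192.168.0.0 255.255.0.0" ACL lets any reply aimed at that subnet through before the binding table is consulted, so a permissive ARP ACL quietly disables the protection DHCP snooping bindings would give on that VLAN; keep ACL entries as narrow as the static hosts they are meant to cover.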
  • Page 698: Acl Information

    ACL Information: This section describes commands used to display ACL information.
    Table 85: ACL Information Commands
      show access-group | Shows the ACLs assigned to each port
      show access-list | Shows all ACLs and associated rules

    show access-group: This command shows the port assignments of ACLs.
  • Page 699: Interface

    Interface Commands: These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or to perform cable diagnostics on the specified interface.
    Table 86: Interface Commands
      Interface Configuration
      interface | Configures an interface type and enters interface configuration mode
      alias | Configures an alias name for the interface...
  • Page 700: Interface

    interface: This command configures an interface type and enters interface configuration mode. Use the no form with a trunk to remove an inactive interface. Use the no form with a Layer 3 VLAN (normal type) to change it back to a Layer 2 interface.
  • Page 701: Capabilities

    Command Usage: The alias is displayed in the running-configuration file. An example of the value which a network manager might store in this object for a WAN interface is the (Telco's) circuit number/identifier of the interface.
    Example: The following example adds an alias to port 4.
  • Page 702: Description

    ...manually specify the link attributes with the speed-duplex and flowcontrol commands.
    Example: The following example configures Ethernet port 5 capabilities to include 100half and 100full.
      Console(config)#interface ethernet 1/5
      Console(config-if)#capabilities 100half
      Console(config-if)#capabilities 100full
      Console(config-if)#capabilities flowcontrol
      Console(config-if)#
    Related Commands: negotiation (704), speed-duplex (706), flowcontrol (703)
  • Page 703: Flowcontrol

    flowcontrol: This command enables flow control. Use the no form to disable flow control.
    Syntax: [no] flowcontrol
    Default Setting: Disabled
    Command Mode: Interface Configuration (Ethernet, Port Channel)
    Command Usage:
      ◆ 1000BASE-T does not support forced mode. Auto-negotiation should...
  • Page 704: Media-Type

    media-type: This command forces the port type selected for combination ports 9-10. Use the no form to restore the default mode.
    Syntax:
      media-type mode
      no media-type
      mode
        copper-forced - Always uses the built-in RJ-45 port.
        sfp-forced - Always uses the SFP port (even if module not installed).
  • Page 705: Shutdown

    ...negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
      ◆ If auto-negotiation is disabled, auto-MDI/MDI-X pin signal configuration will also be disabled for the RJ-45 ports.
    Example: The following example configures port 10 to use auto-negotiation.
      Console(config)#interface ethernet 1/10
      Console(config-if)#negotiation
      Console(config-if)#
  • Page 706: Speed-Duplex

    speed-duplex: This command configures the speed and duplex mode of a given interface when auto-negotiation is disabled. Use the no form to restore the default.
    Syntax:
      speed-duplex {100full | 100half | 10full | 10half}
      no speed-duplex
      100full - Forces 100 Mbps full-duplex operation
      100half - Forces 100 Mbps half-duplex operation
      10full - Forces 10 Mbps full-duplex operation...
  • Page 707: Switchport Packet-Rate

    switchport packet-rate: This command configures broadcast, multicast and unknown unicast storm control. Use the no form to restore the default setting. SYNTAX: switchport {broadcast | multicast | unicast} packet-rate rate; no switchport {broadcast | multicast | unicast}. broadcast - Specifies storm control for broadcast traffic.
  • Page 708: Clear Counters

    clear counters: This command clears statistics on an interface. SYNTAX: clear counters interface. interface: ethernet unit/port (unit - Unit identifier. (Range: 1); port - Port number. (Range: 1-10)); port-channel channel-id (Range: 1-5). DEFAULT SETTING: None. COMMAND MODE: Privileged Exec. COMMAND USAGE...
  • Page 709: Show Interfaces Counters

    show interfaces counters: This command displays interface statistics. SYNTAX: show interfaces counters [interface]. interface: ethernet unit/port (unit - Unit identifier. (Range: 1); port - Port number. (Range: 1-10)); port-channel channel-id (Range: 1-5). DEFAULT SETTING: Shows the counters for all interfaces. COMMAND MODE: Normal Exec, Privileged Exec. COMMAND...
  • Page 710: Show Interfaces Status

    ===== RMON Stats ===== 0 Drop Events; 16900558 Octets; 40243 Packets; 170 Broadcast PKTS; 23 Multi-cast PKTS; 0 Undersize PKTS; 0 Oversize PKTS; 0 Fragments; 0 Jabbers; 0 CRC Align Errors; 0 Collisions; 21065 Packet Size <= 64 Octets; 3805 Packet Size 65 to 127 Octets; 2448 Packet Size 128 to 255 Octets; 797 Packet Size 256 to 511 Octets...
  • Page 711: Show Interfaces Switchport

    Speed-duplex : Auto; Capabilities : 10half, 10full, 100half, 100full; Broadcast Storm : Enabled; Broadcast Storm Limit : 500 packets/second; Multicast Storm : Disabled; Multicast Storm Limit : 64 Kbits/second; Unknown Unicast Storm : Disabled; Unknown Unicast Storm Limit : 64 Kbits/second; Flow Control : Disabled; LACP...
  • Page 712: Table 87: Show Interfaces Switchport - Display Description

    Egress Rate Limit : Disabled, 1000M bits per second; VLAN Membership Mode : Hybrid; Ingress Rule : Disabled; Acceptable Frame Type : All frames; Native VLAN Priority for Untagged Traffic : 0; GVRP Status : Disabled; Allowed VLAN 1(u); Forbidden VLAN...
  • Page 713: Test Cable-Diagnostics

    test cable-diagnostics: This command performs cable diagnostics on the specified port to diagnose any cable faults (short, open, etc.) and report the cable length. SYNTAX: test cable-diagnostics interface interface. interface: ethernet unit/port; unit - Unit identifier. (Range: 1); port - Port number.
  • Page 714: Show Cable-Diagnostics

    show cable-diagnostics: This command shows the results of a cable diagnostics test. SYNTAX: show cable-diagnostics interface [interface]. interface: ethernet unit/port; unit - Unit identifier. (Range: 1); port - Port number. (Range: 1-10). COMMAND MODE: Privileged Exec. EXAMPLE: Console#show cable-diagnostics interface ethernet 1/10 Console#show cable-diagnostics interface e 1/10...
  • Page 715: Show Power-Save

    ...partner. If none is detected, the switch automatically turns off the transmitter, and most of the receive circuitry (entering Sleep Mode). In this mode, the low-power energy-detection circuit continuously checks for energy on the cable. If none is detected, the MAC interface is also powered down to save additional energy.
  • Page 716: Interface Commands

    EXAMPLE: Console#show power-save interface ethernet 1/10 Power Saving Status : Enabled Console#...
  • Page 717: Link Aggregation Commands

    LINK AGGREGATION COMMANDS: Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
  • Page 718: Channel-Group

    Chapter | Link Aggregation Commands. ◆ Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types. ◆ All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN via the specified port-channel.
  • Page 719: Lacp

    EXAMPLE: The following example creates trunk 1 and then adds port 10: Console(config)#interface port-channel 1 Console(config-if)#exit Console(config)#interface ethernet 1/10 Console(config-if)#channel-group 1 Console(config-if)# lacp: This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it. SYNTAX: [no] lacp. DEFAULT...
  • Page 720: Lacp Admin-Key (Ethernet Interface)

    Console#show interfaces status port-channel 1 Information of Trunk 1 Basic Information: Port Type : 100TX; Mac Address : 12-34-12-34-12-3F. Configuration: Name; Port Admin : Up; Speed-duplex : Auto; Capabilities : 10half, 10full, 100half, 100full; Flow Control : Disabled; Port Security : Disabled...
  • Page 721: Lacp Port-Priority

    ...the partner only applies to its administrative state, not its operational state. EXAMPLE: Console(config)#interface ethernet 1/5 Console(config-if)#lacp actor admin-key 120 Console(config-if)# lacp port-priority: This command configures LACP port priority. Use the no form to restore the default setting.
  • Page 722: Lacp System-Priority

    lacp system-priority: This command configures a port's LACP system priority. Use the no form to restore the default setting. SYNTAX: lacp {actor | partner} system-priority priority; no lacp {actor | partner} system-priority. actor - The local side of an aggregate link. partner - The remote side of an aggregate link.
  • Page 723: Show Lacp

    DEFAULT SETTING: ... COMMAND MODE: Interface Configuration (Port Channel). COMMAND USAGE: ◆ Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
  • Page 724: Table 89: Show Lacp Counters - Display Description

    EXAMPLE: Console#show lacp 1 counters Port Channel: 1 / Eth 1/ 2: LACPDUs Sent : 12; LACPDUs Receive; Marker Sent; Marker Receive; LACPDUs Unknown Pkts : 0; LACPDUs Illegal Pkts : 0. Table 89: show lacp counters - display description. Field / Description: LACPDUs Sent...
  • Page 725: Table 91: Show Lacp Neighbors - Display Description

    Table 90: show lacp internal - display description (Continued). LACP Port Priority: LACP port priority assigned to this interface within the channel group. Admin State, Oper State: Administrative or operational values of the actor's state parameters: ◆...
  • Page 726: Table 92: Show Lacp Sysid - Display Description

    Table 91: show lacp neighbors - display description (Continued). Port Admin Priority: Current administrative value of the port priority for the protocol partner. Port Oper Priority: Priority value assigned to this aggregation port by the partner. Admin Key: Current administrative value of the Key for the protocol partner.
  • Page 727: Port Mirroring Commands

    PORT MIRRORING COMMANDS: Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
  • Page 728: Chapter | Port Mirroring Commands. Local Port Mirroring Commands. mac-address - MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx. DEFAULT SETTING: ◆ No mirror session is defined. ◆ When enabled for an interface, default mirroring is for both received and transmitted packets.
  • Page 729: Show Port Monitor

    RSPAN Mirroring Commands. show port monitor: This command displays mirror information. SYNTAX: show port monitor [interface]. interface - ethernet unit/port (source port); unit - Unit identifier. (Range: 1); port - Port number. (Range: 1-10). DEFAULT SETTING: Shows all sessions.
  • Page 730: Table 95: RSPAN Commands (Continued). no rspan session - Deletes a configured RSPAN session. show rspan - Displays the configuration settings for an RSPAN session. Configuration Guidelines: Take the following steps to configure an RSPAN session: Use the vlan rspan command to configure a VLAN to use for RSPAN.
  • Page 731: Rspan Source

    ...be configured. When RSPAN uplink ports are enabled on the switch, 802.1X cannot be enabled globally. RSPAN uplink ports cannot be configured to use IEEE 802.1X Port Authentication, but RSPAN source ports and destination ports can be configured to use it. Port Security –...
  • Page 732: Rspan Destination

    ◆ The source port and destination port cannot be configured on the same switch. EXAMPLE: The following example configures the switch to mirror received packets from ports 2 and 3: Console(config)#rspan session 1 source interface ethernet 1/2 Console(config)#rspan session 1 source interface ethernet 1/3 Console(config)# Use this command to specify the destination port to monitor the mirrored...
  • Page 733: Rspan Remote Vlan

    ◆ A destination port can still send and receive switched traffic, and participate in any Layer 2 protocols to which it has been assigned. EXAMPLE: The following example configures port 4 to receive mirrored RSPAN traffic: Console(config)#rspan session 1 destination interface ethernet 1/2 Console(config)# Use this command to specify the RSPAN VLAN, switch role (source,...
  • Page 734: No Rspan Session

    COMMAND USAGE: ◆ Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured as an RSPAN uplink port – access ports are not allowed (see switchport mode). ◆ Only one uplink port can be configured on a source switch, but there is...
  • Page 735: Show Rspan

    show rspan: Use this command to display the configuration settings for an RSPAN session. SYNTAX: show rspan session [session-id]. session-id – A number identifying this RSPAN session. (Range: 1-2) Only two mirror sessions are allowed, including both local and remote mirroring.
  • Page 736
  • Page 737: Rate Limit Commands

    RATE LIMIT COMMANDS: This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
  • Page 738: Chapter | Rate Limit Commands. ...by the storm control command. It is therefore not advisable to use both of these commands on the same interface. EXAMPLE: Console(config)#interface ethernet 1/1 Console(config-if)#rate-limit input 64 Console(config-if)# RELATED COMMAND: show interfaces switchport (711)
  • Page 739: Automatic Traffic Control Commands

    AUTOMATIC TRAFFIC CONTROL COMMANDS: Automatic Traffic Control (ATC) configures bounding thresholds for broadcast and multicast storms, which can be used to trigger configured rate limits or to shut down a port. Table 97: ATC Commands. Threshold Commands: auto-traffic-control apply-timer - Sets the time at which to apply the control...
  • Page 740: Chapter | Automatic Traffic Control Commands. Table 97: ATC Commands (Continued). snmp-server enable port-traps atc multicast-control-apply - Sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires (Mode: IC (Port)). snmp-server enable ... - Sends a trap when multicast traffic falls beneath...
  • Page 741: Auto-Traffic-Control Apply-Timer

    ...expires. When ingress traffic falls below this threshold, ATC sends a Storm Alarm Clear Trap and logs it. ◆ When traffic falls below the alarm clear threshold after the release timer expires, traffic control will be stopped and a Traffic Control Release Trap sent and logged.
  • Page 742: Auto-Traffic-Control Release-Timer

    DEFAULT SETTING: 300 seconds. COMMAND MODE: Global Configuration. COMMAND USAGE: After the apply timer expires, a control action may be triggered as specified by the auto-traffic-control action command and a trap message sent as specified by the snmp-server enable port-traps atc broadcast-control-apply command or snmp-server enable port-traps atc multicast-control-apply...
  • Page 743: Auto-Traffic-Control

    EXAMPLE: This example sets the release timer to 800 seconds for all ports. Console(config)#auto-traffic-control broadcast release-timer 800 Console(config)# auto-traffic-control: This command enables automatic traffic control for broadcast or multicast storms. Use the no form to disable this feature. SYNTAX: [no] auto-traffic-control {broadcast | multicast}. broadcast - Specifies automatic storm control for broadcast traffic.
  • Page 744: Auto-Traffic-Control Action

    auto-traffic-control action: This command sets the control action to limit ingress traffic or shut down the offending port. Use the no form to restore the default setting. SYNTAX: auto-traffic-control {broadcast | multicast} action {rate-control | shutdown}; no auto-traffic-control {broadcast | multicast} action. broadcast - Specifies automatic storm control for broadcast traffic.
  • Page 745: Auto-Traffic-Control Alarm-Clear-Threshold

    auto-traffic-control alarm-clear-threshold: This command sets the lower threshold for ingress traffic beneath which a cleared storm control trap is sent. Use the no form to restore the default setting. SYNTAX: auto-traffic-control {broadcast | multicast} alarm-clear-threshold threshold; no auto-traffic-control {broadcast | multicast} alarm-clear-threshold...
  • Page 746: Auto-Traffic-Control Alarm-Fire-Threshold

    auto-traffic-control alarm-fire-threshold: This command sets the upper threshold for ingress traffic beyond which a storm control response is triggered after the apply timer expires. Use the no form to restore the default setting. SYNTAX: auto-traffic-control {broadcast | multicast} alarm-fire-threshold threshold; no auto-traffic-control {broadcast | multicast}...
  • Page 747: Auto-Traffic-Control Auto-Control-Release

    COMMAND MODE: Privileged Exec. COMMAND USAGE: This command can be used to manually stop a control response any time after the specified action has been triggered. EXAMPLE: Console#auto-traffic-control broadcast control-release interface ethernet 1/1 Console# auto-traffic-control auto-control-release: This command automatically releases a control response after the time specified in the auto-traffic-control release-timer...
  • Page 748: Snmp-Server Enable Port-Traps Atc Broadcast-Alarm-Fire

    EXAMPLE: Console(config)#interface ethernet 1/1 Console(config-if)#snmp-server enable port-traps atc broadcast-alarm-clear Console(config-if)# RELATED COMMANDS: auto-traffic-control action (744), auto-traffic-control alarm-clear-threshold (745). snmp-server enable port-traps atc broadcast-alarm-fire: This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control. Use the no form to disable this trap. SYNTAX...
  • Page 749: Snmp-Server Enable Port-Traps Atc Broadcast-Control-Release

    EXAMPLE: Console(config)#interface ethernet 1/1 Console(config-if)#snmp-server enable port-traps atc broadcast-control-apply Console(config-if)# RELATED COMMANDS: auto-traffic-control alarm-fire-threshold (746), auto-traffic-control apply-timer (741). snmp-server enable port-traps atc broadcast-control-release: This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires.
  • Page 750: Snmp-Server Enable Port-Traps Atc Multicast-Alarm-Fire

    EXAMPLE: Console(config)#interface ethernet 1/1 Console(config-if)#snmp-server enable port-traps atc multicast-alarm-clear Console(config-if)# RELATED COMMANDS: auto-traffic-control action (744), auto-traffic-control alarm-clear-threshold (745). snmp-server enable port-traps atc multicast-alarm-fire: This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control. Use the no form to disable this trap. SYNTAX...
  • Page 751: Snmp-Server Enable Port-Traps Atc Multicast-Control-Release

    EXAMPLE: Console(config)#interface ethernet 1/1 Console(config-if)#snmp-server enable port-traps atc multicast-control-apply Console(config-if)# RELATED COMMANDS: auto-traffic-control alarm-fire-threshold (746), auto-traffic-control apply-timer (741). snmp-server enable port-traps atc multicast-control-release: This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires.
  • Page 752: Show Auto-Traffic-Control Interface

    ...Storm-control: Multicast; Apply-timer(sec) : 300; release-timer(sec) : 900 Console# show auto-traffic-control interface: This command shows interface configuration settings and storm control status for the specified port. SYNTAX: show auto-traffic-control interface [interface]. interface: ethernet unit/port; unit - Unit identifier.
  • Page 753: Address

    ADDRESS TABLE COMMANDS: These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time. Table 98: Address Table Commands. mac-address-table aging-time - Sets the aging time of the address table. mac-address-table static - Maps a static address to a port in a VLAN...
  • Page 754: Mac-Address-Table Static

    Chapter | Address Table Commands. mac-address-table static: This command maps a static address to a destination port in a VLAN. Use the no form to remove an address. SYNTAX: mac-address-table static mac-address interface interface vlan vlan-id [action]; no mac-address-table static mac-address vlan vlan-id. mac-address - MAC address.
  • Page 755: Clear Mac-Address-Table Dynamic

    clear mac-address-table dynamic: This command removes any learned entries from the forwarding database. DEFAULT SETTING: None. COMMAND MODE: Privileged Exec. EXAMPLE: Console#clear mac-address-table dynamic Console# show mac-address-table: This command shows classes of entries in the bridge-forwarding database. SYNTAX...
  • Page 756: Show Mac-Address-Table Aging-Time

    ...example, a mask of 00-00-00-00-00-00 means an exact match, and a mask of FF-FF-FF-FF-FF-FF means “any.” ◆ The maximum number of address entries is 16K. EXAMPLE: Console#show mac-address-table Interface MAC Address VLAN Type Life Time --------- ----------------- ---- -------- ----------------- Eth 1/ 1 00-E0-29-94-34-DE 1 Config...
  • Page 757: Spanning Tree Commands

    SPANNING TREE COMMANDS: This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 99: Spanning Tree Commands. spanning-tree - Enables the spanning tree protocol. spanning-tree forward-time - Configures the spanning tree bridge forward time. spanning-tree hello-time...
  • Page 758: Spanning-Tree

    Chapter | Spanning Tree Commands. Table 99: Spanning Tree Commands (Continued). spanning-tree port-priority - Configures the spanning tree priority of an interface. spanning-tree root-guard - Prevents a designated port from passing superior BPDUs. spanning-tree spanning-disabled - Disables spanning tree for an interface. spanning-tree loopback-detection release - Manually releases a port placed in discarding state by...
  • Page 759: Spanning-Tree Forward-Time

    spanning-tree forward-time: This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default. SYNTAX: spanning-tree forward-time seconds; no spanning-tree forward-time. seconds - Time in seconds. (Range: 4 - 30 seconds) The minimum value is the higher of 4 or [(max-age / 2) + 1].
  • Page 760: Spanning-Tree Max-Age

    EXAMPLE: Console(config)#spanning-tree hello-time 5 Console(config)# RELATED COMMANDS: spanning-tree forward-time (759), spanning-tree max-age (760). spanning-tree max-age: This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. SYNTAX: spanning-tree max-age seconds; no spanning-tree max-age...
  • Page 761: Spanning-Tree Mode

    spanning-tree mode: This command selects the spanning tree mode for this switch. Use the no form to restore the default. SYNTAX: spanning-tree mode {stp | rstp | mstp}; no spanning-tree mode. stp - Spanning Tree Protocol (IEEE 802.1D). rstp - Rapid Spanning Tree Protocol (IEEE 802.1w). mstp - Multiple Spanning Tree (IEEE 802.1s). DEFAULT...
  • Page 762: Spanning-Tree Pathcost Method

    ...restarts the system in the new mode, temporarily disrupting user traffic. EXAMPLE: The following example configures the switch to use Rapid Spanning Tree: Console(config)#spanning-tree mode rstp Console(config)# spanning-tree pathcost method: This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree.
  • Page 763: Spanning-Tree Priority

    spanning-tree priority: This command configures the spanning tree priority globally for this switch. Use the no form to restore the default. SYNTAX: spanning-tree priority priority; no spanning-tree priority. priority - Priority of the bridge. (Range – 0-61440, in steps of 4096; Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440) DEFAULT...
  • Page 764: Spanning-Tree Transmission-Limit

    ...revision (767), max-hops (764). spanning-tree transmission-limit: This command configures the minimum interval between the transmission of consecutive RSTP/MSTP BPDUs. Use the no form to restore the default. SYNTAX: spanning-tree transmission-limit count; no spanning-tree transmission-limit. count - The transmission limit in seconds. (Range: 1-10) DEFAULT SETTING: ... COMMAND...
  • Page 765: Mst Priority

    Each bridge decrements the hop count by one before passing on the BPDU. When the hop count reaches zero, the message is dropped. EXAMPLE: Console(config-mstp)#max-hops 30 Console(config-mstp)# mst priority: This command configures the priority of a spanning tree instance. Use the no form to restore the default.
  • Page 766: Mst Vlan

    mst vlan: This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs. SYNTAX: [no] mst instance-id vlan vlan-range. instance-id - Instance identifier of the spanning tree.
  • Page 767: Revision

    COMMAND MODE: MST Configuration. COMMAND USAGE: The MST region name and revision number (page 767) are used to designate a unique MST region. A bridge (i.e., a spanning-tree compliant device such as this switch) can only belong to one MST region, and all bridges in the same region must be configured with the same MST instances.
  • Page 768: Spanning-Tree Bpdu-Filter

    spanning-tree bpdu-filter: This command filters all BPDUs received on an edge port. Use the no form to disable this feature. SYNTAX: [no] spanning-tree bpdu-filter. DEFAULT SETTING: Disabled. COMMAND MODE: Interface Configuration (Ethernet, Port Channel). COMMAND USAGE: ◆ This command filters all Bridge Protocol Data Units (BPDUs) received on...
  • Page 769: Spanning-Tree Cost

    COMMAND USAGE: ◆ An edge port should only be connected to end nodes which do not generate BPDUs. If a BPDU is received on an edge port, this indicates an invalid network configuration, or that the switch may be under attack by a hacker.
  • Page 770: Spanning-Tree Edge-Port

    DEFAULT SETTING: By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost “0” is used to indicate auto-configuration mode. When the short path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65,535, the default is set to 65,535.
  • Page 771: Spanning-Tree Link-Type

    COMMAND USAGE: ◆ You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state.
  • Page 772: Spanning-Tree Loopback-Detection

    EXAMPLE: Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree link-type point-to-point spanning-tree loopback-detection: This command enables the detection and response to Spanning Tree loopback BPDU packets on the port. Use the no form to disable this feature. SYNTAX: [no] spanning-tree loopback-detection. DEFAULT SETTING: Enabled...
  • Page 773: Spanning-Tree Loopback-Detection Trap

    COMMAND MODE: Interface Configuration (Ethernet, Port Channel). COMMAND USAGE: ◆ If the port is configured for automatic loopback release, then the port will only be returned to the forwarding state if one of the following conditions is satisfied: The port receives any other BPDU except for its own, or;...
  • Page 774: Spanning-Tree Mst Cost

    spanning-tree mst cost: This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default auto-configuration mode. SYNTAX: spanning-tree mst instance-id cost cost; no spanning-tree mst instance-id cost. instance-id - Instance identifier of the spanning tree.
  • Page 775: Spanning-Tree Mst Port-Priority

    spanning-tree mst port-priority: This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default. SYNTAX: spanning-tree mst instance-id port-priority priority; no spanning-tree mst instance-id port-priority. instance-id - Instance identifier of the spanning tree.
  • Page 776: Spanning-Tree Root-Guard

    COMMAND USAGE: ◆ This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
  • Page 777: Spanning-Tree Spanning-Disabled

    EXAMPLE: Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree edge-port Console(config-if)#spanning-tree root-guard Console(config-if)# spanning-tree spanning-disabled: This command disables the spanning tree algorithm for the specified interface. Use the no form to re-enable the spanning tree algorithm for the specified interface.
  • Page 778: Spanning-Tree Protocol-Migration

    EXAMPLE: Console#spanning-tree loopback-detection release ethernet 1/1 Console# spanning-tree protocol-migration: This command re-checks the appropriate BPDU format to send on the selected interface. SYNTAX: spanning-tree protocol-migration interface. interface: ethernet unit/port; unit - Unit identifier. (Range: 1); port - Port number.
  • Page 779: Show Spanning-Tree

    show spanning-tree: This command shows the configuration for the common spanning tree (CST) or for an instance within the multiple spanning tree (MST). SYNTAX: show spanning-tree [interface | mst instance-id]. interface: ethernet unit/port; unit - Unit identifier. (Range: 1); port - Port number.
  • Page 780: Show Spanning-Tree Mst Configuration

    Root Forward Delay (sec.) : 15; Max. Hops : 20; Remaining Hops : 20; Designated Root : 32768.0.0001ECF8D8C6; Current Root Port : 21; Current Root Cost : 100000; Number of Topology Changes; Last Topology Change Time (sec.): 11409; Transmission Limit; Path Cost Method : Long...
  • Page 781: Table 103: Vlan Commands

    VLAN COMMANDS: A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
  • Page 782: Ommands

    Chapter | VLAN Commands. GVRP AND BRIDGE EXTENSION COMMANDS: GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
  • Page 783: Garp Timer

    garp timer: This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. SYNTAX: garp timer {join | leave | leaveall} timer-value; no garp timer {join | leave | leaveall}. {join | leave | leaveall} - Timer to set.
  • Page 784: Switchport Forbidden Vlan

    switchport forbidden vlan: This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs. SYNTAX: switchport forbidden vlan {add vlan-list | remove vlan-list}; no switchport forbidden vlan. add vlan-list - List of VLAN identifiers to add.
  • Page 785: Show Bridge-Ext

    EXAMPLE: Console(config)#interface ethernet 1/1 Console(config-if)#switchport gvrp Console(config-if)# show bridge-ext: This command shows the configuration for bridge extension commands. DEFAULT SETTING: None. COMMAND MODE: Privileged Exec. COMMAND USAGE: See "Displaying Bridge Extension Capabilities" on page 93 for a description of the displayed items.
  • Page 786: Show Gvrp Configuration

    Editing VLAN Groups. EXAMPLE: Console#show garp timer ethernet 1/1 Eth 1/ 1 GARP timer status: Join Timer: 20 centiseconds; Leave Timer: 60 centiseconds; Leaveall Timer: 1000 centiseconds Console# RELATED COMMANDS: garp timer (783). show gvrp configuration: This command shows if GVRP is enabled. SYNTAX...
  • Page 787: Vlan Database

    vlan database: This command enters VLAN database mode. All commands in this mode will take effect immediately. DEFAULT SETTING: None. COMMAND MODE: Global Configuration. COMMAND USAGE: ◆ Use the VLAN database command mode to add, change, and delete...
  • Page 788: Configuring Vlan Interfaces

    ...VLAN 1 (the switch's default VLAN), nor VLAN 4093 (the VLAN used for switch clustering). For more information on configuring RSPAN through the CLI, see "RSPAN Mirroring Commands" on page 729. DEFAULT SETTING: By default only VLAN 1 exists and is active.
  • Page 789: Interface Vlan

    Table 106: Commands for Configuring VLAN Interfaces (Continued). Command | Function | Mode: switchport ingress-filtering | Enables ingress filtering on an interface; switchport mode | Configures VLAN membership mode for an interface; switchport native vlan | Configures the PVID (native VLAN) of an interface; switchport priority default | Sets a port priority for incoming untagged frames; vlan-trunking...
  • Page 790: Switchport Acceptable-Frame-Types

    switchport acceptable-frame-types: This command configures the acceptable frame types for a port. Use the no form to restore the default. SYNTAX: switchport acceptable-frame-types {all | tagged}; no switchport acceptable-frame-types. all - The port accepts all frames, tagged or untagged. tagged - The port only receives tagged frames.
  • Page 791: Switchport Ingress-Filtering

    DEFAULT SETTING: All ports are assigned to VLAN 1 by default. The default frame type is untagged. COMMAND MODE: Interface Configuration (Ethernet, Port Channel). COMMAND USAGE: ◆ A port, or a trunk with switchport mode set to hybrid, must be...
  • Page 792: Switchport Mode

    COMMAND USAGE: ◆ Ingress filtering only affects tagged frames. ◆ If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).
  • Page 793: Switchport Native Vlan

    EXAMPLE: The following shows how to set the configuration mode to port 1, and then set the switchport mode to hybrid: Console(config)#interface ethernet 1/1 Console(config-if)#switchport mode hybrid Console(config-if)#. RELATED COMMANDS: switchport acceptable-frame-types (790). switchport native vlan: This command configures the PVID (i.e., default VLAN ID) for a port.
  • Page 794: Vlan-Trunking

    vlan-trunking: This command allows unknown VLAN groups to pass through the specified interface. Use the no form to disable this feature. SYNTAX: [no] vlan-trunking. DEFAULT SETTING: Disabled. COMMAND MODE: Interface Configuration (Ethernet, Port Channel). COMMAND USAGE: Use this command to configure a tunnel across one or more...
  • Page 795: Displaying Vlan Information

    ◆ To prevent loops from forming in the spanning tree, all unknown VLANs will be bound to a single instance (either STP/RSTP or an MSTP instance, depending on the selected STA mode). ◆ If both VLAN trunking and ingress filtering are disabled on an interface,...
  • Page 796: Configuring Ieee 802.1Q Tunneling

    COMMAND MODE: Normal Exec, Privileged Exec. EXAMPLE: The following example shows how to display information for VLAN 1: Console#show vlan id 1 VLAN ID: Type: Static Name: DefaultVlan Status: Active Ports/Port Channels : Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S) Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S) Eth1/10(S) Console#. IEEE 802.1Q T...
  • Page 797: Dot1Q-Tunnel System-Tunnel-Control

    Set the Tag Protocol Identifier (TPID) value of the tunnel access port. This step is required if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames. The standard ethertype value is 0x8100.
  • Page 798: Switchport Dot1Q-Tunnel Mode

    RELATED COMMANDS: show dot1q-tunnel (799), show interfaces switchport (711). switchport dot1q-tunnel mode: This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface. SYNTAX: switchport dot1q-tunnel mode {access | uplink}; no switchport dot1q-tunnel mode...
  • Page 799: Switchport Dot1Q-Tunnel Tpid

    switchport dot1q-tunnel tpid: This command sets the Tag Protocol Identifier (TPID) value of a tunnel port. Use the no form to restore the default setting. SYNTAX: switchport dot1q-tunnel tpid tpid; no switchport dot1q-tunnel tpid. tpid –...
  • Page 800: Configuring Port-Based Traffic Segmentation

    Console(config-if)#interface ethernet 1/2 Console(config-if)#switchport dot1q-tunnel mode uplink Console(config-if)#end Console#show dot1q-tunnel Current double-tagged status of the system is Enabled The dot1q-tunnel mode of the set interface 1/1 is Access mode, TPID is 0x8100. The dot1q-tunnel mode of the set interface 1/2 is Uplink mode, TPID is 0x8100.
  • Page 801: Show Traffic-Segmentation

    ...only be forwarded to, and from, the designated uplink port(s). Data cannot pass between downlink ports in the same segmented group, nor to ports which do not belong to the same group. ◆ Any port can be defined as an uplink port or downlink port, but cannot...
  • Page 802: Configuring Protocol-Based Vlans

    CONFIGURING PROTOCOL-BASED VLANS: The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.
  • Page 803: Protocol-Vlan Protocol-Group (Configuring Groups)

    protocol-vlan protocol-group (Configuring Groups): This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group. SYNTAX: protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol]; no protocol-vlan protocol-group group-id. group-id - Group identifier of this protocol group.
  • Page 804: Show Protocol-Vlan Protocol-Group

    COMMAND MODE: Interface Configuration (Ethernet, Port Channel). COMMAND USAGE: ◆ When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any of the other VLAN commands (such as the vlan command), these interfaces will admit traffic of any protocol type into the associated VLAN.
  • Page 805: Show Interfaces Protocol-Vlan Protocol-Group

    EXAMPLE: This shows protocol group 1 configured for IP over Ethernet: Console#show protocol-vlan protocol-group Protocol Group ID Frame Type Protocol Type ------------------ ------------- --------------- ethernet 08 00 Console#. show interfaces protocol-vlan protocol-group: This command shows the mapping from protocol groups to VLANs for the selected interfaces.
  • Page 806: Configuring Ip Subnet Vlans

    CONFIGURING IP SUBNET VLANS: When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When IP subnet-based VLAN classification is enabled, the source address of untagged ingress frames is checked against the IP subnet-to-VLAN mapping table.
  • Page 807: Show Subnet-Vlan

    ...mapping is found, the PVID of the receiving port is assigned to the frame. ◆ The IP subnet cannot be a broadcast or multicast IP address. ◆ When MAC-based, IP subnet-based, and protocol-based VLANs are...
  • Page 808: Configuring Mac Based Vlans

    CONFIGURING MAC BASED VLANS: When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When MAC-based VLAN classification is enabled, the source address of untagged ingress frames is checked against the MAC address-to-VLAN mapping table.
  • Page 809: Show Mac-Vlan

    ◆ When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last. EXAMPLE: The following example assigns traffic from source MAC address 00-00-00-11-22-33 to VLAN 10.
  • Page 810: Voice Vlan

    Table 113: Voice VLAN Commands (Continued). Command | Function | Mode: switchport voice vlan rule | Sets the automatic VoIP traffic detection method for ports; switchport voice vlan security | Enables Voice VLAN security on ports; show voice vlan | Displays Voice VLAN settings. voice vlan: This command enables VoIP traffic detection and defines the Voice VLAN...
  • Page 811: Voice Vlan Aging

    voice vlan aging: This command sets the Voice VLAN ID time out. Use the no form to restore the default. SYNTAX: voice vlan aging minutes; no voice vlan. minutes - Specifies the port Voice VLAN membership time out. (Range: 5-43200 minutes) DEFAULT SETTING...
  • Page 812: Switchport Voice Vlan

    COMMAND USAGE: ◆ VoIP devices attached to the switch can be identified by the manufacturer's Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses. The MAC OUI numbers for VoIP equipment can be configured on the switch so that traffic from these devices is recognized as VoIP.
  • Page 813: Switchport Voice Vlan Priority

    EXAMPLE: The following example sets port 1 to Voice VLAN auto mode. Console(config)#interface ethernet 1/1 Console(config-if)#switchport voice vlan auto Console(config-if)#. switchport voice vlan priority: This command specifies a CoS priority for VoIP traffic on a port. Use the no form to restore the default priority on a port.
  • Page 814: Switchport Voice Vlan Security

    DEFAULT SETTING: OUI: Enabled; LLDP: Disabled. COMMAND MODE: Interface Configuration. COMMAND USAGE: ◆ When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list (see the voice vlan mac-address command).
  • Page 815: Show Voice Vlan

    EXAMPLE: The following example enables security filtering on port 1. Console(config)#interface ethernet 1/1 Console(config-if)#switchport voice vlan security Console(config-if)#. show voice vlan: This command displays the Voice VLAN settings on the switch and the OUI Telephony list.
  • Page 816
  • Page 817: Class Of Service Commands

    CLASS OF SERVICE COMMANDS: The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port.
  • Page 818: Queue Mode

    queue mode: This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Shaped Deficit Weighted Round-Robin (SDWRR), or a combination of strict and weighted queuing.
  • Page 819: Queue Weight

    ...preserving the overall weight ratios between the queues. This produces less jitter and lower maximum latency for traffic on all of the serviced queues. ◆ If Strict and SDWRR mode is selected, a combination of strict service is...
  • Page 820: Switchport Priority Default

    COMMAND USAGE: ◆ This command shares bandwidth at the egress port by defining scheduling weights for SDWRR, or for the queuing mode that uses a combination of strict and weighted queuing (page 818).
  • Page 821: Show Queue Mode

    ...frames that do not have VLAN tags are tagged with the input port's default ingress user priority, and then placed in the appropriate priority queue at the output port. The default priority for all ingress ports is zero.
  • Page 822: Priority Commands (Layer 3 And 4)

    PRIORITY COMMANDS (LAYER 3 AND 4): This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch. Table 116: Priority Commands (Layer 3 and 4). Command | Function | Mode...
  • Page 823: Table 117: Default Mapping Of Cos/Cfi To Internal Phb/Drop Precedence

    DEFAULT SETTING: Table 117: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence (one row per CoS value 0-7, two columns for CFI 0 and CFI 1, each cell giving (PHB, drop precedence)): (0,0) (0,0); (1,0) (1,0); (2,0) (2,0); (3,0) (3,0); (4,0) (4,0); (5,0) (5,0); (6,0) (6,0); (7,0) (7,0). COMMAND MODE: Interface Configuration (Port, Static Aggregation). COMMAND...
  • Page 824: Qos Map Dscp-Mutation

    qos map dscp-mutation: This command maps DSCP values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings. SYNTAX: qos map dscp-mutation phb drop-precedence from dscp0 ...
  • Page 825: Qos Map Phb-Queue

    ...map should be applied at the receiving port (ingress mutation) at the boundary of a QoS administrative domain. ◆ Random Early Detection starts dropping yellow and red packets when...
  • Page 826: Qos Map Trust-Mode

    EXAMPLE: Console(config)#interface ethernet 1/5 Console(config-if)#qos map phb-queue 0 from 1 2 3 Console(config-if)#. qos map trust-mode: This command sets QoS mapping to DSCP or CoS. Use the no form to restore the default setting.
  • Page 827: Show Qos Map Dscp-Mutation

    show qos map dscp-mutation: This command shows the ingress DSCP to internal DSCP map. SYNTAX: show qos map dscp-mutation interface interface. interface: ethernet unit/port; unit - Unit identifier. (Range: 1); port - Port number.
  • Page 828: Show Qos Map Cos-Dscp

    COMMAND MODE: Privileged Exec. EXAMPLE: Console#show qos map phb-queue interface ethernet 1/5 Information of Eth 1/5 phb-queue map: phb: ------------------------------------------------------- queue: Console#. show qos map cos-dscp: This command shows the ingress CoS/CFI to internal DSCP map. SYNTAX...
  • Page 829: Show Qos Map Trust-Mode

    show qos map trust-mode: This command shows the QoS mapping mode. SYNTAX: show qos map trust-mode interface interface. interface: ethernet unit/port; unit - Unit identifier. (Range: 1); port - Port number.
  • Page 830
  • Page 831: Quality Of Service Commands

    QUALITY OF SERVICE COMMANDS: The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
  • Page 832: Class-Map

    To create a service policy for a specific category of ingress traffic, follow these steps: 1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode. 2. Use the match command to select a specific type of traffic based on an...
  • Page 833: Description

    ◆ One or more class maps can be assigned to a policy map (page 835). The policy map is then bound by a service policy to an interface (page 845). A service policy defines packet classification, service tagging, and bandwidth policing.
  • Page 834: Match

    match: This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria. SYNTAX: [no] match {access-list acl-name | ip dscp dscp | ip precedence ip-precedence | vlan vlan}. acl-name - Name of the access control list.
  • Page 835: Rename

    This example creates a class map called “rd-class#2,” and sets it to match packets marked for IP Precedence service value 5. Console(config)#class-map rd-class#2 match-any Console(config-cmap)#match ip precedence 5 Console(config-cmap)#. This example creates a class map called “rd-class#3,” and sets it to match packets marked for VLAN 1.
  • Page 836: Class

    COMMAND USAGE: ◆ Use the policy-map command to specify the name of the policy map, and then use the class command to configure policies for traffic that matches the criteria defined in a class map. ◆ A policy map can contain multiple class statements that can be applied...
  • Page 837: Police Flow

    ■ police commands define parameters such as the maximum throughput, burst rate, and response to non-conforming traffic. ◆ Up to 16 classes can be included in a policy map. EXAMPLE: This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,”...
  • Page 838: COMMAND MODE: Policy Map Class Configuration. COMMAND USAGE: ◆ You can configure up to 16 policers (i.e., class maps) for ingress ports. ◆ The committed-rate cannot exceed the configured interface speed, and the committed-burst cannot exceed 16 Mbytes. ◆ Policing is based on a token bucket, where bucket depth (i.e., the...
  • Page 839: Police Srtcm-Color

    police srtcm-color: This command defines an enforcer for classified traffic based on a single rate three color meter (srTCM). Use the no form to remove a policer. SYNTAX: [no] police {srtcm-color-blind | srtcm-color-aware} committed-rate committed-burst excess-burst conform-action transmit exceed-action {drop | new-dscp} violate-action {drop | new-dscp}...
  • Page 840: ◆ The srTCM as defined in RFC 2697 meters a traffic stream and processes its packets according to three traffic parameters – Committed Information Rate (CIR), Committed Burst Size (BC), and Excess Burst Size (BE). ◆ The PHB label is composed of five bits, three bits for per-hop behavior,...
  • Page 841: Police Trtcm-Color

    EXAMPLE: This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police srtcm-color-blind command to limit the average bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the excess burst rate to 6000 bytes, to remark any packets exceeding the committed burst...
  • Page 842: violate-action - Action to take when rate exceeds the PIR. (There are not enough tokens in bucket BP to service the packet, the packet is set red.) drop - Drops packet as required by exceed-action or violate-action. transmit - Transmits without taking any action.
  • Page 843: Set Cos

    When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in color-blind mode: ■ If Tp(t)-B < 0, the packet is red, else ■ if Tc(t)-B < 0, the packet is yellow and Tp is decremented by B, else ■...
  • Page 844: Set Phb

    COMMAND USAGE: ◆ The set cos command is used to set the CoS value in the VLAN tag for matching packets. ◆ The set cos and set phb commands function at the same level of...
  • Page 845: Service-Policy

    EXAMPLE: This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating...
  • Page 846: Show Class-Map

    show class-map: This command displays the QoS class maps which define matching criteria used for classifying traffic. SYNTAX: show class-map [class-map-name]. class-map-name - Name of the class map. (Range: 1-32 characters) DEFAULT SETTING: Displays all class maps. COMMAND MODE: Privileged Exec. EXAMPLE...
  • Page 847: Show Policy-Map Interface

    ...Description: class rd-class set phb 3 Console#show policy-map rd-policy class rd-class Policy Map rd-policy class rd-class set phb 3 Console#. show policy-map interface: This command displays the service policy assigned to the specified interface. SYNTAX: show policy-map interface interface input interface...
  • Page 848
  • Page 849: Multicast Filtering Commands

    MULTICAST FILTERING COMMANDS: This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
  • Page 850: Ip Igmp Snooping

    Table 122: IGMP Snooping Commands (Continued). Command | Function | Mode: ip igmp snooping unregistered-data-flood | Floods unregistered multicast traffic into the attached VLAN; ip igmp snooping unsolicited-report-interval | Specifies how often the upstream interface should transmit unsolicited IGMP reports (when proxy reporting is enabled); ip igmp snooping version...
  • Page 851: Ip Igmp Snooping Proxy-Reporting

    DEFAULT SETTING: Disabled. COMMAND MODE: Global Configuration. COMMAND USAGE: ◆ When IGMP snooping is enabled globally, the per VLAN interface settings for IGMP snooping take precedence. ◆ When IGMP snooping is disabled globally, snooping can still be...
  • Page 852: Ip Igmp Snooping Querier

    ◆ If IGMP proxy reporting is configured on a VLAN, this setting takes precedence over the global configuration. EXAMPLE: Console(config)#ip igmp snooping proxy-reporting Console(config)#. ip igmp snooping querier: This command enables the switch as an IGMP querier. Use the no form to disable it.
  • Page 853: Ip Igmp Snooping Router-Port-Expire-Time

    COMMAND USAGE: As described in Section 9.1 of RFC 3376 for IGMP Version 3, the Router Alert Option can be used to protect against DoS attacks. One common method of attack is launched by an intruder who takes over the role of querier, and starts overloading multicast hosts by sending a large number of group-and-source-specific queries, each with a large source list and the Maximum Response Time set to a large value.
  • Page 854: Ip Igmp Snooping Tcn-Flood

    ip igmp snooping tcn-flood: This command enables flooding of multicast traffic if a spanning tree topology change notification (TCN) occurs. Use the no form to disable flooding. SYNTAX: [no] ip igmp snooping tcn-flood. DEFAULT SETTING: Disabled...
  • Page 855: Ip Igmp Snooping Tcn-Query-Solicit

    EXAMPLE: The following example enables TCN flooding. Console(config)#ip igmp snooping tcn-flood Console(config)#. ip igmp snooping tcn-query-solicit: This command instructs the switch to send out an IGMP general query solicitation when a spanning tree topology change notification (TCN) occurs.
  • Page 856: Ip Igmp Snooping Unsolicited-Report-Interval

    COMMAND MODE: Global Configuration. COMMAND USAGE: Once the table used to store multicast entries for IGMP snooping and multicast routing is filled, no new entries are learned. If no router port is configured in the attached VLAN, and unregistered-flooding is disabled, any subsequent multicast traffic not found in the table is dropped, otherwise it is flooded throughout the VLAN.
  • Page 857: Ip Igmp Snooping Version

    ip igmp snooping version: This command configures the IGMP snooping version. Use the no form to restore the default. SYNTAX: ip igmp snooping [vlan vlan-id] version {1 | 2 | 3}; no ip igmp snooping version. vlan-id - VLAN ID (Range: 1-4093); 1 - IGMP Version 1; 2 - IGMP Version 2...
  • Page 858: Ip Igmp Snooping Vlan General-Query-Suppression

    DEFAULT SETTING: Global: Disabled; VLAN: Disabled. COMMAND MODE: Global Configuration. COMMAND USAGE: ◆ If version exclusive is disabled on a VLAN, then this setting is based on the global setting. If it is enabled on a VLAN, then this setting takes precedence over the global setting.
  • Page 859: Ip Igmp Snooping Vlan Immediate-Leave

    ip igmp snooping vlan immediate-leave: This command immediately deletes a member port of a multicast service if a leave packet is received at that port and immediate-leave is enabled for the parent VLAN. Use the no form to restore the default. SYNTAX: [no] ip igmp snooping vlan vlan-id immediate-leave...
  • Page 860: Ip Igmp Snooping Vlan Last-Memb-Query-Count

    ip igmp snooping vlan last-memb-query-count: This command configures the number of IGMP proxy group-specific or group-and-source-specific query messages that are sent out before the system assumes there are no more local members. Use the no form to restore the default.
  • Page 861: Ip Igmp Snooping Vlan Mrd

    COMMAND USAGE: ◆ When a multicast host leaves a group, it sends an IGMP leave message. When the leave message is received by the switch, it checks to see if this host is the last to leave the group by sending out an IGMP group-specific or group-and-source-specific query message, and starts a timer.
  • Page 862: Ip Igmp Snooping Vlan Proxy-Address

    ...messages is not required and may be disabled using the no ip igmp snooping vlan mrd command. ◆ This command may also be used to disable multicast router solicitation messages when the upstream router does not support MRD, to reduce the loading on a busy upstream router, or when IGMP snooping is disabled in a VLAN.
  • Page 863: Ip Igmp Snooping Vlan Proxy-Query-Interval

    EXAMPLE: The following example sets the source address for proxied IGMP query messages to 10.0.1.8. Console(config)#ip igmp snooping vlan 1 proxy-address 10.0.1.8 Console(config)#. ip igmp snooping vlan proxy-query-interval: This command configures the interval between sending IGMP proxy general queries.
  • Page 864: Ip Igmp Snooping Vlan Proxy-Query-Resp-Intvl

    ip igmp snooping vlan proxy-query-resp-intvl: This command configures the maximum time the system waits for a response to proxy general queries. Use the no form to restore the default. SYNTAX: ip igmp snooping vlan vlan-id proxy-query-resp-intvl interval; no ip igmp snooping vlan vlan-id proxy-query-resp-intvl. vlan-id - VLAN ID (Range: 1-4093); interval - The maximum time the system waits for a response to...
  • Page 865: Show Ip Igmp Snooping

    COMMAND USAGE: ◆ Static multicast entries are never aged out. ◆ When a multicast entry is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN.
  • Page 866: Show Ip Igmp Snooping Group

    show ip igmp snooping group: This command shows known multicast group, source, and host port mappings for the specified VLAN interface, or for all interfaces if none is specified. SYNTAX: show ip igmp snooping group [vlan vlan-id [user | igmpsnp]] [user | igmpsnp]. vlan-id - VLAN ID (1-4093); user - Display only the user-configured multicast entries.
  • Page 867: Static Multicast Routing

    STATIC MULTICAST ROUTING: This section describes commands used to configure static multicast routing on the switch. Table 123: Static Multicast Interface Commands. Command | Function | Mode: ip igmp snooping vlan mrouter | Adds a multicast router port; show ip igmp snooping | Shows multicast router ports...
  • Page 868: Show Ip Igmp Snooping Mrouter

    show ip igmp snooping mrouter: This command displays information on statically configured and dynamically learned multicast router ports. SYNTAX: show ip igmp snooping mrouter [vlan vlan-id]. vlan-id - VLAN ID (Range: 1-4093). DEFAULT SETTING: Displays multicast router ports for all configured VLANs.
  • Page 869: Ip Igmp Filter (Global Configuration)

    Table 124: IGMP Filtering and Throttling Commands (Continued). Command | Function | Mode: ip igmp max-groups action | Sets the IGMP throttling action for an interface; show ip igmp filter | Displays the IGMP filtering status; show ip igmp profile | Displays IGMP profiles and settings; show ip igmp throttle...
  • Page 870: Ip Igmp Profile

    ip igmp profile: This command creates an IGMP filter profile number and enters IGMP profile configuration mode. Use the no form to delete a profile number. SYNTAX: [no] ip igmp profile profile-number. profile-number - An IGMP filter profile number.
  • Page 871: Range

    EXAMPLE: Console(config)#ip igmp profile 19 Console(config-igmp-profile)#permit Console(config-igmp-profile)#. range: This command specifies multicast group addresses for a profile. Use the no form to delete addresses from a profile. SYNTAX: [no] range low-ip-address [high-ip-address]. low-ip-address - A valid IP address of a multicast group or start of a group range.
  • Page 872: Ip Igmp Max-Groups

    COMMAND USAGE: ◆ The IGMP filtering profile must first be created with the ip igmp profile command before being able to assign it to an interface. ◆ Only one profile can be assigned to an interface...
  • Page 873: Ip Igmp Max-Groups Action

    ip igmp max-groups action: This command sets the IGMP throttling action for an interface on the switch. SYNTAX: ip igmp max-groups action {replace | deny}. replace - The new multicast group replaces an existing group. deny - The new multicast group join report is dropped.
  • Page 874: Show Ip Igmp Profile

    EXAMPLE:
      Console#show ip igmp filter
      IGMP filter enabled
      Console#show ip igmp filter interface ethernet 1/1
      Ethernet 1/1 information
      ---------------------------------
       IGMP Profile 19
       Deny
       range 239.1.1.1 239.1.1.1
       range 239.2.3.1 239.2.3.100
      Console#
    This command (show ip igmp profile) displays IGMP filtering profiles created on the switch. SYNTAX: show ip igmp profile [profile-number]...
  • Page 875: Multicast Vlan Registration

    DEFAULT SETTING: None. COMMAND MODE: Privileged Exec. COMMAND USAGE: Using this command (show ip igmp throttle) without specifying an interface displays all interfaces. EXAMPLE:
      Console#show ip igmp throttle interface ethernet 1/1
      1/1 Information
       Status                   : TRUE
       Action                   : Deny
       Max Multicast Groups     : 32
       Current Multicast Groups : 0
      Console#...
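    The filtering and throttling rules spelled out on the preceding pages (a profile is permit or deny plus one or more range lines, one profile per interface, and max-groups with a replace or deny action) make more sense when you can watch them applied to a sequence of joins. The following is an added example written for this page; it is not code from the manual or from the switch firmware. It models the decision the switch makes for each IGMP membership report, using profile 19 exactly as it appears in the show ip igmp filter output above. The class and function names are this example's own, and one behaviour is an assumption: the page does not say which existing group the replace action evicts, so the model evicts the oldest.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class IgmpProfile:
    """One 'ip igmp profile N' entry: a permit or deny action plus its 'range' lines."""
    number: int
    action: str = "deny"   # "permit" or "deny", chosen in profile configuration mode
    ranges: List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = field(default_factory=list)

    def add_range(self, low: str, high: Optional[str] = None) -> None:
        """'range low [high]'; a single address is the degenerate range low..low."""
        lo = ipaddress.IPv4Address(low)
        hi = ipaddress.IPv4Address(high) if high else lo
        if not (lo.is_multicast and hi.is_multicast) or hi < lo:
            raise ValueError("range must be an ordered pair of multicast addresses")
        self.ranges.append((lo, hi))

    def covers(self, group: ipaddress.IPv4Address) -> bool:
        return any(lo <= group <= hi for lo, hi in self.ranges)

    def permits(self, group: ipaddress.IPv4Address) -> bool:
        # permit profile: only listed groups pass; deny profile: listed groups are blocked
        return self.covers(group) if self.action == "permit" else not self.covers(group)


@dataclass
class IgmpPortState:
    """Per-interface filtering and throttling state."""
    profile: Optional[IgmpProfile] = None      # at most one profile per interface
    max_groups: Optional[int] = None           # 'ip igmp max-groups'; None = unlimited
    throttle_action: str = "deny"              # 'ip igmp max-groups action {replace | deny}'
    groups: List[ipaddress.IPv4Address] = field(default_factory=list)  # join order, oldest first


def handle_join(port: IgmpPortState, group_str: str) -> str:
    """Apply the filter, then the throttle, to one membership report; return what happened."""
    group = ipaddress.IPv4Address(group_str)
    if not group.is_multicast:
        return "ignored: not a multicast group"
    if port.profile is not None and not port.profile.permits(group):
        return "filtered"                      # dropped by the profile, never counted
    if group in port.groups:
        return "refreshed"                     # an existing membership does not use a new slot
    if port.max_groups is not None and len(port.groups) >= port.max_groups:
        if port.throttle_action == "deny":
            return "throttled"                 # report dropped, table unchanged
        # 'replace': which entry is evicted is not stated on the page; this model
        # evicts the oldest (assumption made for this example)
        evicted = port.groups.pop(0)
        port.groups.append(group)
        return "replaced %s" % evicted
    port.groups.append(group)
    return "joined"


def profile_19() -> IgmpProfile:
    """The deny profile shown in the page's 'show ip igmp filter interface ethernet 1/1' output."""
    p = IgmpProfile(19, "deny")
    p.add_range("239.1.1.1")
    p.add_range("239.2.3.1", "239.2.3.100")
    return p


if __name__ == "__main__":
    # Constructed sequence of joins on a port with profile 19 and a limit of two groups
    eth1 = IgmpPortState(profile=profile_19(), max_groups=2, throttle_action="deny")
    for g in ("239.1.1.1", "239.2.3.50", "239.2.3.101", "239.5.5.5", "239.6.6.6"):
        print("%-12s -> %s" % (g, handle_join(eth1, g)))
```

    Two things the trace makes visible: a filtered join is never counted against max-groups, so a deny profile for known-bad ranges and a low group limit compose without interfering, and with action deny the port silently stays on its first groups, which is the behaviour to prefer on subscriber ports where a host that keeps joining new groups is more likely misbehaving than entitled.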
  • Page 876: Mvr

    This command (mvr) enables Multicast VLAN Registration (MVR) globally on the switch, statically configures MVR multicast group IP address(es) using the group keyword, or specifies the MVR VLAN identifier using the vlan keyword. Use the no form of this command without any keywords to globally disable MVR.
  • Page 877: Mvr Immediate-Leave

    ◆ IGMP snooping and MVR share a maximum of 255 groups. Any multicast streams received in excess of this limit will be flooded to all ports in the associated VLAN. EXAMPLE: The following example enables MVR globally, and configures a range of MVR group addresses:
      Console(config)#mvr...
  • Page 878: Mvr Type

    This command (mvr type) configures an interface as an MVR receiver or source port. Use the no form to restore the default settings. SYNTAX: [no] mvr type {receiver | source}; receiver - Configures the interface as a subscriber port that can receive multicast data.
  • Page 879: Mvr Vlan Group

    This command (mvr vlan group) statically binds a multicast group to a port which will receive long-term multicast streams associated with a stable set of hosts. Use the no form to restore the default settings. SYNTAX: [no] mvr vlan vlan-id group ip-address; vlan-id - Receiver VLAN to which the specified multicast traffic is...
  • Page 880: Show Mvr

    This command (show mvr) shows information about the global MVR configuration settings when entered without any keywords, the interfaces attached to the MVR VLAN using the interface keyword, or the multicast groups assigned to the MVR VLAN using the members keyword.
  • Page 881: Table 127: Show Mvr Interface - Display Description

    Table 126: show mvr - display description (Continued). Field / Description: MVR Group Address - A multicast service sent to all attached subscribers; MVR Group Count - The number of contiguous MVR group addresses. The following displays information about the interfaces attached to the MVR VLAN:
      Console#show mvr interface
      Port...
  • Page 882

    Table 128: show mvr members - display description (Continued). Field / Description: Source Address - Indicates the source address of the multicast service, or displays an asterisk if the group address has been statically assigned; VLAN - Indicates the MVR VLAN receiving the multicast service.
  • Page 883: Lldp Commands

    LLDP COMMANDS. Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that periodically sends advertisements about the sending device to a link-local multicast address; bridges do not forward these frames, so they reach only directly attached neighbors. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings. Because the advertisements are unauthenticated and readable by anything on the link, treat the enabled TLV set as an information disclosure decision: on ports facing untrusted devices, receive without transmitting (lldp admin-status rx-only) or disable individual TLVs such as lldp basic-tlv management-ip-address.
  • Page 884: Lldp

    Table 129: LLDP Commands (Continued). Command / Function / Mode: lldp dot3-tlv link-agg - Configures an LLDP-enabled port to advertise its link aggregation capabilities; lldp dot3-tlv mac-phy - Configures an LLDP-enabled port to advertise its MAC and physical layer specifications; lldp dot3-tlv max-frame - Configures an LLDP-enabled port to advertise its frame...
  • Page 885: Lldp Notification-Interval

    DEFAULT SETTING: Holdtime multiplier: 4; TTL: 4*30 = 120 seconds. COMMAND MODE: Global Configuration. COMMAND USAGE: The time-to-live (holdtime multiplier * refresh interval) tells the receiving LLDP agent how long to retain all information pertaining to the sending LLDP agent if it does not transmit updates in a timely manner.
  • Page 886: Lldp Refresh-Interval

    This command (lldp refresh-interval) configures the periodic transmit interval for LLDP advertisements. Use the no form to restore the default setting. SYNTAX: lldp refresh-interval seconds / no lldp refresh-interval; seconds - Specifies the periodic interval at which LLDP advertisements are sent.
  • Page 887: Lldp Tx-Delay

    EXAMPLE:
      Console(config)#lldp reinit-delay 10
      Console(config)#
    This command (lldp tx-delay) configures a delay between successive transmissions of advertisements initiated by a change in local LLDP MIB variables. Use the no form to restore the default setting. SYNTAX: lldp tx-delay seconds...
  • Page 888: Lldp Basic-Tlv Management-Ip-Address

    DEFAULT SETTING: tx-rx. COMMAND MODE: Interface Configuration (Ethernet, Port Channel). EXAMPLE:
      Console(config)#interface ethernet 1/1
      Console(config-if)#lldp admin-status rx-only
      Console(config-if)#
    This command (lldp basic-tlv management-ip-address) configures an LLDP-enabled port to advertise the management address for this device. Use the no form to disable this feature.
  • Page 889: Lldp Basic-Tlv Port-Description

    EXAMPLE:
      Console(config)#interface ethernet 1/1
      Console(config-if)#lldp basic-tlv management-ip-address
      Console(config-if)#
    This command (lldp basic-tlv port-description) configures an LLDP-enabled port to advertise its port description. Use the no form to disable this feature. SYNTAX: [no] lldp basic-tlv port-description. DEFAULT SETTING: Enabled...
  • Page 890: Lldp Basic-Tlv System-Description

    EXAMPLE:
      Console(config)#interface ethernet 1/1
      Console(config-if)#lldp basic-tlv system-capabilities
      Console(config-if)#
    This command (lldp basic-tlv system-description) configures an LLDP-enabled port to advertise the system description. Use the no form to disable this feature. SYNTAX: [no] lldp basic-tlv system-description. DEFAULT SETTING: Enabled. COMMAND MODE...
  • Page 891: Lldp Dot1-Tlv Proto-Ident

    EXAMPLE:
      Console(config)#interface ethernet 1/1
      Console(config-if)#lldp basic-tlv system-name
      Console(config-if)#
    This command (lldp dot1-tlv proto-ident) configures an LLDP-enabled port to advertise the supported protocols. Use the no form to disable this feature. SYNTAX: [no] lldp dot1-tlv proto-ident. DEFAULT SETTING: Enabled...
  • Page 892: Lldp Dot1-Tlv Pvid

    EXAMPLE:
      Console(config)#interface ethernet 1/1
      Console(config-if)#no lldp dot1-tlv proto-vid
      Console(config-if)#
    This command (lldp dot1-tlv pvid) configures an LLDP-enabled port to advertise its default VLAN ID. Use the no form to disable this feature. SYNTAX: [no] lldp dot1-tlv pvid. DEFAULT SETTING: Enabled...
  • Page 893: Lldp Dot3-Tlv Link-Agg

    EXAMPLE:
      Console(config)#interface ethernet 1/1
      Console(config-if)#no lldp dot1-tlv vlan-name
      Console(config-if)#
    This command (lldp dot3-tlv link-agg) configures an LLDP-enabled port to advertise link aggregation capabilities. Use the no form to disable this feature. SYNTAX: [no] lldp dot3-tlv link-agg. DEFAULT SETTING: Enabled...
  • Page 894: Lldp Dot3-Tlv Max-Frame

    EXAMPLE:
      Console(config)#interface ethernet 1/1
      Console(config-if)#no lldp dot3-tlv mac-phy
      Console(config-if)#
    This command (lldp dot3-tlv max-frame) configures an LLDP-enabled port to advertise its maximum frame size. Use the no form to disable this feature. SYNTAX: [no] lldp dot3-tlv max-frame. DEFAULT SETTING: Enabled...
  • Page 895: Show Lldp Config

    ◆ SNMP trap destinations are defined using the snmp-server host command. ◆ Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a trap notification are included in the transmission. An SNMP management station should therefore periodically poll the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification events missed due to throttling or transmission loss.
  • Page 896: Show Lldp Info Local-Device

      Eth 1/5   | Tx-Rx          True
      Console#show lldp config detail ethernet 1/1
      LLDP Port Configuration Detail
       Port                 : Eth 1/1
       Admin Status         : Tx-Rx
       Notification Enabled : True
       Basic TLVs Advertised:
        port-description
        system-name
        system-description
        system-capabilities
        management-ip-address
       802.1 specific TLVs Advertised:
        *port-vid
        *vlan-name
        *proto-vlan...
  • Page 897: Show Lldp Info Remote-Device

       Management Address : 192.168.0.101 (IPv4)
      LLDP Port Information
      Interface |PortID Type       PortID             PortDesc
      --------- + ---------------- ----------------- ---------------------------
      Eth 1/1   |MAC Address       00-01-02-03-04-06  Ethernet Port on unit 1, port 1
      Eth 1/2   |MAC Address       00-01-02-03-04-07  Ethernet Port on unit 1, port 2
      Eth 1/3   |MAC Address       00-01-02-03-04-08  Ethernet Port on unit 1, port 3...
  • Page 898: Show Lldp Info Statistics

       PortID Type               : MAC Address
       PortID                    : 00-01-02-03-04-06
       SysName                   :
       SysDescr                  : 24 10/100 ports and 4 gigabit ports with PoE switch
       PortDescr                 : Ethernet Port on unit 1, port 1
       SystemCapSupported        : Bridge
       SystemCapEnabled          : Bridge
       Remote Management Address : 00-01-02-03-04-05 (MAC Address)
       Remote Port VID           : 1...
  • Page 899

    EXAMPLE:
      switch#show lldp info statistics
      LLDP Device Statistics
       Neighbor Entries List Last Updated : 2450279 seconds
       New Neighbor Entries Count
       Neighbor Entries Deleted Count
       Neighbor Entries Dropped Count
       Neighbor Entries Ageout Count
      Interface | NumFramesRecvd NumFramesSent NumFramesDiscarded
      --------- + -------------- ------------- ------------------
      Eth 1/1   | 10...
  • Page 901: Domain Name Service Commands

    DOMAIN NAME SERVICE COMMANDS. These commands are used to configure Domain Name System (DNS) services. Entries can be manually configured in the DNS domain-name-to-IP-address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server...
  • Page 902: Ip Domain-Lookup

    COMMAND MODE: Global Configuration. COMMAND USAGE: ◆ Domain names are added to the end of the list one at a time. ◆ When an incomplete host name is received by the DNS service on this switch, it will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
  • Page 903: Ip Domain-Name

    ◆ If all name servers are deleted, DNS will automatically be disabled. EXAMPLE: This example enables DNS and then displays the configuration.
      Console(config)#ip domain-lookup
      Console(config)#end
      Console#show dns
      Domain Lookup Status: DNS enabled
      Default Domain Name: sample.com
      Domain Name List: sample.com.jp...
  • Page 904: Ip Host

      Name Server List:
      Console#
    RELATED COMMANDS: ip domain-list (901), ip name-server (905), ip domain-lookup (902). This command (ip host) creates a static entry in the DNS table that maps a host name to an IPv4 address. Use the no form to remove an entry. SYNTAX: [no] ip host name address; name - Name of an IPv4 host.
  • Page 905: Ip Name-Server

    This command (ip name-server) specifies the address of one or more domain name servers to use for name-to-address resolution. Use the no form to remove a name server from this list. SYNTAX: [no] ip name-server server-address1 [server-address2 … server-address6]; server-address1 - IP address of domain-name server.
  • Page 906: Ipv6 Host

    This command (ipv6 host) creates a static entry in the DNS table that maps a host name to an IPv6 address. Use the no form to remove an entry. SYNTAX: [no] ipv6 host name ipv6-address; name - Name of an IPv6 host.
  • Page 907: Clear Host

    This command (clear host) deletes dynamic entries from the DNS table. SYNTAX: clear host {name | *}; name - Name of the host (Range: 1-100 characters); * - Removes all entries. DEFAULT SETTING: None. COMMAND MODE: Privileged Exec. COMMAND...
  • Page 908: Show Dns Cache

    This command (show dns cache) displays entries in the DNS cache. COMMAND MODE: Privileged Exec. EXAMPLE:
      Console#show dns cache
           Flag  Type   IP Address       Domain
      ---- ----- ------ ---------------- ---- -------------------------
           4     Host   209.131.36.158   115  www-real.wa1.b.yahoo.com
           4     CNAME  POINTER TO:3     115  www.yahoo.com...
  • Page 909: Table 132: Show Hosts - Display Description

    Table 132: show hosts - display description. Field / Description: (first column) - The entry number for each resource record; Flag - The field displays "2" for a static entry, or "4" for a dynamic entry stored in the cache; Type - This field includes "Address"...
  • Page 911: DHCP Commands

    DHCP COMMANDS. These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client functions. Table 133: DHCP Commands. Command Group / Function: DHCP Client - Allows interfaces to dynamically acquire IP address information. DHCP CLIENT: Use the commands in this section to allow the switch's VLAN interfaces to dynamically acquire IP address information.
  • Page 912: Ip Dhcp Client Class-Id

    This command (ip dhcp client class-id) specifies the DHCP client vendor class identifier for the current interface. Use the no form to remove this identifier. SYNTAX: ip dhcp client class-id {text text | hex hex} / no ip dhcp client class-id; text - A text string.
  • Page 913: Ipv6 Dhcp Restart Client Vlan

    COMMAND USAGE: ◆ This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode through the ip address command. ◆ DHCP requires the server to reassign the client's last address if...
  • Page 914: Show Ipv6 Dhcp Duid

    ◆ When the DHCP client process is enabled and a prefix is successfully acquired, the prefix is stored in the IPv6 general prefix pool. Other commands and applications (such as the ipv6 address command) can then refer to the prefixes in the general prefix pool.
  • Page 915: Show Ipv6 Dhcp Vlan

    This command (show ipv6 dhcp vlan) shows DHCPv6 information for the specified interface(s). SYNTAX: show ipv6 dhcp vlan vlan-id; vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.
  • Page 917: Ip Interface Commands

    IP INTERFACE COMMANDS. An IPv4 or IPv6 address may be used for management access to the switch over the network; both can be configured and used at the same time. You can manually configure a specific IPv4 or IPv6 address, or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on.
  • Page 918: Basic Ipv4 Configuration

    BASIC IP CONFIGURATION: This section describes commands used to configure IP addresses for VLAN interfaces on the switch. Table 137: Basic IP Configuration Commands. Command / Function / Mode: ip address - Sets the IP address for the current interface; ip default-gateway - Defines the default gateway through which this device can reach other subnetworks...
  • Page 919: Ip Default-Gateway

    ...broadcast periodically by the switch in an effort to learn its IP address. (BOOTP and DHCP values can include the IP address, default gateway, and subnet mask.) If the DHCP/BOOTP server is slow to respond, you may need to use the ip dhcp restart client command to re-start...
  • Page 920: Show Ip Default-Gateway

    This command (show ip default-gateway) shows the IPv4 default gateway configured for this device. DEFAULT SETTING: None. COMMAND MODE: Privileged Exec. EXAMPLE:
      Console#show ip redirects
      ip default gateway 10.1.0.254
      Console#
    RELATED COMMANDS: ip default-gateway (919), show ipv6 default-gateway (934). The next command displays the settings of an IPv4 interface.
  • Page 921: Ping

    COMMAND MODE: Privileged Exec. COMMAND USAGE: ◆ Use the traceroute command to determine the path taken to reach a specified destination. ◆ A trace terminates when the destination responds, when the maximum timeout is exceeded, or when the maximum number of hops (TTL) is exceeded.
  • Page 922

    COMMAND MODE: Normal Exec, Privileged Exec. COMMAND USAGE: ◆ Use the ping command to see if another site on the network can be reached. ◆ The following are some results of the ping command: ■ Normal response - The normal response occurs in one to ten...
  • Page 923: Arp Configuration

    ARP CONFIGURATION: This section describes commands used to configure the Address Resolution Protocol (ARP) on the switch. Table 138: Address Resolution Protocol Commands. Command / Function / Mode: arp timeout - Sets the time a dynamic entry remains in the ARP cache; clear arp-cache - Deletes all dynamic entries from the ARP cache...
  • Page 924: Clear Arp-Cache

    This command (clear arp-cache) deletes all dynamic entries from the Address Resolution Protocol (ARP) cache. COMMAND MODE: Privileged Exec. EXAMPLE: This example clears all dynamic entries in the ARP cache.
      Console#clear arp-cache
      This operation will delete all the dynamic entries in ARP Cache.
      Are you sure to continue this operation (y/n)?y
      Console#
    This command displays entries in the Address Resolution Protocol (ARP)
  • Page 925: Ipv6 Interface

    IPv6 INTERFACE: This switch supports the following IPv6 interface commands. Table 139: IPv6 Configuration Commands. Command / Function / Mode. Interface Address Configuration and Utilities: ipv6 default-gateway - Sets an IPv6 default gateway for traffic; ipv6 address - Configures an IPv6 global unicast address, and enables IPv6 on an interface; ipv6 address autoconfig...
  • Page 926: Ipv6 Default-Gateway

    This command (ipv6 default-gateway) sets an IPv6 default gateway to use when the destination is located in a different network segment. Use the no form to remove a previously configured default gateway. SYNTAX: ipv6 default-gateway ipv6-address / no ipv6 default-gateway...
  • Page 927: Ipv6 Address

    This command (ipv6 address) configures an IPv6 global unicast address and enables IPv6 on an interface. Use the no form without any arguments to remove all IPv6 addresses from the interface, or use the no form with a specific IPv6 address to remove that address from the interface.
  • Page 928: Ipv6 Address Autoconfig

       Joined group address(es):
        FF02::1:FF00:72
        FF02::1:FF00:FD
        FF02::1
       IPv6 link MTU is 1500 bytes
       ND DAD is enabled, number of DAD attempts: 3.
       ND retransmit interval is 1000 milliseconds
      Console#
    RELATED COMMANDS: ipv6 address eui-64 (929), ipv6 address autoconfig (928), show ipv6 interface (935), ip address (918)
  • Page 929: Ipv6 Address Eui-64

    EXAMPLE: This example assigns a dynamic global unicast address of 2001:DB8:2222:7272:2E0:CFF:FE00:FD to the switch.
      Console(config-if)#ipv6 address autoconfig
      Console(config-if)#ipv6 enable
      Console(config-if)#end
      Console#show ipv6 interface
      Vlan 1 is up
      IPv6 is enable.
       Link-local address:
        FE80::2E0:CFF:FE00:FD/64
       Global unicast address(es):
        2001:DB8:2222:7272:2E0:CFF:FE00:FD/64, subnet is 2001:DB8:2222:7272::/64[AUTOCONFIG]...
  • Page 930

    COMMAND USAGE: ◆ The prefix must be formatted according to RFC 2373 "IPv6 Addressing Architecture," using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
  • Page 931: Ipv6 Address Link-Local

       Global unicast address(es):
        2001:DB8::1:2E0:CFF:FE00:FD/64, subnet is 2001:DB8::1:0:0:0:0/64[EUI]
        2001:DB8:2222:7272::72/96, subnet is 2001:DB8:2222:7272::/96[EUI]
       Joined group address(es):
        FF02::1:FF00:72
        FF02::1:FF00:FD
        FF02::1
       IPv6 link MTU is 1500 bytes
       ND DAD is enabled, number of DAD attempts: 3.
       ND retransmit interval is 1000 milliseconds
      Console#
    RELATED COMMANDS...
  • Page 932: Ipv6 Enable

    EXAMPLE: This example assigns a link-local address of FE80::269:3EF9:FE19:6779 to VLAN 1. Note that the prefix FE80 is required for link-local addresses, and the first 16-bit group in the host address is padded with a zero, in the form 0269.
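    The addresses in the eui-64, autoconfig and link-local examples above all derive from one MAC address, and the joined group addresses follow from them; the following added example, written for this page and not taken from the manual or the switch firmware, reproduces those derivations so they can be checked. It assumes the interface MAC is 00-E0-0C-00-00-FD, which is what reversing the page's ...2E0:CFF:FE00:FD interface identifier gives; the function names are this example's own. The reverse mapping is there to make the security point: an EUI-64 interface identifier discloses the hardware address (including the vendor OUI) of the port to every host that sees the address, which a static ipv6 address such as the page's ::72 does not.

```python
import ipaddress


def _mac_bytes(mac):
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 48 bits")
    return raw


def eui64_interface_id(mac):
    """MAC -> modified EUI-64 interface ID: flip the universal/local bit, insert FF:FE in the middle."""
    b = bytearray(_mac_bytes(mac))
    b[0] ^= 0x02
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def eui64_address(prefix, mac):
    """What 'ipv6 address <prefix>/64 eui-64' and 'ipv6 address autoconfig' (with a /64 RA prefix) produce."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("a modified EUI-64 interface ID needs a 64-bit prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def link_local_address(mac):
    """The FE80::/64 address the interface derives when no 'ipv6 address link-local' is configured."""
    return eui64_address("fe80::/64", mac)


def solicited_node_multicast(addr):
    """FF02::1:FFxx:xxxx from the low 24 bits of a unicast address; DAD and neighbor solicitation use it."""
    low24 = ipaddress.IPv6Address(addr).packed[13:]
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)


def joined_groups(addresses):
    """Groups an interface must listen on: all-nodes plus one solicited-node group per unicast address."""
    groups = {ipaddress.IPv6Address("ff02::1")}
    groups |=  {solicited_node_multicast(a) for a in addresses}
    return groups


def mac_from_eui64(addr):
    """Reverse mapping: the MAC an EUI-64 interface ID discloses, or None if the ID is not EUI-64 shaped."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    b = bytearray(iid[:3] + iid[5:])
    b[0] ^= 0x02
    return "-".join("%02X" % x for x in b)


if __name__ == "__main__":
    mac = "00-E0-0C-00-00-FD"   # assumed MAC behind the page's ...2E0:CFF:FE00:FD addresses
    ll = link_local_address(mac)
    gl = eui64_address("2001:DB8:2222:7272::/64", mac)
    print("link-local      ", ll)
    print("global (eui-64) ", gl)
    print("joined groups   ", sorted(str(g) for g in joined_groups([str(ll), str(gl), "2001:DB8:2222:7272::72"])))
    print("MAC recovered   ", mac_from_eui64(gl))
```

    The computed joined-group set matches the page's show ipv6 interface output (FF02::1, FF02::1:FF00:FD, FF02::1:FF00:72), and the /96 guard reflects that EUI-64 only fits a 64-bit prefix; the page's ::72/96 entry is a statically assigned address, not a derived one.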
  • Page 933: Ipv6 Mtu

    ◆ If a duplicate address is detected on the local segment, this interface will be disabled and a warning message displayed on the console. ◆ The no ipv6 enable command does not disable IPv6 for an interface...
  • Page 934: Show Ipv6 Default-Gateway

    COMMAND USAGE: ◆ IPv6 routers do not fragment IPv6 packets forwarded from other routers. However, traffic originating from an end station connected to an IPv6 router may be fragmented. ◆ All devices on the same physical medium must use the same MTU in...
  • Page 935: Show Ipv6 Interface

    This command (show ipv6 interface) displays the usability and configured settings for IPv6 interfaces. SYNTAX: show ipv6 interface [brief [vlan vlan-id [ipv6-prefix/prefix-length]]]; brief - Displays a brief summary of IPv6 operational status and the addresses configured for each interface.
  • Page 936: Show Ipv6 Mtu

    Table 140: show ipv6 interface - display description (Continued). Field / Description: Link-local address - Shows the link-local address assigned to this interface; Global unicast address(es) - Shows the global unicast address(es) assigned to this interface; Joined group address(es) - In addition to the unicast addresses assigned to an interface, a host is also...
  • Page 937: Show Ipv6 Traffic

    EXAMPLE: The following example shows the MTU cache for this device:
      Console#show ipv6 mtu
      MTU   Since     Destination Address
      1400  00:04:21  5000:1::3
      1280  00:04:50  FE80::203:A0FF:FED6:141D
      Console#
    Table 141: show ipv6 mtu - display description. Field / Description: MTU - Adjusted MTU contained in the ICMP packet-too-big message returned from this destination, and now used for all traffic sent along this path.
  • Page 938: Ip Interface Commands

    ICMPv6 Statistics. ICMPv6 received: input, errors, destination unreachable messages, packet too big messages, time exceeded messages, parameter problem messages, echo request messages, echo reply messages, redirect messages, group membership query messages, group membership response messages, group membership reduction messages, router solicit messages, router advertisement messages...
  • Page 939

    Table 142: show ipv6 traffic - display description (Continued). Field / Description: unknown protocols - The number of locally-addressed datagrams received successfully but discarded because of an unknown or unsupported protocol. This counter is incremented at the interface to which these datagrams were addressed, which is not necessarily the input interface for some of the datagrams.
  • Page 940

    Table 142: show ipv6 traffic - display description (Continued). Field / Description. ICMPv6 Statistics: ICMPv6 received input - The total number of ICMP messages received by the interface, which includes all those counted by ipv6IfIcmpInErrors. Note that this interface is the interface to which the ICMP messages were addressed, which is not necessarily the input interface for the messages.
  • Page 941: Clear Ipv6 Traffic

    Table 142: show ipv6 traffic - display description (Continued). Field / Description: echo reply messages - The number of ICMP Echo Reply messages sent by the interface; router solicit messages - The number of ICMP Router Solicitation messages sent by the interface.
  • Page 942: Ping6

    This command (ping6) sends IPv6 ICMP echo request packets to another node on the network. SYNTAX: ping6 {ipv6-address | host-name} [count count] [size size]; ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 "IPv6 Addressing Architecture,"...
  • Page 943: Ipv6 Nd Dad Attempts

      ...response time: 0 ms
      [FE80::2E0:CFF:FE00:FC] seq_no: 4 response time: 0 ms
      [FE80::2E0:CFF:FE00:FC] seq_no: 5 response time: 0 ms
      Ping statistics for FE80::2E0:CFF:FE00:FC%1/64:
       5 packets transmitted, 5 packets received (100%), 0 packets lost (0%)
      Approximate round trip times:
       Minimum = 0 ms, Maximum = 20 ms, Average = 4 ms
      Console#
    This command configures the number of consecutive neighbor solicitation...
  • Page 944: Ipv6 Nd Ns-Interval

    ◆ If the link-local address for an interface is changed, duplicate address detection is performed on the new link-local address, but not for any of the IPv6 global unicast addresses already associated with the interface. EXAMPLE: The following configures five neighbor solicitation attempts for addresses configured on VLAN 1.
  • Page 945: Ipv6 Nd Reachable-Time

    COMMAND USAGE: ◆ This command specifies the interval between transmitting neighbor solicitation messages when resolving an address, or when probing the reachability of a neighbor. Shorter intervals mean more solicitation traffic on the link for every unresolved or probed neighbor, so avoid using very short intervals for normal IPv6 operations. EXAMPLE: The following sets the interval between sending neighbor solicitation messages to 30000 milliseconds:...
  • Page 946: Clear Ipv6 Neighbors

    COMMAND USAGE: ◆ The time limit configured by this command allows the switch to detect unavailable neighbors. EXAMPLE: The following sets the reachable time for a remote node to 1000 milliseconds:
      Console(config)#interface vlan 1
      Console(config-if)#ipv6 nd reachable-time 1000
      Console(config-if)#
    This command deletes all dynamic entries in the IPv6 neighbor discovery...
  • Page 947

    EXAMPLE: The following shows all known IPv6 neighbors for this switch:
      Console#show ipv6 neighbors
      IPv6 Address             Link-layer Addr    State  VLAN
      2009:DB9:2229::79        00-00-E8-90-00-00  REACH
      FE80::200:E8FF:FE90:0    00-00-E8-90-00-00  REACH
      Console#
    Table 143: show ipv6 neighbors - display description. Field / Description: IPv6 Address...
  • Page 949: Section

    SECTION: APPENDICES. This section provides additional information and includes these items: ◆ "Software Specifications" on page 951; ◆ "Troubleshooting" on page 955; ◆ "License Information" on page 957.
  • Page 951: Specifications

    SOFTWARE SPECIFICATIONS. SOFTWARE FEATURES: Management Authentication - Local, RADIUS, TACACS+, Port Authentication (802.1X), HTTPS, SSH, Port Security, IP Filter, DHCP Snooping. Client Access Control - Access Control Lists (512 rules), Port Authentication (802.1X), MAC Authentication, Port Security, DHCP Snooping, IP Source Guard. Port Configuration - 100BASE-TX: 10/100 Mbps, half/full duplex; 100BASE-FX: 100 Mbps at full duplex (SFP)
  • Page 952: Management Features

    Management Features. VLAN Support - Up to 256 groups; port-based, protocol-based, tagged (802.1Q), private VLANs, voice VLANs, IP subnet, MAC-based, GVRP for automatic VLAN learning. Class of Service - Supports four levels of priority; Strict, Shaped Deficit Weighted Round Robin (SDWRR, or DRR as shown in the interface), Weighted Round Robin (WRR), or a combination of strict and weighted queuing; Layer 3/4 priority mapping: IP DSCP...
  • Page 953: Standards

    Standards. RMON - Groups 1, 2, 3, 9 (Statistics, History, Alarm, Event). Standards - IEEE 802.1AB Link Layer Discovery Protocol; IEEE 802.1D-2004 Spanning Tree Algorithm and traffic priorities, Spanning Tree Protocol, Rapid Spanning Tree Protocol, Multiple Spanning Tree Protocol; IEEE 802.1p Priority tags; IEEE 802.1Q VLAN; IEEE 802.1v Protocol-based VLANs...
  • Page 954

    Management Information Bases: Extended Bridge MIB (RFC 2674); Extensible SNMP Agents MIB (RFC 2742); Forwarding Table MIB (RFC 2096); IGMP MIB (RFC 2933); Interface Group MIB (RFC 2233); Interfaces Evolution MIB (RFC 2863); IP Multicasting related MIBs; IPV6-MIB (RFC 2465); IPV6-ICMP-MIB (RFC 2466); IPV6-TCP-MIB (RFC 2452)
  • Page 955: Problems Accessing The Management Interface

    TROUBLESHOOTING. PROBLEMS ACCESSING THE MANAGEMENT INTERFACE. Table 144: Troubleshooting Chart. Symptom: Cannot connect using Telnet, web browser, or SNMP software. Action: ◆ Be sure the switch is powered up. ◆ Check network cabling between the management station and the switch. ◆...
  • Page 956: Troubleshooting (Appendix B)

    USING SYSTEM LOGS: If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
  • Page 957: License Information

    LICENSE INFORMATION. This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors.
  • Page 958: License Information

    The GNU General Public License. GNU GENERAL PUBLIC LICENSE, TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program"...
  • Page 959

    a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b)...
  • Page 960 | Appendix C | License Information. The GNU General Public License (continued). This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
  • Page 961: Glossary

    Glossary. ACL: Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. ARP: Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address.
  • Page 962 | Glossary. Differentiated Services: provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (the DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.
  • Page 963 | Glossary. GMRP: Generic Multicast Registration Protocol. GMRP allows network devices to register end stations with multicast groups. GMRP requires that any participating network devices or end stations comply with the IEEE 802.1p standard. GVRP: GARP VLAN Registration Protocol. Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports along the Spanning Tree so that VLANs defined in each switch can work...
  • Page 964 | Glossary. IGMP: Internet Group Management Protocol. A protocol through which hosts can register with their local router for multicast services. If there is more than one multicast switch/router on a given subnetwork, one of the devices is made the "querier" and assumes responsibility for keeping track of group membership.
  • Page 965 | Glossary. MD5: Message-Digest algorithm 5. MD5 is a one-way hash function, meaning that it takes a message and converts it into a fixed-length string of digits (a 128-bit message digest); it is the digest, not the message itself, that is signed in digital-signature schemes. It was designed for 32-bit machines as a stronger successor to MD4, which had been broken. MD5 has since been broken as well (practical collision attacks exist), so it should not be relied on for new digital signatures or integrity checks.
  • Page 966 | Glossary. Port Mirroring: A method whereby data on a target port is mirrored to a monitor port for troubleshooting with a logic analyzer or RMON probe. This allows data on the target port to be studied unobtrusively. Port Trunk: Defines a network link aggregation and trunking method which specifies how to create a single high-speed logical link that combines several lower-speed physical links.
  • Page 967 | Glossary. SNTP: Simple Network Time Protocol allows a device to set its internal clock based on periodic updates from a Network Time Protocol (NTP) server. Updates can be requested from a specific NTP server, or can be received via broadcasts sent by NTP servers.
  • Page 968 | Glossary. VLAN: Virtual LAN. A Virtual LAN is a collection of network nodes that share the same broadcast domain regardless of their physical location or connection point in the network. A VLAN serves as a logical workgroup with no physical barriers, and allows users to share information and resources as though located on the same LAN.
  • Page 969: Command List

    Command List. aaa accounting commands; aaa accounting dot1x; aaa accounting exec; aaa accounting update; aaa authorization exec; aaa group server; absolute; access-list arp; access-list ip; capabilities; channel-group; class; class-map; clear arp-cache 924; clear counters; clear dns cache; clear host; clear ip dhcp snooping database flash; clear ipv6 neighbors...
  • Page 970 | Command List. dot1x timeout start-period; dot1x timeout supp-timeout; dot1x timeout tx-period; enable; enable password; exec-timeout 522; ip igmp filter (Global Configuration); ip igmp filter (Interface Configuration); ip igmp max-groups; ip igmp max-groups action 873; ip igmp profile; ip igmp snooping; ip igmp snooping proxy-reporting; ip igmp snooping querier; ip igmp snooping router-alert-option-...
  • Page 971 | Command List. ipv6 enable 932; ipv6 host; ipv6 mtu 933; ipv6 nd dad attempts; ipv6 nd ns-interval 944; ipv6 nd reachable-time 945; jumbo frame 509; lacp; lacp admin-key (Ethernet Interface); mac-address-table static; mac-authentication intrusion-action; mac-authentication max-mac-count; mac-authentication reauth-time; mac-learning; mac-vlan 808; management; match; max-hops; media-type; mst priority; mst vlan 766
  • Page 972 | Command List. police trtcm-color; policy-map; port monitor; port security 639; power-save; prompt; protocol-vlan protocol-group (Configuring Groups); protocol-vlan protocol-group (Configuring Interfaces); show banner; show bridge-ext 785; show cable-diagnostics; show calendar; show class-map; show cluster; show cluster candidates; show cluster members; show dns; show dns cache; show dot1q-tunnel 799; show dot1x...
  • Page 973 | Command List. show logging sendmail 539; show mac access-group; show mac access-list; show mac-address-table; show mac-address-table aging-time; show mac-vlan; show management 634; show memory; show mvr; show web-auth summary; shutdown 705; silent-time; snmp-server; snmp-server community 557; snmp-server contact; snmp-server enable port-traps atc broadcast-alarm-clear; snmp-server enable port-traps atc broadcast-alarm-fire 748...
  • Page 974 | Command List. spanning-tree transmission-limit; speed; speed-duplex; stopbits; subnet-vlan; switchport acceptable-frame-types; switchport allowed vlan 790; switchport dot1q-tunnel mode 798; switchport dot1q-tunnel tpid; switchport forbidden vlan; switchport gvrp 784; switchport ingress-filtering; switchport mode 792; switchport native vlan...; time-range; traceroute; traffic-segmentation; upgrade opcode auto; upgrade opcode path 518; username; vlan 787; vlan database
  • Page 975: Index

    Index. Numerics: 802.1Q tunnel 168: access 173; configuration, guidelines 171; configuration, limitations 171; description 168; ethernet type 172. A: ARP configuration 923. ARP inspection 313: ACL filter 316; additional validation criteria 315; ARP ACL 317; enabling globally 315; enabling per VLAN 317; trusted ports 318 ...
  • Page 976 | Index. color blind, trTCM 245; command modes 478; committed burst size 244; showing commands 476; committed information rate 243; clustering switches, management access 406; command line interface, see CLI; configuring 831; committed burst size, QoS policy 243; conforming traffic, configuring response 837; committed information rate, QoS policy 243; description 833; excess burst size 244...
  • Page 977 | Index. encryption: DSA 293; RSA 293. engine ID 374. event logging 351. excess burst size, QoS policy 244. exec command privileges, accounting 266. exec settings... IGMP: Layer 2 442; query 442; snooping 442; snooping & query, parameters 444; snooping, configuring 444; snooping, immediate leave 453. IGMP services, displaying 457. IGMP snooping...
  • Page 978 | Index. (continued from previous page) global unicast 421; link-local 422; manual configuration (global unicast) 62; manual configuration (link-local) 62; setting 61. jumbo frame 92. logon authentication 273: encryption keys 262; RADIUS client 261; RADIUS server 261; sequence 259; settings 260; TACACS+ client 260; TACACS+ server 260. logon authentication, settings 262. logon banner, configuring 494. loopback detection, STA 196...
  • Page 979 | Index. (continued from previous page) description 463; interface status, configuring 466; interface status, displaying 468; setting interface type 467; setting multicast groups 465; specifying a VLAN 465; static binding 468... power savings, configuring 714. power savings, enabling per port 148. priority, default port ingress 221. private key 289. problems, troubleshooting 955. protocol migration 206.
  • Page 980 | Index. restarting the system 112: at scheduled times 112. RMON 394: alarm, displaying settings 397; alarm, setting thresholds 395; commands 575; event settings, displaying 400; response to alarm setting 398... (continued) QoS policy 240. SSH 289: authentication retries 292; configuring 289; downloading public keys for clients 295; generating host key pair 293; server, configuring 292.
  • Page 981 | Index. Telnet: configuring 109; server, enabling 109. time range, ACL 298. time zone, setting 106. time, setting 103. TPID 172... VLANs (continued): displaying port members 795; displaying port members by interface 164; displaying port members by interface range 165; displaying port members by VLAN index 163; dynamic assignment 281; egress mode 161...
  • Page 984 ES3510MA E032010/ST-R01 149100000046A...
