ABOUT THIS GUIDE

PURPOSE
This guide gives specific information on how to operate and use the management functions of the switch.

AUDIENCE
The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).

RELEASE
This is the second version of this guide. This guide is valid for software release v1.1.2.0. It includes information on the following changes:
◆ Added information for the ECS4110-28T and ECS4110-28P.
◆ Updated information in Table 1, "Key Features," on page ...
◆ Updated the parameter list under "Configuring AAA Accounting" on page 317.
◆ Updated the parameter list under "Configuring AAA Authorization" on page 323.
◆ Updated description of the Access Level parameter under "Configuring User Accounts" on page 326.
◆ Added the sections "Filtering IGMP Query Packets and Multicast Data" on page 584 and "Displaying IGMP Snooping Statistics" on page 586.
◆ Added the section "MLD Snooping (Snooping and Query for IPv6)" on page 595.
◆ Added the section "Configuring MVR Global Settings" ...
◆ Added the commands "clock summer-time (date)" on page 777, "clock summer-time (predefined)" on page 778, and "clock summer-time (recurring)" on page 779.
◆ Updated syntax for the command "snmp-server enable traps" on page 798.
◆ Added the commands "snmp-server enable port-traps mac-notification" ...
◆ Added the allow-zeros parameter to the command "ip arp inspection validate" on page 952.
◆ Added new commands under the section "Denial of Service Protection" on page 957.
◆ Added new commands under the section "Port-based Traffic Segmentation" on page 963.
◆ Included information for configuring a Layer 3 interface with the command "interface vlan" on page 1157.
◆ Added the command "switchport dot1q-tunnel service match cvid" on page 1168.
◆ Updated syntax for the command "show dot1q-tunnel" on page 1171.
◆ Added the command "traceroute6" on page 1450.
◆ Added the commands "ipv6 nd dad attempts" on page 1452, "ipv6 nd raguard" on page 1454, "show ipv6 nd raguard" on page 1456, and "ipv6 nd reachable-time" on page 1455.
CONTENTS
About This Guide
Contents
Figures
Tables
Section: Getting Started
Introduction
  Key Features
  Description of Software Features
  System Defaults
Initial Switch Configuration
  Connecting to the Switch
  Configuration Options
  Required Connections
  Remote Connections
  Basic Configuration
  Console Connection
  Setting Passwords
  Setting an IP Address
  Downloading a Configuration File Referenced by a DHCP Server
  Enabling SNMP Management Access
  Managing System Files
  ...
  Navigating the Web Browser Interface
  Home Page
  Configuration Options
  Panel Display
  Main Menu
Basic Management Tasks
  Displaying System Information
  Displaying Hardware/Software Versions
  Configuring Support for Jumbo Frames
  Displaying Bridge Extension Capabilities
  Managing System Files
  Copying Files via FTP/TFTP or HTTP
  Saving the Running Configuration to a Local File
  Setting the Start-Up File
  Showing System Files
  ...
  Configuring Transceiver Thresholds
  Performing Cable Diagnostics
  Trunk Configuration
  Configuring a Static Trunk
  Configuring a Dynamic Trunk
  Displaying LACP Port Counters
  Displaying LACP Settings and Status for the Local Side
  Displaying LACP Settings and Status for the Remote Side
  Configuring Load Balancing
  Saving Power
  Traffic Segmentation
  Enabling Traffic Segmentation
  ...
Spanning Tree Algorithm
  Overview
  Configuring Loopback Detection
  Configuring Global Settings for STA
  Displaying Global Settings for STA
  Configuring Interface Settings for STA
  Displaying Interface Settings for STA
  Configuring Multiple Spanning Trees
  Configuring Interface Settings for MSTP
Congestion Control
  Rate Limiting
  Storm Control
  Automatic Traffic Control
  Setting the ATC Timers
  ...
13 Security Measures
  AAA Authentication, Authorization and Accounting
  Configuring Local/Remote Logon Authentication
  Configuring Remote Logon Authentication Servers
  Configuring AAA Accounting
  Configuring AAA Authorization
  Configuring User Accounts
  Web Authentication
  Configuring Global Settings for Web Authentication
  Configuring Interface Settings for Web Authentication
  Network Access (MAC Address Authentication)
  Configuring Global Settings for Network Access
  Configuring Network Access for Ports
  ...
  ARP Inspection
  Configuring Global Settings for ARP Inspection
  Configuring VLAN Settings for ARP Inspection
  Configuring Interface Settings for ARP Inspection
  Displaying ARP Inspection Statistics
  Displaying the ARP Inspection Log
  Filtering IP Addresses for Management Access
  Configuring Port Security
  Configuring 802.1X Port Authentication
  Configuring 802.1X Global Settings
  Configuring Port Authenticator Settings for 802.1X
  Configuring Port Supplicant Settings for 802.1X
  ...
  Displaying LLDP Local Device Information
  Displaying LLDP Remote Device Information
  Displaying Device Statistics
  Power over Ethernet
  Setting the Switch's Overall PoE Power Budget
  Setting the Port PoE Power Budget
  Simple Network Management Protocol
  Configuring Global Settings for SNMP
  Setting the Local Engine ID
  Specifying a Remote Engine ID
  Setting SNMPv3 Views
  Configuring SNMPv3 Groups
  ...
  Configuring Maintenance End Points
  Configuring Remote Maintenance End Points
  Transmitting Link Trace Messages
  Transmitting Loop Back Messages
  Transmitting Delay-Measure Requests
  Displaying Local MEPs
  Displaying Details for Local MEPs
  Displaying Local MIPs
  Displaying Remote MEPs
  Displaying Details for Remote MEPs
  Displaying the Link Trace Cache
  Displaying Fault Notification Settings
  Displaying Continuity Check Errors
  ...
  Setting Immediate Leave Status for MLD Snooping per Interface
  Specifying Static Interfaces for an IPv6 Multicast Router
  Assigning Interfaces to IPv6 Multicast Services
  Showing MLD Snooping Groups and Source List
  Multicast VLAN Registration for IPv4
  Configuring MVR Global Settings
  Configuring MVR Domain Settings
  Configuring MVR Group Address Profiles
  Configuring MVR Interface Status
  ...
  Displaying the DNS Cache
  Dynamic Host Configuration Protocol
  Specifying a DHCP Client Identifier
  Configuring DHCP Relay Service
  Configuring the PPPoE Intermediate Agent
  Configuring PPPoE IA Global Settings
  Configuring PPPoE IA Interface Settings
  Showing PPPoE IA Statistics
18 General IP Routing
  Overview
  ...
  Getting Help on Commands
  Partial Keyword Lookup
  Negating the Effect of Commands
  Using Command History
  Understanding Command Modes
  Exec Commands
  Configuration Commands
  Command Line Processing
  Output Modifiers
  CLI Command Groups
20 General Commands
  prompt
  reload (Global Configuration)
  enable
  quit
  show history
  configure
  ...
  banner configure note
  show banner
  System Status
  show access-list tcam-utilization
  show memory
  show process cpu
  show running-config
  show startup-config
  show system
  show tech-support
  show users
  show version
  show watchdog
  watchdog software
  Frame Size
  jumbo frame
  File Management
  General Commands
  boot system
  copy
  delete
  ...
  login
  parity
  password
  password-thresh
  silent-time
  speed
  stopbits
  timeout login response
  disconnect
  terminal
  show line
  Event Logging
  logging facility
  logging history
  logging host
  logging on
  logging trap
  clear log
  show log
  show logging
  SMTP Alerts
  logging sendmail
  logging sendmail host
  logging sendmail level
  logging sendmail destination-email
  logging sendmail source-email
  ...
  ntp client
  ntp server
  show ntp
  Manual Configuration Commands
  clock summer-time (date)
  clock summer-time (predefined)
  clock summer-time (recurring)
  clock timezone
  calendar set
  show calendar
  Time Range
  time-range
  absolute
  periodic
  show time-range
  Switch Clustering
  cluster
  cluster commander
  cluster ip-pool
  cluster member
  rcommand
  show cluster
  show cluster members
  ...
  SNMPv3 Commands
  snmp-server engine-id
  snmp-server group
  snmp-server user
  snmp-server view
  show snmp engine-id
  show snmp group
  show snmp user
  show snmp view
  Notification Log Commands
  snmp-server notify-filter
  show nlm oper-status
  show snmp notify-filter
  Additional Trap Commands
  memory
  process cpu
23 Remote Monitoring
  ...
  ip telnet server
  show ip telnet
  Secure Shell
  ip ssh authentication-retries
  ip ssh server
  ip ssh server-key size
  ip ssh timeout
  delete public-key
  ip ssh crypto host-key generate
  ip ssh crypto zeroize
  ip ssh save host-key
  show ip ssh
  show public-key
  show ssh
  802.1X Port Authentication
  ...
  dot1x timeout held-period
  dot1x timeout start-period
  Information Display Commands
  show dot1x
  Management IP Filter
  management
  show management
  PPPoE Intermediate Agent
  pppoe intermediate-agent
  pppoe intermediate-agent format-type
  pppoe intermediate-agent port-enable
  pppoe intermediate-agent port-format-type
  pppoe intermediate-agent trust
  pppoe intermediate-agent vendor-tag strip
  clear pppoe intermediate-agent statistics
  show pppoe intermediate-agent info
  show pppoe intermediate-agent statistics
25 G...
  network-access port-mac-filter
  mac-authentication intrusion-action
  mac-authentication max-mac-count
  clear network-access
  show network-access
  show network-access mac-address-table
  show network-access mac-filter
  Web Authentication
  web-auth login-attempts
  web-auth quiet-period
  web-auth session-timeout
  web-auth system-auth-control
  web-auth
  web-auth re-authenticate (Port)
  web-auth re-authenticate (IP)
  show web-auth
  show web-auth interface
  show web-auth summary
  DHCPv4 Snooping
  ip dhcp snooping
  ip dhcp snooping information option
  ...
  ipv6 dhcp snooping vlan
  ipv6 dhcp snooping max-binding
  ipv6 dhcp snooping trust
  clear ipv6 dhcp snooping binding
  clear ipv6 dhcp snooping database flash
  show ipv6 dhcp snooping
  show ipv6 dhcp snooping binding
  show ipv6 dhcp snooping statistics
  IPv4 Source Guard
  ip source-guard binding
  ip source-guard
  ip source-guard max-binding
  ...
  Denial of Service Protection
  dos-protection echo-chargen
  dos-protection smurf
  dos-protection tcp-flooding
  dos-protection tcp-null-scan
  dos-protection tcp-syn-fin-scan
  dos-protection tcp-udp-port-zero
  dos-protection tcp-xmas-scan
  dos-protection udp-flooding
  dos-protection win-nuke
  show dos-protection
  Port-based Traffic Segmentation
  traffic-segmentation
  traffic-segmentation session
  traffic-segmentation uplink/downlink
  traffic-segmentation uplink-to-uplink
  show traffic-segmentation
26 Access Control Lists
  IPv4 ACLs
  ...
  show mac access-group
  show mac access-list
  ARP ACLs
  access-list arp
  permit, deny (ARP ACL)
  show access-list arp
  ACL Information
  clear access-list hardware counters
  show access-group
  show access-list
27 Interface Commands
  Interface Configuration
  interface
  alias
  capabilities
  description
  discard
  flowcontrol  1000
  media-type  1001
  ...
  show interfaces transceiver  1015
  show interfaces transceiver-threshold  1016
  Cable Diagnostics  1017
  test cable-diagnostics  1017
  show cable-diagnostics  1018
  Power Savings  1019
  power-save  1019
  show power-save  1020
28 Link Aggregation Commands  1021
  Manual Configuration Commands  1022
  port channel load-balance  1022
  channel-group  1024
  Dynamic Configuration Commands  1024
  ...
  RSPAN Mirroring Commands  1048
  rspan source  1050
  rspan destination  1051
  rspan remote vlan  1052
  no rspan session  1053
  show rspan  1053
31 Congestion Control Commands  1055
  Rate Limit Commands  1055
  rate-limit  1056
  Storm Control Commands  1057
  switchport packet-rate  1057
  Automatic Traffic Control Commands  1058
  ...
  loopback-detection recover-time  1075
  loopback-detection transmit-interval  1076
  loopback detection trap  1076
  loopback-detection release  1077
  show loopback-detection  1077
33 UniDirectional Link Detection Commands  1079
  udld message-interval  1079
  udld aggressive  1080
  udld port  1081
  show udld  1082
34 Address Table Commands  1085
  mac-address-table aging-time  1085
  ...
  ip host  1404
  ip name-server  1405
  ipv6 host  1406
  clear dns cache  1406
  clear host  1407
  show dns  1407
  show dns cache  1408
  show hosts  1408
45 DHCP Commands  1411
  DHCP Client  1411
  DHCP for IPv4  1412
  ip dhcp client class-id  1412
  ip dhcp restart client  1413
  ...
  IPv6 Interface  1432
  Interface Address Configuration and Utilities  1433
  ipv6 default-gateway  1433
  ipv6 address  1434
  ipv6 address autoconfig  1435
  ipv6 address eui-64  1436
  ipv6 address link-local  1438
  ipv6 enable  1439
  ipv6 mtu  1441
  show ipv6 default-gateway  1442
  show ipv6 interface  1442
  show ipv6 mtu  1444
  ...
  show ipv6 nd snooping prefix  1466
46 IP Routing Commands  1467
  Global Routing Configuration  1467
  IPv4 Commands  1468
  ip route  1468
  ip sw-route  1469
  show ip route  1469
  show ip route database  1470
  show ip route summary  1471
Section: Appendices  1473
  ...
FIGURES
Figure 1: Home Page
Figure 2: Front Panel Indicators
Figure 3: System Information
Figure 4: General Switch Information
Figure 5: Configuring Support for Jumbo Frames
Figure 6: Displaying Bridge Extension Configuration
Figure 7: Copy Firmware
Figure 8: Saving the Running Configuration
Figure 9: Setting Start-Up Files
Figure 10: Displaying System Files
Figure 11: Configuring Automatic Code Upgrade
...
Figure 32: Configuring Local Port Mirroring
Figure 33: Configuring Local Port Mirroring
Figure 34: Displaying Local Port Mirror Sessions
Figure 35: Configuring Remote Port Mirroring
Figure 36: Configuring Remote Port Mirroring (Source)
Figure 37: Configuring Remote Port Mirroring (Intermediate)
Figure 38: Configuring Remote Port Mirroring (Destination)
Figure 39: Showing Port Statistics (Table)
Figure 40: Showing Port Statistics (Chart)
...
Figure 68: Creating Static VLANs
Figure 69: Modifying Settings for Static VLANs
Figure 70: Showing Static VLANs
Figure 71: Configuring Static Members by VLAN Index
Figure 72: Configuring Static VLAN Members by Interface
Figure 73: Configuring Static VLAN Members by Interface Range
Figure 74: Configuring Global Status of GVRP
Figure 75: Configuring GVRP for an Interface
Figure 76: Showing Dynamic VLANs Registered on the Switch
...
Figure 104: Configuring Port Loopback Detection
Figure 105: Configuring Global Settings for STA (STP)
Figure 106: Configuring Global Settings for STA (RSTP)
Figure 107: Configuring Global Settings for STA (MSTP)
Figure 108: Displaying Global Settings for STA
Figure 109: Configuring Interface Settings for STA
Figure 110: STA Port Roles
Figure 111: Displaying Interface Settings for STA
Figure 112: Creating an MST Instance
...
Figure 140: Showing the Rules for a Class Map
Figure 141: Configuring a Policy Map
Figure 142: Showing Policy Maps
Figure 143: Adding Rules to a Policy Map
Figure 144: Showing the Rules for a Policy Map
Figure 145: Attaching a Policy Map to a Port
Figure 146: Configuring a Voice VLAN
Figure 147: Configuring an OUI Telephony List
Figure 148: Showing an OUI Telephony List
...
Figure 176: Showing Addresses Authenticated for Network Access
Figure 177: Configuring HTTPS
Figure 178: Downloading the Secure-Site Certificate
Figure 179: Configuring the SSH Server
Figure 180: Generating the SSH Host Key Pair
Figure 181: Showing the SSH Host Key Pair
Figure 182: Copying the SSH User's Public Key
Figure 183: Showing the SSH User's Public Key
Figure 184: Setting the Name of a Time Range
...
Figure 212: Configuring Interface Settings for 802.1X Port Supplicant
Figure 213: Showing Statistics for 802.1X Port Authenticator
Figure 214: Showing Statistics for 802.1X Port Supplicant
Figure 215: Protecting Against DoS Attacks
Figure 216: Setting the Filter Type for IPv4 Source Guard
Figure 217: Configuring Static Bindings for IPv4 Source Guard
Figure 218: Displaying Static Bindings for IPv4 Source Guard
Figure 219: Showing the IPv4 Source Guard Binding Table
...
Figure 248: Configuring a Remote Engine ID for SNMP
Figure 249: Showing Remote Engine IDs for SNMP
Figure 250: Creating an SNMP View
Figure 251: Showing SNMP Views
Figure 252: Adding an OID Subtree to an SNMP View
Figure 253: Showing the OID Subtree Configured for SNMP Views
Figure 254: Creating an SNMP Group
Figure 255: Showing SNMP Groups
Figure 256: Setting Community Access Strings
...
Figure 284: ERPS Ring Components
Figure 285: Ring Interconnection Architecture (Multi-ring/Ladder Network)
Figure 286: Setting ERPS Global Status
Figure 287: Sub-ring with Virtual Channel
Figure 288: Sub-ring without Virtual Channel
Figure 289: Non-ERPS Device Protection
Figure 290: Creating an ERPS Ring
Figure 291: Creating an ERPS Ring
Figure 292: Showing Configured ERPS Rings
Figure 293: Blocking an ERPS Ring Port
...
Figure 320: Displaying Statistics for OAM Messages
Figure 321: Displaying the OAM Event Log
Figure 322: Displaying Status of Remote Interfaces
Figure 323: Running a Remote Loop Back Test
Figure 324: Displaying the Results of Remote Loop Back Testing
Figure 325: Multicast Filtering Concept
Figure 326: Configuring General Settings for IGMP Snooping
Figure 327: Configuring a Static Interface for a Multicast Router
...
Figure 356: Configuring Domain Settings for MVR
Figure 357: Configuring an MVR Group Address Profile
Figure 358: Displaying MVR Group Address Profiles
Figure 359: Assigning an MVR Group Address Profile to a Domain
Figure 360: Showing the MVR Group Address Profiles Assigned to a Domain
Figure 361: Configuring Interface Settings for MVR
Figure 362: Assigning Static MVR Groups to an Interface
Figure 363: Showing the Static MVR Groups Assigned to a Port
...
Figure 392: Showing IPv6 Statistics (UDP)
Figure 393: Showing Reported MTU Values
Figure 394: Configuring General Settings for DNS
Figure 395: Configuring a List of Domain Names for DNS
Figure 396: Showing the List of Domain Names for DNS
Figure 397: Configuring a List of Name Servers for DNS
Figure 398: Showing the List of Name Servers for DNS
Figure 399: Configuring Static Entries in the DNS Table
...
SECTION: GETTING STARTED
This section provides an overview of the switch and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.
This section includes these chapters:
◆ "Introduction" on page 75
...

INTRODUCTION
This switch provides a broad range of features for Layer 2 switching and Layer 3 static routing. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch's performance for your particular network environment.
Introduction | Description of Software Features

Table 1: Key Features (Continued)
  Feature                      Description
  IEEE 802.1D Bridge           Supports dynamic data switching and address learning
  Store-and-Forward Switching  Supported to ensure wire-speed switching while eliminating bad frames
  Spanning Tree Algorithm      Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP)
  Virtual LANs                 Up to 4094 using IEEE 802.1Q, port-based, protocol-based, ...

AUTHENTICATION
This switch authenticates management access via the console port, Telnet, or a web browser. User names and passwords can be configured locally or can be verified via a remote authentication server (i.e., RADIUS or TACACS+).

...taking over the load if a port in the trunk should fail. The switch supports up to 12 trunks.

STORM CONTROL
Broadcast, multicast and unknown unicast storm suppression prevents traffic from overwhelming the network. When enabled on a port, the level of traffic passing through the port is restricted.

◆ Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w) – This protocol reduces the convergence time for network topology changes to about 3 to 5 seconds, compared to 30 seconds or more for the older IEEE 802.1D STP standard.

IEEE 802.1Q TUNNELING
This feature is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.

QUALITY OF SERVICE
Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per-hop basis. Each packet is classified upon entry into the network based on access lists, IP Precedence or DSCP values, or VLAN lists.
SYSTEM DEFAULTS
The switch's system defaults are provided in the configuration file "Factory_Default_Config.cfg". To reset the switch defaults, this file should be set as the startup configuration file. The following table lists some of the basic system defaults.

Table 2: System Defaults
  Function                Parameter ...

Table 2: System Defaults (Continued)
  Function                Parameter                Default
  SNMP                    SNMP Agent               Enabled
                          Community Strings        "public" (read only), "private" (read/write)
                          Traps                    Authentication traps: enabled; Link-up-down events: enabled
                          SNMP V3                  View: defaultview; Group: public (read only), private (read/write)
  Port Configuration      Admin Status             Enabled
  ...

Table 2: System Defaults (Continued)
  Function                Parameter                Default
  Traffic Prioritization  Ingress Port Priority
                          Queue Mode
                          Queue Weight             Queue: 0 1 2 3; Weight: 1 2 4 6
                          Class of Service         Enabled
                          IP Precedence Priority   Disabled
                          IP DSCP Priority         Disabled
  IP Settings ...
INITIAL SWITCH CONFIGURATION
This chapter includes information on connecting to the switch and basic configuration procedures.

CONNECTING TO THE SWITCH
The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface.

BASIC CONFIGURATION
Once you have set up the terminal correctly, the console login screen will be displayed. For a description of how to use the CLI, see "Using the Command Line Interface" on page 697. For a list of all the CLI commands and detailed information on using the CLI, refer to "CLI Command Groups" ...

Console(config)#username guest password 0 [password]
Console(config)#username admin password 0 [password]
Console(config)#

* This manual covers the ECS4110-28T, ECS4110-28P, ECS4110-52T and ECS4110-52P Gigabit Ethernet switches. Other than the difference in port count and support for PoE (ECS4110-28P/52P), there are no other significant differences.

SETTING AN IP ADDRESS
You must establish IP address information for the switch to obtain management access through the network. This can be done in either of the following ways:
◆ Manual — You have to input the information, including IP address and ...
To set the IP address of the default gateway for the network to which the switch belongs, type "ip default-gateway gateway," where "gateway" is the IP address of the default gateway. Press <Enter>.

Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#exit
...

  ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
ND retransmit interval is 1000 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised router lifetime is 1800 seconds
Console#
...

Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Link-local address:
  fe80::260:3eff:fe11:6700%1/64
Global unicast address(es):
  2001:db8:2222:7272::66/64, subnet is 2001:db8:2222:7272::/64
Joined group address(es):
  ff02::1:ff00:66
  ff02::1:ff11:6700
  ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
ND retransmit interval is 1000 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND reachable time is 30000 milliseconds
...
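The "show ipv6 interface" output above is what an operator reads back after assigning an address by hand or through autoconfiguration. The following Python is an added example, not code from this manual or from the switch vendor: it parses that output (a constructed copy of the sample above) into a dictionary and runs the sanity checks an operator would want before trusting the interface, namely that IPv6 is up, that duplicate address detection is still enabled with at least one attempt, that the link MTU is not below the IPv6 minimum of 1280 bytes, and that each global address actually lies inside the subnet the switch reports for it. The parser assumes the line layout shown on this page; the wording of a "ND DAD is disabled" line is an assumption, since the page only shows the enabled form.

```python
"""Parser and sanity checks for the 'show ipv6 interface' output quoted above.
Added example, not code from the switch documentation or its vendor; it assumes
the line layout shown on this page, which other firmware may print differently."""
import ipaddress
import re

# Constructed sample: a copy of the output quoted on this page for VLAN 1.
SAMPLE_OUTPUT = """\
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Link-local address:
  fe80::260:3eff:fe11:6700%1/64
Global unicast address(es):
  2001:db8:2222:7272::66/64, subnet is 2001:db8:2222:7272::/64
Joined group address(es):
  ff02::1:ff00:66
  ff02::1:ff11:6700
  ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
ND retransmit interval is 1000 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised router lifetime is 1800 seconds
Console#
"""

_IFACE_RE = re.compile(r"^(?P<name>\S+ \d+) is (?P<status>up|down)$")
_MTU_RE = re.compile(r"^IPv6 link MTU is (\d+) bytes$")
# The "disabled" wording is an assumption; the page only shows the enabled form.
_DAD_RE = re.compile(r"^ND DAD is (enabled|disabled)(?:, number of DAD attempts: (\d+))?\.?$")
_ND_RE = re.compile(r"^ND (.+?) is (\d+) (milliseconds|seconds)$")
_SECTIONS = {"Link-local address:": "link_local",
             "Global unicast address(es):": "global_unicast",
             "Joined group address(es):": "joined_groups"}


def parse_ipv6_interface(text):
    """Return {interface name: settings dict} for every interface in the output."""
    interfaces, cur, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Console#"):
            continue                                   # prompt lines and blanks
        if m := _IFACE_RE.match(line):                 # "VLAN 1 is up" opens a new interface
            cur = interfaces.setdefault(m["name"], {
                "status": m["status"], "ipv6_enabled": False, "link_local": [],
                "global_unicast": [], "joined_groups": [], "mtu": None,
                "dad_enabled": None, "dad_attempts": None, "nd": {}})
            section = None
        elif cur is None:
            continue                                   # text before the first interface
        elif line == "IPv6 is enabled.":
            cur["ipv6_enabled"], section = True, None
        elif header := next((h for h in _SECTIONS if line.startswith(h)), None):
            section, line = _SECTIONS[header], line[len(header):].strip()
        elif m := _MTU_RE.match(line):
            cur["mtu"], section = int(m.group(1)), None
        elif m := _DAD_RE.match(line):
            cur["dad_enabled"] = m.group(1) == "enabled"
            cur["dad_attempts"] = int(m.group(2) or 0)
            section = None
        elif m := _ND_RE.match(line):                  # e.g. nd["reachable_time"] == (30000, "milliseconds")
            cur["nd"][m.group(1).replace(" ", "_")] = (int(m.group(2)), m.group(3))
            section = None
        if section and line:                           # an entry of the open address list
            if section == "global_unicast":
                addr, _, subnet = line.partition(", subnet is ")
                cur[section].append((addr, subnet or None))
            else:
                cur[section].append(line)
    return interfaces


def _bare(addr):
    """'fe80::1%2/64' -> IPv6Address('fe80::1'): drop the zone id and prefix length."""
    return ipaddress.IPv6Address(addr.split("%")[0].split("/")[0])


def audit_interface(name, iface):
    """Return a list of findings; an empty list means the settings look sane."""
    findings = []
    if iface["status"] != "up" or not iface["ipv6_enabled"]:
        findings.append(f"{name}: interface is not up with IPv6 enabled")
    if not iface["dad_enabled"] or (iface["dad_attempts"] or 0) < 1:
        findings.append(f"{name}: duplicate address detection is off, so an address "
                        "conflict on the link would go unnoticed")
    if iface["mtu"] is not None and iface["mtu"] < 1280:
        findings.append(f"{name}: link MTU {iface['mtu']} is below the IPv6 minimum of 1280")
    for addr, subnet in iface["global_unicast"]:
        if subnet and _bare(addr) not in ipaddress.IPv6Network(subnet, strict=False):
            findings.append(f"{name}: {addr} is outside its reported subnet {subnet}")
    return findings


if __name__ == "__main__":
    for name, iface in parse_ipv6_interface(SAMPLE_OUTPUT).items():
        print(name, audit_interface(name, iface) or "OK")
```

Running the script against the page's sample prints "VLAN 1 OK"; replacing the DAD line with a "disabled" variant, or editing the reported subnet so the address no longer falls inside it, produces one finding each, which is the point of keeping the checks separate from the parser.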
■ To obtain IP settings via BOOTP, type "ip address bootp" and press <Enter>.
Type "end" to return to the Privileged Exec mode. Press <Enter>.
Wait a few minutes, and then check the IP configuration settings by typing the "show ip interface" ...

IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
ND retransmit interval is 1000 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised router lifetime is 1800 seconds
Console#

DOWNLOADING A CONFIGURATION FILE REFERENCED BY A DHCP SERVER
Information passed on to the switch from a DHCP server may also include a configuration file to be downloaded and the TFTP servers where that file can be accessed. If the Factory Default Configuration file is used to provision the switch at startup, in addition to requesting IP configuration ...

Table 4: Options 55 and 124 Statements
  Statement
  Option Keyword                 Parameter
  dhcp-parameter-request-list    a list of parameters, separated by ','
  vendor-class-identifier        a string indicating the vendor class identifier

The following configuration examples are provided for a Linux-based DHCP daemon (dhcpd.conf file).
...requested by the managers) through trap messages, which inform the manager that certain events have occurred. The switch includes an SNMP agent that supports SNMP version 1, 2c, and 3 clients. To provide management access for version 1 or 2c clients, you must specify a community string.

TRAP RECEIVERS
You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, use the "snmp-server host" command. From the Privileged Exec level global configuration mode prompt, type:
"snmp-server host host-address community-string [version {1 | 2c | 3 {auth | noauth | priv}}]" ...

MANAGING SYSTEM FILES
The switch's flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch's file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.

...contain slashes (\ or /), and the leading letter of the file name must not be a period (.). (Valid characters: A-Z, a-z, 0-9, ".", "-", "_")
There can be more than one user-defined configuration file saved in the switch's flash memory, but only one is designated as the "startup" ...
SECTION: WEB CONFIGURATION
This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser.
This section includes these chapters:
◆ "Using the Web Interface" on page 103
◆ "Basic Management Tasks" on page 123
...
◆ "General IP Routing" on page 679

USING THE WEB INTERFACE
This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 6, Mozilla Firefox 4, or Google Chrome 29, or more recent versions).

Main Menu links are used to navigate to other menus, and display configuration parameters and statistics.
Figure 1: Home Page

...Active (i.e., up or down), Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control).
Figure 2: Front Panel Indicators (ECS4110-28T, ECS4110-28P, ECS4110-52T, ECS4110-52P)

NAVIGATING THE WEB BROWSER INTERFACE
Using the onboard web agent, you can define system parameters, manage and control the switch and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.

Table 6: Switch Main Menu
  Menu                        Description                                                                          Page
  ...
Table 6: Switch Main Menu (Continued)
  Menu                        Description
  Show Information            Displays port connection status
  Mirror                      Sets the source and target ports for mirroring
  Show                        Shows the configured mirror sessions
  Statistics                  Shows Interface, Etherlike, and RMON port statistics
  Chart                       ...
  Statistics                  Shows Interface, Etherlike, and RMON port statistics
  Chart                       Shows Interface, Etherlike, and RMON port statistics
  Load Balance                Sets the load-distribution method among ports in aggregated links
  Green Ethernet              Adjusts the power provided to ports based on the length of the cable used to connect to other devices
  ...
  IP Subnet                   Maps IP subnet traffic to a VLAN
  Show                        Shows IP subnet to VLAN mapping
  MAC-Based                   Maps traffic with specified source MAC address to a VLAN
  Show                        Shows source MAC address to VLAN mapping
  Mirror                      ...
  Add Member                  Adds VLAN members for an MST instance
  Show Member                 Adds or deletes VLAN members for an MST instance
  Show Information            Shows global settings for an MST instance
  Configure Interface         ...
  Configure Policy            Creates a policy map to apply to multiple interfaces
  Show                        Shows configured policy maps
  Modify                      Modifies the name of a policy map
  Add Rule                    Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic
  ...
  Authorization               Enables authorization of requested services
  Configure Method            Configures authorization for various service types
  Show                        Shows the authorization settings used for various service types
  Configure Service           Sets the authorization method used for the console port, and for Telnet ...
  Access Control Lists
  Configure Time Range        Configures the time to apply an ACL
                              Specifies the name of a time range
  Show                        Shows the name of configured time ranges
  Add Rule                    ...
  Supplicant                  Sets port supplicant settings
  Show Statistics             Displays protocol statistics for the selected port
  Authenticator               Displays protocol statistics for port authenticator
  Supplicant                  Displays protocol statistics for port supplicant
  DoS Protection              ...
  Show Local Device Information
  General                     Displays general information about the local device
  Port/Trunk                  Displays information about each interface
  Show Remote Device Information
  Port/Trunk                  Displays information about a remote device connected to a port on this switch
  ...
  Configure Trap              Configures notification managers to receive messages on key events that occur on this switch
  Show                        Shows configured notification managers
  Configure Notify Filter     Creates an SNMP notification log
  Show                        ...
  Show                        Shows list of configured ERPS rings, status, and settings
  Configure Details           Configures ring parameters
  Configure Operation         Blocks a ring port using Forced Switch or Manual Switch commands
  Connectivity Fault Management
  Configure Global            Configures global settings, including administrative status, cross-...
  Show Remote MEP Details     Displays detailed CFM information about a specified remote MEP in the continuity check database
  Show Link Trace Cache       Shows information about link trace operations launched from this device
  Show Fault Notification Generator  ...
  IPv6 Configuration
  Configure Global            Sets an IPv6 default gateway for traffic with no known next hop
  Configure Interface         Configures IPv6 interface address using auto-configuration or link-local address, and sets related protocol settings
  Add IPv6 Address            Adds a global unicast, EUI-64, or link-local IPv6 address to an ...
Page 120
| Using the Web Interface HAPTER Navigating the Web Browser Interface Table 6: Switch Main Menu (Continued) Menu Description Page PPPoE Intermediate Agent Configure Global Enables PPPoE IA on the switch, sets access node identifier, sets generic error message Configure Interface Enables PPPoE IA on an interface, sets trust status, enables vendor tag stripping, sets circuit ID and remote ID Show Statistics...
Page 121
| Using the Web Interface HAPTER Navigating the Web Browser Interface Table 6: Switch Main Menu (Continued) Menu Description Page Show Trunk Statistics Shows statistics for protocol messages, number of active groups MLD Snooping General Enables multicast filtering; configures parameters for IPv6 multicast snooping Interface Configures Immediate Leave status for a VLAN...
Page 122
| Using the Web Interface HAPTER Navigating the Web Browser Interface Table 6: Switch Main Menu (Continued) Menu Description Page Show Trunk Statistics Shows statistics for protocol messages and number of active groups MVR6 Multicast VLAN Registration for IPv6 Configure Global Configures proxy switching and robustness value Configure Domain Enables MVR for a domain, sets the MVR VLAN, forwarding priority,...
Basic Management Tasks
This chapter describes the following topics:
◆ Displaying System Information – Provides basic system description, including contact information.
◆ Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions.
◆ Configuring Support for Jumbo Frames –...
◆ System Object ID – MIB II object ID for switch’s network management subsystem.
■ ECS4110-52T – 1.3.6.1.4.1.259.10.1.39.101
■ ECS4110-52P – 1.3.6.1.4.1.259.10.1.39.102
■ ECS4110-28T – 1.3.6.1.4.1.259.10.1.39.103
■ ECS4110-28P – 1.3.6.1.4.1.259.10.1.39.104
◆ System Up Time – Length of time the management agent has been...
◆ Operation Code Version – Version number of runtime code.
◆ Thermal Detector – The switch monitors the temperature registered by the PHY ICs. (The ECS4110-28T/P does not support this feature.)
◆ Temperature – The highest reported temperature on the board....
Web Interface
To view hardware and software version information: Click System, then Switch.
Figure 4: General Switch Information
Configuring Support for Jumbo Frames
Use the System > Capability page to configure support for Layer 2 jumbo frames.
Web Interface
To configure support for jumbo frames: Click System, then Capability. Enable or disable support for jumbo frames. Click Apply.
Figure 5: Configuring Support for Jumbo Frames
Displaying Bridge Extension Capabilities
Use the System >...
◆ Configurable PVID Tagging – This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port. (Refer to "VLAN Configuration"...
Managing System Files
This section describes how to upgrade the switch operating software or configuration files, and set the system start-up files.
Copying Files via FTP/TFTP/HTTP
Use the System > File (Copy) page to upload/download firmware or configuration settings using FTP, TFTP or HTTP.
or 127 characters for files on the server. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) Up to two copies of the system software (i.e., the runtime firmware) can be stored in the file directory on the switch. The maximum number of user-defined configuration files is limited only by available flash memory space.
Saving the Running Configuration to a Local File
Use the System > File (Copy) page to save the current configuration settings to a local file on the switch. The configuration settings are not automatically saved by the system for subsequent use when the switch is rebooted.
If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu.
Setting the Start-Up File
Use the System > File (Set Start-Up) page to specify the firmware or configuration file to use for system initialization.
Web Interface
To show the system files: Click System, then File. Select Show from the Action list. To delete a file, mark it in the File List and click Delete.
Figure 10: Displaying System Files
Use the System >...
◆ The FTP connection is made with PASV mode enabled. PASV mode is needed to traverse some firewalls, even if FTP traffic is not blocked. PASV mode cannot be disabled.
◆ The switch-based search function is case-insensitive in that it will...
◆ Automatic Upgrade Location URL – Defines where the switch should search for the operation code upgrade file. The last character of this URL must be a forward slash (“/”). The ecs4110-series.bix filename must not be included since it is automatically appended by the switch.
■ tftp://192.168.0.1/switch-opcode/ – The image file is in the “switch-opcode” directory, relative to the TFTP root.
■ tftp://192.168.0.1/switches/opcode/ – The image file is in the “opcode” directory, which is within the “switches” parent directory, relative to the TFTP root.
The following examples demonstrate the URL syntax for an FTP server at IP address 192.168.0.1 with various user name, password and file location options:...
If a new image is found at the specified location, the following type of messages will be displayed during bootup.
Automatic Upgrade is looking for a new image
New image detected: current version 1.0.1.5; new version 1.1.2.0
Image upgrade in progress
The switch will restart after upgrade succeeds
Downloading new image...
◆ Day – Sets the day of the month. (Range: 1-31)
◆ Year – Sets the year. (Range: 1970-2037)
Web Interface
To manually set the system clock: Click System, then Time. Select Configure General from the Step list. Select Manual from the Maintain Type list.
Select SNTP from the Maintain Type list. Modify the polling interval if required. Click Apply.
Figure 13: Setting the Polling Interval for SNTP
Configuring NTP
Use the System > Time (Configure General - NTP) page to configure NTP authentication and show the polling interval at which the switch will query the specified time servers.
Enable authentication if required. Click Apply.
Figure 14: Configuring NTP
Configuring Time Servers
Use the System > Time (Configure Time Server) pages to specify the IP address for NTP/SNTP time servers, or to set the authentication key for NTP time servers.
Figure 15: Specifying SNTP Time Servers
Specifying NTP Time Servers
Use the System > Time (Configure Time Server – Add NTP Server) page to add the IP address for up to 50 NTP time servers.
CLI References
"ntp server"...
Figure 16: Adding an NTP Time Server
To show the list of configured NTP time servers: Click System, then Time. Select Configure Time Server from the Step list. Select Show NTP Server from the Action list.
Figure 17: Showing the NTP Time Server List
Specifying NTP Authentication Keys...
Web Interface
To add an entry to the NTP authentication key list: Click System, then Time. Select Configure Time Server from the Step list. Select Add NTP Authentication Key from the Action list. Enter the index number and MD5 authentication key string.
Setting the Time Zone
Use the System > Time (Configure Time Server) page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England.
Configuring the Console Port
Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port.
The password for the console connection can only be configured through the CLI (see "password" on page 752). Password checking can be enabled or disabled for logging in to the console connection (see "login"...
Parameters
The following parameters are displayed:
◆ Telnet Status – Enables or disables Telnet access to the switch. (Default: Enabled)
◆ TCP Port – Sets the TCP port number for Telnet on the switch. (Range: 1-65535;...
Figure 22: Telnet Connection Settings
Displaying CPU Utilization
Use the System > CPU Utilization page to display information on CPU utilization.
CLI References
◆ "show process cpu" on page 729
Parameters
The following parameters are displayed:
◆ Time Interval –...
Figure 23: Displaying CPU Utilization
Displaying Memory Utilization
Use the System > Memory Status page to display memory utilization parameters.
CLI References
◆ "show memory" on page 728
Parameters
The following parameters are displayed:
◆...
Resetting the System
Use the System > Reset menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval.
CLI References
◆ "reload (Privileged Exec)" on page 714...
◆ At – Specifies a time at which to reload the switch.
■ DD - The day of the month at which to reload. (Range: 01-31)
■ MM - The month at which to reload. (Range: 01-12)
■...
Figure 25: Restarting the Switch (Immediately)
Figure 26: Restarting the Switch (In)
Figure 27: Restarting the Switch (At)
Figure 28: Restarting the Switch (Regularly)
Interface Configuration
This chapter describes the following topics:
◆ Port Configuration – Configures connection settings, including auto-negotiation, or manual setting of speed, duplex mode, and flow control.
◆ Local Port Mirroring – Sets the source and target ports for mirroring on...
Port Configuration
This section describes how to configure port connections, mirror traffic from one port to another, and run cable diagnostics.
Configuring by Port List
Use the Interface > Port > General (Configure by Port List) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
■ SFP-Forced 1000SFP - Forces port to use 1000BASE SFP mode.
■ SFP-Forced 100FX - Forces port to use 100BASE-FX mode.
◆ Autonegotiation (Port Capabilities) – Allows auto-negotiation to be enabled/disabled. When auto-negotiation is enabled, you need to specify the capabilities to be advertised.
Figure 29: Configuring Connections by Port List
Configuring by Port Range
Use the Interface > Port > General (Configure by Port Range) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
Figure 30: Configuring Connections by Port Range
Displaying Connection Status
Use the Interface > Port > General (Show Information) page to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation.
CLI References
"show interfaces status"...
Figure 31: Displaying Port Information
Configuring Local Port Mirroring
Use the Interface > Port > Mirror page to mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing...
◆ Spanning Tree BPDU packets are not mirrored to the target port.
◆ The destination port cannot be a trunk or trunk member port.
Parameters
These parameters are displayed:
◆ Source Port – The port whose traffic will be monitored....
Figure 34: Displaying Local Port Mirror Sessions
Configuring Remote Port Mirroring
Use the Interface > RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch. This feature, also called Remote Switched Port Analyzer (RSPAN), carries traffic generated on the...
Configuration Guidelines
Take the following steps to configure an RSPAN session:
◆ Use the VLAN Static List (see "Configuring VLAN Groups" on page 202) to reserve a VLAN for use by RSPAN (marking the “Remote VLAN”...
■ Port Security – If port security is enabled on any port, that port cannot be set as an RSPAN uplink port, even though it can still be configured as an RSPAN source or destination port. Also, when a port is configured as an RSPAN uplink port, port security cannot be enabled on that port.
◆ Destination Port – Specifies the destination port to monitor the traffic mirrored from the source ports. Only one destination port can be configured on the same switch per session, but a destination port can be configured on more than one switch for the same session.
Figure 38: Configuring Remote Port Mirroring (Destination)
Showing Port or Trunk Statistics
Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
Table 7: Port Statistics (Continued)
Parameter – Description
Transmitted Errors – The number of outbound packets that could not be transmitted because of errors.
Received Unicast Packets – The number of subnetwork-unicast packets delivered to a higher-layer protocol.
Internal MAC Receive Errors – A count of frames for which reception on a particular interface fails due to an internal MAC sublayer receive error.
Internal MAC Transmit Errors – A count of frames for which transmission on a particular interface fails due to an internal MAC sublayer transmit error.
Web Interface
To show a list of port statistics: Click Interface, Port, Statistics. Select the statistics mode to display (Interface, Etherlike, RMON or Utilization). Select a port from the drop-down list. Use the Refresh button to update the screen.
Figure 39: Showing Port Statistics (Table)
To show a chart of port statistics: Click Interface, Port, Chart. Select the statistics mode to display (Interface, Etherlike, RMON or All). If the Interface, Etherlike, or RMON statistics mode is chosen, select a port from the drop-down list. If the All (ports) statistics mode is chosen, select the statistics type to display.
Parameters
These parameters are displayed:
◆ Port – Port number. (Range: 25-28/49-52)
◆ General – Information on connector type and vendor-related parameters.
◆ DDM Information – Information on temperature, supply voltage, laser bias current, laser power, and received optical power. The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers.
Configuring Transceiver Thresholds
Use the Interface > Port > Transceiver page to configure thresholds for alarm and warning messages for optical transceivers which support Digital Diagnostic Monitoring (DDM). This page also displays identifying information for supported transceiver types, and operational parameters for transceivers which support DDM.
■ High Warning – Sends a warning message when the high threshold is crossed.
■ High Alarm – Sends an alarm message when the high threshold is crossed.
The configurable ranges are:
■ Temperature: -128.00-128.00 °C...
Figure 42: Configuring Transceiver Thresholds
Performing Cable Diagnostics
Use the Interface > Port > Cable Test page to test the cable attached to a port. The cable test will check for any cable faults (short, open, etc.). If a fault is found, the switch reports the length to the fault.
■ Impedance mismatch: Terminating impedance is not in the reference range.
◆ Ports are linked down while running cable diagnostics.
Parameters
These parameters are displayed:
◆ Port – Switch port identifier.
◆ Type – Displays media type. (GE – Gigabit Ethernet, Other – SFP)...
Trunk Configuration
This section describes how to configure static and dynamic trunks. You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices.
Configuring a Static Trunk
Use the Interface > Trunk > Static page to create a trunk, assign member ports, and configure the connection parameters.
Figure 44: Configuring Static Trunks (statically configured active links)
CLI References
"Link Aggregation Commands"...
Set the unit and port for the initial trunk member. Click Apply.
Figure 45: Creating Static Trunks
To add member ports to a static trunk: Click Interface, Trunk, Static. Select Configure Trunk from the Step list. Select Add Member from the Action list.
Figure 47: Configuring Connection Parameters for a Static Trunk
To display trunk connection parameters: Click Interface, Trunk, Static. Select Configure General from the Step list. Select Show Information from the Action list.
Figure 48: Showing Information for Static Trunks
Use the Interface >...
Command Usage
◆ To avoid creating a loop in the network, be sure you enable LACP before connecting the ports, and also disconnect the ports before disabling LACP.
◆ If the target switch has also enabled LACP on the connected ports, the...
■ Long Timeout – Specifies a slow timeout of 90 seconds. (This is the default setting.)
■ Short Timeout – Specifies a fast timeout of 3 seconds.
The timeout is set in the LACP timeout bit of the Actor State field in transmitted LACPDUs.
more ports have the same LACP port priority, the port with the lowest physical port number will be selected as the backup port.
■ If a LAG already exists with the maximum number of allowed port...
To enable LACP for a port: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Configure from the Action list. Click General. Enable LACP on the required ports. Click Apply.
Figure 51: Enabling LACP on a Port
To configure LACP parameters for group members: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Configure from the Action list. Click Actor or Partner. Configure the required settings. Click Apply.
Figure 52: Configuring LACP Parameters on a Port
To show the active members of a dynamic trunk: Click Interface, Trunk, Dynamic.
To configure connection parameters for a dynamic trunk: Click Interface, Trunk, Dynamic. Select Configure Trunk from the Step list. Select Configure from the Action list. Modify the required interface settings. (See "Configuring by Port List" on page 156 for a description of the interface settings.) Click Apply.
Parameters
These parameters are displayed:
Table 8: LACP Port Counters
Parameter – Description
LACPDUs Sent – Number of valid LACPDUs transmitted from this channel group.
LACPDUs Received – Number of valid LACPDUs received on this channel group.
Marker Sent – Number of valid Marker PDUs transmitted from this channel group.
Displaying LACP Settings and Status for the Local Side
Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Internal) page to display the configuration settings and operational state for the local side of a link aggregation.
CLI References...
Figure 57: Displaying LACP Port Internal Information
Displaying LACP Settings and Status for the Remote Side
Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation.
Web Interface
To display LACP settings and status for the remote side: Click Interface, Trunk, Dynamic. Select Configure Aggregation Port from the Step list. Select Show Information from the Action list. Click Internal. Select a group member from the Port list.
Figure 58: Displaying LACP Port Remote Information
Use the Interface >...
for switch-to-router trunk links where traffic through the switch is destined for many different hosts. Do not use this mode for switch-to-server trunk links where the destination IP address is the same for all traffic.
■ Destination MAC Address: All traffic with the same destination...
Web Interface
To display the load-distribution method used by ports in aggregated links: Click Interface, Trunk, Load Balance. Select the required method from the Load Balance Mode list. Click Apply.
Figure 59: Configuring Load Balancing
Saving Power
Use the Interface >...
■ Power saving when there is a link partner: Traditional Ethernet connections typically operate with enough power to support at least 100 meters of cable even though average network cable length is shorter. When cable length is shorter, power consumption can be reduced since signal attenuation is proportional to cable length.
Traffic Segmentation
If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients.
Figure 61: Enabling Traffic Segmentation
Configuring Uplink and Downlink Ports
Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports.
assigned downlink ports will not be able to communicate with any other ports.
◆ If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports.
Parameters
These parameters are displayed:
◆ Session ID –...
To show the members of the traffic segmentation group: Click Interface, Traffic Segmentation. Select Configure Session from the Step list. Select Show from the Action list.
Figure 63: Showing Traffic Segmentation Members
VLAN Trunking
Use the Interface >...
connecting VLANs 1 and 2, you only need to create these VLAN groups in switches A and B. Switches C, D and E automatically allow frames with VLAN group tags 1 and 2 (groups that are unknown to those switches) to pass through their VLAN trunking ports.
VLAN C ONFIGURATION This chapter includes the following topics: IEEE 802.1Q VLANs – Configures static and dynamic VLANs. ◆ IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain ◆ customer-specific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs.
Page 200
| VLAN Configuration HAPTER IEEE 802.1Q VLANs VLANs provide greater network efficiency by reducing broadcast traffic, and allow you to make network changes without having to update IP addresses or IP subnets. VLANs inherently provide a high level of network security since traffic must pass through a configured Layer 3 link to reach a different VLAN.
Page 201
| VLAN Configuration HAPTER IEEE 802.1Q VLANs VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port).
| VLAN Configuration HAPTER IEEE 802.1Q VLANs Figure 67: Using GVRP Port-based VLAN 10 11 15 16 Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
Page 203
| VLAN Configuration HAPTER IEEE 802.1Q VLANs Status – Enables or disables the specified VLAN. ◆ Remote VLAN – Reserves this VLAN for RSPAN (see "Configuring ◆ Remote Port Mirroring" on page 162). Modify VLAN ID – ID of configured VLAN (1-4094). ◆...
Page 204
| VLAN Configuration HAPTER IEEE 802.1Q VLANs Figure 68: Creating Static VLANs To modify the configuration settings for VLAN groups: Click VLAN, Static. Select Modify from the Action list. Select the identifier of a configured VLAN. Modify the VLAN name, operational status, or Layer 3 Interface status as required.
| VLAN Configuration HAPTER IEEE 802.1Q VLANs Use the VLAN > Static (Edit Member by VLAN, Edit Member by Interface, or DDING TATIC Edit Member by Interface Range) pages to configure port members for the VLAN EMBERS TO selected VLAN index, interface, or a range of interfaces. Use the menus for editing port members to configure the VLAN behavior for specific interfaces, including the mode of operation (Hybrid or 1Q Trunk), the default VLAN identifier (PVID), accepted frame types, and ingress filtering.
Page 206
| VLAN Configuration HAPTER IEEE 802.1Q VLANs Acceptable Frame Type – Sets the interface to accept all frame ◆ types, including tagged or untagged frames, or only tagged frames. When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN.
Page 207
| VLAN Configuration HAPTER IEEE 802.1Q VLANs Edit Member by Interface Range All parameters are the same as those described under the earlier section for Edit Member by VLAN, except for the items shown below. Port Range – Displays a list of ports. (Range: 1-28/52) ◆...
Page 208
| VLAN Configuration HAPTER IEEE 802.1Q VLANs Click Apply. Figure 72: Configuring Static VLAN Members by Interface To configure static members by interface range: Click VLAN, Static. Select Edit Member by Interface Range from the Action list. Set the Interface type to display as Port or Trunk. Enter an interface range.
| VLAN Configuration HAPTER IEEE 802.1Q VLANs Use the VLAN > Dynamic page to enable GVRP globally on the switch, or to ONFIGURING enable GVRP and adjust the protocol timers per interface. VLAN YNAMIC EGISTRATION CLI R EFERENCES "GVRP and Bridge Extension Commands" on page 1150 ◆...
Page 210
| VLAN Configuration HAPTER IEEE 802.1Q VLANs the group. (Range: 500-18000 centiseconds; Default: 1000 centiseconds) Show Dynamic VLAN – Show VLAN VLAN ID – Identifier of a VLAN this switch has joined through GVRP. VLAN Name – Name of a VLAN this switch has joined through GVRP. Status –...
Page 211
| VLAN Configuration HAPTER IEEE 802.1Q VLANs Figure 75: Configuring GVRP for an Interface To show the dynamic VLAN joined by this switch: Click VLAN, Dynamic. Select Show Dynamic VLAN from the Step list. Select Show VLAN from the Action list. Figure 76: Showing Dynamic VLANs Registered on the Switch To show the members of a dynamic VLAN: Click VLAN, Dynamic.
IEEE 802.1Q Tunneling

IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.

Figure 78: QinQ Operational Concept (diagram labels: Customer A (VLANs 1-10) at both ends; Service Provider VLAN 10 between edge switch A and edge switch B; Tunnel Access Port on each edge switch; Tunnel...)

Layer 2 Flow for Packets Coming into a Tunnel Uplink Port

An uplink port receives one of the following packets:
◆ Untagged
◆ One tag (CVLAN or SPVLAN)
◆ Double tag (CVLAN + SPVLAN)
...

Configuration Limitations for QinQ

◆ The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN.
Enabling QinQ Tunneling on the Switch

Use the VLAN > Tunnel (Configure Global) page to configure the switch to operate in IEEE 802.1Q (QinQ) tunneling mode, which is used for passing Layer 2 traffic across a service provider’s metropolitan area network. You can also globally set the Tag Protocol Identifier (TPID) value of the tunnel port if the attached client is using a nonstandard 2-byte ethertype to...

Figure 79: Enabling QinQ Tunneling

Creating CVLAN to SPVLAN Mapping Entries

Use the VLAN > Tunnel (Configure Service) page to create a CVLAN to SPVLAN mapping entry.

CLI References
◆ "switchport dot1q-tunnel service match cvid" on page 1168
...

◆ Service VLAN ID – VLAN ID for the outer VLAN tag. (Range: 1-4094)

Web Interface
To configure a mapping entry:
Click VLAN, Tunnel.
Select Configure Service from the Step list.
Select Add from the Action list.
Select an interface from the Port list.

The preceding example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2. For a more detailed example, see the switchport dot1q-tunnel service match cvid command.
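The following is an added example, not code from this manual or its vendor: a byte-level model of the two operations the tunneling sections describe, classifying a frame arriving at an uplink port as untagged, single-tagged or double-tagged, and pushing the outer service tag at a tunnel access port using the CVID 2 to SVID 99 mapping from the text. The TPID of the outer tag is passed in by the caller (0x8100 by default here, which is an assumption, not the switch's configured value), the fallback SVID for frames whose CVID has no mapping entry is a parameter of the model, and all frames are constructed inline.

```python
import struct

TPID_8100 = 0x8100   # standard IEEE 802.1Q tag protocol identifier
TPID_88A8 = 0x88A8   # IEEE 802.1ad service tag identifier

# Mapping entry from the text: packets with CVID 2 get SVID 99 in the outer tag.
CVID_TO_SVID = {2: 99}


def parse_tags(frame: bytes):
    """Return (tags, ethertype): every 802.1Q header after the two MAC
    addresses as (tpid, pcp, dei, vid), outermost first, plus the
    EtherType of the payload that follows the last tag."""
    tags = []
    offset = 12  # destination MAC (6) + source MAC (6)
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8100, TPID_88A8):
            return tags, ethertype
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4


def classify(frame: bytes) -> str:
    """The three cases listed for a tunnel uplink port."""
    tags, _ = parse_tags(frame)
    names = {0: "untagged", 1: "one tag", 2: "double tag"}
    return names.get(len(tags), "more than two tags")


def push_service_tag(frame: bytes, svid: int, tpid: int = TPID_8100, pcp: int = 0) -> bytes:
    """Insert an outer tag carrying svid directly after the MAC addresses,
    leaving any customer tag intact as the inner tag."""
    if not 1 <= svid <= 4094:
        raise ValueError("SVID must be in the range 1-4094")
    tci = (pcp << 13) | svid
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def tunnel_access_ingress(frame: bytes, mapping=CVID_TO_SVID,
                          default_svid=None, tpid: int = TPID_8100) -> bytes:
    """Choose the outer SVID from the frame's CVID via the mapping table;
    an unmapped or untagged frame falls back to default_svid (assumed
    behaviour for this model)."""
    tags, _ = parse_tags(frame)
    cvid = tags[0][3] if tags else None
    svid = mapping.get(cvid, default_svid)
    if svid is None:
        raise ValueError("no SPVLAN available for this frame")
    return push_service_tag(frame, svid, tpid)


def build_frame(dst_mac: str, src_mac: str, ethertype: int = 0x0800,
                cvid=None, payload: bytes = b"\x00" * 4) -> bytes:
    """Constructed sample frame with an optional single customer tag."""
    header = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    if cvid is not None:
        header += struct.pack("!HH", TPID_8100, cvid)
    return header + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    customer = build_frame("001122334455", "66778899aabb", cvid=2)
    print(classify(customer))                       # one tag
    provider = tunnel_access_ingress(customer, default_svid=10)
    print(classify(provider), parse_tags(provider))  # double tag, outer 99 then inner 2
```

Running the block shows the inner customer tag (CVID 2) preserved beneath the outer service tag (SVID 99), which is exactly the property QinQ relies on to keep customers with overlapping VLAN IDs apart; the classify function is where an uplink port decides which of the three cases it is handling.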
Click Apply.

Figure 82: Adding an Interface to a QinQ Tunnel

Protocol VLANs

The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol.

Figure 83: Configuring Protocol VLANs

To configure a protocol group:
Click VLAN, Protocol.
Select Configure Protocol from the Step list.
Select Show from the Action list.

Figure 84: Displaying Protocol VLANs

Mapping Protocol...

Use the VLAN > Protocol (Configure Interface - Add) page to map a protocol group to a VLAN for each interface that will participate in the...

◆ When a frame enters a port that has been assigned to a protocol VLAN, it is processed in the following manner:
  ■ If the frame is tagged, it will be processed according to the standard...

Figure 85: Assigning Interfaces to Protocol VLANs

To show the protocol groups mapped to a port or trunk:
Click VLAN, Protocol.
Select Configure Interface from the Step list.
Select Show from the Action list.
Select a port or trunk.
Configuring IP Subnet VLANs

Use the VLAN > IP Subnet page to configure IP subnet-based VLANs. When using port-based classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port.

Web Interface
To map an IP subnet to a VLAN:
Click VLAN, IP Subnet.
Select Add from the Action list.
Enter an address in the IP Address field.
Enter a mask in the Subnet Mask field.
Enter the identifier in the VLAN field.

Configuring MAC-based VLANs

Use the VLAN > MAC-Based page to configure VLAN based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to source MAC addresses. When MAC-based VLAN classification is enabled, untagged frames received by a port are assigned to the VLAN which is mapped to the frame’s source MAC address.

Web Interface
To map a MAC address to a VLAN:
Click VLAN, MAC-Based.
Select Add from the Action list.
Enter an address in the MAC Address field, and a mask to indicate a range of addresses.
Enter an identifier in the VLAN field.
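The following is an added example that is not part of the manual or the vendor's code. It models how an untagged frame is classified under the three mechanisms above (the MAC address plus mask rules of the MAC-based VLAN page, the IP address plus subnet mask rules of the IP Subnet page, and the port PVID as the fallback). The order in which the three are consulted, and the rule that a longer MAC mask or subnet mask wins over a shorter one, are assumptions of this model rather than statements from the manual; the rules and frames are constructed.

```python
import ipaddress
from typing import Optional, Tuple


def mac_to_int(mac: str) -> int:
    """Accept xx-xx-xx-xx-xx-xx, xx:xx:xx:xx:xx:xx or xxxxxxxxxxxx."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


class UntaggedFrameClassifier:
    """VLAN assignment for untagged frames: MAC rule, then subnet rule, then PVID
    (consultation order is an assumption of this model)."""

    def __init__(self, pvid_by_port):
        self.pvid_by_port = dict(pvid_by_port)
        self.mac_rules = []      # (masked address, mask, vlan), longest mask first
        self.subnet_rules = []   # (network, vlan), longest prefix first

    def add_mac_rule(self, mac: str, mask: str, vlan: int) -> None:
        mask_int = mac_to_int(mask)
        self.mac_rules.append((mac_to_int(mac) & mask_int, mask_int, vlan))
        self.mac_rules.sort(key=lambda r: bin(r[1]).count("1"), reverse=True)

    def add_subnet_rule(self, ip: str, subnet_mask: str, vlan: int) -> None:
        # ipaddress accepts a dotted netmask in the prefix position
        net = ipaddress.ip_network(f"{ip}/{subnet_mask}", strict=False)
        self.subnet_rules.append((net, vlan))
        self.subnet_rules.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def classify(self, port: int, src_mac: str,
                 src_ip: Optional[str] = None) -> Tuple[int, str]:
        """Return (vlan, reason) for an untagged frame received on port."""
        src = mac_to_int(src_mac)
        for addr, mask, vlan in self.mac_rules:
            if src & mask == addr:
                return vlan, "mac"
        if src_ip is not None:
            ip = ipaddress.ip_address(src_ip)
            for net, vlan in self.subnet_rules:
                if ip in net:
                    return vlan, "subnet"
        return self.pvid_by_port[port], "pvid"


if __name__ == "__main__":
    # Constructed rule set: one vendor-range MAC rule, one host MAC rule, one subnet.
    c = UntaggedFrameClassifier({1: 1, 2: 20})
    c.add_mac_rule("00-E0-4C-00-00-00", "FF-FF-FF-00-00-00", 200)
    c.add_mac_rule("00-E0-4C-12-34-56", "FF-FF-FF-FF-FF-FF", 201)
    c.add_subnet_rule("10.1.2.0", "255.255.255.0", 300)
    print(c.classify(1, "00-E0-4C-AA-BB-CC", "10.1.2.5"))   # (200, 'mac')
    print(c.classify(2, "AA-BB-CC-DD-EE-FF", "192.0.2.1"))  # (20, 'pvid')
```

The point for an operator is that a source MAC or source IP address is under the sender's control, so a MAC- or subnet-based VLAN rule should be read as a convenience classifier, not as an access control; a host that forges a matching address lands in that VLAN.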
Configuring VLAN Mirroring

Use the VLAN > Mirror (Add) page to mirror traffic from one or more source VLANs to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source VLAN(s) in a completely unobtrusive manner.

Web Interface
To configure VLAN mirroring:
Click VLAN, Mirror.
Select Add from the Action list.
Select the source VLAN, and select a target port.
Click Apply.

Figure 91: Configuring VLAN Mirroring

To show the VLANs to be mirrored:
Click VLAN, Mirror.
Address Table Settings

Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.

Configuring MAC Address Learning

◆ Also note that MAC address learning cannot be disabled if any of the following conditions exist:
  ■ 802.1X Port Authentication has been globally enabled on the switch (see "Configuring 802.1X Global Settings" on page 389).

Setting Static Addresses

Use the MAC Address > Static page to configure static MAC addresses. A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.

Click Apply.

Figure 94: Configuring Static MAC Addresses

To show the static addresses in the MAC address table:
Click MAC Address, Static.
Select Show from the Action list.

Figure 95: Displaying Static MAC Addresses

Changing the Aging Time

Use the MAC Address >...

Web Interface
To set the aging time for entries in the dynamic address table:
Click MAC Address, Dynamic.
Select Configure Aging from the Action list.
Modify the aging status if required.
Specify a new aging time.

Web Interface
To show the dynamic address table:
Click MAC Address, Dynamic.
Select Show Dynamic MAC from the Action list.
Select the Sort Key (MAC Address, VLAN, or Interface).
Enter the search parameters (MAC Address, VLAN, or Interface).
Click Query.

Select the method by which to clear the entries (i.e., All, MAC Address, VLAN, or Interface).
Enter information in the additional fields required for clearing entries by MAC Address, VLAN, or Interface.
Click Clear.

Configuring MAC Address Mirroring

Parameters
These parameters are displayed:
◆ Source MAC – MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
◆ Target Port – The port that will mirror the traffic from the source port. (Range: 1-28/52)

Web Interface
To mirror packets based on a MAC address:...
Spanning Tree Algorithm

This chapter describes the following basic topics:
◆ Loopback Detection – Configures detection and response to loopback BPDUs.
◆ Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP.
◆ Interface Settings for STA – Configures interface settings for STA,...

Overview

lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops.

Figure 101: STP Root Ports and Designated Ports (diagram labels: Designated Root...)

Figure 102: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree

An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see "Configuring Multiple Spanning Trees"...
Configuring Loopback Detection

Use the Spanning Tree > Loopback Detection page to configure loopback detection on an interface. When loopback detection is enabled and a port or trunk receives its own BPDU, the detection agent drops the loopback BPDU, sends an SNMP trap, and places the interface in discarding mode.

◆ Shutdown Interval – The duration to shut down the interface. (Range: 60-86400 seconds)
If an interface is shut down due to a detected loopback, and the release mode is set to “Auto,” the selected interface will be automatically enabled when the shutdown interval has expired.
Configuring Global Settings for STA

This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.

◆ Spanning Tree Type – Specifies the type of spanning tree used on this switch:
  ■ STP: Spanning Tree Protocol (IEEE 802.1D); i.e., when this option is selected, the switch will use RSTP set to STP forced compatibility mode.

◆ Transmission Limit – The maximum transmission rate for BPDUs is specified by setting the minimum interval between the transmission of consecutive protocol messages. (Range: 1-10; Default: 3)

When the Switch Becomes Root
Hello Time –...

◆ Region Revision – The revision for this MSTI. (Range: 0-65535; Default: 0)
◆ Region Name – The name for this MSTI. (Maximum length: 32 characters; Default: switch’s MAC address)
Max Hop Count –...

Figure 106: Configuring Global Settings for STA (RSTP)
Figure 107: Configuring Global Settings for STA (MSTP)
Displaying Global Settings for STA

Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.

CLI References
◆...

Web Interface
To display global STA settings:
Click Spanning Tree, STA.
Select Configure Global from the Step list.
Select Show Information from the Action list.

Figure 108: Displaying Global Settings for STA

Configuring Interface Settings for STA

◆ Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree.
  ■ Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared media. (This is the default setting.)
◆ Root Guard – STA allows a bridge with a lower bridge identifier (or...

  ■ If the port does not receive any BPDUs after the edge delay timer expires, its role changes to designated port and it immediately enters forwarding state (see "Displaying Interface Settings for STA" on page 254).

Figure 109: Configuring Interface Settings for STA

Displaying Interface Settings for STA

Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree.

CLI References
"show spanning-tree"...

The rules defining port status are:
  ■ A port on a network segment with no other STA compliant bridging device is always forwarding.
  ■ If two ports of a switch are connected to the same segment and...

Figure 110: STA Port Roles (legend: R: Root Port; A: Alternate Port; D: Designated Port; B: Backup Port. Figure note: an alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port.)
Configuring Multiple Spanning Trees

Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance.

CLI References
◆ "Spanning Tree Commands" on page 1091
...

Web Interface
To create instances for MSTP:
Click Spanning Tree, MSTP.
Select Configure Global from the Step list.
Select Add from the Action list.
Specify the MST instance identifier and the initial VLAN member. Additional members can be added using the Spanning Tree >...
To modify the priority for an MST instance:
Click Spanning Tree, MSTP.
Select Configure Global from the Step list.
Select Modify from the Action list.
Modify the priority for an MSTP Instance.
Click Apply.

To add additional VLAN groups to an MSTP instance:
Click Spanning Tree, MSTP.
Select Configure Global from the Step list.
Select Add Member from the Action list.
Select an MST instance from the MST ID list.
Enter the VLAN group to add to the instance in the VLAN ID field.

Configuring Interface Settings for MSTP

Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance.

CLI References
◆ "Spanning Tree Commands" on page 1091
...

The recommended range is listed in Table 12 on page 251. The default path costs are listed in Table 13 on page 251.

Web Interface
To configure MSTP parameters for a port or trunk:
Click Spanning Tree, MSTP.
Congestion Control

The switch can set the maximum upload or download data transfer rate for any port. It can also control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.

◆ Rate – Sets the rate limit level. (Range: 64 - 1000000 kbits per second)

Web Interface
To configure rate limits:
Click Traffic, Rate Limit.
Set the interface type to Port or Trunk.
Check the Status box to enable rate limiting for an interface.
Set the rate limit for the required interfaces.

Storm Control

◆ Traffic storms can be controlled at the hardware level using Storm Control or at the software level using Automatic Traffic Control which triggers various control responses. However, only one of these control types can be applied to a port. Enabling hardware-level storm control on a port will disable automatic storm control on that port.

Figure 121: Configuring Storm Control

Automatic Traffic Control

Use the Traffic > Auto Traffic Control pages to configure bounding thresholds for broadcast and multicast storms which can automatically trigger rate limits or shut down a port.

CLI References
"Automatic Traffic Control Commands"...
◆ When traffic exceeds the alarm fire threshold and the apply timer expires, a traffic control response is applied, and a Traffic Control Apply Trap is sent and logged.
◆ Alarm Clear Threshold – The lower threshold beneath which a control...

Setting the ATC Timers

Use the Traffic > Auto Traffic Control (Configure Global) page to set the time at which to apply the control response after ingress traffic has exceeded the upper threshold, and the time at which to release the control response after ingress traffic has fallen beneath the lower threshold.

Figure 124: Configuring ATC Timers

Configuring Thresholds and Responses

Use the Traffic > Auto Traffic Control (Configure Interface) page to set the storm control mode (broadcast or multicast), the traffic thresholds, the control response, to automatically release a response of rate limiting, or to send related SNMP trap messages.

◆ Auto Release Control – Automatically stops a traffic control response of rate limiting when traffic falls below the alarm clear threshold and the release timer expires as illustrated in Figure 122 on page 266.

Web Interface
To configure the response timers for automatic storm control:
Click Traffic, Auto Traffic Control.
Select Configure Interface from the Step field.
Enable or disable ATC as required, set the control response, specify whether or not to automatically release the control response of rate limiting, set the upper and lower thresholds, and specify which trap messages to send.
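The following is an added example, not code from this manual or the switch firmware, that models the ATC behaviour described above as a small state machine: the alarm fire threshold with the apply timer decides when the control response is applied, and the alarm clear threshold with the release timer decides when a rate-limit response is released. Trap names, the packets-per-second unit, and the treatment of a burst that drops back below the fire threshold before the apply timer expires (treated here as cancelling the alarm) are assumptions of the model; the traffic samples are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class AtcConfig:
    alarm_fire: int          # upper threshold (packets/sec; unit assumed for this model)
    alarm_clear: int         # lower threshold
    apply_timer: float       # seconds above alarm_fire before the response is applied
    release_timer: float     # seconds below alarm_clear before rate limiting is released
    response: str = "rate-limit"   # "rate-limit" or "shutdown"
    auto_release: bool = True      # auto release applies only to the rate-limit response


@dataclass
class AtcPort:
    cfg: AtcConfig
    state: str = "normal"    # normal -> alarm -> controlled -> clearing -> normal
    since: float = 0.0       # time the current timer started
    events: List[Tuple[float, str]] = field(default_factory=list)

    def observe(self, t: float, rate: int) -> str:
        """Feed one ingress-rate sample taken at time t; returns the new state."""
        c = self.cfg
        if self.state == "normal" and rate > c.alarm_fire:
            self.state, self.since = "alarm", t
            self.events.append((t, "alarm-fire-trap"))
        elif self.state == "alarm":
            if rate <= c.alarm_fire:
                self.state = "normal"          # assumed: alarm cancelled, timer discarded
            elif t - self.since >= c.apply_timer:
                self.state = "controlled"
                self.events.append((t, "apply-trap:" + c.response))
        elif self.state == "controlled":
            # a shutdown response stays in place until an operator intervenes
            if c.response == "rate-limit" and c.auto_release and rate < c.alarm_clear:
                self.state, self.since = "clearing", t
                self.events.append((t, "alarm-clear-trap"))
        elif self.state == "clearing":
            if rate >= c.alarm_clear:
                self.state = "controlled"      # traffic came back; release timer restarts
            elif t - self.since >= c.release_timer:
                self.state = "normal"
                self.events.append((t, "release-trap"))
        return self.state


def run_atc(cfg: AtcConfig, samples):
    """Run a sequence of (time, rate) samples through one port; return (events, final state)."""
    port = AtcPort(cfg)
    for t, rate in samples:
        port.observe(t, rate)
    return port.events, port.state


# Constructed broadcast-rate samples: a storm from t=1 to t=4, then quiet.
SAMPLES = [(0, 100), (1, 1500), (2, 1600), (3, 1700), (4, 1200),
           (5, 300), (6, 250), (7, 200), (8, 150)]

if __name__ == "__main__":
    cfg = AtcConfig(alarm_fire=1000, alarm_clear=500, apply_timer=2, release_timer=3)
    for event in run_atc(cfg, SAMPLES)[0]:
        print(event)
```

Two things the model makes visible: the apply timer means a storm is tolerated for that long before anything happens, so a short apply timer is the tradeoff against false alarms from legitimate bursts; and the gap between the fire and clear thresholds is the hysteresis that keeps a port from flapping between limited and unlimited when the rate hovers near one value.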
Class of Service

Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.

Layer 2 Queue Settings

frames. If the incoming frame is an IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used.
◆ If the output port is an untagged member of the associated VLAN,...

Command Usage
◆ Strict priority requires all traffic in a higher priority queue to be processed before lower priority queues are serviced.
◆ WRR queuing specifies a relative weight for each queue. WRR uses a...

Web Interface
To configure the queue mode:
Click Traffic, Priority, Queue.
Set the queue mode. If the weighted queue mode is selected, the queue weight can be modified if required. If the queue mode that uses a combination of strict and weighted queueing is selected, the queues which are serviced first must be specified by enabling the strict mode parameter in the table.
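The following is an added example that is not from the manual or the switch firmware. It simulates the three queue modes the Command Usage section describes on the four per-port queues: strict priority, weighted round robin, and the combination in which designated queues are serviced strictly before the rest share the remainder by weight. The model counts weights in packets per round (real WRR implementations may weigh by bytes, so this is an assumption), and the queue contents are constructed.

```python
from collections import deque

NUM_QUEUES = 4   # four priority queues per port; queue 3 is treated as the highest here


def make_queues(contents):
    """Constructed sample input: {queue index: [packet ids]} -> per-queue deques."""
    return {q: deque(contents.get(q, [])) for q in range(NUM_QUEUES)}


def service_round(queues, mode="strict", weights=None, strict_queues=()):
    """Transmit one scheduler round and return the (queue, packet) pairs in order.

    mode = "strict": every higher queue is drained before a lower one is served.
    mode = "wrr":    each queue sends at most weights[q] packets per round.
    mode = "hybrid": queues in strict_queues are drained first; the others use WRR.
    """
    weights = weights or {}
    if mode == "strict":
        strict_set = set(queues)
    elif mode == "wrr":
        strict_set = set()
    elif mode == "hybrid":
        strict_set = set(strict_queues)
    else:
        raise ValueError(f"unknown queue mode {mode!r}")

    sent = []
    order = sorted(queues, reverse=True)          # highest priority queue first
    for q in order:                               # strict phase
        if q in strict_set:
            while queues[q]:
                sent.append((q, queues[q].popleft()))
    for q in order:                               # weighted phase
        if q not in strict_set:
            for _ in range(weights.get(q, 1)):
                if not queues[q]:
                    break
                sent.append((q, queues[q].popleft()))
    return sent


def run(queues, rounds, **kw):
    """Run several rounds; stops early once every queue is empty."""
    out = []
    for _ in range(rounds):
        served = service_round(queues, **kw)
        if not served:
            break
        out.append(served)
    return out


if __name__ == "__main__":
    qs = make_queues({3: ["a", "b"], 2: ["c", "d", "e"], 1: ["f"], 0: ["g", "h"]})
    for i, served in enumerate(run(qs, 5, mode="wrr", weights={3: 4, 2: 3, 1: 2, 0: 1})):
        print("round", i + 1, [p for _, p in served])
```

Comparing the strict and WRR runs on the same input shows why the strict queues in hybrid mode should be chosen sparingly: a strict queue that never empties starves every weighted queue below it, whereas WRR guarantees each queue its share per round.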
Mapping CoS Values to Egress Queues

Use the Traffic > Priority > PHB to Queue page to specify the hardware output queues to use based on the internal per-hop behavior value. (For more information on the exact manner in which the ingress priority tags are mapped to egress queues for internal processing, see "Mapping CoS Priorities to Internal DSCP Values"...

◆ The default internal PHB to output queue mapping is shown below.

Table 16: Mapping Internal Per-hop Behavior to Hardware Queues (columns: Per-hop Behavior, Hardware Queues)

◆ The specified mapping applies to all interfaces.

Parameters
These parameters are displayed:
PHB –...

Figure 131: Showing CoS Values to Egress Queue Mapping

Layer 3/4 Priority Settings

Mapping Layer 3/4 Priorities to CoS Values

The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements.

Setting Priority Processing to DSCP or CoS

The switch allows a choice between using DSCP or CoS priority processing methods. Use the Priority > Trust Mode page to select the required processing method.

CLI References
"qos map trust-mode"...

Figure 132: Setting the Trust Mode

Mapping Ingress DSCP Values

Use the Traffic > Priority > DSCP to DSCP page to map DSCP values in incoming packets to per-hop behavior and drop precedence values for internal priority processing.

◆ Drop Precedence – Drop precedence used for Random Early Detection in controlling traffic congestion. (Range: 0 - Green, 3 - Yellow, 1 - Red)

Table 17: Default Mapping of DSCP Values to Internal PHB/Drop Values (columns: ingress-dscp1, ingress-...)
Figure 134: Showing DSCP to DSCP Internal Mapping

Mapping CoS Priorities to Internal DSCP Values

Use the Traffic > Priority > CoS to DSCP page to map CoS/CFI values in incoming packets to per-hop behavior and drop precedence values for priority processing.

◆ PHB – Per-hop behavior, or the priority used for this router hop. (Range: 0-7)
◆ Drop Precedence – Drop precedence used for Random Early Detection in controlling traffic congestion. (Range: 0 - Green, 3 - Yellow, 1 - Red)

Table 18: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence (first entries: (0,0) (0,0))

To show the CoS/CFI to internal PHB/drop precedence map:
Click Traffic, Priority, CoS to DSCP.
Select Show from the Action list.

Figure 136: Showing CoS to DSCP Internal Mapping
Quality of Service

This chapter describes the following tasks required to apply QoS policies:
Class Map – Creates a map which identifies a specific class of traffic.
Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic.
Binding to a Port –...

Configuring a Class Map

Command Usage
To create a service policy for a specific category of ingress traffic, follow these steps:
Use the Configure Class (Add) page to designate a class name for a specific category of traffic.
Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, a VLAN, or a CoS value.
◆ Description – A brief description of a class map. (Range: 1-64 characters)

Add Rule
◆ Class Name – Name of the class map.
◆ Type – The criteria specified by the match command. (This field is set...

To show the configured class maps:
Click Traffic, DiffServ.
Select Configure Class from the Step list.
Select Show from the Action list.

Figure 138: Showing Class Maps

To edit the rules for a class map:
Click Traffic, DiffServ.

To show the rules for a class map:
Click Traffic, DiffServ.
Select Configure Class from the Step list.
Select Show Rule from the Action list.

Figure 140: Showing the Rules for a Class Map

Creating QoS Policies

Use the Traffic >...

conforming to the maximum throughput, or exceeding the maximum throughput.

srTCM Police Meter – Defines an enforcer for classified traffic based on a single rate three color meter scheme defined in RFC 2697. This metering policy monitors a traffic stream and processes its packets according to the committed information rate (CIR, or maximum throughput), committed burst size (BC, or burst rate), and excess burst size (BE).
When a packet of size B bytes arrives at time t, the following happens if srTCM is configured to operate in Color-Aware mode:
  ■ If the packet has been precolored as green and Tc(t) - B ≥ 0, the...

count Tp is incremented by one PIR times per second up to BP and the token count Tc is incremented by one CIR times per second up to BC. When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in Color-Blind mode:
  ■ If Tp(t) - B <...
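The following is an added example, not code from the manual or the switch, that carries the two metering schemes through in the symbols the text uses: Tc and Te are the committed and excess token counts of the srTCM (RFC 2697) with burst sizes BC and BE, Tc and Tp are the committed and peak token counts of the trTCM (RFC 2698) with burst sizes BC and BP, and B is the size in bytes of a packet arriving at time t. Both Color-Blind and Color-Aware operation are implemented for each meter. The model refills tokens continuously at CIR and PIR in bytes per second rather than in the RFCs' once-per-second steps, starts with full buckets as the RFCs specify, and takes the time base as seconds; the packet sequences are constructed.

```python
class SrTCM:
    """Single rate three color marker (RFC 2697)."""

    def __init__(self, cir, bc, be, color_aware=False):
        self.cir, self.bc, self.be = cir, bc, be      # bytes/sec, bytes, bytes
        self.tc, self.te = bc, be                     # buckets start full
        self.last = 0.0
        self.color_aware = color_aware

    def _refill(self, t):
        # Tc grows at CIR up to BC; once Tc is full, tokens spill into Te up to BE.
        if t < self.last:
            raise ValueError("time must not go backwards")
        tokens = self.cir * (t - self.last)
        self.last = t
        to_c = min(tokens, self.bc - self.tc)
        self.tc += to_c
        self.te = min(self.be, self.te + tokens - to_c)

    def meter(self, t, b, color="green"):
        """Return the packet's color and consume tokens accordingly.
        In Color-Aware mode a packet can only keep or lose its precolor."""
        self._refill(t)
        may_be_green = (not self.color_aware) or color == "green"
        may_be_yellow = (not self.color_aware) or color in ("green", "yellow")
        if may_be_green and self.tc - b >= 0:
            self.tc -= b
            return "green"
        if may_be_yellow and self.te - b >= 0:
            self.te -= b
            return "yellow"
        return "red"


class TrTCM:
    """Two rate three color marker (RFC 2698)."""

    def __init__(self, cir, bc, pir, bp, color_aware=False):
        self.cir, self.bc, self.pir, self.bp = cir, bc, pir, bp
        self.tc, self.tp = bc, bp                     # buckets start full
        self.last = 0.0
        self.color_aware = color_aware

    def _refill(self, t):
        # Tp is incremented at PIR up to BP and Tc at CIR up to BC, independently.
        if t < self.last:
            raise ValueError("time must not go backwards")
        dt = t - self.last
        self.last = t
        self.tc = min(self.bc, self.tc + self.cir * dt)
        self.tp = min(self.bp, self.tp + self.pir * dt)

    def meter(self, t, b, color="green"):
        self._refill(t)
        if (self.color_aware and color == "red") or self.tp - b < 0:
            return "red"                              # exceeds the peak rate: no tokens taken
        if (self.color_aware and color == "yellow") or self.tc - b < 0:
            self.tp -= b
            return "yellow"                           # within PIR but above CIR
        self.tc -= b
        self.tp -= b
        return "green"                                # within CIR


def meter_stream(meter, packets):
    """packets: iterable of (t, B[, precolor]) -> list of resulting colors."""
    return [meter.meter(*p) for p in packets]


if __name__ == "__main__":
    # Constructed burst: three packets at t=0 against CIR 1000 B/s, BC 2000 B, BE 1000 B.
    print(meter_stream(SrTCM(cir=1000, bc=2000, be=1000), [(0, 1500), (0, 1000), (0, 600)]))
    print(meter_stream(TrTCM(cir=1000, bc=1000, pir=2000, bp=2000), [(0, 800), (0, 800), (0, 800)]))
```

Reading the output against the policy-map actions that follow: green packets are the Conform case, yellow packets are the Exceed case (within BE, or within BP for the trTCM) whose DSCP may be lowered, and red packets are the Violate case that is normally dropped. The Color-Aware mode matters when an upstream meter has already marked the traffic, since this switch then only ever demotes a packet's color, never promotes it.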
Add Rule
◆ Policy Name – Name of policy map.
◆ Class Name – Name of a class map that defines a traffic classification upon which a policy can act.
◆ Action – This attribute is used to set an internal QoS value in hardware...

  ■ Conform – Specifies that traffic conforming to the maximum rate (CIR) and committed burst size (BC) will be transmitted without any change to the DSCP service level.
  ■ Transmit – Transmits in-conformance traffic without any...

  ■ Exceed – Specifies whether traffic that exceeds the committed maximum rate (CIR) or burst size (BC) but is within the excess burst size (BE) will be dropped or the DSCP service level will be reduced.

The burst size cannot exceed 16 Mbytes.
  ■ Conform – Specifies that traffic conforming to the committed maximum rate (CIR) and peak burst size (BP) will be transmitted without any change to the DSCP service level.
  ■ Transmit –...

To show the configured policy maps:
Click Traffic, DiffServ.
Select Configure Policy from the Step list.
Select Show from the Action list.

Figure 142: Showing Policy Maps

To edit the rules for a policy map:
Click Traffic, DiffServ.

Figure 143: Adding Rules to a Policy Map

To show the rules for a policy map:
Click Traffic, DiffServ.
Select Configure Policy from the Step list.
Select Show Rule from the Action list.

Figure 144: Showing the Rules for a Policy Map
Attaching a Policy Map to a Port

Use the Traffic > DiffServ (Configure Interface) page to bind a policy map to an ingress port.

CLI References
◆ "Quality of Service Commands" on page 1207
...

Web Interface
To bind a policy map to a port:
Click Traffic, DiffServ.
Select Configure Interface from the Step list.
Check the box under the Ingress field to enable a policy map for a port.
Select a policy map from the scroll-down box.
VoIP Traffic Configuration

This chapter covers the following topics:
◆ Global Settings – Enables VOIP globally, sets the Voice VLAN, and the aging time for attached ports.
◆ Telephony OUI List – Configures the list of phones to be treated as VOIP...

Configuring VoIP Traffic

Use the Traffic > VoIP (Configure Global) page to configure the switch for VoIP traffic. First enable automatic detection of VoIP devices attached to the switch ports, then set the Voice VLAN ID for the network. The Voice VLAN aging time can also be set to remove a port from the Voice VLAN when VoIP traffic is no longer received on the port.

Figure 146: Configuring a Voice VLAN

Configuring Telephony OUI

VoIP devices attached to the switch can be identified by the vendor’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to vendors and form the first three octets of device MAC addresses.

Enter a MAC address that specifies the OUI for VoIP devices in the network.
Select a mask from the pull-down list to define a MAC address range.
Enter a description for the devices.
Click Apply.

Configuring VoIP Traffic Ports

Command Usage
All ports are set to VLAN hybrid mode by default. Prior to enabling VoIP for a port (by setting the VoIP mode to Auto or Manual as described below), first ensure that VLAN membership is not set to access mode (see "Adding Static Members to VLANs"...

time should be added to the overall aging time. For example, if you configure the MAC address table aging time to 30 seconds, and the voice VLAN aging time to 5 minutes, then after 5.5 minutes, a port will be removed from the voice VLAN when VoIP traffic is no longer received on the port.
Security Measures

You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.

◆ IPv4 Source Guard – Filters IPv4 traffic on insecure ports for which the source address cannot be identified via DHCPv4 snooping nor static source bindings.
◆ IPv6 Source Guard – Filters IPv6 traffic on insecure ports for which the...

AAA Authentication, Authorization and Accounting

To configure AAA on the switch, you need to follow this general process:
Configure RADIUS and TACACS+ server access parameters. See "Configuring Local/Remote Logon Authentication" on page 311.
Define RADIUS and TACACS+ server groups to support the accounting and authorization of services.

Parameters
These parameters are displayed:
◆ Authentication Sequence – Select the authentication, or authentication sequence required:
  ■ Local – User authentication is performed only locally by the switch.
  ■ RADIUS – User authentication is performed using a RADIUS server...
Page 313
| Security Measures HAPTER AAA Authentication, Authorization and Accounting Figure 151: Authentication Server Operation console Telnet 1. Client attempts management access. 2. Switch contacts authentication server. RADIUS/ 3. Authentication server challenges client. 4. Client responds with proper password or key. TACACS+ 5.
Page 314
| Security Measures HAPTER AAA Authentication, Authorization and Accounting Server IP Address – Address of authentication server. ■ (A Server Index entry must be selected to display this item.) Accounting Server UDP Port – Network (UDP) port on ■ authentication server used for accounting messages. (Range: 1-65535;...
■ Authentication Key – Encryption key used to authenticate logon access for client. Enclose any string containing blank spaces in double quotes. (Maximum length: 48 characters)
■ Confirm Authentication Key – Re-type the string entered in the ...
Figure 152: Configuring Remote Authentication Server (RADIUS)
Figure 153: Configuring Remote Authentication Server (TACACS+)
To configure the RADIUS or TACACS+ server groups to use for accounting and authorization: Click Security, AAA, Server. Select Configure Group from the Step list.
Figure 154: Configuring AAA Server Groups
To show the RADIUS or TACACS+ server groups used for accounting and authorization: Click Security, AAA, Server. Select Configure Group from the Step list. Select Show from the Action list.
Figure 155: Showing AAA Server Groups
Use the Security > ...
PARAMETERS
These parameters are displayed:
Configure Global
◆ Periodic Update - Specifies the interval at which the local accounting service updates information for all users on the system to the accounting server. (Range: 1-2147483647 minutes)
Configure Method
Accounting Type – ...
■ Console Method Name – Specifies a user-defined method name to apply to commands entered at the specified CLI privilege level through the console interface.
■ VTY Method Name – Specifies a user-defined method name to ...
Figure 156: Configuring Global Settings for AAA Accounting
To configure the accounting method applied to various service types and the assigned server group: Click Security, AAA, Accounting. Select Configure Method from the Step list. Select Add from the Action list.
Figure 158: Showing AAA Accounting Methods
To configure the accounting method applied to specific interfaces, console commands entered at specific privilege levels, and local console, Telnet, or SSH connections: Click Security, AAA, Accounting. Select Configure Service from the Step list.
Figure 160: Configuring AAA Accounting Service for Exec Service
To display a summary of the configured accounting methods and assigned server groups for specified service types: Click Security, AAA, Accounting. Select Show Information from the Step list. Click Summary.
Figure 162: Displaying Statistics for AAA Accounting Sessions
CONFIGURING AAA AUTHORIZATION
Use the Security > AAA > Authorization page to enable authorization of requested services, and also to display the configured authorization methods, and the methods applied to specific interfaces.
Configure Service
◆ Authorization Type - Specifies EXEC authorization, or Command authorization for specific CLI privilege levels.
◆ Console Method Name – Specifies a user-defined method name to apply to console connections.
◆ VTY Method Name – ...
To show the authorization method applied to the EXEC service type and the assigned server group: Click Security, AAA, Authorization. Select Configure Method from the Step list. Select Show from the Action list.
Figure 164: Showing AAA Authorization Methods
To configure the authorization method applied to local console, Telnet, or SSH connections: ...
To display the configured authorization method and assigned server groups for the Exec service type: Click Security, AAA, Authorization. Select Show Information from the Step list.
Figure 166: Displaying the Applied AAA Authorization Method
CONFIGURING USER ACCOUNTS
Use the Security > ...
Levels 8-14 provide the same default access privileges, including additional commands beyond those provided for Levels 0-7 (equivalent to CLI Normal Exec command mode), and a subset of the configuration commands provided for Level 15 (equivalent to CLI Privileged Exec command mode).
Figure 167: Configuring User Accounts
To show user accounts: Click Security, User Accounts. Select Show from the Action list.
Figure 168: Showing User Accounts
WEB AUTHENTICATION
Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication is infeasible or impractical.
RADIUS authentication must be enabled and correctly configured for web authentication to work. (See "Configuring Local/Remote Logon Authentication" on page 311.) Web authentication cannot be configured on trunk ports.
CONFIGURING GLOBAL SETTINGS FOR WEB AUTHENTICATION
Use the Security > Web Authentication (Configure Global) page to edit the global parameters for web authentication.
Figure 169: Configuring Global Settings for Web Authentication
CONFIGURING INTERFACE SETTINGS FOR WEB AUTHENTICATION
Use the Security > Web Authentication (Configure Interface) page to enable web authentication on a port, and display information for any connected hosts.
CLI REFERENCES ...
Mark the check box for any host addresses that need to be re-authenticated, and click Re-authenticate.
Figure 170: Configuring Interface Settings for Web Authentication
NETWORK ACCESS (MAC ADDRESS AUTHENTICATION)
Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations.
authenticated. On the RADIUS server, PAP user names and passwords must be configured in the MAC address format XX-XX-XX-XX-XX-XX (all in upper case).
◆ Authenticated MAC addresses are stored as dynamic entries in the ...
◆ If duplicate profiles are passed in the Filter-ID attribute, then only the first profile is used. For example, if the attribute is “service-policy-in=p1;service-policy-in=p2”, then the switch applies only the DiffServ profile “p1.” Any unsupported profiles in the Filter-ID attribute are ignored.
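The Filter-ID handling described above (first occurrence of a duplicated key wins, unsupported keys ignored), written out as an added example; this is not the switch firmware's own code. The set of supported keys is an assumption: the page names only "service-policy-in", so that is the only key the parser accepts.

```python
"""Parser for the RADIUS Filter-ID attribute as the Network Access section
describes it: profiles arrive as "key=value" pairs separated by ";", a key
that is passed twice keeps only its first value, and unsupported keys are
ignored.

Added example, not the switch firmware's own code. The supported-key set is
an assumption: the page names only "service-policy-in".
"""

SUPPORTED_KEYS = frozenset({
    "service-policy-in",   # DiffServ policy map applied on ingress (from the page)
})


def parse_filter_id(attr, supported=SUPPORTED_KEYS):
    """Return (applied, ignored).

    applied: dict key -> first value seen for that key
    ignored: list of (key, value, reason) for items that were not applied
    """
    applied = {}
    ignored = []
    for item in attr.split(";"):
        item = item.strip()
        if not item:
            continue                       # tolerate a trailing ";"
        if "=" not in item:
            ignored.append((item, "", "malformed"))
            continue
        key, value = (part.strip() for part in item.split("=", 1))
        if key not in supported:
            ignored.append((key, value, "unsupported"))
        elif key in applied:
            ignored.append((key, value, "duplicate"))   # only the first one is used
        else:
            applied[key] = value
    return applied, ignored


if __name__ == "__main__":
    # The attribute value quoted on the page: only profile p1 is applied.
    applied, ignored = parse_filter_id("service-policy-in=p1;service-policy-in=p2")
    print("applied:", applied)
    print("ignored:", ignored)
```

The `ignored` list is what an operator would want in a log when a RADIUS profile silently fails to take effect; the switch only reports the applied profile, so recording the rejected items with a reason is the useful part.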
This parameter applies to authenticated MAC addresses configured by the MAC Address Authentication process described in this section, as well as to any secure MAC addresses authenticated by 802.1X, regardless of the 802.1X Operation Mode (Single-Host, Multi-Host, or MAC-Based authentication as described on page 390).
PARAMETERS
These parameters are displayed:
◆ MAC Authentication
■ Status – Enables MAC authentication on a port. (Default: Disabled)
■ Intrusion – Sets the port response to a host MAC authentication failure to either block access to the port or to pass traffic through.
exempt from authentication on the specified port (as described under "Configuring a MAC Address Filter"). (Range: 1-64; Default: None)
WEB INTERFACE
To configure MAC authentication on switch ports: Click Security, Network Access. Select Configure Interface from the Step list.
■ Link up and down – All link up and link down events will trigger the port action.
◆ Action – The switch can respond in three ways to a link up or down ...
◆ Up to 65 filter tables can be defined.
◆ There is no limitation on the number of entries used in a filter table.
PARAMETERS
These parameters are displayed:
◆ Filter ID – Adds a filter rule for the specified filter. (Range: 1-64) ...
To show the MAC address filter table for MAC authentication: Click Security, Network Access. Select Configure MAC Filter from the Step list. Select Show from the Action list.
Figure 175: Showing the MAC Address Filter Table for Network Access
Use the Security > ...
■ Attribute – Indicates a static or dynamic address.
WEB INTERFACE
To display the authenticated MAC addresses stored in the secure MAC address table: Click Security, Network Access. Select Show Information from the Step list. Use the sort key to display addresses based on MAC address, interface, or attribute.
CONFIGURING HTTPS
You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.
CONFIGURING GLOBAL SETTINGS FOR HTTPS
Use the Security > HTTPS (Configure Global) page to enable or disable HTTPS and specify the TCP port used for this service.
Users are automatically logged off of the HTTP server or HTTPS server if no input is detected for 600 seconds. Connection to the web interface is not supported for HTTPS using an IPv6 link local address.
PARAMETERS
These parameters are displayed:
HTTPS Status – ...
CAUTION: For maximum security, we recommend you obtain a unique Secure Sockets Layer certificate at the earliest opportunity. This is because the default certificate for the switch is not unique to the hardware you have purchased.
WEB INTERFACE
To replace the default secure-site certificate: Click Security, HTTPS. Select Copy Certificate from the Step list. Fill in the TFTP server, certificate and private key file name, and private password. Click Apply.
Figure 178: Downloading the Secure-Site Certificate
CONFIGURING THE SECURE ...
COMMAND USAGE
The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified on the System Authentication page (page ...
Enable SSH Service – On the SSH Settings page, enable the SSH server on the switch.
Authentication – One of the following authentication methods is employed:
Password Authentication (for SSH v1.5 or V2 Clients) – The client sends its password to the server.
checks whether the signature is correct. If both checks succeed, the client is authenticated. The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
WEB INTERFACE
To configure the SSH server: Click Security, SSH. Select Configure Global from the Step list. Enable the SSH server. Adjust the authentication parameters as required. Click Apply.
Figure 179: Configuring the SSH Server
Use the Security > ...
client to select either DES (56-bit) or 3DES (168-bit) for data encryption. The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients.
◆ Save Host-Key from Memory to Flash – Saves the host key from ...
Figure 181: Showing the SSH Host Key Pair
IMPORTING USER PUBLIC KEYS
Use the Security > SSH (Configure User Key - Copy) page to upload a user’s public key to the switch. This public key must be stored on the switch for the user to be able to log in using the public key authentication mechanism.
WEB INTERFACE
To copy the SSH user’s public key: Click Security, SSH. Select Configure User Key from the Step list. Select Copy from the Action list. Select the user name and the public-key type from the respective drop-down boxes, input the TFTP server IP address and the public key source file name.
Figure 183: Showing the SSH User’s Public Key
ACCESS CONTROL LISTS
Access Control Lists (ACL) provide packet filtering for IPv4/IPv6 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type).
precisely determined. It depends on the amount of hardware resources reserved at runtime for this purpose. Auto ACE Compression is a software feature used to compress all the ACEs of an ACL to utilize hardware resources more efficiently. Without compression, one ACE would occupy a fixed number of entries in TCAM.
PARAMETERS
These parameters are displayed:
◆ Time-Range Name – Name of a time range. (Range: 1-16 characters)
Add Rule
◆ Time-Range – Name of a time range.
◆ Mode
■ Absolute – Specifies a specific time or time range. ...
Figure 185: Showing a List of Time Ranges
To configure a rule for a time range: Click Security, ACL. Select Configure Time Range from the Step list. Select Add Rule from the Action list. Select the name of the time range from the drop-down list.
Figure 187: Showing the Rules Configured for a Time Range
SHOWING TCAM UTILIZATION
Use the Security > ACL (Configure ACL - Show TCAM) page to show utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use.
WEB INTERFACE
To show information on TCAM utilization: Click Security, ACL. Select Configure ACL from the Step list. Select Show TCAM from the Action list.
Figure 188: Showing TCAM Utilization
SETTING THE NAME AND ...
Use the Security > ACL (Configure ACL - Add) page to create an ACL.
CLI REFERENCES ...
■ MAC – MAC ACL mode filters packets based on the source or destination MAC address and the Ethernet frame type (RFC 1060).
■ ARP – ARP ACL specifies static IP-to-MAC address bindings used for ...
Figure 190: Showing a List of ACLs
CONFIGURING A STANDARD IPv4 ACL
Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL.
CLI REFERENCES
"permit, deny (Standard IP ACL)" ...
WEB INTERFACE
To add rules to an IPv4 Standard ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select IP Standard from the Type list. Select the name of an ACL from the Name list.
but limits the checking of ToS bits (underlined in the following example) to the leftmost three bits, ignoring the rightmost fourth bit. For example, if you configured an access list to deny packets with a ToS of 7 (00001110), the highlighted bit would be ignored, and the access list would drop packets with a ToS of both 6 and 7.
◆ Control Code Bit Mask – Decimal number representing the code bits to match. (Range: 0-63) The control bit mask is a decimal number (for an equivalent binary bit mask) that is applied to the control code. Enter a decimal number, where the equivalent binary bit “1” ...
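The two matching rules explained above (the three-of-four-bit ToS comparison, and the control code compared only on the bits the mask selects), as an added example; this is not the switch's own matching engine. Assumed here: the ToS parameter is the 4-bit ToS value (0-15); control code and mask use the standard TCP flag bit values (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32); a mask bit of 1 means the flag bit is compared and 0 means it is ignored (the page's sentence describing the mask is cut off, so that reading is an assumption); and the caller supplies the action to take when no rule matches, since the page does not state the implicit one.

```python
"""Extended IPv4 ACL matching for ToS and TCP control code.

Added example, not the switch's matching engine. The ToS check compares only
the leftmost three of the four ToS bits (a rule for ToS 7 also catches ToS 6);
the control code is compared only on the bits selected by the bit mask.
Flag values and mask semantics are assumptions stated in the lead-in.
"""
from dataclasses import dataclass
from typing import List, Optional

FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32

# Leftmost three of the four ToS bits; the rightmost bit is ignored.
TOS_CHECK_MASK = 0b1110


@dataclass
class ExtendedRule:
    action: str                          # "permit" or "deny"
    tos: Optional[int] = None            # 4-bit ToS to match, None = any
    control_code: Optional[int] = None   # TCP flag bits to match, None = any
    control_code_mask: int = 0           # which flag bits are compared


def tos_matches(rule_tos: int, packet_tos: int) -> bool:
    return (rule_tos & TOS_CHECK_MASK) == (packet_tos & TOS_CHECK_MASK)


def control_code_matches(rule_code: int, mask: int, packet_flags: int) -> bool:
    return (rule_code & mask) == (packet_flags & mask)


def rule_matches(rule: ExtendedRule, packet_tos: int, packet_flags: int) -> bool:
    if rule.tos is not None and not tos_matches(rule.tos, packet_tos):
        return False
    if rule.control_code is not None and not control_code_matches(
            rule.control_code, rule.control_code_mask, packet_flags):
        return False
    return True


def evaluate(rules: List[ExtendedRule], packet_tos: int, packet_flags: int,
             default: str) -> str:
    """Ordered evaluation: the first matching rule's action wins; `default`
    applies when nothing matches (assumed, the page does not state it)."""
    for rule in rules:
        if rule_matches(rule, packet_tos, packet_flags):
            return rule.action
    return default


if __name__ == "__main__":
    deny_tos7 = ExtendedRule("deny", tos=7)                 # the page's example
    # Deny a bare SYN (SYN set, ACK clear): compare only the SYN and ACK bits.
    deny_bare_syn = ExtendedRule("deny", control_code=SYN, control_code_mask=SYN | ACK)
    for tos in (5, 6, 7):
        print("ToS", tos, "->", evaluate([deny_tos7], tos, 0, "permit"))
    for flags in (SYN, SYN | ACK, ACK):
        print("flags", flags, "->", evaluate([deny_bare_syn], 0, flags, "permit"))
```

The bare-SYN rule shows why the mask matters: with mask 18 (SYN and ACK) a packet carrying SYN plus unrelated bits such as PSH still matches, while a SYN/ACK handshake reply does not.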
Figure 192: Configuring an Extended IPv4 ACL
CONFIGURING A STANDARD IPv6 ACL
Use the Security > ACL (Configure ACL - Add Rule - IPv6 Standard) page to configure a Standard IPv6 ACL.
CLI REFERENCES
"permit, deny (Standard IPv6 ACL)" ...
◆ Source Prefix-Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address). (Range: 0-128 bits)
◆ Time Range – Name of a time range. ...
CONFIGURING A MAC ACL
Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type.
CLI REFERENCES
"permit, deny (MAC ACL)" ...
◆ Internet Protocol – Layer 3 or 4 information to match.
■ No – Not applied.
■ IPv4 – See "Configuring an Extended IPv4 ACL" on page 360.
■ IPv6 – See "Configuring an Extended IPv6 ACL" on page 365.
Figure 195: Configuring a MAC ACL
CONFIGURING AN ARP ACL
Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see "Configuring Global Settings for ARP ...
◆ Source/Destination IP Subnet Mask – Subnet mask for source or destination address. (See the description for Subnet Mask on page 359.)
◆ Source/Destination MAC Address Type – Use “Any” to include all possible addresses, “Host” ...
Figure 196: Configuring an ARP ACL
BINDING A PORT TO AN ACCESS CONTROL LIST
After configuring ACLs, use the Security > ACL (Configure Interface – Configure) page to bind the ports that need to filter traffic to the appropriate ACLs.
WEB INTERFACE
To bind an ACL to a port: Click Security, ACL. Select Configure Interface from the Step list. Select Configure from the Action list. Select IP, MAC or IPv6 from the Type options. Select a port.
Use the Add Mirror page to specify the ACL and the destination port to which matching traffic will be mirrored.
PARAMETERS
These parameters are displayed:
◆ Port – Port identifier.
◆ ACL – ACL used for ingress packets. ...
Figure 199: Showing the VLANs to Mirror
SHOWING ACL HARDWARE COUNTERS
Use the Security > ACL > Configure Interface (Show Hardware Counters) page to show statistics for ACL hardware counters.
CLI REFERENCES
"show access-list" ...
Select ingress or egress traffic.
Figure 200: Showing ACL Statistics
ARP INSPECTION
ARP Inspection is a security feature that validates the MAC Address bindings for Address Resolution Protocol packets. It provides protection against ARP traffic with invalid MAC-to-IP address bindings, which forms the basis for certain “man-in-the-middle” ...
■ When ARP Inspection is disabled, all ARP request and reply packets will bypass the ARP Inspection engine and their switching behavior will match that of all other packets.
■ Disabling and then re-enabling global ARP Inspection will not affect ...
ARP Inspection Logging
◆ By default, logging is active for ARP Inspection, and cannot be disabled.
◆ The administrator can configure the log facility rate.
◆ When the switch drops a packet, it places an entry in the log buffer, ...
WEB INTERFACE
To configure global settings for ARP Inspection: Click Security, ARP Inspection. Select Configure General from the Step list. Enable ARP inspection globally, enable any of the address validation options, and adjust any of the logging parameters if required. Click Apply.
◆ If Static is not specified, ARP packets are first validated against the selected ACL; if no ACL rules match the packets, then the DHCP snooping bindings database determines their validity.
PARAMETERS
These parameters are displayed:
ARP Inspection VLAN ID – ...
CONFIGURING INTERFACE SETTINGS FOR ARP INSPECTION
Use the Security > ARP Inspection (Configure Interface) page to specify the ports that require ARP inspection, and to adjust the packet inspection rate.
CLI REFERENCES
◆ "ARP Inspection" on page 948 ...
Figure 203: Configuring Interface Settings for ARP Inspection
DISPLAYING ARP INSPECTION STATISTICS
Use the Security > ARP Inspection (Show Information - Show Statistics) page to display statistics about the number of ARP packets processed, or dropped for various reasons.
WEB INTERFACE
To display statistics for ARP Inspection: Click Security, ARP Inspection. Select Show Information from the Step list. Select Show Statistics from the Action list.
Figure 204: Displaying Statistics for ARP Inspection
DISPLAYING THE ARP INSPECTION LOG
Use the Security > ARP Inspection (Show Information - Show Log) page to show information about entries stored in the log, including the associated ...
WEB INTERFACE
To display the ARP Inspection log: Click Security, ARP Inspection. Select Show Information from the Step list. Select Show Log from the Action list.
Figure 205: Displaying the ARP Inspection Log
FILTERING IP ADDRESSES FOR MANAGEMENT ACCESS ...
◆ You can delete an address range just by specifying the start address, or by specifying both the start address and end address.
PARAMETERS
These parameters are displayed:
◆ Mode
Web – ...
To show a list of IP addresses authorized for management access: Click Security, IP Filter. Select Show from the Action list.
Figure 207: Showing IP Addresses Authorized for Management Access
CONFIGURING PORT SECURITY
Use the Security > Port Security page to configure the maximum number of device MAC addresses that can be learned by a switch port, stored in the address table, and authorized to access the network.
◆ When the port security state is changed from enabled to disabled, all dynamically learned entries are cleared from the address table.
◆ If port security is enabled, and the maximum number of allowed ...
◆ Current MAC Count – The number of MAC addresses currently associated with this interface.
◆ MAC Filter – Shows if MAC address filtering has been set under Security > Network Access (Configure MAC Filter) as described on page 337.
CONFIGURING 802.1X PORT AUTHENTICATION
users to first submit credentials for authentication. Access to all switch ports in a network can be centrally controlled from a server, which means that authorized users can use the same credentials for authentication from any point within the network.
◆ Each switch port that will be used must be set to dot1X “Auto” mode.
◆ Each client that needs to be authenticated must have dot1X client software installed and properly configured.
◆ The RADIUS server and 802.1X client support EAP.
◆ Identity Profile Password – The dot1x supplicant password used to identify this switch as a supplicant when responding to an MD5 challenge from the authenticator. (Range: 1-8 characters)
◆ Confirm Profile Password – This field is used to confirm the dot1x ...
COMMAND USAGE
◆ When the switch functions as a local authenticator between supplicant devices attached to the switch and the authentication server, configure the parameters for the exchange of EAP messages between the authenticator and clients on the Authenticator configuration page.
In this mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access. Similarly, a port can become unauthorized for all hosts if one attached host fails re-authentication or sends an EAPOL logoff message.
◆ Re-authentication Period – Sets the time period after which a connected client must be re-authenticated. (Range: 1-65535 seconds; Default: 3600 seconds)
◆ Re-authentication Max Retries – The maximum number of times the ...
WEB INTERFACE
To configure port authenticator settings for 802.1X: Click Security, Port Authentication. Select Configure Interface from the Step list. Click Authenticator. Modify the authentication settings for each port as required. Click Apply.
Figure 211: Configuring Interface Settings for 802.1X Port Authenticator
Use the Security > ...
COMMAND USAGE
◆ When devices attached to a port must submit requests to another authenticator on the network, configure the Identity Profile parameters on the Configure Global page (see "Configuring 802.1X Global Settings" on page 389) which identify this switch as a supplicant, and configure the supplicant parameters for those ports which must authenticate ...
WEB INTERFACE
To configure port supplicant settings for 802.1X: Click Security, Port Authentication. Select Configure Interface from the Step list. Click Supplicant. Modify the supplicant settings for each port as required. Click Apply.
Figure 212: Configuring Interface Settings for 802.1X Port Supplicant
Use the Security > ...
Table 24: 802.1X Statistics (Continued)
Parameter | Description
Rx Last EAPOLVer | The protocol version number carried in the most recent EAPOL frame received by this Authenticator.
Rx Last EAPOLSrc | The source MAC address carried in the most recent EAPOL frame received by this Authenticator.
WEB INTERFACE
To display port authenticator statistics for 802.1X: Click Security, Port Authentication. Select Show Statistics from the Step list. Click Authenticator.
Figure 213: Showing Statistics for 802.1X Port Authenticator
To display port supplicant statistics for 802.1X: Click Security, Port Authentication.
DoS PROTECTION
Use the Security > DoS Protection page to protect against denial-of-service (DoS) attacks. A DoS attack is an attempt to block the services provided by a computer or network resource. This kind of attack tries to prevent an Internet site or service from functioning efficiently or at all.
target's TCP port is closed, the target replies with a TCP RST (reset) packet. If the target TCP port is open, it simply discards the TCP SYN FIN scan. (Default: Enabled)
◆ TCP Xmas Scan – A so-called TCP XMAS scan message is used to ...
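Detection logic for the two flag-combination checks named on this page, SYN/FIN scan and Xmas scan, run over constructed sample packets with each check individually switchable, as an added example that is not the switch's filter. Assumptions: the Xmas check fires when FIN, PSH and URG are all set (the page's description of it is cut off), and each check fires when its bits are set regardless of other flags; flag bit values are the standard TCP header values.

```python
"""DoS Protection flag checks: SYN/FIN scan and Xmas scan detection.

Added example, not the switch's filter. Each check can be enabled or disabled
individually, mirroring the page's per-check settings. The Xmas definition
and "bits set regardless of other flags" matching are assumptions.
"""
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32

CHECKS = {
    # name -> bits that must all be set for the check to fire
    "TCP SYN/FIN Scan": SYN | FIN,        # SYN and FIN never legitimately coexist
    "TCP Xmas Scan": FIN | PSH | URG,     # assumed Xmas definition
}


def classify(flags: int, enabled=None) -> list:
    """Names of enabled checks that the given 6-bit flag field triggers."""
    names = list(CHECKS) if enabled is None else [n for n in enabled if n in CHECKS]
    return [n for n in names if flags & CHECKS[n] == CHECKS[n]]


def filter_packets(packets, enabled=None):
    """packets: iterable of (src, dst, flags). Returns (forwarded, dropped),
    each a list of (src, dst, flags, triggered_checks)."""
    forwarded, dropped = [], []
    for src, dst, flags in packets:
        hits = classify(flags, enabled)
        (dropped if hits else forwarded).append((src, dst, flags, hits))
    return forwarded, dropped


SAMPLE_PACKETS = [  # constructed sample traffic
    ("198.51.100.7", "192.0.2.10:22", SYN),                # normal handshake start
    ("192.0.2.10", "198.51.100.7:40000", SYN | ACK),       # normal handshake reply
    ("198.51.100.9", "192.0.2.10:80", SYN | FIN),          # SYN/FIN scan probe
    ("198.51.100.9", "192.0.2.10:80", FIN | PSH | URG),    # Xmas scan probe
    ("198.51.100.7", "192.0.2.10:22", FIN | ACK),          # normal close
]


def demo():
    """Run the full check set over the constructed sample."""
    return filter_packets(SAMPLE_PACKETS)


if __name__ == "__main__":
    fwd, drop = demo()
    for src, dst, flags, hits in drop:
        print(f"drop {src} -> {dst} flags={flags:06b} ({', '.join(hits)})")
    print(f"{len(fwd)} forwarded, {len(drop)} dropped")
```

Note that a legitimate FIN/ACK close is forwarded: the checks key on flag combinations that no conforming TCP stack emits, which is why the page can enable them by default without affecting normal sessions.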
Figure 215: Protecting Against DoS Attacks
IPv4 SOURCE GUARD
IPv4 Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "DHCP Snooping" ...
◆ Multicast addresses cannot be used by IP Source Guard.
◆ When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping (see "DHCP Snooping" on page 412), or static addresses configured in the source guard binding table.
◆ If IP source guard is enabled, an inbound packet’s IP address (SIP ...
page 412) and static entries set by IP source guard (see "Configuring Static Bindings for IPv4 Source Guard" on page 403).
WEB INTERFACE
To set the IP Source Guard filter for ports: Click Security, IP Source Guard, Port Configuration. Set the required filtering type for each port.
■ Only unicast addresses are accepted for static bindings.
PARAMETERS
These parameters are displayed:
◆ Port – The port to which a static entry is bound.
◆ VLAN – ID of a configured VLAN (Range: 1-4094) ...
To display static bindings for IP Source Guard: Click Security, IP Source Guard, Static Binding. Select Show from the Action list.
Figure 218: Displaying Static Bindings for IPv4 Source Guard
DISPLAYING DYNAMIC BINDINGS
Use the Security > IP Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface.
WEB INTERFACE
To display the binding table for IP Source Guard: Click Security, IP Source Guard, Dynamic Binding. Mark the search criteria, and enter the required values. Click Query.
Figure 219: Showing the IPv4 Source Guard Binding Table
IPv6 SOURCE GUARD
IPv6 Source Guard is a security feature that filters IPv6 traffic on non- ...
COMMAND USAGE
◆ Setting source guard mode to SIP (Source IP) enables this function on the selected port. Use the SIP option to check the VLAN ID, IPv6 global unicast source IP address, and port number against all entries in the binding table.
◆ Filter Type – Configures the switch to filter inbound traffic based on the following options. (Default: Disabled)
■ Disabled – Disables IPv6 source guard filtering on the port.
■ SIP – Enables traffic filtering based on IPv6 global unicast source ...
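The port filter described in the IPv4 and IPv6 Source Guard sections above (Disabled, SIP checking VLAN, source IP and port against the binding table, and SIP-MAC also checking the source MAC), with the unicast-only rule for bindings, as an added example that is not the switch's implementation. The SIP-MAC filter type is taken from the IPv4 Source Guard section; applying it to IPv6 the same way is an assumption. Bindings and packets are constructed samples.

```python
"""IPv4/IPv6 Source Guard port filter over a binding table.

Added example, not the switch's implementation. Bindings come from static
configuration or DHCP snooping; multicast addresses are rejected as bindings
(only unicast is accepted). SIP-MAC on IPv6 is an assumption.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Set

DISABLED, SIP, SIP_MAC = "Disabled", "SIP", "SIP-MAC"


@dataclass(frozen=True)
class Binding:
    port: str
    vlan: int
    ip: str          # normalised IPv4 or IPv6 text
    mac: str         # upper-case XX-XX-XX-XX-XX-XX
    source: str      # "static" or "dhcp-snooping"


@dataclass
class SourceGuard:
    filter_type: Dict[str, str] = field(default_factory=dict)   # port -> mode
    bindings: Set[Binding] = field(default_factory=set)

    def add_binding(self, port, vlan, ip, mac, source="static") -> bool:
        """Reject multicast (and unspecified) addresses; only unicast is accepted."""
        addr = ipaddress.ip_address(ip)
        if addr.is_multicast or addr.is_unspecified:
            return False
        self.bindings.add(Binding(port, vlan, str(addr), mac.upper(), source))
        return True

    def check(self, port, vlan, sip, smac) -> str:
        """Decide "forward" or "drop" for an inbound packet on `port`."""
        mode = self.filter_type.get(port, DISABLED)
        if mode == DISABLED:
            return "forward"
        try:
            addr = str(ipaddress.ip_address(sip))
        except ValueError:
            return "drop"                 # unparsable source address
        for b in self.bindings:
            if (b.port, b.vlan, b.ip) != (port, vlan, addr):
                continue                  # SIP: VLAN, source IP and port must all match
            if mode == SIP or b.mac == smac.upper():
                return "forward"          # SIP-MAC: the source MAC must match as well
        return "drop"


def sample_guard() -> SourceGuard:
    """Constructed configuration: port 1/5 uses SIP, 1/6 uses SIP-MAC,
    every other port is left at Disabled."""
    sg = SourceGuard(filter_type={"1/5": SIP, "1/6": SIP_MAC})
    sg.add_binding("1/5", 10, "192.0.2.50", "00-11-22-33-44-50", "dhcp-snooping")
    sg.add_binding("1/6", 20, "2001:db8::60", "00-11-22-33-44-60", "static")
    return sg


if __name__ == "__main__":
    sg = sample_guard()
    print(sg.check("1/5", 10, "192.0.2.50", "00-11-22-33-44-FF"))    # forward: SIP ignores MAC
    print(sg.check("1/6", 20, "2001:db8::60", "00-11-22-33-44-FF"))  # drop: SIP-MAC checks MAC
    print(sg.add_binding("1/5", 10, "224.0.0.1", "01-00-5E-00-00-01"))  # False: multicast
```

Normalising addresses through `ipaddress` matters for IPv6: "2001:0db8:0:0::60" and "2001:db8::60" are the same host and must hit the same binding.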
CONFIGURING STATIC BINDINGS FOR IPv6 SOURCE GUARD
Use the Security > IPv6 Source Guard > Static Configuration page to bind a static address to a port. Table entries include a MAC address, IPv6 global unicast address, entry type (Static-IPv6-SG-Binding, Dynamic-ND-Binding, Dynamic-DHCPv6-Binding), VLAN identifier, and port identifier.
Show
◆ VLAN – VLAN to which this entry is bound.
◆ MAC Address – Physical address associated with the entry.
◆ Interface – The port to which this entry is bound.
◆ IPv6 Address – IPv6 address corresponding to the client. ...
To display static bindings for IPv6 Source Guard: Click Security, IPv6 Source Guard, Static Configuration. Select Show from the Action list.
Figure 222: Displaying Static Bindings for IPv6 Source Guard
DISPLAYING DYNAMIC BINDINGS
Use the Security > IPv6 Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface.
WEB INTERFACE
To display the binding table for IPv6 Source Guard: Click Security, IPv6 Source Guard, Dynamic Binding. Mark the search criteria, and enter the required values. Click Query.
Figure 223: Showing the IPv6 Source Guard Binding Table
DHCP SNOOPING
The addresses assigned to DHCP clients on insecure ports can be carefully ...
◆ The rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second. Any DHCP packets in excess of this limit are dropped.
◆ When DHCP snooping is enabled, DHCP messages entering an ...
DHCP server, any packets received from untrusted ports are dropped.
DHCP Snooping Option 82
◆ DHCP provides a relay mechanism for sending information about its DHCP clients or the relay agent itself to the DHCP server. Also known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
DHCP SNOOPING GLOBAL CONFIGURATION
Use the IP Service > DHCP > Snooping (Configure Global) page to enable DHCP Snooping globally on the switch, or to configure MAC Address Verification.
CLI REFERENCES
◆ "DHCPv4 Snooping" on page 915
...
WEB INTERFACE
To configure global settings for DHCP Snooping:
Click IP Service, DHCP, Snooping. Select Configure Global from the Step list. Select the required options for the general DHCP snooping process and for the DHCP snooping information policy. Click Apply.
Figure 224: Configuring Global Settings for DHCP Snooping
Use the IP Service >...
◆ DHCP Snooping Status – Enables or disables DHCP snooping for the selected VLAN. When DHCP snooping is enabled globally on the switch and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN.
PARAMETERS
These parameters are displayed:
◆ Trust Status – Enables or disables a port as trusted. (Default: Disabled)
◆ Circuit ID – Specifies DHCP Option 82 circuit ID suboption information.
■ Mode – Specifies the default string “VLAN-Unit-Port” or an arbitrary...
PARAMETERS
These parameters are displayed:
◆ MAC Address – Physical address associated with the entry.
◆ IP Address – IP address corresponding to the client.
◆ Lease Time – The time for which this IP address is leased to the client.
◆ ...
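The DHCP snooping rules described above (server replies dropped on untrusted ports, the 100 packets-per-second limit, MAC address verification, and the binding table of MAC, IP, lease time, VLAN and port) can be modelled in a few lines. The following is an added example written for this guide, not the switch's own code; the port names, MAC addresses, message types and the `DhcpSnooper` class are constructed for illustration, and the way a client's request port is remembered until the server's ACK arrives is an assumption about how the binding's port field is filled.

```python
"""DHCP snooping filter over constructed DHCP messages (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# DHCP message types from RFC 2132 option 53
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
SERVER_MSGS = {OFFER, ACK}
RATE_LIMIT_PPS = 100          # the switch's fixed DHCP processing limit


@dataclass
class DhcpMsg:
    port: str
    vlan: int
    src_mac: str              # Ethernet source address of the frame
    chaddr: str               # client hardware address inside the DHCP payload
    msg_type: int
    yiaddr: str = ""          # address offered/assigned (server messages only)
    lease: int = 0            # lease time in seconds (ACK only)
    second: int = 0           # arrival time in whole seconds, for rate limiting


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    port: str


@dataclass
class DhcpSnooper:
    trusted_ports: set
    mac_verification: bool = True
    bindings: Dict[str, Binding] = field(default_factory=dict)
    _pending: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # chaddr -> (port, vlan)
    _pps: Dict[int, int] = field(default_factory=dict)

    def process(self, m: DhcpMsg) -> Tuple[bool, str]:
        """Return (forwarded?, reason) for one DHCP message."""
        # Global rate limit: everything above 100 packets per second is dropped
        self._pps[m.second] = self._pps.get(m.second, 0) + 1
        if self._pps[m.second] > RATE_LIMIT_PPS:
            return False, "rate-limit"
        untrusted = m.port not in self.trusted_ports
        chaddr = m.chaddr.lower()
        if untrusted and m.msg_type in SERVER_MSGS:
            # Rogue-server protection: server messages may only arrive on trusted ports
            return False, "server-msg-on-untrusted-port"
        if untrusted and self.mac_verification and m.src_mac.lower() != chaddr:
            # MAC Address Verification: frame source must match the DHCP client address
            return False, "chaddr-mismatch"
        if untrusted and m.msg_type in (DISCOVER, REQUEST):
            self._pending[chaddr] = (m.port, m.vlan)   # remember where the client lives
        if m.msg_type == ACK and chaddr in self._pending:
            port, vlan = self._pending.pop(chaddr)
            # Learn the lease so IP Source Guard / ARP inspection can use the binding
            self.bindings[chaddr] = Binding(chaddr, m.yiaddr, m.lease, vlan, port)
        return True, "forward"


def run_constructed_scenario() -> Tuple[DhcpSnooper, List[Tuple[bool, str]]]:
    """Constructed traffic: one legitimate client, one rogue server, one spoofed request."""
    s = DhcpSnooper(trusted_ports={"Eth1/1"})
    client = "00:11:22:33:44:55"
    msgs = [
        DhcpMsg("Eth1/5", 10, client, client, DISCOVER),
        DhcpMsg("Eth1/5", 10, client, client, REQUEST),
        DhcpMsg("Eth1/7", 10, "00:aa:bb:cc:dd:ee", "00:aa:bb:cc:dd:ee", OFFER, "10.0.0.50"),  # rogue server
        DhcpMsg("Eth1/1", 10, "00:de:ad:be:ef:01", client, ACK, "10.0.0.20", 3600),        # real server
        DhcpMsg("Eth1/8", 10, "00:99:88:77:66:55", client, REQUEST),                        # spoofed chaddr
    ]
    return s, [s.process(m) for m in msgs]


def flood(n: int) -> int:
    """Send n DISCOVERs within one second; return how many the rate limit drops."""
    s = DhcpSnooper(trusted_ports=set())
    mac = "00:00:00:00:00:01"
    return sum(1 for _ in range(n)
               if s.process(DhcpMsg("Eth1/9", 10, mac, mac, DISCOVER))[1] == "rate-limit")
```

The scenario returns the filter decisions in order; the binding learned from the trusted-port ACK records the client's own port (Eth1/5), which is what the Dynamic Binding page displays.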
BASIC ADMINISTRATION PROTOCOLS
This chapter describes basic administration tasks including:
◆ Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
CONFIGURING EVENT LOGGING
The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory and logging to a remote System Log (syslog) server, and displays a list of recent event messages. Use the Administration >...
◆ RAM Level – Limits log messages saved to the switch’s temporary RAM memory for all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 7)
The Flash Level must be equal to or less than the RAM Level.
Figure 229: Showing Error Messages Logged to System Memory
REMOTE LOG CONFIGURATION
Use the Administration > Log > Remote page to send log messages to syslog servers or other management stations. You can also limit the event messages sent to only those messages below a specified level.
WEB INTERFACE
To configure the logging of error messages to remote servers:
Click Administration, Log, Remote. Enable remote logging, specify the facility type to use for the syslog messages, and enter the IP address of the remote servers. Click Apply.
◆ Email Destination Address – Specifies the email recipients of alert messages. You can specify up to five recipients.
◆ Server IP Address – Specifies a list of up to three recipient SMTP...
LINK LAYER DISCOVERY PROTOCOL
Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device.
objects, and to increase the probability that multiple, rather than single, changes are reported in each transmission. This attribute must comply with the rule: (4 * Delay Interval) ≤ Transmission Interval
◆ Reinitialization Delay –...
Figure 232: Configuring LLDP Timing Attributes
CONFIGURING LLDP INTERFACE ATTRIBUTES
Use the Administration > LLDP (Configure Interface – Configure General) page to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.
◆ MED Notification – Enables the transmission of SNMP trap notifications about LLDP-MED changes. (Default: Disabled)
◆ Basic Optional TLVs – Configures basic information included in the TLV field of advertised messages.
■ Management Address –...
■ VLAN ID – The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see "IEEE 802.1Q VLANs" on page 199).
■ VLAN Name – The name of all VLANs to which this interface has...
VLAN configuration mismatches on a port. Improper network policy configurations frequently result in voice quality degradation or complete service disruption.
◆ MED-Location Civic Address – Configures information for the location of the attached device included in the MED TLV field of advertised messages, including the country and the device type.
Figure 233: Configuring LLDP Interface Attributes
CONFIGURING LLDP INTERFACE CIVIC ADDRESS
Use the Administration > LLDP (Configure Interface – Add CA-Type) page to specify the physical location of the device attached to an interface.
...
Table 26: LLDP MED Location CA Types (Continued)
CA Type | Description | CA Value Example
 | Street suffix or type | Avenue
 | House number |
 | House number suffix |
 | Landmark or vanity address | Tech Center
 | Unit (apartment, suite) | Apt 519
 | Floor |
 | Room | ...
To show the physical location of the attached device:
Click Administration, LLDP. Select Configure Interface from the Step list. Select Show CA-Type from the Action list. Select an interface from the Port or Trunk list.
Figure 235: Showing the Civic Address for an LLDP Interface
Use the Administration >...
Table 27: Chassis ID Subtype (Continued)
ID Basis | Reference
Interface name | ifName (IETF RFC 2863)
Locally assigned | locally assigned
◆ Chassis ID – An octet string indicating the specific identifier for the...
Interface Details
The attributes listed below apply to both port and trunk interface types. When a trunk is listed, the descriptions apply to the first port of the trunk.
◆ Local Port/Trunk – Local interface on this switch.
◆ ...
Figure 236: Displaying Local Device Information for LLDP (General)
Figure 237: Displaying Local Device Information for LLDP (Port)
Figure 238: Displaying Local Device Information for LLDP (Port Details)
DISPLAYING LLDP REMOTE DEVICE INFORMATION
Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch’s ports...
CLI REFERENCES
◆ "show lldp info remote-device" on page 1344
PARAMETERS
These parameters are displayed:
Port
◆ Local Port – The local port to which a remote LLDP-capable device is attached.
◆ System Capabilities Enabled – The primary function(s) of the system which are currently enabled. (See Table 28, "System Capabilities," on page 436.)
◆ Management Address List – The management addresses for this...
Table 30: Remote Port Auto-Negotiation Advertised Capability
Capability
PAUSE for full-duplex links
Asymmetric PAUSE for full-duplex links
Symmetric PAUSE for full-duplex links
Asymmetric and Symmetric PAUSE for full-duplex links
1000BASE-X, -LX, -SX, -CX half duplex mode
1000BASE-X, -LX, -SX, -CX full duplex mode
1000BASE-T half duplex mode
1000BASE-T full duplex mode
...
◆ Remote Link Aggregation Status – The current aggregation status of the link.
◆ Remote Link Port ID – This object contains the IEEE 802.3 aggregated port identifier, aAggPortID (IEEE 802.3-2002, 30.7.2.1.1), derived from the ifNumber of the ifIndex for the port component associated with the remote system.
Port Details – Network Policy
◆ Application Type – The primary application(s) defined for this network policy:
■ Voice
■ Voice Signaling
■ Guest Signaling
■ Guest Voice Signaling
■ Softphone Voice
■ ...
■ ECS ELIN – Emergency Call Service Emergency Location Identification Number supports traditional PSAP-based Emergency Call Service in North America.
◆ Country Code – The two-letter ISO 3166 country code in capital ASCII...
Figure 240: Displaying Remote Device Information for LLDP (Port Details)
...
Additional information displayed by an end-point device which advertises LLDP-MED TLVs is shown in the following figure.
Figure 241: Displaying Remote Device Information for LLDP (End Node)
DISPLAYING DEVICE STATISTICS
Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP...
◆ Neighbor Entries Age-out Count – The number of times that a neighbor’s information has been deleted from the LLDP remote systems MIB because the remote TTL timer has expired.
Port/Trunk
◆ Frames Discarded –...
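Two of the LLDP behaviours in this section are easy to check in code: the timing rule that the delay interval must be at most a quarter of the transmission interval, and the age-out of a neighbor entry when the TTL carried in its last LLDPDU expires, which is what the Neighbor Entries Age-out Count statistic counts. The following is an added example for this guide, not the switch's implementation; the `LldpPort` class, the neighbor identifiers and the timestamps are constructed, and the treatment of a TTL of zero as an immediate removal follows IEEE 802.1AB rather than anything stated on this page.

```python
"""LLDP timing-rule check and neighbor TTL aging (added example)."""
from dataclasses import dataclass, field
from typing import Dict


def validate_lldp_timers(tx_interval: int, tx_delay: int, reinit_delay: int) -> bool:
    """Return True when the timers satisfy (4 * Delay Interval) <= Transmission Interval."""
    return tx_interval > 0 and tx_delay >= 0 and reinit_delay >= 0 and 4 * tx_delay <= tx_interval


@dataclass
class Neighbor:
    chassis_id: str
    port_id: str
    ttl: int
    expires_at: int     # absolute time (seconds) at which the entry is deleted


@dataclass
class LldpPort:
    """Remote-systems table for one local port, with the age-out counter the page describes."""
    neighbors: Dict[str, Neighbor] = field(default_factory=dict)
    ageout_count: int = 0

    def receive(self, chassis_id: str, port_id: str, ttl: int, now: int) -> None:
        key = f"{chassis_id}/{port_id}"
        if ttl == 0:
            # Shutdown LLDPDU (802.1AB): the neighbor asks to be removed at once
            self.neighbors.pop(key, None)
            return
        # A fresh LLDPDU replaces the entry and restarts its TTL timer
        self.neighbors[key] = Neighbor(chassis_id, port_id, ttl, now + ttl)

    def age(self, now: int) -> int:
        """Delete entries whose TTL has expired; return how many aged out this call."""
        expired = [k for k, n in self.neighbors.items() if n.expires_at <= now]
        for k in expired:
            del self.neighbors[k]
            self.ageout_count += 1
        return len(expired)


def run_constructed_scenario() -> LldpPort:
    """Constructed timeline: two neighbors, only one of which keeps refreshing."""
    port = LldpPort()
    port.receive("chassis-A", "ge1", ttl=120, now=0)
    port.receive("chassis-B", "ge7", ttl=120, now=0)
    port.receive("chassis-A", "ge1", ttl=120, now=30)   # A refreshes, now expires at 150
    port.age(now=125)                                   # B expires, A still valid
    port.age(now=151)                                   # A expires too
    return port
```

With these inputs the port reports two age-outs and an empty neighbor table, and a timer set such as transmission interval 30 s with delay interval 8 s is rejected by the validator because 4 × 8 exceeds 30.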
Figure 243: Displaying LLDP Device Statistics (Port)
POWER OVER ETHERNET
The ECS4110-28P/52P can provide DC power to a wide range of connected devices, eliminating the need for an additional power source and cutting down on the amount of cables attached to each device.
SETTING THE SWITCH’S OVERALL POWER BUDGET
Use the Administration > PoE > PSE (Configure Global) page to set the maximum PoE power budget for the switch (power available to all Gigabit Ethernet ports). If the power demand from devices connected to the switch exceeds the power budget, the switch uses port power priority settings to limit the supplied power.
Set the maximum PoE power provided by the switch, and enable the compatible mode if required. Click Apply.
Figure 244: Setting the Switch’s PoE Budget
SETTING THE PORT POWER BUDGET
Use the Administration > PoE > PSE (Configure Interface) page to set the maximum power provided to a port.
◆ If a device is connected to a switch port and the switch detects that it requires more than the power budget set for the port or for the overall switch, no power is supplied to the device (i.e., port power remains off).
◆ Priority – Sets the power priority for a port. (Options: Low, High, or Critical; Default: Low)
◆ Power Allocation – Sets the power budget for a port. (Range: 3000-34200 milliwatts; Default: 34200 milliwatts)
◆ Power Consumption –...
the device. These objects are defined in a Management Information Base (MIB) that provides a standard presentation of the information controlled by the agent. SNMP defines both the format of the MIB specifications and the protocol used to access this information over the network.
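The PoE rules above combine into a small allocation pass: ports are served in priority order (Critical, then High, then Low), a port whose device asks for more than its own Power Allocation or more than what is left of the switch budget stays unpowered, and the per-port allocation must lie within 3000-34200 mW. The code below is an added example, not the switch's firmware; the port names and demands are constructed, and breaking ties between equal-priority ports by port number is an assumption the page does not state.

```python
"""Priority-based PoE power allocation (added example)."""
from dataclasses import dataclass
from typing import Dict, List

PRIORITY_RANK = {"Critical": 0, "High": 1, "Low": 2}
MIN_ALLOC_MW, MAX_ALLOC_MW = 3000, 34200        # per-port Power Allocation range


@dataclass
class PoePort:
    name: str
    priority: str           # "Low", "High" or "Critical"
    allocation_mw: int      # the port's own power budget
    demand_mw: int          # what the detected powered device requires (0 = nothing attached)
    index: int              # physical port number; assumed tie-breaker among equal priorities


def validate_allocation(mw: int) -> int:
    """Reject a per-port budget outside the configurable 3000-34200 mW range."""
    if not MIN_ALLOC_MW <= mw <= MAX_ALLOC_MW:
        raise ValueError(f"power allocation {mw} mW outside {MIN_ALLOC_MW}-{MAX_ALLOC_MW}")
    return mw


def allocate(ports: List[PoePort], switch_budget_mw: int) -> Dict[str, int]:
    """Return the power granted to each port; 0 means port power remains off."""
    remaining = switch_budget_mw
    granted: Dict[str, int] = {}
    # Highest priority first; lower priorities only get what is left
    for p in sorted(ports, key=lambda p: (PRIORITY_RANK[p.priority], p.index)):
        validate_allocation(p.allocation_mw)
        if p.demand_mw == 0:
            granted[p.name] = 0
            continue
        if p.demand_mw > p.allocation_mw or p.demand_mw > remaining:
            granted[p.name] = 0          # exceeds port or switch budget: no power supplied
            continue
        granted[p.name] = p.demand_mw
        remaining -= p.demand_mw
    return granted


def run_constructed_scenario() -> Dict[str, int]:
    """Constructed inputs: a 60 W switch budget shared by four ports."""
    ports = [
        PoePort("Eth1/1", "Low", 34200, 25000, 1),
        PoePort("Eth1/2", "Critical", 34200, 30000, 2),
        PoePort("Eth1/3", "High", 15400, 20000, 3),    # device wants more than its port budget
        PoePort("Eth1/4", "High", 34200, 15000, 4),
    ]
    return allocate(ports, 60000)
```

In the constructed scenario the Critical port is powered first, Eth1/3 is refused because its device exceeds the port's own allocation, Eth1/4 is powered next, and the Low-priority Eth1/1 is left off because only 15 W of the 60 W budget remains.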
COMMAND USAGE
Configuring SNMPv1/2c Management Access
To configure SNMPv1 or v2c management access to the switch, follow these steps:
Use the Administration > SNMP (Configure Global) page to enable SNMP on the switch, and to enable trap messages.
Use the Administration >...
PARAMETERS
These parameters are displayed:
◆ Agent Status – Enables SNMP on the switch. (Default: Enabled)
◆ Authentication Traps – Issues a notification message to specified IP trap managers whenever an invalid community string is submitted during the SNMP access authentication process.
SETTING THE LOCAL ENGINE ID
Use the Administration > SNMP (Configure Engine - Set Engine ID) page to change the local engine ID. An SNMPv3 engine is an independent SNMP agent that resides on the switch. This engine protects against message replay, delay, and redirection.
SPECIFYING A REMOTE ENGINE ID
Use the Administration > SNMP (Configure Engine - Add Remote Engine) page to configure an engine ID for a remote management station. To allow management access from an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
Figure 248: Configuring a Remote Engine ID for SNMP
To show the remote SNMP engine IDs:
Click Administration, SNMP. Select Configure Engine from the Step list. Select Show Remote Engine from the Action list.
Figure 249: Showing Remote Engine IDs for SNMP
Use the Administration >...
Add OID Subtree
◆ View Name – Lists the SNMP views configured in the Add View page. (Range: 1-32 characters)
◆ OID Subtree – Adds an additional object identifier of a branch within...
Figure 251: Showing SNMP Views
To add an object identifier to an existing SNMP view of the switch’s MIB database:
Click Administration, SNMP. Select Configure View from the Step list. Select Add OID Subtree from the Action list. Select a view name from the list of existing views, and specify an additional OID subtree in the switch’s MIB database to be included or excluded in the view.
Figure 253: Showing the OID Subtree Configured for SNMP Views
CONFIGURING SNMP GROUPS
Use the Administration > SNMP (Configure Group) page to add an SNMPv3 group which can be used to set the access policy for its assigned users, restricting them to specific read, write, and notify views.
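The view and group pages above implement view-based access control: a view is a list of OID subtrees marked included or excluded, and a group binds a read, write and notify view to its users. The example below is added for this guide and is not the switch's code; it applies the RFC 3415 rule that the longest matching subtree decides whether an OID is in the view (subtree masks are omitted), and the view and group names, plus the choice of excluding the USM and VACM MIBs from the read view, are constructed for illustration.

```python
"""SNMP view (VACM-style) include/exclude evaluation (added example)."""
from typing import Dict, List, Optional, Tuple

Oid = Tuple[int, ...]


def parse_oid(text: str) -> Oid:
    """'1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1); a leading dot is tolerated."""
    return tuple(int(x) for x in text.strip(".").split("."))


def is_prefix(subtree: Oid, oid: Oid) -> bool:
    return len(subtree) <= len(oid) and oid[: len(subtree)] == subtree


class SnmpView:
    def __init__(self, name: str) -> None:
        self.name = name
        self.subtrees: List[Tuple[Oid, bool]] = []     # (subtree, included?)

    def add_subtree(self, oid: str, included: bool = True) -> None:
        self.subtrees.append((parse_oid(oid), included))

    def permits(self, oid: str) -> bool:
        """The most specific (longest) matching subtree entry decides; no match means denied."""
        target = parse_oid(oid)
        best: Optional[Tuple[Oid, bool]] = None
        for subtree, included in self.subtrees:
            if is_prefix(subtree, target) and (best is None or len(subtree) > len(best[0])):
                best = (subtree, included)
        return best is not None and best[1]


class SnmpGroup:
    def __init__(self, name: str, read: SnmpView, write: SnmpView, notify: SnmpView) -> None:
        self.name = name
        self.views: Dict[str, SnmpView] = {"get": read, "set": write, "trap": notify}

    def check(self, operation: str, oid: str) -> bool:
        """operation is 'get', 'set' or 'trap'; returns whether the group may touch oid."""
        return self.views[operation].permits(oid)


def build_constructed_group() -> SnmpGroup:
    """A read-mostly operator group: whole internet subtree readable except the SNMP security MIBs."""
    ro = SnmpView("ro-view")
    ro.add_subtree("1.3.6.1", included=True)            # internet
    ro.add_subtree("1.3.6.1.6.3.15", included=False)    # snmpUsmMIB: user table and keys
    ro.add_subtree("1.3.6.1.6.3.16", included=False)    # snmpVacmMIB: access policy itself
    rw = SnmpView("rw-view")
    rw.add_subtree("1.3.6.1.2.1.1", included=True)      # system group only
    notify = SnmpView("notify-view")
    notify.add_subtree("1.3.6.1", included=True)
    return SnmpGroup("operators", ro, rw, notify)


def run_constructed_checks() -> List[bool]:
    g = build_constructed_group()
    return [
        g.check("get", "1.3.6.1.2.1.1.5.0"),              # sysName: readable
        g.check("get", "1.3.6.1.6.3.15.1.2.2.1.3.0"),     # usmUserTable column: excluded
        g.check("get", "1.3.6.1.4.1.259.10.1.39"),         # private enterprise subtree: readable
        g.check("set", "1.3.6.1.2.1.1.5.0"),              # sysName: writable
        g.check("set", "1.3.6.1.2.1.2.2.1.7.1"),          # ifAdminStatus: not in write view
        g.check("get", "1.3.5"),                           # outside every subtree: denied
    ]
```

The two exclusions are the security-relevant part: without them a read-only community or user that can walk the whole internet subtree can enumerate the SNMPv3 user table and the access policy, which is information an operator normally wants kept out of a monitoring view.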
Table 34: Supported Notification Messages
RFC 1493 Traps
newRoot (1.3.6.1.2.1.17.0.1) – The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer...
Table 34: Supported Notification Messages (Continued)
Private Traps
swPowerStatusChangeTrap (1.3.6.1.4.1.259.10.1.39.2.1.0.1) – This trap is sent when the power state changes.
swPortSecurityTrap (1.3.6.1.4.1.259.10.1.39.2.1.0.36) – This trap is sent when the port is being intruded.
Table 34: Supported Notification Messages (Continued)
swCpuUtiRisingNotification (1.3.6.1.4.1.259.10.1.39.2.1.0.107) – This notification indicates that the CPU utilization has risen from cpuUtiFallingThreshold to cpuUtiRisingThreshold.
swCpuUtiFallingNotification (1.3.6.1.4.1.259.10.1.39.2.1.0.108) – This notification indicates that the CPU utilization has fallen from cpuUtiRisingThreshold to cpuUtiFallingThreshold.
WEB INTERFACE
To configure an SNMP group:
Click Administration, SNMP. Select Configure Group from the Step list. Select Add from the Action list. Enter a group name, assign a security model and level, and then select read, write, and notify views.
SETTING COMMUNITY ACCESS STRINGS
Use the Administration > SNMP (Configure User - Add Community) page to configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. For security reasons, you should consider removing the default strings.
To show the community access strings:
Click Administration, SNMP. Select Configure User from the Step list. Select Show Community from the Action list.
Figure 257: Showing Community Access Strings
CONFIGURING LOCAL SNMPv3 USERS
Use the Administration > SNMP (Configure User - Add SNMPv3 Local User) page to authorize management access for SNMPv3 clients, or to identify...
■ AuthPriv – SNMP communications use both authentication and encryption.
◆ Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5)
◆ Authentication Password – Enter plain text characters for the...
To show local SNMPv3 users:
Click Administration, SNMP. Select Configure User from the Step list. Select Show SNMPv3 Local User from the Action list.
Figure 259: Showing Local SNMPv3 Users
CONFIGURING REMOTE SNMPv3 USERS
Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from...
◆ Security Level – The following security levels are only used for the groups assigned to the SNMP security model:
■ noAuthNoPriv – There is no authentication or encryption used in SNMP communications.
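The engine ID pages and the SNMPv3 user pages are linked by the USM key derivation of RFC 3414: the authentication password entered here is first hashed (with MD5 or SHA-1, the two options the Authentication Protocol parameter offers) into a user key, and that key is then localized with the engine ID of the agent it will be used against. This is why a remote user needs the remote engine ID to be configured first, and why the key stored on one agent cannot be replayed against another. The code below is an added example for this guide, not the switch's implementation; it uses only the standard library, and the `maplesyrup` password with engine ID `000000000000000000000002` is the test vector published in RFC 3414 Appendix A.

```python
"""SNMPv3 USM password-to-key and key localization per RFC 3414 (added example)."""
import hashlib

ONE_MEGABYTE = 1048576
# The manual's "SHA" option is HMAC-SHA-96, i.e. SHA-1 in hashlib terms
HASH_NAMES = {"MD5": "md5", "SHA": "sha1"}


def password_to_key(password: str, protocol: str) -> bytes:
    """Ku = H(password repeated out to exactly 1,048,576 bytes) (RFC 3414 A.2)."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    h = hashlib.new(HASH_NAMES[protocol])
    reps = ONE_MEGABYTE // len(pw) + 1
    h.update((pw * reps)[:ONE_MEGABYTE])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, protocol: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one specific engine."""
    return hashlib.new(HASH_NAMES[protocol], ku + engine_id + ku).digest()


def localized_auth_key(password: str, engine_id_hex: str, protocol: str = "MD5") -> str:
    """Hex of the authentication key an agent with engine_id_hex would store for this user."""
    ku = password_to_key(password, protocol)
    return localize_key(ku, bytes.fromhex(engine_id_hex), protocol).hex()


def keys_differ_per_engine(password: str, engine_a_hex: str, engine_b_hex: str) -> bool:
    """Same password and protocol, two engines: the stored keys must not match."""
    return localized_auth_key(password, engine_a_hex) != localized_auth_key(password, engine_b_hex)
```

Because the localized key depends on the engine ID, changing the local engine ID on the Set Engine ID page invalidates every SNMPv3 key derived for the old ID, and users have to be re-created; the reverse also holds, in that a key lifted from one agent's configuration is useless against an agent with a different engine ID.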
Figure 260: Configuring Remote SNMPv3 Users
To show remote SNMPv3 users:
Click Administration, SNMP. Select Configure User from the Step list. Select Show SNMPv3 Remote User from the Action list.
Figure 261: Showing Remote SNMPv3 Users
...
SPECIFYING TRAP MANAGERS
Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management software).
PARAMETERS
These parameters are displayed:
SNMP Version 1
◆ IP Address – IPv4 or IPv6 address of a new management station to receive notification messages (i.e., the targeted recipient).
◆ Version – Specifies whether to send notifications as SNMP v1, v2c, or...
SNMP Version 3
◆ IP Address – IPv4 or IPv6 address of a new management station to receive notification messages (i.e., the targeted recipient).
◆ Version – Specifies whether to send notifications as SNMP v1, v2c, or...
WEB INTERFACE
To configure trap managers:
Click Administration, SNMP. Select Configure Trap from the Step list. Select Add from the Action list. Fill in the required parameters based on the selected SNMP version. Click Apply.
Figure 262: Configuring Trap Managers (SNMPv1)
Figure 263: Configuring Trap Managers (SNMPv2c)
Figure 264: Configuring Trap Managers (SNMPv3)
To show configured trap managers:
Click Administration, SNMP. Select Configure Trap from the Step list. Select Show from the Action list.
Figure 265: Showing Trap Managers
Use the Administration >...
The Notification Log MIB (NLM, RFC 3014) provides an infrastructure in which information from other MIBs may be logged.
◆ Given the service provided by the NLM, individual MIBs can now bear...
Click Apply.
Figure 266: Creating SNMP Notification Logs
To show configured SNMP notification logs:
Click Administration, SNMP. Select Configure Notify Filter from the Step list. Select Show from the Action list.
Figure 267: Showing SNMP Notification Logs
Use the Administration >...
◆ Illegal operation for community name supplied – The total number of SNMP messages delivered to the SNMP entity which represented an SNMP operation which was not allowed by the SNMP community named in the message.
WEB INTERFACE
To show SNMP statistics:
Click Administration, SNMP. Select Show Statistics from the Step list.
Figure 268: Showing SNMP Statistics
REMOTE MONITORING
Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic.
CONFIGURING RMON ALARMS
Use the Administration > RMON (Configure Global - Add - Alarm) page to define specific criteria that will generate response events. Alarms can be set to test data over any specified time interval, and can monitor absolute or changing values (such as a statistical counter reaching a specific value, or a statistic changing by a certain amount over the set interval).
◆ Falling Threshold – If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold.
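The rising and falling thresholds form a hysteresis pair: a crossing only counts when the previous sample was on the other side of that threshold, and after one kind of event the same kind cannot fire again until the opposite threshold has been reached. The evaluator below is an added example for this guide rather than the switch's RMON engine; it implements that rule for both absolute samples and delta (change-over-interval) samples as the page describes them, the sample values are constructed, and the RMON startup-alarm option is deliberately left out, so the first sample only establishes a baseline.

```python
"""RMON-style alarm evaluation with rising/falling hysteresis (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RmonAlarm:
    rising_threshold: int
    falling_threshold: int
    sample_type: str = "absolute"          # "absolute" or "delta"
    _last_value: Optional[int] = field(default=None, init=False)   # previous evaluated value
    _last_raw: Optional[int] = field(default=None, init=False)     # previous counter, delta mode
    _last_event: Optional[str] = field(default=None, init=False)   # "rising" / "falling"

    def _evaluated_value(self, raw: int) -> Optional[int]:
        """Absolute mode uses the sample itself; delta mode uses the change since the last sample."""
        if self.sample_type == "absolute":
            return raw
        if self._last_raw is None:
            self._last_raw = raw
            return None                      # no delta available yet
        delta = raw - self._last_raw
        self._last_raw = raw
        return delta

    def sample(self, raw: int) -> Optional[str]:
        """Feed one sample; return "rising", "falling" or None."""
        value = self._evaluated_value(raw)
        if value is None:
            return None
        event = None
        last = self._last_value
        if last is not None:
            crossed_up = value >= self.rising_threshold and last < self.rising_threshold
            crossed_down = value <= self.falling_threshold and last > self.falling_threshold
            # Hysteresis: the same kind of event is suppressed until the other one has fired
            if crossed_up and self._last_event != "rising":
                event = "rising"
            elif crossed_down and self._last_event != "falling":
                event = "falling"
        self._last_value = value
        if event:
            self._last_event = event
        return event


def run(alarm: RmonAlarm, samples: List[int]) -> List[Tuple[int, str]]:
    """Return (sample index, event) pairs for every event the alarm raises."""
    events = []
    for i, s in enumerate(samples):
        ev = alarm.sample(s)
        if ev:
            events.append((i, ev))
    return events


def constructed_absolute_run() -> List[Tuple[int, str]]:
    # e.g. a utilisation percentage sampled every interval
    return run(RmonAlarm(80, 20, "absolute"), [10, 50, 85, 90, 95, 30, 15, 10, 85])


def constructed_delta_run() -> List[Tuple[int, str]]:
    # e.g. an error counter; the alarm watches how much it grows per interval
    return run(RmonAlarm(80, 20, "delta"), [100, 150, 250, 260, 400])
```

In the absolute run the values 90 and 95 produce no second rising event even though they exceed the rising threshold, and the event at index 8 is only possible because the falling event at index 6 re-armed the rising side.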
To show configured RMON alarms:
Click Administration, RMON. Select Configure Global from the Step list. Select Show from the Action list. Click Alarm.
Figure 270: Showing Configured RMON Alarms
CONFIGURING RMON EVENTS
Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered.
◆ Type – Specifies the type of event to initiate:
■ None – No event is generated.
■ Log – Generates an RMON log entry when the event is triggered. Log messages are processed based on the current configuration settings for event logging (see "System Log Configuration"...
Figure 271: Configuring an RMON Event
To show configured RMON events:
Click Administration, RMON. Select Configure Global from the Step list. Select Show from the Action list. Click Event.
Figure 272: Showing Configured RMON Events
Use the Administration >...
COMMAND USAGE
◆ Each index number equates to a port on the switch.
◆ If history collection is already enabled on an interface, the entry must be deleted before any changes can be made.
◆ ...
Click Apply.
Figure 273: Configuring an RMON History Sample
To show configured RMON history samples:
Click Administration, RMON. Select Configure Interface from the Step list. Select Show from the Action list. Select a port from the list. Click History.
Click History.
Figure 275: Showing Collected RMON History Samples
CONFIGURING RMON STATISTICAL SAMPLES
Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates.
Click Statistics. Select a port from the list as the data source. Enter an index number, and the name of the owner for this entry. Click Apply.
Figure 276: Configuring an RMON Statistical Sample
To show configured RMON statistical samples:
Click Administration, RMON.
Select Show Details from the Action list. Select a port from the list. Click Statistics.
Figure 278: Showing Collected RMON Statistical Samples
SWITCH CLUSTERING
Switch clustering is a method of grouping switches together to enable centralized management through a single unit.
manually selected by the administrator through the management station.
◆ There can be up to 100 candidates and 36 member switches in one cluster.
◆ A switch can only be a member of one cluster.
◆ ...
◆ Number of Members – The current number of Member switches in the cluster.
◆ Number of Candidates – The current number of Candidate switches discovered in the network that are available to become Members.
WEB INTERFACE
To configure a switch cluster:
Click Administration, Cluster.
WEB INTERFACE
To configure cluster members:
Click Administration, Cluster. Select Configure Member from the Step list. Select Add from the Action list. Select one of the cluster candidates discovered by this switch, or enter the MAC address of a candidate.
Figure 282: Showing Cluster Candidates
MANAGING CLUSTER MEMBERS
Use the Administration > Cluster (Show Member) page to manage another switch in the cluster.
CLI REFERENCES
◆ "Switch Clustering" on page 786
PARAMETERS
These parameters are displayed:
◆ Member ID –...
Figure 283: Managing a Cluster Member
ETHERNET RING PROTECTION SWITCHING
Information in this section is based on ITU-T G.8032/Y.1344. The ITU G.8032 recommendation specifies a protection switching mechanism and protocol for Ethernet layer network rings. Ethernet rings can provide wide-area multipoint connectivity more economically due to their reduced number of links.
blocking the RPL. Each link is monitored by its two adjacent nodes using Connectivity Fault Management (CFM) protocol messages. Protection switching (opening the RPL to traffic) occurs when a signal failure message generated by the Connectivity Fault Management (CFM) protocol is declared on one of the ring links, and the detected failure has a higher priority than any other request;...
Figure 285 on page 498 (Normal Condition) depicts an example of a multi-ring/ladder network. If the network is in normal operating condition, the RPL owner node of each ring blocks the transmission and reception of traffic over the RPL for that ring.
Figure 285: 2 Ring Interconnection Architecture (Multi-ring/Ladder Network)
[Figure panels: "Normal Condition" and "Signal Fail Condition"; labels: RPL Owner Node for ERP1, ring node A, ring node B, ERP1...]
Enable ERPS (Configure Global): Before enabling a ring as described in the next step, first globally enable ERPS on the switch. If ERPS has not yet been enabled or has been disabled, no ERPS rings will work.
Enable an ERPS ring (Configure Domain –...
Mark the ERPS Status check box. Click Apply.
Figure 286: Setting ERPS Global Status
ERPS RING CONFIGURATION
Use the Administration > ERPS (Configure Domain) pages to configure ERPS rings.
CLI REFERENCES
◆ ...
◆ MEG Level – The maintenance entity group (MEG) level providing a communication channel for ring automatic protection switching (R-APS) information.
◆ Control VLAN – Shows the Control VLAN ID.
◆ Node State – Shows the following ERPS states:
...
Configure Details
◆ Domain Name – Name of a configured ERPS ring. (Range: 1-12 characters)
Service Instances within each ring are based on a unique maintenance association for the specific users, distinguished by the ring name, maintenance level, maintenance association’s name, and assigned VLAN.
When ring nodes running G.8032v1 and G.8032v2 co-exist on a ring, the ring ID of each node is configured as “1”. In version 1, the MAC address 01-19-A7-00-00-01 is used for the node identifier.
■ RPL Neighbor – Specifies a ring node to be the RPL neighbor.
■ The RPL neighbor node, when configured, is a ring node adjacent to the RPL that is responsible for blocking its end of the RPL under normal conditions (i.e., the ring is established and no requests are present in the ring) in addition to the block at the other end by the RPL Owner Node.
■ Recovery with Revertive Mode – When all ring links and ring nodes have recovered and no external requests are active, reversion is handled in the following way: The reception of an R-APS (NR) message causes the RPL Owner Node to start the WTR (Wait-to-Restore) timer.
accept an R-APS (NR, RB) message, or when another higher priority request is received. If the ring node where the Forced Switch was cleared receives an R-APS (NR) message with a Node ID higher than its own Node ID, it unblocks any ring port which does not have an SF condition and stops transmitting R-APS (NR) messages over both ring ports.
Page 507
| Basic Administration Protocols HAPTER Ethernet Ring Protection Switching commands, and triggers reversion if the ring is in revertive behavior mode. The ring node where the Manual Switch was cleared keeps the ring port blocked for the traffic channel and for the R-APS channel, due to the previous Manual Switch command.
Page 508
| Basic Administration Protocols HAPTER Ethernet Ring Protection Switching The acceptance of the R-APS (NR, RB) message triggers all ring nodes to unblock any blocked non-RPL which does not have an SF condition. If it is an R-APS (NR, RB) message without a DNF indication, all ring nodes flush their FDB.
Page 509
| Basic Administration Protocols HAPTER Ethernet Ring Protection Switching are forwarded over the sub-ring’s virtual channel are broadcast or multicast over the interconnected network. For this reason the broadcast/multicast domain of the virtual channel should be limited to the necessary links and nodes. For example, the virtual channel could span only the interconnecting rings or sub-rings that are necessary for forwarding R-APS messages of this sub-ring.
Page 510
Figure 288: Sub-ring without Virtual Channel (figure labels: Interconnection Node, RPL Port, Ring Node, Major Ring, Sub-ring with Virtual Channel)
◆ R-APS Def MAC – Sets the switch’s MAC address to be used as the ...
in the following figure, and node E detected CCM loss, it would send an R-APS (SF) message to the RPL owner and block the link to node D, isolating that non-ERPS device.
Figure 289: Non-ERPS Device Protection ...
ring. A side-effect of the guard timer is that during its duration, a node will be unaware of new or existing ring requests transmitted from other nodes.
◆ WTB Timer – The Wait to Block (WTB) timer is used when clearing ...
Note that a ring port cannot be configured as a member of a spanning tree, a dynamic trunk, or a static trunk.
◆ Port State – Once configured, this field shows the operational state of ...
Click Apply.
Figure 290: Creating an ERPS Ring
To configure the ERPS parameters for a ring:
Click Administration, ERPS. Select Configure Domain from the Step list. Select Configure Details from the Action list. Configure the ERPS parameters for this node.
Figure 291: Creating an ERPS Ring
To show the configured ERPS rings:
Click Administration, ERPS. Select Configure Domain from the Step list. Select Show from the Action list.
Figure 292: Showing Configured ERPS Rings – ...
ERPS Forced and Manual Operations
Use the Administration > ERPS (Configure Operation) page to block a ring port using Forced Switch or Manual Switch commands.
CLI References
◆ "erps forced-switch" on page 1141
◆ ...
nodes where further forced switch commands are issued block the traffic channel and R-APS channel on the ring port at which the forced switch was issued. The ring node where the forced switch command was issued transmits an R-APS message over both ring ports indicating FS.
under maintenance in order to avoid falling into the above mentioned unrecoverable situation.
■ Manual Switch – Blocks the specified ring port, in the absence of a failure or an FS command. (Options: West or East)
■ A ring with no request has a logical topology with the traffic ...
A ring node with a local manual switch command that receives an R-APS message or a local request of higher priority than R-APS (MS) clears its manual switch request. The ring node then processes the new higher priority request.
Chapter | Basic Administration Protocols: Connectivity Fault Management
Figure 293: Blocking an ERPS Ring Port
Connectivity Fault Management
Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices.
◆ A Maintenance Level allows maintenance domains to be nested in a hierarchical fashion, providing access to the specific network portions required by each operator. Domains at lower levels may be either hidden or exposed to operators managing domains at a higher level, allowing either coarse or fine fault resolution.
Figure 295: Multiple CFM Maintenance Domains (figure labels: Customer MA, Operator 1 MA, Operator 2 MA, Provider MA)
Note that the Service Instances within each domain shown above are based on a unique maintenance association for the specific users, distinguished by the domain name, maintenance level, maintenance association’s name, and assigned VLAN.
SNMP traps can also be configured to provide an automated method of fault notification. If the fault notification generator detects one or more defects within the configured time period, and fault alarms are enabled, a corresponding trap will be sent.
CLI References
◆ "CFM Commands" on page 1347
Parameters
These parameters are displayed:
Global Configuration
◆ CFM Status – Enables CFM processing globally on the switch. (Default: Enabled) To avoid generating an excessive number of traps, the complete CFM maintenance structure and process parameters should be configured prior to enabling CFM processing globally on the switch.
◆ Link Trace Cache Hold Time – The hold time for CFM link trace cache entries. (Range: 1-65535 minutes; Default: 100 minutes) Before setting the aging time for cache entries, the cache must first be enabled in the Linktrace Cache attribute field.
◆ Cross Check MEP Unknown – Sends a trap if an unconfigured MEP comes up. A MEP Unknown trap is sent if cross-checking is enabled, and a CCM is received from a remote MEP that is not configured in the static list.
Web Interface
To configure global settings for CFM:
Click Administration, CFM.
Configuring Interfaces for CFM
CFM processes are enabled by default for all physical interfaces, both ports and trunks. You can use the Administration > CFM (Configure Interface) page to change these settings.
CLI References
"ethernet cfm port-enable" ...
CLI References
◆ "CFM Commands" on page 1347
Command Usage
Configuring General Settings
◆ Where domains are nested, an upper-level hierarchical domain must have a higher maintenance level than the ones it encompasses. The higher to lower level domain types commonly include entities such as customer, service provider, and operator.
The MIP creation method defined for an MA (see "Configuring CFM Maintenance Associations") takes precedence over the method defined on the CFM Domain List.
Configuring Fault Notification
◆ A fault alarm can generate an SNMP notification. It is issued when the ...
Parameters
These parameters are displayed:
Creating a Maintenance Domain
◆ MD Index – Domain index. (Range: 1-65535)
◆ MD Name – Maintenance domain name. (Range: 1-43 alphanumeric characters)
◆ MD Level – Authorized maintenance level for this domain. ...
Web Interface
To create a maintenance domain:
Click Administration, CFM. Select Configure MD from the Step list. Select Add from the Action list. Specify the maintenance domains and authorized maintenance levels (thereby setting the hierarchical relationship with other domains). Specify the manner in which MIPs can be created within each domain.
To configure detailed settings for maintenance domains:
Click Administration, CFM. Select Configure MD from the Step list. Select Configure Details from the Action list. Select an entry from the MD Index. Specify the MEP archive hold and MEP fault notification parameters. Click Apply.
Figure 300: Configuring Detailed Settings for Maintenance Domains
Use the Administration > ...
◆ Multiple domains at the same maintenance level cannot have an MA on the same VLAN (see "Configuring CFM Maintenance Domains" on page 527).
◆ Before removing an MA, first remove the MEPs assigned to it (see ...
◆ MIP Creation Type – Specifies the CFM protocol’s creation method for maintenance intermediate points (MIPs) in this MA:
■ Default – MIPs can be created for this MA on any bridge port ...
◆ AIS Transmit Level – Configure the AIS maintenance level in an MA. (Range: 0-7; Default is 0) AIS Level must follow this rule: AIS Level >= Domain Level
◆ AIS Suppress Alarm – Enables/disables suppression of the AIS. ...
Figure 302: Showing Maintenance Associations
To configure detailed settings for maintenance associations:
Click Administration, CFM. Select Configure MA from the Step list. Select Configure Details from the Action list. Select an entry from MD Index and MA Index. Specify the CCM interval, enable the transmission of connectivity check and cross check messages, and configure the required AIS parameters.
Configuring Maintenance End Points
Use the Administration > CFM (Configure MEP – Add) page to configure Maintenance End Points (MEPs). MEPs, also called Domain Service Access Points (DSAPs), must be configured at the domain boundary to provide management access for each maintenance association.
Click Apply.
Figure 304: Configuring Maintenance End Points
To show the configured maintenance end points:
Click Administration, CFM. Select Configure MEP from the Step list. Select Show from the Action list. Select an entry from MD Index and MA Index.
Figure 305: Showing Maintenance End Points
Use the Administration > ...
Command Usage
◆ All MEPs that exist on other devices inside a maintenance association should be statically configured to ensure full connectivity through the cross-check process.
◆ Remote MEPs can only be configured if local domain service access ...
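The cross-check behaviour described above (the static remote MEP list, and the MEP Unknown trap raised when a CCM arrives from a MEP that is not on it) can be modelled in a few lines. This is an added example, not code from the switch or from the manual; the CCM dictionaries, the trap tuples, the `run_sample` scenario and the complementary "missing MEP" report are this example's own constructions and assumptions.

```python
"""Model of CFM cross-checking: remote MEPs that belong to a maintenance
association are listed statically, and a CCM from a MEP that is not in that
list raises a MEP Unknown trap. Added example, not the switch's firmware."""
from dataclasses import dataclass, field


@dataclass
class MaintenanceAssociation:
    md_name: str
    md_level: int                 # maintenance level (0-7) of the enclosing domain
    ma_name: str
    primary_vlan: int             # service VLAN of this MA
    static_remote_meps: set       # MEP IDs configured in the static list
    cross_check: bool = True
    seen_remote_meps: set = field(default_factory=set)
    traps: list = field(default_factory=list)


def process_ccm(ma, ccm):
    """Apply one received CCM (a dict, assumed shape) to the MA.

    Returns the trap raised, or None when the CCM is expected or not ours."""
    # A CCM at another level or on another VLAN belongs to a different MA/domain.
    if ccm["md_level"] != ma.md_level or ccm["vlan"] != ma.primary_vlan:
        return None
    mep_id = ccm["mep_id"]
    if ma.cross_check and mep_id not in ma.static_remote_meps:
        trap = ("MEP Unknown", mep_id, ccm["src_mac"])   # assumed trap shape
        ma.traps.append(trap)
        return trap
    ma.seen_remote_meps.add(mep_id)
    return None


def missing_remote_meps(ma):
    """Static MEPs that have not sent a CCM yet: the complementary check an
    operator wants after the cross-check delay (an assumption of this example,
    not a parameter taken from the manual page)."""
    return sorted(ma.static_remote_meps - ma.seen_remote_meps)


# Constructed sample: remote MEPs 10 and 20 are expected; 30 is a stranger and
# 40 sends at a different maintenance level, so it is not this MA's business.
SAMPLE_CCMS = [
    {"md_level": 5, "vlan": 100, "mep_id": 10, "src_mac": "00:11:22:33:44:10"},
    {"md_level": 5, "vlan": 100, "mep_id": 30, "src_mac": "00:11:22:33:44:30"},
    {"md_level": 6, "vlan": 100, "mep_id": 40, "src_mac": "00:11:22:33:44:40"},
    {"md_level": 5, "vlan": 100, "mep_id": 10, "src_mac": "00:11:22:33:44:10"},
]


def run_sample():
    """Feed the constructed CCMs to one MA; returns (traps, missing MEP IDs)."""
    ma = MaintenanceAssociation("customer", 5, "ma-east", 100, {10, 20})
    for ccm in SAMPLE_CCMS:
        process_ccm(ma, ccm)
    return ma.traps, missing_remote_meps(ma)


if __name__ == "__main__":
    traps, missing = run_sample()
    print("traps raised:", traps)
    print("static MEPs not yet heard from:", missing)
```

The level/VLAN check at the top of `process_ccm` is what keeps the trap meaningful: without it, CCMs from a correctly configured higher-level domain that transit this MA would be reported as unknown MEPs.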
Figure 306: Configuring Remote Maintenance End Points
To show the configured remote maintenance end points:
Click Administration, CFM. Select Configure MEP from the Step list. Select Show from the Action list. Select an entry from MD Index and MA Index.
Figure 307: Showing Remote Maintenance End Points
Use the Administration > ...
◆ LTMs are sent as multicast CFM frames, and forwarded from MIP to MIP, with each MIP generating a link trace reply, up to the point at which the LTM reaches its destination or can no longer be forwarded. LTMs are used to isolate faults.
Click Apply. Check the results in the Link Trace cache (see "Displaying the Link Trace Cache").
Figure 308: Transmitting Link Trace Messages
Transmitting Loopback Messages
Use the Administration > CFM (Transmit Loopback) page to transmit Loopback Messages (LBMs).
◆ MA Index – MA identifier. (Range: 1-2147483647)
◆ Source MEP ID – The identifier of a source MEP that will send the loopback message. (Range: 1-8191)
◆ Target
■ MEP ID – The identifier of a remote MEP that is the target of a ...
Transmitting Delay Measure Requests
Use the Administration > CFM (Transmit Delay Measure) page to send periodic delay-measure requests to a specified MEP within a maintenance association.
CLI References
◆ "ethernet cfm delay-measure two-way" on page 1386
◆ ...
◆ Count – The number of times to retry sending the message if no response is received before the specified timeout. (Range: 1-5; Default: 5)
◆ Packet Size – The size of the delay-measure message. ...
Displaying Local MEPs
Use the Administration > CFM > Show Information (Show Local MEP) page to show information for the MEPs configured on this device.
CLI References
◆ "show ethernet cfm maintenance-points local" on page 1363
◆ ...
Displaying Details for Local MEPs
Use the Administration > CFM > Show Information (Show Local MEP Details) page to show detailed CFM information about a local MEP in the continuity check database.
CLI References
"show ethernet cfm maintenance-points local detail mep" ...
◆ Suppressing Alarms – Shows if the specified MEP is currently suppressing sending frames containing AIS information following the detection of defect conditions.
Web Interface
To show detailed information for the MEPs configured on this device:
Click Administration, CFM.
Parameters
These parameters are displayed:
◆ MD Name – Maintenance domain name.
◆ Level – Authorized maintenance level for this domain.
◆ MA Name – Maintenance association name.
◆ Primary VLAN – Service VLAN ID.
◆ Interface – ...
◆ MA Name – Maintenance association name.
◆ Level – Authorized maintenance level for this domain.
◆ Primary VLAN – Service VLAN ID.
◆ MEP Up – Indicates whether or not this MEP is functioning normally. ...
◆ MA Name – Maintenance association name.
◆ Level – Authorized maintenance level for this domain.
◆ MAC Address – MAC address of this MEP entry.
◆ Primary VLAN – Service VLAN ID. ...
Web Interface
To show detailed information for remote MEPs:
Click Administration, CFM. Select Show Information from the Step list. Select Show Remote MEP Details from the Action list. Select an entry from MD Index and MA Index. Select a MEP ID.
◆ MA – Maintenance association name.
◆ IP Address / Alias – IP address or DNS alias of the target device’s CPU.
◆ Forwarded – Shows whether or not this link trace message was ...
Web Interface
To show information about link trace operations launched from this device:
Click Administration, CFM. Select Show Information from the Step list. Select Show Link Trace Cache from the Action list.
Figure 316: Showing the Link Trace Cache
Use the Administration > ...
Web Interface
To show configuration settings for the fault notification generator:
Click Administration, CFM. Select Show Information from the Step list. Select Show Fault Notification Generator from the Action list.
Figure 317: Showing Settings for the Fault Notification Generator
Use the Administration > ...
Chapter | Basic Administration Protocols: OAM Configuration
■ VIDS – MA x is associated with a specific VID list, a MEP is configured facing inward (up) on this MA on the bridge port, and some other MA y, associated with at least one of the VID(s) also in MA x, also has an Up MEP configured facing inward (up) on some bridge port.
CLI References
◆ "OAM Commands" on page 1389
Parameters
These parameters are displayed:
◆ Port – Port identifier. (Range: 1-28/52)
◆ Admin Status – Enables or disables OAM functions. (Default: Disabled)
◆ Operation State – Shows the operational state between the local and ...
◆ Critical Link Event – Controls reporting of critical link events to its OAM peer.
■ Dying Gasp – If an unrecoverable condition occurs, the local OAM entity (i.e., this switch) indicates this by immediately sending a trap message.
Click Apply.
Figure 319: Enabling OAM for Local Ports
Displaying Statistics for OAM Messages
Use the Administration > OAM > Counters page to display statistics for the various types of OAM messages passed across each port.
CLI References ...
Web Interface
To display statistics for OAM messages:
Click Administration, OAM, Counters.
Figure 320: Displaying Statistics for OAM Messages
Displaying the OAM Event Log
Use the Administration > OAM > Event Log page to display link events for the selected port.
Figure 321: Displaying the OAM Event Log
Displaying Status of Remote Interfaces
Use the Administration > OAM > Remote Interface page to display information about attached OAM-enabled devices.
CLI References
◆ "show efm oam status remote interface" on page 1400
Parameters
These parameters are displayed:
◆ Port – ...
Web Interface
To display information about attached OAM-enabled devices:
Click Administration, OAM, Remote Interface.
Figure 322: Displaying Status of Remote Interfaces
Configuring a Remote Loopback Test
Use the Administration > OAM > Remote Loopback (Remote Loopback Test) page to initiate a loop back test to the peer device attached to the selected port.
◆ Loopback Mode – Shows if loop back mode is enabled on the peer. This attribute must be enabled before starting the loopback test.
◆ Loopback Status – Shows if loopback testing is currently running. ...
Select the port on which to initiate remote loop back testing, enable the Loop Back Mode attribute, and click Apply. Set the number of packets to send and the packet size, and then click Test.
Web Interface
To display the results of remote loop back testing for each port for which this information is available:
Click Administration, OAM, Remote Loop Back. Select Show Test Result from the Action list.
Figure 324: Displaying the Results of Remote Loop Back Testing – ...
Multicast Filtering
This chapter describes how to configure the following multicast services:
◆ IGMP Snooping – Configures snooping and query parameters.
◆ Filtering and Throttling – Filters specified multicast services, or throttles the maximum number of multicast groups allowed on an interface.
◆ MLD Snooping – ...
Chapter | Multicast Filtering: Layer 2 IGMP (Snooping and Query for IPv4)
Figure 325: Multicast Filtering Concept (figure labels: Unicast Flow, Multicast Flow)
This switch can use Internet Group Management Protocol (IGMP) to filter multicast traffic. IGMP Snooping can be used to passively monitor or “snoop” ...
network segments where no node has expressed interest in receiving a specific multicast service. For switches that do not support multicast routing, or where multicast routing is already enabled on other switches in the local network segment, IGMP Snooping is the only service required to support multicast filtering.
your switch (page 574). This interface will then join all the current multicast groups supported by the attached router/switch to ensure that multicast traffic is passed to all appropriate interfaces within the switch.
Static IGMP Host Interface – ...
these devices is elected “querier” and assumes the role of querying the LAN for group members. It then propagates the service requests on to any upstream multicast switch/router to ensure that it will continue to receive the multicast service.
When a new uplink port starts up, the switch sends unsolicited reports for all currently learned channels out the new uplink port. By default, the switch immediately enters into “multicast flooding mode” ...
is configured in the attached VLAN, and unregistered-flooding is disabled, any subsequent multicast traffic not found in the table is dropped, otherwise it is flooded throughout the VLAN.
Forwarding Priority – ...
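The forwarding decision the preceding paragraphs describe (member ports plus router ports for a learned group; flooding or dropping for an unregistered group depending on the unregistered-flooding setting) is small enough to model directly. This is an added example, not the switch's own code or an extract from the manual. Its assumptions: a VLAN floods until its first group entry exists, membership entries have no timers, and the `run_sample` scenario with ports 1-4 and a router on port 1 is constructed for illustration.

```python
"""Model of the IGMP snooping forwarding table for one VLAN.
Added example, not the switch's firmware; see the assumptions in the lead-in."""
import ipaddress


class IgmpSnoopingVlan:
    def __init__(self, vlan_id, ports, unregistered_flooding=True):
        self.vlan_id = vlan_id
        self.ports = set(ports)                  # all ports that are members of the VLAN
        self.unregistered_flooding = unregistered_flooding
        self.router_ports = set()                # static or discovered multicast router ports
        self.groups = {}                         # group address -> set of member ports

    def add_router_port(self, port):
        """A router port receives every learned group (it joins them all)."""
        self._check(port, "224.0.0.1")
        self.router_ports.add(port)

    def report(self, port, group):
        """IGMP membership report (join) received on a port."""
        self._check(port, group)
        self.groups.setdefault(group, set()).add(port)

    def leave(self, port, group):
        """IGMP leave received; the entry disappears with its last member."""
        members = self.groups.get(group)
        if members:
            members.discard(port)
            if not members:
                del self.groups[group]

    def egress_ports(self, ingress_port, group):
        """Ports that receive a multicast frame for `group` arriving on `ingress_port`."""
        self._check(ingress_port, group)
        if group in self.groups:
            out = self.groups[group] | self.router_ports      # registered group
        elif self.unregistered_flooding or not self.groups:
            out = self.ports                                   # flooded throughout the VLAN
        else:
            out = set()                                        # unregistered, flooding off: dropped
        return sorted(out - {ingress_port})

    def _check(self, port, group):
        if port not in self.ports:
            raise ValueError(f"port {port} is not a member of VLAN {self.vlan_id}")
        if not ipaddress.IPv4Address(group).is_multicast:
            raise ValueError(f"{group} is not an IPv4 multicast address")


def run_sample():
    """Constructed scenario: VLAN 10, ports 1-4, multicast router on port 1."""
    vlan = IgmpSnoopingVlan(10, [1, 2, 3, 4], unregistered_flooding=False)
    vlan.add_router_port(1)
    before_any_entry = vlan.egress_ports(1, "239.1.1.1")   # still in flooding mode
    vlan.report(3, "239.1.1.1")                            # host on port 3 joins
    registered = vlan.egress_ports(1, "239.1.1.1")         # only the member port
    unregistered = vlan.egress_ports(1, "239.9.9.9")       # dropped: flooding disabled
    vlan.unregistered_flooding = True
    flooded = vlan.egress_ports(2, "239.9.9.9")            # flooded to the rest of the VLAN
    return before_any_entry, registered, unregistered, flooded
```

Comparing `unregistered` and `flooded` in `run_sample` is the practical point of the unregistered-flooding setting: with it disabled, a stream nobody has joined stops at the switch instead of reaching every access port in the VLAN.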
Figure 326: Configuring General Settings for IGMP Snooping
Specifying Static Interfaces for a Multicast Router
Use the Multicast > IGMP Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to a multicast router/switch.
Show Static Multicast Router
◆ VLAN – Selects the VLAN for which to display any configured static multicast routers.
◆ Interface – Shows the interface to which the specified static multicast ...
Figure 328: Showing Static Interfaces Attached to a Multicast Router
To show all interfaces attached to a multicast router:
Click Multicast, IGMP Snooping, Multicast Router. Select Current Multicast Router from the Action list. Select the VLAN for which to display this information.
Command Usage
◆ Static multicast addresses are never aged out.
◆ When a multicast address is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN.
Figure 331: Showing Static Interfaces Assigned to a Multicast Service
Setting IGMP Snooping Status per Interface
Use the Multicast > IGMP Snooping > Interface (Configure VLAN) page to configure IGMP snooping attributes for a VLAN. To configure snooping globally, refer to ...
Multicast Router Discovery uses the following three message types to discover multicast routers:
◆ Multicast Router Advertisement – Advertisements are sent by routers to advertise that IP multicast forwarding is enabled. These messages are sent unsolicited periodically on all router interfaces on which multicast forwarding is enabled.
Parameters
These parameters are displayed:
◆ VLAN – ID of configured VLANs. (Range: 1-4094)
◆ IGMP Snooping Status – When enabled, the switch will monitor network traffic on the indicated VLAN interface to determine which hosts want to receive multicast traffic.
◆ Proxy Reporting – Enables IGMP Snooping with Proxy Reporting. (Default: Based on global setting) When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression.
◆ Query Response Interval – The maximum time the system waits for a response to general queries. (Range: 10-31740 tenths of a second in multiples of 10; Default: 10 seconds) This command applies when the switch is serving as the querier (page 570), or as a proxy host when IGMP snooping proxy reporting is ...
Select the VLAN to configure and update the required parameters. Click Apply.
Figure 332: Configuring IGMP Snooping on a VLAN
To show the interface settings for IGMP snooping:
Click Multicast, IGMP Snooping, Interface.
Filtering IGMP Query Packets and Multicast Data
Use the Multicast > IGMP Snooping > Interface (Configure Interface) page to configure an interface to drop IGMP query packets or multicast data packets.
Displaying Multicast Groups Discovered by IGMP Snooping
Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping.
CLI References
"show ip igmp snooping group" ...
Figure 335: Showing Multicast Groups Learned by IGMP Snooping
Displaying IGMP Snooping Statistics
Use the Multicast > IGMP Snooping > Statistics pages to display IGMP snooping protocol-related statistics for the specified interface. ...
◆ General Query Sent – The number of general queries sent from this interface.
◆ Specific Query Received – The number of specific queries received on this interface.
◆ Specific Query Sent – ...
◆ G Query – The number of general query messages sent from this interface.
◆ G(-S)-S Query – The number of group specific or group-and-source specific query messages sent from this interface.
◆ Drop – ...
Select a VLAN.
Figure 337: Displaying IGMP Snooping Statistics – VLAN
To display IGMP snooping protocol-related statistics for a port:
Click Multicast, IGMP Snooping, Statistics. Select Show Port Statistics from the Action list. Select a Port.
Chapter | Multicast Filtering: Filtering and Throttling IGMP Groups
Filtering and Throttling IGMP Groups
In certain switch applications, the administrator may want to control the multicast services that are available to end users, for example an IP/TV service based on a specific subscription plan. The IGMP filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port, and IGMP throttling limits the number of simultaneous multicast groups a port can join.
Figure 339: Enabling IGMP Filtering and Throttling
Configuring IGMP Filter Profiles
Use the Multicast > IGMP Snooping > Filter (Configure Profile – Add) page to create an IGMP profile and set its access mode. Then use the (Add Multicast Group Range) page to configure the multicast groups to filter.
Web Interface
To create an IGMP filter profile and set its access mode:
Click Multicast, IGMP Snooping, Filter. Select Configure Profile from the Step list. Select Add from the Action list. Enter the number for a profile, and set its access mode. Click Apply.
Click Apply.
Figure 342: Adding Multicast Groups to an IGMP Filtering Profile
To show the multicast groups configured for an IGMP filter profile:
Click Multicast, IGMP Snooping, Filter. Select Configure Profile from the Step list. Select Show Multicast Group Range from the Action list.
removes an existing group and replaces it with the new multicast group.
Parameters
These parameters are displayed:
◆ Interface – Port or trunk identifier. An IGMP profile or throttling setting can be applied to a port or trunk. When ports are configured as trunk members, the trunk uses the settings applied to the first port member in the trunk.
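The two controls described in this section, a filter profile (permit or deny mode over one or more multicast group ranges) and a throttle limit on simultaneous groups whose exceeded-limit action either denies the join or replaces an existing group, can be modelled as a per-port admission check on incoming IGMP joins. This is an added example, not the switch's own code or an extract from the manual. Assumptions of this example: in replace mode the oldest joined group is the one replaced (the text says only that an existing group is replaced), the `"permit"`/`"deny"` and `"deny"`/`"replace"` strings are this model's names, and the `run_sample` scenario is constructed for illustration.

```python
"""Model of per-port IGMP filtering (profile) and throttling (group limit).
Added example, not the switch's firmware; see the assumptions in the lead-in."""
import ipaddress


class IgmpProfile:
    def __init__(self, number, access_mode, ranges):
        if access_mode not in ("permit", "deny"):
            raise ValueError("access mode must be 'permit' or 'deny'")
        self.number = number
        self.access_mode = access_mode
        self.ranges = []                     # inclusive (start, end) as integers
        for start, end in ranges:
            lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
            if not (lo.is_multicast and hi.is_multicast and lo <= hi):
                raise ValueError(f"bad multicast range {start}-{end}")
            self.ranges.append((int(lo), int(hi)))

    def allows(self, group):
        """Permit mode allows only groups inside the ranges; deny mode the inverse."""
        g = int(ipaddress.IPv4Address(group))
        in_profile = any(lo <= g <= hi for lo, hi in self.ranges)
        return in_profile if self.access_mode == "permit" else not in_profile


class PortIgmpPolicy:
    def __init__(self, profile=None, max_groups=None, throttle_action="deny"):
        if throttle_action not in ("deny", "replace"):
            raise ValueError("throttle action must be 'deny' or 'replace'")
        self.profile = profile                   # None = no filtering on this port
        self.max_groups = max_groups             # None = no throttling on this port
        self.throttle_action = throttle_action
        self.groups = []                         # joined groups, oldest first

    def join(self, group):
        """Apply the filter profile, then the throttle, to one IGMP join.

        Returns a short outcome string describing what happened."""
        if self.profile is not None and not self.profile.allows(group):
            return "filtered"
        if group in self.groups:
            return "already-joined"
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.throttle_action == "replace":
                evicted = self.groups.pop(0)     # assumption: oldest group is replaced
                self.groups.append(group)
                return f"replaced {evicted}"
            return "throttled"
        self.groups.append(group)
        return "joined"

    def leave(self, group):
        if group in self.groups:
            self.groups.remove(group)


def run_sample():
    """Constructed scenario: a permit profile for 239.1.1.0-239.1.1.255 on a port
    throttled to two groups with the replace action."""
    profile = IgmpProfile(1, "permit", [("239.1.1.0", "239.1.1.255")])
    port = PortIgmpPolicy(profile, max_groups=2, throttle_action="replace")
    joins = ("239.1.1.5", "239.1.1.6", "239.2.0.1", "239.1.1.7")
    results = [port.join(g) for g in joins]
    return results, list(port.groups)
```

Filtering runs before throttling in `join`, so a denied group never consumes one of the port's group slots; the order matters when both controls are applied to the same subscriber port.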
Chapter | Multicast Filtering: MLD Snooping (Snooping and Query for IPv6)
Figure 344: Configuring IGMP Filtering and Throttling Interface Settings
MLD Snooping (Snooping and Query for IPv6)
Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it.
Parameters
These parameters are displayed:
◆ MLD Snooping Status – When enabled, the switch will monitor network traffic to determine which hosts want to receive multicast traffic. (Default: Disabled)
◆ Querier Status – ...
■ To Router Port – Forwards any received IPv6 multicast packets that have not been requested by a host to ports that are connected to a detected multicast router. (This is the default action.)
Web Interface
To configure general settings for MLD Snooping:
Click Multicast, MLD Snooping, General.
enabled device, either a service host or a neighbor running MLD snooping.
Web Interface
To configure immediate leave for MLD Snooping:
Click Multicast, MLD Snooping, Interface. Select a VLAN, and set the status for immediate leave. Click Apply.
Web Interface
To specify a static interface attached to a multicast router:
Click Multicast, MLD Snooping, Multicast Router. Select Add Static Multicast Router from the Action list. Select the VLAN which will forward all the corresponding IPv6 multicast traffic, and select the port or trunk attached to the multicast router.
Figure 349: Showing Current Interfaces Attached to an IPv6 Multicast Router
Assigning Interfaces to Multicast Services
Use the Multicast > MLD Snooping > MLD Member (Add Static Member) page to statically assign an IPv6 multicast service to an interface.
Web Interface
To statically assign an interface to an IPv6 multicast service:
Click Multicast, MLD Snooping, MLD Member. Select Add Static Member from the Action list. Select the VLAN that will propagate the multicast service, specify the interface attached to a multicast service (through an MLD-enabled switch or multicast router), and enter the multicast IP address.
To display information about all IPv6 multicast groups, MLD Snooping or multicast routing must first be enabled on the switch.
To show all of the interfaces statically or dynamically assigned to an IPv6 multicast service:
Click Multicast, MLD Snooping, MLD Member.
Multicast Filtering | Multicast VLAN Registration for IPv4
request list and exclude list, indicating that the reception of packets sent to the given multicast address is requested from all IP source addresses, except for those listed in the exclude source-list and for any other sources where the source timer status has expired.
support common multicast services over a wide part of the network without having to use any multicast routing protocol. MVR maintains the user isolation and data security provided by VLAN segregation by passing only multicast traffic into other VLANs to which the subscribers belong.
hosts can issue multicast join or leave messages. Since IGMP version 1 hosts do not support leave messages, they are timed out by the switch.
Configuring Global Settings: Use the Multicast > MVR (Configure Global) page to configure proxy switching and the robustness variable.
■ This parameter is used to set the number of times report messages are sent upstream when changes are learned about downstream groups, and the number of times group-specific queries are sent to downstream receiver ports.
Figure 355: Configuring Global Settings for MVR
Configuring Domain Settings: Use the Multicast > MVR (Configure Domain) page to enable MVR globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider.
◆ Upstream Source IP – The source IP address assigned to all MVR control packets sent upstream on the specified domain. By default, all MVR reports sent upstream use a null source IP address.
Web Interface: To configure settings for an MVR domain: Click Multicast, MVR.
◆ The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x.
◆ IGMP snooping and MVR share a maximum number of 1023 groups. ...
Figure 357: Configuring an MVR Group Address Profile
To show the configured MVR group address profiles: Click Multicast, MVR. Select Configure Profile from the Step list. Select Show from the Action list.
Figure 358: Displaying MVR Group Address Profiles
To assign an MVR group address profile to a domain: Click Multicast, MVR.
Figure 359: Assigning an MVR Group Address Profile to a Domain
To show the MVR group address profiles assigned to a domain: Click Multicast, MVR. Select Associate Profile from the Step list. Select Show from the Action list.
Receiver ports should not be statically configured as a member of the MVR VLAN. If so configured, their MVR status will be inactive. Also, note that VLAN membership for MVR receiver ports cannot be set to access mode (see "Adding Static Members to VLANs" ...
■ Non-MVR – An interface that does not participate in the MVR VLAN. (This is the default type.)
◆ Forwarding Status – Shows if MVR traffic is being forwarded or discarded.
◆ MVR Status – ...
Figure 361: Configuring Interface Settings for MVR
Assigning Static Multicast Groups to Interfaces: Use the Multicast > MVR (Configure Static Group Member) page to statically bind multicast groups to a port which will receive long-term multicast streams associated with a stable set of hosts.
Web Interface: To assign a static MVR group to an interface: Click Multicast, MVR. Select Configure Static Group Member from the Step list. Select Add from the Action list. Select an MVR domain. Select a VLAN and interface to receive the multicast stream, and then enter the multicast group address.
Figure 363: Showing the Static MVR Groups Assigned to a Port
Displaying MVR Receiver Groups: Use the Multicast > MVR (Show Member) page to show the multicast groups either statically or dynamically assigned to the MVR receiver groups on each interface.
Figure 364: Displaying MVR Receiver Groups
Displaying MVR Statistics: Use the Multicast > MVR > Show Statistics pages to display MVR protocol-related statistics for the specified interface.
CLI References: "show mvr statistics" ...
◆ Number of Reports Sent – The number of reports sent from this interface.
◆ Number of Leaves Sent – The number of leaves sent from this interface.
VLAN, Port, and Trunk Statistics
Input Statistics: Report – ...
Web Interface: To display statistics for MVR query-related messages: Click Multicast, MVR. Select Show Statistics from the Step list. Select Show Query Statistics from the Action list. Select an MVR domain.
Figure 365: Displaying MVR Statistics – Query – ...
To display MVR protocol-related statistics for a VLAN: Click Multicast, MVR. Select Show Statistics from the Step list. Select Show VLAN Statistics from the Action list. Select an MVR domain. Select a VLAN.
Figure 366: Displaying MVR Statistics – ...
Multicast Filtering | Multicast VLAN Registration for IPv6
Figure 367: Displaying MVR Statistics – Port
Multicast VLAN Registration for IPv6: MVR6 functions in a manner similar to that described for MVR (see "Multicast VLAN Registration for IPv4" on page 603).
Configuring MVR6 Global Settings: Use the Multicast > MVR6 (Configure Global) page to configure proxy switching and the robustness variable.
CLI References: ◆ "MVR for IPv6" on page 1303
Parameters: These parameters are displayed: ◆ ...
◆ Proxy Query Interval – Configures the interval at which the receiver port sends out general queries. (Range: 2-31744 seconds; Default: 125 seconds)
■ This parameter sets the general query interval at which active ...
Configuring MVR6 Domain Settings: Use the Multicast > MVR6 (Configure Domain) page to enable MVR6 globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider.
CLI References: "MVR for IPv6" ...
Web Interface: To configure settings for an MVR6 domain: Click Multicast, MVR6. Select Configure Domain from the Step list. Select a domain from the scroll-down list. Enable MVR6 for the selected domain, select the MVR6 VLAN, set the forwarding priority to be assigned to all ingress multicast traffic, and set the source IP address for all control packets sent upstream as required.
◆ The MVR6 group address range assigned to a profile cannot overlap with the group address range of any other profile.
◆ MVR6 domains can be associated with more than one MVR6 profile. But ...
Figure 370: Configuring an MVR6 Group Address Profile
To show the configured MVR6 group address profiles: Click Multicast, MVR6. Select Configure Profile from the Step list. Select Show from the Action list.
Figure 371: Displaying MVR6 Group Address Profiles
To assign an MVR6 group address profile to a domain: Click Multicast, MVR6.
To show the MVR6 group address profiles assigned to a domain: Click Multicast, MVR6. Select Associate Profile from the Step list. Select Show from the Action list.
Figure 373: Showing MVR6 Group Address Profiles Assigned to a Domain
Use the Multicast > ...
◆ Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message. When immediate leave is disabled, the switch follows the standard rules by sending a group-specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the ...
■ By Host IP – The router/querier will not send out a group-specific query when an MLDv1/v2 Listener Done message is received (the same as it would without this option having been used). Instead of immediately deleting that group, it will look up the record, and only delete the group if there are no other subscribers for it on the member port.
◆ All IPv6 addresses must be according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
To show the static MVR6 groups assigned to an interface: Click Multicast, MVR6. Select Configure Static Group Member from the Step list. Select Show from the Action list. Select an MVR6 domain. Select the port or trunk for which to display this information.
◆ Expire – Time before this entry expires if no membership report is received from currently active or new clients.
◆ Count – The number of multicast services currently being forwarded from the MVR6 VLAN.
◆ General Query Received – The number of general queries received on this interface.
◆ General Query Sent – The number of general queries sent from this interface.
◆ Specific Query Received – The number of specific queries received ...
Web Interface: To display statistics for MVR6 query-related messages: Click Multicast, MVR6. Select Show Statistics from the Step list. Select Show Query Statistics from the Action list. Select an MVR6 domain.
Figure 378: Displaying MVR6 Statistics – Query – ...
To display MVR6 protocol-related statistics for a VLAN: Click Multicast, MVR6. Select Show Statistics from the Step list. Select Show VLAN Statistics from the Action list. Select an MVR6 domain. Select a VLAN.
Figure 379: Displaying MVR6 Statistics – ...
To display MVR6 protocol-related statistics for a port: Click Multicast, MVR6. Select Show Statistics from the Step list. Select Show Port Statistics from the Action list. Select an MVR6 domain. Select a Port.
Figure 380: Displaying MVR6 Statistics – ...
IP Configuration
This chapter describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address, or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server.
IP Configuration | Setting the Switch’s IP Address (IP Version 4)
◆ To enable routing between interfaces defined on this switch and external network interfaces, you must configure static routes (page 1468).
◆ The precedence for configuring IP interfaces is the IP > General > ...
Web Interface: To set a static address for the switch: Click IP, General, Routing Interface. Select Add Address from the Action list. Select any configured VLAN, set IP Address Mode to “User Specified,” set IP Address Type to “Primary” ...
Figure 382: Configuring a Dynamic IPv4 Address
The switch will also broadcast a request for IP configuration settings on each power reset. If you lose the management connection, make a console connection to the switch and enter “show ip interface” ...
IP Configuration | Setting the Switch’s IP Address (IP Version 6)
Figure 383: Showing the Configured IP Address for an Interface
Setting the Switch’s IP Address (IP Version 6): This section describes how to configure an IPv6 interface for management access over the network, or for creating an interface to multiple subnets.
Parameters: These parameters are displayed:
◆ Default Gateway – Sets the IPv6 address of the default next hop router to use when no routing information is known about an IPv6 address.
Command Usage:
◆ The switch must be configured with a link-local address. The switch’s address auto-configuration function will automatically create a link-local address, as well as an IPv6 global address if router advertisements are detected on the local interface.
◆ Enable IPv6 Explicitly – Enables IPv6 on an interface and assigns it a link-local address. Note that when an explicit address is assigned to an interface, IPv6 is automatically enabled, and cannot be disabled until all assigned addresses have been removed.
configuration commands associated with a duplicate address remain configured while the address is in “duplicate” state.
■ If the link-local address for an interface is changed, duplicate address detection is performed on the new link-local address, but not for any of the IPv6 global unicast addresses already associated with the interface.
switch should attempt to acquire from the DHCPv6 server as described below.
■ Both M and O flags are set to 1: DHCPv6 is used for both address and other configuration settings. This combination is known as DHCPv6 stateful autoconfiguration, in which a DHCPv6 server assigns stateful addresses to IPv6 hosts.
message interval, and the amount of time that a remote IPv6 node is considered reachable. Click Apply.
Figure 385: Configuring General Settings for an IPv6 Interface
To configure RA Guard for the switch: Click IP, IPv6 Configuration.
Configuring an IPv6 Address: Use the IP > IPv6 Configuration (Add IPv6 Address) page to configure an IPv6 interface for management access over the network, or for creating an interface to multiple subnets.
CLI References: "IPv6 Interface" ...
Parameters: These parameters are displayed:
◆ VLAN – ID of a configured VLAN which is to be used for management access, or for creating an interface to multiple subnets. By default, all ports on the switch are members of VLAN 1.
■ Link Local – Configures an IPv6 link-local address.
■ The address prefix must be in the range of FE80~FEBF.
■ You can configure only one link-local address per interface.
■ ...
In addition to the unicast addresses assigned to an interface, a node is also required to listen to the all-nodes multicast addresses FF01::1 (interface-local scope) and FF02::1 (link-local scope). FF01::1/16 is the transient interface-local multicast address for all attached IPv6 nodes, and FF02::1/16 is the link-local multicast address for all attached IPv6 nodes.
Showing the IPv6 Neighbor Cache: Use the IP > IPv6 Configuration (Show IPv6 Neighbor Cache) page to display the IPv6 addresses detected for neighbor devices.
CLI References: ◆ "show ipv6 neighbors" on page 1457
Figure 389: Showing IPv6 Neighbors
Showing IPv6 Statistics: Use the IP > IPv6 Configuration (Show Statistics) page to display statistics about IPv6 traffic passing through this switch.
CLI References: "show ipv6 traffic" ...
Parameters: These parameters are displayed:
Table 41: Show IPv6 Statistics - display description (Field – Description)
IPv6 Statistics
IPv6 Received Total – The total number of input datagrams received by the interface, including those received in error.
Table 41: Show IPv6 Statistics - display description (Continued)
IPv6 Transmitted
Forwards Datagrams – The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful.
Table 41: Show IPv6 Statistics - display description (Continued)
Group Membership Reduction Messages – The number of ICMPv6 Group Membership Reduction messages received by the interface.
Router Solicit Messages – The number of ICMP Router Solicit messages received by the interface.
Web Interface: To show the IPv6 statistics: Click IP, IPv6 Configuration. Select Show Statistics from the Action list. Click IPv6, ICMPv6 or UDP.
Figure 390: Showing IPv6 Statistics (IPv6) – ...
Figure 391: Showing IPv6 Statistics (ICMPv6)
Figure 392: Showing IPv6 Statistics (UDP)
Showing the MTU for Responding Destinations: Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
CLI References: ...
IP Services
This chapter describes how to configure Domain Name Service (DNS) and a DHCP client identifier for the switch. For information on DHCP snooping which is included in this folder, see "DHCP Snooping" on page 412. This chapter provides information on the following IP services, including: ◆ ...
IP Services | Domain Name Service
Parameters: These parameters are displayed:
◆ Domain Lookup – Enables DNS host name-to-address translation. (Default: Disabled)
◆ Default Domain Name – Defines the default domain name appended to incomplete host names. Do not include the initial dot that separates the host name from the domain name.
through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match (see "Configuring a List of Name Servers" on page 666).
Configuring a List of Name Servers: Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order.
CLI References: ◆ "ip name-server" on page 1405
Figure 398: Showing the List of Name Servers for DNS
Configuring Static DNS Host to Address Entries: Use the IP Service > DNS - Static Host Table (Add) page to manually configure static entries in the DNS table that are used to map domain names to IP addresses.
Figure 399: Configuring Static Entries in the DNS Table
To show static entries in the DNS table: Click IP Service, DNS, Static Host Table. Select Show from the Action list.
Figure 400: Showing Static Entries in the DNS Table
Use the IP Service > ...
IP Services | Dynamic Host Configuration Protocol
◆ Type – This field includes CNAME which specifies the host address for the owner, and ALIAS which specifies an alias.
◆ IP – The IP address associated with this record.
◆ TTL – The time to live reported by the name server.
◆ ...
Table 43: Options 60, 66 and 67 Statements (Statement Keyword – Parameter)
vendor-class-identifier – a string indicating the vendor class identifier
tftp-server-name – a string indicating the tftp server name
bootfile-name – a string indicating the bootfile name
◆ By default, DHCP option 66/67 parameters are not carried in a DHCP ...
Web Interface: To configure a DHCP client identifier: Click IP Service, DHCP, Client. Mark the check box to enable this feature. Select the default setting, or the format for a vendor class identifier. If a non-default value is used, enter a text string or hexadecimal value.
IP Services | Configuring the PPPoE Intermediate Agent
Parameters: These parameters are displayed:
◆ VLAN ID – ID of configured VLAN.
◆ Server IP Address – Addresses of DHCP servers or relay servers to be used by the switch’s DHCP relay agent in order of preference.
◆ Restart DHCP Relay – ...
Command Usage: When PPPoE IA is enabled, the switch inserts a tag identifying itself as a PPPoE IA residing between the attached client requesting network access and the ports connected to broadband remote access servers (BRAS). The switch extracts access-loop information from the client’s PPPoE Active Discovery Request, and forwards this information to all trusted ports (designated on the Configure Interface page).
Figure 405: Configuring Global Settings for PPPoE Intermediate Agent
Configuring PPPoE IA Interface Settings: Use the IP Service > PPPoE Intermediate Agent (Configure Interface) page to enable PPPoE IA on an interface, set trust status, enable vendor tag stripping, and set the circuit ID and remote ID.
◆ Circuit ID – String identifying the circuit identifier (or interface) on this switch to which the user is connected. (Range: 1-10 ASCII characters; Default: Unit/Port:VLAN-ID, or 0/Trunk-ID:VLAN-ID)
■ The PPPoE server extracts the Line-ID tag from PPPoE discovery ...
Figure 406: Configuring Interface Settings for PPPoE Intermediate Agent
Showing PPPoE IA Statistics: Use the IP Service > PPPoE Intermediate Agent (Show Statistics) page to show statistics on PPPoE IA protocol messages.
CLI References: ...
Web Interface: To show statistics for PPPoE IA protocol messages: Click IP Service, PPPoE Intermediate Agent. Select Show Statistics from the Step list. Select Port or Trunk interface type.
Figure 407: Showing PPPoE Intermediate Agent Statistics
General IP Routing
This chapter provides information on network functions including:
◆ Ping – Sends ping message to another node on the network.
◆ Trace Route – Sends ICMP echo request packets to another node on the network.
◆ Address Resolution Protocol – ...
General IP Routing | IP Routing and Switching
Figure 408: Virtual Interfaces and Layer 3 Routing (figure labels: inter-subnet traffic between VLAN 1 and VLAN 2 is routed, i.e. Layer 3 switching; intra-subnet traffic is Layer 2 switching; ports are tagged or untagged)
IP Routing and ...
broadcast to get the destination MAC address from the destination node. The IP packet can then be sent directly with the destination MAC address. If the destination belongs to a different subnet on this switch, the packet can be routed directly to the destination node.
General IP Routing | Configuring IP Routing Interfaces
Routing Protocols: The switch supports both static and dynamic routing.
◆ Static routing requires routing information to be stored in the switch either manually or when a connection is set up by an application outside the switch.
entry. If another router is designated as the default gateway, then the switch will pass packets to this router for any unknown hosts or subnets. To configure a default gateway for IPv4, use the static routing table as described on page 691, enter 0.0.0.0 for the IP address and subnet mask, ...
address, include zone-id information indicating the VLAN identifier after the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface.
Web Interface: To ping another device on the network: Click IP, General, Ping. Specify the target device and ping parameters.
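The IPv6 address rules this guide states (8 colon-separated 16-bit hexadecimal fields with at most one double colon per RFC 2373, link-local prefixes in FE80~FEBF, the all-nodes groups FF01::1 and FF02::1, and a %VLAN zone-id on link-local ping targets such as FE80::7272%1) as an added, stand-alone Python checker; this is not the switch's or vendor's code, and the function names are my own assumptions.

```python
"""Added example: validate IPv6 targets the way this guide describes them.
Not vendor code. Rules applied: 8 colon-separated 16-bit hex fields with at
most one '::' (RFC 2373); link-local prefixes FE80~FEBF; all-nodes multicast
FF01::1 / FF02::1; an optional '%<vlan-id>' zone-id on a link-local target
(e.g. FE80::7272%1). Function names here are assumptions, not the switch's."""
import re

_FIELD = re.compile(r"^[0-9A-Fa-f]{1,4}$")   # one 16-bit hexadecimal field


def parse_ipv6(text):
    """Parse textual IPv6 into (16 bytes, zone-id-or-None); ValueError if bad."""
    addr, sep, zone = text.partition("%")
    if sep and not zone.isdigit():
        raise ValueError("zone-id after '%%' must be a VLAN number: %r" % text)
    if addr.count("::") > 1 or ":::" in addr:
        raise ValueError("at most one '::' is allowed: %r" % addr)
    head, dbl, tail = addr.partition("::")
    head_fields = head.split(":") if head else []
    tail_fields = tail.split(":") if tail else []
    if dbl:
        # '::' stands for however many zero fields are needed to reach eight
        missing = 8 - len(head_fields) - len(tail_fields)
        if missing < 1:
            raise ValueError("'::' must replace at least one field: %r" % addr)
        fields = head_fields + ["0"] * missing + tail_fields
    else:
        fields = head_fields
    if len(fields) != 8:
        raise ValueError("expected 8 fields, got %d: %r" % (len(fields), addr))
    raw = bytearray()
    for f in fields:
        if not _FIELD.match(f):          # rejects empty, dotted-quad, >4 digits
            raise ValueError("bad 16-bit field %r in %r" % (f, addr))
        raw += int(f, 16).to_bytes(2, "big")
    return bytes(raw), (zone if sep else None)


def classify(addr):
    """Name the address class using the prefixes this guide calls out."""
    if addr == bytes(16):
        return "unspecified"
    if addr[0] == 0xFF:                  # multicast: low nibble of byte 1 is scope
        nibble = addr[1] & 0x0F
        scope = {1: "interface-local", 2: "link-local"}.get(nibble, "scope-%x" % nibble)
        all_nodes = addr[2:] == bytes(13) + b"\x01"   # FF0x::1
        return "multicast %s%s" % (scope, " (all-nodes)" if all_nodes else "")
    if addr[0] == 0xFE and 0x80 <= addr[1] <= 0xBF:   # prefix FE80~FEBF
        return "link-local unicast"
    return "global unicast"


def canonical(addr):
    """Uncompressed 8-field lower-case form, e.g. fe80:0:0:0:0:0:0:7272."""
    return ":".join("%x" % int.from_bytes(addr[i:i + 2], "big")
                    for i in range(0, 16, 2))


def check_ping_target(text):
    """A link-local target is ambiguous without the VLAN zone-id, so require it."""
    addr, zone = parse_ipv6(text)
    kind = classify(addr)
    if kind == "link-local unicast" and zone is None:
        raise ValueError("link-local target needs %%<vlan-id>, e.g. %s%%1" % text)
    return {"kind": kind,
            "vlan": int(zone) if zone is not None else None,
            "canonical": canonical(addr) + ("%" + zone if zone else "")}


def rejects(text):
    """True if the target fails the checks above."""
    try:
        check_ping_target(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for t in ("FE80::7272%1", "FF02::1", "FF01::1", "2001:db8::1"):
        print(t, "->", check_ping_target(t))
    for t in ("FE80::7272", "2001:db8::1::2", "1:2:3:4:5:6:7", "FE80::1%vlan1"):
        print(t, "rejected:", rejects(t))
```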
◆ A trace terminates when the destination responds, when the maximum timeout (TTL) is exceeded, or the maximum number of hops is exceeded.
◆ The trace route function first sends probe datagrams with the TTL value ...
General IP Routing | Address Resolution Protocol
Address Resolution Protocol: The router uses its routing tables to make routing decisions, and uses Address Resolution Protocol (ARP) to forward traffic from one hop to the next. ARP is used to map an IP address to a physical layer (i.e., MAC) address.
sending its own MAC address to the requesting node. That node then sends traffic to the router, which in turn uses its own routing table to forward the traffic to the remote destination.
Figure 411: Proxy ARP ...
Configuring Static ARP Addresses: For devices that do not respond to ARP requests or do not respond in a timely manner, traffic will be dropped because the IP address cannot be mapped to a physical address.
Figure 413: Configuring Static ARP Entries
To display static entries in the ARP cache: Click IP, ARP. Select Configure Static Address from the Step List. Select Show from the Action List.
Figure 414: Displaying Static ARP Entries
Use the IP > ...
Figure 415: Displaying Dynamic ARP Entries
To display all local entries in the ARP cache: Click IP, ARP. Select Show Information from the Step List. Click Other Address.
Figure 416: Displaying Local ARP Entries
Use the IP > ...
General IP Routing | Configuring Static Routes
Web Interface: To display ARP statistics: Click IP, ARP. Select Show Information from the Step List. Click Statistics.
Figure 417: Displaying ARP Statistics
Configuring Static Routes: This router can configure routes to other network segments by manually entering static routes in the routing table using the IP > ...
Parameters: These parameters are displayed:
◆ Destination IP Address – IP address of the destination network, subnetwork, or host.
◆ Netmask – Network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets.
◆ ...
General IP Routing | Displaying the Routing Table
Figure 419: Displaying Static Routes
Displaying the Routing Table: Use the IP > Routing > Routing Table page to display all routes that can be accessed via local network interfaces, through static routes, or through a dynamically learned route.
Parameters: These parameters are displayed:
◆ VLAN – VLAN identifier (i.e., configured as a valid IP subnet).
◆ Destination IP Address – IP address of the destination network, subnetwork, or host. Note that the address 0.0.0.0 indicates the default gateway for this router.
Section: Command Line Interface
This section provides a detailed description of the Command Line Interface, along with examples for all of the commands. This section includes these chapters:
◆ "General Commands" on page 709
◆ "System Management Commands" on page 717
◆ "SNMP Commands" ...
◆ "Spanning Tree Commands" on page 1091
◆ "ERPS Commands" on page 1119
◆ "VLAN Commands" on page 1149
◆ "Class of Service Commands" on page 1195
◆ "Quality of Service Commands" on page 1207
◆ "Multicast Filtering Commands" ...
SING THE OMMAND NTERFACE This chapter describes how to use the Command Line Interface (CLI). CCESSING THE When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet or Secure Shell connection (SSH), the switch can be managed by entering command keywords and parameters at the prompt.
Using the Command Line Interface | Accessing the CLI

TELNET CONNECTION. Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. You can open up to eight sessions to the device via Telnet or SSH.

Entering Commands

ENTERING COMMANDS. This section describes how to enter CLI commands.

KEYWORDS AND ARGUMENTS. A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.

GETTING HELP ON COMMANDS. You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters.

SHOWING COMMANDS. If you enter a “?”...

port-channel – Port channel information
power – Shows power
power-save – Shows the power saving information
pppoe – Displays PPPoE configuration
privilege – Shows current privilege level
process – Device process
protocol-vlan – Protocol-VLAN information
public-key – Public key information
Quality of Service
queue – Priority queue information
...

PARTIAL KEYWORD LOOKUP. If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.”...

When you open a new console session on the switch with the user name and password “guest,” the system enters the Normal Exec command mode (or guest mode), displaying the “Console>” command prompt. Only a limited number of the commands are available in this mode.

◆ Class Map Configuration – Creates a DiffServ class map for a specified traffic type.
◆ ERPS Configuration – These commands configure Ethernet Ring Protection Switching for increased availability of Ethernet rings commonly used in service provider networks.

CLI Command Groups

Table 49: Keystroke Commands (Continued) (Keystroke – Function)
Esc-F – Moves the cursor forward one word.
Delete key or backspace key – Erases a mistake when entering a command.

OUTPUT MODIFIERS. Some of the show commands include options for output modifiers. For example, the “show running-config”...

Table 50: Command Group Index (Continued) (Command Group – Description – Page)
General Security Measures – Segregates traffic for clients attached to common data ports; and prevents unauthorized access by configuring valid static or dynamic addresses, web authentication, MAC address authentication, filtering DHCP requests and replies, and discarding invalid ARP responses
Access Control List ...

Table 50: Command Group Index (Continued) (Command Group – Description – Page)
IP Interface – Configures IP address for the switch interfaces; also configures ARP parameters and static entries – 1421
IP Routing – Configures static unicast routing – 1467
Debug – Displays debugging information for all key functions...
GENERAL COMMANDS

The general commands are used to control the command access mode, configuration mode, and other basic functions.

Table 51: General Commands (Command – Function – Mode)
prompt – Customizes the CLI prompt
reload – Restarts the system at a specified time, after a specified delay, or at a periodic interval
enable – Activates privileged mode
...

prompt
COMMAND USAGE: This command and the hostname command can be used to set the command line prompt as shown in the example below. Using the no form of either command will restore the default command line prompt.
EXAMPLE:
Console(config)#prompt RD2
RD2(config)#...

reload
COMMAND MODE: Global Configuration
COMMAND USAGE:
◆ This command resets the entire system.
◆ Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten.
◆ When the system is restarted, it will always run the Power-On Self-Test.
...

EXAMPLE:
Console>enable
Password: [privileged level password]
Console#
RELATED COMMANDS: disable (714), enable password (824)

quit
This command exits the configuration program.
DEFAULT SETTING: None
COMMAND MODE: Normal Exec, Privileged Exec
COMMAND USAGE: The quit and exit commands can both exit the configuration program.
EXAMPLE: This example shows how to quit a CLI session:
Console#quit...

EXAMPLE: In this example, the show history command lists the contents of the command history buffer:
Console#show history
Execution command history:
 2 config
 1 show history
Configuration command history:
 4 interface vlan 1
 3 exit
 2 interface vlan 1
 1 end
Console#
The ! command repeats commands from the Execution command history...

disable
This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See "Understanding Command Modes"...

show reload
This command displays the current reload settings, and the time at which the next scheduled reload will take place.
COMMAND MODE: Privileged Exec
EXAMPLE:
Console#show reload
Reloading switch in time: 0 hours 29 minutes.
The switch will be rebooted at January 1 02:11:50 2001.

EXAMPLE: This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
Console(config)#exit
Console#exit
Press ENTER to start session
User Access Verification
Username: ...
SYSTEM MANAGEMENT COMMANDS

The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.

Table 52: System Management Commands (Command Group – Function)
Device Designation – Configures information that uniquely identifies this switch
Banner Information – Configures administrative contact, device identification and location
...

Banner Information

hostname
This command specifies or modifies the host name for this device. Use the no form to restore the default host name.
SYNTAX:
hostname name
no hostname
name - The name of this host. (Maximum length: 255 characters)
DEFAULT SETTING: None...

Table 54: Banner Commands (Continued) (Command – Function – Mode)
banner configure manager-info – Configures the Manager contact information that is displayed by banner
banner configure mux – Configures the MUX information that is displayed by banner
banner configure note – Configures miscellaneous information that is displayed by banner under the Notes heading
...

Row: 7
Rack: 29
Shelf in this rack: 8
Information about DC power supply.
Floor: 2
Row: 7
Rack: 25
Electrical circuit: : ec-177743209-xb
Number of LP:12
Position of the equipment in the MUX:1/23
IP LAN:192.168.1.1
Note: This is a random note about this managed switch and can contain miscellaneous information.

banner configure dc-power-info
This command is used to configure DC power information displayed in the banner. Use the no form to restore the default setting.
SYNTAX:
banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id
no banner configure dc-power-info [floor | row | rack | electrical-circuit]...

COMMAND MODE: Global Configuration
COMMAND USAGE: Input strings cannot contain spaces. The banner configure department command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.

EXAMPLE:
Console(config)#banner configure equipment-info manufacturer-id ECS4110-52T floor 3 row 10 rack 15 shelf-rack 12 manufacturer EdgeCore
Console(config)#

banner configure equipment-location
This command is used to configure the equipment location information displayed in the banner. Use the no form to restore the default setting.
SYNTAX: banner configure equipment-location location...

COMMAND MODE: Global Configuration
COMMAND USAGE: Input strings cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.

banner configure manager-info
This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting.
SYNTAX:
banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number]
no banner configure manager-info [name1 | name2 | name3]...

DEFAULT SETTING: None
COMMAND MODE: Global Configuration
COMMAND USAGE: Input strings cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
System Status

Table 55: System Status Commands (Continued) (Command – Function – Mode)
show watchdog – Shows if watchdog debugging is enabled
watchdog software – Monitors key processes, and automatically reboots the system if any of these processes are not responding correctly

show access-list ...
This command shows utilization parameters for TCAM (Ternary Content...

Alarm Configuration
 Rising Threshold : 95%
 Falling Threshold : 90%
Console#
RELATED COMMANDS: memory (813)

show process cpu
This command shows the CPU utilization parameters, alarm status, and alarm thresholds.
COMMAND MODE: Normal Exec, Privileged Exec
EXAMPLE:
Console#show process cpu
CPU Utilization in the past 5 seconds : 39%...

COMMAND MODE: Privileged Exec
COMMAND USAGE:
◆ Use the interface keyword to display configuration data for the specified interface.
◆ Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.

queue mode strict-wrr 0 0 0 1
queue weight 1 2 4 0
line console
line vty
Console#
RELATED COMMANDS: show startup-config (731)

show startup-config
This command displays the configuration file stored in non-volatile memory that is used to start up the system.

show system
COMMAND USAGE:
◆ For a description of the items shown by this command, refer to "Displaying System Information" on page 123.
◆ The ECS4110-28T/P has two fans and the ECS4110-52T/P has three.
◆ The ECS4110-28T/P does not monitor system temperature.
EXAMPLE:
Console#show system...

show tech-support
EXAMPLE:
Console#show tech-support
show system:
System Description : ECS4110-52T Managed GE Switch
System OID String : 1.3.6.1.4.1.259.10.1.39.101
System Information
System Up Time : 0 days, 1 hours, 28 minutes, and 51.70 seconds
System Name
System Location
System Contact
MAC Address (Unit 1)

show version
This command displays hardware and software version information for the system.
COMMAND MODE: Normal Exec, Privileged Exec
COMMAND USAGE: See "Displaying Hardware/Software Versions" on page 125 for detailed information on the items displayed by this command.
EXAMPLE:
Console#show version
Serial Number...

Frame Size

watchdog software
This command monitors key processes, and automatically reboots the system if any of these processes are not responding correctly.
SYNTAX: watchdog software {disable | enable}
DEFAULT SETTING: Disabled
COMMAND MODE: Privileged Exec
EXAMPLE:
Console#watchdog
Console#...

◆ To use jumbo frames, both the source and destination end nodes (such as a computer or server) must support this feature. Also, when the connection is operating at full duplex, all switches in the network between the two end nodes must be able to accept the extended frame size.
File Management

Table 57: Flash/File Commands (Continued) (Command – Function – Mode)
whichboot – Displays the files booted
Automatic Code Upgrade Commands
upgrade opcode auto – Automatically upgrades the current image when a new version is detected on the indicated server
upgrade opcode path – Specifies an FTP/TFTP server and directory in which the new opcode is stored
...

RELATED COMMANDS: dir (742), whichboot (743)

copy
This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation.

◆ You can use “Factory_Default_Config.cfg” as the source to copy from the factory default configuration file, but you cannot use it as the destination.
◆ To replace the startup configuration, you must use startup-config as ...

The following example shows how to copy the running configuration to a startup file.
Console#copy running-config file
destination file name: startup
Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#
The following example shows how to download a configuration file:
Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.01...

This example shows how to copy a file to an FTP server.
Console#copy ftp file
FTP server IP address: 169.254.1.11
User[anonymous]: admin
Password[]: *****
Choose file type:
 1. config: 2. opcode: 2
Source file name: BLANC.BIX
Destination file name: BLANC.BIX
Console#

delete
This command deletes a file or image.

dir
This command displays a list of files in flash memory.
SYNTAX: dir {boot-rom: | config: | opcode:} [filename]
boot-rom - Boot ROM (or diagnostic) image file.
config - Switch configuration file.
opcode - Run-time operation code image file.
filename - Name of configuration file or code image.

whichboot
This command displays which files were booted when the system powered up.
SYNTAX: whichboot
DEFAULT SETTING: None
COMMAND MODE: Privileged Exec
EXAMPLE: This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.

... stored on the TFTP server must be ecs4110-series.bix. If the switch detects a code version newer than the one currently in use, it will download the new image. If two code images are already stored in the switch, the image not set to start up the system will be overwritten by the new version.

COMMAND MODE: Global Configuration
COMMAND USAGE:
◆ This command is used in conjunction with the upgrade opcode auto command to facilitate automatic upgrade of new operational code stored at the location indicated by this command.
◆ The name for the new image stored on the TFTP server must be ...

EXAMPLE: This shows how to specify a TFTP server where new code is stored.
Console(config)#upgrade opcode reload
Console(config)#

show upgrade
This command shows the opcode upgrade configuration settings.
COMMAND MODE: Privileged Exec
EXAMPLE:
Console#show upgrade
Auto Image Upgrade Global Settings:
 Status : Disabled...

ip tftp timeout
This command specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out for the last retry. Use the no form to restore the default setting.
SYNTAX:
ip tftp timeout seconds
no ip tftp timeout...
Line

You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).

line
This command identifies a specific line for configuration, and to process subsequent line configuration commands.
SYNTAX: line {console | vty}
console - Console terminal line.
vty - Virtual terminal for remote console access (i.e., Telnet).
DEFAULT SETTING: There is no default line.

COMMAND USAGE: The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.

login
This command enables password checking at login. Use the no form to disable password checking and allow connections without a password.
SYNTAX:
login [local]
no login
local - Selects local password checking. Authentication is based on the user name specified with the username command.

parity
This command defines the generation of a parity bit. Use the no form to restore the default setting.
SYNTAX:
parity {none | even | odd}
no parity
none - No parity
even - Even parity
odd - Odd parity
DEFAULT SETTING...

COMMAND USAGE:
◆ When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns...

EXAMPLE: To set the password threshold to five attempts, enter this command:
Console(config-line)#password-thresh 5
Console(config-line)#
RELATED COMMANDS: silent-time (754)

silent-time
This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command.

DEFAULT SETTING: 115200 bps
COMMAND MODE: Line Configuration
COMMAND USAGE: Set the speed to match the baud rate of the device connected to the serial port. Some baud rates available on devices connected to the port might not be supported.

timeout login response
This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting.
SYNTAX:
timeout login response [seconds]
no timeout login response
seconds - Integer that specifies the timeout interval.

EXAMPLE:
Console#disconnect 1
Console#
RELATED COMMANDS: show ssh (862), show users (733)

terminal
This command configures terminal settings, including escape-character, terminal lines displayed, terminal type, width, and command history. Use the no form with the appropriate keyword to restore the default setting.
SYNTAX: terminal {escape-character {ASCII-number | character} | history [size size] | length length | terminal-type {ansi-bbs |...

EXAMPLE: This example sets the number of lines displayed by commands with lengthy output such as show running-config to 48 lines.
Console#terminal length 48
Console#

show line
This command displays the terminal line’s parameters.
SYNTAX: show line [console | vty]
console - Console terminal line.
EVENT LOGGING

This section describes commands used to configure event logging on the switch.

Table 60: Event Logging Commands (Command – Function – Mode)
logging facility – Sets the facility type for remote logging of syslog messages
logging history – Limits syslog messages saved to switch memory based...

logging history
This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level.
SYNTAX:
logging history {flash | ram} level
no logging history {flash | ram}
flash - Event history stored in flash memory (i.e., permanent memory).

logging host
This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host.
SYNTAX:
logging host host-ip-address [port udp-port]
no logging host host-ip-address
host-ip-address - The IPv4 or IPv6 address of a syslog server.

EXAMPLE:
Console(config)#logging on
Console(config)#
RELATED COMMANDS: logging history (760), logging trap (762), clear log (763)

logging trap
This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging.

clear log
This command clears messages from the log buffer.
SYNTAX: clear log [flash | ram]
flash - Event history stored in flash memory (i.e., permanent memory).
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).

EXAMPLE: The following example shows the event message stored in RAM.
Console#show log ram
[1] 00:01:30 2001-01-01
 "VLAN 1 link-up notification."
 level: 6, module: 5, function: 1, and event no.: 1
[0] 00:01:30 2001-01-01
 "Unit 1, Port 1 link-up notification."...
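The RAM log buffer is volatile (the clear log description above notes it is flushed on power reset), so a defender usually pulls show log output into a collector before it is lost. The following parser is an added example, not Edgecore code: it turns the entry format shown above into records, filters by syslog severity, flags entries stamped before the clock was set, and emits RFC 3164 lines. The level-4 sample entry and the local7 (23) facility used for the PRI value are constructed assumptions.

```python
"""Parse `show log ram` / `show log flash` output into structured records.
Added example, not Edgecore code.  The facility used for the syslog PRI
(local7 = 23) is an assumption; set it to match `logging facility`."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Constructed sample following the entry format shown on this page.  The level-4
# entry is invented here so the severity filter has something to find.
SAMPLE_SHOW_LOG_RAM = """\
Console#show log ram
[3] 00:04:12 2001-01-01 "Unit 1, Port 5 link-down notification." level: 6, module: 5, function: 1, and event no.: 1
[2] 00:03:05 2001-01-01 "Constructed sample: 3 failed logins on vty, line silenced." level: 4, module: 6, function: 2, and event no.: 5
[1] 00:01:30 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1
[0] 00:01:30 2001-01-01 "Unit 1, Port 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1
Console#
"""

ENTRY_RE = re.compile(
    r'\[(?P<idx>\d+)\]\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<date>\d{4}-\d{2}-\d{2})\s+'
    r'"(?P<msg>.*)"\s+level:\s*(?P<level>\d+),\s*module:\s*(?P<module>\d+),'
    r'\s*function:\s*(?P<function>\d+),\s*and event no\.:\s*(?P<event>\d+)$'
)


@dataclass
class LogEntry:
    index: int          # position in the buffer; the switch prints newest first
    timestamp: datetime
    message: str
    level: int          # syslog severity: 0 = emergency ... 7 = debug
    module: int
    function: int
    event: int


def parse_show_log(output: str) -> List[LogEntry]:
    """Return the entries in the order the switch printed them (newest first)."""
    entries: List[LogEntry] = []
    for line in output.splitlines():
        m = ENTRY_RE.fullmatch(line.strip())
        if m is None:
            continue  # prompt line, command echo, or anything else
        entries.append(LogEntry(
            index=int(m["idx"]),
            timestamp=datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S"),
            message=m["msg"],
            level=int(m["level"]), module=int(m["module"]),
            function=int(m["function"]), event=int(m["event"]),
        ))
    return entries


def at_or_above(entries: List[LogEntry], severity: int) -> List[LogEntry]:
    """Keep entries at the given severity or worse (lower number = more severe)."""
    return [e for e in entries if e.level <= severity]


def clock_looks_unset(entries: List[LogEntry]) -> bool:
    """Heuristic: the examples on this page carry 2001-01-01 stamps before an SNTP/NTP
    server is configured, so entries from that year cannot be ordered against other
    devices' logs.  Treat them as 'clock not yet set'."""
    return any(e.timestamp.year == 2001 for e in entries)


def to_syslog_line(e: LogEntry, hostname: str = "switch", facility: int = 23) -> str:
    """RFC 3164-style line: PRI = facility * 8 + severity."""
    pri = facility * 8 + e.level
    stamp = e.timestamp.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{stamp} {hostname} module{e.module}: {e.message}"


if __name__ == "__main__":
    parsed = parse_show_log(SAMPLE_SHOW_LOG_RAM)
    if clock_looks_unset(parsed):
        print("warning: timestamps predate time sync; configure sntp/ntp before trusting them")
    for entry in at_or_above(parsed, 4):  # warning and worse
        print(to_syslog_line(entry))
```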
Table 62: show logging flash/ram - display description (Field – Description)
Syslog logging – Shows if system logging has been enabled via the logging on command.
History logging in FLASH – The message level(s) reported based on the logging history command.
SMTP ALERTS

These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients.

Table 64: Event Logging Commands (Command – Function – Mode)
logging sendmail – Enables SMTP event handling
logging sendmail host – SMTP servers to receive alert messages
logging sendmail level...

COMMAND MODE: Global Configuration
COMMAND USAGE:
◆ You can specify up to three SMTP servers for event handling. However, you must enter a separate command to specify each server.
◆ To send email alerts, the switch first opens a connection, sends all the ...

EXAMPLE: This example will send email alerts for system errors from level 3 through
Console(config)#logging sendmail level 3
Console(config)#

logging sendmail ...
This command specifies the email recipients of alert messages. Use the no form to remove a recipient.

Time

COMMAND USAGE: You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch.
EXAMPLE:
Console(config)#logging sendmail source-email bill@this-company.com
Console(config)#

show logging sendmail
This command displays the settings for the SMTP event handler.
COMMAND MODE...

Table 65: Time Commands (Continued) (Command – Function – Mode)
NTP Commands
ntp authenticate – Enables authentication for NTP traffic
ntp authentication-key – Configures authentication keys
ntp client – Enables the NTP client for time updates from specified servers
ntp server – Specifies NTP servers to poll for time updates
show ntp...

EXAMPLE:
Console(config)#sntp server 10.1.0.19
Console(config)#sntp poll 60
Console(config)#sntp client
Console(config)#end
Console#show sntp
Current Time: Dec 23 02:52:44 2002
Poll Interval: 60
Current Mode: unicast
SNTP Status : Enabled
SNTP Server 137.92.140.80 0.0.0.0 0.0.0.0
Current Server: 137.92.140.80
Console#
RELATED COMMANDS...

sntp server
This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Use the no form to clear all time servers from the current list, or to clear a specific server.

EXAMPLE:
Console#show sntp
Current Time : Nov 5 18:51:22 2006
Poll Interval : 16 seconds
Current Mode : Unicast
SNTP Status : Enabled
SNTP Server : 137.92.140.80 0.0.0.0 0.0.0.0
Current Server : 137.92.140.80
Console#

NTP Commands

ntp authenticate
This command enables authentication for NTP client-server...
ntp authentication-key
This command configures authentication keys and key numbers to use when NTP authentication is enabled. Use the no form of the command to clear a specific authentication key or all keys from the current list.
SYNTAX:
ntp authentication-key number md5 key
no ntp authentication-key [number]...

DEFAULT SETTING: Disabled
COMMAND MODE: Global Configuration
COMMAND USAGE:
◆ The SNTP and NTP clients cannot be enabled at the same time. First disable the SNTP client before using this command.
◆ The time acquired from time servers is used to record accurate dates ...

... requests based on the interval set with the ntp poll command. The client will poll all the time servers configured; the responses received are filtered and compared to determine the most reliable and accurate time update for the switch.

Manual Configuration Commands

clock summer-time (date)
This command sets the start, end, and offset times of summer time (daylight savings time) for the switch on a one-time basis. Use the no form to disable summer time.
SYNTAX: clock summer-time name date b-date b-month b-year b-hour b-minute e-date e-month e-year e-hour e-minute [offset]...

◆ This command sets the summer-time time zone relative to the currently configured time zone. To specify a time corresponding to your local time when summer time is in effect, you must indicate the number of minutes your summer-time time zone deviates from your regular time zone.

Table 66: Predefined Summer-Time Parameters (Region – Start Time, Day, Week, & Month – End Time, Day, Week, & Month – Rel. Offset)
Australia – 00:00:00, Sunday, Week 5 of October – 23:59:59, Sunday, Week 5 of March – 60 min
Europe – 00:00:00, Sunday, ... – 23:59:59, Sunday, ...

e-day - The day of the week summer time will end. (Options: sunday | monday | tuesday | wednesday | thursday | friday | saturday)
e-month - The month when summer time will end. (Options: january | february | march | april | may | june | july | august | september | october | november | december)
e-hour - The hour when summer time will end.

hours - Number of hours before/after UTC. (Range: 0-12 hours before UTC, 0-13 hours after UTC)
minutes - Number of minutes before/after UTC. (Range: 0-59 minutes)
before-utc - Sets the local time zone before (east) of UTC.
after-utc - Sets the local time zone after (west) of UTC.

Time Range

COMMAND MODE: Privileged Exec
COMMAND USAGE: Note that when SNTP is enabled, the system clock cannot be manually configured.
EXAMPLE: This example shows how to set the system clock to 15:12:34, February 1st, 2012.
Console#calendar set 15:12:34 1 February 2012
Console#
This command displays the system clock.

time-range
This command specifies the name of a time range, and enters time range configuration mode. Use the no form to remove a previously specified time range.
SYNTAX: [no] time-range name
name - Name of the time range. (Range: 1-16 characters)
DEFAULT SETTING: None...

COMMAND MODE: Time Range Configuration
COMMAND USAGE:
◆ If a time range is already configured, you must use the no form of this command to remove the current entry prior to configuring a new time range.

DEFAULT SETTING: None
COMMAND MODE: Time Range Configuration
COMMAND USAGE:
◆ If a time range is already configured, you must use the no form of this command to remove the current entry prior to configuring a new time range.
SWITCH CLUSTERING

Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.

... to the Commander. When using a console connection, from the Commander CLI prompt, use the rcommand to connect to the Member switch.

cluster
This command enables clustering on the switch. Use the no form to disable clustering.

COMMAND MODE: Global Configuration
COMMAND USAGE:
◆ Once a switch has been configured to be a cluster Commander, it automatically discovers other cluster-enabled switches in the network. These “Candidate” switches only become cluster Members when manually selected by the administrator through the management station.

EXAMPLE:
Console(config)#cluster ip-pool 10.2.3.4
Console(config)#

cluster member
This command configures a Candidate switch as a cluster Member. Use the no form to remove a Member switch from the cluster.
SYNTAX:
cluster member mac-address mac-address id member-id
no cluster member id member-id
mac-address - The MAC address of the Candidate switch.

◆ There is no need to enter the username and password for access to the Member switch CLI.
EXAMPLE:
Console#rcommand id 1
CLI session with the ECS4110-52T is opened.
To end the CLI session, enter [Exit].
Vty-0#
This command shows the switch clustering configuration.

show cluster candidates
This command shows the discovered Candidate switches in the network.
COMMAND MODE: Privileged Exec
EXAMPLE:
Console#show cluster candidates
Cluster Candidates:
Role            MAC Address        Description
--------------- ------------------ ----------------------------------------
Active member   00-E0-0C-00-00-FE  ECS4110-52T Managed GE Switch
CANDIDATE       00-12-CF-0B-47-A0  ECS4110-52T Managed GE Switch
Console#...
SNMP COMMANDS

SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...

Table 69: SNMP Commands (Continued) (Command – Function – Mode)
show snmp view – Shows the SNMP views
Notification Log Commands
Enables the specified notification log
snmp-server notify-filter – Creates a notification log and specifies the target host – GC
show nlm oper-status – Shows operation status of configured notification logs – PE
show snmp notify-filter – Displays the configured notification logs...

General SNMP Commands

Table 69: SNMP Commands (Continued) (Command – Function – Mode)
Additional Trap Commands
memory – Sets the rising and falling threshold for the memory utilization alarm
process cpu – Sets the rising and falling threshold for the CPU utilization alarm
show memory – Shows memory utilization parameters...

DEFAULT SETTING:
◆ public - Read-only access. Authorized management stations are only able to retrieve MIB objects.
◆ private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects.
COMMAND MODE: Global Configuration
EXAMPLE...
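The default community names just described (public read-only, private read/write) are published in this manual, so leaving them in place gives anyone on the management network a known credential; the same applies to the line-protection settings (login, password-thresh, silent-time), remote logging (logging host, logging trap) and NTP authentication covered earlier in this chapter. The audit below is an added example, not Edgecore code: it reads a saved show running-config dump and reports each of those settings that is weak or absent. The constructed dump, the snmp-server community name ro|rw line form, and the indented layout of the line console / line vty blocks are assumptions about the output format.

```python
"""Audit a `show running-config` dump for the login-protection, logging, NTP and
SNMP settings documented in this chapter.  Added example, not Edgecore code.
The `snmp-server community <name> ro|rw` line form and the indented layout of the
`line console` / `line vty` blocks in the dump are assumptions."""
import re
from typing import Dict, List

# Constructed sample dump (not captured from a real switch).  It deliberately keeps
# the default community names, has no syslog server, runs NTP without
# authentication, and protects the console line but not the vty (Telnet/SSH) line.
SAMPLE_RUNNING_CONFIG = """\
!
snmp-server community public ro
snmp-server community private rw
snmp-server engine-id local 1234567890
!
logging on
logging history ram 6
!
ntp server 10.1.0.19
ntp client
!
line console
 login local
 password-thresh 3
 silent-time 60
!
line vty
 login
!
"""


def parse_line_blocks(config: str) -> Dict[str, List[str]]:
    """Collect the sub-commands under each `line console` / `line vty` block.
    A block ends at the next `!` separator or blank line."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        cmd = raw.strip()
        m = re.fullmatch(r"line (console|vty)", cmd)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif cmd in ("", "!"):
            current = None
        elif current is not None:
            blocks[current].append(cmd)
    return blocks


def audit_running_config(config: str) -> List[str]:
    """Return one finding per weak or missing setting; an empty list means clean."""
    cmds = [l.strip() for l in config.splitlines()]
    findings: List[str] = []

    # Factory-default community names: `public` (read-only) and `private`
    # (read/write) are documented, so anyone who knows the model can guess them.
    for name in ("public", "private"):
        if any(re.match(rf"snmp-server community {name}\b", c) for c in cmds):
            findings.append(f"snmp: default community '{name}' still configured")

    # Remote syslog: `logging host` names the collector, `logging trap` enables
    # sending.  Without both, the only evidence lives in the volatile RAM buffer.
    if not any(c.startswith("logging host ") for c in cmds):
        findings.append("logging: no syslog server (logging host)")
    if not any(c.startswith("logging trap") for c in cmds):
        findings.append("logging: remote logging not enabled (logging trap)")

    # Time source: an NTP client without `ntp authenticate` accepts unauthenticated
    # updates, and log timestamps are only as trustworthy as the clock.
    if "ntp client" in cmds and "ntp authenticate" not in cmds:
        findings.append("ntp: client enabled without ntp authenticate")

    # Per-line login protection.  If the switch omits default values from the dump,
    # an absent line means the default applies; confirm with `show line`.
    for line_name, sub in parse_line_blocks(config).items():
        if not any(s == "login" or s.startswith("login ") for s in sub):
            findings.append(f"line {line_name}: password checking off (no login)")
        if not any(s.startswith("password-thresh") for s in sub):
            findings.append(f"line {line_name}: password-thresh not set explicitly")
        if not any(s.startswith("silent-time") for s in sub):
            findings.append(f"line {line_name}: silent-time not set explicitly")
    return findings


if __name__ == "__main__":
    for finding in audit_running_config(SAMPLE_RUNNING_CONFIG):
        print("-", finding)
```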
| SNMP Commands HAPTER General SNMP Commands EFAULT ETTING None OMMAND Global Configuration XAMPLE Console(config)#snmp-server location WC-19 Console(config)# ELATED OMMANDS snmp-server contact (796) This command can be used to check the status of SNMP communications. show snmp EFAULT ETTING None OMMAND Normal Exec, Privileged Exec OMMAND...
SNMP Target Host Commands

...send notifications, you must configure at least one snmp-server host command.
◆ The authentication, link-up, and link-down traps are legacy notifications, and therefore when used for SNMP Version 3 hosts, they must be enabled in conjunction with the corresponding entries in the Notify View assigned by the snmp-server group command.

version - Specifies whether to send notifications as SNMP Version 1, 2c or 3 traps. (Range: 1, 2c, 3; Default: 1)
auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy.

Specify the target host that will receive inform messages with the snmp-server host command as described in this section. To send an inform to an SNMPv3 host, complete these steps:
Enable the SNMP agent (page 795).

COMMAND USAGE
This command can enable MAC authentication traps on the current interface only if they are also enabled at the global level with the snmp-server enable traps mac-authentication command.
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps mac-notification
Console(config)#...
SNMPv3 Commands

snmp-server engine-id
This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
SYNTAX
snmp-server engine-id {local | remote {ip-address}} engineid-string
no snmp-server engine-id {local | remote {ip-address}}
local - Specifies the SNMP engine on this switch.

EXAMPLE
Console(config)#snmp-server engine-id local 1234567890
Console(config)#snmp-server engineID remote 9876543210 192.168.1.19
Console(config)#
RELATED COMMANDS
snmp-server host (799)

snmp-server group
This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group.
SYNTAX
snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}}...

◆ For additional information on the notification messages supported by this switch, see Table 34, "Supported Notification Messages," on page 462. Also, note that the authentication, link-up and link-down messages are legacy traps and must therefore be enabled in conjunction with the snmp-server enable traps command.

COMMAND USAGE
◆ Local users (i.e., the command does not specify a remote engine identifier) must be configured to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch.

DEFAULT SETTING
defaultview (includes access to the entire MIB tree)
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree. The predefined view “defaultview”...

Table 70: show snmp engine-id - display description
Field | Description
Local SNMP engineID | String identifying the engine ID.
Local SNMP engineBoots | The number of times that the engine has (re-)initialized since the snmp EngineID was last configured.
Remote SNMP engineID | String identifying an engine ID on a remote device.

Console#
Table 71: show snmp group - display description
Field | Description
Group Name | Name of an SNMP group.
Security Model | The SNMP version.
Read View | The associated read view.
Write View | The associated write view.
Notify View | The associated notify view.

Table 72: show snmp user - display description (Continued)
Field | Description
Row Status | The row status of this entry.
SNMP remote user | A user associated with an SNMP engine on a remote device.

show snmp view
This command shows information on the SNMP views.

Notification Log Commands

COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Notification logging is enabled by default, but will not start recording information until a logging profile specified by the snmp-server notify-filter command is enabled by the nlm command.
◆ Disabling logging with this command does not delete the entries stored...

...event against the possibility that the Notification message is lost, and applications can poll the log to verify that they have not missed any important Notifications.
◆ If notification logging is not configured and enabled, when the switch...

show snmp notify-filter
This command displays the configured notification logs.
COMMAND MODE
Privileged Exec
EXAMPLE
This example displays the configured notification logs and associated target hosts.
Console#show snmp notify-filter
Filter profile name          IP address
---------------------------- ----------------
                             10.1.19.23...

Additional Trap Commands

process cpu
This command sets an SNMP trap based on configured thresholds for CPU utilization. Use the no form to restore the default setting.
SYNTAX
process cpu {rising rising-threshold | falling falling-threshold}
no process cpu {rising | falling}
rising-threshold - Rising threshold for CPU utilization alarm expressed in percentage.
REMOTE MONITORING COMMANDS

Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.

rmon alarm
This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm.
SYNTAX
rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name]
no rmon alarm index
index –...

◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold.
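The hysteresis rule above is easy to misread, so here is a small software model of it, added as an example and not part of the manual or the switch firmware. It replays a constructed series of samples through one alarm and records the rising and falling events that the rule produces, covering both absolute and delta sampling as named in the rmon alarm syntax; the class and function names are assumed for illustration, and the first sample is treated as a baseline that never fires an event (an assumption, since the text does not say what happens on the very first sample).

```python
"""Added example, not from the switch manual: a model of RMON alarm
hysteresis. Sample values and names are constructed for illustration."""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RmonAlarm:
    rising: int                       # rising-threshold from the rmon alarm command
    falling: int                      # falling-threshold from the rmon alarm command
    sample_type: str = "absolute"     # "absolute" or "delta", as in the command syntax
    last_raw: Optional[int] = None    # previous raw reading (delta sampling needs it)
    last_value: Optional[int] = None  # previous compared value
    armed: str = "both"               # which event may fire next: "both", "rising" or "falling"
    events: List[str] = field(default_factory=list)

    def sample(self, raw: int) -> Optional[str]:
        """Feed one sample; return "rising", "falling" or None."""
        # Delta sampling compares the change since the previous reading;
        # absolute sampling compares the reading itself.
        if self.sample_type == "delta":
            if self.last_raw is None:
                self.last_raw = raw
                return None           # first reading only establishes a baseline
            value = raw - self.last_raw
            self.last_raw = raw
        else:
            value = raw

        event = None
        # Assumption: the first compared value never fires; it only seeds last_value.
        if self.last_value is not None:
            crossed_up = value >= self.rising and self.last_value < self.rising
            crossed_down = value <= self.falling and self.last_value > self.falling
            if crossed_up and self.armed in ("both", "rising"):
                event = "rising"
                self.armed = "falling"  # no further rising events until a falling event fires
            elif crossed_down and self.armed in ("both", "falling"):
                event = "falling"
                self.armed = "rising"   # the rule quoted above, mirrored for the falling side
        self.last_value = value
        if event is not None:
            self.events.append(event)
        return event


def run_alarm(rising: int, falling: int, samples: List[int],
              sample_type: str = "absolute") -> List[str]:
    """Replay a sample series through one alarm and return the events generated."""
    alarm = RmonAlarm(rising=rising, falling=falling, sample_type=sample_type)
    for raw in samples:
        alarm.sample(raw)
    return alarm.events


if __name__ == "__main__":
    # Constructed utilisation readings in percent: 95 crosses the rising
    # threshold of 90 twice, but only the first crossing raises an event
    # because no falling event has occurred in between.
    print(run_alarm(90, 10, [5, 50, 95, 99, 60, 95, 8, 3, 50, 9, 95]))
```

The second visit to 95 in the sample series produces no event, and the dip to 9 after the first falling event is likewise silent, which is exactly the behaviour an operator should expect when a threshold is re-crossed before the opposite threshold has been reached.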
◆ The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager.
EXAMPLE
Console(config)#rmon event 2 log description urgent owner mike
Console(config)#

This command periodically samples statistics on a physical interface.

...show running-config command will display a message indicating that this index is not available for the port to which it is normally assigned. For example, if control entry 15 is assigned to port 5 as shown below, the show running-config command will indicate that this entry is not available for port 8.

EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#rmon collection rmon1 controlEntry 1 owner mike
Console(config-if)#

show rmon alarms
This command shows the settings for all configured alarms.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show rmon alarms
Alarm 1 is valid, owned by
 Monitors 1.3.6.1.2.1.16.1.1.1.6.1 every 30 seconds
 Taking delta samples, last value was 0
 Rising threshold is 892800, assigned to event 0...

 0 undersized and 0 oversized packets,
 0 fragments and 0 jabbers packets,
 0 CRC alignment errors and 0 collisions.
 # of dropped packet events is 0
 Network utilization is estimated at 0

show rmon statistics
This command shows the information collected for all configured entries in the statistics group.
AUTHENTICATION COMMANDS

You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.

USER ACCOUNTS AND PRIVILEGE LEVELS

The basic commands required for management access and assigning command privilege levels are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 748), user authentication via a remote authentication server (page...

DEFAULT SETTING
The default is level 15. The default password is “super”
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ You cannot set a null password. You will have to enter a password to...

Levels 0-7 provide the same default access privileges, all within Normal Exec mode under the “Console>” command prompt. Levels 8-14 provide the same default access privileges, including additional commands in Normal Exec mode, and a subset of commands in Privileged Exec mode under the “Console#”...

privilege
This command assigns a privilege level to specified command groups or individual commands. Use the no form to restore the default setting.
SYNTAX
privilege mode [all] level level command
no privilege mode [all] command
mode - The configuration mode containing the specified command.

EXAMPLE
This example shows the privilege level for any command modified by the privilege command.
Console#show privilege command
privilege line all level 0 accounting
privilege exec level 15 ping
Console(config)#

AUTHENTICATION SEQUENCE

Three authentication methods can be specified to authenticate users logging into the system for management access.

◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server.
◆ You can specify three authentication methods in a single command to...

...“authentication login radius tacacs local,” the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password is checked.
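The method list just described only falls through when a server is not available, which is the distinction an auditor cares about: a reachable server's reject must not silently hand the login to the next method. The following model, added here as an example (it is not code from the manual or the switch), replays the "radius tacacs local" order against constructed stand-in servers and returns a decision trail that could be written to a log. That an explicit reject ends the attempt, and that all methods being unavailable denies access, are assumptions of the model rather than statements from the page; the names and credentials are constructed.

```python
"""Added example, not from the switch manual: a model of the login method
list "authentication login radius tacacs local"."""

from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    UNAVAILABLE = "unavailable"


Method = Callable[[str, str], Result]


def authenticate(methods: List[Tuple[str, Method]], user: str,
                 password: str) -> Tuple[Result, List[Tuple[str, str]]]:
    """Try each (name, method) in order; return the final result and a
    decision trail suitable for an audit log entry."""
    trail: List[Tuple[str, str]] = []
    for name, method in methods:
        outcome = method(user, password)
        trail.append((name, outcome.value))
        if outcome is Result.UNAVAILABLE:
            continue                  # server not reachable: try the next method
        return outcome, trail         # assumption: a reachable server's verdict is final
    return Result.REJECT, trail       # assumption: nothing reachable means deny (fail closed)


def unavailable_server(user: str, password: str) -> Result:
    """Stand-in for a RADIUS or TACACS+ server that does not answer."""
    return Result.UNAVAILABLE


def credential_store(db: Dict[str, str]) -> Method:
    """Stand-in for a reachable server, or for the local user table."""
    def check(user: str, password: str) -> Result:
        return Result.ACCEPT if db.get(user) == password else Result.REJECT
    return check


# Constructed method list in the order the command above specifies:
# RADIUS is down, TACACS+ knows alice, the local table knows admin.
METHODS: List[Tuple[str, Method]] = [
    ("radius", unavailable_server),
    ("tacacs", credential_store({"alice": "s3cret"})),
    ("local", credential_store({"admin": "local-pw"})),
]

if __name__ == "__main__":
    print(authenticate(METHODS, "alice", "s3cret"))
    print(authenticate(METHODS, "admin", "local-pw"))
```

With the list above, admin's valid local password is never consulted while TACACS+ is reachable, because TACACS+ rejects the unknown user and that verdict is final; the local account only comes into play when both remote servers are unavailable.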
RADIUS CLIENT

COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#radius-server acct-port 181
Console(config)#

radius-server auth-port
This command sets the RADIUS server network port. Use the no form to restore the default.
SYNTAX
radius-server auth-port port-number
no radius-server auth-port
port-number - RADIUS server UDP port used for authentication messages.

key - Encryption key used to authenticate logon access for client. Enclose any string containing blank spaces in double quotes. (Maximum length: 48 characters)
retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server.

radius-server retransmit
This command sets the number of retries. Use the no form to restore the default.
SYNTAX
radius-server retransmit number-of-retries
no radius-server retransmit
number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server.

show radius-server
This command displays the current settings for the RADIUS server.
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show radius-server
Remote RADIUS Server Configuration:
 Global Settings:
  Authentication Port Number : 1812
  Accounting Port Number     : 1813
  Retransmit Times
  Request Timeout...

TACACS+ CLIENT

tacacs-server host
This command specifies the TACACS+ server and other optional parameters. Use the no form to remove the server, or to restore the default values.
SYNTAX
tacacs-server index host host-ip-address [key key] [port port-number] [retransmit retransmit] [timeout timeout]
no tacacs-server index
index - The index for this server.

COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#tacacs-server key green
Console(config)#

tacacs-server port
This command specifies the TACACS+ server network port. Use the no form to restore the default.
SYNTAX
tacacs-server port port-number
no tacacs-server port
port-number - TACACS+ server TCP port used for authentication messages.

EXAMPLE
Console(config)#tacacs-server retransmit 5
Console(config)#

tacacs-server timeout
This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default.
SYNTAX
tacacs-server timeout number-of-seconds
no tacacs-server timeout
number-of-seconds - Number of seconds the switch waits for a reply before resending a request.

TACACS+ Server Group:
 Group Name                Member Index
 ------------------------- -------------
 tacacs+
Console#

AAA

The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network.
method-name - Specifies an accounting method for service requests. (Range: 1-64 characters)
start-stop - Records accounting from starting point and stopping point.
group - Specifies the server group to use.
tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.

group - Specifies the server group to use.
radius - Specifies all RADIUS hosts configured with the radius-server host command.
tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.
server-group - Specifies the name of a server group configured with the aaa group server command.

server-group - Specifies the name of a server group configured with the aaa group server command. (Range: 1-64 characters)
DEFAULT SETTING
Accounting is not enabled
No servers are specified
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ This command runs accounting for Exec service requests for the local...
EXAMPLE
Console(config)#aaa accounting update periodic 30
Console(config)#

aaa authorization exec
This command enables the authorization for Exec access. Use the no form to disable the authorization service.
SYNTAX
aaa authorization exec {default | method-name} group {tacacs+ | server-group}
no aaa authorization exec {default | method-name}
default - Specifies the default authorization method for Exec access.

aaa group server
Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command.
SYNTAX
[no] aaa group server {radius | tacacs+} group-name
radius - Defines a RADIUS server group.

EXAMPLE
Console(config)#aaa group server radius tps
Console(config-sg-radius)#server 10.2.68.120
Console(config-sg-radius)#

accounting dot1x
This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface.
SYNTAX
accounting dot1x {default | list-name}
no accounting dot1x
default - Specifies the default method list created with the accounting dot1x...

COMMAND MODE
Line Configuration
EXAMPLE
Console(config)#line console
Console(config-line)#accounting commands 15 default
Console(config-line)#

accounting exec
This command applies an accounting method to local console, Telnet or SSH connections. Use the no form to disable accounting on the line.
SYNTAX
accounting exec {default | list-name}
no accounting exec...

DEFAULT SETTING
None
COMMAND MODE
Line Configuration
EXAMPLE
Console(config)#line console
Console(config-line)#authorization exec tps
Console(config-line)#exit
Console(config)#line vty
Console(config-line)#authorization exec default
Console(config-line)#

show accounting
This command displays the current accounting settings per function and per port.
SYNTAX
show accounting [commands [level]] | [[dot1x [statistics [username user-name | interface interface]] | exec [statistics] | statistics]
commands - Displays command accounting information.

 Interface       : Eth 1/1
  Method List    : tps
  Group List     : radius
 Interface       : Eth 1/2
Accounting Type: EXEC
  Method List    : default
  Group List     : tacacs+
 Interface       : vty
Console#

WEB SERVER

This section describes commands used to configure web browser management access to the switch.
EXAMPLE
Console(config)#ip http port 769
Console(config)#
RELATED COMMANDS
ip http server (848)
show system (732)

ip http server
This command allows this device to be monitored or configured from a browser. Use the no form to disable this function.
SYNTAX
[no] ip http server
DEFAULT...

COMMAND USAGE
◆ You cannot configure the HTTP and HTTPS servers to use the same port.
◆ If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port_number
EXAMPLE
Console(config)#ip http secure-port 1000...

◆ The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 6, Mozilla Firefox 4, or Google Chrome 29, or more recent versions.
The following web browsers and operating systems currently support HTTPS:
Table 83: HTTPS System Support...

TELNET SERVER

This switch also supports a Telnet client function. A Telnet connection can be made from this switch to another device by entering the telnet command at the Privileged Exec configuration level.

ip telnet
This command specifies the maximum number of Telnet sessions that can simultaneously connect to this system.

COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#ip telnet port 123
Console(config)#

ip telnet server
This command allows this device to be monitored or configured from Telnet. Use the no form to disable this function.
SYNTAX
[no] ip telnet server
DEFAULT SETTING
Enabled...
SECURE SHELL

This section describes the commands used to configure the SSH server. Note that you also need to install an SSH client on the management station when using this protocol to configure the switch. The switch supports both SSH Version 1.5 and 2.0 clients.

To use the SSH server, complete these steps:
Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair.
Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch.

...entered into the known host file. However, you do not need to configure the client's keys.
Public Key Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method.

ip ssh authentication-retries
This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting.
SYNTAX
ip ssh authentication-retries count
no ip ssh authentication-retries
count –...

EXAMPLE
Console#ip ssh crypto host-key generate dsa
Console#configure
Console(config)#ip ssh server
Console(config)#
RELATED COMMANDS
ip ssh crypto host-key generate (858)
show ssh (862)

ip ssh server-key
This command sets the SSH server key size. Use the no form to restore the default setting.

COMMAND MODE
Global Configuration
COMMAND USAGE
The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase. Once an SSH session has been established, the timeout for user input is controlled by the exec-timeout command for vty sessions.

DEFAULT SETTING
Generates both the DSA and RSA key pairs.
COMMAND MODE
Privileged Exec
COMMAND USAGE
◆ The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients.
◆ This command stores the host key pair in memory (i.e., RAM). Use the...

◆ The SSH server must be disabled before you can execute this command.
EXAMPLE
Console#ip ssh crypto zeroize dsa
Console#
RELATED COMMANDS
ip ssh crypto host-key generate (858)
ip ssh save host-key (860)
no ip ssh server (856)

ip ssh save host-key
This command saves the host key from RAM to flash memory.

show public-key
This command shows the public key for the specified user or for the host.
SYNTAX
show public-key [user [username]| host]
username – Name of an SSH user. (Range: 1-8 characters)
DEFAULT SETTING
Shows all public keys.
show ssh
This command displays the current SSH server connections.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show ssh
Connection Version State           Username Encryption
                   Session-Started admin    ctos aes128-cbc-hmac-md5
                                            stoc aes128-cbc-hmac-md5
Console#
Table 86: show ssh - display description
Field | Description
Connection | ...

802.1X PORT AUTHENTICATION

Table 87: 802.1X Port Authentication Commands (Continued)
Command | Function | Mode
dot1x port-control | Sets dot1x mode for a port interface |
dot1x re-authentication | Enables re-authentication for all ports |
dot1x timeout quiet-period | Sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client |
dot1x timeout...

◆ dot1x timeout quiet-period
◆ dot1x timeout tx-period
◆ dot1x timeout re-authperiod
◆ dot1x timeout sup-timeout
◆ dot1x re-authentication
◆ dot1x intrusion-action
EXAMPLE
Console(config)#dot1x default
Console(config)#

dot1x eapol-pass-through
This command passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled.

dot1x system-auth-control
This command enables IEEE 802.1X port authentication globally on the switch. Use the no form to restore the default.
SYNTAX
[no] dot1x system-auth-control
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#dot1x system-auth-control
Console(config)#

Authenticator Commands...

dot1x max-reauth-req
This command sets the maximum number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process. Use the no form to restore the default.
SYNTAX
dot1x max-reauth-req count
no dot1x max-reauth-req...

dot1x operation-mode
This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.

dot1x port-control
This command sets the dot1x mode on a port interface. Use the no form to restore the default.
SYNTAX
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control
auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server.
EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x re-authentication
Console(config-if)#
RELATED COMMANDS
dot1x timeout re-authperiod (869)

dot1x timeout quiet-period
This command sets the time that a switch port waits after the maximum request count (see page 866) has been exceeded before attempting to acquire a new client.

EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout re-authperiod 300
Console(config-if)#

dot1x timeout supp-timeout
This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet.

DEFAULT
30 seconds
COMMAND MODE
Interface Configuration
EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout tx-period 300
Console(config-if)#

dot1x re-authenticate
This command forces re-authentication on all ports or a specific interface.
SYNTAX
dot1x re-authenticate [interface]
interface
 ethernet unit/port
  unit - Unit identifier.

Supplicant Commands

dot1x identity profile
This command sets the dot1x supplicant user name and password. Use the no form to delete the identity settings.
SYNTAX
dot1x identity profile {username username | password password}
no dot1x identity profile {username | password}
username - Specifies the supplicant user name.

COMMAND MODE
Interface Configuration
EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x max-start 10
Console(config-if)#

dot1x pae supplicant
This command enables dot1x supplicant mode on a port. Use the no form to disable dot1x supplicant mode on a port.
SYNTAX
[no] dot1x pae supplicant...

dot1x timeout auth-period
This command sets the time that a supplicant port waits for a response from the authenticator. Use the no form to restore the default setting.
SYNTAX
dot1x timeout auth-period seconds
no dot1x timeout auth-period
seconds - The number of seconds.

dot1x timeout start-period
This command sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator. Use the no form to restore the default setting.
SYNTAX
dot1x timeout start-period seconds
no dot1x timeout start-period
seconds - The number of seconds.

◆ Supplicant Parameters – Shows the supplicant user name used when the switch responds to an MD5 challenge from an authenticator (page 872).
◆ 802.1X Port Summary – Displays the port access control parameters...

■ Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response.
■ Identifier (Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server.
 Identifier(Server)
Reauthentication State Machine
 State : Initialize
Console#

MANAGEMENT IP FILTER

This section describes commands used to configure IP management access to the switch.
Table 88: Management IP Filter Commands
Command | Function | Mode
management | Configures IP addresses that are allowed management...

◆ If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
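To make the filter's behaviour concrete, the following checker, added here as an example and not taken from the manual or the switch, evaluates a client address against per-protocol start/end ranges of the kind the management command configures and applies the three responses the usage note lists (reject, log event, trap). The range table, protocol names and client addresses are constructed; treating a protocol with no configured entries as unrestricted is an assumption of this model, not a statement from the page.

```python
"""Added example, not from the switch manual: a model of the management IP
filter check. Ranges and addresses below are constructed."""

import ipaddress
from typing import Dict, List, Tuple

# Constructed table: protocol -> inclusive (start, end) address ranges.
MANAGEMENT_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "snmp":   [("192.168.1.19", "192.168.1.19"), ("192.168.1.25", "192.168.1.30")],
    "telnet": [("192.168.1.19", "192.168.1.19"), ("192.168.1.25", "192.168.1.30")],
}


def is_permitted(protocol: str, client: str,
                 ranges: Dict[str, List[Tuple[str, str]]] = MANAGEMENT_RANGES) -> bool:
    """True if the client address falls inside any configured range for the protocol."""
    addr = ipaddress.ip_address(client)
    entries = ranges.get(protocol, [])
    if not entries:
        return True   # assumption: no entries configured means no filtering for this protocol
    for start, end in entries:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        # Only compare addresses of the same family; IPv4/IPv6 ordering is undefined.
        if lo.version == addr.version and lo <= addr <= hi:
            return True
    return False


def handle_connection(protocol: str, client: str, syslog: List[str],
                      traps: List[str]) -> bool:
    """Admit or reject one management connection, recording a rejection the way
    the usage note describes: an event in the system log plus a trap."""
    if is_permitted(protocol, client):
        return True
    event = f"management access denied: {protocol.upper()}-Client from {client}"
    syslog.append(event)   # system log entry
    traps.append(event)    # notification sent to the trap manager
    return False


if __name__ == "__main__":
    log: List[str] = []
    trap_queue: List[str] = []
    for proto, src in [("telnet", "192.168.1.27"), ("snmp", "192.168.1.31"),
                       ("telnet", "10.0.0.5")]:
        print(proto, src, handle_connection(proto, src, log, trap_queue))
    print(log)
```

The rejected-connection events are what a monitoring pipeline should alert on: a burst of them from a single source is an early sign that someone is probing management interfaces from outside the permitted ranges.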
SNMP-Client:
 Start IP address  End IP address
 -----------------------------------------------
 1. 192.168.1.19   192.168.1.19
 2. 192.168.1.25   192.168.1.30
TELNET-Client:
 Start IP address  End IP address
 -----------------------------------------------
 1. 192.168.1.19   192.168.1.19
 2. 192.168.1.25   192.168.1.30
Console#

PPPOE INTERMEDIATE AGENT

This section describes commands used to configure the PPPoE Intermediate Agent (PPPoE IA) relay parameters required for passing authentication messages between a client and broadband remote access servers.

pppoe intermediate-agent
This command enables the PPPoE Intermediate Agent globally on the switch. Use the no form to disable this feature.
SYNTAX
[no] pppoe intermediate-agent
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ The switch inserts a tag identifying itself as a PPPoE Intermediate Agent...

DEFAULT SETTING
◆ Access Node Identifier: IP address of the management interface.
◆ Generic Error Message: PPPoE Discover packet too large to process. Try reducing the number of tags added.
COMMAND MODE
Global Configuration
COMMAND USAGE
The switch uses the access-node-identifier to generate the circuit-id for...

pppoe intermediate-agent port-format-type
This command sets the circuit-id or remote-id for an interface. Use the no form to restore the default settings.
SYNTAX
pppoe intermediate-agent port-format-type {circuit-id | remote-id} id-string
circuit-id - String identifying the circuit identifier (or interface) on this switch to which the user is connected.

pppoe intermediate-agent trust
This command sets an interface to trusted mode to indicate that it is connected to a PPPoE server. Use the no form to set an interface to untrusted mode.
SYNTAX
[no] pppoe intermediate-agent trust
DEFAULT SETTING...

 PPPoE Discover packet too large to process. Try reducing the number of tags added.
PPPoE Intermediate Agent Oper Generic Error Message
 PPPoE Discover packet too large to process. Try reducing the number of tags added.

Table 90: show pppoe intermediate-agent statistics - display description
Field | Description
PADT | PPPoE Active Discovery Terminate
Dropped
 Response from untrusted | Response from an interface which has not been configured as trusted.
 Request towards untrusted | Request sent to an interface which has not been configured as trusted.
 Malformed | Corrupted PPPoE message.
ENERAL ECURITY EASURES This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to these method, several other options of providing client security are described in this chapter.
| General Security Measures HAPTER Port Security ECURITY These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
| General Security Measures HAPTER Port Security traffic with source addresses stored in the static address table will be accepted, all other packets are dropped. Note that the dynamic addresses stored in the address table when MAC address learning is disabled are flushed from the system, and no dynamic addresses are subsequently learned until MAC address learning has been re-enabled.
Page 892
COMMAND MODE
Interface Configuration (Ethernet)
COMMAND USAGE
◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.
EXAMPLE
The following example enables port security for port 5, and sets the response to a security violation to issue a trap message:
Console(config)#interface ethernet 1/5
Console(config-if)#port security action trap
RELATED COMMANDS
show interfaces status (1007)
shutdown (1002)
mac-address-table static (1086)
Use this command to save the MAC addresses that port security has ...
show port security
COMMAND MODE
Privileged Exec
EXAMPLE
This example shows the port security settings and number of secure addresses for all ports.
Console#show port security
Global Port Security Parameters
Secure MAC Aging Mode : Disabled
Port Security Port Summary
Port Port Security Port Status Intrusion Action ...
Port Status : Secure/Up
Intrusion Action : None
Max MAC Count
Current MAC Count
MAC Filter : Disabled
Last Intrusion MAC : NA
Last Time Detected Intrusion MAC : NA
Console#
This example shows information about a detected intrusion.
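The port-security behaviour described above, as an added Python model (this is illustration code, not code from the switch or its vendor): a port with a non-zero max-mac-count admits frames from addresses already in its static or dynamic table, learns new addresses only while it is below the limit, and treats any further unknown source as a violation handled by the configured intrusion action. The port name, the MAC addresses, the action name `shutdown` and the assumption that a violating frame is discarded are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class SecurePort:
    """Per-port security state (constructed model, not the switch's own code)."""
    name: str
    max_mac_count: int = 0            # 0 = port security disabled, the default stated above
    action: str = "none"              # intrusion action; "trap" is on the page, "shutdown" is assumed
    static_macs: Set[str] = field(default_factory=set)
    dynamic_macs: Set[str] = field(default_factory=set)
    shutdown: bool = False
    traps: List[str] = field(default_factory=list)
    last_intrusion_mac: Optional[str] = None

    def current_mac_count(self) -> int:
        return len(self.static_macs) + len(self.dynamic_macs)

    def ingress(self, src_mac: str) -> str:
        """Decide 'forward' or 'drop' for one frame arriving with src_mac."""
        src_mac = src_mac.lower()
        if self.shutdown:
            return "drop"
        if self.max_mac_count == 0:
            self.dynamic_macs.add(src_mac)          # security off: ordinary learning
            return "forward"
        if src_mac in self.static_macs or src_mac in self.dynamic_macs:
            return "forward"                        # already a secure address
        if self.current_mac_count() < self.max_mac_count:
            self.dynamic_macs.add(src_mac)          # room left: learn it as secure
            return "forward"
        # Limit reached and the source is unknown: a security violation.
        self.last_intrusion_mac = src_mac
        if self.action in ("trap", "shutdown"):
            self.traps.append(f"port {self.name}: intrusion by {src_mac}")
        if self.action == "shutdown":
            self.shutdown = True
        return "drop"                               # assumption: violating frames are discarded


def demo() -> dict:
    """Replay constructed frames against a port limited to two secure MACs."""
    port = SecurePort("eth1/5", max_mac_count=2, action="trap")
    frames = ["00:11:22:33:44:01", "00:11:22:33:44:02",
              "00:11:22:33:44:03", "00:11:22:33:44:01"]
    decisions = [port.ingress(m) for m in frames]
    return {"decisions": decisions, "count": port.current_mac_count(),
            "traps": len(port.traps), "last_intrusion": port.last_intrusion_mac}


if __name__ == "__main__":
    print(demo())
```

The third frame is the interesting one: the table is full, the source is unknown, so the frame is dropped and a trap is recorded, while the first host keeps working because its address was learned before the limit was reached.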
CHAPTER | General Security Measures: Network Access (MAC Address Authentication)
Table 94: Network Access Commands (Continued)
Command | Function | Mode
network-access link-detection link-down | Configures the link detection feature to detect and act upon link-down events |
network-access link-detection link-up | Configures the link detection feature to detect and act upon link-up events |
network-access link-detection ... | |
... as well as to any secure MAC addresses authenticated by 802.1X, regardless of the 802.1X Operation Mode (Single-Host, Multi-Host, or MAC-Based authentication as described on page 867).
◆ The maximum number of secure MAC addresses supported for the ...
mac-authentication reauth-time
Use this command to set the time period after which a connected MAC address must be re-authenticated. Use the no form of this command to restore the default value.
SYNTAX
mac-authentication reauth-time seconds
no mac-authentication reauth-time ...
... attribute (attribute 11) can be configured on the RADIUS server to pass the following QoS information:
Table 95: Dynamic QoS Profiles
Profile | Attribute Syntax | Example
DiffServ | service-policy-in=policy-map-name | service-policy-in=p1
Rate Limit | rate-limit-input=rate (Kbps) | rate-limit-input=100 (Kbps)
Rate Limit | rate-limit-output=rate (Kbps) |
COMMAND MODE
Interface Configuration
COMMAND USAGE
◆ When enabled, the VLAN identifiers returned by the RADIUS server through the 802.1X authentication process will be applied to the port, providing the VLANs have already been created on the switch. GVRP is not used to create the VLANs.
◆ When used with 802.1X authentication, the intrusion-action must be set for “guest-vlan” to be effective (see the dot1x intrusion-action command).
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#network-access guest-vlan 25
Console(config-if)#
network-access link-detection
Use this command to enable link detection for the selected port. Use the no form of this command to restore the default.
COMMAND MODE
Interface Configuration
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-down action trap
Console(config-if)#
network-access link-detection ...
Use this command to detect link-up events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
trap - Issue SNMP trap message only.
trap-and-shutdown - Issue SNMP trap message and disable the port.
DEFAULT SETTING
Disabled
COMMAND MODE
Interface Configuration
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-up-down action trap
Console(config-if)#
network-access ...
Use this command to set the maximum number of MAC addresses that can ...
network-access mode mac-authentication
Use this command to enable network access authentication on a port. Use the no form of this command to disable network access authentication.
SYNTAX
[no] network-access mode mac-authentication
DEFAULT SETTING
Disabled ...
Page 905
network-access port-mac-filter
Use this command to enable the specified MAC address filter. Use the no form of this command to disable the specified MAC address filter.
SYNTAX
network-access port-mac-filter filter-id
no network-access port-mac-filter
filter-id - Specifies a MAC address filter table.
Page 906
mac-authentication max-mac-count
Use this command to set the maximum number of MAC addresses that can be authenticated on a port via MAC authentication. Use the no form of this command to restore the default.
SYNTAX
mac-authentication max-mac-count count
no mac-authentication max-mac-count ...
Page 907
show network-access
Use this command to display the MAC authentication settings for port interfaces.
SYNTAX
show network-access [interface interface]
interface - Specifies a port interface.
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Page 908
show network-access mac-address-table
Use this command to display secure MAC address table entries.
SYNTAX
show network-access mac-address-table [static | dynamic] [address mac-address [mask]] [interface interface] [sort {address | interface}]
static - Specifies static address entries.
dynamic - Specifies dynamic address entries.
show network-access mac-filter
Use this command to display information for entries in the MAC filter tables.
SYNTAX
show network-access mac-filter [filter-id]
filter-id - Specifies a MAC address filter table. (Range: 1-64)
DEFAULT SETTING
Displays all filters.
Page 910
CHAPTER | General Security Measures: Web Authentication
Table 96: Web Authentication (Continued)
Command | Function | Mode
web-auth system-auth-control | Enables web authentication globally for the switch |
web-auth | Enables web authentication for an interface |
web-auth re-authenticate (Port) | Ends all web authentication sessions on the port and forces the users to re-authenticate |
web-auth re-authenticate (IP) | |
Page 911
web-auth quiet-period
This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.
SYNTAX
web-auth quiet-period time
no web-auth quiet-period ...
Page 912
web-auth system-auth-control
This command globally enables web authentication for the switch. Use the no form to restore the default.
SYNTAX
[no] web-auth system-auth-control
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
Both web-auth system-auth-control for the switch and web-auth for an interface must be enabled for the web authentication feature to be active.
Page 913
web-auth re-authenticate (Port)
This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.
SYNTAX
web-auth re-authenticate interface interface
interface - Specifies a port interface.
ethernet unit/port
unit - This is unit 1.
Page 914
show web-auth
This command displays global web authentication parameters.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show web-auth
Global Web-Auth Parameters
System Auth Control : Enabled
Session Timeout : 3600
Quiet Period : 60
Max Login Attempts
Console#
show web-auth ...
This command displays interface-specific web authentication parameters ...
show web-auth summary
This command displays a summary of web authentication port parameters and statistics.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show web-auth summary
Global Web-Auth Parameters
System Auth Control : Enabled
Port Status Authenticated Host Count
---- ------ ------------------------ ...
Page 916
CHAPTER | General Security Measures: DHCPv4 Snooping
Table 97: DHCP Snooping Commands (Continued)
Command | Function | Mode
ip dhcp snooping database flash | Writes all dynamically learned snooping entries to flash memory |
show ip dhcp snooping | Shows the DHCP snooping configuration settings |
show ip dhcp snooping binding | Shows the DHCP snooping binding table entries | ...
Page 917
■ If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, but the port is not trusted, it is processed as follows:
■ If the DHCP packet is a reply packet from a DHCP server ...
Page 918
ip dhcp snooping information option
This command enables the use of DHCP Option 82 information for the switch, and specifies the frame format to use for the remote-id when Option 82 information is generated by the switch. Use the no form without any keywords to disable this function, the no form with the encode no-subtype keyword to enable use of sub-type and sub-length in CID/RID fields, or the no form with the remote-id keyword to set the remote ID to ...
Page 919
◆ When the DHCP Snooping Information Option 82 is enabled, clients can be identified by the switch port to which they are connected rather than just their MAC address. DHCP client-server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN.
Page 920
COMMAND USAGE
When the switch receives DHCP packets from clients that already include DHCP Option 82 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCP packets, keep the existing information, or replace it with the switch’s relay information.
Page 921
COMMAND USAGE
If MAC address verification is enabled, and the source MAC address in the Ethernet header of the packet is not the same as the client’s hardware address in the DHCP packet, the packet is dropped.
EXAMPLE
This example enables MAC address verification.
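The untrusted-port processing, the Option 82 action policy and the MAC address verification described on the three pages above, combined into one added Python model (illustration code, not the switch's own implementation). It assumes the common DHCP snooping rule that server replies arriving on an untrusted port are discarded (the page's sentence on that case is cut off), it inserts Option 82 whenever the information option is enabled, and it learns a binding-table entry of the kind printed by show ip dhcp snooping binding when a server ACK on a trusted port answers a request seen earlier on an untrusted port. The relay information, MAC and IP addresses, port names and the `DhcpFrame` summary type are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# DHCP message types from RFC 2132; the decision only needs to tell client
# requests apart from server replies.
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_REPLIES = {OFFER, ACK, NAK}


@dataclass
class DhcpFrame:
    """Only the fields the snooping decision needs (constructed, not a full parser)."""
    eth_src: str            # source MAC in the Ethernet header
    chaddr: str             # client hardware address inside the DHCP payload
    msg_type: int
    vlan: int
    port: str
    yiaddr: str = ""        # address offered/assigned by the server
    lease: int = 0
    option82: Optional[dict] = None


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    port: str
    kind: str = "Dynamic-DHCPSNP"   # entry type as printed by show ip dhcp snooping binding


class DhcpSnooper:
    def __init__(self, vlans: Iterable[int], trusted_ports: Iterable[str],
                 verify_mac: bool = True, option82_policy: str = "replace",
                 relay_info: Optional[dict] = None):
        self.vlans = set(vlans)
        self.trusted = set(trusted_ports)
        self.verify_mac = verify_mac
        self.policy = option82_policy              # "drop", "keep" or "replace"
        # Constructed placeholder for this switch's own relay information.
        self.relay_info = relay_info or {"circuit-id": "SWITCH-PLACEHOLDER eth 1/1",
                                         "remote-id": "00-00-00-00-00-00"}
        self.bindings: Dict[str, Binding] = {}
        self._pending: Dict[str, Tuple[int, str]] = {}   # chaddr -> (vlan, port) of its request

    def process(self, f: DhcpFrame) -> str:
        """Return 'forward' or 'drop'; may rewrite f.option82 and update the binding table."""
        if f.vlan not in self.vlans:
            return "forward"                       # snooping not enabled on this VLAN: untouched
        if f.port in self.trusted:
            # A server ACK answering a request seen on an untrusted port creates a binding.
            if f.msg_type == ACK and f.chaddr in self._pending:
                vlan, port = self._pending.pop(f.chaddr)
                self.bindings[f.chaddr] = Binding(f.chaddr, f.yiaddr, f.lease, vlan, port)
            return "forward"
        # Untrusted port from here on.
        if f.msg_type in SERVER_REPLIES:
            return "drop"                          # assumption: server replies are not accepted here
        if self.verify_mac and f.eth_src.lower() != f.chaddr.lower():
            return "drop"                          # MAC address verification failed
        if f.option82 is None:
            f.option82 = dict(self.relay_info)     # insert Option 82 (information option enabled)
        elif self.policy == "drop":
            return "drop"
        elif self.policy == "replace":
            f.option82 = dict(self.relay_info)
        # policy "keep": the client's Option 82 is left as received
        self._pending[f.chaddr] = (f.vlan, f.port)
        return "forward"


def demo() -> dict:
    """Constructed exchange: client on untrusted eth 1/5, server behind trusted eth 1/1."""
    sn = DhcpSnooper(vlans=[1], trusted_ports=["eth 1/1"], option82_policy="replace")
    client = "11-22-33-44-55-66"
    discover = DhcpFrame(client, client, DISCOVER, 1, "eth 1/5")
    rogue_offer = DhcpFrame("aa-bb-cc-dd-ee-ff", client, OFFER, 1, "eth 1/7", yiaddr="192.168.0.200")
    spoofed = DhcpFrame("de-ad-be-ef-00-01", client, REQUEST, 1, "eth 1/5")
    tagged = DhcpFrame(client, client, REQUEST, 1, "eth 1/5", option82={"circuit-id": "client-supplied"})
    ack = DhcpFrame("00-00-5e-00-53-01", client, ACK, 1, "eth 1/1", yiaddr="192.168.0.99", lease=3600)
    results = [sn.process(x) for x in (discover, rogue_offer, spoofed, tagged, ack)]
    return {"results": results,
            "tagged_circuit_id": tagged.option82["circuit-id"],
            "binding": sn.bindings.get(client)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three decisions the page describes in one pass: the OFFER from an untrusted port is dropped, the REQUEST whose Ethernet source does not match chaddr is dropped by MAC verification, the client-supplied Option 82 is replaced under the "replace" policy, and the ACK through the trusted port leaves a Dynamic-DHCPSNP binding for VLAN 1 on eth 1/5.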
EXAMPLE
This example enables DHCP snooping for VLAN 1.
Console(config)#ip dhcp snooping vlan 1
Console(config)#
RELATED COMMANDS
ip dhcp snooping (916)
ip dhcp snooping trust (923)
ip dhcp snooping ...
This command enables the use of the DHCP Option 82 information circuit-id suboption.
Page 923
■ access node identifier - ASCII string. Default is the MAC address of the switch’s CPU. This field is set by the ip dhcp snooping information option command.
■ eth - The second field is the fixed string “eth” ...
Page 924
... ports within the VLAN according to the default status, or as specifically configured for an interface with the no ip dhcp snooping trust command.
◆ When an untrusted port is changed to a trusted port, all the dynamic ...
EXAMPLE
Console#clear ip dhcp snooping database flash
Console#
ip dhcp snooping database flash
This command writes all dynamically learned snooping entries to flash memory.
COMMAND MODE
Privileged Exec
COMMAND USAGE
This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory.
show ip dhcp snooping binding
This command shows the DHCP snooping binding table entries.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show ip dhcp snooping binding
MAC Address       IP Address      Lease(sec) Type                 VLAN Interface
----------------- --------------- ---------- -------------------- ---- ------
11-22-33-44-55-66 192.168.0.99    0          Dynamic-DHCPSNP      1    Eth 1/5 ...
Page 927
CHAPTER | General Security Measures: DHCPv6 Snooping
ipv6 dhcp snooping
This command enables DHCPv6 snooping globally. Use the no form to restore the default setting.
SYNTAX
[no] ipv6 dhcp snooping
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Network traffic may be disrupted when malicious DHCPv6 messages are ...
Page 928
■ Solicit: Add a new entry in the binding cache, recording the client’s DUID, IA type, and IA ID (2 message exchanges to get an IPv6 address with the rapid commit option, otherwise 4 message exchanges), and forward to the trusted port.
■ Decline: If no matching entry is found in the binding cache, drop ...
Page 929
EXAMPLE
This example enables DHCPv6 snooping globally for the switch.
Console(config)#ipv6 dhcp snooping
Console(config)#
RELATED COMMANDS
ipv6 dhcp snooping vlan (931)
ipv6 dhcp snooping trust (932)
ipv6 dhcp snooping ...
This command enables the insertion of remote-id option 37 information into DHCPv6 client messages.
Page 930
... either drop, keep or remove option 37 information in incoming DHCPv6 packets. Packets are processed as follows:
■ If an incoming packet is a DHCPv6 request packet with option 37 information, it will modify the option 37 information according to the settings specified with the ipv6 dhcp snooping option remote-id policy command.
Page 931
COMMAND USAGE
When the switch receives DHCPv6 packets from clients that already include DHCP Option 37 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCPv6 packets, keep the existing information, or replace it with the switch’s relay agent information.
Page 932
EXAMPLE
This example enables DHCPv6 snooping for VLAN 1.
Console(config)#ipv6 dhcp snooping vlan 1
Console(config)#
RELATED COMMANDS
ipv6 dhcp snooping (927)
ipv6 dhcp snooping trust (932)
ipv6 dhcp snooping ...
This command sets the maximum number of entries which can be stored in the binding database for an interface.
Page 933
COMMAND USAGE
◆ A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.
Page 934
COMMAND MODE
Privileged Exec
EXAMPLE
Console(config)#clear ipv6 dhcp snooping binding 00-12-cf-01-02-03 2001::1
Console(config)#
clear ipv6 dhcp snooping database flash
This command removes all dynamically learned snooping entries from flash memory.
COMMAND MODE
Privileged Exec
EXAMPLE
Console(config)#clear ipv6 dhcp snooping database flash
Console(config)#
This command shows the DHCPv6 snooping configuration settings.
Page 935
show ipv6 dhcp snooping binding
This command shows the DHCPv6 snooping binding table entries.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show ipv6 dhcp snooping binding
NA - Non-temporary address
TA - Temporary address
-------------------------------------- ----------- ---- ------- ----
Link-layer Address: 00-13-49-aa-39-26
IPv6 Address Lifetime ...
CHAPTER | General Security Measures: IPv4 Source Guard
IPv4 SOURCE GUARD
IP Source Guard is a security feature that filters IPv4 traffic on network interfaces based on manually configured entries in the IPv4 Source Guard table, or dynamic entries in the DHCPv4 Snooping table when enabled (see "DHCPv4 Snooping" ...
Page 937
DEFAULT SETTING
No configured entries
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ If the binding mode is not specified in this command, the entry is bound to the ACL table by default.
◆ Table entries include a MAC address, IP address, lease time, entry type ...
Page 938
ip source-guard
This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function.
SYNTAX
ip source-guard {sip | sip-mac}
no ip source-guard ...
Page 939
◆ Filtering rules are implemented as follows:
■ If DHCPv4 snooping is disabled (see page 916), IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
Page 940
COMMAND MODE
Interface Configuration (Ethernet)
COMMAND USAGE
◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping and static entries set by the source-guard command.
Page 941
clear ip source-guard binding blocked
This command removes all blocked records.
SYNTAX
clear ip source-guard binding blocked
COMMAND MODE
Privileged Exec
COMMAND USAGE
When IP Source Guard detects an invalid packet it creates a blocked record.
Page 942
show ip source-guard binding
This command shows the source guard binding table.
SYNTAX
show ip source-guard binding [dhcp-snooping | static [acl | mac] | blocked [vlan vlan-id | interface interface]]
dhcp-snooping - Shows dynamic entries configured with DHCP Snooping commands (see page 915)
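The IPv4 Source Guard filtering rules, the per-interface binding limit and the blocked records from the pages above, as one added Python model (illustration code, not the switch's own implementation). It follows the stated rule that with DHCPv4 snooping disabled only static entries can admit a packet, checks VLAN, port and source IP in sip mode and additionally the source MAC in sip-mac mode, refuses new bindings once an interface has reached its maximum, and records every rejected packet as a blocked record that `clear_blocked` removes. The entry-type strings, addresses and port names are constructed.

```python
from dataclasses import dataclass
from typing import List, Set

STATIC, DYNAMIC = "Static-IP-SG-Binding", "Dynamic-DHCPSNP"   # entry-type names assumed for this model


@dataclass(frozen=True)
class SgBinding:
    mac: str
    ip: str
    vlan: int
    port: str
    kind: str


@dataclass(frozen=True)
class BlockedRecord:
    """What the page calls a blocked record: the invalid packet's identifying fields."""
    vlan: int
    port: str
    ip: str
    mac: str


class IpSourceGuard:
    def __init__(self, mode: str, dhcp_snooping_enabled: bool, max_binding: int = 5):
        assert mode in ("sip", "sip-mac")
        self.mode = mode
        self.snooping = dhcp_snooping_enabled
        self.max_binding = max_binding          # per-interface limit, counting static and dynamic entries
        self.table: Set[SgBinding] = set()
        self.blocked: List[BlockedRecord] = []

    def add_binding(self, b: SgBinding) -> bool:
        """Add a static or snooping-learned entry; refuse it once the port's limit is reached."""
        on_port = sum(1 for e in self.table if e.port == b.port)
        if on_port >= self.max_binding:
            return False
        self.table.add(b)
        return True

    def check(self, vlan: int, port: str, src_ip: str, src_mac: str) -> str:
        """Filter one inbound packet: 'forward' if a usable binding matches, else 'drop'."""
        # Without DHCP snooping only static entries are consulted; with it the
        # dynamic snooping entries count as well.
        usable = {STATIC, DYNAMIC} if self.snooping else {STATIC}
        for e in self.table:
            if e.kind not in usable or e.vlan != vlan or e.port != port or e.ip != src_ip:
                continue
            if self.mode == "sip-mac" and e.mac.lower() != src_mac.lower():
                continue
            return "forward"
        self.blocked.append(BlockedRecord(vlan, port, src_ip, src_mac))
        return "drop"

    def clear_blocked(self) -> int:
        """Counterpart of clear ip source-guard binding blocked; returns how many were removed."""
        n = len(self.blocked)
        self.blocked.clear()
        return n


def demo() -> dict:
    """Constructed bindings and packets: a static host, a DHCP-learned host and a spoofer."""
    sg = IpSourceGuard(mode="sip-mac", dhcp_snooping_enabled=False, max_binding=2)
    sg.add_binding(SgBinding("00-11-22-33-44-01", "192.168.0.10", 1, "eth 1/5", STATIC))
    sg.add_binding(SgBinding("11-22-33-44-55-66", "192.168.0.99", 1, "eth 1/5", DYNAMIC))
    third_accepted = sg.add_binding(SgBinding("00-11-22-33-44-03", "192.168.0.12", 1, "eth 1/5", STATIC))
    decisions = [
        sg.check(1, "eth 1/5", "192.168.0.10", "00-11-22-33-44-01"),   # static entry matches
        sg.check(1, "eth 1/5", "192.168.0.99", "11-22-33-44-55-66"),   # dynamic entry, but snooping is off
        sg.check(1, "eth 1/5", "192.168.0.10", "de-ad-be-ef-00-01"),   # right IP, wrong MAC
    ]
    sg.snooping = True
    decisions.append(sg.check(1, "eth 1/5", "192.168.0.99", "11-22-33-44-55-66"))  # now usable
    blocked = len(sg.blocked)
    return {"third_accepted": third_accepted, "decisions": decisions,
            "blocked": blocked, "cleared": sg.clear_blocked()}


if __name__ == "__main__":
    print(demo())
```

The second check is the subtle case: the host has a valid DHCP-learned binding, yet with snooping disabled that entry is not consulted and the packet is dropped, which is why the page documents the two sets of rules separately.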
CHAPTER | General Security Measures: IPv6 Source Guard
IPv6 SOURCE GUARD
IPv6 Source Guard is a security feature that filters IPv6 traffic on non-routed, Layer 2 network interfaces based on manually configured entries in the IPv6 Source Guard table, or dynamic entries in the Neighbor Discovery Snooping table or DHCPv6 Snooping table when either snooping protocol is enabled (see "DHCPv6 Snooping" ...
Page 944
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Table entries include an associated MAC address, IPv6 global unicast address, entry type (Static-IPv6-SG-Binding, Dynamic-ND-Snooping, Dynamic-DHCPv6-Snooping), VLAN identifier, and port identifier.
◆ Traffic filtering is based only on the source IPv6 address, VLAN ID, and ...
Page 945
ipv6 source-guard
This command configures the switch to filter inbound traffic based on the source IP address stored in the binding table. Use the no form to disable this function.
SYNTAX
ipv6 source-guard sip
no ipv6 source-guard
DEFAULT SETTING ...
Page 946
... entry type is static IPv6 source guard binding, the packet will be forwarded.
■ If ND snooping or DHCPv6 snooping is enabled, IPv6 source guard will check the VLAN ID, source IP address, and port number. If a matching entry is found in the binding table and the entry type is static IPv6 source guard binding, dynamic ND snooping binding, or dynamic DHCPv6 snooping binding, the packet will be forwarded.
Page 947
◆ IPv6 source guard maximum bindings must be set to a value higher than DHCPv6 snooping maximum bindings and ND snooping maximum bindings.
◆ If IPv6 source guard, ND snooping, and DHCPv6 snooping are enabled ...
show ipv6 source-guard binding
This command shows the IPv6 source guard binding table.
SYNTAX
show ipv6 source-guard binding [dynamic | static]
dynamic - Shows dynamic entries configured with ND Snooping or DHCPv6 Snooping commands (see page 926)
static - Shows static entries configured with the ...
Page 949
CHAPTER | General Security Measures: ARP Inspection
Table 102: ARP Inspection Commands (Continued)
Command | Function | Mode
ip arp inspection limit | Sets a rate limit for the ARP packets received on a port |
ip arp inspection trust | Sets a port as trusted, and thus exempted from ARP Inspection |
show ip arp inspection ... | Displays the global configuration settings for ARP ... |
Page 950
◆ When ARP Inspection is disabled globally, it is still possible to configure ARP Inspection for individual VLANs. These configuration changes will only become active after ARP Inspection is globally enabled again.
EXAMPLE
Console(config)#ip arp inspection
Console(config)#
ip arp inspection filter
This command specifies an ARP ACL to apply to one or more VLANs.
Page 951
EXAMPLE
Console(config)#ip arp inspection filter sales vlan 1
Console(config)#
ip arp inspection log-buffer logs
This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.
Page 952
EXAMPLE
Console(config)#ip arp inspection log-buffer logs 1 interval 10
Console(config)#
ip arp inspection validate
This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting.
SYNTAX
ip arp inspection validate ...
Page 953
ip arp inspection vlan
This command enables ARP Inspection for a specified VLAN or range of VLANs. Use the no form to disable this function.
SYNTAX
[no] ip arp inspection vlan {vlan-id | vlan-range}
vlan-id - VLAN ID.
Page 954
ip arp inspection limit
This command sets a rate limit for the ARP packets received on a port. Use the no form to restore the default setting.
SYNTAX
ip arp inspection limit {rate pps | none}
no ip arp inspection limit
pps - The maximum number of ARP packets that can be processed by the CPU per second on trusted or untrusted ports.
Page 955
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#ip arp inspection trust
Console(config-if)#
show ip arp inspection configuration
This command displays the global configuration settings for ARP Inspection.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show ip arp inspection configuration
ARP inspection global information:
Global IP ARP Inspection status : disabled
Log Message Interval ...
Page 956
show ip arp inspection log
This command shows information about entries stored in the log, including the associated VLAN, port, and address components.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show ip arp inspection log
Total log entries number is 1
Num VLAN Port Src IP Address Dst IP Address Src MAC Address ...
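The ARP Inspection pieces documented above (global enable plus per-VLAN enable, an ARP ACL bound to a VLAN with ip arp inspection filter, trusted ports exempt, the per-port pps limit that applies to trusted and untrusted ports alike, and a log buffer flushed in messages of at most `logs` entries) brought together in one added Python model. This is illustration code, not the switch's own implementation; it assumes that an ARP packet matched by no rule of the bound ACL is denied and logged, and the ACL name, addresses and port names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ArpPacket:
    """Fields of an ARP request/reply used by inspection (constructed model)."""
    vlan: int
    port: str
    sender_ip: str
    sender_mac: str
    target_ip: str


@dataclass(frozen=True)
class ArpAclRule:
    action: str                      # "permit" or "deny"
    sender_ip: str = "any"
    sender_mac: str = "any"

    def matches(self, p: ArpPacket) -> bool:
        return (self.sender_ip in ("any", p.sender_ip)
                and self.sender_mac in ("any", p.sender_mac.lower()))


@dataclass
class ArpInspection:
    enabled_globally: bool = False
    vlans: Dict[int, Optional[str]] = field(default_factory=dict)   # vlan -> bound ACL name or None
    acls: Dict[str, List[ArpAclRule]] = field(default_factory=dict)
    trusted: set = field(default_factory=set)
    limit_pps: Dict[str, int] = field(default_factory=dict)         # per-port limit; absent = none
    log: List[Tuple[ArpPacket, str]] = field(default_factory=list)
    _seen: Dict[Tuple[str, int], int] = field(default_factory=dict)  # (port, second) -> packets

    def _over_limit(self, p: ArpPacket, now: int) -> bool:
        limit = self.limit_pps.get(p.port)
        if limit is None:
            return False
        key = (p.port, now)
        self._seen[key] = self._seen.get(key, 0) + 1
        return self._seen[key] > limit

    def inspect(self, p: ArpPacket, now: int = 0) -> str:
        """Return 'forward' or 'drop' for one ARP packet received at time `now` (seconds)."""
        # The rate limit is applied before anything else, on trusted and untrusted ports alike.
        if self._over_limit(p, now):
            self.log.append((p, "rate-limit"))
            return "drop"
        # Filtering only happens when enabled globally and on the packet's VLAN,
        # and trusted ports are exempt.
        if not self.enabled_globally or p.vlan not in self.vlans or p.port in self.trusted:
            return "forward"
        acl = self.vlans[p.vlan]
        if acl is None:
            return "forward"                      # no ACL bound: nothing to check in this model
        for rule in self.acls.get(acl, []):
            if rule.matches(p):
                if rule.action == "permit":
                    return "forward"
                self.log.append((p, f"acl {acl} deny"))
                return "drop"
        self.log.append((p, f"acl {acl} implicit deny"))   # assumption: unmatched packets are denied
        return "drop"

    def flush_log(self, logs: int) -> List[List[Tuple[ArpPacket, str]]]:
        """Group pending entries into messages of at most `logs` entries (ip arp inspection log-buffer logs)."""
        msgs = [self.log[i:i + logs] for i in range(0, len(self.log), logs)]
        self.log = []
        return msgs


def demo() -> dict:
    """Constructed VLAN 1 bound to ARP ACL 'sales' that permits one known host."""
    dai = ArpInspection(enabled_globally=True, vlans={1: "sales"},
                        acls={"sales": [ArpAclRule("permit", "192.168.0.10", "00-11-22-33-44-01")]},
                        trusted={"eth 1/1"}, limit_pps={"eth 1/5": 2})
    good = ArpPacket(1, "eth 1/5", "192.168.0.10", "00-11-22-33-44-01", "192.168.0.1")
    spoof = ArpPacket(1, "eth 1/5", "192.168.0.1", "de-ad-be-ef-00-01", "192.168.0.10")
    uplink = ArpPacket(1, "eth 1/1", "192.168.0.1", "00-00-5e-00-53-01", "192.168.0.10")
    decisions = [dai.inspect(good, 0), dai.inspect(spoof, 0), dai.inspect(uplink, 0),
                 dai.inspect(good, 1), dai.inspect(good, 1), dai.inspect(good, 1)]
    return {"decisions": decisions, "messages": len(dai.flush_log(1))}


if __name__ == "__main__":
    print(demo())
```

With `logs` set to 1, as in the page's example, each log entry becomes its own message; the second burst of three packets in the same second shows the third one dropped by the 2 pps limit even though its contents are permitted by the ACL.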
EXAMPLE
Console#show ip arp inspection vlan 1
VLAN ID  DAI Status      ACL Name             ACL Status
-------- --------------- -------------------- --------------------
         disabled        sales                static
Console#
CHAPTER | General Security Measures: Denial of Service Protection
DENIAL OF SERVICE PROTECTION
A denial-of-service attack (DoS attack) is an attempt to block the services provided by a computer or network resource.
Page 958
dos-protection echo-chargen
This command protects against DoS echo/chargen attacks, in which the echo service repeats anything sent to it and the chargen (character generator) service generates a continuous stream of data. When used together, they create an infinite loop and result in a denial of service.
Page 959
dos-protection tcp-flooding
This command protects against DoS TCP-flooding attacks, in which a perpetrator sends a succession of TCP SYN requests (with or without a spoofed source IP) to a target and never returns ACK packets. These half-open connections bind resources on the target, and no new connections can be made, resulting in a denial of service.
Page 960
dos-protection tcp-syn-fin-scan
This command protects against DoS TCP-SYN/FIN-scan attacks, in which a TCP SYN/FIN scan message is used to identify listening TCP ports. The scan uses a series of strangely configured TCP packets which contain both the SYN (synchronize) and FIN (finish) flags.
Page 961
dos-protection tcp-xmas-scan
This command protects against DoS TCP-xmas-scan attacks, in which a so-called TCP XMAS scan message is used to identify listening TCP ports. This scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and the URG, PSH and FIN flags.
Page 962
dos-protection win-nuke
This command protects against DoS WinNuke attacks, which affected the Microsoft Windows 3.1x/95/NT operating systems. In this type of attack, the perpetrator sends a string of out-of-band (OOB) packets containing a TCP URG flag to the target computer on TCP port 139 (NetBIOS), causing it to lock up and display a “Blue Screen of Death.” ...
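The five dos-protection checks above, expressed as one added Python classifier (illustration code, not the switch's own implementation) so the packet patterns each command is looking for are explicit: echo/chargen is a packet between the echo (7) and chargen (19) service ports, SYN/FIN scan is a segment with both SYN and FIN set, XMAS scan is sequence number 0 with URG, PSH and FIN, WinNuke is URG set towards TCP port 139, and TCP flooding is modelled as SYNs to one target that are never followed by the ACK completing the handshake. The half-open threshold, the `Segment` summary type and the sample packets are constructed; the page gives no threshold value.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# TCP flag bits as laid out in the TCP header flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ECHO_PORT, CHARGEN_PORT, NETBIOS_SSN_PORT = 7, 19, 139


@dataclass(frozen=True)
class Segment:
    """Constructed summary of one transport-layer packet."""
    proto: str          # "tcp" or "udp"
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: int = 0      # TCP only
    seq: int = 1        # TCP only


class DosProtection:
    """Names the dos-protection check that a packet trips, if any."""

    def __init__(self, syn_flood_threshold: int = 3):
        self.syn_flood_threshold = syn_flood_threshold   # assumed: half-open connections per target
        self._half_open: Dict[str, int] = {}             # dst_ip -> SYNs still awaiting an ACK

    def classify(self, s: Segment) -> Optional[str]:
        """Return the matching protection name, or None when the packet looks ordinary."""
        ports = {s.src_port, s.dst_port}
        # echo/chargen: one service's output fed into the other never terminates
        if ports == {ECHO_PORT, CHARGEN_PORT}:
            return "echo-chargen"
        if s.proto != "tcp":
            return None
        if s.flags & SYN and s.flags & FIN:
            return "tcp-syn-fin-scan"             # SYN and FIN never belong together
        if s.seq == 0 and (s.flags & (URG | PSH | FIN)) == (URG | PSH | FIN):
            return "tcp-xmas-scan"
        if s.flags & URG and s.dst_port == NETBIOS_SSN_PORT:
            return "win-nuke"
        # SYN flood: SYNs without the handshake-completing ACK accumulate per target
        if s.flags & SYN and not s.flags & ACK:
            n = self._half_open.get(s.dst_ip, 0) + 1
            self._half_open[s.dst_ip] = n
            if n > self.syn_flood_threshold:
                return "tcp-flooding"
        elif s.flags & ACK and not s.flags & SYN:
            if self._half_open.get(s.dst_ip, 0) > 0:
                self._half_open[s.dst_ip] -= 1    # a handshake completed
        return None


def demo() -> list:
    """Constructed packets: one of each pattern, then a handshake and an unanswered burst."""
    dos = DosProtection(syn_flood_threshold=3)
    pkts = [
        Segment("udp", "10.0.0.1", "10.0.0.2", ECHO_PORT, CHARGEN_PORT),
        Segment("tcp", "10.0.0.1", "10.0.0.2", 40000, 80, flags=SYN | FIN),
        Segment("tcp", "10.0.0.1", "10.0.0.2", 40000, 80, flags=URG | PSH | FIN, seq=0),
        Segment("tcp", "10.0.0.1", "10.0.0.2", 40000, NETBIOS_SSN_PORT, flags=URG | ACK | PSH),
        Segment("tcp", "10.0.0.1", "10.0.0.2", 40000, 80, flags=SYN),
        Segment("tcp", "10.0.0.1", "10.0.0.2", 40000, 80, flags=ACK),   # completes that handshake
    ] + [Segment("tcp", "10.0.0.%d" % i, "10.0.0.2", 40000, 80, flags=SYN) for i in range(3, 7)]
    return [dos.classify(p) for p in pkts]


if __name__ == "__main__":
    print(demo())
```

The ordinary SYN followed by its ACK leaves the half-open counter at zero, so only the fourth SYN of the unanswered burst crosses the threshold and is reported as tcp-flooding.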
CHAPTER | General Security Measures: Port-based Traffic Segmentation
PORT-BASED TRAFFIC SEGMENTATION
If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients.
◆ When traffic segmentation is enabled, the forwarding state for the uplink and downlink ports assigned to different client sessions is shown below.
Table 105: Traffic Segmentation Forwarding
Destination | Session #1 | Session #1 | Session #2 | Session #2 | Normal ...
Page 965
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Use this command to create a new traffic-segmentation client session.
◆ Using the no form of this command will remove any assigned uplink or downlink ports, restoring these interfaces to normal operating mode.
EXAMPLE
Console(config)#traffic-segmentation session 1
Console(config)# ...
Page 966
◆ A downlink port can only communicate with an uplink port in the same session. Therefore, if an uplink port is not configured for a session, the assigned downlink ports will not be able to communicate with any other ports.
Page 967
show traffic-segmentation
This command displays the configured traffic segments.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show traffic-segmentation
Private VLAN Status Enabled
Uplink-to-Uplink Mode : Forwarding
Session   Uplink Ports                   Downlink Ports
--------- ------------------------------ -----------------------------
Ethernet Ethernet Ethernet Ethernet ...
ACCESS CONTROL LISTS
Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port.
Page 970
CHAPTER | Access Control Lists: IPv4 ACLs
access-list ip
This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL.
SYNTAX
[no] access-list ip {standard | extended} acl-name
standard – ...
Page 971
permit, deny (Standard IP ACL)
This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
SYNTAX
{permit | deny} {any | source bitmask | host source} ...
Page 972
permit, deny (Extended IPv4 ACL)
This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
Page 973
control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63)
flag-bitmask – Decimal number representing the code bits to match.
time-range-name - Name of the time range. (Range: 1-16 characters)
DEFAULT SETTING ...
For example, if you configured an access list to deny packets with a ToS of 7 (00001110), the highlighted bit would be ignored, and the access list would drop packets with a ToS of both 6 and 7.
Table 108: Priority Bits Processed by Extended IPv4 ACL
DSCP Precedence ...
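How an Extended IPv4 ACL rule is matched, as an added Python model (illustration code, not the switch's own implementation). It covers the two details the pages above explain: control-flags are compared only on the bits selected by flag-bitmask, and the lowest ToS bit is not processed, which is why the page's deny-ToS-7 rule also drops ToS 6. CIDR notation stands in for the bitmask form of the source and destination, a packet matched by no rule is treated as denied (an assumption; the page does not state the default), and the `Packet` summary type, the ACL and the sample packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# TCP control bits in the flags byte of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32


@dataclass(frozen=True)
class Packet:
    """Constructed IPv4 packet summary."""
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp", ...
    sport: int = 0
    dport: int = 0
    flags: int = 0        # TCP control bits
    tos: int = 0          # 4-bit ToS value


@dataclass(frozen=True)
class ExtRule:
    action: str                          # "permit" or "deny"
    src: str = "any"                     # "any", "host A.B.C.D" or "A.B.C.D/prefix" (stands in for the bitmask)
    dst: str = "any"
    proto: Optional[str] = None
    dport: Optional[int] = None
    control_flags: Optional[int] = None  # value to match after masking, 0-63
    flag_bitmask: int = 63
    tos: Optional[int] = None

    @staticmethod
    def _addr_match(spec: str, addr: str) -> bool:
        if spec == "any":
            return True
        if spec.startswith("host "):
            return IPv4Address(addr) == IPv4Address(spec[5:])
        return IPv4Address(addr) in IPv4Network(spec, strict=False)

    def matches(self, p: Packet) -> bool:
        if not (self._addr_match(self.src, p.src) and self._addr_match(self.dst, p.dst)):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.control_flags is not None:
            # only the bits selected by flag-bitmask take part in the comparison
            if (p.flags & self.flag_bitmask) != (self.control_flags & self.flag_bitmask):
                return False
        if self.tos is not None:
            # The lowest ToS bit is ignored, so ToS 6 and 7 look the same to the ACL.
            if (p.tos >> 1) != (self.tos >> 1):
                return False
        return True


def evaluate(acl: List[ExtRule], p: Packet) -> str:
    """First matching rule wins; an unmatched packet is denied (assumed default)."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


def demo() -> dict:
    acl = [
        ExtRule("deny", tos=7),                                                # page example: also drops ToS 6
        ExtRule("deny", proto="tcp", control_flags=SYN, flag_bitmask=SYN | ACK),  # bare SYN only
        ExtRule("permit", src="192.168.0.0/24", dst="any", proto="tcp", dport=443),
    ]
    return {
        "tos7": evaluate(acl, Packet("192.168.0.10", "10.0.0.1", "tcp", dport=443, flags=ACK, tos=7)),
        "tos6": evaluate(acl, Packet("192.168.0.10", "10.0.0.1", "tcp", dport=443, flags=ACK, tos=6)),
        "tos5": evaluate(acl, Packet("192.168.0.10", "10.0.0.1", "tcp", dport=443, flags=ACK, tos=5)),
        "syn": evaluate(acl, Packet("192.168.0.10", "10.0.0.1", "tcp", dport=443, flags=SYN)),
        "synack": evaluate(acl, Packet("192.168.0.10", "10.0.0.1", "tcp", dport=443, flags=SYN | ACK)),
        "other_net": evaluate(acl, Packet("172.16.0.5", "10.0.0.1", "tcp", dport=443, flags=ACK)),
    }


if __name__ == "__main__":
    print(demo())
```

The SYN/ACK case shows what flag-bitmask buys: with the mask covering SYN and ACK, a rule for control-flags 2 matches only a connection-opening SYN, while a SYN+ACK (18) falls through to the permit rule.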
Page 975
| Access Control Lists HAPTER IPv4 ACLs This command binds an IPv4 ACL to a port. Use the no form to remove the ip access-group port. YNTAX ip access-group acl-name in [time-range time-range-name] [counter] no ip access-group acl-name in acl-name – Name of the ACL. (Maximum length: 32 characters) in –...
| Access Control Lists HAPTER IPv6 ACLs ELATED OMMANDS ip access-group (975) This command displays the rules for configured IPv4 ACLs. show ip access-list YNTAX show ip access-list {standard | extended} [acl-name] standard – Specifies a standard IP ACL. extended – Specifies an extended IP ACL. acl-name –...
Page 977
| Access Control Lists HAPTER IPv6 ACLs This command adds an IP access list and enters configuration mode for access-list ipv6 standard or extended IPv6 ACLs. Use the no form to remove the specified ACL. YNTAX [no] access-list ipv6 {standard | extended} acl-name standard –...
Page 978
| Access Control Lists HAPTER IPv6 ACLs This command adds a rule to a Standard IPv6 ACL. The rule sets a filter permit, deny condition for packets emanating from the specified source. Use the no (Standard IPv6 ACL) form to remove a rule. YNTAX {permit | deny} {any | host source-ipv6-address |...
Page 979
| Access Control Lists HAPTER IPv6 ACLs This command adds a rule to an Extended IPv6 ACL. The rule sets a filter permit, deny condition for packets with specific source or destination IP addresses, or (Extended IPv6 ACL) next header type. Use the no form to remove a rule. YNTAX {permit | deny} {any | host source-ipv6-address |...
Page 980
| Access Control Lists HAPTER IPv6 ACLs Optional internet-layer information is encoded in separate headers that ◆ may be placed between the IPv6 header and the upper-layer header in a packet. There are a small number of such extension headers, each identified by a distinct Next Header value.
Page 981
| Access Control Lists HAPTER IPv6 ACLs This command binds a port to an IPv6 ACL. Use the no form to remove the ipv6 access-group port. YNTAX ipv6 access-group acl-name in [time-range time-range-name] [counter] no ipv6 access-group acl-name in acl-name – Name of the ACL. (Maximum length: 32 characters) in –...
RELATED COMMANDS
ipv6 access-group (981)

show ipv6 access-list
This command displays the rules for configured IPv6 ACLs.
SYNTAX
show ipv6 access-list {standard | extended} [acl-name]
standard – Specifies a standard IPv6 ACL.
extended – Specifies an extended IPv6 ACL.
acl-name –...
MAC ACL
The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. The ACLs can further specify optional IP and IPv6 addresses, including protocol type and upper-layer ports.
EXAMPLE
Console(config)#access-list mac jerry
Console(config-mac-acl)#
RELATED COMMANDS
permit, deny (984)
mac access-group (987)
show mac access-list (988)

permit, deny (MAC ACL)
This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type.
DEFAULT SETTING
None
COMMAND MODE
MAC ACL
COMMAND USAGE
◆ New rules are added to the end of the list.
◆ The ethertype option can only be used to filter Ethernet II formatted packets. A detailed listing of Ethernet protocol types can be found in RFC 1060.
COMMAND USAGE
◆ Only one ACL can be bound to a port.
◆ If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one.
EXAMPLE
Console(config)#interface ethernet 1/2
Console(config-if)#mac access-group jerry in...
RELATED COMMANDS
permit, deny (984)
mac access-group (987)

ARP ACL
The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp...
RELATED COMMANDS
permit, deny (990)
show access-list arp (991)

permit, deny (ARP ACL)
This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule.
EXAMPLE
This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0.
Console(config-arp-acl)#$permit response ip any 192.168.0.0 255.255.0.0 mac any any
Console(config-arp-acl)#
RELATED COMMANDS
access-list arp (989)

This command displays the rules for configured ARP ACLs.
ACL INFORMATION
This section describes commands used to display ACL information.
Table 112: ACL Information Commands
Command | Function | Mode
clear access-list hardware counters | Clears hit counter for rules in all ACLs, or in a specified ACL. |
MAC access-list jerry
Console#

show access-list
This command shows all ACLs and associated rules.
SYNTAX
show access-list [[arp [acl-name]] | [ip [extended [acl-name] | standard [acl-name]]] | [ipv6 [extended [acl-name] | standard [acl-name]]] | [mac [acl-name]] | [tcam-utilization] | [hardware counters]]
arp –...
INTERFACE COMMANDS
These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN, or to perform cable diagnostics on the specified interface.
Table 113: Interface Commands
Command | Function | Mode
Interface Configuration
interface | Configures an interface type and enters interface configuration mode |
alias | Configures an alias name for the interface...
Table 113: Interface Commands (Continued)
Command | Function | Mode
transceiver-threshold temperature | Sets thresholds for the transceiver temperature which can be used to trigger an alarm or warning message |
transceiver-threshold tx-power | Sets thresholds for the transceiver power level of the transmitted signal which can be used to trigger an alarm or warning message...
EXAMPLE
To specify several different ports, enter the following command:
Console(config)#interface ethernet 1/17-20,23
Console(config-if)#shutdown

alias
This command configures an alias name for the interface. Use the no form to remove the alias name.
SYNTAX
alias string
no alias
string – A mnemonic name to help you remember what is attached...
DEFAULT SETTING
None
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
The description is displayed by the show interfaces status command and in the running-configuration file. An example of the value which a network manager might store in this object is the name of the manufacturer and the product name.
flowcontrol
This command enables flow control. Use the no form to disable flow control.
SYNTAX
[no] flowcontrol
DEFAULT SETTING
Disabled
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
◆ 1000BASE-T does not support forced mode. Auto-negotiation should...
media-type
This command forces the transceiver mode to use for SFP ports. Use the no form to restore the default mode.
SYNTAX
media-type sfp-forced {1000sfp | 100fx}
no media-type
1000sfp – Forces the port to use 1000BASE SFP mode
100fx – Forces the port to use 100BASE-FX mode
DEFAULT SETTING...
EXAMPLE
The following example configures port 11 to use auto-negotiation.
Console(config)#interface ethernet 1/11
Console(config-if)#negotiation
Console(config-if)#
RELATED COMMANDS
capabilities (997)
speed-duplex (1002)

shutdown
This command disables an interface. To restart a disabled interface, use the no form.
SYNTAX
[no] shutdown
DEFAULT...