Summary of Contents for Digisol DG-GS4826S
DG-GS4826S/DG-GS4850S Layer 3 Gigabit Ethernet Managed Switch
MUSTANG 4000 Managed Switch Series
Management Guide V1.1 2011-01-12
As our product undergoes continuous development the specifications are subject to change without prior notice...
ABOUT THIS GUIDE
PURPOSE This guide gives specific information on how to operate and use the management functions of the switch.
AUDIENCE The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
CONTENTS
ABOUT THIS GUIDE
CONTENTS
FIGURES
TABLES
SECTION I GETTING STARTED
INTRODUCTION
Key Features
Description of Software Features
Configuration Backup and Restore
Authentication
Access Control Lists
DHCP
Port Configuration
Rate Limiting
Port Mirroring
Port Trunking
Broadcast Storm Control
Static Addresses
IP Address Filtering
IEEE 802.1D Bridge
Store-and-Forward Switching
Spanning Tree Algorithm...
Router Redundancy
Address Resolution Protocol
Multicast Filtering
Multicast Routing
System Defaults
INITIAL SWITCH CONFIGURATION
Connecting to the Switch
Configuration Options
Required Connections
Remote Connections
Stack Operations
Selecting the Stack Master
Selecting the Backup Unit
Recovering from Stack Failure or Topology Change
Renumbering the Stack
Ensuring Consistent Code is Used Across the Stack
Basic Configuration...
Configuring Support for Jumbo Frames
Displaying Bridge Extension Capabilities
Managing System Files
Copying Files via FTP/TFTP or HTTP
Saving the Running Configuration to a Local File
Setting The Start-Up File
Showing System Files
Setting the System Clock
Setting the Time Manually
Configuring SNTP
Specifying SNTP Time Servers
Setting the Time Zone...
Configuring Uplink and Downlink Ports
VLAN Trunking
6 VLAN CONFIGURATION
IEEE 802.1Q VLANs
Configuring VLAN Groups
Adding Static Members to VLANs
Configuring Dynamic VLAN Registration
Private VLANs
Creating Private VLANs
Associating Private VLANs
Configuring Private VLAN Interfaces
IEEE 802.1Q Tunneling
Enabling QinQ Tunneling on the Switch
Adding an Interface to a QinQ Tunnel
Protocol VLANs...
11 CLASS OF SERVICE
Layer 2 Queue Settings
Setting the Default Priority for Interfaces
Selecting the Queue Mode
Mapping CoS Values to Egress Queues
Layer 3/4 Priority Settings
Mapping DSCP Priority
Mapping IP Precedence
Mapping IP Port Priority
12 QUALITY OF SERVICE...
Configuring HTTPS
Configuring Global Settings for HTTPS
Replacing the Default Secure-site Certificate
Configuring the Secure Shell
Configuring the SSH Server
Generating the Host Key Pair
Importing User Public Keys
Access Control Lists
Setting A Time Range
Showing TCAM Utilization
Setting the ACL Name and Type
Configuring a Standard IPv4 ACL
Configuring an Extended IPv4 ACL...
DHCP Snooping VLAN Configuration
Configuring Ports for DHCP Snooping
Displaying DHCP Snooping Binding Information
15 BASIC ADMINISTRATION PROTOCOLS
Configuring Event Logging
System Log Configuration
Remote Log Configuration
Sending Simple Mail Transfer Protocol Alerts
Link Layer Discovery Protocol
Setting LLDP Timing Attributes
Configuring LLDP Interface Attributes
Displaying LLDP Local Device Information
Displaying LLDP Remote Port Information...
Setting IGMP Snooping Status per Interface
Filtering IGMP Query Packets and Multicast Data
Displaying Multicast Groups Discovered by IGMP Snooping
Filtering and Throttling IGMP Groups
Enabling IGMP Filtering and Throttling
Configuring IGMP Filter Profiles
Configuring IGMP Filtering and Throttling for Interfaces
Layer 3 IGMP (Query used with Multicast Routing)
Configuring IGMP Proxy Routing
Configuring IGMP Interface Parameters...
Using the Ping Function
Using the Trace Route Function
Address Resolution Protocol
Basic ARP Configuration
Configuring Static ARP Addresses
Displaying Dynamic or Local ARP Entries
Displaying ARP Statistics
Configuring Static Routes
Displaying the Routing Table
Equal-cost Multipath Routing
19 CONFIGURING ROUTER REDUNDANCY...
Specifying Static Neighbors
Configuring Route Redistribution
Specifying an Administrative Distance
Configuring Network Interfaces for RIP
Displaying RIP Interface Settings
Displaying Peer Router Information
Resetting RIP Statistics
Configuring the Open Shortest Path First Protocol (Version 2)
Defining Network Areas Based on Addresses
Configuring General Protocol Settings
Displaying Administrative Settings and Statistics
Adding an NSSA or Stub...
Displaying RP Mapping
Configuring PIMv6 for IPv6
Enabling PIM Globally
Configuring PIM Interface Settings
Displaying Neighbor Information
SECTION III COMMAND LINE INTERFACE
23 USING THE COMMAND LINE INTERFACE
Accessing the CLI
Console Connection
Telnet Connection
Entering Commands
Keywords and Arguments
Minimum Abbreviation
Command Completion
Getting Help on Commands
Partial Keyword Lookup...
exit
25 SYSTEM MANAGEMENT COMMANDS
Device Designation
hostname
switch all renumber
System Status
show access-list tcam-utilization
show memory
show process cpu
show running-config
show startup-config
show system
show tech-support
show users
show version
Frame Size
jumbo frame
Fan Control
fan-speed force-full
File Management
boot system...
timeout login response
disconnect
show line
Event Logging
logging facility
logging history
logging host
logging on
logging trap
clear log
show log
show logging
SMTP Alerts
logging sendmail
logging sendmail host
logging sendmail level
logging sendmail destination-email
logging sendmail source-email
show logging sendmail
Time
sntp client...
snmp-server location
show snmp
snmp-server enable traps
snmp-server host
snmp-server engine-id
snmp-server group
snmp-server user
snmp-server view
show snmp engine-id
show snmp group
show snmp user
show snmp view
snmp-server notify-filter
show nlm oper-status
show snmp notify-filter
27 REMOTE MONITORING COMMANDS...
ip http secure-server
ip http secure-port
Telnet Server
ip telnet max-sessions
ip telnet port
ip telnet server
show ip telnet
Secure Shell
ip ssh authentication-retries
ip ssh server
ip ssh server-key size
ip ssh timeout
delete public-key
ip ssh crypto host-key generate
ip ssh crypto zeroize
ip ssh save host-key
show ip ssh...
DHCP Snooping
ip dhcp snooping
ip dhcp snooping database flash
ip dhcp snooping information option
ip dhcp snooping information policy
ip dhcp snooping verify mac-address
ip dhcp snooping vlan
ip dhcp snooping trust
clear ip dhcp snooping database flash
show ip dhcp snooping
show ip dhcp snooping binding
IP Source Guard...
show ip access-group
show ip access-list
IPv6 ACLs
access-list ipv6
permit, deny (Standard IPv6 ACL)
permit, deny (Extended IPv6 ACL)
show ipv6 access-list
ipv6 access-group
show ipv6 access-group
MAC ACLs
access-list mac
permit, deny (MAC ACL)
mac access-group
show mac access-group
show mac access-list
ARP ACLs
access-list arp...
show interfaces switchport
show interfaces transceiver
test cable-diagnostics dsp
test loop internal
show cable-diagnostics dsp
show loop internal
33 LINK AGGREGATION COMMANDS
channel-group
lacp
lacp admin-key (Ethernet Interface)
lacp port-priority
lacp system-priority
lacp admin-key (Port Channel)
show lacp
34 PORT MIRRORING COMMANDS
Local Port Mirroring Commands...
snmp-server enable port-traps atc multicast-control-release
show auto-traffic-control
show auto-traffic-control interface
37 ADDRESS TABLE COMMANDS
mac-address-table aging-time
mac-address-table static
clear mac-address-table dynamic
show mac-address-table
show mac-address-table aging-time
show mac-address-table count
38 SPANNING TREE COMMANDS
spanning-tree
spanning-tree forward-time
spanning-tree hello-time
spanning-tree max-age
spanning-tree mode
spanning-tree pathcost method...
spanning-tree port-bpdu-flooding
spanning-tree port-priority
spanning-tree root-guard
spanning-tree spanning-disabled
spanning-tree loopback-detection release
spanning-tree protocol-migration
show spanning-tree
show spanning-tree mst configuration
39 VLAN COMMANDS
GVRP and Bridge Extension Commands
bridge-ext gvrp
garp timer
switchport forbidden vlan
switchport gvrp
show bridge-ext
show garp timer
show gvrp configuration
Editing VLAN Groups...
Configuring Port-based Traffic Segmentation
traffic-segmentation
show traffic-segmentation
Configuring Private VLANs
private-vlan
private vlan association
switchport mode private-vlan
switchport private-vlan host-association
switchport private-vlan mapping
show vlan private-vlan
Configuring Protocol-based VLANs
protocol-vlan protocol-group (Configuring Groups)
protocol-vlan protocol-group (Configuring Interfaces)
show protocol-vlan protocol-group
show interfaces protocol-vlan protocol-group
Configuring IP Subnet VLANs
subnet-vlan...
show queue cos-map
show queue mode
show queue weight
Priority Commands (Layer 3 and 4)
map ip dscp (Global Configuration)
map ip port (Global Configuration)
map ip precedence (Global Configuration)
map ip dscp (Interface Configuration)
map ip port (Interface Configuration)
map ip precedence (Interface Configuration)
show map ip dscp
show map ip port...
ip igmp snooping tcn-query-solicit 1009
ip igmp snooping unregistered-data-flood 1010
ip igmp snooping unsolicited-report-interval 1011
ip igmp snooping version 1011
ip igmp snooping version-exclusive 1012
ip igmp snooping vlan general-query-suppression 1013
ip igmp snooping vlan immediate-leave 1013
ip igmp snooping vlan last-memb-query-count 1014
ip igmp snooping vlan last-memb-query-intvl 1015...
Multicast VLAN Registration 1033
mvr upstream-source-ip 1035
mvr immediate-leave 1035
mvr type 1036
mvr vlan group 1037
show mvr 1038
IGMP (Layer 3) 1040
ip igmp 1040
ip igmp last-member-query-interval 1041
ip igmp max-resp-interval 1042
ip igmp query-interval 1043
ip igmp robustval 1044...
show hosts 1090
45 DHCP COMMANDS 1093
DHCP Client 1093
ip dhcp client class-id 1094
ip dhcp restart client 1094
ipv6 dhcp client rapid-commit vlan 1095
DHCP Relay 1096
ip dhcp relay server 1096
ip dhcp restart relay 1097
DHCP Server 1098...
show vrrp 1116
show vrrp interface 1118
show vrrp interface counters 1119
show vrrp router counters 1120
47 IP INTERFACE COMMANDS 1121
IPv4 Interface 1121
Basic IPv4 Configuration 1122
ip address 1122
ip default-gateway 1124
show ip interface 1125
traceroute 1125...
ip rip receive version 1188
ip rip receive-packet 1189
ip rip send version 1190
ip rip send-packet 1191
ip rip split-horizon 1191
clear ip rip route 1192
show ip protocols rip 1193
show ip rip 1194
Open Shortest Path First (OSPFv2) 1195
router ospf 1196...
show ip ospf border-routers 1224
show ip ospf database 1225
show ip ospf interface 1231
show ip ospf neighbor 1233
show ip ospf route 1234
show ip ospf virtual-links 1234
show ip protocols ospf 1235
Open Shortest Path First (OSPFv3) 1236
router ipv6 ospf 1238...
49 MULTICAST ROUTING COMMANDS 1265
General Multicast Routing 1265
ip multicast-routing 1265
show ip mroute 1266
ipv6 multicast-routing 1268
show ipv6 mroute 1269
Static Multicast Routing 1271
ip igmp snooping vlan mrouter 1271
show ip igmp snooping mrouter 1272
PIM Multicast Routing 1273...
FIGURES
Figure 1: Home Page
Figure 2: Front Panel Indicators
Figure 3: System Information
Figure 4: General Switch Information
Figure 5: Configuring Support for Jumbo Frames
Figure 6: Displaying Bridge Extension Configuration
Figure 7: Copy Firmware
Figure 8: Saving the Running Configuration
Figure 9: Setting Start-Up Files
Figure 10: Displaying System Files
Figure 11: Manually Setting the System Clock...
Figure 32: Performing Cable Tests
Figure 33: Configuring Static Trunks
Figure 34: Creating Static Trunks
Figure 35: Adding Static Trunks Members
Figure 36: Configuring Connection Parameters for a Static Trunk
Figure 37: Displaying Connection Parameters for Static Trunks
Figure 38: Configuring Dynamic Trunks
Figure 39: Configuring the LACP Aggregator Admin Key
Figure 40: Enabling LACP on a Port
Figure 41: Configuring LACP Parameters on a Port...
Figure 68: Showing Associated VLANs
Figure 69: Configuring Interfaces for Private VLANs
Figure 70: QinQ Operational Concept
Figure 71: Enabling QinQ Tunneling
Figure 72: Adding an Interface to a QinQ Tunnel
Figure 73: Configuring Protocol VLANs
Figure 74: Displaying Protocol VLANs
Figure 75: Assigning Interfaces to Protocol VLANs
Figure 76: Showing the Interface to Protocol Group Mapping
Figure 77: Configuring IP Subnet VLANs...
Figure 104: Configuring MSTP Interface Settings
Figure 105: Displaying MSTP Interface Settings
Figure 106: Configuring Rate Limits
Figure 107: Configuring Storm Control
Figure 108: Setting the Default Port Priority
Figure 109: Setting the Queue Mode (Strict)
Figure 110: Setting the Queue Mode (WRR)
Figure 111: Setting the Queue Mode (Strict and WRR)
Figure 112: Mapping CoS Values to Egress Queues
Figure 113: Mapping IP DSCP Priority Values...
Figure 140: Configuring AAA Accounting Service for Exec Service
Figure 141: Displaying a Summary of Applied AAA Accounting Methods
Figure 142: Displaying Statistics for AAA Accounting Sessions
Figure 143: Configuring AAA Authorization Methods
Figure 144: Showing AAA Authorization Methods
Figure 145: Configuring AAA Authorization Methods for Exec Service
Figure 146: Displaying the Applied AAA Authorization Method
Figure 147: Configuring User Accounts...
Figure 176: Configuring an ARP ACL
Figure 177: Binding a Port to an ACL
Figure 178: Configuring Global Settings for ARP Inspection
Figure 179: Configuring VLAN Settings for ARP Inspection
Figure 180: Configuring Interface Settings for ARP Inspection
Figure 181: Displaying Statistics for ARP Inspection
Figure 182: Displaying the ARP Inspection Log
Figure 183: Creating an IP Address Filter for Management Access
Figure 184: Showing IP Addresses Authorized for Management Access...
Figure 212: Configuring a Remote Engine ID for SNMP
Figure 213: Showing Remote Engine IDs for SNMP
Figure 214: Creating an SNMP View
Figure 215: Showing SNMP Views
Figure 216: Adding an OID Subtree to an SNMP View
Figure 217: Showing the OID Subtree Configured for SNMP Views
Figure 218: Creating an SNMP Group
Figure 219: Showing SNMP Groups
Figure 220: Setting Community Access Strings...
Figure 248: Showing Current Interfaces Assigned to a Multicast Service
Figure 249: Configuring IGMP Snooping on an Interface
Figure 250: Showing Interface Settings for IGMP Snooping
Figure 251: Dropping IGMP Query or Multicast Data Packets
Figure 252: Showing Multicast Groups Learned by IGMP Snooping
Figure 253: Enabling IGMP Filtering and Throttling
Figure 254: Creating an IGMP Filtering Profile
Figure 255: Showing the IGMP Filtering Profiles Created...
Figure 284: Showing IPv6 Statistics (UDP)
Figure 285: Showing Reported MTU Values
Figure 286: Virtual Interfaces and Layer 3 Routing
Figure 287: Pinging a Network Device
Figure 288: Tracing the Route to a Network Device
Figure 289: Proxy ARP
Figure 290: Configuring General Settings for ARP
Figure 291: Configuring Static ARP Entries
Figure 292: Displaying Static ARP Entries...
Figure 320: Configuring DHCP Relay Service
Figure 321: DHCP Server
Figure 322: Enabling the DHCP Server
Figure 323: Configuring Excluded Addresses on the DHCP Server
Figure 324: Showing Excluded Addresses on the DHCP Server
Figure 325: Configuring DHCP Server Address Pools (Network)
Figure 326: Configuring DHCP Server Address Pools (Host)
Figure 327: Showing Configured DHCP Server Address Pools
Figure 328: Shows Addresses Assigned by the DHCP Server...
Figure 356: Showing OSPF Process Identifiers
Figure 357: AS Boundary Router
Figure 358: Configure General Settings for OSPF
Figure 359: Showing General Settings for OSPF
Figure 360: Adding an NSSA or Stub
Figure 361: Showing NSSAs or Stubs
Figure 362: OSPF NSSA
Figure 363: Configuring Protocol Settings for an NSSA
Figure 364:...
Figure 392: Showing PIM Neighbors
Figure 393: Configuring Global Settings for PIM-SM
Figure 394: Configuring a BSR Candidate
Figure 395: Configuring a Static Rendezvous Point
Figure 396: Showing Static Rendezvous Points
Figure 397: Configuring an RP Candidate
Figure 398: Showing Settings for an RP Candidate
Figure 399: Showing Information About the BSR
Figure 400: Showing RP Mapping
Figure 401: Enabling PIMv6 Multicast Routing...
SECTION I GETTING STARTED
This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.
This section includes these chapters:
"Introduction" on page 61
"Initial Switch Configuration"...
INTRODUCTION
This switch provides a broad range of features for Layer 2 switching and Layer 3 routing. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
CHAPTER | Introduction
Key Features
Table 1: Key Features (Continued)
Feature | Description
Address Table | Up to 16K MAC addresses in the forwarding table, 1024 static MAC addresses; Up to 8K IPv4 and 4K IPv6 entries in the host table; 8K entries in the ARP cache, 256 static ARP entries; 8K IPv4 and 4K IPv6 entries in the IP routing table, 512 static IP routes, 512 IP interfaces;...
DESCRIPTION OF SOFTWARE FEATURES
The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network.
dynamic configuration of local clients from a DHCP server located in a different network.
PORT CONFIGURATION You can manually configure the speed and duplex mode, and flow control used on specific ports, or use auto-negotiation to detect the connection settings used by the attached device.
addresses or source IP/MAC address pairs based on static entries or entries stored in the DHCP Snooping table.
IEEE 802.1D BRIDGE The switch supports IEEE 802.1D transparent bridging. The address table facilitates data switching by learning addresses, and then filtering or forwarding traffic based on this information.
VIRTUAL LANS The switch supports up to 4093 VLANs. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network. The switch supports tagged VLANs based on the IEEE 802.1Q standard.
QUALITY OF SERVICE Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per-hop basis. Each packet is classified upon entry into the network based on access lists, IP Precedence or DSCP values, or VLAN lists.
ROUTER REDUNDANCY The Virtual Router Redundancy Protocol (VRRP) uses a virtual IP address to support a primary router and multiple backup routers. The backups can be configured to take over the workload if the master fails or to load share the traffic.
SYSTEM DEFAULTS
The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file. The following table lists some of the basic system defaults.
Table 2: System Defaults
Function | Parameter...
Table 2: System Defaults (Continued)
Function | Parameter | Default
Port Configuration | Admin Status | Enabled
Port Configuration | Auto-negotiation | Enabled
Port Configuration | Flow Control | Disabled
Port Trunking | Static Trunks | None
Port Trunking | LACP (all ports) | Disabled
Congestion Control | Rate Limiting | Disabled
Congestion Control | Storm Control | Broadcast: Enabled (500 packets/sec)
Address Table | Aging Time | ...
Table 2: System Defaults (Continued)
Function | Parameter | Default
IP Settings | Management VLAN | Any VLAN configured with an IP address
IP Settings | IP Address | DHCP assigned
IP Settings | Default Gateway | 0.0.0.0
IP Settings | DHCP | Client: Enabled; Relay: Disabled; Server: Disabled; Client/Proxy service: Disabled
IP Settings | BOOTP | Disabled
Enabled...
INITIAL SWITCH CONFIGURATION
This chapter includes information on connecting to the switch and basic configuration procedures.
CONNECTING TO THE SWITCH The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface.
CHAPTER | Initial Switch Configuration
Connecting to the Switch
Control port access through IEEE 802.1X security or static address filtering
Filter packets using Access Control Lists (ACLs)
Configure up to 4093 IEEE 802.1Q VLANs
Enable GVRP automatic VLAN registration
Configure IP routing for unicast or multicast traffic
Configure router redundancy
Configure IGMP multicast filtering
Upload and download system firmware or configuration files via HTTP...
Connect the other end of the cable to the RJ-45 serial port on the switch. Make sure the terminal emulation software is set as follows:
Select the appropriate serial port (COM port 1 or COM port 2).
Set the data format to 8 data bits, 1 stop bit, and no parity.
STACK OPERATIONS
Up to eight switches can be stacked together as described in the Installation Guide. One unit in the stack acts as the Master for configuration tasks and firmware upgrade. All of the other units function in Slave mode, but can automatically take over management of the stack if the Master unit fails.
SELECTING THE BACKUP UNIT Once the Master unit finishes booting up, it continues to synchronize configuration information to all of the Slave units in the stack. If the Master unit fails or is powered off, a new master unit will be selected based on the election rules described in the preceding section.
RESILIENT IP INTERFACE FOR MANAGEMENT ACCESS The stack functions as one integral system for management and configuration purposes. You can therefore manage the stack through any IP interface configured on the stack. The Master unit does not even have to include an active port member in the VLAN interface used for management access.
Basic Configuration
In Special Stacking mode, the master unit displays warning messages whenever you log into the system through the CLI that inform you that an image download is required. You can use the CLI, web or SNMP to download the runtime image from a TFTP server to the master unit.
Console(config)#username admin password 0 [password]
Console(config)#
* This manual covers the DG-GS4826S and DG-GS4850S switches. Other than the difference in the number of ports, there are no significant differences. Therefore nearly all of the screen display examples are based on the DG-GS4826S.
MANUAL CONFIGURATION
You can manually assign an IP address to the switch. You may also need to specify a default gateway that resides between this device and management stations that exist on another network segment. Valid IPv4 addresses consist of four decimal numbers, 0 to 255, separated by periods.
other ways to assign IPv6 addresses, see "Setting the Switch’s IP Address (IP Version 6)" on page 471.
Link Local Address — All link-local addresses must be configured with a prefix of FE80. Remember that this address type makes the switch accessible over IPv6 for all devices attached to the same local subnet only.
bits (from the left) of the prefix that form the network address, and is expressed as a decimal number. For example, all IPv6 addresses that start with the first byte of 73 (hexadecimal) could be expressed as 73:0:0:0:0:0:0:0/8 or 73::/8.
values can include the IP address, subnet mask, and default gateway. If the DHCP/BOOTP server is slow to respond, you may need to use the “ip dhcp restart client” command to re-start broadcasting service requests. Note that the “ip dhcp restart client”...
OBTAINING AN ADDRESS
Link Local Address — There are several ways to configure IPv6 addresses. The simplest method is to automatically generate a “link local” address (identified by an address prefix of FE80). This address type makes the switch accessible over IPv6 for all devices attached to the same local subnet.
“private” community string that provides read/write access to the entire MIB tree. However, you may assign new views to version 1 or 2c community strings that suit your specific security requirements (see "Setting SNMPv3 Views" on page 394).
where “host-address” is the IP address for the trap receiver, “community-string” specifies access rights for a version 1/2c host, or is the user name of a version 3 host, “version” indicates the SNMP client version, and “auth | noauth | priv”...
Managing System Files
uploaded via FTP/TFTP to a server for backup. The file named “Factory_Default_Config.cfg” contains all the system default settings and cannot be deleted from the system. If the system is booted with the factory default settings, the master unit will also create a file named “startup1.cfg”...
The maximum number of saved configuration files depends on available flash memory. The amount of available flash memory can be checked by using the dir command. To save the current configuration settings, enter the following command: From the Privileged Exec mode prompt, type “copy running-config startup-config”...
SECTION II WEB CONFIGURATION
This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser.
This section includes these chapters:
"Using the Web Interface" on page 93
"Basic Management Tasks" on page 113
"Interface Configuration"...
"Unicast Routing" on page 539
"Multicast Routing" on page 595
USING THE WEB INTERFACE
This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, Netscape 6.2 or above, or Mozilla Firefox 2.0.0.0 or above).
Ethernet switches. Other than the number of ports supported by these models, there are no significant differences. Therefore nearly all of the screen display examples are based on the DG-GS4826S. The panel graphics for both switch types are shown on the following page.
DISPLAY
set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control).
Figure 2: Front Panel Indicators (DG-GS4826S, DG-GS4850S)
CHAPTER | Using the Web Interface
Navigating the Web Browser Interface
Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Table 4: Switch Main Menu
Menu | Description...
Table 4: Switch Main Menu (Continued)
Menu | Description
Cable Test | Performs cable diagnostics for selected port to diagnose any cable faults (short, open etc.) and report the cable length
Trunk
Static
Configure Trunk...
Table 4: Switch Main Menu (Continued)
Menu | Description
VLAN Trunking | Allows unknown VLAN groups to pass through the specified interface
VLAN | Virtual LAN
Static | Creates VLAN groups
Show | Displays configured VLAN groups
Modify | Configures group name and administrative status...
Table 4: Switch Main Menu (Continued)
Menu | Description
MAC-Based | Maps traffic with specified source MAC address to a VLAN
Show | Shows source MAC address to VLAN mapping
MAC Address
Learning Status | Enables MAC address learning on selected interfaces
Static...
Table 4: Switch Main Menu (Continued)
Menu | Description
Priority
Default Priority | Sets the default priority for each port or trunk
Queue | Sets queue mode for the switch; sets the service weight for each queue that will use a weighted or hybrid mode
CoS to Queue | Specifies the hardware output queues to use for CoS priority...
Table 4: Switch Main Menu (Continued)
Menu | Description
Server
Configure Server | Configures RADIUS and TACACS server message exchange settings
Configure Group | Specifies a group of authentication servers and sets the priority sequence
Show | Shows the authentication server groups and priority sequence...
Table 4: Switch Main Menu (Continued)
Menu | Description
Configure Interface
General | Enables MAC authentication on a port; sets the maximum number of addresses that can be authenticated, the guest VLAN, dynamic VLAN and dynamic QoS
Link Detection | Configures detection of changes in link status, and the response...
Table 4: Switch Main Menu (Continued)
Menu | Description
ARP Inspection
Configure General | Enables inspection globally, configures validation of additional address components, and sets the log rate for packet inspection
Configure VLAN | Enables ARP inspection on specified VLANs
Configure Interface...
Table 4: Switch Main Menu (Continued)
Menu | Description
Port/Trunk | Displays information about each interface
Show Remote Device Information
Port/Trunk | Displays information about a remote device connected to a port on this switch
Port/Trunk Details | Displays detailed information about a remote device connected to...
Table 4: Switch Main Menu (Continued)
Menu | Description
RMON | Remote Monitoring
Configure Global
Alarm | Sets threshold bounds for a monitored variable
Event | Creates a response event for an alarm
Show
Alarm | Shows all configured alarms...
Routing
  Static Routes – Configures static routing entries.
    Show – Shows static routing entries.
    Modify – Modifies the selected static routing entry.
  Routing Table
    Show Information – Shows all routing entries, including local, static and dynamic routes...
IP Service
  Domain Name Service
    General
      Configure Global – Enables DNS lookup; defines the default domain name appended to incomplete host names.
      Add Domain Name – Defines a list of domain names that can be appended to incomplete host names...
UDP Helper
  General – Enables UDP helper globally on the switch.
  Forwarding – Specifies the UDP destination ports for which broadcast traffic will be forwarded.
  Show – Shows the list of UDP ports to which broadcast traffic will be...
Add Multicast Group Range – Assigns multicast groups to the selected profile.
Show Multicast Group Range – Shows multicast groups assigned to a profile.
Configure Interface – Assigns IGMP filter profiles to port interfaces and sets the throttling action...
Network – Sets the network interfaces that will use RIP.
  Show – Shows the network interfaces that will use RIP.
Passive Interface – Stops RIP broadcast and multicast messages from being sent on specified network interfaces.
  Show...
Area
  Configure Area
    Add Area – Adds an NSSA or stub area.
    Show Area – Shows configured NSSA or stub areas.
  Configure NSSA Area – Configures settings for importing routes into or exporting routes out of not-so-stubby areas.
  Configure Stub Area – Configures default cost, and settings for importing routes into a...
Protocol Independent Multicasting
  General – Enables PIM globally for the switch.
  Interface – Enables PIM per interface, and sets the mode to dense or sparse.
  Neighbor – Displays information about neighboring PIM routers.
  PIM-SM...
BASIC MANAGEMENT TASKS
This chapter describes the following topics:
Displaying System Information – Provides basic system description, including contact information.
Displaying Switch Hardware/Software Versions – Shows the hardware version, power status, and firmware versions.
Configuring Support for Jumbo Frames – Enables support for jumbo frames.
CHAPTER | Basic Management Tasks | Displaying System Information
PARAMETERS
These parameters are displayed in the web interface:
System Description – Brief description of device type.
System Object ID – MIB II object ID for the switch's network management subsystem.
System Up Time – Length of time the management agent has been
System Name –...
Thermal Detector – The first detector is near the air flow intake vents on both models. The second detector is near the switch ASIC on the DG-GS4826S and near the physical layer ASIC on the DG-GS4850S.
Temperature – Temperature at the specified thermal detection point.
Figure 4: General Switch Information
CONFIGURING SUPPORT FOR JUMBO FRAMES
Use the System > Capability page to configure support for jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 10KB for Gigabit Ethernet.
Enable or disable support for jumbo frames. Click Apply.
Figure 5: Configuring Support for Jumbo Frames
DISPLAYING BRIDGE EXTENSION CAPABILITIES
Use the System > Capability page to display settings based on the Bridge MIB.
CHAPTER | Basic Management Tasks | Managing System Files
Max Supported VLAN Numbers – The maximum number of VLANs supported on this switch.
Max Supported VLAN ID – The maximum configurable VLAN identifier supported on this switch.
GMRP – GARP Multicast Registration Protocol (GMRP) allows network devices to register end stations with multicast groups.
You can also set the switch to use new firmware or configuration settings without overwriting the current version. Just download the file using a different name from the current version, and then set the new file as the startup file.
WEB INTERFACE
To copy firmware files:
Click System, then File.
Select Copy from the Action list.
Select FTP Upgrade, HTTP Upgrade, or TFTP Upgrade as the file transfer method.
If FTP or TFTP Upgrade is used, enter the IP address of the file server.
If FTP Upgrade is used, enter the user name and password for your account on the FTP server.
SAVING THE RUNNING CONFIGURATION TO A LOCAL FILE
Use the System > File (Copy) page to save the current configuration settings to a local file on the switch. The configuration settings are not automatically saved by the system for subsequent use when the switch is rebooted.
If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu.
SETTING THE START-UP FILE
Use the System > File (Set Start-Up) page to specify the firmware or configuration file to use for system initialization.
CHAPTER | Basic Management Tasks | Setting the System Clock
SHOWING SYSTEM FILES
Use the System > File (Show) page to show the files in the system directory, or to delete a file. Files designated for start-up, and the Factory_Default_Config.cfg file, cannot be deleted.
CLI REFERENCES
"dir"...
SETTING THE TIME MANUALLY
Use the System > Time (Configure General - Manual) page to set the system time on the switch manually without using SNTP.
CLI REFERENCES
"calendar set" on page 688
"show calendar"...
CONFIGURING SNTP
Use the System > Time (Configure General - SNTP) page to configure the switch to send time synchronization requests to time servers. Set the SNTP polling interval, SNTP servers, and also the time zone.
CLI REFERENCES
"Time"...
SPECIFYING SNTP TIME SERVERS
Use the System > Time (Configure Time Server) page to specify the IP address for up to three SNTP time servers.
CLI REFERENCES
"sntp server" on page 686
PARAMETERS
The following parameters are displayed in the web interface:
SNTP Server IP Address –...
SETTING THE TIME ZONE
Use the System > Time (Configure Time Server) page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth's prime meridian, zero degrees longitude, which passes through Greenwich, England.
CHAPTER | Basic Management Tasks | Console Port Settings
CONSOLE PORT SETTINGS
Use the System > Console menu to configure connection parameters for the switch's console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch's serial console port.
If you select the "auto" option, the switch will automatically detect the baud rate configured on the attached terminal, and adjust the speed accordingly.
Note: If you want to view all the system initialization messages, set the baud rate to 115200 bps.
CHAPTER | Basic Management Tasks | Telnet Settings
TELNET SETTINGS
Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other parameters set, including the TCP port number, timeouts, and a password.
CHAPTER | Basic Management Tasks | Displaying CPU Utilization
WEB INTERFACE
To configure parameters for the console port:
Click System, then Telnet.
Specify the connection parameters as required.
Click Apply.
Figure 16: Telnet Connection Settings
DISPLAYING CPU UTILIZATION
Use the System > CPU Utilization page to display information on CPU utilization.
Figure 17: Displaying CPU Utilization
DISPLAYING MEMORY UTILIZATION
Use the System > Memory Status page to display memory utilization parameters.
CLI REFERENCES
"show memory" on page 650
PARAMETERS
The following parameters are displayed in the web interface:
Free Size –...
CHAPTER | Basic Management Tasks | Renumbering the Stack
RENUMBERING THE STACK
If the units are no longer numbered sequentially after several topology changes or failures, use the System > Renumbering page to reset the unit numbers. Just remember to save the new configuration settings to a startup configuration file prior to powering off the stack Master.
CHAPTER | Basic Management Tasks | Resetting the System
RESETTING THE SYSTEM
Use the System > Reset menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval.
CLI REFERENCES
"reload (Privileged Exec)" on page 644
"reload (Global Configuration)"...
Regularly – Specifies a periodic interval at which to reload the switch.
Time
  HH – The hour at which to reload. (Range: 0-23)
  MM – The minute at which to reload. (Range: 0-59)
Period
  Daily – Every day.
Figure 21: Restarting the Switch (In)
Figure 22: Restarting the Switch (At)
Figure 23: Restarting the Switch (Regularly)
INTERFACE CONFIGURATION
This chapter describes the following topics:
Port Configuration – Configures connection settings, including auto-negotiation, or manual setting of speed, duplex mode, and flow control.
Port Mirroring – Sets the source and target ports for mirroring on the local switch.
CHAPTER | Interface Configuration | Port Configuration
When using auto-negotiation, the optimal settings will be negotiated between the link partners based on their advertised capabilities. To set the speed, duplex mode, or flow control under auto-negotiation, the required operation modes must be specified in the capabilities list for an interface.
100f – Supports 100 Mbps full-duplex operation
1000f (Gigabit ports only) – Supports 1000 Mbps full-duplex operation
10Gf (10 Gigabit ports only) – Supports 10 Gbps full-duplex operation
Sym – Check this item to transmit and receive pause frames.
FC – Flow control can eliminate frame loss by "blocking"...
Figure 24: Configuring Connections by Port List
CONFIGURING BY PORT RANGE
Use the Interface > Port > General (Configure by Port Range) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
Figure 25: Configuring Connections by Port Range
DISPLAYING CONNECTION STATUS
Use the Interface > Port > General (Show Information) page to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation.
CLI REFERENCES
"show interfaces status"...
WEB INTERFACE
To display port connection parameters:
Click Interface, Port, General.
Select Show Information from the Action List.
Figure 26: Displaying Port Information
CONFIGURING
Use the Interface > Port > Mirror page to mirror traffic from any source port to a target port for real-time analysis.
PARAMETERS
These parameters are displayed in the web interface:
Source Port – The port whose traffic will be monitored. (Range: 1-26/50)
Target Port – The port that will mirror the traffic on the source port. (Range: 1-26/50)
Type –...
Figure 29: Displaying Local Port Mirror Sessions
SHOWING PORT OR TRUNK STATISTICS
Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
Table 5: Port Statistics (Continued)
Received Discarded Packets – The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol. One possible reason for discarding such a packet could be to free up buffer space.
Table 5: Port Statistics (Continued)
Drop Events – The total number of events in which packets were dropped due to lack of resources.
Jabbers – The total number of frames received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either an FCS or alignment error.
WEB INTERFACE
To show a list of port statistics:
Click Interface, Port, Statistics.
Select the statistics mode to display (Interface, Etherlike or RMON).
Select a port from the drop-down list.
Use the Refresh button at the bottom of the page if you need to update the screen.
Figure 31: Showing Port Statistics (Chart)
PERFORMING CABLE DIAGNOSTICS
Use the Interface > Port > Cable Test page to test the cable attached to a port. The cable test will check for any cable faults (short, open, etc.). If a fault is found, the switch reports the length to the fault.
Not Supported: This message is displayed for any Gigabit Ethernet ports linked up at a speed lower than 1000 Mbps, or for any 10G Ethernet ports.
Impedance mismatch: Terminating impedance is not in the reference range.
CHAPTER | Interface Configuration | Trunk Configuration
CONFIGURING A STATIC TRUNK
Use the Interface > Trunk > Static page to create a trunk, assign member ports, and configure the connection parameters.
Figure 33: Configuring Static Trunks (figure labels: statically configured, active links)
CLI REFERENCES
"Link Aggregation Commands"...
Set the unit and port for the initial trunk member.
Click Apply.
Figure 34: Creating Static Trunks
To add member ports to a static trunk:
Click Interface, Trunk, Static.
Select Configure Trunk from the Step list.
Select Add Member from the Action list.
Figure 36: Configuring Connection Parameters for a Static Trunk
To display trunk connection parameters:
Click Interface, Trunk, Static.
Select Configure General from the Step list.
Select Show Information from the Action list.
Figure 37: Displaying Connection Parameters for Static Trunks
Use the Interface >...
COMMAND USAGE
To avoid creating a loop in the network, be sure you enable LACP before connecting the ports, and also disconnect the ports before disabling LACP.
If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically.
By default, the Actor Admin Key is determined by the port's link speed, and copied to the Oper Key. The Partner Admin Key is assigned to zero, and the Oper Key is set based upon LACP PDUs received from the Partner.
System Priority –...
To enable LACP for a port:
Click Interface, Trunk, Dynamic.
Select Configure Aggregation Port from the Step list.
Select Configure from the Action list.
Click General.
Enable LACP on the required ports.
Click Apply.
Figure 40: Enabling LACP on a Port
To configure LACP parameters for group members:
Click Interface, Trunk, Dynamic.
Figure 41: Configuring LACP Parameters on a Port
To show the active members of a dynamic trunk:
Click Interface, Trunk, Dynamic.
Select Configure Trunk from the Step List.
Select Show Member from the Action List.
Select a Trunk.
Figure 43: Configuring Connection Settings for Dynamic Trunks
To display connection parameters for a dynamic trunk:
Click Interface, Trunk, Dynamic.
Select Configure Trunk from the Step List.
Select Show from the Action List.
Figure 44: Displaying Connection Parameters for Dynamic Trunks
LACP
Use the Interface >...
Table 6: LACP Port Counters (Continued)
Marker Unknown Pkts – Number of frames received that either (1) carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
DISPLAYING LACP SETTINGS AND STATUS FOR THE LOCAL SIDE
Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Internal) page to display the configuration settings and operational state for the local side of a link aggregation.
CLI R...
Figure 46: Displaying LACP Port Internal Information
DISPLAYING LACP SETTINGS AND STATUS FOR THE REMOTE SIDE
Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation.
CHAPTER | Interface Configuration | Sampling Traffic Flows
WEB INTERFACE
To display LACP settings and status for the remote side:
Click Interface, Trunk, Dynamic.
Select Configure Aggregation Port from the Step list.
Select Show Information from the Action list.
Click Neighbors.
Select a group member from the Port list.
Figure 47: Displaying LACP Port Remote Information
SAMPLING TRAFFIC FLOWS
As the Collector receives streams from the various sFlow agents (other switches or routers) throughout the network, a timely, network-wide picture of utilization and traffic flows is created. Analysis of the sFlow stream(s) can reveal trends and information that can be leveraged in the following ways:
Detecting, diagnosing, and fixing network problems
Real-time congestion management...
Max Datagram Size – Maximum size of the sFlow datagram payload. (Range: 200-1500 bytes; Default: 1400 bytes)
Sample Rate – The number of packets out of which one sample will be taken. (Range: 256-16777215 packets, or 0 to disable sampling; Default: Disabled)
WEB INTERFACE
To configure flow sampling:...
CHAPTER | Interface Configuration | Traffic Segmentation
TRAFFIC SEGMENTATION
If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic between clients on different downlink ports.
CONFIGURING UPLINK AND DOWNLINK PORTS
Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports.
CHAPTER | Interface Configuration | VLAN Trunking
VLAN TRUNKING
Use the Interface > VLAN Trunking page to allow unknown VLAN groups to pass through the specified interface.
CLI REFERENCES
"vlan-trunking" on page 937
COMMAND USAGE
Use this feature to configure a tunnel across one or more intermediate switches which pass traffic for VLAN groups to which they do not belong.
Trunk – Trunk Identifier. (Range: 1-32)
VLAN Trunking Status – Enables VLAN trunking on the selected interface.
WEB INTERFACE
To enable VLAN trunking on a port or trunk:
Click Interface, VLAN Trunking.
Click Port or Trunk to specify the interface type.
Enable VLAN trunking on any of the Gigabit ports or on a trunk containing Gigabit ports.
VLAN CONFIGURATION
This chapter includes the following topics:
IEEE 802.1Q VLANs – Configures static and dynamic VLANs.
Private VLANs – Configures private VLANs, using primary groups for unrestricted upstream access and community groups which are restricted to other local group members or to the ports in the associated primary group.
CHAPTER | VLAN Configuration | IEEE 802.1Q VLANs
...or IP subnets. VLANs inherently provide a high level of network security since traffic must pass through a configured Layer 3 link to reach a different VLAN. This switch supports the following VLAN features:
Up to 4093 VLANs based on the IEEE 802.1Q standard
Distributed VLAN learning across multiple switches using explicit or implicit tagging and GVRP protocol...
VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port).
Figure 54: Using GVRP (figure labels: Port-based VLAN; ports 10, 11, 15, 16)
Forwarding Tagged/Untagged Frames
If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
Status – Enables or disables the specified VLAN.
Show
  VLAN ID – ID of configured VLAN.
  VLAN Name – Name of the VLAN.
  Status – Operational status of configured VLAN.
WEB INTERFACE
To create VLAN groups:
Click VLAN, Static.
To modify the configuration settings for VLAN groups:
Click VLAN, Static.
Select Modify from the Action list.
Select the identifier of a configured VLAN.
Modify the VLAN name or operational status as required.
Click Apply.
...untagged [if] they are not connected to any VLAN-aware devices. Or configure a port as forbidden to prevent the switch from automatically adding it to a VLAN via the GVRP protocol.
CLI REFERENCES
"Configuring VLAN Interfaces"...
If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).
The PVID, acceptable frame type, and ingress filtering parameters for each interface within the specified range must be configured on either the Edit Member by VLAN or Edit Member by Interface page.
WEB INTERFACE
To configure static members by the VLAN index:
Click VLAN, Static.
Figure 59: Configuring Static VLAN Members by Interface
To configure static members by interface range:
Click VLAN, Static.
Select Edit Member by Interface Range from the Step list.
Set the Interface type to display as Port or Trunk.
Enter an interface range.
CONFIGURING DYNAMIC VLAN REGISTRATION
Use the VLAN > Dynamic page to enable GVRP globally on the switch, or to enable GVRP and adjust the protocol timers per interface.
CLI REFERENCES
"GVRP and Bridge Extension Commands" on page 926
"Configuring VLAN Interfaces"...
Show Dynamic VLAN – Show VLAN
  VLAN ID – Identifier of a VLAN this switch has joined through GVRP.
  VLAN Name – Name of a VLAN this switch has joined through GVRP.
  Status – Indicates if this VLAN is currently operational. (Display Values: Enabled, Disabled)
Show Dynamic VLAN –...
Figure 62: Configuring GVRP for an Interface
To show the dynamic VLANs joined by this switch:
Click VLAN, Dynamic.
Select Show Dynamic VLAN from the Step list.
Select Show VLAN from the Action list.
Figure 63: Showing Dynamic VLANs Registered on the Switch
To show the members of a dynamic VLAN:
Click VLAN, Dynamic.
CHAPTER | VLAN Configuration | Private VLANs
PRIVATE VLANS
Private VLANs provide port-based security and isolation of local ports contained within different private VLAN groups. This switch supports two types of private VLANs – primary and community groups. A primary VLAN contains promiscuous ports that can communicate with all other ports in the associated private VLAN groups, while a community (or secondary) VLAN contains community ports that can only communicate with other...
Community – Conveys traffic between community ports, and to their promiscuous ports in the associated primary VLAN.
WEB INTERFACE
To configure private VLANs:
Click VLAN, Private.
Select Configure VLAN from the Step list.
Select Add from the Action list.
Enter the VLAN ID to assign to the private VLAN.
ASSOCIATING PRIVATE VLANS
Use the VLAN > Private (Configure VLAN - Add Community VLAN) page to associate each community VLAN with a primary VLAN.
CLI REFERENCES
"private vlan association" on page 950
PARAMETERS
These parameters are displayed in the web interface:
Primary VLAN –...
Figure 68: Showing Associated VLANs
CONFIGURING PRIVATE VLAN INTERFACES
Use the VLAN > Private (Configure Interface) page to set the private VLAN interface type, and assign the interfaces to a private VLAN.
CLI REFERENCES
"switchport private-vlan mapping"...
WEB INTERFACE
To configure a private VLAN port or trunk:
Click VLAN, Private.
Select Configure Interface from the Step list.
Set the Interface type to display as Port or Trunk.
Set the Port Mode to Promiscuous.
For an interface set to Promiscuous mode, select an entry from the Primary VLAN list.
CHAPTER | VLAN Configuration | IEEE 802.1Q Tunneling
IEEE 802.1Q TUNNELING
IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
Figure 70: QinQ Operational Concept (figure labels: Customer A (VLANs 1-10) at both ends; QinQ Tunneling across the Service Provider network, VLAN 10, edge switch A and edge switch B; Tunnel Access Port; Tunnel...)
Layer 2 Flow for Packets Coming into a Tunnel Uplink Port
An uplink port receives one of the following packets:
Untagged
One tag (CVLAN or SPVLAN)
Double tag (CVLAN + SPVLAN)
The ingress process does source and destination lookups. If both lookups are successful, the ingress process writes the packet to memory.
Configuration Limitations for QinQ
The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN. Then the outer SPVLAN tag will be stripped when the packets are sent out.
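The VLAN classification and ingress-filtering rules described under IEEE 802.1Q VLANs, the three packet types a tunnel uplink port can receive, and the SPVLAN/native-VLAN limitation above, worked through in code. This is an added example, not code from the Digisol manual or the switch firmware; the port model (PVID, membership, ingress filtering, acceptable frame type), the 0x88A8 default for the outer tag TPID, the helper names and the sample frames are all assumptions made here.

```python
"""Added example (not code from the Digisol manual): classify a frame
arriving on a switch port the way the VLAN and QinQ sections describe.

Assumptions (not taken from the manual): the outer SPVLAN tag uses TPID
0x88A8 unless the operator set a nonstandard TPID; a port is modelled by
its PVID, VLAN membership, ingress-filtering and acceptable-frame-type
settings; the frames built below are constructed sample input."""
from dataclasses import dataclass, field
import struct

DOT1Q_TPID = 0x8100        # standard IEEE 802.1Q tag protocol identifier
DEFAULT_SP_TPID = 0x88A8   # assumed default for the service-provider (outer) tag


@dataclass
class VlanTag:
    tpid: int
    pcp: int   # priority code point (3 bits)
    dei: int   # drop eligible indicator (1 bit)
    vid: int   # VLAN identifier (12 bits)


def parse_tags(frame: bytes, tpids=(DOT1Q_TPID, DEFAULT_SP_TPID)):
    """Walk the tag stack after the 12-byte destination/source MAC header.
    Returns (tags outermost first, final EtherType, payload offset)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    offset = 12
    tags = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame truncated inside the tag stack")
        etype = struct.unpack_from("!H", frame, offset)[0]
        if etype not in tpids:
            return tags, etype, offset + 2
        if offset + 4 > len(frame):
            raise ValueError("frame truncated inside a VLAN tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        tags.append(VlanTag(etype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4


def tag_class(tags):
    """Name the ingress cases listed for a tunnel uplink port."""
    return {0: "untagged", 1: "single-tag", 2: "double-tag"}.get(len(tags), "stacked")


@dataclass
class PortConfig:
    pvid: int
    members: set = field(default_factory=set)   # VLANs the port belongs to
    ingress_filtering: bool = True
    acceptable_frame_type: str = "all"          # "all" or "tagged"


def classify_ingress(frame: bytes, port: PortConfig):
    """Untagged frames are assigned the port's PVID; tagged frames for a VLAN
    the port is not a member of are dropped when ingress filtering is on and
    flooded when it is off. Returns (action, vlan_or_reason)."""
    tags, _etype, _ = parse_tags(frame)
    if not tags:
        if port.acceptable_frame_type == "tagged":
            return "drop", "untagged frame on a tagged-only port"
        return "forward", port.pvid
    vid = tags[0].vid                      # the outermost tag decides the VLAN
    if vid in port.members:
        return "forward", vid
    if port.ingress_filtering:
        return "drop", f"port is not a member of VLAN {vid}"
    return "flood", vid                    # flooded to all other ports


def check_qinq_uplink(native_vlan: int, spvlan: int, untagged_vlans: set):
    """Return the problems the QinQ 'Configuration Limitations' note warns
    about for an uplink port (an empty list means the combination is fine)."""
    problems = []
    if spvlan == native_vlan:
        problems.append("SPVLAN is the uplink port's native VLAN (not recommended)")
        if spvlan not in untagged_vlans:
            problems.append("uplink port must be an untagged member of the SPVLAN "
                            "so the outer tag is stripped on egress")
    return problems


def build_frame(tags, etype=0x0800, payload=b"\x00" * 46):
    """Constructed sample frame: two dummy MACs, the given (tpid, vid) tags,
    an EtherType and padding."""
    out = bytes.fromhex("0011223344550066778899aa")
    for tpid, vid in tags:
        out += struct.pack("!HH", tpid, vid & 0x0FFF)
    return out + struct.pack("!H", etype) + payload


if __name__ == "__main__":
    access = PortConfig(pvid=10, members={10, 20})
    samples = [("untagged", build_frame([])),
               ("cvlan 20", build_frame([(DOT1Q_TPID, 20)])),
               ("cvlan 30", build_frame([(DOT1Q_TPID, 30)])),
               ("qinq", build_frame([(DEFAULT_SP_TPID, 10), (DOT1Q_TPID, 5)]))]
    for label, frame in samples:
        print(label, tag_class(parse_tags(frame)[0]), classify_ingress(frame, access))
    print(check_qinq_uplink(native_vlan=1, spvlan=1, untagged_vlans=set()))
```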
ENABLING QINQ TUNNELING ON THE SWITCH
Use the VLAN > Tunnel (Configure Global) page to configure the switch to operate in IEEE 802.1Q (QinQ) tunneling mode, which is used for passing Layer 2 traffic across a service provider's metropolitan area network. You can also globally set the Tag Protocol Identifier (TPID) value of the tunnel port if the attached client is using a nonstandard 2-byte ethertype to...
Figure 71: Enabling QinQ Tunneling
ADDING AN INTERFACE TO A QINQ TUNNEL
Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch. Then use the VLAN > Tunnel (Configure Interface) page to set the tunnel mode for any participating interface.
CHAPTER | VLAN Configuration | Protocol VLANs
WEB INTERFACE
To add an interface to a QinQ tunnel:
Click VLAN, Tunnel.
Select Configure Interface from the Step list.
Set the mode for any tunnel access port to Tunnel and the tunnel uplink port to Tunnel Uplink.
Click Apply.
COMMAND USAGE
To configure protocol-based VLANs, follow these steps:
First configure VLAN groups for the protocols you want to use (page 930). Although not mandatory, we suggest configuring a separate VLAN for each major protocol running on your network. Do not add port members at this time.
WEB INTERFACE
To configure a protocol group:
Click VLAN, Protocol.
Select Configure Protocol from the Step list.
Select Add from the Action list.
Select an entry from the Frame Type list.
Select an entry from the Protocol Type list.
Enter an identifier for the protocol group.
MAPPING PROTOCOL GROUPS TO INTERFACES
Use the VLAN > Protocol (Configure Interface - Add) page to map a protocol group to a VLAN for each interface that will participate in the group.
CLI REFERENCES
"protocol-vlan protocol-group (Configuring Interfaces)"...
Enter the corresponding VLAN to which the protocol traffic will be forwarded.
Click Apply.
Figure 75: Assigning Interfaces to Protocol VLANs
To show the protocol groups mapped to a port or trunk:
Click VLAN, Protocol.
Select Configure Interface from the Step list.
CHAPTER | VLAN Configuration | Configuring IP Subnet VLANs
CONFIGURING IP SUBNET VLANS
Use the VLAN > IP Subnet page to configure IP subnet-based VLANs. When using port-based classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port.
WEB INTERFACE
To map an IP subnet to a VLAN:
Click VLAN, IP Subnet.
Select Add from the Action list.
Enter an address in the IP Address field.
Enter a mask in the Subnet Mask field.
Enter the identifier in the VLAN field.
CHAPTER | VLAN Configuration | Configuring MAC-based VLANs
CONFIGURING MAC-BASED VLANS
Use the VLAN > MAC-Based page to configure VLANs based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to source MAC addresses. When MAC-based VLAN classification is enabled, untagged frames received by a port are assigned to the VLAN which is mapped to the frame's source MAC address.
| VLAN Configuration HAPTER Configuring MAC-based VLANs Click Apply. Figure 79: Configuring MAC-Based VLANs To show the MAC addresses mapped to a VLAN: Click VLAN, MAC-Based. Select Show from the Action list. Figure 80: Showing MAC-Based VLANs – 203 –...
Address Table Settings. Switches store the addresses of all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.
Address Table Settings | Configuring MAC Address Learning. Also note that MAC address learning cannot be disabled if any of the following conditions exist: 802.1X Port Authentication has been globally enabled on the switch (see "Configuring 802.1X Global Settings" on page 347).
Address Table Settings | Setting Static Addresses. Use the MAC Address > Static page to configure static MAC addresses. A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address is ignored and is not written to the address table.
Address Table Settings | Changing the Aging Time. Click Apply. Figure 82: Configuring Static MAC Addresses. To show the static addresses in the MAC address table: Click MAC Address, Static. Select Show from the Action list. Figure 83: Displaying Static MAC Addresses. Changing the Aging Time: Use the MAC Address >...
Address Table Settings | Displaying the Dynamic Address Table. Web Interface: To set the aging time for entries in the dynamic address table: Click MAC Address, Dynamic. Select Configure Aging from the Action list. Modify the aging status if required. Specify a new aging time.
Address Table Settings | Clearing the Dynamic Address Table. Web Interface: To show the dynamic address table: Click MAC Address, Dynamic. Select Show Dynamic MAC from the Action list. Select the Sort Key (MAC Address, VLAN, or Interface). Enter the search parameters (MAC Address, VLAN, or Interface). Click Query.
Address Table Settings | Clearing the Dynamic Address Table. Select the method by which to clear the entries (i.e., All, MAC Address, VLAN, or Interface). Enter information in the additional fields required for clearing entries by MAC Address, VLAN, or Interface. Click Clear.
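The behaviour described in this chapter (static addresses bound to one interface that are never moved, dynamic entries that are learned, aged out and can be cleared by MAC, VLAN or interface) is easy to get wrong when you script against a switch or reason about a MAC-spoofing incident. The following model is an added example and not Digisol's code; the class, its method names and the frames in the scenario are assumptions made for illustration.

```python
"""Model of a switch MAC address table: static bindings, dynamic learning,
aging, and selective clearing. Added illustration, not Digisol's own code;
the structure, method names and the sample frames below are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:
    interface: str
    static: bool
    last_seen: float  # seconds; ignored for static entries


class AddressTable:
    def __init__(self, aging_time: int = 300, aging_enabled: bool = True) -> None:
        self.aging_time = aging_time
        self.aging_enabled = aging_enabled
        # keyed by (vlan, mac); one entry per address per VLAN
        self.entries: Dict[Tuple[int, str], Entry] = {}

    def add_static(self, mac: str, vlan: int, interface: str) -> None:
        """Bind an address to an interface; static entries never move or age."""
        self.entries[(vlan, mac.upper())] = Entry(interface, True, 0.0)

    def learn(self, src_mac: str, vlan: int, interface: str, now: float) -> bool:
        """Source-address learning on frame arrival.

        Returns False when the address is statically bound to a different
        interface: the frame is ignored and the table is not updated, which
        is what the manual states for static addresses."""
        key = (vlan, src_mac.upper())
        ent = self.entries.get(key)
        if ent is not None and ent.static:
            return ent.interface == interface
        # dynamic entry: (re)learn, and refresh the timestamp used for aging
        self.entries[key] = Entry(interface, False, now)
        return True

    def lookup(self, mac: str, vlan: int) -> Optional[str]:
        ent = self.entries.get((vlan, mac.upper()))
        return ent.interface if ent else None

    def age(self, now: float) -> List[str]:
        """Drop dynamic entries idle longer than aging_time; return aged MACs."""
        if not self.aging_enabled:
            return []
        expired = [k for k, e in self.entries.items()
                   if not e.static and now - e.last_seen > self.aging_time]
        for k in expired:
            del self.entries[k]
        return sorted(m for _, m in expired)

    def clear_dynamic(self, mac: Optional[str] = None, vlan: Optional[int] = None,
                      interface: Optional[str] = None) -> int:
        """Clear dynamic entries by MAC, VLAN, interface, or all; statics stay."""
        victims = [k for k, e in self.entries.items() if not e.static
                   and (mac is None or k[1] == mac.upper())
                   and (vlan is None or k[0] == vlan)
                   and (interface is None or e.interface == interface)]
        for k in victims:
            del self.entries[k]
        return len(victims)


def demo() -> dict:
    """Constructed scenario: a server bound statically to Eth 1/1, a host
    learned on Eth 1/5, then an impostor sourcing the server's MAC on Eth 1/7."""
    fdb = AddressTable(aging_time=300)
    fdb.add_static("00-11-22-33-44-55", 1, "Eth 1/1")
    fdb.learn("00-AA-BB-CC-DD-EE", 1, "Eth 1/5", now=10.0)
    spoof_accepted = fdb.learn("00-11-22-33-44-55", 1, "Eth 1/7", now=20.0)
    aged_at_400 = fdb.age(now=400.0)   # host idle for 390 s, longer than 300 s
    return {
        "server_port": fdb.lookup("00-11-22-33-44-55", 1),
        "spoof_accepted": spoof_accepted,
        "aged": aged_at_400,
        "remaining": len(fdb.entries),
    }


if __name__ == "__main__":
    print(demo())
```

The static binding is the security-relevant part: because the impostor's frame does not overwrite the entry, traffic for the server keeps flowing to Eth 1/1 instead of being hijacked by a MAC-flapping attacker. Pair static entries with port security on the ports where those addresses are expected.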
Spanning Tree Algorithm. This chapter describes the following basic topics: Loopback Detection – Configures detection of and response to loopback BPDUs. Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP. Interface Settings for STA – Configures interface settings for STA, including priority, path cost, link type, and designation as an edge port.
Spanning Tree Algorithm | Overview. ...lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops. Figure 87: STP Root Ports and Designated Ports (Designated Root...)
Spanning Tree Algorithm | Overview. Figure 88: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree. An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see "Configuring Multiple Spanning Trees"...
Spanning Tree Algorithm | Configuring Loopback Detection. Use the Spanning Tree > Loopback Detection page to configure loopback detection on an interface. When loopback detection is enabled and a port or trunk receives its own BPDU, the detection agent drops the loopback BPDU, sends an SNMP trap, and places the interface in discarding mode.
Spanning Tree Algorithm | Configuring Global Settings for STA. Web Interface: To configure loopback detection: Click Spanning Tree, Loopback Detection. Click Port or Trunk to display the required interface type. Modify the required loopback detection attributes. Click Apply. Figure 90: Configuring Port Loopback Detection. Configuring Global Settings for STA...
Spanning Tree Algorithm | Configuring Global Settings for STA. ...connected to an 802.1D bridge and starts using only 802.1D BPDUs. RSTP Mode – If RSTP is using 802.1D BPDUs on a port and receives an RSTP BPDU after the migration delay expires, RSTP restarts the migration delay timer and begins using RSTP BPDUs on that port.
Spanning Tree Algorithm | Configuring Global Settings for STA. ...the device with the lowest MAC address will then become the root device. (Note that lower numeric values indicate higher priority.) Default: 32768. Range: 0-61440, in steps of 4096. Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440. BPDU Flooding –...
Spanning Tree Algorithm | Configuring Global Settings for STA. ...becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network. (References to "ports" in this section mean "interfaces," which includes both ports and trunks.) Default: 20. Minimum: The higher of 6 or [2 x (Hello Time + 1)]...
Spanning Tree Algorithm | Configuring Global Settings for STA. Click Apply. Figure 91: Configuring Global Settings for STA (STP). Figure 92: Configuring Global Settings for STA (RSTP).
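Two of the global settings above are routinely misconfigured: the bridge priority (only multiples of 4096 between 0 and 61440 are valid, and the root is the bridge with the numerically lowest priority/MAC pair, so an attacker or a mis-set access switch with priority 0 takes the root role) and the timer relationship that sets the Max Age minimum. The following is an added example, not the switch's own code; the bridge list is constructed, and the Max Age upper bound used here (the lower of 40 or 2 x (Forward Delay - 1)) is the IEEE 802.1D rule and is assumed to be what the switch enforces.

```python
"""Root-bridge election and STA timer consistency checks. Added example,
not Digisol's code; the bridge list in demo() is constructed."""
from typing import List, Tuple

PRIORITY_STEP = 4096
PRIORITY_MAX = 61440


def check_priority(priority: int) -> int:
    """Accept only the 16 values the switch allows: 0..61440 in steps of 4096."""
    if not 0 <= priority <= PRIORITY_MAX or priority % PRIORITY_STEP:
        raise ValueError(f"bridge priority {priority} is not a multiple of 4096 in 0-61440")
    return priority


def bridge_id(priority: int, mac: str) -> Tuple[int, int]:
    """802.1D bridge identifier ordering: priority first, then the MAC as a
    number. The lowest identifier wins, so a lower number is a higher priority."""
    mac_int = int(mac.replace("-", "").replace(":", ""), 16)
    if mac_int >> 48:
        raise ValueError(f"bad MAC address {mac}")
    return (check_priority(priority), mac_int)


def elect_root(bridges: List[Tuple[int, str]]) -> str:
    """Return the MAC of the bridge that becomes the root device."""
    return min(bridges, key=lambda b: bridge_id(*b))[1]


def timer_problems(hello: int, max_age: int, forward_delay: int) -> List[str]:
    """Relationships between the global timers.
    Max Age minimum: the higher of 6 or 2*(Hello+1), as the manual states.
    Max Age maximum: the lower of 40 or 2*(Forward Delay-1), the matching
    802.1D rule (assumption: the switch enforces it the same way)."""
    problems = []
    if max_age < max(6, 2 * (hello + 1)):
        problems.append("max age below 2*(hello+1)")
    if max_age > min(40, 2 * (forward_delay - 1)):
        problems.append("max age above 2*(forward delay-1)")
    return problems


def demo() -> dict:
    # Constructed sample: two bridges at the default priority, plus one
    # deliberately lowered to 4096 so that it becomes root regardless of MAC.
    bridges = [(32768, "00-E0-4C-11-11-11"), (32768, "00-00-0C-22-22-22"),
               (4096, "00-E0-4C-FF-FF-FF")]
    defaults_root = elect_root(bridges[:2])   # priority tie: lowest MAC wins
    designed_root = elect_root(bridges)
    return {"defaults_root": defaults_root,
            "designed_root": designed_root,
            "default_timers_ok": timer_problems(2, 20, 15) == [],
            "bad_timers": timer_problems(2, 8, 4)}


if __name__ == "__main__":
    print(demo())
```

The election with all bridges left at 32768 falls to whichever switch happens to have the lowest MAC, which is rarely the core. Set the intended root to a low priority explicitly and, where the switch supports it, keep user-facing ports as edge ports so that a rogue BPDU cannot reshape the tree.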
Spanning Tree Algorithm | Displaying Global Settings for STA. Figure 93: Configuring Global Settings for STA (MSTP). Displaying Global Settings for STA: Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.
Spanning Tree Algorithm | Configuring Interface Settings for STA. Root Port – The number of the port on this switch that is closest to the root. This switch communicates with the root device through this port. If there is no root port, then this switch has been accepted as the root device of the Spanning Tree network.
Spanning Tree Algorithm | Configuring Interface Settings for STA. CLI References: "Spanning Tree Commands" on page 899. Parameters: These parameters are displayed in the web interface: Interface – Displays a list of ports or trunks. Spanning Tree – Enables/disables STA on this interface. (Default: Enabled) BPDU Flooding – Enables/disables the flooding of BPDUs to other ports when global spanning tree is disabled...
Spanning Tree Algorithm | Configuring Interface Settings for STA.
Table 10: Default STA Path Costs
  Port Type          Short Path Cost (IEEE 802.1D-1998)   Long Path Cost (802.1D-2004)
  Gigabit Ethernet   10,000                               10,000
  10G Ethernet       1,000                                1,000
Admin Link Type – The link type attached to this interface. Point-to-Point –...
Spanning Tree Algorithm | Configuring Interface Settings for STA. An interface cannot function as an edge port under the following conditions: If spanning tree mode is set to STP (page 217), edge-port mode cannot automatically transition to the operational edge-port state using the automatic setting.
Spanning Tree Algorithm | Displaying Interface Settings for STA. Click Apply. Figure 95: Configuring Interface Settings for STA. Displaying Interface Settings for STA: Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree. CLI References: "show spanning-tree"...
Spanning Tree Algorithm | Displaying Interface Settings for STA. The rules defining port status are: A port on a network segment with no other STA compliant bridging device is always forwarding. If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment, the port with the smaller ID forwards packets and the other is discarding.
Spanning Tree Algorithm | Displaying Interface Settings for STA. Figure 96: STA Port Roles. R: Root Port; A: Alternate Port; D: Designated Port; B: Backup Port. An alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port.
Spanning Tree Algorithm | Configuring Multiple Spanning Trees. Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance. CLI References: "Spanning Tree Commands" on page 899. Command Usage: MSTP generates a unique spanning tree for each instance.
Spanning Tree Algorithm | Configuring Multiple Spanning Trees. Web Interface: To create instances for MSTP: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Add from the Action list. Specify the MST instance identifier and the initial VLAN member. Additional members can be added using the Spanning Tree >...
Spanning Tree Algorithm | Configuring Multiple Spanning Trees. To modify the priority for an MST instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Modify from the Action list. Modify the priority for an MSTP instance. Click Apply.
Spanning Tree Algorithm | Configuring Multiple Spanning Trees. To add additional VLAN groups to an MSTP instance: Click Spanning Tree, MSTP. Select Configure Global from the Step list. Select Add Member from the Action list. Select an MST instance from the MST ID list. Enter the VLAN group to add to the instance in the VLAN ID field.
Spanning Tree Algorithm | Configuring Interface Settings for MSTP. Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance. CLI References: "Spanning Tree Commands" on page 899. Parameters: These parameters are displayed in the web interface: MST Instance ID –...
Spanning Tree Algorithm | Configuring Interface Settings for MSTP. The recommended range is listed in Table 9 on page 224. The default path costs are listed in Table 10 on page 225. Web Interface: To configure MSTP parameters for a port or trunk: Click Spanning Tree, MSTP.
Rate Limit Configuration. Use the Traffic > Rate Limit page to apply rate limiting to ingress or egress ports. This function allows the network manager to control the maximum rate for traffic received or transmitted on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
Storm Control Configuration. Use the Traffic > Storm Control page to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much traffic on your network, performance can be severely degraded or everything can come to a complete halt.
Storm Control Configuration. Multicast – Specifies storm control for multicast traffic. Broadcast – Specifies storm control for broadcast traffic. Status – Enables or disables storm control. (Default: Enabled for broadcast storm control, disabled for multicast and unknown unicast storm control) Rate –...
Class of Service. Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port's high-priority queue are transmitted before those in the lower-priority queues.
Class of Service | Layer 2 Queue Settings. If the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission. Parameters: These parameters are displayed in the web interface: Interface –...
Class of Service | Layer 2 Queue Settings. WRR queuing assigns a relative weight to each queue. The weight determines the share of service time the switch gives each queue before moving on to the next queue, so lower-priority queues still receive bandwidth instead of being starved as they can be under strict priority.
Class of Service | Layer 2 Queue Settings. Web Interface: To configure the queue mode: Click Traffic, Priority, Queue. Select the interface type to display (Port or Trunk). Set the queue mode. If any of the weighted queue modes is selected, the queue weight can be modified if required.
Class of Service | Layer 2 Queue Settings. Figure 111: Setting the Queue Mode (Strict and WRR). Mapping CoS Values to Egress Queues: Use the Traffic > Priority > CoS to Queue page to specify the hardware output queues to use for Class of Service (CoS) priority tagged traffic.
Class of Service | Layer 2 Queue Settings.
Table 12: CoS Priority Levels (IEEE 802.1D-2004 traffic types)
  Priority Level   Traffic Type
  1                Background
  2                (Spare)
  0 (default)      Best Effort
  3                Excellent Effort
  4                Controlled Load
  5                Video, less than 100 milliseconds latency and jitter
  6                Voice, less than 10 milliseconds latency and jitter
  7                Network Control
CLI References...
Class of Service | Layer 3/4 Priority Settings. Figure 112: Mapping CoS Values to Egress Queues. Layer 3/4 Priority Settings. Mapping Layer 3/4 Priorities to CoS Values: The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet, or by the number of the TCP/UDP port.
Class of Service | Layer 3/4 Priority Settings. Command Usage: The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP retains backward compatibility with the three precedence bits so that non-DSCP compliant devices will not conflict with the DSCP mapping.
Class of Service | Layer 3/4 Priority Settings. Figure 113: Mapping IP DSCP Priority Values. Mapping IP Precedence: Use the Traffic > Priority > IP Precedence to CoS page to map IP Precedence priorities found in ingress packets to CoS values for internal priority processing.
Class of Service | Layer 3/4 Priority Settings. IP Precedence settings apply to all interfaces. Parameters: These parameters are displayed: IP Precedence Mapping Status – Enables or disables the use of IP Precedence priorities and the mapping of these priority values to CoS values.
Class of Service | Layer 3/4 Priority Settings. Command Usage: This mapping table is only used if the protocol type of the arriving packet is TCP or UDP. Some of the more common TCP service ports include: HTTP: 80, FTP: 21, Telnet: 23 and POP3: 110. No default mapping is defined for ingress TCP/UDP port types.
Class of Service | Layer 3/4 Priority Settings. To show the TCP/UDP port number to CoS priority map: Click Traffic, Priority, IP Port to DSCP. Select Show from the Action list. Figure 116: Showing IP Port Number Priority Map.
Quality of Service. This chapter describes the following tasks required to apply QoS policies: Class Map – Creates a map which identifies a specific class of traffic. Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic. Binding to a Port –...
Quality of Service | Configuring a Class Map. Command Usage: To create a service policy for a specific category of ingress traffic, follow these steps: Use the Configure Class (Add) page to designate a class name for a specific category of traffic. Use the Configure Class (Add Rule) page to edit the rules for each class, which specify a type of traffic based on an access list, a DSCP or IP Precedence value, or a VLAN.
Quality of Service | Configuring a Class Map. Description – A brief description of a class map. (Range: 1-64 characters) Add Rule: Class Name – Name of the class map. Type – Only one match command is permitted per class map, so the match-any field refers to the criteria specified by the lone match command.
Quality of Service | Configuring a Class Map. To show the configured class maps: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show from the Action list. Figure 118: Showing Class Maps. To edit the rules for a class map: Click Traffic, DiffServ.
Quality of Service | Creating QoS Policies. To show the rules for a class map: Click Traffic, DiffServ. Select Configure Class from the Step list. Select Show Rule from the Action list. Figure 120: Showing the Rules for a Class Map. Creating QoS Policies: Use the Traffic >...
Quality of Service | Creating QoS Policies. Policing is based on a token bucket, where the bucket depth (that is, the maximum burst before the bucket overflows) is specified by the "burst" field (BC), and the average rate at which the bucket is replenished, and hence the sustained rate at which packets can consume tokens, is specified by the "rate"...
Quality of Service | Creating QoS Policies. ...if Te(t) - B >= 0, the packet is yellow and Te is decremented by B down to the minimum value of 0; else the packet is red and neither Tc nor Te is decremented. When a packet of size B bytes arrives at time t, the following happens if srTCM is configured to operate in Color-Aware mode: If the packet has been precolored as green and Tc(t) - B >= 0, the packet is green and Tc is decremented by B down to the minimum...
Quality of Service | Creating QoS Policies. ...respectively. The maximum size of the token bucket P is BP and the maximum size of the token bucket C is BC. The token buckets P and C are initially (at time 0) full, that is, the token count Tp(0) = BP and the token count Tc(0) = BC.
Quality of Service | Creating QoS Policies. Add Rule: Policy Name – Name of the policy map. Class Name – Name of a class map that defines a traffic classification upon which a policy can act. Action – Configures the service provided to ingress traffic. Packets matching the rule settings for a class map can be remarked as follows: Set CoS –...
Quality of Service | Creating QoS Policies. Violate – Specifies whether the traffic that exceeds the maximum rate (CIR) will be dropped or the DSCP service level will be reduced. Set IP DSCP – Decreases DSCP priority for out-of-conformance traffic.
Quality of Service | Creating QoS Policies. Set IP DSCP – Decreases DSCP priority for out-of-conformance traffic. (Range: 0-63) Drop – Drops out-of-conformance traffic. Violate – Specifies whether the traffic that exceeds the excess burst size (BE) will be dropped or the DSCP service level will be reduced.
Quality of Service | Creating QoS Policies. Conform – Specifies whether traffic conforming to the maximum rate (CIR) will be transmitted without any change to the DSCP service level, or whether the DSCP service level will be modified. Transmit –...
Quality of Service | Creating QoS Policies. To show the configured policy maps: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Show from the Action list. Figure 122: Showing Policy Maps. To edit the rules for a policy map: Click Traffic, DiffServ.
Quality of Service | Creating QoS Policies. Figure 123: Adding Rules to a Policy Map. To show the rules for a policy map: Click Traffic, DiffServ. Select Configure Policy from the Step list. Select Show Rule from the Action list. Figure 124: Showing the Rules for a Policy Map.
Quality of Service | Attaching a Policy Map to a Port. Use the Traffic > DiffServ (Configure Interface) page to bind a policy map to an ingress port. CLI References: "Quality of Service Commands" on page 981. Command Usage: First define a class map, define a policy map, and bind the service...
VoIP Traffic Configuration. This chapter covers the following topics: Global Settings – Enables VoIP globally, sets the Voice VLAN, and the aging time for attached ports. Telephony OUI List – Configures the list of phones to be treated as VoIP devices based on the specified Organizationally Unique Identifier (OUI).
VoIP Traffic Configuration | Configuring VoIP Traffic. CLI References: "Configuring Voice VLANs" on page 960. Parameters: These parameters are displayed in the web interface: Auto Detection Status – Enables the automatic detection of VoIP traffic on switch ports. (Default: Disabled) Voice VLAN –...
VoIP Traffic Configuration | Configuring Telephony OUI. VoIP devices attached to the switch can be identified by the manufacturer's Organizationally Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses. Note that an OUI only identifies the manufacturer, not the device type, and a source MAC address is trivially forged, so OUI detection is a convenience for placing phones in the Voice VLAN, not an access control.
VoIP Traffic Configuration | Configuring VoIP Traffic Ports. Figure 127: Configuring an OUI Telephony List. To show the MAC OUI numbers used for VoIP equipment: Click Traffic, VoIP. Select Configure OUI from the Step list. Select Show from the Action list. Figure 128: Showing an OUI Telephony List. Configuring VoIP Traffic Ports...
VoIP Traffic Configuration | Configuring VoIP Traffic Ports. Auto – The port will be added as a tagged member to the Voice VLAN when VoIP traffic is detected on the port. You must select a method for detecting VoIP traffic, either OUI or 802.1AB (LLDP). When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list.
VoIP Traffic Configuration | Configuring VoIP Traffic Ports. Figure 129: Configuring Port Settings for a Voice VLAN.
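The following is an added example of the OUI-based detection decision the Configure OUI and Configure Port pages describe: which ports in Auto mode would join the Voice VLAN given a Telephony OUI list and observed source MACs. It is not the switch's code; the OUI entries, descriptions and frames are constructed, and it assumes that an entry with mask M matches a source MAC S when (S AND M) equals (OUI AND M).

```python
"""Voice-VLAN port membership decided from the Telephony OUI list.
Added example, not Digisol's code: the OUI entries and frames are
constructed, and masked matching (S & M == OUI & M) is an assumption."""
from typing import Dict, List, Optional, Set, Tuple

FULL_OUI_MASK = "FF-FF-FF-00-00-00"   # first three octets identify the manufacturer


def mac_to_int(mac: str) -> int:
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return int(digits, 16)


class TelephonyOuiList:
    def __init__(self) -> None:
        self.entries: List[Tuple[int, int, str]] = []

    def add(self, oui: str, description: str, mask: str = FULL_OUI_MASK) -> None:
        m = mac_to_int(mask)
        self.entries.append((mac_to_int(oui) & m, m, description))

    def match(self, src_mac: str) -> Optional[str]:
        """Return the description of the first entry the source MAC falls in."""
        s = mac_to_int(src_mac)
        for prefix, m, desc in self.entries:
            if s & m == prefix:
                return desc
        return None


def auto_voice_ports(frames: List[Tuple[str, str]], ouis: TelephonyOuiList,
                     auto_ports: Set[str]) -> Dict[str, str]:
    """For ports in Auto mode, record the first VoIP device seen per port;
    these ports would be added as tagged members of the Voice VLAN.
    Frames are (ingress port, source MAC) pairs."""
    joined: Dict[str, str] = {}
    for port, src in frames:
        if port not in auto_ports or port in joined:
            continue
        vendor = ouis.match(src)
        if vendor is not None:
            joined[port] = vendor
    return joined


def demo() -> Dict[str, str]:
    ouis = TelephonyOuiList()
    ouis.add("00-01-E3-00-00-00", "phone vendor A (constructed)")
    # Narrower entry: only the 00-1B-21-4X-XX-XX block of vendor B is phones.
    ouis.add("00-1B-21-40-00-00", "phone vendor B, handset range (constructed)",
             mask="FF-FF-FF-F0-00-00")
    frames = [("Eth 1/3", "00-01-E3-12-34-56"),   # phone on 1/3
              ("Eth 1/4", "00-1B-21-AA-BB-CC"),   # vendor B, outside the handset block
              ("Eth 1/5", "00-1B-21-4F-00-01"),   # vendor B handset
              ("Eth 1/6", "00-01-E3-00-00-01")]   # phone, but 1/6 is not in Auto mode
    return auto_voice_ports(frames, ouis, auto_ports={"Eth 1/3", "Eth 1/4", "Eth 1/5"})


if __name__ == "__main__":
    print(demo())
```

A host that clones a phone's OUI gets the same Voice VLAN membership, which is why the Voice VLAN should be treated as just another untrusted segment (ACLs, rate limits, 802.1X or MAC authentication where the phones support it) rather than as a trusted one.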
Security Measures. You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
Security Measures | AAA Authorization and Accounting. DHCP Snooping – Filter IP traffic on insecure ports for which the source address cannot be identified via DHCP snooping. The priority of execution for the filtering commands is Port Security, Port Authentication, Network Access, Web Authentication, Access Control Lists, IP Source Guard, and then DHCP Snooping.
Security Measures | AAA Authorization and Accounting. Define a method name for each service to which you want to apply accounting or authorization and specify the RADIUS or TACACS+ server groups to use. Apply the method names to port or line interfaces. This guide assumes that RADIUS and TACACS+ servers have already been configured to support AAA.
Security Measures | AAA Authorization and Accounting. [authentication sequence] – User authentication is performed by up to three authentication methods in the indicated sequence. Web Interface: To configure the method(s) of controlling management access: Click Security, AAA, System Authentication. Specify the authentication sequence (i.e., one to three methods). Click Apply.
Security Measures | AAA Authorization and Accounting. CLI References: "RADIUS Client" on page 732, "TACACS+ Client" on page 736, "AAA" on page 739. Command Usage: If a remote authentication server is used, you must specify the message exchange parameters for the remote authentication protocol. Both local and remote logon authentication control management access via the console port, web browser, or Telnet.
Security Measures | AAA Authorization and Accounting. Set Key – Mark this box to set or modify the encryption key. Authentication Key – The shared secret used to authenticate the exchanges between the switch and the RADIUS or TACACS+ server. Do not use blank spaces in the string. (Maximum length: 48 characters) Confirm Authentication Key –...
Security Measures | AAA Authorization and Accounting. Select RADIUS or TACACS+ server type. Select Global to specify the parameters that apply globally to all specified servers, or select a specific Server Index to specify the parameters that apply to a specific server. To set or modify the authentication key, mark the Set Key box, enter the key, and then confirm it. Click Apply.
Security Measures | AAA Authorization and Accounting. Select Add from the Action list. Select RADIUS or TACACS+ server type. Enter the group name, followed by the index of the server to use for each priority level. Click Apply. Figure 134: Configuring AAA Server Groups. To show the RADIUS or TACACS+ server groups used for accounting and authorization: Click Security, AAA, Server.
Security Measures | AAA Authorization and Accounting. Configuring AAA Accounting: Use the Security > AAA > Accounting page to enable accounting of requested services for billing or security purposes, and also to display the configured accounting methods, the methods applied to specific interfaces, and basic accounting information recorded for user sessions.
Security Measures | AAA Authorization and Accounting. Configure Service: Accounting Type – Specifies the service as 802.1X, Command or Exec as described in the preceding section. 802.1X Method Name – Specifies a user-defined accounting method to apply to an interface. This method must be defined in the Configure Method page.
Security Measures | AAA Authorization and Accounting. Figure 136: Configuring Global Settings for AAA Accounting. To configure the accounting method applied to various service types and the assigned server group: Click Security, AAA, Accounting. Select Configure Method from the Step list. Select Add from the Action list.
Security Measures | AAA Authorization and Accounting. To show the accounting method applied to various service types and the assigned server group: Click Security, AAA, Accounting. Select Configure Method from the Step list. Select Show from the Action list. Figure 138: Showing AAA Accounting Methods. To configure the accounting method applied to specific interfaces, console commands entered at specific privilege levels, and local console, Telnet, or...
Security Measures | AAA Authorization and Accounting. Figure 140: Configuring AAA Accounting Service for Exec Service. To display a summary of the configured accounting methods and assigned server groups for specified service types: Click Security, AAA, Accounting. Select Show Information from the Step list. Click Summary.
Security Measures | AAA Authorization and Accounting. Configuring AAA Authorization: Use the Security > AAA > Authorization page to enable authorization of requested services, and also to display the configured authorization methods, and the methods applied to specific interfaces. CLI References: "AAA"...
Security Measures | AAA Authorization and Accounting. Interface – Displays the console or Telnet interface to which these rules apply. (This field is null if the authorization method and associated server group have not been assigned to an interface.) Web Interface: To configure the authorization method applied to the Exec service type and the assigned server group:...
Security Measures | AAA Authorization and Accounting. To configure the authorization method applied to local console, Telnet, or SSH connections: Click Security, AAA, Authorization. Select Configure Service from the Step list. Enter the required authorization method. Click Apply. Figure 145: Configuring AAA Authorization Methods for Exec Service. To display the configured authorization method and assigned server groups for the Exec service type: Click Security, AAA, Authorization.
Security Measures | Configuring User Accounts. Use the Security > User Accounts page to control management access to the switch based on manually configured user names and passwords. CLI References: "User Accounts" on page 727. Command Usage: The default guest name is "guest"...
Security Measures | Web Authentication. Figure 147: Configuring User Accounts. To show user accounts: Click Security, User Accounts. Select Show from the Action list. Figure 148: Showing User Accounts. Web Authentication: Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication is infeasible or impractical.
Security Measures | Web Authentication. RADIUS authentication must be activated and configured properly for the web authentication feature to work. (See "Configuring Local/Remote Logon Authentication" on page 277.) Web authentication cannot be configured on trunk ports. Configuring Global Settings for Web Authentication: Use the Security > Web Authentication (Configure Global) page to edit the global parameters for web authentication.
Security Measures | Web Authentication. Figure 149: Configuring Global Settings for Web Authentication. Configuring Interface Settings for Web Authentication: Use the Security > Web Authentication (Configure Interface) page to enable web authentication on a port, and display information for any connected hosts. CLI References...
Security Measures | Network Access (MAC Address Authentication). Click Apply. Figure 150: Configuring Interface Settings for Web Authentication. Network Access (MAC Address Authentication): Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations. This is often true for devices such as network printers, IP phones, and some wireless access points.
Security Measures | Network Access (MAC Address Authentication). ...must be configured in the MAC address format XX-XX-XX-XX-XX-XX (all in upper case). Authenticated MAC addresses are stored as dynamic entries in the switch's secure MAC address table and are removed when the aging time expires.
Security Measures | Network Access (MAC Address Authentication). If duplicate profiles are passed in the Filter-ID attribute, then only the first profile is used. For example, if the attribute is "service-policy-in=p1;service-policy-in=p2", then the switch applies only the DiffServ profile "p1". Any unsupported profiles in the Filter-ID attribute are ignored. Because the attribute is supplied by the RADIUS server, a profile that does not exist on the switch is silently dropped, so verify the profile names on the switch before relying on them from the server side.
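The Filter-ID handling just described (semicolon-separated key=value items, first profile of a type wins, unsupported or malformed items ignored) is simple enough to encode exactly, which is useful when auditing the attribute values a RADIUS server hands out. This is an added example, not the switch's RADIUS client; the attribute strings are constructed, and the SUPPORTED set is an assumption because only service-policy-in appears in this section.

```python
"""Parser for the RADIUS Filter-ID attribute syntax shown in the manual
("service-policy-in=p1;service-policy-in=p2"). Added example, not the
switch's RADIUS client; SUPPORTED is an assumption for illustration."""
from typing import Dict, List, Tuple

# Assumption: only service-policy-in is documented on this page; add the other
# profile types the switch honours if you know them.
SUPPORTED = {"service-policy-in"}


def parse_filter_id(value: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (profiles to apply keyed by type, items ignored with the reason).

    Rules applied, in order: malformed items are ignored, unsupported profile
    types are ignored, and for a duplicated type the first occurrence wins."""
    applied: Dict[str, str] = {}
    ignored: List[str] = []
    for raw in value.split(";"):
        item = raw.strip()
        if not item:
            continue
        key, sep, profile = item.partition("=")
        key, profile = key.strip(), profile.strip()
        if not sep or not key or not profile:
            ignored.append(f"{item}: malformed")
        elif key not in SUPPORTED:
            ignored.append(f"{item}: unsupported profile type")
        elif key in applied:
            ignored.append(f"{item}: duplicate, first occurrence kept")
        else:
            applied[key] = profile
    return applied, ignored


def demo() -> Tuple[Dict[str, str], List[str]]:
    # Constructed attribute: the manual's duplicate example plus a made-up
    # unsupported type.
    return parse_filter_id("service-policy-in=p1;service-policy-in=p2;rate-limit-input=64")


if __name__ == "__main__":
    profiles, dropped = demo()
    print("apply:", profiles)
    for reason in dropped:
        print("ignored:", reason)
```

Logging the ignored items, as the demo does, is the part worth keeping in production tooling: a silently dropped profile means a port authenticated without the policy the server intended.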
Security Measures | Network Access (MAC Address Authentication). This parameter applies to authenticated MAC addresses configured by the MAC Address Authentication process described in this section, as well as to any secure MAC addresses authenticated by 802.1X, regardless of the 802.1X Operation Mode (Single-Host, Multi-Host, or MAC-Based authentication as described on page 349).
Security Measures | Network Access (MAC Address Authentication). Parameters: These parameters are displayed in the web interface: MAC Authentication Status – Enables MAC authentication on a port. (Default: Disabled) Intrusion – Sets the port response to a host MAC authentication failure, to either block access to the port or to pass traffic through.
Security Measures | Network Access (MAC Address Authentication). ...exempt from authentication on the specified port (as described under "Configuring a MAC Address Filter"). (Range: 1-64; Default: None) Web Interface: To configure MAC authentication on switch ports: Click Security, Network Access. Select Configure Interface from the Step list.
Security Measures | Network Access (MAC Address Authentication). Link down – Only link down events will trigger the port action. Link up and down – All link up and link down events will trigger the port action. Action – The switch can respond in three ways to a link up or down trigger event.
Security Measures | Network Access (MAC Address Authentication). Command Usage: Specified MAC addresses are exempt from authentication. Up to 65 filter tables can be defined. There is no limitation on the number of entries used in a filter table. Parameters: These parameters are displayed in the web interface: Filter ID –...
Security Measures | Network Access (MAC Address Authentication). Figure 155: Showing the MAC Address Filter Table for Network Access. Displaying Secure MAC Address Information: Use the Security > Network Access (Show Information) page to display the authenticated MAC addresses stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected...
| Security Measures HAPTER Configuring HTTPS Select Show Information from the Step list. Use the sort key to display addresses based MAC address, interface, or attribute. Restrict the displayed addresses by entering a specific address in the MAC Address field, specifying a port in the Interface field, or setting the address type to static or dynamic in the Attribute field.
| Security Measures HAPTER Configuring HTTPS If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number] When you start HTTPS, the connection is established in this way: The client authenticates the server using the server’s digital certificate.
| Security Measures HAPTER Configuring HTTPS Figure 157: Configuring HTTPS Use the Security > HTTPS (Copy Certificate) page to replace the default EPLACING THE secure-site certificate. EFAULT ECURE SITE ERTIFICATE When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch.
Page 307
Private Key Source File Name – Name of the private key file stored on the TFTP server.
Private Password – Password stored in the private key file. This password is used to verify authorization for certificate use, and is verified when downloading the certificate to the switch.
Configuring the Secure Shell
The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
Page 309
Import Client’s Public Key to the Switch – See "Importing User Public Keys" on page 313, or use the copy tftp public-key command (page 659) to copy a file containing the public key for all the SSH clients granted management access to the switch.
If a match is found, the switch uses its secret key to generate a random 256-bit string as a challenge, encrypts this string with the user’s public key, and sends it to the client. The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back to the switch.
Page 311
Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients.
Authentication Timeout – Specifies the time interval in seconds that the SSH server waits for a response from a client during an authentication attempt.
Generating the Host Key Pair
Use the Security > SSH (Configure Host Key - Generate) page to generate a host public/private key pair used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the section "Importing User Public...
Figure 160: Generating the SSH Host Key Pair
To display or clear the SSH host key pair: Click Security, SSH. Select Configure Host Key from the Step list. Select Show from the Action list. Select the host-key type to clear.
Page 314
Parameters
These parameters are displayed in the web interface:
User Name – This drop-down box selects the user whose public key you wish to manage. Note that you must first create users on the User Accounts page (see "Configuring User Accounts"...
To display or clear the SSH user’s public key: Click Security, SSH. Select Configure User Key from the Step list. Select Show from the Action list. Select a user from the User Name list. Select the host-key type to clear.
Access Control Lists
Command Usage
The following restrictions apply to ACLs:
The maximum number of ACLs is 32.
The maximum number of rules per ACL is also 32.
The maximum number of rules that can be bound to the ports is 96 for each of the following list types: MAC ACLs, IP ACLs (including Standard and Extended ACLs), IPv6 Standard ACLs, and IPv6 Extended ACLs.
Page 317
Periodic – Specifies a periodic interval.
Start/To – Specifies the days of the week, hours, and minutes at which to start or end.
Web Interface
To configure a time range: Click Security, ACL. Select Configure Time Range from the Step list. Select Add from the Action list.
Page 318
Select Add Rule from the Action list. Select the name of the time range from the drop-down list. Select a mode option of Absolute or Periodic. Fill in the required parameters for the selected mode. Click Apply.
Showing TCAM Utilization
Use the Security > ACL (Configure ACL - Show TCAM) page to show utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use.
Setting the ACL Name and Type
Use the Security > ACL (Configure ACL - Add) page to create an ACL.
CLI References
"access-list ip" on page 824
"show ip access-list" on page 829
Parameters
These parameters are displayed in the web interface:
ACL Name –...
Figure 169: Creating an ACL
To show a list of ACLs: Click Security, ACL. Select Configure ACL from the Step list. Select Show from the Action list.
Figure 170: Showing a List of ACLs
Use the Security >...
Page 322
Source IP Address – Source IP address.
Source Subnet Mask – A subnet mask containing four integers from 0 to 255, each separated by a period. The mask uses 1 bits to indicate “match”...
Configuring an Extended IPv4 ACL
Use the Security > ACL (Configure ACL - Add Rule - IP Extended) page to configure an Extended IPv4 ACL.
CLI References
"permit, deny (Extended IPv4 ACL)" on page 826
"show ip access-list"...
Page 324
where the equivalent binary bit “1” means to match a bit and “0” means to ignore a bit. The following bits may be specified:
1 (fin) – Finish
2 (syn) – Synchronize
4 (rst) – Reset
8 (psh) –...
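An added example (not code from the Digisol manual or its vendor) showing how the 1-means-match subnet mask and the TCP control code/bitmask pair described above combine in an Extended IPv4 ACL lookup. The rule set, the packets and the trailing implicit deny are constructed for this illustration, and ack=16 and urg=32 are the standard TCP flag values that the truncated page does not list.

```python
"""Added example, not the manual's or vendor's code: a model of Extended IPv4 ACL
matching with the mask semantics the manual describes (mask bit 1 = "match
this bit", 0 = "ignore this bit") for both the IP subnet masks and the TCP
control code / control bitmask pair."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

# TCP control-code bit values; fin/syn/rst/psh are from the manual, ack/urg are the standard values
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32
TCP, UDP = 6, 17


def masked_match(value: int, pattern: int, mask: int) -> bool:
    """Compare only the bits selected by the mask (1 = must match, 0 = don't care)."""
    return (value & mask) == (pattern & mask)


def ip_match(addr: str, pattern: str, mask: str) -> bool:
    """Subnet-mask match. Note this is NOT a Cisco-style wildcard mask:
    255.255.0.0 compares the first two octets, 0.0.255.255 the last two."""
    return masked_match(int(IPv4Address(addr)), int(IPv4Address(pattern)),
                        int(IPv4Address(mask)))


@dataclass
class ExtendedRule:
    action: str                      # "permit" or "deny"
    protocol: Optional[int] = None   # IP protocol number; None = any
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"        # all-zero mask ignores every bit = any address
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    dst_port: Optional[int] = None   # None = any port
    control_code: int = 0            # required flag values ...
    control_mask: int = 0            # ... for the flag bits selected here


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    dst_port: int = 0
    tcp_flags: int = 0


def rule_matches(rule: ExtendedRule, pkt: Packet) -> bool:
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if not ip_match(pkt.src, rule.src, rule.src_mask):
        return False
    if not ip_match(pkt.dst, rule.dst, rule.dst_mask):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    # Control flags are only meaningful for TCP; a zero mask means "don't check flags"
    if rule.control_mask and pkt.protocol == TCP:
        if not masked_match(pkt.tcp_flags, rule.control_code, rule.control_mask):
            return False
    return True


def evaluate_acl(rules: List[ExtendedRule], pkt: Packet) -> str:
    """First matching rule wins. A packet that matches no rule is denied;
    that implicit deny is an assumption of this example, not a statement from the manual."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed sample ACL protecting a web server at 192.0.2.10:
#  1. drop new inbound TCP connections to port 80 (SYN set, ACK clear) from anywhere
#  2. permit any other TCP from the 10.1.0.0/16 block to the server
#  3. permit any remaining traffic to the 192.0.2.0/24 network
SAMPLE_ACL = [
    ExtendedRule("deny", protocol=TCP, dst="192.0.2.10", dst_mask="255.255.255.255",
                 dst_port=80, control_code=SYN, control_mask=SYN | ACK),
    ExtendedRule("permit", protocol=TCP, src="10.1.0.0", src_mask="255.255.0.0",
                 dst="192.0.2.10", dst_mask="255.255.255.255"),
    ExtendedRule("permit", dst="192.0.2.0", dst_mask="255.255.255.0"),
]

if __name__ == "__main__":
    for pkt in (Packet("10.1.5.7", "192.0.2.10", TCP, 80, SYN),
                Packet("10.1.5.7", "192.0.2.10", TCP, 80, SYN | ACK),
                Packet("10.2.0.1", "192.0.2.10", TCP, 443, ACK),
                Packet("10.2.0.1", "192.0.3.1", UDP, 53)):
        print(pkt, "->", evaluate_acl(SAMPLE_ACL, pkt))
```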
Figure 172: Configuring an Extended IPv4 ACL
Configuring a Standard IPv6 ACL
Use the Security > ACL (Configure ACL - Add Rule - IPv6 Standard) page to configure a Standard IPv6 ACL.
CLI References
"permit, deny (Standard IPv6 ACL)"...
Page 326
Time Range – Name of a time range.
Web Interface
To add rules to a Standard IPv6 ACL: Click Security, ACL. Select Configure ACL from the Step list. Select Add Rule from the Action list. Select IPv6 Standard from the Type list.
Page 327
Configuring an Extended IPv6 ACL
Use the Security > ACL (Configure ACL - Add Rule - IPv6 Extended) page to configure an Extended IPv6 ACL.
CLI References
"permit, deny (Extended IPv6 ACL)" on page 832
"show ipv6 access-list"...
Page 328
Flow Label – A label for packets belonging to a particular traffic “flow” for which the sender requests special handling by IPv6 routers, such as non-default quality of service or “real-time” service (see RFC 2460). (Range: 0-1048575) A flow label is assigned to a flow by the flow's source node.
Figure 174: Configuring an Extended IPv6 ACL
Configuring a MAC ACL
Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type.
Page 330
Packet Format – This attribute includes the following packet types:
Any – Any Ethernet packet type.
Untagged-eth2 – Untagged Ethernet II packets.
Untagged-802.3 – Untagged Ethernet 802.3 packets.
Tagged-eth2 – Tagged Ethernet II packets.
Tagged-802.3 –...
Figure 175: Configuring a MAC ACL
Configuring an ARP ACL
Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see "Configuring Global Settings for ARP Inspection"...
Page 332
Source/Destination IP Subnet Mask – Subnet mask for source or destination address. (See the description for Subnet Mask on page 321.)
Source/Destination MAC Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Mask fields.
Page 333
Figure 176: Configuring an ARP ACL
Binding a Port to an Access Control List
After configuring ACLs, use the Security > ACL (Configure Interface) page to bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list and one MAC access list to any port.
Web Interface
To bind an ACL to a port: Click Security, ACL. Select Configure Interface from the Step list. Select IP or MAC from the Type list. Select the name of an ACL from the ACL list. Click Apply.
ARP Inspection
Command Usage
Enabling & Disabling ARP Inspection
ARP Inspection is controlled on a global and VLAN basis. By default, ARP Inspection is disabled both globally and on all VLANs. If ARP Inspection is globally enabled, then it becomes active only on the VLANs where it has been enabled.
Page 336
with different MAC addresses are classified as invalid and are dropped.
IP – Checks the ARP body for invalid and unexpected IP addresses. These addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, while target IP addresses are checked only in ARP responses.
Src-MAC – Validates the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses.
Log Message Number – The maximum number of entries saved in a log message.
Page 338
ARP Inspection ACLs can be applied to any configured VLAN. ARP Inspection uses the DHCP snooping bindings database for the list of valid IP-to-MAC address bindings. ARP ACLs take precedence over entries in the DHCP snooping bindings database. The switch first compares ARP packets to any specified ARP ACLs.
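An added example (not code from the Digisol manual or its vendor) that simulates the ARP Inspection decision path described above: global and VLAN enable state, untrusted-port scope, the IP and Src-MAC validity checks, then the ARP ACL, then the DHCP snooping binding table. The configuration, port names, MAC addresses and frames are constructed, and falling through to the binding table when no ACL rule matches is an assumption of this example.

```python
"""Added example, not the manual's or vendor's code: a simulation of the ARP
Inspection decision path. Order: applicability (global + VLAN enable, untrusted
port), validation checks (IP, Src-MAC), then ARP ACLs, which take precedence,
then the DHCP snooping binding table. Falling through to the binding table when
no ACL rule matches is an assumption of this example."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2   # ARP opcodes


@dataclass
class ArpFrame:
    vlan: int
    port: str
    eth_src: str        # source MAC in the Ethernet header
    opcode: int
    sender_mac: str     # sender hardware address in the ARP body
    sender_ip: str
    target_ip: str


@dataclass
class ArpAclRule:
    action: str                        # "permit" or "deny"
    sender_ip: str = "0.0.0.0"
    sender_ip_mask: str = "0.0.0.0"    # 1 bits = must match, as on the ACL pages
    sender_mac: Optional[str] = None   # None = any MAC


@dataclass
class ArpInspectionConfig:
    enabled_globally: bool = False
    enabled_vlans: Set[int] = field(default_factory=set)
    trusted_ports: Set[str] = field(default_factory=set)
    check_ip: bool = True
    check_src_mac: bool = True
    acl_by_vlan: Dict[int, List[ArpAclRule]] = field(default_factory=dict)
    snooping_bindings: Set[Tuple[int, str, str]] = field(default_factory=set)  # (vlan, mac, ip)


def invalid_ip(ip: str) -> bool:
    """Addresses the manual lists as invalid in an ARP body."""
    return ip in ("0.0.0.0", "255.255.255.255") or IPv4Address(ip).is_multicast


def ip_in_subnet(ip: str, pattern: str, mask: str) -> bool:
    m = int(IPv4Address(mask))
    return (int(IPv4Address(ip)) & m) == (int(IPv4Address(pattern)) & m)


def inspect(cfg: ArpInspectionConfig, f: ArpFrame) -> str:
    """Return 'forward' or 'drop:<reason>' for one ARP frame."""
    # Inspection is active only when enabled globally AND on the frame's VLAN,
    # and only frames arriving on untrusted ports are inspected.
    if not (cfg.enabled_globally and f.vlan in cfg.enabled_vlans):
        return "forward"
    if f.port in cfg.trusted_ports:
        return "forward"
    if cfg.check_ip:
        if invalid_ip(f.sender_ip):                            # requests and replies
            return "drop:invalid-sender-ip"
        if f.opcode == ARP_REPLY and invalid_ip(f.target_ip):  # replies only
            return "drop:invalid-target-ip"
    if cfg.check_src_mac and f.eth_src.lower() != f.sender_mac.lower():
        return "drop:src-mac-mismatch"
    # ARP ACLs are consulted first and take precedence over the binding table
    for rule in cfg.acl_by_vlan.get(f.vlan, []):
        if ip_in_subnet(f.sender_ip, rule.sender_ip, rule.sender_ip_mask) and (
                rule.sender_mac is None or rule.sender_mac.lower() == f.sender_mac.lower()):
            return "forward" if rule.action == "permit" else "drop:arp-acl"
    # No ACL verdict: require a matching DHCP snooping binding (assumed fall-through)
    if (f.vlan, f.sender_mac.lower(), f.sender_ip) in cfg.snooping_bindings:
        return "forward"
    return "drop:no-binding"


# Constructed configuration: VLAN 10 inspected, uplink eth1/24 trusted, the gateway
# 10.0.10.1 allowed by a static ARP ACL, one client learned via DHCP snooping.
SAMPLE_CFG = ArpInspectionConfig(
    enabled_globally=True,
    enabled_vlans={10},
    trusted_ports={"eth1/24"},
    acl_by_vlan={10: [ArpAclRule("permit", "10.0.10.1", "255.255.255.255", "00:11:22:33:44:01")]},
    snooping_bindings={(10, "aa:bb:cc:00:00:05", "10.0.10.50")},
)

if __name__ == "__main__":
    spoof = ArpFrame(10, "eth1/7", "aa:bb:cc:00:00:99", ARP_REPLY,
                     "aa:bb:cc:00:00:99", "10.0.10.1", "10.0.10.50")
    print(inspect(SAMPLE_CFG, spoof))   # a host claiming the gateway's IP is dropped
```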
Figure 179: Configuring VLAN Settings for ARP Inspection
Configuring Interface Settings for ARP Inspection
Use the Security > ARP Inspection (Configure Interface) page to specify the ports that require ARP inspection, and to adjust the packet inspection rate.
Specify any untrusted ports which require ARP inspection, and adjust the packet inspection rate. Click Apply.
Figure 180: Configuring Interface Settings for ARP Inspection
Displaying ARP Inspection Statistics
Use the Security > ARP Inspection (Show Information - Show Statistics) page to display statistics about the number of ARP packets processed, or...
Web Interface
To display statistics for ARP Inspection: Click Security, ARP Inspection. Select Configure Information from the Step list. Select Show Statistics from the Step list.
Figure 181: Displaying Statistics for ARP Inspection
Displaying the ARP Inspection Log
Use the Security > ARP Inspection (Show Information - Show Log) page to show information about entries stored in the log, including the associated...
Web Interface
To display the ARP Inspection log: Click Security, ARP Inspection. Select Configure Information from the Step list. Select Show Log from the Step list.
Figure 182: Displaying the ARP Inspection Log
Filtering IP Addresses for Management Access
Page 343
You can delete an address range just by specifying the start address, or by specifying both the start address and end address.
Parameters
These parameters are displayed in the web interface:
Mode
Web –...
To show a list of IP addresses authorized for management access: Click Security, IP Filter. Select Show from the Action list.
Figure 184: Showing IP Addresses Authorized for Management Access
Configuring Port Security
Use the Security > Port Security page to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port.
Page 345
Command Usage
A secure port has the following restrictions:
It cannot be used as a member of a static or dynamic trunk.
It should not be connected to a network interconnection device.
The default maximum number of MAC addresses allowed on a secure port is zero.
Figure 185: Configuring Port Security
Configuring 802.1X Port Authentication
Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data.
hosts if one attached host fails re-authentication or sends an EAPOL logoff message.
Figure 186: Configuring Port Security (diagram of the 802.1x client, the switch, and the RADIUS server)
1. Client attempts to access a switch port.
2. Switch sends client an identity request.
3.
Page 348
Parameters
These parameters are displayed in the web interface:
Port Authentication Status – Sets the global setting for 802.1X. (Default: Disabled)
EAPOL Pass Through – Passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled.
Configuring Interface Settings for 802.1X Port Authenticator
Use the Security > Port Authentication (Configure Interface) page to configure 802.1X port settings for the switch as the local authenticator. When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and authentication server.
Page 350
In this mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access. Similarly, a port can become unauthorized for all hosts if one attached host fails re-authentication or sends an EAPOL logoff message.
Page 351
Intrusion Action – Sets the port’s response to a failed authentication.
Block Traffic – Blocks all non-EAP traffic on the port. (This is the default setting.)
Guest VLAN – All traffic for the port is assigned to a guest VLAN. The guest VLAN must be separately configured (See "Configuring VLAN Groups"...
Page 352
Figure 188: Configuring Interface Settings for 802.1X Port Authenticator
Displaying 802.1X Statistics
Use the Security > Port Authentication (Show Statistics) page to display statistics for dot1x protocol exchanges for any port.
CLI References
"show dot1x" on page 771
Parameters
These parameters are displayed in the web interface:
Table 19: 802.1X Statistics
Parameter | Description...
Web Interface
To display port authenticator statistics for 802.1X: Click Security, Port Authentication. Select Show Statistics from the Step list. Click Authenticator.
Figure 189: Showing Statistics for 802.1X Port Authenticator
IP Source Guard
IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see...
Page 355
Command Usage
Setting source guard mode to SIP (Source IP) or SIP-MAC (Source IP and MAC) enables this function on the selected port. Use the SIP option to check the VLAN ID, source IP address, and port number against all entries in the binding table.
SIP-MAC – Enables traffic filtering based on IP addresses and corresponding MAC addresses stored in the binding table.
Max Binding Entry – The maximum number of entries that can be bound to an interface. (Range: 1-5; Default: 5) This parameter sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping (see...
Page 357
Command Usage
Static addresses entered in the source guard binding table are automatically configured with an infinite lease time. Dynamic entries learned via DHCP snooping are configured by the DHCP server itself.
Static bindings are processed as follows:
If there is no entry with the same VLAN ID and MAC address, a new entry is added to the binding table using the type “static IP source guard binding.”...
Page 358
Web Interface
To configure static bindings for IP Source Guard: Click Security, IP Source Guard, Static Configuration. Select Add from the Action list. Enter the required bindings for each port. Click Apply.
Figure 191: Configuring Static Bindings for IP Source Guard
To display static bindings for IP Source Guard: Click Security, IP Source Guard, Static Configuration.
Displaying Information for Dynamic IP Source Guard Bindings
Use the Security > IP Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface.
CLI References
"show ip dhcp snooping binding"...
Web Interface
To display the binding table for IP Source Guard: Click Security, IP Source Guard, Dynamic Binding. Mark the search criteria, and enter the required values. Click Query.
Figure 193: Showing the IP Source Guard Binding Table
DHCP Snooping
The addresses assigned to DHCP clients on insecure ports can be carefully...
Page 361
The rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second. Any DHCP packets in excess of this limit are dropped. When DHCP snooping is enabled, DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping.
Page 362
DHCP server, any packets received from untrusted ports are dropped.
DHCP Snooping Option 82
DHCP provides a relay mechanism for sending information about its DHCP clients or the relay agent itself to the DHCP server. Also known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
DHCP Snooping Configuration
Use the IP Service > DHCP > Snooping (Configure Global) page to enable DHCP Snooping globally on the switch, or to configure MAC Address Verification.
CLI References
"DHCP Snooping" on page 800
Parameters
These parameters are displayed in the web interface:
DHCP Snooping Status –...
Figure 194: Configuring Global Settings for DHCP Snooping
DHCP Snooping VLAN Configuration
Use the IP Service > DHCP > Snooping (Configure VLAN) page to enable or disable DHCP snooping on specific VLANs.
CLI References
"ip dhcp snooping vlan"...
Enable DHCP Snooping on any existing VLAN. Click Apply.
Figure 195: Configuring DHCP Snooping on a VLAN
Configuring Ports for DHCP Snooping
Use the IP Service > DHCP > Snooping (Configure Interface) page to configure switch ports as trusted or untrusted.
CLI References...
Set any ports within the local network or firewall to trusted. Click Apply.
Figure 196: Configuring the Port Mode for DHCP Snooping
Displaying DHCP Snooping Binding Information
Use the IP Service > DHCP > Snooping (Show Information) page to display entries in the binding table.
Page 367
Web Interface
To display the binding table for DHCP Snooping: Click Security, IP Source Guard, DHCP Snooping. Select Show Information from the Step list. Use the Store or Clear function if required.
Figure 197: Displaying the Binding Table for DHCP Snooping
Basic Administration Protocols
This chapter describes basic administration tasks including:
Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
Configuring Event Logging
Parameters
These parameters are displayed in the web interface:
System Log Status – Enables/disables the logging of debug or error messages to the logging process. (Default: Enabled)
Flash Level – Limits log messages saved to the switch’s permanent flash memory for all levels up to the specified level.
Page 371
Figure 198: Configuring Settings for System Memory Logs
To show the error messages logged to system memory: Click Administration, Log, System. Select Show System Logs from the Step list. Click RAM or Flash. This page allows you to scroll through the logged system and event messages.
Remote Log Configuration
Use the Administration > Log > Remote page to send log messages to syslog servers or other management stations. You can also limit the event messages sent to only those messages below a specified level.
CLI References
"Event Logging"...
Figure 200: Configuring Settings for Remote Logging of Error Messages
Sending Simple Mail Transfer Protocol Alerts
Use the Administration > Log > SMTP page to alert system administrators of problems by sending SMTP (Simple Mail Transfer Protocol) email messages when triggered by logging events of a specified level.
Web Interface
To configure SMTP alert messages: Click Administration, Log, SMTP. Enable SMTP, specify a source email address, and select the minimum severity level. Specify the source and destination email addresses, and one or more SMTP servers.
Link Layer Discovery Protocol
Setting LLDP Timing Attributes
Use the Administration > LLDP (Configure Global) page to set attributes for general functions such as globally enabling LLDP on the switch, setting the message ageout time, and setting the frequency for broadcasting general advertisements or reports about changes in the LLDP MIB.
Page 376
This parameter only applies to SNMP applications which use data stored in the LLDP MIB for network monitoring or management. Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission.
Configuring LLDP Interface Attributes
Use the Administration > LLDP (Configure Interface) page to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.
Page 378
should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier (VID) associated with the management address reported by this TLV.
Port Description – The port description is taken from the ifDescr object in RFC 2863, which includes information about the manufacturer, the product name, and the version of the interface hardware/software.
MAC/PHY Configuration/Status – The MAC/PHY configuration and status which includes information about auto-negotiation support/capabilities, and operational Multistation Access Unit (MAU) type.
Web Interface
To configure LLDP interface attributes: Click Administration, LLDP. Select Configure Interface from the Step list. Set the LLDP transmit/receive mode, specify whether or not to send SNMP trap messages, and select the information to advertise in LLDP messages.
used to indicate the type of component being referenced by the chassis ID field.
Table 21: Chassis ID Subtype
ID Basis | Reference
Chassis component | EntPhysicalAlias when entPhysClass has a value of ‘chassis(3)’ (IETF RFC 2737)
Interface alias | IfAlias (IETF RFC 2863)
Page 381
Interface Settings
The attributes listed below apply to both port and trunk interface types. When a trunk is listed, the descriptions apply to the first port of the trunk.
Port/Trunk Description – A string that indicates the port or trunk description.
Displaying LLDP Remote Device Information
Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch’s ports which are advertising information through LLDP, or to display detailed information about an LLDP-enabled device connected to a specific port on the local switch.
Table 23: Port ID Subtype
ID Basis | Reference
Interface alias | IfAlias (IETF RFC 2863)
Chassis component | EntPhysicalAlias when entPhysClass has a value of ‘chassis(3)’ (IETF RFC 2737)
Port component | EntPhysicalAlias when entPhysicalClass has a value ‘port(10)’ or ‘backplane(4)’...
Remote Port Auto-Neg Adv-Capability – The value (bitmap) of the ifMauAutoNegCapAdvertisedBits object (defined in IETF RFC 3636) which is associated with a port on the remote system.
Table 24: Remote Port Auto-Negotiation Advertised Capability
Capability
other or unknown
10BASE-T half duplex mode...
Page 385
Remote Power Pair Controllable – Indicates whether the pair selection can be controlled for sourcing power on the given port associated with the remote system.
Remote Power Classification – This classification is used to tag different terminals on the Power over LAN network according to their power consumption.
Figure 207: Displaying Remote Device Information for LLDP (Port Details)
Displaying Device Statistics
Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces.
Page 387
Neighbor Entries Deleted Count – The number of LLDP neighbors which have been removed from the LLDP remote systems MIB for any reason.
Neighbor Entries Dropped Count – The number of times which the remote database on this switch dropped an LLDPDU because of insufficient resources.
Simple Network Management Protocol
The switch includes an onboard agent that supports SNMP versions 1, 2c, and 3. This agent continuously monitors the status of the switch hardware, as well as the traffic passing through its ports. A network management station can access this information using network management software.
Command Usage
Configuring SNMPv1/2c Management Access
To configure SNMPv1 or v2c management access to the switch, follow these steps: Use the Administration > SNMP (Configure Global) page to enable SNMP on the switch, and to enable trap messages. Use the Administration >...
Parameters
These parameters are displayed in the web interface:
Agent Status – Enables SNMP on the switch. (Default: Enabled)
Authentication Traps – Issues a notification message to specified IP trap managers whenever an invalid community string is submitted during the SNMP access authentication process.
ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users.
Parameters
These parameters are displayed in the web interface:
Engine ID – A new engine ID can be specified by entering 9 to 64 hexadecimal characters (5 to 32 octets in hexadecimal format).
Page 393
Parameters
These parameters are displayed in the web interface:
Remote Engine ID – The engine ID can be specified by entering 9 to 64 hexadecimal characters (5 to 32 octets in hexadecimal format). If an odd number of characters is specified, a trailing zero is added to the value to fill in the last octet.
Figure 213: Showing Remote Engine IDs for SNMP
Setting SNMP Views
Use the Administration > SNMP (Configure View) page to configure SNMPv3 views which are used to restrict user access to specified portions of the MIB tree.
Page 395
Select Add View from the Action list. Enter a view name and specify the initial OID subtree in the switch’s MIB database to be included or excluded in the view. Use the Add OID Subtree page to add additional object identifier branches to the view.
Page 396
Click Apply.
Figure 216: Adding an OID Subtree to an SNMP View
To show the OID branches configured for the SNMP views of the switch’s MIB database: Click Administration, SNMP. Select Configure View from the Step list. Select Show OID Subtree from the Action list.
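An added example (not code from the Digisol manual or its vendor) of how a view built from included and excluded OID subtrees, as configured on the pages above, decides which objects an SNMPv3 user can reach. The view names, the enterprise OID and the sample objects are constructed; the rule that the most specific covering subtree wins is the VACM behaviour from RFC 3415, which the manual page itself does not state.

```python
"""Added example, not the manual's or vendor's code: evaluation of an SNMPv3 view
made of included/excluded OID subtrees. When several subtrees cover an OID, the
most specific (longest) one wins; that precedence rule comes from VACM
(RFC 3415), not from the manual page."""
from typing import List, Optional, Tuple

Oid = Tuple[int, ...]


def parse_oid(text: str) -> Oid:
    """'1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1); a leading dot is tolerated."""
    return tuple(int(part) for part in text.strip(".").split("."))


class SnmpView:
    """A named view: a list of (subtree, included) entries, as on the Configure View page."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.subtrees: List[Tuple[Oid, bool]] = []

    def add_subtree(self, oid: str, included: bool = True) -> "SnmpView":
        self.subtrees.append((parse_oid(oid), included))
        return self

    def allows(self, oid: str) -> bool:
        """True if the most specific subtree covering the OID is an 'included' one.
        An OID covered by no subtree at all is not visible."""
        target = parse_oid(oid)
        best: Optional[Tuple[Oid, bool]] = None
        for subtree, included in self.subtrees:
            covers = target[:len(subtree)] == subtree
            if covers and (best is None or len(subtree) > len(best[0])):
                best = (subtree, included)
        return best is not None and best[1]

    def visible(self, oids: List[str]) -> List[str]:
        """What a walk restricted to this view would return from the given objects."""
        return [o for o in oids if self.allows(o)]


# Constructed views: read access to mib-2 with the ARP cache
# (ipNet""ToMediaTable, 1.3.6.1.2.1.4.22) carved out, and a system-group-only view.
MIB2_NO_ARP = (SnmpView("mib2-no-arp")
               .add_subtree("1.3.6.1.2.1", included=True)
               .add_subtree("1.3.6.1.2.1.4.22", included=False))
SYSTEM_ONLY = SnmpView("system-only").add_subtree("1.3.6.1.2.1.1")

# Constructed objects a manager might walk: sysDescr.0, ifDescr.1,
# one ipNetToMediaPhysAddress row, and an object under a placeholder enterprise OID.
SAMPLE_OIDS = ["1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.2.2.1.2.1",
               "1.3.6.1.2.1.4.22.1.2.1.10.0.10.1", "1.3.6.1.4.1.99999.1.0"]

if __name__ == "__main__":
    for view in (MIB2_NO_ARP, SYSTEM_ONLY):
        print(view.name, "->", view.visible(SAMPLE_OIDS))
```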
Configuring SNMP Groups
Use the Administration > SNMP (Configure Group) page to add an SNMPv3 group which can be used to set the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
Page 398
| Basic Administration Protocols HAPTER Simple Network Management Protocol Table 26: Supported Notification Messages (Continued) Model Level Group SNMPv2 Traps coldStart 1.3.6.1.6.3.1.1.5.1 A coldStart trap signifies that the SNMPv2 entity, acting in an agent role, is reinitializing itself and that its configuration may have been altered.
Page 399
| Basic Administration Protocols HAPTER Simple Network Management Protocol NTERFACE To configure an SNMP group: Click Administration, SNMP. Select Configure Group from the Step list. Select Add from the Action list. Enter a group name, assign a security model and level, and then select read, write, and notify views.
| Basic Administration Protocols HAPTER Simple Network Management Protocol Figure 218: Creating an SNMP Group To show SNMP groups: Click Administration, SNMP. Select Configure Group from the Step list. Select Show from the Action list. Figure 219: Showing SNMP Groups Use the Administration >...
Page 401
| Basic Administration Protocols HAPTER Simple Network Management Protocol ARAMETERS These parameters are displayed in the web interface: Community String – A community string that acts like a password and permits access to the SNMP protocol. Range: 1-32 characters, case sensitive Default strings: “public”...
| Basic Administration Protocols HAPTER Simple Network Management Protocol Figure 221: Showing Community Access Strings Use the Administration > SNMP (Configure User - Add SNMPv3 Local User) ONFIGURING OCAL page to authorize management access for SNMPv3 clients, or to identify SNMP SERS the source of SNMPv3 trap messages sent from the local switch.
Page 403
| Basic Administration Protocols HAPTER Simple Network Management Protocol Privacy Protocol – The encryption algorithm use for data privacy; only 56-bit DES is currently available. Privacy Password – A minimum of eight plain text characters is required. NTERFACE To configure a local SNMPv3 user: Click Administration, SNMP.
| Basic Administration Protocols HAPTER Simple Network Management Protocol Figure 223: Showing Local SNMPv3 Users Use the Administration > SNMP (Configure User - Add SNMPv3 Remote ONFIGURING EMOTE User) page to identify the source of SNMPv3 inform messages sent from SNMP SERS the local switch.
Page 405
| Basic Administration Protocols HAPTER Simple Network Management Protocol AuthPriv – SNMP communications use both authentication and encryption. Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) Authentication Password – A minimum of eight plain text characters is required.
Page 406
| Basic Administration Protocols HAPTER Simple Network Management Protocol Figure 224: Configuring Remote SNMPv3 Users To show remote SNMPv3 users: Click Administration, SNMP. Select Configure User from the Step list. Select Show SNMPv3 Remote User from the Action list. Figure 225: Showing Remote SNMPv3 Users –...
Specifying Trap Managers: Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management software).

Parameters: These parameters are displayed in the web interface:

SNMP Version 1: IP Address – IP address of a new management station to receive notification messages (i.e., the targeted recipient). Version – Specifies whether to send notifications as SNMP v1, v2c, or v3 traps.

SNMP Version 3: IP Address – IP address of a new management station to receive notification messages (i.e., the targeted recipient). Version – Specifies whether to send notifications as SNMP v1, v2c, or v3 traps.

Web Interface: To configure trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Add from the Action list. Fill in the required parameters based on the selected SNMP version. Click Apply.

Figure 226: Configuring Trap Managers (SNMPv1)
Figure 227: Configuring Trap Managers (SNMPv2c)
Figure 228: Configuring Trap Managers (SNMPv3)

To show configured trap managers: Click Administration, SNMP. Select Configure Trap from the Step list. Select Show from the Action list.

Figure 229: Showing Trap Managers

Basic Administration Protocols: Remote Monitoring

Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis.

The switch supports mini-RMON, which consists of the Statistics, History, Event and Alarm groups. When RMON is enabled, the system gradually builds up information about its physical interfaces, storing this information in the relevant RMON database group. A management agent then periodically communicates with the switch using the SNMP protocol.

Rising Threshold – If the current value is greater than or equal to the rising threshold, and the last sample value was less than this threshold, then an alarm will be generated. After a rising event has been generated, another such event will not be generated until the sampled value has fallen below the rising threshold, reached the falling threshold, and again moved back up to the rising threshold.
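The rising-threshold rule above, together with its mirror image for the falling threshold, as an added worked example (not the switch's firmware or code from the manual): a small state machine that shows why a second spike raises no second rising event until the value has first dropped to the falling threshold. The "absolute"/"delta" sample types follow RFC 2819's alarmSampleType; the threshold values and poll readings are constructed sample data.

```python
"""RMON alarm hysteresis (added example; not code from the switch or manual)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RmonAlarm:
    rising_threshold: int
    falling_threshold: int
    sample_type: str = "absolute"        # "absolute": compare the reading itself;
                                         # "delta": compare the change since last poll
    last_raw: Optional[int] = None       # previous raw reading (needed for delta)
    last_value: Optional[int] = None     # previous value compared against the thresholds
    rising_armed: bool = True            # may the next upward crossing fire?
    falling_armed: bool = True           # may the next downward crossing fire?
    events: List[str] = field(default_factory=list)

    def _value(self, raw: int) -> Optional[int]:
        if self.sample_type == "absolute":
            return raw
        if self.sample_type != "delta":
            raise ValueError(f"unknown sample type {self.sample_type!r}")
        if self.last_raw is None:        # first delta sample has nothing to diff against
            return None
        return raw - self.last_raw

    def sample(self, raw: int) -> Optional[str]:
        """Feed one poll of the monitored variable; return the event it raises, if any."""
        value = self._value(raw)
        self.last_raw = raw
        if value is None:
            return None
        event = None
        if self.last_value is not None:  # no event on the very first comparable sample
            crossed_up = (value >= self.rising_threshold
                          and self.last_value < self.rising_threshold)
            crossed_down = (value <= self.falling_threshold
                            and self.last_value > self.falling_threshold)
            if crossed_up and self.rising_armed:
                event = "rising"
                self.rising_armed = False    # silenced until a falling event re-arms it
                self.falling_armed = True
            elif crossed_down and self.falling_armed:
                event = "falling"
                self.falling_armed = False
                self.rising_armed = True     # the hysteresis loop is complete
        self.last_value = value
        if event is not None:
            self.events.append(event)
        return event


def simulate(readings: List[int], rising: int, falling: int,
             sample_type: str = "absolute") -> List[Optional[str]]:
    """Run a constructed series of polls through one alarm; one event slot per poll."""
    alarm = RmonAlarm(rising, falling, sample_type)
    return [alarm.sample(r) for r in readings]


if __name__ == "__main__":
    # Utilisation-style absolute readings (percent, constructed): the second spike
    # to 90 raises nothing because the value never reached the falling threshold.
    print(simulate([10, 85, 50, 90, 15, 95], rising=80, falling=20))
    # Counter-style delta readings (constructed): events depend on the per-interval
    # increase, not on the counter's absolute size.
    print(simulate([1000, 1050, 1200, 1210, 1400], rising=100, falling=20,
                   sample_type="delta"))
```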
Figure 230: Configuring an RMON Alarm

To show configured RMON alarms: Click Administration, RMON. Select Configure Global from the Step list. Select Show from the Action list. Click Alarm.

Figure 231: Showing Configured RMON Alarms

Configuring RMON Events: Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager. Alarms and corresponding events provide a way of immediately responding to critical network problems.

Web Interface: To configure an RMON event: Click Administration, RMON. Select Configure Global from the Step list. Select Add from the Action list. Click Event. Enter an index number, the type of event to initiate, the community string to send with trap messages, the name of the person who created this event, and a brief description of the event.

Figure 233: Showing Configured RMON Events

Configuring RMON History Samples: Use the Administration > RMON (Configure Interface - Add - History) page to collect statistics on a physical interface to monitor network utilization, packet types, and errors.

Owner – Name of the person who created this entry. (Range: 1-127 characters)

Web Interface: To periodically sample statistics on a port: Click Administration, RMON. Select Configure Interface from the Step list. Select Add from the Action list. Click History.

Figure 235: Showing Configured RMON History Samples

To show collected RMON history samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show Details from the Action list. Select a port from the list. Click History.

The information collected for each entry includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, CRC alignment errors, jabbers, fragments, collisions, drop events, and frames of various sizes.

Parameters: These parameters are displayed in the web interface: Port –...

Select a port from the list. Click Statistics.

Figure 238: Showing Configured RMON Statistical Samples

To show collected RMON statistical samples: Click Administration, RMON. Select Configure Interface from the Step list. Select Show Details from the Action list. Select a port from the list.
Multicast Filtering

This chapter describes how to configure the following multicast services: Layer 2 IGMP – Configures snooping and query parameters. Filtering and Throttling – Filters specified multicast services, or throttles the maximum number of multicast groups allowed on an interface. Layer 3 IGMP –...

Multicast Filtering: IGMP Protocol

This switch can use Internet Group Management Protocol (IGMP) to filter multicast traffic. IGMP Snooping can be used to passively monitor or "snoop" on exchanges between attached hosts and an IGMP-enabled device, most commonly a multicast router. In this way, the switch can discover the ports that want to join a multicast group, and set its filters accordingly.

Multicast Filtering: Layer 2 IGMP (Snooping and Query)

...across different subnetworks. Therefore, when PIM routing is enabled for a subnet on the switch, IGMP is automatically enabled.

Figure 241: IGMP Protocol (network core: multicast routing; edge switches: snooping and query; switch to end nodes: snooping on IGMP clients)

Layer 2 IGMP (Snooping and Query)

When the switch is configured to use IGMPv3 snooping, the snooping version may be downgraded to version 2 or version 1, depending on the version of the IGMP query packets detected on each VLAN. IGMP snooping will not function unless a multicast router port is enabled on the switch.

Configuring IGMP Snooping and Query Parameters: Use the Multicast > IGMP Snooping > General page to configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards multicast traffic only to the ports that request it.

Proxy Reporting Status – Enables IGMP Snooping with Proxy Reporting. (Default: Disabled) When proxy reporting is enabled with this command, the switch performs "IGMP Snooping with Proxy Reporting" (as defined in DSL Forum TR-101, April 2006), including last leave and query suppression.

...(or query solicitation). When a switch receives this solicitation, it floods it to all ports in the VLAN where the spanning tree change occurred. When an upstream multicast router receives this solicitation, it immediately issues an IGMP general query.

This attribute configures the IGMP report/query version used by IGMP snooping. Versions 1 - 3 are all supported, and versions 2 and 3 are backward compatible, so the switch can operate with other devices, regardless of the snooping version employed.

Specifying Static Interfaces for a Multicast Router: Use the Multicast > IGMP Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to a multicast router/switch. Depending on network connections, IGMP snooping may not always be able to locate the IGMP querier.

Select Show Static Multicast Router from the Action list. Select the VLAN for which to display this information.

Figure 244: Showing Static Interfaces Attached to a Multicast Router

Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol (such as PIM), to support IP multicasting across the Internet.

Assigning Interfaces to Multicast Services: Use the Multicast > IGMP Snooping > IGMP Member (Add Static Member) page to statically assign a multicast service to an interface. Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages (see "Configuring IGMP Snooping and Query Parameters"...

Figure 246: Assigning an Interface to a Multicast Service

To show the static interfaces assigned to a multicast service: Click Multicast, IGMP Snooping, IGMP Member. Select Show Static Member from the Action list. Select the VLAN for which to display this information.

Figure 248: Showing Current Interfaces Assigned to a Multicast Service

Setting IGMP Snooping Status: Use the Multicast > IGMP Snooping > Interface (Configure VLAN) page to configure IGMP snooping attributes for a VLAN interface. To configure snooping globally, refer to...

...forwarding is enabled. They are sent upon the occurrence of these events: upon the expiration of a periodic (randomized) timer; as part of a router's start-up procedure; during the restart of a multicast forwarding interface; on receipt of a Solicitation message.

When IGMP snooping is disabled globally, snooping can still be configured per VLAN interface, but the interface settings will not take effect until snooping is re-enabled globally. Version Exclusive – Discards any received IGMP messages (except for multicast protocol packets) which use a version different from that currently configured by the IGMP Version attribute.

If proxy reporting is disabled, report suppression can still be configured by a separate attribute as described above. Interface Version – Sets the protocol version for compatibility with other devices on the network. This is the IGMP version the switch uses to send snooping reports.

Proxy Query Address – A static source address for locally generated query and report messages used by IGMP Proxy Reporting. (Range: Any valid IP unicast address; Default: 0.0.0.0) IGMP Snooping uses a null IP address of 0.0.0.0 as the source of IGMP query messages which are proxied to downstream hosts, to indicate that it is not the elected querier but is only proxying these messages as defined in RFC 4541.

To show the interface settings for IGMP snooping: Click Multicast, IGMP Snooping, Interface. Select Show VLAN Information from the Action list.

Figure 250: Showing Interface Settings for IGMP Snooping

Use the Multicast >...

Figure 251: Dropping IGMP Query or Multicast Data Packets

Displaying Multicast Groups Discovered by IGMP Snooping: Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping.

Multicast Filtering: Filtering and Throttling IGMP Groups

Figure 252: Showing Multicast Groups Learned by IGMP Snooping

Filtering and Throttling IGMP Groups: In certain switch applications, the administrator may want to control the multicast services that are available to end users, for example an IP/TV service based on a specific subscription plan.
Parameters: These parameters are displayed in the web interface: IGMP Filter Status – Enables IGMP filtering and throttling globally for the switch. (Default: Disabled)

Web Interface: To enable IGMP filtering and throttling on the switch: Click Multicast, IGMP Snooping, Filtering.

When the access mode is set to deny, IGMP join reports are only processed when the multicast group is not in the controlled range.

Add Multicast Group Range: Profile ID – Selects an IGMP profile to configure. Start Multicast IP Address –...

To add a range of multicast groups to an IGMP filter profile: Click Multicast, IGMP Snooping, Filtering. Select Add Multicast Group Range from the Action list. Select the profile to configure, and add a multicast group address or range of addresses.

Configuring IGMP Filtering and Throttling for Interfaces: Use the Multicast > IGMP Snooping > Configure Interface page to assign an IGMP filter profile to interfaces on the switch, or to throttle multicast traffic by limiting the maximum number of multicast groups an interface can join at the same time.

Multicast Filtering: Layer 3 IGMP (Query used with Multicast Routing)

Select a profile to assign to an interface, then set the maximum number of allowed multicast groups and the throttling response. Click Apply.

Figure 258: Configuring IGMP Filtering and Throttling Interface Settings

Layer 3 IGMP (Query used with Multicast Routing)

Configuring IGMP Proxy Routing: Use the Multicast > IGMP > Proxy page to configure IGMP Proxy Routing. In simple network topologies, it is sufficient for a device to learn multicast requirements from its downstream interfaces and proxy this group membership information to the upstream router.

The IGMP proxy routing tree must be manually configured by designating one upstream interface and multiple downstream interfaces on each proxy device. No other multicast routers except for the proxy devices can exist within the tree, and the root of the tree must be connected to a wider multicast infrastructure.

Multicast routing protocols are not supported when IGMP proxy service is enabled. Only one upstream interface is supported on the system. A maximum of 1024 multicast entries is supported.

Parameters: These parameters are displayed in the web interface: VLAN –...

...that interface from the multicast tree. A host can also submit a join message at any time without waiting for a query from the router. Hosts can also signal when they no longer want to receive traffic for a specific group by sending a leave-group message.

Multicast routers send host query messages to determine the interfaces that are connected to downstream hosts requesting a specific multicast service. Only the designated multicast router for a subnet sends host query messages, which are addressed to the multicast address 224.0.0.1 and use a time-to-live (TTL) value of 1.

Figure 261: Configuring IGMP Interface Settings

Configuring Static IGMP Group Membership: Use the Multicast > IGMP > Static Group page to manually propagate traffic from specific multicast groups onto the specified VLAN interface.

Static Group Address – An IP multicast group address. (The group addresses specified cannot be in the range of 224.0.0.1 - 239.255.255.255.) Source Address – The source address of a multicast server transmitting traffic to the specified multicast group address.

Displaying Multicast Group Information: When IGMP (Layer 3) is enabled on the switch, use the Multicast > IGMP > Group Information pages to display the current multicast groups learned through IGMP.

Show Detail: The following additional information is displayed on this page: VLAN – VLAN identifier. The selected entry must be a configured IP interface. (Range: 1-4093) Group Address – IP multicast group address with subscribers directly attached or downstream from the switch, or a static multicast group assigned to this interface.

Multicast Filtering: Multicast VLAN Registration

Figure 264: Displaying Multicast Groups Learned from IGMP (Information)

To display detailed information about the current multicast groups learned through IGMP: Click Multicast, IGMP, Group Information. Select Show Detail from the Action list. Select a VLAN.
...802.1Q or private VLANs cannot exchange any information (except through upper-level routing services).

Figure 266: MVR Concept (multicast router, satellite services, service network, multicast server, Layer 2 switch with a source port and receiver ports, set-top boxes)

Command Usage...

Configuring Global MVR Settings: Use the Multicast > MVR (Configure General) page to enable MVR globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider.

CLI References: "Multicast VLAN Registration"...

Figure 267: Configuring Global Settings for MVR

Configuring the MVR Group Range: Use the Multicast > MVR (Configure Group Range) page to assign the multicast group address for each service to the MVR VLAN.

CLI References...

Web Interface: To configure multicast groups for the MVR VLAN: Click Multicast, MVR. Select Configure Group Range from the Step list. Select Add from the Action list. Add the multicast groups that will stream traffic to participating hosts. Click Apply.

Command Usage: A port configured as an MVR receiver or source port can join or leave multicast groups configured under MVR. However, note that these ports can also use IGMP snooping to join or leave any other multicast groups using the standard rules for multicast filtering.

...designated multicast services supported by the MVR VLAN. Just remember that only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned (see "Assigning Static Multicast Groups to Interfaces"...

Assigning Static Multicast Groups to Interfaces: Use the Multicast > MVR (Configure Static Group Member) page to statically bind multicast groups to a port which will receive long-term multicast streams associated with a stable set of hosts.

CLI References...

Select the port for which to display this information.

Figure 272: Showing the Static MVR Groups Assigned to a Port

Showing Multicast Groups: Use the Multicast > MVR (Show Member) page to show the multicast groups either statically or dynamically assigned to the MVR VLAN on each...

Figure 273: Showing All MVR Groups Assigned to a Port
IP Configuration

This chapter describes how to configure an initial IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on.

IP Configuration: Setting the Switch's IP Address (IP Version 4)

To enable routing between interfaces defined on this switch and external network interfaces, you must configure static routes (page 501) or use dynamic routing, i.e., RIP, OSPFv2 or OSPFv3 (page 540, 1232...

Web Interface: To set a static address for the switch: Click IP, General, Routing Interface. Select Add from the Action list. Select any configured VLAN, set IP Address Mode to "Static," set IP Address Type to "Primary"...

Figure 275: Configuring a Dynamic IPv4 Address

The switch will also broadcast a request for IP configuration settings on each power reset. If you lose the management connection, make a console connection to the switch and enter "show ip interface"...

IP Configuration: Setting the Switch's IP Address (IP Version 6)

Figure 276: Showing the Configured IP Address for an Interface

Setting the Switch's IP Address (IP Version 6): This section describes how to configure an initial IPv6 interface for management access over the network, or for creating an interface to multiple subnets.

If a routing protocol is enabled (page 539), you can still define a static route (page 501) to ensure that traffic to the designated address or subnet passes through a preferred gateway. An IPv6 default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch.

...network segment, and the interval between neighbor solicitations used to verify reachability information.

Parameters: These parameters are displayed in the web interface: VLAN – ID of a configured VLAN which is to be used for management access, or as a standard interface for a subnet.

While an interface is suspended, all unicast IPv6 addresses assigned to that interface are placed in a "pending" state. Duplicate address detection is automatically restarted when the interface is administratively re-activated.

...the MTU size, the maximum number of duplicate address detection messages, and the neighbor solicitation message interval. Click Apply.

Figure 278: Configuring General Settings for an IPv6 Interface

Use the IP >...

...identifier to automatically create the low-order 64 bits in the host portion of the address. You can also manually configure the global unicast address by entering the full address and prefix length. You can configure multiple IPv6 global unicast addresses per interface, but only one link-local address per interface.

...6-byte MAC address (also known as EUI-48 format), it must be converted into EUI-64 format by inverting the universal/local bit in the address and inserting the hexadecimal number FFFE between the upper and lower three bytes of the MAC address.
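The EUI-48 to EUI-64 conversion just described, carried through to the resulting link-local and global unicast addresses, as an added example (not the switch's own code): it inserts FFFE between the upper and lower three octets and inverts the universal/local bit, which also means a locally administered MAC (U/L bit already set) ends up with that bit cleared. The MAC addresses and the 2001:db8:1:2::/64 prefix are constructed sample values.

```python
"""Modified EUI-64 interface identifiers from a MAC address (added example)."""
import ipaddress


def parse_mac(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or 001122334455."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)        # raises ValueError on non-hex input


def mac_to_eui64(mac: str) -> bytes:
    """EUI-48 -> modified EUI-64 (RFC 4291 appendix A), as the manual describes."""
    m = parse_mac(mac)
    # Step 1: split into the upper and lower three octets and insert FF FE between them.
    eui = m[:3] + b"\xff\xfe" + m[3:]
    # Step 2: invert the universal/local bit, bit 0x02 of the first octet. A globally
    # unique MAC has it clear, so it becomes 1; a locally administered MAC has it
    # set, so it becomes 0.
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def format_eui64(eui: bytes) -> str:
    return ":".join(f"{b:02x}" for b in eui)


def link_local_address(mac: str) -> str:
    """fe80::/64 plus the interface identifier, in compressed textual form."""
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return str(ipaddress.IPv6Address((0xfe80 << 112) | iid))


def global_address(prefix: str, mac: str) -> str:
    """Auto-configured global unicast address from a /64 prefix such as 2001:db8:1:2::/64."""
    net = ipaddress.IPv6Network(prefix, strict=False)   # host bits in the prefix are masked off
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface identifier needs a /64 prefix")
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


if __name__ == "__main__":
    for mac in ("00:11:22:33:44:55", "02:11:22:33:44:55"):   # constructed sample MACs
        print(mac, "->", format_eui64(mac_to_eui64(mac)),
              link_local_address(mac), global_address("2001:db8:1:2::/64", mac))
```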
Showing IPv6 Addresses: Use the IP > IPv6 Configuration (Show IPv6 Address) page to display the IPv6 addresses assigned to an interface.

CLI References: "show ipv6 interface" on page 1140

Parameters: These parameters are displayed in the web interface: VLAN –...

Web Interface: To show the configured IPv6 addresses: Click IP, IPv6 Configuration. Select Show IPv6 Address from the Action list. Select a VLAN from the list.

Figure 280: Showing Configured IPv6 Addresses

Use the IP >...

Table 27: Show IPv6 Neighbors - display description (Continued)
Field / Description: State – The following states are used for dynamic entries: Incomplete - Address resolution is being carried out on the entry. A neighbor solicitation message has been sent to the multicast address of the target, but it has not yet returned a neighbor advertisement message.

Showing IPv6 Statistics: Use the IP > IPv6 Configuration (Show Statistics) page to display statistics about IPv6 traffic passing through this switch.

CLI References: "show ipv6 traffic" on page 1142

Command Usage: This switch provides statistics for the following traffic types:...

Table 28: Show IPv6 Statistics - display description (Continued)
Field / Description: Address Errors – The number of input datagrams discarded because the IPv6 address in their IPv6 header's destination field was not a valid address to be received at this entity.

Table 28: Show IPv6 Statistics - display description (Continued)
Field / Description: Generated Fragments – The number of output datagram fragments that have been generated as a result of fragmentation at this output interface. Fragment Succeeded – The number of IPv6 datagrams that have been successfully fragmented at this output interface.

Table 28: Show IPv6 Statistics - display description (Continued)
Field / Description: Destination Unreachable Messages – The number of ICMP Destination Unreachable messages sent by the interface. Packet Too Big Messages – The number of ICMP Packet Too Big messages sent by the interface.

Figure 282: Showing IPv6 Statistics (IPv6)
Figure 283: Showing IPv6 Statistics (ICMPv6)
Figure 284: Showing IPv6 Statistics (UDP)

Showing Reported MTU Values: Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.

Figure 285: Showing Reported MTU Values
IP R ENERAL OUTING This chapter provides information on network functions including: Ping – Sends ping message to another node on the network. Trace – Sends ICMP echo request packets to another node on the network. Address Resolution Protocol – Describes how to configure ARP aging time, proxy ARP, or static addresses.
| General IP Routing HAPTER IP Routing and Switching Figure 286: Virtual Interfaces and Layer 3 Routing Inter-subnet traffic (Layer 3 switching) Routing Untagged Untagged VLAN 1 VLAN 2 Tagged or Untagged Tagged or Untagged Tagged or Untagged Tagged or Untagged Intra-subnet traffic (Layer 2 switching) IP R OUTING AND...
| General IP Routing HAPTER IP Routing and Switching broadcast to get the destination MAC address from the destination node. The IP packet can then be sent directly with the destination MAC address. If the destination belongs to a different subnet on this switch, the packet can be routed directly to the destination node.
| General IP Routing HAPTER Configuring IP Routing Interfaces The switch supports both static and dynamic routing. OUTING ROTOCOLS Static routing requires routing information to be stored in the switch either manually or when a connection is set up by an application outside the switch.
| General IP Routing HAPTER Configuring IP Routing Interfaces unknown destinations, i.e., packets that do not match any routing table entry. If another router is designated as the default gateway, then the switch will pass packets to this router for any unknown hosts or subnets. To configure a default gateway for IPv4, use the static routing table as described on page...
Click Apply.
Figure 287: Pinging a Network Device
Using the Trace Route Function
Use the IP > General > Trace Route page to show the route packets take to the specified destination.
CLI References...
CHAPTER | General IP Routing | Address Resolution Protocol
Web Interface: To trace the route to another device on the network: Click IP, General, Trace Route. Specify the target device. Click Apply.
Figure 288: Tracing the Route to a Network Device
Address Resolution Protocol
If IP routing is enabled (page 539), the router uses its routing tables to...
If there is no entry for an IP address in the ARP cache, the router will broadcast an ARP request packet to all devices on the network. The ARP request contains the following fields, similar to those shown in this example:
Table 30: Address Resolution Protocol
destination IP address 10.1.0.19...
Parameters: These parameters are displayed in the web interface: Timeout – Sets the aging time for dynamic entries in the ARP cache. (Range: 300-86400 seconds; Default: 1200 seconds or 20 minutes) The ARP aging timeout can be set for any configured VLAN.
Configuring Static ARP Addresses
For devices that do not respond to ARP requests or do not respond in a timely manner, traffic will be dropped because the IP address cannot be mapped to a physical address.
Figure 291: Configuring Static ARP Entries
To display static entries in the ARP cache: Click IP, ARP. Select Configure Static Address from the Step List. Select Show from the Action List.
Figure 292: Displaying Static ARP Entries
Displaying Dynamic ARP Entries
The ARP cache contains static entries, and entries for local interfaces,...
Figure 293: Displaying Dynamic ARP Entries
To display all local entries in the ARP cache: Click IP, ARP. Select Show Information from the Step List. Click Other Address.
Figure 294: Displaying Local ARP Entries
Use the IP >...
CHAPTER | General IP Routing | Configuring Static Routes
Web Interface: To display ARP statistics: Click IP, ARP. Select Show Information from the Step List. Click Statistics.
Figure 295: Displaying ARP Statistics
Configuring Static Routes
This router can dynamically configure routes to other network segments using dynamic routing protocols (i.e., RIP or OSPF).
Static routes are included in RIP and OSPF updates periodically sent by the router if this feature is enabled by RIP or OSPF (see page 577, respectively).
Parameters: These parameters are displayed in the web interface: Destination IP Address –...
CHAPTER | General IP Routing | Displaying the Routing Table
Figure 297: Displaying Static Routes
Displaying the Routing Table
Use the IP > Routing > Routing Table page to display all routes that can be accessed via local network interfaces, through static routes, or through a dynamically learned route.
CHAPTER | General IP Routing | Equal-cost Multipath Routing
Parameters: These parameters are displayed in the web interface: VLAN – VLAN identifier (i.e., configure as a valid IP subnet). Destination IP Address – IP address of the destination network, subnetwork, or host. Note that the address 0.0.0.0 indicates the default gateway for this router.
manually configured in the static routing table, or equal-cost multipaths dynamically generated by the Open Shortest Path First (OSPF) algorithm. In other words, it uses either static or OSPF entries, not both. Normal unicast routing simply selects the path to the destination that has the lowest cost.
Web Interface: To configure the maximum ECMP number: Click IP, Routing, Routing Table. Select Configure ECMP Number from the Action List. Enter the maximum number of equal-cost paths used to route traffic to the same destination that are permitted on the switch.
CONFIGURING ROUTER REDUNDANCY
Router redundancy protocols use a virtual IP address to support a primary router and multiple backup routers. The backup routers can be configured to take over the workload if the master router fails, or can also be configured to share the traffic load.
CHAPTER | Configuring Router Redundancy | Configuring VRRP Groups
priority. In cases where the configured priority is the same on several group members, then the master router with the highest IP address is selected from this group. If you have multiple secondary addresses configured on the current VLAN interface, you can add any of these addresses to the virtual router group.
VLAN – ID of a VLAN configured with an IP interface. (Range: 1-4093; Default: 1)
Adding a Virtual IP Address
VLAN ID – ID of a VLAN configured with an IP interface. (Range: 1-4093) VRID –...
Authentication Mode – Authentication mode used to verify VRRP packets received from other routers. (Options: None, Simple Text; Default: None) If simple text authentication is selected, then you must also enter an authentication string.
Figure 303: Configuring the VRRP Group ID
To show the configured VRRP groups: Click IP, VRRP. Select Configure Group ID from the Step List. Select Show from the Action List.
Figure 304: Showing Configured VRRP Groups
To configure the virtual router address for a VRRP group: Click IP, VRRP.
Figure 305: Setting the Virtual Router Address for a VRRP Group
To show the virtual IP address assigned to a VRRP group: Click IP, VRRP. Select Configure Group ID from the Step List. Select Show IP Addresses from the Action List.
CHAPTER | Configuring Router Redundancy | Displaying VRRP Global Statistics
Figure 307: Configuring Detailed Settings for a VRRP Group
Displaying VRRP Global Statistics
Use the IP > VRRP (Show Statistics – Global Statistics) page to display counters for errors found in VRRP protocol packets.
CLI References: "show vrrp router counters"...
CHAPTER | Configuring Router Redundancy | Displaying VRRP Group Statistics
Figure 308: Showing Counters for Errors Found in VRRP Packets
Displaying VRRP Group Statistics
Use the IP > VRRP (Show Statistics – Group Statistics) page to display counters for VRRP protocol events and errors that have occurred on a specific VRRP interface.
Table 32: VRRP Group Statistics (Continued)
Parameter: Received Invalid Type VRRP Packets. Description: Number of VRRP packets received by the virtual router with an invalid value in the “type” field.
Parameter: Received Error Address List VRRP Packets. Description: Number of packets received for which the address list does not match the locally configured list for the virtual router.
IP SERVICES
This chapter describes the following IP services: – Configures default domain names, identifies servers to use for dynamic lookup, and shows how to configure static entries. DHCP Client – Specifies the DHCP client identifier for an interface. DHCP Relay –...
CHAPTER | IP Services | Domain Name Service
Parameters: These parameters are displayed in the web interface: Domain Lookup – Enables DNS host name-to-address translation. (Default: Disabled) Default Domain Name – Defines the default domain name appended to incomplete host names. Do not include the initial dot that separates the host name from the domain name.
When an incomplete host name is received by the DNS service on this switch and a domain name list has been specified, the switch will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match (see "Configuring a List of Name Servers"...
Configuring a List of Name Servers
Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order.
CLI References: "ip name-server" on page 1083, "show dns"...
Figure 314: Showing the List of Name Servers for DNS
Configuring Static DNS Host to...
Use the IP Service > DNS - Static Host Table (Add) page to manually configure static entries in the DNS table that are used to map domain names to IP addresses.
Figure 315: Configuring Static Entries in the DNS Table
To show static entries in the DNS table: Click IP Service, DNS, Static Host Table. Select Show from the Action list.
Figure 316: Showing Static Entries in the DNS Table
Use the IP Service >...
CHAPTER | IP Services | Dynamic Host Configuration Protocol
Parameters: These parameters are displayed in the web interface: No. – The entry number for each resource record. Flag – The flag is always “4” indicating a cache entry and therefore unreliable. Type –...
Specifying a DHCP Client Identifier
Use the IP Service > DHCP > Client page to specify the DHCP client identifier for a VLAN interface.
CLI References: "ip dhcp client class-id" on page 1090
Command Usage: The class identifier is used to identify the vendor class and configuration of...
Configuring DHCP Relay Service
Use the IP Service > DHCP > Relay page to configure DHCP relay service for attached host devices. If DHCP relay is enabled, and this switch sees a DHCP request broadcast, it inserts its own IP address into the request so that the DHCP server will know the subnet where the client is located.
Figure 320: Configuring DHCP Relay Service
Configuring the DHCP Server
This switch includes a Dynamic Host Configuration Protocol (DHCP) server that can assign temporary IP addresses to any attached host requesting service.
CLI References: "service dhcp" on page 1096
Parameters: These parameters are displayed in the web interface: DHCP Server – Enables or disables the DHCP server on this switch. (Default: Disabled)
Web Interface: To enable the DHCP server: Click IP Service, DHCP, Server.
Web Interface: To configure IP addresses excluded for DHCP clients: Click IP Service, DHCP, Server. Select Configure Excluded Addresses from the Step list. Select Add from the Action list. Enter a single address or an address range. Click Apply.
Command Usage: First configure address pools for the network interfaces. Then you can manually bind an address to a specific client if required. However, note that any static host address must fall within the range of an existing network address pool.
Client-Identifier – A unique designation for the client device, either a text string (1-15 characters) or hexadecimal value. The information included in the identifier is based on RFC 2132 Option 60, and must be unique for all clients in the same administrative domain.
Click Apply.
Figure 325: Configuring DHCP Server Address Pools (Network)
Figure 326: Configuring DHCP Server Address Pools (Host)
To show the configured DHCP address pools: Click IP Service, DHCP, Server. Select Configure Pool from the Step list. –...
Select Show from the Action list.
Figure 327: Showing Configured DHCP Server Address Pools
Displaying Address Bindings
Use the IP Service > DHCP > Server (Show IP Binding) page to display the host devices which have acquired an IP address from this switch’s DHCP server.
CHAPTER | IP Services | Forwarding UDP Service Requests
Forwarding UDP Service Requests
This section describes how this switch can forward UDP broadcast packets originating from host applications to another part of the network when a local application server is not available.
Command Usage: Network hosts occasionally use UDP broadcasts to determine...
Figure 329: Enabling the UDP Helper
Specifying Destination Ports
Use the IP Service > UDP Helper > Forwarding page to specify the UDP destination ports for which broadcast traffic will be forwarded when the UDP helper is enabled.
Figure 330: Specifying UDP Destination Ports
To show the configured UDP destination ports: Click IP Service, UDP Helper, Forwarding. Select Show from the Action list.
Figure 331: Showing the UDP Destination Ports
Use the IP Service >...
The IP time-to-live (TTL) value must be at least 2. The IP protocol must be UDP (17). The UDP destination port must be TFTP, Domain Name System (DNS), Time, NetBIOS, BOOTP or DHCP packet, or a UDP port specified on the IP Service >...
Figure 333: Showing the Target Server or Subnet for UDP Requests
UNICAST ROUTING
This chapter describes how to configure the following unicast routing protocols: – Configures Routing Information Protocol. OSPFv2 – Configures Open Shortest Path First (Version 2) for IPv4.
Overview
This switch can route unicast traffic to different subnetworks using the Routing Information Protocol (RIP) or Open Shortest Path First (OSPF) protocol.
CHAPTER | Unicast Routing | Configuring the Routing Information Protocol
To coexist with a network built on multilayer switches, the subnetworks for non-IP protocols must follow the same logical boundary as that of the IP subnetworks. A separate multi-protocol router can then be used to link the subnetworks by connecting to one port from each available VLAN on the network.
versions can take a long time to converge on a new route after the failure of a link or router, during which time routing loops may occur, and its small hop count limitation of 15 restricts its use to smaller networks.
RIP send/receive versions set on the RIP Interface settings screen (page 552) always take precedence over the settings for the Global RIP Version. However, when the Global RIP Version is set to “By Interface,” any VLAN interface not previously set to a specific receive or send version is set to the following default values: Receive: Accepts RIPv1 or RIPv2 packets.
access list that filters networks according to the IP address of the router supplying the routing information. Number of Route Changes – The number of route changes made to the IP route database by RIP. Number of Queries –...
Figure 335: Configuring General Settings for RIP
Clearing Entries from the Routing Table
Use the Routing Protocol > RIP > General (Clear Route) page to clear entries from the routing table based on route type or a specific network address.
Clear Route By Network – Clears a specific route based on its IP address and prefix length. Network IP Address – Deletes all related entries for the specified network address. Prefix Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the network portion of the address.
Parameters: These parameters are displayed in the web interface: By Address – Adds a network to the RIP routing process. Subnet Address – IP address of a network directly connected to this router.
Figure 338: Showing Network Interfaces Using RIP
Specifying Passive Interfaces
Use the Routing Protocol > RIP > Passive Interface (Add) page to stop RIP from sending routing updates on the specified interface.
CLI References...
Figure 339: Specifying a Passive RIP Interface
To show the passive RIP interfaces: Click Routing Protocol, RIP, Passive Interface. Select Show from the Action list.
Figure 340: Showing Passive RIP Interfaces
Use the Routing Protocol >...
Add the address of any static neighbors which may not be readily discovered through RIP. Click Apply.
Figure 341: Specifying a Static RIP Neighbor
To show static RIP neighbors: Click Routing Protocol, RIP, Neighbor Address. Select Show from the Action list.
Metric – Metric assigned to all external routes for the specified protocol. (Range: 0-16; Default: the default metric as described under "Configuring General Protocol Settings" on page 541.) A route metric must be used to resolve the problem of redistributing external routes with incompatible metrics.
Figure 344: Showing External Routes Redistributed into RIP
Specifying an Administrative Distance
Use the Routing Protocol > RIP > Distance (Add) page to define an administrative distance for external routes learned from other routing protocols.
Web Interface: To define an administrative distance for external routes learned from other routing protocols: Click Routing Protocol, RIP, Distance. Select Add from the Action list. Enter the distance, the external route, and optionally enter the name of an ACL to filter networks according to the IP address of the router supplying the routing information.
CLI References: "ip rip authentication mode" on page 1183, "ip rip authentication string" on page 1184, "ip rip split-horizon" on page 1187
Command Usage: Specifying Receive and Send Protocol Types – Specify the protocol message type accepted (that is, RIP version) and the message type sent (that is, RIP version or compatibility mode) for each RIP interface.
password. If any incoming protocol messages do not contain the correct password, they are simply dropped. For authentication to function properly, both the sending and receiving interfaces must be configured with the same password or authentication key.
Authentication Type – Specifies the type of authentication required for exchanging RIPv2 protocol messages. (Default: No Authentication) No Authentication: No authentication is required. Simple Password: Requires the interface to exchange routing information with other routers based on an authorized password.
Figure 347: Configuring a Network Interface for RIP
To show the network interface settings configured for RIP: Click Routing Protocol, RIP, Interface. Select Show from the Action list.
Figure 348: Showing RIP Network Interface Settings
Use the Routing Protocol >...
Rcv Bad Routes – Number of bad routes received. Send Updates – Number of route changes.
Web Interface: To display RIP interface configuration settings: Click Routing Protocol, RIP, Statistics. Select Show Interface Information from the Action list.
Figure 349: Showing RIP Interface Settings
Use the Routing Protocol >...
CHAPTER | Unicast Routing | Configuring the Open Shortest Path First Protocol (Version 2)
Figure 350: Showing RIP Peer Information
Resetting Statistics
Use the Routing Protocol > RIP > Statistics (Reset Statistics) page to reset all statistics for RIP protocol messages.
CLI References: no comparable command...
Figure 352: Configuring OSPF (figure labels: isolated stub area, virtual link, backbone, normal area, NSSA, ASBR, router, external network, Autonomous System A, Autonomous System B)
Command Usage: OSPF looks at more than just the simple hop count.
You can further optimize the exchange of OSPF traffic by specifying an area range that covers a large number of subnetwork addresses. This is an important technique for limiting the amount of traffic exchanged between Area Border Routers (ABRs).
CLI References: "router ospf" on page 1192, "network area" on page 1208
Command Usage: Specify an Area ID and the corresponding network address range for each OSPF broadcast area. Each area identifies a logical group of OSPF routers that actively exchange Link State Advertisements (LSAs) to ensure that they share an identical view of the network topology.
Web Interface: To define an OSPF area and the interfaces that operate within this area: Click Routing Protocol, OSPF, Network Area. Select Add from the Action list. Configure a backbone area that is contiguous with all the other areas in the network, and configure an area for all of the other OSPF interfaces.
Figure 356: Showing OSPF Process Identifiers
Configuring General Protocol Settings
To implement dynamic OSPF routing, first assign VLAN groups to each IP subnet to which this router will be attached (as described in the preceding section), then use the Routing Protocol >...
Auto Cost – Calculates the cost for an interface by dividing the reference bandwidth by the interface bandwidth. The reference bandwidth is defined in Mbits per second. (Range: 1-4294967) By default, the cost is 0.1 for Gigabit ports, and 0.01 for 10 Gigabit ports.
Figure 357: AS Boundary Router (figure labels: AS 1, AS 2, ASBR)
Advertise Default Route – The router can advertise a default external route into the autonomous system (AS). (Options: Not Always, Always;...
Figure 358: Configure General Settings for OSPF
Displaying Administrative Settings and...
Use the Routing Protocol > OSPF > System (Show) page to display general administrative settings and statistics for OSPF.
CLI References...
Table 33: OSPF System Information (Continued)
Parameter: ABR Status (Area Border Router). Description: Indicates if this router connects directly to networks in two or more areas. An area border router runs a separate copy of the Shortest Path First algorithm, maintaining a separate routing database for each area.
Adding an NSSA...
Use the Routing Protocol > OSPF > Area (Configure Area – Add Area) page to add a not-so-stubby area (NSSA) or a stubby area (Stub).
CLI References: "router ospf"...
To show the NSSA or stubs added to the specified OSPF domain: Click Routing Protocol, OSPF, Area. Select Configure Area from the Step list. Select Show Area from the Action list. Select a Process ID.
CLI References: "router ospf" on page 1192, "area default-cost" on page 1197, "area nssa" on page 1203
Command Usage: Before creating an NSSA, first specify the address range for the area (see "Defining Network Areas Based on Addresses"...
Redistribute – Disable this option when the router is an NSSA Area Border Router (ABR) and routes only need to be imported into normal areas (see "Redistributing External Routes" on page 577), but not into the NSSA.
Click Apply.
Figure 363: Configuring Protocol Settings for an NSSA
Configuring Stub Area Settings
Use the Routing Protocol > OSPF > Area (Configure Area – Configure Stub Area) page to configure protocol settings for a stub. A stub does not accept external routing information.
A stub can have multiple ABRs or exit points. However, all of the exit points and local routers must contain the same external routing data so that the exit point does not need to be determined for each external destination.
Figure 365: Configuring Protocol Settings for a Stub
Displaying Information on NSSA and Stub Areas
Use the Routing Protocol > OSPF > Area (Show Information) page to display protocol information on NSSA and Stub areas.
CLI References...
Figure 366: Displaying Information on NSSA and Stub Areas
Configuring Route Ranges
An OSPF area can include a large number of nodes. If the Area Border Router (ABR) has to advertise route information for each of these nodes, this wastes a lot of bandwidth and processor time.
Parameters: These parameters are displayed in the web interface: Process ID – Process ID as configured in the Network Area configuration screen (see page 560). Area ID – Identifies an area for which the routes are summarized. The area ID can be in the form of an IPv4 address, or as a four-octet unsigned integer ranging from 0-4294967295.
Select the process ID.
Figure 369: Showing Configured Route Summaries
Redistributing External Routes
Use the Routing Protocol > OSPF > Redistribute (Add) page to import external routing information from other routing protocols, static routes, or directly connected routes into the autonomous system, and to generate...
Protocol Type – Specifies the external routing protocol type for which routing information is to be redistributed into the local routing domain. (Options: RIP, Static; Default: RIP) Metric Type –...
Figure 371: Importing External Routes
To show the imported external route types: Click Routing Protocol, OSPF, Redistribute. Select Show from the Action list. Select the process ID.
Figure 372: Showing Imported External Route Types
Configuring...
Redistributing routes from other protocols into OSPF normally requires the...
CLI References: "router ospf" on page 1192, "summary-address" on page 1202
Command Usage: If you are not sure what address ranges to consolidate, first enable external route redistribution via the Redistribute configuration screen, view the routes imported into the routing table, and then configure one or more summary addresses to reduce the size of the routing table and consolidate these external routes for advertising into the local domain.
To show the summary addresses for external routes: Click Routing Protocol, OSPF, Summary Address. Select Show from the Action list. Select the process ID.
Figure 374: Showing Summary Addresses for External Routes
Configuring OSPF...
You should specify a routing interface for any local subnet that needs to...
IP Address – Address of the interfaces assigned to a VLAN on the Network Area (Add) page. This parameter only applies to the Configure by Address page. Cost –...
Transmit Delay – Sets the estimated time to send a link-state update packet over an interface. (Range: 1-65535 seconds; Default: 1 second) LSAs have their age incremented by this delay before transmission. You should consider both the transmission and propagation delays for an interface when estimating this delay.
the OSPF header when routing protocol packets are originated by this device. A different password can be assigned to each network interface, but the password must be used consistently on all neighboring routers throughout a network (that is, autonomous system).
Figure 375: Configuring Settings for All Interfaces Assigned to a VLAN
To configure interface settings for a specific area assigned to a VLAN: Click Routing Protocol, OSPF, Interface. Select Configure by Address from the Action list.
Figure 376: Configuring Settings for a Specific Area Assigned to a VLAN
To show the configuration settings for OSPF interfaces: Click Routing Protocol, OSPF, Interface. Select Show from the Action list. Select the VLAN ID.
Figure 378: Showing MD5 Authentication Keys
Configuring Virtual Links
Use the Routing Protocol > OSPF > Virtual Link (Add) and (Configure Detailed Settings) pages to configure a virtual link from an area that does not have a direct physical connection to the OSPF backbone.
CLI References: "router ospf" on page 1192, "area virtual-link" on page 1206
Command Usage: Use the Add page to create a virtual link, and then use the Configure Detailed Settings page to set the protocol timers and authentication settings for the link.
To show virtual links: Click Routing Protocol, OSPF, Virtual Link. Select Show from the Action list. Select the process ID.
Figure 381: Showing Virtual Links
To configure detailed settings for a virtual link: Click Routing Protocol, OSPF, Virtual Link.
Figure 383: Showing MD5 Authentication Keys
Displaying Link State Database
Use the Routing Protocol > OSPF > Information (LSDB) page to show the Link State Advertisements (LSAs) sent by OSPF routers advertising routes. The full collection of LSAs collected by a router interface from the attached...
CLI References: "show ip ospf database" on page 1221
Parameters: These parameters are displayed in the web interface: Process ID – Process ID as configured in the Network Area configuration screen (see page 560).
Figure 384: Displaying Information in the Link State Database
Displaying Information on Neighboring Routers
Use the Routing Protocol > OSPF > Information (Neighbor) page to display information about neighboring routers on each interface.
CLI R...
Attempt – Connection down, but attempting contact (non-broadcast networks)
Init – Have received Hello packet, but communications not yet established
Two-way – Bidirectional communications established
ExStart – Initializing adjacency between neighbors
Exchange –...
Multicast Routing
This chapter describes the following multicast routing topics:
Enabling Multicast Routing Globally – Describes how to globally enable multicast routing.
Displaying the Multicast Routing Table – Describes how to display the multicast routing table.
Configuring PIM for IPv4 –...
Chapter | Multicast Routing: Overview
PIM-DM is a simple multicast routing protocol that uses flood and prune to build a source-routed multicast delivery tree for each multicast source-group pair. As mentioned above, it does not maintain its own routing table, but instead uses the routing table provided by whatever unicast routing protocol is enabled on the router interface.
group addresses. The BSR places information about all of the candidate RPs in subsequent bootstrap messages. The BSR and all the routers receiving these messages use the same hash algorithm to elect an RP for each multicast group.
Chapter | Multicast Routing: Configuring Global Settings for Multicast Routing
data transmission delays. The switch can also be configured to use SPT only for specific multicast groups, or to disable the changeover to SPT for specific groups.
Configuring Global Settings for Multicast Routing...
Displaying the Multicast Routing Table
Use the Multicast > Multicast Routing > Information page to display information on each multicast route it has learned through PIM. The router learns multicast routes from neighboring routers, and also advertises these routes to its neighbors.
Show Details
Group Address – IP group address for a multicast service.
Source Address – Subnetwork containing the IP multicast source.
Source Mask – Network mask for the IP multicast source.
Upstream Neighbor –...
Pruned – This route has been terminated.
Registering – A downstream device is registering for a multicast source.
Web Interface
To display the multicast routing table: Click Multicast, Multicast Routing, Information. Select Show Summary from the Action List.
Chapter | Multicast Routing: Configuring PIM for IPv4
Configuring PIM for IPv4
This section describes how to configure PIM-DM and PIM-SM for IPv4.
Enabling PIM Globally
Use the Routing Protocol > PIM > General page to enable IPv4 PIM routing globally on the router.
CLI References: "router pim"...
PIM and IGMP proxy cannot be used at the same time. When an interface is set to use PIM Dense mode or Sparse mode, IGMP proxy cannot be enabled on any interface of the device (see "Configuring IGMP Snooping and Query Parameters"...
Hello messages are sent to neighboring PIM routers from which this device has received probes, and are used to verify whether or not these neighbors are still active members of the multicast tree. PIM-SM routers use these messages not only to inform neighboring routers of their presence, but also to determine which router for each LAN segment will serve as the Designated Router (DR).
The override interval and the propagation delay are used to calculate the LAN prune delay. If a downstream router has group members which want to continue receiving the flow referenced in a LAN prune delay message, then the override interval represents the time required for the downstream router to process the message and then respond by sending a Join message back to the upstream router to ensure that the...
of each router in the tree. This also enables PIM routers to recognize topology changes (sources joining or leaving a multicast group) before the default three-minute state timeout expires. This command is only effective for interfaces of first-hop PIM-DM routers that are directly connected to the sources of multicast groups.
Displaying Neighbor Information
Use the Routing Protocol > PIM > Neighbor page to display all neighboring PIM routers.
CLI References: "show ip pim neighbor" on page 1278
Parameters: These parameters are displayed in the web interface:
Address –...
Register Source – Configures the IP source address of a register message to an address other than the outgoing interface address of the DR that leads back toward the RP. (Range: VLAN 1-4094; Default: The IP address of the DR’s outgoing interface that leads back to the RP) When the source address of a register message is filtered by intermediate network devices, or is not a uniquely routed address to...
Figure 393: Configuring Global Settings for PIM-SM
Configuring a BSR Candidate
Use the Routing Protocol > PIM > SM (BSR Candidate) page to configure the switch as a Bootstrap Router (BSR) candidate.
CLI References: "ip pim bsr-candidate"...
with the same seed hash will be mapped to the same RP. If the mask length is less than 32, then only the first portion of the hash is used, and a single RP will be defined for multiple groups. (Range: 0-32; Default: 10)
Priority –...
If an IP address is specified that was previously used for an RP, then the older entry is replaced. Multiple RPs can be defined for different groups or group ranges. If a group is matched by more than one entry, the router will use the RP associated with the longer group prefix length.
Figure 395: Configuring a Static Rendezvous Point
To display static rendezvous points: Click Multicast, Multicast Routing, SM. Select RP Address from the Step list. Select Show from the Action list.
Figure 396: Showing Static Rendezvous Points
Use the Routing Protocol >...
The election process for each group is based on the following criteria:
Find all RPs with the most specific group range.
Select those with the highest priority (lowest priority value).
Compute hash value based on the group address, RP address, priority, and hash mask included in the bootstrap messages.
Figure 397: Configuring an RP Candidate
To display settings for an RP candidate: Click Multicast, Multicast Routing, PIM-SM. Select RP Candidate from the Step list. Select Show from the Action list. Select an interface from the VLAN list.
Figure 398: Showing Settings for an RP Candidate
Use the Routing Protocol >...
Priority – Priority value used by this BSR candidate.
Hash Mask Length – The number of significant bits used in the multicast group comparison mask by this BSR candidate.
Expire – The time before the BSR is declared down.
Role –...
Figure 399: Showing Information About the BSR
Displaying RP Mapping
Use the Routing Protocol > PIM > SM (Show Information – Show RP Mapping) page to display active RPs and associated multicast routing entries.
Chapter | Multicast Routing: Configuring PIMv6 for IPv6
Figure 400: Showing RP Mapping
Configuring PIMv6 for IPv6
This section describes how to configure PIM-DM for IPv6.
Enabling PIM Globally
Use the Routing Protocol > PIM6 > General page to enable IPv6 PIM routing globally on the router.
CLI References...
Configuring Interface Settings
Use the Routing Protocol > PIM6 > Interface page to configure the routing protocol’s functional attributes for each interface.
CLI References: "IPv6 PIM Commands" on page 1292
Command Usage: PIM-DM functions similarly to DVMRP by periodically flooding the network with traffic from any active multicast server.
a router does not hear from a neighbor for the period specified by the Hello Holdtime, that neighbor is dropped. This hold time is included in each hello message received from a neighbor. Note that hello messages also contain the DR priority of the router sending the message.
Propagation Delay – The time required for a LAN prune delay message to reach downstream routers. (Range: 100-5000 milliseconds; Default: 500 milliseconds)
The override interval and propagation delay are used to calculate the LAN prune delay.
Section | Command Line Interface
This section provides a detailed description of the Command Line Interface, along with examples for all of the commands. This section includes these chapters:
"General Commands" on page 639
"System Management Commands" on page 647
"SNMP Commands" on page 693
"Remote Monitoring Commands"...
"Multicast Filtering Commands" on page 999
"LLDP Commands" on page 1061
"Domain Name Service Commands" on page 1079
"DHCP Commands" on page 1089
"VRRP Commands" on page 1107
"IP Interface Commands" on page 1117
"IP Routing Commands" on page 1165
"Multicast Routing Commands"...
When finished, exit the session with the “quit” or “exit” command.
After connecting to the system through the console port, the login screen displays:
User Access Verification
Username: admin
Password:
CLI session with the DG-GS4850S/DG-GS4826S is opened.
To end the CLI session, enter [Exit].
Console#
When finished, exit the session with the “quit” or “exit” command.
After entering the Telnet command, the login screen displays:
Username: admin
Password:
CLI session with the DG-GS4850S/DG-GS4826S is opened.
To end the CLI session, enter [Exit].
Vty-0#
Chapter | Using the Command Line Interface: Entering Commands
You can open up to four sessions to the device via Telnet or SSH.
Entering Commands
This section describes how to enter CLI commands.
Keywords and Arguments
A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.
Getting Help on Commands
You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters.
Showing Commands
If you enter a “?”...
Secure shell server connections
startup-config – Startup system configuration
subnet-vlan – IP subnet-based VLAN information
system – System information
tacacs-server – TACACS server information
tech-support – Technical information
time-range – Time range
traffic-segmentation – Traffic segmentation information
users – Information about users logged in
version – System hardware and software versions...
Using Command History
The CLI maintains a history of commands that have been entered. You can scroll back through the history of commands by pressing the up arrow key. Any command displayed in the history list can be executed again, or first modified and then executed.
Entering Commands
To enter Privileged Exec mode, enter the following user names and passwords:
Username: admin
Password: [admin login password]
CLI session with the DG-GS4850S/DG-GS4826S is opened.
To end the CLI session, enter [Exit].
Console#

Username: guest
Password: [guest login password]
CLI session with the DG-GS4850S/DG-GS4826S is opened.
Multiple Spanning Tree Configuration – These commands configure settings for the selected multiple spanning tree instance.
Policy Map Configuration – Creates a DiffServ policy map for multiple interfaces.
Router Configuration – These commands configure global settings for unicast and multicast routing protocols.
For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode:
Console(config)#interface ethernet 1/5
Console(config-if)#exit
Console(config)#
Command Processing
Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them...
Chapter | Using the Command Line Interface: CLI Command Groups
CLI Command Groups
The system commands can be broken down into the functional groups shown below.
Table 37: Command Group Index (Command Group – Description – Page)
General – Basic commands for entering privileged access mode, restarting the system, or quitting the CLI
System Management – Display and setting of system information, basic modes...
Table 37: Command Group Index (Continued)
Class of Service – Sets port priority for untagged frames, selects strict priority or weighted round robin, relative weight for each priority queue, also sets priority for TCP/UDP traffic types, IP precedence, and DSCP
Quality of Service...
General Commands
These commands are used to control the command access mode, configuration mode, and other basic functions.
Table 38: General Commands (Command – Function – Mode)
prompt – Customizes the CLI prompt
reload – Restarts the system at a specified time, after a specified delay, or at a periodic interval
enable – Activates privileged mode...
Chapter | General Commands
Example:
Console(config)#prompt RD2
RD2(config)#
reload (Global Configuration)
This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time. Use the cancel option to remove a configured setting.
Command Usage: This command resets the entire system. Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten. When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config...
Example:
Console>enable
Password: [privileged level password]
Console#
Related Commands: disable (644); enable password (728)
quit
This command exits the configuration program.
Default Setting: None
Command Mode: Normal Exec, Privileged Exec
Command Usage: The quit and exit commands can both exit the configuration program.
Example: This example shows how to quit a CLI session:
Console#quit...
Example: In this example, the show history command lists the contents of the command history buffer:
Console#show history
Execution command history:
 2 config
 1 show history
Configuration command history:
 4 interface vlan 1
 3 exit
 2 interface vlan 1
 1 end
Console#
The ! command repeats commands from the Execution command history...
disable
This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See "Understanding Command Modes"...
show reload
This command displays the current reload settings, and the time at which the next scheduled reload will take place.
Command Mode: Privileged Exec
Example:
Console#show reload
Reloading switch in time: 0 hours 29 minutes.
The switch will be rebooted at January 1 02:11:50 2001.
Example: This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
Console(config)#exit
Console#exit
Press ENTER to start session
User Access Verification
Username:
System Management Commands
These commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
Table 39: System Management Commands (Command Group – Function)
Device Designation – Configures information that uniquely identifies this switch
System Status – Displays system configuration, active managers, and version information...
Chapter | System Management Commands: Device Designation
hostname
This command specifies or modifies the host name for this device. Use the no form to restore the default host name.
Syntax:
hostname name
no hostname
name - The name of this host. (Maximum length: 255 characters)
Default Setting: None...
Chapter | System Management Commands: System Status
System Status
This section describes commands used to display system information.
Table 41: System Status Commands (Command – Function – Mode)
show access-list tcam-utilization – Shows utilization parameters for TCAM
show memory – Shows memory utilization parameters – NE, PE
show process cpu – Shows CPU utilization parameters...
show memory
This command shows memory utilization parameters.
Command Mode: Normal Exec, Privileged Exec
Command Usage: This command shows the amount of memory currently free for use, the amount of memory allocated to active processes, and the total amount of system memory.
Command Usage: Use the interface keyword to display configuration data for the specified interface. Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
There are two thermal detectors in both models. The first detector is near the air flow intake vents on both models. The second detector is near the switch ASIC on the DG-GS4826S and near the physical layer ASIC on the DG-GS4850S.
Example:
Console#show tech-support
Vty-0#show system
System Description : DG-GS4850S/DG-GS4826S
System OID String : 1.3.6.1.4.1.36293.1.1.2.3
System Information
System Up Time : 0 days, 0 hours, 8 minutes, and 40.72 seconds...
Example:
Console#show users
User Name Accounts:
 User Name  Privilege  Public-Key
 ---------  ---------  ----------
 admin      15         None
 guest      0          None
 steve
Online Users:
 Line       User Name  Idle time (h:m:s)  Remote IP addr
 -------    ---------  -----------------  --------------
 * Console  admin      0:00:00
 SSH 0...
Chapter | System Management Commands: Frame Size
Frame Size
This section describes commands used to configure the Ethernet frame size on the switch.
Table 42: Frame Size Commands (Command – Function – Mode)
jumbo frame – Enables support for jumbo frames
jumbo frame
This command enables support for jumbo frames for Gigabit Ethernet ports.
Chapter | System Management Commands: Fan Control
Fan Control
This section describes the command used to force fan speed.
Table 43: Fan Control Commands (Command – Function – Mode)
fan-speed force-full – Forces fans to full speed
show system – Shows if full fan speed is enabled – NE, PE
fan-speed force-full
This command sets all fans to full speed.
Chapter | System Management Commands: File Management
Saving or Restoring Configuration Settings
Configuration settings can be uploaded and downloaded to and from an FTP/TFTP server. The configuration file can be later downloaded to restore switch settings. The configuration file can be downloaded under a new file name and then set as the startup file, or the current startup configuration file can be specified as the destination file to directly replace it.
Related Commands: dir (663); whichboot (664)
copy
This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation.
You can use “Factory_Default_Config.cfg” as the source to copy from the factory default configuration file, but you cannot use it as the destination. To replace the startup configuration, you must use startup-config as the destination.
The following example shows how to copy the running configuration to a startup file.
Console#copy running-config file
destination file name: startup
Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#
The following example shows how to download a configuration file:
Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.01...
This example shows how to copy a file to an FTP server.
Console#copy ftp file
FTP server IP address: 169.254.1.11
User[anonymous]: admin
Password[]: *****
Choose file type:
 1. config: 2. opcode: 2
Source file name: BLANC.BIX
Destination file name: BLANC.BIX
Console#
delete...
dir
This command displays a list of files in flash memory.
Syntax:
dir [unit:] {boot-rom: | config: | opcode:} [filename]
unit - Stack unit. (Range: 1-8)
boot-rom - Boot ROM (or diagnostic) image file.
config - Switch configuration file.
Chapter | System Management Commands: Line
whichboot
This command displays which files were booted when the system powered up.
Syntax:
whichboot [unit]
unit - Stack unit. (Range: 1-8)
Default Setting: None
Command Mode: Privileged Exec
Example: This example shows the information displayed by the whichboot command.
Table 46: Line Commands (Continued)
password-thresh – Sets the password intrusion threshold, which limits the number of failed logon attempts
silent-time – Sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh...
databits
This command sets the number of data bits per character that are interpreted and generated by the console port. Use the no form to restore the default value.
Syntax:
databits {7 | 8}
no databits
7 - Seven data bits per character.
Command Usage: If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated. This command applies to both the local console and Telnet connections. The timeout for Telnet cannot be disabled. Using the command without specifying a timeout restores the default setting.
This command controls login authentication via the switch itself. To configure user names and passwords for remote authentication servers, you must use the RADIUS or TACACS software installed on those servers.
Example:
Console(config-line)#login local
Console(config-line)#
Related Commands...
password
This command specifies the password for a line. Use the no form to remove the password.
Syntax:
password {0 | 7} password
no password
{0 | 7} - 0 means plain password, 7 means encrypted password
password - Character string that specifies the line password.
password-thresh
This command sets the password intrusion threshold, which limits the number of failed logon attempts. Use the no form to remove the threshold value.
Syntax:
password-thresh [threshold]
no password-thresh
threshold - The number of allowed password attempts. (Range: 1-120;...
Command Mode: Line Configuration (console only)
Example: To set the silent time to 60 seconds, enter this command:
Console(config-line)#silent-time 60
Console(config-line)#
Related Commands: password-thresh (670)
speed
This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds.
stopbits
This command sets the number of the stop bits transmitted per byte. Use the no form to restore the default setting.
Syntax:
stopbits {1 | 2}
no stopbits
1 - One stop bit
2 - Two stop bits
Default Setting...
Using the command without specifying a timeout restores the default setting.
Example: To set the timeout to two minutes, enter this command:
Console(config-line)#timeout login response 120
Console(config-line)#
disconnect
This command terminates an SSH, Telnet, or console connection.
Syntax:
disconnect session-id
session-id –...
Chapter | System Management Commands: Event Logging
Example: To show all lines, enter this command:
Console#show line
Console Configuration:
 Password Threshold : 3 times
 Inactive Timeout : Disabled
 Login Timeout : Disabled
 Silent Time : Disabled
 Baud Rate : 115200
 Data Bits
 Parity : None...
logging facility
This command sets the facility type for remote logging of syslog messages. Use the no form to return the type to the default.
Syntax:
logging facility type
no logging facility
type - A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service.
Example:
Console(config)#logging host 10.1.0.3
Console(config)#
logging on
This command controls logging of error messages, sending debug or error messages to a logging process. The no form disables the logging process.
Syntax:
[no] logging on
Default Setting: None...
Default Setting: Disabled; Level 7
Command Mode: Global Configuration
Command Usage: Using this command with a specified level enables remote logging and sets the minimum severity level to be saved. Using this command without a specified level also enables remote logging, but restores the minimum severity level to the default.
show log
This command displays the log messages stored in local memory.
Syntax:
show log {flash | ram}
flash - Event history stored in flash memory (i.e., permanent memory).
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
Example: The following example shows that system logging is enabled, the message level for flash memory is “errors” (i.e., default level 3 - 0), and the message level for RAM is “debugging” (i.e., default level 7 - 0).
Console#show logging flash
Syslog logging: Enabled...
Chapter | System Management Commands: SMTP Alerts
Command Mode: Global Configuration
Command Usage: You can specify up to three SMTP servers for event handling. However, you must enter a separate command to specify each server. To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.
Example: This example will send email alerts for system errors from level 3 through
Console(config)#logging sendmail level 3
Console(config)#
logging sendmail
This command specifies the email recipients of alert messages. Use the no form to remove a recipient.
Chapter | System Management Commands: Time
Command Usage: You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch.
Example:
Console(config)#logging sendmail source-email bill@this-company.com
Console(config)#
show logging sendmail
This command displays the settings for the SMTP event handler.
Command Mode: Normal Exec, Privileged Exec...
Table 52: Time Commands (Continued)
Manual Configuration Commands
clock timezone – Sets the time zone for the switch’s internal clock
calendar set – Sets the system date and time
show calendar – Displays the current date and time setting – NE, PE
sntp client
This command enables SNTP client requests for time synchronization from...
sntp poll
This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default.
Syntax:
sntp poll seconds
no sntp poll
seconds - Interval between time requests.
Example:
Console(config)#sntp server 10.1.0.19
Console#
Related Commands: sntp client (685); sntp poll (686); show sntp (687)
show sntp
This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated.
Default Setting: None
Command Mode: Global Configuration
Command Usage: This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
Chapter | System Management Commands: Time Range
Example: This example shows how to set the system clock to 15:12:34, February 1st, 2002.
Console#calendar set 15:12:34 1 February 2002
Console#
show calendar
This command displays the system clock.
Default Setting: None
Command Mode: Normal Exec, Privileged Exec
Example...
Default Setting: None
Command Mode: Global Configuration
Command Usage: This command sets a time range for use by other functions, such as Access Control Lists.
Example:
Console(config)#time-range r&d
Console(config-time-range)#
Related Commands: Access Control Lists (823)
absolute
This command sets the time range for the execution of a command.
Example: This example configures the time for the single occurrence of an event.
Console(config)#time-range r&d
Console(config-time-range)#absolute start 1 1 1 april 2009 end 2 1 1 april 2009
Console(config-time-range)#
periodic
This command sets the time range for the periodic execution of a command.
show time-range
This command shows configured time ranges.
Syntax:
show time-range [name]
name - Name of the time range. (Range: 1-30 characters)
Default Setting: None
Command Mode: Privileged Exec
Example:
Console#show time-range r&d
Time-range r&d:
 absolute start 01:01 01 April 2009
 periodic Daily 01:01 to...
SNMP Commands
Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
Chapter | SNMP Commands
Table 54: SNMP Commands (Continued) (Command – Function – Mode)
Notification Log Commands
Enables the specified notification log
snmp-server notify-filter – Creates a notification log and specifies the target host – GC
show nlm oper-status – Shows operation status of configured notification logs – PE
show snmp notify-filter – Displays the configured notification logs
ATC Trap Commands...
| SNMP Commands HAPTER snmp-server This command defines community access strings used to authorize management access by clients using SNMP v1 or v2c. Use the no form to community remove the specified community string. YNTAX snmp-server community string [ro | rw] no snmp-server community string string - Community string that acts like a password and permits access to the SNMP protocol.
| SNMP Commands HAPTER XAMPLE Console(config)#snmp-server contact Paul Console(config)# ELATED OMMANDS snmp-server location (696) snmp-server This command sets the system location string. Use the no form to remove the location string. location YNTAX snmp-server location text no snmp-server location text - String that describes the system location. (Maximum length: 255 characters) EFAULT ETTING...
| SNMP Commands HAPTER Console#show snmp SNMP Agent : Enabled SNMP Traps : Authentication : Enabled Link-up-down : Enabled SNMP Communities : 1. public, and the access level is read-only 2. private, and the access level is read/write 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supplied...
| SNMP Commands HAPTER no keywords, both authentication and link-up-down notifications are enabled. If you enter the command with a keyword, only the notification type related to that keyword is enabled. The snmp-server enable traps command is used in conjunction with snmp-server host command.
Page 699
| SNMP Commands HAPTER prior to using the snmp-server host command. (Maximum length: 32 characters) version - Specifies whether to send notifications as SNMP Version 1, 2c or 3 traps. (Range: 1, 2c, 3; Default: 1) auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy.
Page 700
| SNMP Commands HAPTER To send an inform to a SNMPv2c host, complete these steps: Enable the SNMP agent (page 694). Create a view with the required notification messages (page 704). Create a group that includes the required notify view (page 702).
| SNMP Commands HAPTER snmp-server This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default. engine-id YNTAX snmp-server engine-id {local | remote {ip-address}} engineid-string no snmp-server engine-id {local | remote {ip-address}} local - Specifies the SNMP engine on this switch. remote - Specifies an SNMP engine on a remote device.
| SNMP Commands HAPTER ELATED OMMANDS snmp-server host (698) snmp-server group This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group. YNTAX snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] no snmp-server group groupname groupname - Name of an SNMP group.
| SNMP Commands HAPTER XAMPLE Console(config)#snmp-server group r&d v3 auth write daily Console(config)# snmp-server user This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group.
| SNMP Commands HAPTER Remote users (i.e., the command specifies a remote engine identifier) must be configured to identify the source of SNMPv3 inform messages sent from the local switch. The SNMP engine ID is used to compute the authentication/privacy digests from the password.
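The last sentence is why the snmp-server engine-id command matters for SNMPv3 users: the User-based Security Model (RFC 3414) never uses the password directly but derives a key from it and then binds that key to one engine ID, so a user defined against the wrong engine ID fails authentication even with the right password. The following added example, not code from the manual or the switch, carries out that derivation with Python's hashlib; it uses the RFC 3414 Appendix A test vector (password "maplesyrup", engine ID 00...02) so the result can be checked against the RFC, plus one constructed engine ID to show that the localized key differs per engine.

```python
import hashlib

# Added example, not the switch's code: the RFC 3414 (USM) procedure that
# turns a user's password into the per-engine localized key the page refers
# to. RFC3414_ENGINE_ID is the RFC's own test vector; OTHER_ENGINE_ID is a
# constructed value used only to show that localization differs per engine.

RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")   # RFC 3414 A.3
OTHER_ENGINE_ID = bytes.fromhex("800000020109840301")            # constructed

SUPPORTED = {"md5", "sha1"}


def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """Ku: hash the password repeated out to exactly 1 MiB (RFC 3414 A.2)."""
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported algorithm {algo!r}")
    if not password:
        raise ValueError("empty password")
    total = 1_048_576
    reps = total // len(password) + 1
    stream = (password * reps)[:total]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one SNMP engine."""
    if not 5 <= len(engine_id) <= 32:          # RFC 3411 length bounds
        raise ValueError("snmpEngineID must be 5..32 octets")
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Full derivation: password -> Ku -> Kul for the given engine."""
    return localize_key(password_to_key(password, algo), engine_id, algo)


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(algo, localized_key(b"maplesyrup", RFC3414_ENGINE_ID, algo).hex())
    print("other engine", localized_key(b"maplesyrup", OTHER_ENGINE_ID).hex())
```

Two consequences for operating the switch follow directly from the code: changing the local engine ID after users are created invalidates every existing SNMPv3 user's keys, and a "remote" engine ID entered for an inform target must match that target's actual snmpEngineID byte for byte or the informs are rejected there.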
Command Usage: Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree. The predefined view "defaultview" includes access to the entire MIB tree.
Examples: This view includes MIB-2.
Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included
Console(config)#
This view includes the MIB-2 interfaces table, ifDescr.

Table 55: show snmp engine-id - display description (Continued)
Field - Description
Remote SNMP engineID - String identifying an engine ID on a remote device.
IP address - IP address of the device containing the corresponding remote SNMP engine.

show snmp group: Four default groups are provided ...

Table 56: show snmp group - display description
Field - Description
Group Name - Name of an SNMP group.
Security Model - The SNMP version.
Read View - The associated read view.
Write View - The associated write view.
Notify View - The associated notify view.

show snmp view: This command shows information on the SNMP views.
Command Mode: Privileged Exec
Example:
Console#show snmp view
View Name : mib-2
Subtree OID : 1.2.2.3.6.2.1
View Type : included
Storage Type : nonvolatile
Row Status : active
View Name : defaultview ...

Disabling logging with this command does not delete the entries stored in the notification log.
Example: This example enables the notification log A1.
Console(config)#nlm A1
Console(config)#

snmp-server notify-filter: This command creates an SNMP notification log. Use the no form to remove this log.

To avoid this problem, notification logging should be configured and enabled using the snmp-server notify-filter and nlm commands, and these commands stored in the startup configuration file. Then, when the switch reboots, SNMP traps (such as warm start) can be logged.

show snmp notify-filter: This command displays the configured notification logs.
Command Mode: Privileged Exec
Example: This example displays the configured notification logs and associated target hosts.
Console#show snmp notify-filter
Filter profile name          IP address
---------------------------- ----------------
                             10.1.19.23
Console#
Remote Monitoring Commands

Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.

rmon alarm: This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm.
Syntax:
rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name]
no rmon event index
index - ...

If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold.
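The paragraph above describes the hysteresis that keeps an RMON alarm from flapping: once a falling event fires, no second falling event is possible until the variable has first climbed to the rising threshold, and symmetrically for rising events. The following is an added example, not code from the manual or the switch: a model of that alarm logic in the shape of an RFC 2819 alarm entry, with both absolute and delta sampling. Startup behaviour is assumed to be "risingOrFalling" (the first qualifying sample may raise either event); the thresholds in the demonstration are the ones from the "show rmon alarms" output later in this chapter, and the counter readings are constructed.

```python
# Added example, not the switch's code: the rising/falling threshold
# hysteresis described for rmon alarm. Startup behaviour is assumed to be
# "risingOrFalling" (the first qualifying sample may raise either event).

class RmonAlarm:
    def __init__(self, rising, falling, sample_type="absolute"):
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        self.rising, self.falling = rising, falling
        self.sample_type = sample_type
        self.last_raw = None        # previous raw reading (delta mode only)
        self.last_value = None      # last compared value, as "show rmon alarms" reports
        self.armed_rising = True    # a rising event may fire
        self.armed_falling = True   # a falling event may fire

    def sample(self, raw):
        """Feed one reading; return 'rising', 'falling' or None."""
        if self.sample_type == "delta":
            if self.last_raw is None:          # two raw samples are needed for a delta
                self.last_raw = raw
                return None
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw
        self.last_value = value
        if value >= self.rising:
            event = "rising" if self.armed_rising else None
            self.armed_rising = False           # no repeat until we fall back down
            self.armed_falling = True           # crossing up re-arms the falling event
            return event
        if value <= self.falling:
            event = "falling" if self.armed_falling else None
            self.armed_falling = False
            self.armed_rising = True
            return event
        return None                             # between thresholds: nothing changes


def run_alarm(readings, rising, falling, sample_type="absolute"):
    """Apply a sequence of readings and return the event (or None) per reading."""
    alarm = RmonAlarm(rising, falling, sample_type)
    return [alarm.sample(r) for r in readings]


if __name__ == "__main__":
    # Thresholds from the manual's "show rmon alarms" output; readings constructed.
    print(run_alarm([0, 1_000_000, 2_000_000, 2_100_000, 2_200_000, 3_200_000],
                    rising=892800, falling=446400, sample_type="delta"))
```

The delta run is the realistic case for octet counters: a single interval of heavy traffic raises one event, a sustained burst raises none, and only after the rate drops to the falling threshold does the next burst count again, which is what keeps a trap manager from being flooded.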
The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager.
Example:
Console(config)#rmon event 2 log description urgent owner mike
Console(config)#

rmon collection history: This command periodically samples statistics on a physical interface.

Example:
Console(config)#interface ethernet 1/1
Console(config-if)#rmon collection history 21 buckets 24 interval 60 owner mike
Console(config-if)#

rmon collection rmon1: This command enables the collection of statistics on a physical interface. Use the no form to disable statistics collection.
Syntax: rmon collection rmon1 controlEntry index [owner name] ...

show rmon alarms: This command shows the settings for all configured alarms.
Command Mode: Privileged Exec
Example:
Console#show rmon alarms
Alarm 1 is valid, owned by
Monitors 1.3.6.1.2.1.16.1.1.1.6.1 every 30 seconds
Taking delta samples, last value was 0
Rising threshold is 892800, assigned to event 0
Falling threshold is 446400, assigned to event 0

show rmon events ...

show rmon statistics: This command shows the information collected for all configured entries in the statistics group.
Command Mode: Privileged Exec
Example:
Console#show rmon statistics
Interface 1 is valid, and owned by
Monitors 1.3.6.1.2.1.2.2.1.1.1 which has
Received 164289 octets, 2372 packets,
120 broadcast and 2211 multicast packets,
0 undersized and 0 oversized packets, ...
sFlow Sampling Commands

Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.

... One double colon may be used to indicate the appropriate number of zeros required to fill the undefined fields.
destination-udp-port - The UDP port on which the Collector is listening for sFlow streams. (Range: 0-65534)
Default Setting: IP Address: null ...

sflow max-header-size: This command configures the maximum size of the sFlow datagram header. Use the no form to restore the default setting.
Syntax:
sflow max-header-size max-header-size
no max-header-size
max-header-size - The maximum size of the sFlow datagram header.

sflow sample: This command configures the packet sampling rate. Use the no form to restore the default rate.
Syntax:
sflow sample rate
no sflow sample
rate - The packet sampling rate, or the number of packets out of which one sample will be taken.

sflow timeout: This command configures the length of time samples are sent to the Collector before resetting all sFlow port parameters. Use the no form to restore the default timeout.
Syntax:
sflow timeout seconds
no sflow timeout
seconds - The length of time the sFlow process continuously sends samples to the Collector before resetting all sFlow port parameters.

Command Mode: Privileged Exec
Example:
Console#show sflow interface ethernet 1/9
Interface of Ethernet
Interface status : Enabled
Owner name : Lamar
Owner destination : 192.168.0.4
Owner socket port : 6343
Time out : 9994
Maximum header size : 256
Maximum datagram size : 1500
Sample rate ...
Authentication Commands

You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.

User Accounts

enable password: After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.

username: This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name.

Authentication Sequence

Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence.
Table 64: Authentication Sequence Commands
Command - Function - Mode ...

Example:
Console(config)#authentication enable radius
Console(config)#
Related Commands: enable password - sets the password for changing command modes (728)

authentication login: This command defines the login authentication method and precedence. Use the no form to restore the default.
Syntax:
authentication login {[local] [radius] [tacacs]}
no authentication login ...
Related Commands: username - for setting the local user names and passwords (729)

RADIUS Client

Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network.

radius-server auth-port: This command sets the RADIUS server network port. Use the no form to restore the default.
Syntax:
radius-server auth-port port-number
no radius-server auth-port
port-number - RADIUS server UDP port used for authentication messages.

Default Setting:
Command Mode: Global Configuration
Example:
Console(config)#radius-server retransmit 5
Console(config)#

radius-server timeout: This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default.
Syntax:
radius-server timeout number-of-seconds
no radius-server timeout
number-of-seconds - Number of seconds the switch waits for a ...

Retransmit Times
Request Timeout
Server 1:
Server IP Address : 192.168.1.1
Auth-port : 1812
Acct-port : 1813
Retransmit Times
Request Timeout
Radius Server Group:
Group Name                Member Index
------------------------- -------------
radius
Console#

TACACS+ Client

Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to ...

key - Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string. (Maximum length: 48 characters)
port-number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535)
Default Setting: 10.11.12.13 ...

Default Setting: None
Command Mode: Global Configuration
Example:
Console(config)#tacacs-server key green
Console(config)#

tacacs-server port: This command specifies the TACACS+ server network port. Use the no form to restore the default.
Syntax:
tacacs-server port port-number
no tacacs-server port
port-number - TACACS+ server TCP port used for authentication messages.

Server 1:
Server IP Address : 10.11.12.13
Server Port Number : 49
Tacacs Server Group:
Group Name                Member Index
------------------------- -------------
tacacs+
Console#

The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network.

method-name - Specifies an accounting method for service requests. (Range: 1-255 characters)
start-stop - Records accounting from starting point and stopping point.
group - Specifies the server group to use.
tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.

group - Specifies the server group to use.
radius - Specifies all RADIUS hosts configured with the radius-server host command.
tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.
server-group - Specifies the name of a server group configured with the aaa group server command.

Using the command without specifying an interim interval enables updates, but does not change the current interval setting.
Example:
Console(config)#aaa accounting update periodic 30
Console(config)#

aaa authorization: This command enables the authorization for Exec access. Use the no form to disable the authorization service.

aaa group server: Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command.
Syntax: [no] aaa group server {radius | tacacs+} group-name
radius - Defines a RADIUS server group.

Example:
Console(config)#aaa group server radius tps
Console(config-sg-radius)#server 10.2.68.120
Console(config-sg-radius)#

accounting dot1x: This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface.
Syntax:
accounting dot1x {default | list-name}
no accounting dot1x
default - Specifies the default method list created with the accounting dot1x ...

Example:
Console(config)#line console
Console(config-line)#accounting exec tps
Console(config-line)#exit
Console(config)#line vty
Console(config-line)#accounting exec default
Console(config-line)#

authorization exec: This command applies an authorization method to local console, Telnet or SSH connections. Use the no form to disable authorization on the line.
Syntax:
authorization exec {default | list-name}
no authorization exec ...

statistics - Displays accounting records.
user-name - Displays accounting records for a specified username.
interface ethernet unit/port
unit - Stack unit. (Range: 1-8)
port - Port number. (EC-S4626F: 1-26, EC-S4650F: 1-50)
Default Setting: None
Command Mode: Privileged Exec
Example ...
Web Server

ip http port: This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port.
Syntax:
ip http port port-number
no ip http port
port-number - The TCP port to be used by the browser interface.

ip http secure-server: This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted server connection) to the switch's web interface. Use the no form to disable this function.

To specify a secure-site certificate, see "Replacing the Default Secure-site Certificate" on page 306. Also refer to the copy tftp https-certificate command.
Example:
Console(config)#ip http secure-server
Console(config)#
Related Commands:
ip http secure-port (750)
copy tftp https-certificate (659)
show system (653)

Telnet Server

This section describes commands used to configure Telnet management access to the switch.
Table 70: Telnet Server Commands
Command - Function - Mode
ip telnet max-sessions - Specifies the maximum number of Telnet sessions that can simultaneously connect to this system
ip telnet port - Specifies the port to be used by the Telnet interface ...

ip telnet port: This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port.
Syntax:
ip telnet port port-number
no telnet port
port-number - The TCP port number to be used by the Telnet interface.

show ip telnet: This command displays the configuration settings for the Telnet server.
Command Mode: Normal Exec, Privileged Exec
Example:
Console#show ip telnet
IP Telnet Configuration:
Telnet Status: Enabled
Telnet Service Port: 23
Telnet Max Session: 4
Console#

Secure Shell
Table 71: Secure Shell Commands (Continued)
Command - Function - Mode
show ssh - Displays the status of current SSH sessions
show users - Shows SSH users, including privilege level and public key type

Configuration Guidelines
The SSH server on this switch supports both password and public key authentication.

Set the Optional Parameters - Set other optional parameters, including the authentication timeout, the number of retries, and the server key size.
Enable SSH Service - Use the ip ssh server command to enable the SSH server on the switch.

The client sends a signature generated using the private key to the switch. When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct.

Command Mode: Global Configuration
Command Usage: The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions. The SSH server uses DSA or RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.

ip ssh timeout: This command configures the timeout for the SSH server. Use the no form to restore the default setting.
Syntax:
ip ssh timeout seconds
no ip ssh timeout
seconds - The timeout for client response during SSH negotiation. (Range: 1-120)
Default Setting ...

Example:
Console#delete public-key admin dsa
Console#

ip ssh crypto host-key generate: This command generates the host key pair (i.e., public and private).
Syntax: ip ssh crypto host-key generate [dsa | rsa]
dsa - DSA (Version 2) key type.
rsa - ...

Related Commands: ip ssh crypto host-key generate (759)

show ip ssh: This command displays the connection settings used when authenticating client access to the SSH server.
Command Mode: Privileged Exec
Example:
Console#show ip ssh
SSH Enabled - Version 2.0
Negotiation Timeout : 120 seconds; ...
802.1X Port Authentication

The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).

Example:
Console(config)#dot1x default
Console(config)#

dot1x eapol-pass-through: This command passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled. Use the no form to restore the default.
Syntax: [no] dot1x eapol-pass-through
Default ...

Command Mode: Global Configuration
Example:
Console(config)#dot1x system-auth-control
Console(config)#

dot1x intrusion-action: This command sets the port's response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default.

Default Setting:
Command Mode: Interface Configuration
Example:
Console(config)#interface eth 1/2
Console(config-if)#dot1x max-req 2
Console(config-if)#

dot1x operation-mode: This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default, single-host mode.

Example:
Console(config)#interface eth 1/2
Console(config-if)#dot1x operation-mode multi-host max-count 10
Console(config-if)#

dot1x port-control: This command sets the dot1x mode on a port interface. Use the no form to restore the default.
Syntax:
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control
auto - ...

... transparently by the dot1x client software. Only if re-authentication fails is the port blocked. The connected client is re-authenticated after the interval specified by the dot1x timeout re-authperiod command. The default is 3600 seconds.
Example:
Console(config)#interface eth 1/2
Console(config-if)#dot1x re-authentication ...

Default Setting: 3600 seconds
Command Mode: Interface Configuration
Example:
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout re-authperiod 300
Console(config-if)#

dot1x timeout supp-timeout: This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet.

dot1x timeout tx-period: This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value.
Syntax:
dot1x timeout tx-period seconds
no dot1x timeout tx-period ...

show dot1x: This command shows general port authentication related settings on the switch or a specific interface.
Syntax: show dot1x [statistics] [interface interface]
statistics - Displays dot1x status for each port.
interface ethernet unit/port
unit - Stack unit.

Operation Mode - Shows if single or multiple hosts (clients) can connect to an 802.1X-authorized port.
Port Control - Shows the dot1x mode on a port as auto, force-authorized, or force-unauthorized (page 767).
Intrusion Action - Sets the port response to intrusion when authentication fails (page 765).

Quiet Period : 60
TX Period : 30
Supplicant Timeout : 30
Server Timeout : 10
Reauth Max Retries
Max Request
Operation Mode : Multi-host
Port Control : Auto
Intrusion Action : Block traffic
Supplicant : 00-17-7c-94-34-65
Authenticator PAE State Machine ...

Management IP Filter

management: This command specifies the client IP addresses that are allowed management access to the switch through various protocols. Use the no form to restore the default setting.
Syntax: [no] management {all-client | http-client | snmp-client | telnet-client} start-address [end-address]
all-client - Adds IP address(es) to all groups.

show management: This command displays the client IP addresses that are allowed management access to the switch through various protocols.
Syntax: show management {all-client | http-client | snmp-client | telnet-client}
all-client - Displays IP addresses for all groups.
http-client - Displays IP addresses for the web group.
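The management command above builds a per-protocol allowlist of management stations. The following is an added example, not code from the manual or the switch: a model of that filter that reads management lines from a running-config fragment and answers whether a given source address may reach a given management protocol. Two points are assumptions rather than statements on the page: a group with no entries admits any station (the default before any management command is entered), and an entry with only a start address covers that single address. The config fragment is constructed for the demonstration.

```python
import ipaddress

# Added example, not the switch's code: a model of the management IP filter
# configured with the "management" command. Assumed semantics: a protocol
# group with no entries admits any station (the default); "all-client"
# entries go into every group; an entry is one address or an inclusive range.

GROUPS = ("http", "snmp", "telnet")


class ManagementFilter:
    def __init__(self):
        self.rules = {g: [] for g in GROUPS}

    def add(self, client, start, end=None):
        lo = ipaddress.ip_address(start)
        hi = ipaddress.ip_address(end) if end else lo
        if hi.version != lo.version or hi < lo:
            raise ValueError(f"bad range {start}-{end}")
        if client == "all-client":
            groups = GROUPS
        elif client.endswith("-client") and client[:-7] in GROUPS:
            groups = (client[:-7],)
        else:
            raise ValueError(f"unknown client group {client!r}")
        for g in groups:
            self.rules[g].append((lo, hi))

    def load(self, config_lines):
        """Read 'management <group> <start> [end]' lines; other lines are ignored."""
        for line in config_lines:
            parts = line.split()
            if len(parts) in (3, 4) and parts[0] == "management":
                self.add(*parts[1:])

    def permitted(self, protocol, source):
        ranges = self.rules[protocol]
        if not ranges:                       # no filter: open to all stations
            return True
        ip = ipaddress.ip_address(source)
        return any(lo <= ip <= hi for lo, hi in ranges
                   if lo.version == ip.version)


# Constructed running-config fragment for the demonstration.
SAMPLE_CONFIG = """
hostname Console
management all-client 10.10.10.10
management telnet-client 192.168.1.10 192.168.1.20
"""


def load_sample():
    f = ManagementFilter()
    f.load(SAMPLE_CONFIG.splitlines())
    return f


if __name__ == "__main__":
    f = load_sample()
    for proto, src in (("telnet", "192.168.1.15"), ("telnet", "10.0.0.5"),
                       ("http", "10.10.10.10"), ("http", "192.168.1.15")):
        print(proto, src, "permitted" if f.permitted(proto, src) else "denied")
```

The model makes the operational trap visible: because an empty group is wide open, adding a telnet-client entry restricts Telnet only, and HTTP and SNMP stay reachable from anywhere until they get entries of their own (here the all-client line supplies them).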
General Security Measures

This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to these methods, several other options for providing client security are described in this chapter.

Port Security

These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.

The mac-learning commands cannot be used if 802.1X Port Authentication has been globally enabled on the switch with the dot1x system-auth-control command, or if MAC Address Security has been enabled by the port security command on the same interface.

... addresses when it reaches a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted. First use the port security max-mac-count command to set the number of addresses, and then use the port security command to enable security on the port.

Network Access (MAC Address Authentication)

Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server.

network-access aging: Use this command to enable aging for authenticated MAC addresses stored in the secure MAC address table. Use the no form of this command to disable address aging.
Syntax: [no] network-access aging
Default ...

Command Mode: Global Configuration
Command Usage: Specified addresses are exempt from network access authentication. This command is different from configuring static addresses with the mac-address-table static command in that it allows you to configure a range of addresses when using a mask, and then to assign these addresses to one or more ports with the network-access port-mac-filter ...

network-access dynamic-qos: Use this command to enable the dynamic QoS feature for an authenticated port. Use the no form to restore the default.
Syntax: [no] network-access dynamic-qos
Default Setting: Disabled
Command Mode: Interface Configuration
Command ...

Example: The following example enables the dynamic QoS feature on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#network-access dynamic-qos
Console(config-if)#

network-access dynamic-vlan: Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment.
Syntax: [no] network-access dynamic-vlan ...

network-access guest-vlan: Use this command to assign all traffic on a port to a guest VLAN when 802.1x authentication is rejected. Use the no form of this command to disable guest VLAN assignment.
Syntax:
network-access guest-vlan vlan-id
no network-access guest-vlan ...

network-access link-detection link-down: Use this command to detect link-down events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.

Example:
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-up action trap
Console(config-if)#

network-access link-detection link-up-down: Use this command to detect link-up and link-down events. When either event is detected, the switch can shut down the port, send an SNMP trap, or both.

Command Mode: Interface Configuration
Command Usage: The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.

When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored. The RADIUS server may optionally return a VLAN identifier list. The VLAN identifier list is carried in the "Tunnel-Private-Group-ID" ...

mac-authentication intrusion-action: Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default.
Syntax:
mac-authentication intrusion-action {block traffic | pass traffic}
no mac-authentication intrusion-action
Default Setting ...

show network-access: Use this command to display the MAC authentication settings for port interfaces.
Syntax: show network-access [interface interface]
interface - Specifies a port interface.
ethernet unit/port
unit - Stack unit. (Range: 1-8)
port - Port number.

show network-access mac-filter: Use this command to display information for entries in the MAC filter tables.
Syntax: show network-access mac-filter [filter-id]
filter-id - Specifies a MAC address filter table. (Range: 1-64)
Default Setting: Displays all filters.

Web Authentication

Table 79: Web Authentication (Continued)
Command - Function - Mode
web-auth system-auth-control - Enables web authentication globally for the switch
web-auth - Enables web authentication for an interface
web-auth re-authenticate (Port) - Ends all web authentication sessions on the port and forces the users to re-authenticate
web-auth re-authenticate (IP) ...

web-auth quiet-period: This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.
Syntax:
web-auth quiet-period time
no web-auth quiet-period ...

web-auth system-auth-control: This command globally enables web authentication for the switch. Use the no form to restore the default.
Syntax: [no] web-auth system-auth-control
Default Setting: Disabled
Command Mode: Global Configuration
Command Usage: Both web-auth system-auth-control for the switch and web-auth for an interface must be enabled for the web authentication feature to be active.

web-auth re-authenticate (Port): This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.
Syntax: web-auth re-authenticate interface interface
interface - Specifies a port interface.
ethernet unit/port
unit - This is unit 1.
| General Security Measures HAPTER Web Authentication show web-auth This command displays global web authentication parameters. OMMAND Privileged Exec XAMPLE Console#show web-auth Global Web-Auth Parameters System Auth Control : Enabled Session Timeout : 3600 Quiet Period : 60 Max Login Attempts Console# show web-auth This command displays interface-specific web authentication parameters...
| General Security Measures HAPTER DHCP Snooping show web-auth This command displays a summary of web authentication port parameters and statistics. summary OMMAND Privileged Exec XAMPLE Console#show web-auth summary Global Web-Auth Parameters System Auth Control : Enabled Port Status Authenticated Host Count ---- ------ ------------------------...
| General Security Measures HAPTER DHCP Snooping ip dhcp snooping This command enables DHCP snooping globally. Use the no form to restore the default setting. YNTAX [no] ip dhcp snooping EFAULT ETTING Disabled OMMAND Global Configuration OMMAND SAGE Network traffic may be disrupted when malicious DHCP messages are received from an outside source.
If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table. If the DHCP packet is from a client, such as a DISCOVER, REQUEST, INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC address verification is disabled (as specified by the...

ip dhcp snooping database flash: This command writes all dynamically learned snooping entries to flash memory. COMMAND MODE: Privileged Exec. COMMAND USAGE: This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory.

Use the ip dhcp snooping information option command to specify how to handle DHCP client request packets which already contain Option 82 information. EXAMPLE: This example enables the DHCP Snooping Information Option.
Console(config)#ip dhcp snooping information option
Console(config)#

ip dhcp snooping ...: This command sets the DHCP snooping information option policy for DHCP...

ip dhcp snooping verify mac-address: This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable this function. SYNTAX: [no] ip dhcp binding verify mac-address. DEFAULT...

When DHCP snooping is globally disabled, DHCP snooping can still be configured for specific VLANs, but the changes will not take effect until DHCP snooping is globally re-enabled. When DHCP snooping is globally enabled, configuration changes for specific VLANs have the following effects: If DHCP snooping is disabled on a VLAN, all dynamic bindings learned for this VLAN are removed from the binding table.

When an untrusted port is changed to a trusted port, all the dynamic DHCP snooping bindings associated with this port are removed. Additional considerations when the switch itself is a DHCP client: the port(s) through which it submits a client request to the DHCP server must be configured as trusted.

show ip dhcp snooping: This command shows the DHCP snooping configuration settings. COMMAND MODE: Privileged Exec. EXAMPLE:
Console#show ip dhcp snooping
Global DHCP Snooping status: disable
DHCP Snooping Information Option Status: disable
DHCP Snooping Information Policy: replace
DHCP Snooping is configured on the following VLANs:
Verify Source Mac-Address: enable
Interface...

General Security Measures | IP Source Guard

IP SOURCE GUARD: IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see "DHCP Snooping"...
COMMAND MODE: Global Configuration. COMMAND USAGE: Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier. All static entries are configured with an infinite lease time, which is indicated with a value of zero by the show ip source-guard command...
ip source-guard: This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function. SYNTAX: ip source-guard {sip | sip-mac}; no ip source-guard. sip - Filters traffic based on IP addresses stored in the binding...

Filtering rules are implemented as follows: If DHCP snooping is disabled (see page 801), IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.

COMMAND USAGE: This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping and static entries set by the source-guard command.

General Security Measures | ARP Inspection

Table 82: ARP Inspection Commands (Continued)
Command | Function
show ip arp inspection statistics | Shows statistics about the number of ARP packets processed, or dropped for various reasons
show ip arp inspection vlan | Shows configuration settings for VLANs, including ARP Inspection status, the ARP ACL name, and if the DHCP Snooping database is used after ACL validation...

ip arp inspection filter: This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding. SYNTAX: ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range} [static]. arp-acl-name - Name of an ARP ACL.

ip arp inspection log-buffer logs: This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings. SYNTAX: ip arp inspection log-buffer logs message-number interval seconds; no ip arp inspection log-buffer logs...

ip arp inspection validate: This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting. SYNTAX: ip arp inspection validate {dst-mac [ip] [src-mac] | ip [src-mac] | src-mac}; no ip arp inspection validate. dst-mac - Checks the destination MAC address in the Ethernet...

DEFAULT SETTING: Disabled on all VLANs. COMMAND MODE: Global Configuration. COMMAND USAGE: When ARP Inspection is enabled globally with the ip arp inspection command, it becomes active only on those VLANs where it has been enabled with this command.

COMMAND MODE: Interface Configuration (Port). COMMAND USAGE: This command only applies to untrusted ports. When the rate of incoming ARP packets exceeds the configured limit, the switch drops all ARP packets in excess of the limit. EXAMPLE:
Console(config)#interface ethernet 1/1
Console(config-if)#ip arp inspection limit 150...

EXAMPLE:
Console#show ip arp inspection configuration
ARP inspection global information:
Global IP ARP Inspection status : disabled
Log Message Interval : 10 s
Log Message Number
Need Additional Validation(s) : Yes
Additional Validation Type : Destination MAC address
Console#

show ip arp...

show ip arp inspection statistics: This command shows statistics about the number of ARP packets processed, or dropped for various reasons. COMMAND MODE: Privileged Exec. EXAMPLE:
Console#show ip arp inspection log
Total log entries number is 1
Num VLAN Port Src IP Address Dst IP Address Src MAC Address...

ACCESS CONTROL LISTS: Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, next header type, or flow label), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port.

Access Control Lists | IPv4 ACLs

access-list ip: This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL. SYNTAX: [no] access-list ip {standard | extended} acl-name. standard -...

permit, deny (Standard IP ACL): This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. SYNTAX: {permit | deny} {any | source bitmask | host source} [time-range time-range-name]...

permit, deny (Extended IPv4 ACL): This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
port-bitmask - Decimal number representing the port bits to match. (Range: 0-65535). control-flags - Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63). flag-bitmask -...

EXAMPLE: This example accepts any incoming packets if the source address is within subnet 10.7.1.x. The rule is matched when the masked rule address (10.7.1.0 & 255.255.255.0) equals the masked packet source address (10.7.1.2 & 255.255.255.0), so the packet passes through.
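As an added worked example (not code from the manual or the switch firmware), the following Python models how a standard IPv4 ACL of this kind decides a packet: a rule matches when the rule address and the packet source address are equal under the rule's bitmask, which also covers a non-contiguous mask such as the 255.255.15.0 in the "david" ACL shown in the show ip access-list output; host and any are modelled as all-ones and all-zero masks, and the top-to-bottom, first-match, implicit-deny evaluation is an assumption of the example, not something this page states.

```python
"""Model of standard IPv4 ACL matching with address/bitmask rules.

Added example, not code from the switch or its manual. Assumptions are
marked in comments.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def _to_int(dotted: str) -> int:
    """Convert a dotted-quad address or mask to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


@dataclass(frozen=True)
class StandardRule:
    """One 'permit'/'deny' line of a standard IPv4 ACL."""
    action: str     # "permit" or "deny"
    address: int    # rule address as a 32-bit integer
    bitmask: int    # bits that must match (1 = compare, 0 = ignore)
    text: str       # the CLI line the rule came from

    def matches(self, src: int) -> bool:
        # The manual's condition: (rule address & mask) == (packet source & mask).
        return (self.address & self.bitmask) == (src & self.bitmask)


def parse_rule(line: str) -> StandardRule:
    """Parse '{permit|deny} {any | source bitmask | host source}'.

    The optional time-range keyword from the manual's syntax is not modelled.
    """
    parts = line.split()
    if len(parts) < 2 or parts[0] not in ("permit", "deny"):
        raise ValueError(f"bad rule: {line!r}")
    action, rest = parts[0], parts[1:]
    if rest[0] == "any":
        address, bitmask = 0, 0                         # compare no bits at all
    elif rest[0] == "host":
        address, bitmask = _to_int(rest[1]), 0xFFFFFFFF  # all 32 bits must match
    else:
        address, bitmask = _to_int(rest[0]), _to_int(rest[1])
    return StandardRule(action, address, bitmask, line)


class StandardAcl:
    """Ordered rule list; new rules are appended to the bottom."""

    def __init__(self, name: str):
        self.name = name
        self.rules: List[StandardRule] = []

    def add(self, line: str) -> None:
        self.rules.append(parse_rule(line))

    def remove(self, line: str) -> bool:
        """'no <rule text>' removes the rule whose text matches exactly."""
        for i, rule in enumerate(self.rules):
            if rule.text == line:
                del self.rules[i]
                return True
        return False

    def evaluate(self, src_ip: str) -> str:
        """Return 'permit' or 'deny' for a packet with this source address.

        Assumption (not stated on this page): rules are checked top to bottom,
        the first match decides, and a packet matching no rule is denied.
        """
        src = _to_int(src_ip)
        for rule in self.rules:
            if rule.matches(src):
                return rule.action
        return "deny"

    def first_match(self, src_ip: str) -> Optional[str]:
        """Return the text of the first matching rule, or None."""
        src = _to_int(src_ip)
        return next((r.text for r in self.rules if r.matches(src)), None)


def build_david_acl() -> StandardAcl:
    """Rebuild the 'david' ACL from the manual's show ip access-list output."""
    acl = StandardAcl("david")
    acl.add("permit host 10.1.1.21")
    acl.add("permit 168.92.0.0 255.255.15.0")  # third octet: only low 4 bits compared
    return acl
```

With the 255.255.15.0 mask, 168.92.32.7 matches (32 & 15 == 0) while 168.92.33.7 does not (33 & 15 == 1), which is the behaviour a contiguous prefix mask would not give.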
COMMAND USAGE: Only one ACL can be bound to a port. If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one. EXAMPLE:
Console(config)#int eth 1/2
Console(config-if)#ip access-group david in...

Access Control Lists | IPv6 ACLs

EXAMPLE:
Console#show ip access-list standard
IP standard access-list david:
permit host 10.1.1.21
permit 168.92.0.0 255.255.15.0
Console#
RELATED COMMANDS: permit, deny (825); ip access-group (828).

IPv6 ACLs: The commands in this section configure ACLs based on IPv6 address, DSCP traffic class, next header type, or flow label.

COMMAND MODE: Global Configuration. COMMAND USAGE: When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list. To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.

DEFAULT SETTING: None. COMMAND MODE: Standard IPv6 ACL. COMMAND USAGE: New rules are appended to the end of the list. EXAMPLE: This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
...routers, such as non-default quality of service or “real-time” service (see RFC 2460). (Range: 0-16777215). next-header - Identifies the type of header immediately following the IPv6 header. (Range: 0-255). time-range-name - Name of the time range. (Range: 1-30 characters). DEFAULT SETTING...
EXAMPLE: This example accepts any incoming packets if the destination address is 2009:DB9:2229::79/8.
Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/8
Console(config-ext-ipv6-acl)#
This allows packets to any destination address when the DSCP value is 5.
Console(config-ext-ipv6-acl)#permit any dscp 5
Console(config-ext-ipv6-acl)#
This allows any packets sent to the destination 2009:DB9:2229::79/48 when the flow label is 43...

ipv6 access-group: This command binds a port to an IPv6 ACL. Use the no form to remove the port. SYNTAX: ipv6 access-group acl-name in [time-range time-range-name]; no ipv6 access-group acl-name in. acl-name - Name of the ACL. (Maximum length: 16 characters). in -...

Access Control Lists | MAC ACLs

RELATED COMMANDS: ipv6 access-group (835).

MAC ACLs: The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
EXAMPLE:
Console(config)#access-list mac jerry
Console(config-mac-acl)#
RELATED COMMANDS: permit, deny (837); mac access-group (839); show mac access-list (840).

permit, deny (MAC ACL): This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type.

COMMAND USAGE: New rules are added to the end of the list. The ethertype option can only be used to filter Ethernet II formatted packets. A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include the following: 0800 - IP; 0806 - ARP...

EXAMPLE:
Console(config)#interface ethernet 1/2
Console(config-if)#mac access-group jerry in
Console(config-if)#
RELATED COMMANDS: show mac access-list (840); Time Range (689).

show mac access-group: This command shows the ports assigned to MAC ACLs. COMMAND MODE: Privileged Exec. EXAMPLE:
Console#show mac access-group
Interface ethernet 1/5...

Access Control Lists | ARP ACLs

ARP ACLs: The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan...

permit, deny (ARP ACL): This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule. SYNTAX: [no] {permit | deny} ip {any | host source-ip | source-ip ip-address-bitmask}...

EXAMPLE: This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0.
Console(config-arp-acl)#$permit response ip any 192.168.0.0 255.255.0.0 mac any any
Console(config-mac-acl)#
RELATED COMMANDS: access-list arp (841).

show arp access-list: This command displays the rules for configured ARP ACLs.

Access Control Lists | ACL Information

ACL INFORMATION: This section describes commands used to display ACL information.

Table 88: ACL Information Commands
Command | Function
show access-group | Shows the ACLs assigned to each port
show access-list | Shows all ACLs and associated rules

show access-group: This command shows the port assignments of ACLs.

INTERFACE COMMANDS: These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface.

Table 89: Interface Commands
Command | Function | Mode
interface | Configures an interface type and enters interface configuration mode | Interface Configuration
alias | Configures an alias name for the interface | ...
Interface Commands

interface: This command configures an interface type and enters interface configuration mode. Use the no form with a trunk to remove an inactive interface. Use the no form with a Layer 3 VLAN (normal type) to change it back to a Layer 2 interface.
COMMAND USAGE: The alias is displayed in the running-configuration file. An example of the value which a network manager might store in this object for a WAN interface is the (Telco's) circuit number/identifier of the interface. EXAMPLE: The following example adds an alias to port 4.
The 1000BASE-T and 10GBASE-T standards do not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T and 10GBASE-T port or trunk. When auto-negotiation is enabled with the negotiation command, the switch will negotiate the best settings for a link based on the capabilities command.

EXAMPLE: The following example adds a description to port 4.
Console(config)#interface ethernet 1/4
Console(config-if)#description RD-SW#3
Console(config-if)#

flowcontrol: This command enables flow control. Use the no form to disable flow control. SYNTAX: [no] flowcontrol. DEFAULT SETTING: Disabled. COMMAND MODE: Interface Configuration (Ethernet, Port Channel). COMMAND...

Console(config-if)#no negotiation
Console(config-if)#
RELATED COMMANDS: negotiation (850); capabilities (flowcontrol, symmetric) (847).

media-type: This command forces the port type selected for combination ports 25-26. Use the no form to restore the default mode. SYNTAX: media-type mode; no media-type mode. copper-forced - Always uses the built-in RJ-45 port.

COMMAND MODE: Interface Configuration (Ethernet, Port Channel). COMMAND USAGE: 1000BASE-T and 10GBASE-T do not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T and 10GBASE-T port or trunk. When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command.

EXAMPLE: The following example disables port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#shutdown
Console(config-if)#

speed-duplex: This command configures the speed and duplex mode of a given interface when auto-negotiation is disabled. Use the no form to restore the default. SYNTAX: speed-duplex {1000full | 100full | 100half | 10full | 10half}; no speed-duplex...

...control is set to 500 pps by the command “switchport broadcast packet-rate 500” and the rate limit is set to 200 Mbps by the command “rate-limit input 20” on a port. Since 200 Mbps is 1/5 of line speed (1000 Mbps), the received rate will actually be 100 pps, or 1/5 of the 500 pps limit set by the storm control command.

show interfaces counters: This command displays interface statistics. SYNTAX: show interfaces counters [interface]. interface - ethernet unit/port, where unit is the stack unit (Range: 1-8) and port is the port number (EC-S4626F: 1-26, EC-S4650F: 1-50); or port-channel channel-id (Range: 1-32). DEFAULT SETTING: Shows the counters for all interfaces.

Temperature : 32 degrees C
 : 3.19 V
Bias Current : 10.41 mA
TX Power : 548 uW
RX Power : 0 uW
Console#

test cable-...: This command performs cable diagnostics on the specified port to diagnose any cable faults (short, open, etc.) and report the cable length.

Pair B OK, length 2 meters
Pair C Short, length 1 meters
Pair D Short, length 2 meters
Last Update 0n 2010-04-23 07:59:26
Console#

test loop internal: This command performs an internal loop back test on the specified port. SYNTAX: test loop internal interface interface. interface...

LINK AGGREGATION COMMANDS: Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.

Link Aggregation Commands

Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types. All the ports in a trunk have to be treated as a whole when moved from/to, added to or deleted from a VLAN via the specified port-channel. STP, VLAN, and IGMP settings can only be made for the entire trunk via the specified port-channel.
EXAMPLE: The following example creates trunk 1 and then adds port 11:
Console(config)#interface port-channel 1
Console(config-if)#exit
Console(config)#interface ethernet 1/11
Console(config-if)#channel-group 1
Console(config-if)#

lacp: This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it. SYNTAX: [no] lacp. DEFAULT...

Mac Address : 12-34-12-34-12-3F
Configuration:
Name
Port Admin : Up
Speed-duplex : Auto
Capabilities : 10half, 10full, 100half, 100full, 1000full
Flow Control : Disabled
Port Security : Disabled
Max MAC Count
Current status:
Created By : LACP
Link Status : Up...

EXAMPLE:
Console(config)#interface ethernet 1/5
Console(config-if)#lacp actor admin-key 120
Console(config-if)#

lacp port-priority: This command configures LACP port priority. Use the no form to restore the default setting. SYNTAX: lacp {actor | partner} port-priority priority; no lacp {actor | partner} port-priority. actor - The local side of an aggregate link.

lacp system-priority: This command configures a port's LACP system priority. Use the no form to restore the default setting. SYNTAX: lacp {actor | partner} system-priority priority; no lacp {actor | partner} system-priority. actor - The local side of an aggregate link. partner - The remote side of an aggregate link.

DEFAULT SETTING: COMMAND MODE: Interface Configuration (Port Channel). COMMAND USAGE: Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).

Table 93: show lacp internal - display description (Continued)
Field | Description
LACP Port Priority | LACP port priority assigned to this interface within the channel group.
Admin State, Oper State | Administrative or operational values of the actor’s state parameters: Expired -...

Table 94: show lacp neighbors - display description (Continued)
Field | Description
Port Admin Priority | Current administrative value of the port priority for the protocol partner.
Port Oper Priority | Priority value assigned to this aggregation port by the partner.
Admin Key | Current administrative value of the Key for the protocol partner.

PORT MIRRORING COMMANDS: Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.

Port Mirroring Commands | Local Port Mirroring Commands

When enabled for an interface, default mirroring is for both received and transmitted packets. COMMAND MODE: Interface Configuration (Ethernet, destination port). COMMAND USAGE: You can mirror traffic from any source port to a destination port for real-time analysis.
COMMAND USAGE: This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX). EXAMPLE: The following shows mirroring configured from port 6 to port 11:
Console(config)#interface ethernet 1/11
Console(config-if)#port monitor ethernet 1/6
Console(config-if)#end...
RATE LIMIT COMMANDS: This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
Rate Limit Commands

...command. It is therefore not advisable to use both of these commands on the same interface. EXAMPLE:
Console(config)#interface ethernet 1/1
Console(config-if)#rate-limit input 64
Console(config-if)#
RELATED COMMANDS: show interfaces switchport (857).

AUTOMATIC TRAFFIC CONTROL COMMANDS: Automatic Traffic Control (ATC) configures bounding thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shut down a port.

Table 99: ATC Commands
Command | Function | Mode
Threshold Commands
auto-traffic-control apply-timer | Sets the time at which to apply the control | ...

Automatic Traffic Control Commands

Table 99: ATC Commands (Continued)
Command | Function | Mode
snmp-server enable port-traps atc multicast-control-apply | Sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires | IC (Port)
snmp-server enable ... | Sends a trap when multicast traffic falls beneath...

...expires. When ingress traffic falls below this threshold, ATC sends a Storm Alarm Clear Trap and logs it. When traffic falls below the alarm clear threshold after the release timer expires, traffic control will be stopped and a Traffic Control Release Trap sent and logged.

DEFAULT SETTING: 300 seconds. COMMAND MODE: Global Configuration. COMMAND USAGE: After the apply timer expires, a control action may be triggered as specified by the auto-traffic-control action command and a trap message sent as specified by the snmp-server enable port-traps atc broadcast-control-apply command or snmp-server enable port-traps atc multicast-control-apply...
EXAMPLE: This example sets the release timer to 800 seconds for all ports.
Console(config)#auto-traffic-control broadcast release-timer 800
Console(config)#

auto-traffic-control: This command enables automatic traffic control for broadcast or multicast storms. Use the no form to disable this feature. SYNTAX: [no] auto-traffic-control {broadcast | multicast}. broadcast - Specifies automatic storm control for broadcast traffic.

auto-traffic-control action: This command sets the control action to limit ingress traffic or shut down the offending port. Use the no form to restore the default setting. SYNTAX: auto-traffic-control {broadcast | multicast} action {rate-control | shutdown}; no auto-traffic-control {broadcast | multicast} action. broadcast - Specifies automatic storm control for broadcast traffic.
auto-traffic-control alarm-clear-threshold: This command sets the lower threshold for ingress traffic beneath which a cleared storm control trap is sent. Use the no form to restore the default setting. SYNTAX: auto-traffic-control {broadcast | multicast} alarm-clear-threshold threshold; no auto-traffic-control {broadcast | multicast} alarm-clear-threshold...

auto-traffic-control alarm-fire-threshold: This command sets the upper threshold for ingress traffic beyond which a storm control response is triggered after the apply timer expires. Use the no form to restore the default setting. SYNTAX: auto-traffic-control {broadcast | multicast} alarm-fire-threshold threshold; no auto-traffic-control {broadcast | multicast}...

auto-traffic-control auto-control-release: This command automatically releases a control response after the time specified in the auto-traffic-control release-timer command has expired. SYNTAX: auto-traffic-control {broadcast | multicast} auto-control-release. broadcast - Specifies automatic storm control for broadcast traffic. multicast - Specifies automatic storm control for multicast traffic.

snmp-server enable port-traps atc broadcast-alarm-clear: This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap. SYNTAX: [no] snmp-server enable port-traps atc broadcast-alarm-clear...
snmp-server enable port-traps atc broadcast-control-apply: This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap. SYNTAX: [no] snmp-server enable port-traps atc broadcast-control-apply...

snmp-server enable port-traps atc multicast-alarm-clear: This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap. SYNTAX: [no] snmp-server enable port-traps atc multicast-alarm-clear...
snmp-server enable port-traps atc multicast-control-apply: This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap. SYNTAX: [no] snmp-server enable port-traps atc multicast-control-apply...
| Automatic Traffic Control Commands HAPTER show auto-traffic- This command shows global configuration settings for automatic storm control. control OMMAND Privileged Exec XAMPLE Console#show auto-traffic-control Storm-control: Broadcast Apply-timer (sec) : 300 release-timer (sec) : 900 Storm-control: Multicast Apply-timer(sec) : 300 release-timer(sec) : 900 Console#...
Chapter | Address Table Commands
ADDRESS TABLE COMMANDS: These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time. Table 100: Address Table Commands (Command - Function - Mode): mac-address-table aging-time - Sets the aging time of the address table; mac-address-table static - Maps a static address to a port in a VLAN...
EXAMPLE:
Console(config)#mac-address-table aging-time 100
Console(config)#
mac-address-table static: This command maps a static address to a destination port in a VLAN. Use the no form to remove an address. SYNTAX: mac-address-table static mac-address interface interface vlan vlan-id [action]; no mac-address-table static mac-address vlan vlan-id. mac-address - MAC address.
COMMAND USAGE: The MAC Address Table contains the MAC addresses associated with each interface. Note that the Type field may include the following types: Learn - Dynamic address entries; Config - Static entry. The mask should be hexadecimal numbers (representing an equivalent bit mask) in the form xx-xx-xx-xx-xx-xx that is applied to the specified MAC address.
show mac-address-table count: This command shows the number of MAC addresses used and the number of available MAC addresses for the overall system or for an interface. SYNTAX: show mac-address-table count [interface interface]; interface ethernet unit/port; unit - Stack unit.
Chapter | Spanning Tree Commands
SPANNING TREE COMMANDS: This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 101: Spanning Tree Commands (Command - Function - Mode): spanning-tree - Enables the spanning tree protocol; spanning-tree forward-time - Configures the spanning tree bridge forward time; spanning-tree hello-time...
Table 101: Spanning Tree Commands (Continued): spanning-tree mst cost - Configures the path cost of an instance in the MST; spanning-tree mst port-priority - Configures the priority of an instance in the MST; spanning-tree port-bpdu-flooding - Floods BPDUs to other ports when global spanning tree...
EXAMPLE: This example shows how to enable the Spanning Tree Algorithm for the switch:
Console(config)#spanning-tree
Console(config)#
spanning-tree forward-time: This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default. SYNTAX: spanning-tree forward-time seconds...
(spanning-tree hello-time, continued) DEFAULT SETTING: 2 seconds. COMMAND MODE: Global Configuration. COMMAND USAGE: This command sets the time interval (in seconds) at which the root device transmits a configuration message. EXAMPLE:
Console(config)#spanning-tree hello-time 5
Console(config)#
RELATED COMMANDS: spanning-tree forward-time (901), spanning-tree max-age (902).
spanning-tree max-age: This command configures the spanning tree bridge maximum age globally...
RELATED COMMANDS: spanning-tree forward-time (901), spanning-tree hello-time (901).
spanning-tree mode: This command selects the spanning tree mode for this switch. Use the no form to restore the default. SYNTAX: spanning-tree mode {stp | rstp | mstp}; no spanning-tree mode. stp - Spanning Tree Protocol (IEEE 802.1D); rstp - Rapid Spanning Tree Protocol (IEEE 802.1w)
A spanning tree instance can exist only on bridges that have compatible VLAN instance assignments. Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic.
spanning-tree priority: This command configures the spanning tree priority globally for this switch. Use the no form to restore the default. SYNTAX: spanning-tree priority priority; no spanning-tree priority. priority - Priority of the bridge. (Range: 0-61440, in steps of 4096; Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440) DEFAULT...
RELATED COMMANDS: revision (910), max-hops (907).
spanning-tree system-bpdu-flooding: This command configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is disabled globally on the switch or disabled on a specific port.
COMMAND USAGE: This command limits the maximum transmission rate for BPDUs. EXAMPLE:
Console(config)#spanning-tree transmission-limit 4
Console(config)#
max-hops: This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default. SYNTAX: max-hops hop-number; hop-number - Maximum hop number for multiple spanning tree.
mst priority: This command configures the priority of a spanning tree instance. Use the no form to restore the default. SYNTAX: mst instance-id priority priority; no mst instance-id priority. instance-id - Instance identifier of the spanning tree. (Range: 0-4094) priority - Priority of the spanning tree instance.
COMMAND MODE: MST Configuration. COMMAND USAGE: Use this command to group VLANs into spanning tree instances. MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
EXAMPLE:
Console(config-mstp)#name R&D
Console(config-mstp)#
RELATED COMMANDS: revision (910).
revision: This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default. SYNTAX: revision number; number - Revision number of the spanning tree.
COMMAND USAGE: This command filters all Bridge Protocol Data Units (BPDUs) received on an interface to save CPU processing time. This function is designed to work in conjunction with edge ports, which should only connect end stations to the switch and therefore do not need to process BPDUs.
EXAMPLE:
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree edge-port
Console(config-if)#spanning-tree bpdu-guard
Console(config-if)#
RELATED COMMANDS: spanning-tree edge-port (913), spanning-tree spanning-disabled (920).
spanning-tree cost: This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode. SYNTAX: spanning-tree cost cost; no spanning-tree cost...
COMMAND USAGE: This command is used by the Spanning Tree Algorithm to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
spanning-tree link-type: This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. SYNTAX: spanning-tree link-type {auto | point-to-point | shared}; no spanning-tree link-type. auto - Automatically derived from the duplex mode setting.
COMMAND USAGE: If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.1w-2001 9.3.4 (Note 1). Port Loopback Detection will not be active if Spanning Tree is disabled on the switch.
When configured for manual release mode, a link down/up event will not release the port from the discarding state. It can only be released using the spanning-tree loopback-detection release command. EXAMPLE:
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree loopback-detection release-mode manual
Console(config-if)#
spanning-tree...
...shown below. Path cost "0" is used to indicate auto-configuration mode. When the short path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65,535, the default is set to 65,535.
COMMAND USAGE: This command defines the priority for the use of an interface in the multiple spanning tree. If the path cost for all interfaces on a switch is the same, the interface with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
spanning-tree port-priority: This command configures the priority for the specified interface. Use the no form to restore the default. SYNTAX: spanning-tree port-priority priority; no spanning-tree port-priority. priority - The priority for a port. (Range: 0-240, in steps of 16) DEFAULT SETTING... COMMAND...
COMMAND USAGE: A bridge with a lower bridge identifier (or same identifier and lower MAC address) can take over as the root bridge at any time. When Root Guard is enabled, and the switch receives a superior BPDU on this port, it is set to the Discarding state until it stops receiving superior BPDUs for a fixed recovery period.
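The root-guard rule above rests on how bridge identifiers compare: the numeric priority (0-61440 in steps of 4096, as the spanning-tree priority command accepts) decides first, and the MAC address breaks ties, so any device advertising a lower pair can seize the root role. The following Python model is an added illustration, not the switch's implementation: it builds comparable bridge IDs with the same validation the CLI applies, decides whether a received BPDU is superior, and keeps a root-guarded port in Discarding until no superior BPDU has been heard for a recovery period (the 30-second value is an assumption; the page does not give it).

```python
"""Bridge-identifier comparison and root-guard port behaviour.

Added illustration, not the switch's code. The recovery period length is an
assumption; priority validation mirrors the spanning-tree priority command.
"""
from typing import Optional, Tuple

BridgeId = Tuple[int, str]

PRIORITY_STEP = 4096           # spanning-tree priority: 0-61440 in steps of 4096
PRIORITY_MAX = 61440


def bridge_id(priority: int, mac: str) -> BridgeId:
    """Build a comparable bridge identifier; rejects priorities the CLI rejects."""
    if not 0 <= priority <= PRIORITY_MAX or priority % PRIORITY_STEP:
        raise ValueError(f"priority must be 0-{PRIORITY_MAX} in steps of {PRIORITY_STEP}")
    octets = mac.lower().replace(":", "-").split("-")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError("MAC must be six hex octets")
    # Lowercase, fixed-width hex compares numerically as a string.
    return priority, "-".join(octets)


def is_superior(candidate: BridgeId, current: BridgeId) -> bool:
    """True when `candidate` would win the root election against `current`."""
    return candidate < current      # tuple order: lower priority, then lower MAC


class RootGuardPort:
    RECOVERY_PERIOD = 30            # seconds; assumed value

    def __init__(self, our_root: BridgeId):
        self.root = our_root
        self.state = "forwarding"
        self.last_superior: Optional[int] = None

    def receive_bpdu(self, now: int, advertised_root: BridgeId) -> str:
        """Process a BPDU; a superior root ID on a guarded port blocks the port."""
        if is_superior(advertised_root, self.root):
            self.state = "discarding"
            self.last_superior = now
        return self.state

    def tick(self, now: int) -> str:
        """Periodic timer: recover once superior BPDUs have stopped for the period."""
        if (self.state == "discarding" and self.last_superior is not None
                and now - self.last_superior >= self.RECOVERY_PERIOD):
            self.state = "forwarding"
            self.last_superior = None
        return self.state


if __name__ == "__main__":
    ours = bridge_id(32768, "00-11-22-33-44-55")
    port = RootGuardPort(ours)
    print(port.receive_bpdu(0, bridge_id(4096, "00-aa-bb-cc-dd-ee")))   # discarding
    print(port.tick(60))                                                 # forwarding
```

A rogue device with priority 0 wins every election regardless of MAC address, which is why the guard is applied on ports that should never lead toward the root rather than on the root bridge itself.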
spanning-tree loopback-detection release: This command manually releases a port placed in discarding state by loopback-detection. SYNTAX: spanning-tree loopback-detection release interface; interface ethernet unit/port; unit - Stack unit. (Range: 1-8) port - Port number. (Range: 1-26/50) port-channel channel-id (Range: 1-32) COMMAND MODE: Privileged Exec...
EXAMPLE:
Console#spanning-tree protocol-migration eth 1/5
Console#
show spanning-tree: This command shows the configuration for the common spanning tree (CST) or for an instance within the multiple spanning tree (MST). SYNTAX: show spanning-tree [interface | mst instance-id]; interface ethernet unit/port; unit - Stack unit.
(show spanning-tree output, continued)
Instance VLANs Configuration : 1-4093
Priority                     : 32768
Bridge Hello Time (sec.)     :
Bridge Max. Age (sec.)       : 20
Bridge Forward Delay (sec.)  : 15
Root Hello Time (sec.)       :
Root Max. Age (sec.)         : 20
Root Forward Delay (sec.)    : 15
Max...
Chapter | VLAN Commands
VLAN COMMANDS: A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
GVRP AND BRIDGE EXTENSION COMMANDS: GARP VLAN Registration Protocol (GVRP) defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
garp timer: This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers' default values. SYNTAX: garp timer {join | leave | leaveall} timer-value; no garp timer {join | leave | leaveall}. {join | leave | leaveall} - Timer to set.
switchport forbidden vlan: This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs. SYNTAX: switchport forbidden vlan {add vlan-list | remove vlan-list}; no switchport forbidden vlan. add vlan-list - List of VLAN identifiers to add.
EXAMPLE:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport gvrp
Console(config-if)#
show bridge-ext: This command shows the configuration for bridge extension commands. DEFAULT SETTING: None. COMMAND MODE: Privileged Exec. COMMAND USAGE: See "Displaying Bridge Extension Capabilities" on page 117 for a description of the displayed items.
Editing VLAN Groups
vlan database: This command enters VLAN database mode. All commands in this mode will take effect immediately. DEFAULT SETTING: None. COMMAND MODE: Global Configuration. COMMAND USAGE: Use the VLAN database command mode to add, change, and delete VLANs.
(vlan, continued) DEFAULT SETTING: By default only VLAN 1 exists and is active. COMMAND MODE: VLAN Database Configuration. COMMAND USAGE: no vlan vlan-id deletes the VLAN. no vlan vlan-id name removes the VLAN name. no vlan vlan-id state returns the VLAN to the default state (i.e., active).
Configuring VLAN Interfaces
interface vlan: This command enters interface configuration mode for VLANs, which is used to configure VLAN parameters for a physical interface. Use the no form to change a Layer 3 normal VLAN back to a Layer 2 interface. SYNTAX: [no] interface vlan vlan-id; vlan-id - ID of the configured VLAN.
DEFAULT SETTING: All frame types. COMMAND MODE: Interface Configuration (Ethernet, Port Channel). COMMAND USAGE: When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN. EXAMPLE: The following example shows how to restrict the traffic received on port 1 to tagged frames:
Console(config)#interface ethernet 1/1...
Frames are always tagged within the switch. The tagged/untagged parameter used when adding a VLAN to an interface tells the switch whether to keep or remove the tag from a frame on egress. If neither the intermediate network devices nor the host at the other end of the connection supports VLANs, the interface should be added to these VLANs as an untagged member.
EXAMPLE: The following example shows how to select port 1 and then enable ingress filtering:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport ingress-filtering
Console(config-if)#
switchport mode: This command configures the VLAN membership mode for a port. Use the no form to restore the default.
switchport native vlan: This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default. SYNTAX: switchport native vlan vlan-id; no switchport native vlan. vlan-id - Default VLAN ID for a port. (Range: 1-4093, no leading zeroes) DEFAULT SETTING...
COMMAND USAGE: Use this command to configure a tunnel across one or more intermediate switches which pass traffic for VLAN groups to which they do not belong. The following figure shows VLANs 1 and 2 configured on switches A and B, with VLAN trunking being used to pass traffic for these VLAN groups across switches C, D and E.
DISPLAYING VLAN INFORMATION: This section describes commands used to display VLAN information. Table 108: Commands for Displaying VLAN Information (Command - Function - Mode): show interfaces status vlan - Displays status for the specified VLAN interface (NE, PE); show interfaces...
Eth1/26(S)
Console#
CONFIGURING IEEE 802.1Q TUNNELING: IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider's network even when they use the same customer-specific VLAN IDs.
Configure the QinQ tunnel uplink port to dot1Q-tunnel uplink mode (switchport dot1q-tunnel mode). Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (switchport allowed vlan). Limitations for QinQ: The native VLAN for the tunnel uplink ports and tunnel access ports cannot be the same.
switchport dot1q-tunnel mode: This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface. SYNTAX: switchport dot1q-tunnel mode {access | uplink}; no switchport dot1q-tunnel mode. access - ...
switchport dot1q-tunnel service match cvid: This command creates a CVLAN to SPVLAN mapping entry. Use the no form to delete a VLAN mapping entry. SYNTAX: switchport dot1q-tunnel service svid match cvid cvid [remove-ctag]; svid - VLAN ID for the outer VLAN tag (Service Provider VID).
EXAMPLE: This example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet's CVID is 2.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel service 99 match cvid 2
Console(config-if)#
In the following examples, ports 1 and 2 are configured as follows: Port 1 = Access, PVID = 100, VLAN = 100(u), 101(u)
(switchport dot1q-tunnel tpid) COMMAND MODE: Interface Configuration (Ethernet, Port Channel). COMMAND USAGE: Use the switchport dot1q-tunnel tpid command to set a custom 802.1Q ethertype value on the selected interface. This feature allows the switch to interoperate with third-party switches that do not use the standard 0x8100 ethertype to identify 802.1Q-tagged frames.
Console(config-if)#end
Console#show dot1q-tunnel
Current double-tagged status of the system is Enabled
The dot1q-tunnel mode of the set interface 1/1 is Access mode, TPID is 0x8100.
The dot1q-tunnel mode of the set interface 1/2 is Uplink mode, TPID is 0x8100.
The dot1q-tunnel mode of the set interface 1/3 is Normal mode, TPID is 0x8100.
Configuring Port-based Traffic Segmentation
DEFAULT SETTING: Disabled globally; no segmented port groups are defined. COMMAND MODE: Global Configuration. COMMAND USAGE: Traffic segmentation provides port-based security and isolation between ports within the VLAN. Data traffic on the downlink ports can only be forwarded to, and from, the designated uplink port(s).
Ethernet 1/8
Console#
CONFIGURING PRIVATE VLANS: Private VLANs provide port-based security and isolation of local ports contained within different private VLAN groups. This switch supports two types of private VLANs: primary and community groups. A primary VLAN contains promiscuous ports that can communicate with all other ports in the associated private VLAN groups, while a community (or secondary) VLAN contains community ports that can only communicate with other...
Use the switchport mode private-vlan command to configure ports as promiscuous (i.e., having access to all ports in the primary VLAN) or host (i.e., community port). Use the switchport private-vlan host-association command to assign a port to a community VLAN.
EXAMPLE:
Console(config)#vlan database
Console(config-vlan)#private-vlan 2 primary
Console(config-vlan)#private-vlan 3 community
Console(config)#
private-vlan association: Use this command to associate a primary VLAN with a secondary (i.e., community) VLAN. Use the no form to remove all associations for the specified primary VLAN.
promiscuous - This port type can communicate with all other promiscuous ports in the same primary VLAN, as well as with all the ports in the associated secondary VLANs. DEFAULT SETTING: Normal VLAN. COMMAND MODE: Interface Configuration (Ethernet, Port Channel). COMMAND...
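The port-type rules stated in this section reduce to a small reachability check: promiscuous ports talk to every port in their primary VLAN and in the community VLANs associated with it, while community (host) ports reach only their own community and the primary's promiscuous ports. The following Python model is an added illustration, not the switch's forwarding code; it reproduces the configuration built in the examples here (VLAN 2 primary, VLAN 3 community) and the port roles shown in the show vlan private-vlan output, and answers whether a unicast from one port may reach another. The method names mirror the CLI commands but the class itself is an assumption.

```python
"""Private VLAN reachability check, added as an illustration (not switch code).

Encodes the port-type rules from the page: promiscuous <-> everything in the
same primary group; community host <-> same community or the primary's
promiscuous ports; nothing else.
"""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class PrivateVlanConfig:
    primaries: Set[int] = field(default_factory=set)
    communities: Set[int] = field(default_factory=set)
    association: Dict[int, int] = field(default_factory=dict)   # community -> primary
    promiscuous: Dict[str, int] = field(default_factory=dict)   # port -> primary VLAN
    host: Dict[str, int] = field(default_factory=dict)          # port -> community VLAN

    def private_vlan(self, vid: int, kind: str) -> None:
        """vlan database: private-vlan <vid> {primary | community}."""
        if kind not in ("primary", "community"):
            raise ValueError("kind must be primary or community")
        (self.primaries if kind == "primary" else self.communities).add(vid)

    def associate(self, primary: int, community: int) -> None:
        """private-vlan association: bind a community VLAN to its primary VLAN."""
        if primary not in self.primaries or community not in self.communities:
            raise ValueError("both VLANs must exist with the right type")
        self.association[community] = primary

    def set_promiscuous(self, port: str, primary: int) -> None:
        """switchport mode private-vlan promiscuous + switchport private-vlan mapping."""
        if primary not in self.primaries:
            raise ValueError("mapping target must be a primary VLAN")
        self.promiscuous[port] = primary

    def set_host(self, port: str, community: int) -> None:
        """switchport mode private-vlan host + switchport private-vlan host-association."""
        if community not in self.association:
            raise ValueError("community VLAN must be associated with a primary first")
        self.host[port] = community

    def can_forward(self, src: str, dst: str) -> bool:
        """Whether a frame entering `src` may be forwarded out of `dst`."""
        if src == dst:
            return False
        s_prim, d_prim = self.promiscuous.get(src), self.promiscuous.get(dst)
        s_comm, d_comm = self.host.get(src), self.host.get(dst)
        if s_prim is not None and d_prim is not None:
            return s_prim == d_prim                        # promiscuous <-> promiscuous
        if s_comm is not None and d_comm is not None:
            return s_comm == d_comm                        # same community only
        if s_prim is not None and d_comm is not None:
            return self.association[d_comm] == s_prim      # promiscuous -> host
        if s_comm is not None and d_prim is not None:
            return self.association[s_comm] == d_prim      # host -> promiscuous
        return False                                       # not in a private VLAN


def example() -> PrivateVlanConfig:
    """Mirrors the page's examples: VLAN 2 primary (Eth1/3), VLAN 3 community (Eth1/4, Eth1/5)."""
    cfg = PrivateVlanConfig()
    cfg.private_vlan(2, "primary")
    cfg.private_vlan(3, "community")
    cfg.associate(2, 3)
    cfg.set_promiscuous("Eth1/3", 2)
    cfg.set_host("Eth1/4", 3)
    cfg.set_host("Eth1/5", 3)
    return cfg


if __name__ == "__main__":
    cfg = example()
    print(cfg.can_forward("Eth1/4", "Eth1/5"), cfg.can_forward("Eth1/4", "Eth1/3"))
```

Running the check over every port pair before deploying a private VLAN design is a cheap way to confirm that the isolation you expect between two host groups is actually configured, since two communities under the same primary still share the promiscuous uplink.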
switchport private-vlan mapping: Use this command to map an interface to a primary VLAN. Use the no form to remove this mapping. SYNTAX: switchport private-vlan mapping primary-vlan-id; no switchport private-vlan mapping. primary-vlan-id - ID of primary VLAN. (Range: 1-4093, no leading zeroes).
EXAMPLE:
Console#show vlan private-vlan
Primary  Secondary  Type       Interfaces
-------- ---------- ---------- ------------------------------
                    primary    Eth1/ 3
                    community  Eth1/ 4 Eth1/ 5
Console#
CONFIGURING PROTOCOL-BASED VLANS: The network devices required to support multiple protocols cannot be easily grouped into a common VLAN.
protocol-vlan protocol-group (Configuring Groups): This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group. SYNTAX: protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol]; no protocol-vlan protocol-group group-id. group-id - Group identifier of this protocol group.
COMMAND MODE: Interface Configuration (Ethernet, Port Channel). COMMAND USAGE: When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any of the other VLAN commands (such as the vlan command), these interfaces will admit traffic of any protocol type into the associated VLAN.
EXAMPLE: This shows protocol group 1 configured for IP over Ethernet:
Console#show protocol-vlan protocol-group
Protocol Group ID  Frame Type  Protocol Type
-----------------  ----------  -------------
                1  ethernet    08 00
Console#
show interfaces ...: This command shows the mapping from protocol groups to VLANs for the selected interfaces.
CONFIGURING IP SUBNET VLANS: When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When IP subnet-based VLAN classification is enabled, the source address of untagged ingress frames is checked against the IP subnet-to-VLAN mapping table.
...mapping is found, the PVID of the receiving port is assigned to the frame. The IP subnet cannot be a broadcast or multicast IP address. When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last.
CONFIGURING MAC-BASED VLANS: When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When MAC-based VLAN classification is enabled, the source address of untagged ingress frames is checked against the MAC address-to-VLAN mapping table.
When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last. EXAMPLE: The following example assigns traffic from source MAC address 00-00-00-11-22-33 to VLAN 10.
Console(config)#mac-vlan mac-address 00-00-00-11-22-33 vlan 10
Console(config)#
show mac-vlan...
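The precedence rule repeated in the IP subnet and MAC-based sections (MAC table first, then IP subnet, then protocol group, then the port's PVID) matters for security because a MAC-to-VLAN entry can override every other classifier, and a spoofed source MAC is trivial to set. The following Python model is an added illustration, not the switch's classifier: it applies the four lookups in the stated order to untagged frames, rejects broadcast or multicast subnets as the page requires, and uses the MAC entry from the example above; the subnet, protocol-group binding and frame contents are constructed for the example.

```python
"""Untagged-frame VLAN classification in the page's precedence order:
MAC-based, then IP subnet, then protocol group, then the port PVID.

Added illustration, not the switch's classifier. Frame fields and the
subnet/protocol mappings used below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Frame:
    port: str
    src_mac: str
    ethertype: int                   # 0x0800 = IP over Ethernet
    src_ip: Optional[str] = None     # only set for IP frames


class VlanClassifier:
    def __init__(self) -> None:
        self.pvid: Dict[str, int] = {}                           # switchport native vlan
        self.mac_vlan: Dict[str, int] = {}                       # mac-vlan mac-address
        self.subnet_vlan: List[Tuple[ipaddress.IPv4Network, int]] = []
        self.protocol_groups: Dict[int, int] = {}                # group-id -> ethertype
        self.port_protocol_vlan: Dict[Tuple[str, int], int] = {}  # (port, group) -> vlan

    @staticmethod
    def norm_mac(mac: str) -> str:
        return mac.lower().replace(":", "-")

    def add_mac(self, mac: str, vlan: int) -> None:
        self.mac_vlan[self.norm_mac(mac)] = vlan

    def add_subnet(self, cidr: str, vlan: int) -> None:
        net = ipaddress.IPv4Network(cidr, strict=True)
        # The page forbids a broadcast or multicast address as the subnet.
        if net.is_multicast or net.network_address == ipaddress.IPv4Address("255.255.255.255"):
            raise ValueError("IP subnet cannot be a broadcast or multicast address")
        self.subnet_vlan.append((net, vlan))
        # Longest prefix first so a /24 wins over an enclosing /16.
        self.subnet_vlan.sort(key=lambda e: e[0].prefixlen, reverse=True)

    def add_protocol_group(self, group: int, ethertype: int) -> None:
        self.protocol_groups[group] = ethertype

    def bind_protocol_group(self, port: str, group: int, vlan: int) -> None:
        self.port_protocol_vlan[(port, group)] = vlan

    def classify(self, f: Frame) -> Tuple[int, str]:
        """Return (vlan, rule) for an untagged frame; `rule` names the table that matched."""
        vlan = self.mac_vlan.get(self.norm_mac(f.src_mac))
        if vlan is not None:
            return vlan, "mac"
        if f.ethertype == 0x0800 and f.src_ip:
            ip = ipaddress.IPv4Address(f.src_ip)
            for net, v in self.subnet_vlan:
                if ip in net:
                    return v, "subnet"
        for (port, group), v in self.port_protocol_vlan.items():
            if port == f.port and self.protocol_groups.get(group) == f.ethertype:
                return v, "protocol"
        return self.pvid.get(f.port, 1), "pvid"      # VLAN 1 is the only default VLAN


def build_example() -> VlanClassifier:
    """Constructed configuration: MAC entry from the page, the rest assumed."""
    c = VlanClassifier()
    c.pvid["Eth1/1"] = 5
    c.add_mac("00-00-00-11-22-33", 10)               # mac-vlan mac-address ... vlan 10
    c.add_subnet("192.168.1.0/24", 20)
    c.add_protocol_group(1, 0x0800)                  # group 1: ethernet 08 00
    c.bind_protocol_group("Eth1/1", 1, 30)
    return c


if __name__ == "__main__":
    c = build_example()
    print(c.classify(Frame("Eth1/1", "00:00:00:11:22:33", 0x0800, "192.168.1.7")))
```

The same IP frame from the mapped MAC lands in VLAN 10 even though its source address matches the subnet entry for VLAN 20, which is the behaviour to keep in mind when a MAC-based VLAN is used as an access control rather than a convenience.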
Configuring Voice VLANs
Table 115: Voice VLAN Commands (Continued): switchport voice vlan rule - Sets the automatic VoIP traffic detection method for ports; switchport voice vlan security - Enables Voice VLAN security on ports; show voice vlan - Displays Voice VLAN settings.
voice vlan: This command enables VoIP traffic detection and defines the Voice VLAN...
voice vlan aging: This command sets the Voice VLAN ID time out. Use the no form to restore the default. SYNTAX: voice vlan aging minutes; no voice vlan. minutes - Specifies the port Voice VLAN membership time out. (Range: 5-43200 minutes) DEFAULT SETTING...
COMMAND USAGE: VoIP devices attached to the switch can be identified by the manufacturer's Organizationally Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses. The MAC OUI numbers for VoIP equipment can be configured on the switch so that traffic from these devices is recognized as VoIP.
EXAMPLE: The following example sets port 1 to Voice V LAN auto mode.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport voice vlan auto
Console(config-if)#
switchport voice vlan priority: This command specifies a CoS priority for VoIP traffic on a port. Use the no form to restore the default priority on a port.
(switchport voice vlan rule, continued) DEFAULT SETTING: OUI: Enabled; LLDP: Disabled. COMMAND MODE: Interface Configuration. COMMAND USAGE: When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list (see the voice vlan mac-address command).
EXAMPLE: The following example enables security filtering on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport voice vlan security
Console(config-if)#
show voice vlan: This command displays the Voice VLAN settings on the switch and the OUI Telephony list.
Chapter | Class of Service Commands
CLASS OF SERVICE COMMANDS: The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port.
Priority Commands (Layer 2)
queue cos-map: This command assigns class of service (CoS) values to the priority queues (i.e., hardware output queues 0-7). Use the no form to set the CoS map to the default values.
RELATED COMMANDS: show queue cos-map (972).
queue mode: This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing.
A weight can be assigned to each of the weighted queues (and thereby to the corresponding traffic priorities). This weight sets the frequency at which each queue is polled for service, and subsequently affects the response time for software applications assigned a specific priority value.
EXAMPLE: The following example shows how to assign round-robin weights of 1-8 to the CoS priority queues 0-7.
Console(config)#interface ge1/1
Console(config-if)#queue weight 1 2 3 4 5 6 7 8
Console(config-if)#
RELATED COMMANDS...
EXAMPLE: The following example shows how to set the default priority on port 3 to 5:
Console(config)#interface ethernet 1/3
Console(config-if)#switchport priority default 5
Console(config-if)#
RELATED COMMANDS: show interfaces switchport (857).
show queue cos-map: This command shows the class of service priority map.
COMMAND MODE: Privileged Exec. EXAMPLE:
Console#show queue mode ethernet 1/1
Unit Port queue mode
---- ---- ---------------
          Weighted Round Robin
Console#
show queue weight: This command displays the weights used for the weighted queues. SYNTAX: show queue weight interface; interface...
PRIORITY COMMANDS (LAYER 3 AND 4): This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch. Table 119: Priority Commands (Layer 3 and 4) (Command - Function - Mode)...
map ip port (Global Configuration): This command enables IP port mapping (i.e., class of service mapping for TCP/UDP sockets). Use the no form to disable IP port mapping. SYNTAX: [no] map ip port. DEFAULT...
EXAMPLE: The following example shows how to enable IP precedence mapping globally:
Console(config)#map ip precedence
Console(config)#
map ip dscp: This command sets IP DSCP priority (i.e., Differentiated Services Code Point priority).
EXAMPLE: The following example shows how to map IP DSCP value 1 to CoS value 0:
Console(config)#interface ethernet 1/5
Console(config-if)#map ip dscp 1 cos 0
Console(config-if)#
map ip port (Interface Configuration): This command sets IP port priority (i.e., TCP/UDP port priority).
map ip precedence (Interface Configuration): This command sets IP precedence priority (i.e., IP Type of Service priority). Use the no form to restore the default table. SYNTAX: map ip precedence ip-precedence-value cos cos-value; no map ip precedence. precedence-value - 3-bit precedence value.
show map ip dscp: This command shows the IP DSCP priority map. SYNTAX: show map ip dscp [interface]; interface ethernet unit/port; unit - Stack unit. (Range: 1-8) port - Port number. (Range: 1-26/50) port-channel channel-id (Range: 1-32) DEFAULT SETTING...
EXAMPLE: The following shows that HTTP traffic has been mapped to CoS value 0:
Console#show map ip port
TCP port mapping status: disabled
Port      IP Port
--------- -------- ---
Eth 1/ 5
Console#
show map ip...
Chapter | Quality of Service Commands
QUALITY OF SERVICE COMMANDS: The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
To create a service policy for a specific category of ingress traffic, follow these steps: 1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode. 2. Use the match command to select a specific type of traffic based on an...
COMMAND USAGE: First enter this command to designate a class map and enter the Class Map configuration mode. Then use match commands to specify the criteria for ingress traffic that will be classified under this class map. One or more class maps can be assigned to a policy map (page 985).
match: This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria. SYNTAX: [no] match {access-list acl-name | ip dscp dscp | ip precedence ip-precedence | ipv6 dscp dscp | vlan vlan}; acl-name - Name of the access control list.
This example creates a class map called "rd-class#2" and sets it to match packets marked for IP Precedence service value 5.
Console(config)#class-map rd-class#2 match-any
Console(config-cmap)#match ip precedence 5
Console(config-cmap)#
This example creates a class map called "rd-class#3" and sets it to match packets marked for VLAN 1.
COMMAND USAGE: Use the policy-map command to specify the name of the policy map, and then use the class command to configure policies for traffic that matches the criteria defined in a class map. A policy map can contain multiple class statements that can be applied to the same interface with the service-policy...
police commands define parameters such as the maximum throughput, burst rate, and response to non-conforming traffic. Up to 16 classes can be included in a policy map. EXAMPLE: This example creates a policy called "rd-policy," uses the class command to specify the previously defined "rd-class,"...
The committed-rate cannot exceed the configured interface speed, and the committed-burst cannot exceed 16 Mbytes. Policing is based on a token bucket: the bucket depth (i.e., the maximum burst before the bucket overflows) is specified by the committed-burst field, and the average rate at which tokens are added to the bucket is specified by the committed-rate option.
police srtcm-color
This command defines an enforcer for classified traffic based on a single rate three color meter (srTCM). Use the no form to remove a policer.
SYNTAX [no] police {srtcm-color-blind | srtcm-color-aware} committed-rate committed-burst excess-burst exceed-action {drop | new-dscp} violate-action {drop | new-dscp}
srtcm-color-blind - Single rate three color meter in color-blind...
The PHB label is composed of five bits: three bits for the per-hop behavior and two bits for the color scheme used to control queue congestion. A packet is marked green if it does not exceed the CIR and BC (committed burst), yellow if it exceeds the CIR and BC but not the BE (excess burst), and red otherwise.
This example uses the police srtcm-color-blind command to limit the average bandwidth to 100,000 Kbps, the committed burst size to 4000 bytes and the excess burst size to 6000 bytes, to re-mark any packets exceeding the committed burst size, and to drop any packets exceeding the excess burst size.
Console(config)#policy-map rd-policy
Console(config-pmap)#class rd-class
Console(config-pmap-c)#set ip dscp 3...
DEFAULT SETTING None
COMMAND MODE Policy Map Class Configuration
COMMAND USAGE You can configure up to 16 policers (i.e., class maps) for ingress ports. The committed-rate and peak-rate cannot exceed the configured interface speed, and the committed-burst and peak-burst cannot exceed 16 Mbytes.
When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in color-aware mode: if the packet has been precolored as red or if Tp(t) - B < 0, the packet is red; else if the packet has been precolored as yellow or if Tc(t) - B <...
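The token-bucket policers described above (the single-bucket police command, police srtcm-color-blind / srtcm-color-aware, and the two-rate committed/peak meter whose color-aware rule is given just above) can be modelled in software to see exactly which packets come out green, yellow or red. The block below is an added example, not the switch's firmware: it implements srTCM after RFC 2697 and trTCM after RFC 2698 in both color modes, using the CLI's units (kbit/s rates, byte bursts). Buckets start full and tokens are added continuously rather than once per 1/CIR second, which is a choice of this model; all class and function names are this example's own.

```python
"""srTCM / trTCM meters behind the police commands, as a software model.

Added example, not the switch's code. Rates in kbit/s, bursts in bytes,
timestamps in seconds. Buckets start full; refill is continuous (a choice
of this model, RFC 2697/2698 describe per-token updates). Names are ours.
"""
from dataclasses import dataclass, field

GREEN, YELLOW, RED = "green", "yellow", "red"


def _bytes_per_sec(kbps):
    return kbps * 1000.0 / 8.0


@dataclass
class SrTCM:
    """One rate (CIR) feeding two buckets: committed (CBS) then excess (EBS)."""
    cir_kbps: float
    cbs: int                     # committed-burst, bytes
    ebs: int                     # excess-burst, bytes
    color_aware: bool = False
    last: float = 0.0
    tc: float = field(init=False)
    te: float = field(init=False)

    def __post_init__(self):
        self.tc, self.te = float(self.cbs), float(self.ebs)

    def _refill(self, now):
        added = _bytes_per_sec(self.cir_kbps) * max(0.0, now - self.last)
        self.last = max(self.last, now)
        take = min(added, self.cbs - self.tc)        # committed bucket fills first
        self.tc += take
        self.te = min(float(self.ebs), self.te + added - take)   # overflow to excess

    def meter(self, size, now, precolor=GREEN):
        """Return the packet's color and debit the bucket it was charged to."""
        self._refill(now)
        blind = not self.color_aware
        # Color-aware: a pre-colored yellow packet is never promoted to green and
        # a pre-colored red packet stays red, whatever the buckets hold.
        if (blind or precolor == GREEN) and self.tc >= size:
            self.tc -= size
            return GREEN
        if (blind or precolor in (GREEN, YELLOW)) and self.te >= size:
            self.te -= size
            return YELLOW
        return RED


@dataclass
class TrTCM:
    """Two rates: committed (CIR/CBS) and peak (PIR/PBS); peak is checked first."""
    cir_kbps: float
    pir_kbps: float
    cbs: int
    pbs: int
    color_aware: bool = False
    last: float = 0.0
    tc: float = field(init=False)
    tp: float = field(init=False)

    def __post_init__(self):
        self.tc, self.tp = float(self.cbs), float(self.pbs)

    def _refill(self, now):
        dt = max(0.0, now - self.last)
        self.last = max(self.last, now)
        self.tc = min(float(self.cbs), self.tc + _bytes_per_sec(self.cir_kbps) * dt)
        self.tp = min(float(self.pbs), self.tp + _bytes_per_sec(self.pir_kbps) * dt)

    def meter(self, size, now, precolor=GREEN):
        self._refill(now)
        aware = self.color_aware
        if (aware and precolor == RED) or self.tp < size:      # Tp(t) - B < 0
            return RED
        if (aware and precolor == YELLOW) or self.tc < size:   # Tc(t) - B < 0
            self.tp -= size
            return YELLOW
        self.tp -= size
        self.tc -= size
        return GREEN


def police_outcome(color, exceed_action, violate_action):
    """Green is forwarded unchanged, yellow gets exceed-action, red gets
    violate-action. An action is "drop" or the new DSCP value to mark with."""
    if color == GREEN:
        return ("forward", None)
    action = exceed_action if color == YELLOW else violate_action
    return ("drop", None) if action == "drop" else ("forward", action)


def replay(meter, packets):
    """Feed (time_s, size_bytes, precolor) tuples through a meter; return colors."""
    return [meter.meter(size, t, pre) for t, size, pre in packets]
```

With the CLI example's parameters (100,000 kbps, committed burst 4000 bytes, excess burst 6000 bytes), seven 1500-byte frames arriving together are colored green, green, yellow, yellow, yellow, yellow, red: the first two fit the committed bucket, the next four drain the excess bucket, and the seventh finds both empty. One millisecond later 12,500 bytes of tokens have arrived, so the next frame is green again. In the two-rate meter the peak bucket is tested first, which is why a burst above PIR/PBS is red even while committed tokens remain.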
COMMAND USAGE The set cos command is used to set the CoS value in the VLAN tag for matching packets. The set ip dscp and set ip precedence commands are used to set these priority values in the packet’s ToS field for matching packets. Each of these commands functions at the same level of priority.
The switch does not allow a policy map to be bound to an interface for egress traffic.
EXAMPLE This example applies a service policy to an ingress interface.
Console(config)#interface ethernet 1/1
Console(config-if)#service-policy input rd-policy
Console(config-if)#
show class-map
This command displays the QoS class maps which define matching criteria...
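The whole pipeline above (class-map with match criteria, policy-map classes carrying set actions, service-policy input on an interface) is worth running end to end, because its main security use is to stop hosts on an untrusted port from choosing their own priority: whatever DSCP or CoS a host writes, the ingress policy re-marks it at the edge. The block below is an added example, not the switch's own code. It assumes, since the page does not say, that a policy map's classes are checked in the order they were added with the first match winning, that an unmatched packet keeps its markings, that a named ACL can be stood in for by a predicate over the packet, and that set ip precedence rewrites only the top three bits of the DSCP field; the ACL name "voice-hosts", the addresses and every identifier are this example's own.

```python
"""Software model of class-map / policy-map / service-policy input.

Added example, not the switch's code. Assumed, not stated on the page:
first matching class wins, unmatched packets keep their markings, an ACL is
a predicate over the packet, and set ip precedence rewrites only the top
three DSCP bits. All names are this example's own.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    src_ip: str
    vlan: int
    dscp: int = 0        # 6-bit DSCP; IP precedence is its top 3 bits
    cos: int = 0         # 802.1p priority carried in the VLAN tag

    @property
    def precedence(self):
        return self.dscp >> 3


@dataclass
class ClassMap:
    """class-map NAME [match-any], followed by one match line per criterion."""
    name: str
    match_any: bool = True
    criteria: list = field(default_factory=list)   # (kind, value) pairs

    def match(self, kind, value):
        """kind is one of: access-list, ip dscp, ip precedence, vlan."""
        self.criteria.append((kind, value))
        return self

    def _one(self, kind, value, pkt, acls):
        if kind == "access-list":
            return acls[value](pkt)
        if kind == "ip dscp":
            return pkt.dscp == value
        if kind == "ip precedence":
            return pkt.precedence == value
        return pkt.vlan == value

    def matches(self, pkt, acls):
        hits = [self._one(k, v, pkt, acls) for k, v in self.criteria]
        return any(hits) if self.match_any else all(hits)


@dataclass
class PolicyMap:
    """policy-map NAME with class statements; actions mirror the set commands."""
    name: str
    classes: list = field(default_factory=list)    # (ClassMap, {action: value})

    def add_class(self, cmap, **actions):
        """Recognised actions: set_cos, set_ip_dscp, set_ip_precedence."""
        self.classes.append((cmap, actions))
        return self

    def apply(self, pkt, acls):
        """Mark pkt per the first matching class; return its name or None."""
        for cmap, actions in self.classes:
            if not cmap.matches(pkt, acls):
                continue
            if "set_ip_dscp" in actions:
                pkt.dscp = actions["set_ip_dscp"] & 0x3F
            if "set_ip_precedence" in actions:
                pkt.dscp = ((actions["set_ip_precedence"] & 7) << 3) | (pkt.dscp & 7)
            if "set_cos" in actions:
                pkt.cos = actions["set_cos"] & 7
            return cmap.name
        return None


@dataclass
class Interface:
    name: str
    input_policy: Optional[PolicyMap] = None

    def service_policy_input(self, policy):
        self.input_policy = policy      # ingress only; no egress binding exists

    def ingress(self, pkt, acls):
        return self.input_policy.apply(pkt, acls) if self.input_policy else None


def edge_policy_demo():
    """Constructed scenario: hosts on access VLAN 10 must not pick their own
    priority. Sources in the (assumed) 'voice-hosts' ACL keep DSCP 46; every
    other VLAN 10 packet is re-marked to DSCP 0 / CoS 0 at ingress."""
    acls = {"voice-hosts": lambda p: p.src_ip.startswith("10.0.20.")}
    voice = ClassMap("voice").match("access-list", "voice-hosts")
    access = ClassMap("access-vlan").match("vlan", 10)
    policy = (PolicyMap("edge-policy")
              .add_class(voice, set_ip_dscp=46, set_cos=5)
              .add_class(access, set_ip_dscp=0, set_cos=0))
    eth = Interface("ethernet 1/1")
    eth.service_policy_input(policy)
    samples = [Packet("10.0.20.7", vlan=10, dscp=46, cos=5),   # legitimate voice
               Packet("10.0.10.9", vlan=10, dscp=46, cos=5),   # host-forged EF marking
               Packet("10.0.10.9", vlan=20, dscp=46, cos=5)]   # no class covers it
    return [(eth.ingress(p, acls), p.dscp, p.cos) for p in samples]
```

The order of the class statements is what makes this safe: the narrow "voice" class is added before the catch-all VLAN class, so a forged EF marking from a host outside the voice ACL falls through to the re-marking class. The third sample shows the gap left by a policy that only covers VLAN 10: traffic on a VLAN with no matching class keeps whatever DSCP the host chose.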
show policy-map
This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations.
SYNTAX show policy-map [policy-map-name [class class-map-name]]
policy-map-name - Name of the policy map. (Range: 1-16 characters)
class-map-name - Name of the class map.
EXAMPLE
Console#show policy-map interface 1/5 input
Service-policy rd-policy
Console#
MULTICAST FILTERING COMMANDS
This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
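The forwarding decision described in that paragraph is small enough to model directly: learn which ports sent a membership report, deliver the group's data to those ports plus the port facing the upstream router, and relay the report upstream so the stream keeps flowing. The block below is an added example, not the switch's firmware. It assumes, because the page does not say, that a learned port ages out after a fixed membership timeout unless a fresh report renews it, that an explicit leave removes the port at once, and that data for a group nobody has joined goes only to the router port unless a flood_unregistered switch is set; the port numbers, group addresses and every identifier are this example's own.

```python
"""Model of the IGMP snooping forwarding decision, as an added example.

Not the switch's code. Assumed, not stated on the page: memberships age out
after member_timeout seconds unless renewed, a leave removes the port at once,
and unregistered groups reach only the router port unless flood_unregistered.
"""
from dataclasses import dataclass, field


@dataclass
class IgmpSnooper:
    ports: frozenset                 # every port in the snooped VLAN
    mrouter_port: int                # port leading to the upstream querier/router
    member_timeout: float = 260.0    # seconds a report keeps a port in the group
    flood_unregistered: bool = False
    groups: dict = field(default_factory=dict)   # group -> {port: expiry time}

    def report(self, group, port, now):
        """Membership Report seen on `port`: learn it, return where to relay it."""
        self.groups.setdefault(group, {})[port] = now + self.member_timeout
        return {self.mrouter_port} - {port}   # relayed upstream only, not to hosts

    def leave(self, group, port):
        """Leave Group from `port`: stop delivering the stream there."""
        members = self.groups.get(group, {})
        members.pop(port, None)
        if not members:
            self.groups.pop(group, None)

    def expire(self, now):
        """Drop memberships that were not refreshed before their timeout."""
        for group in list(self.groups):
            live = {p: t for p, t in self.groups[group].items() if t > now}
            if live:
                self.groups[group] = live
            else:
                del self.groups[group]

    def forward_ports(self, group, ingress_port, now):
        """Egress ports for multicast data to `group` arriving on `ingress_port`."""
        self.expire(now)
        if group in self.groups:
            out = set(self.groups[group]) | {self.mrouter_port}
        elif self.flood_unregistered:
            out = set(self.ports)
        else:
            out = {self.mrouter_port}
        return out - {ingress_port}


def snooping_demo():
    """Constructed scenario on an 8-port switch with the router on port 1."""
    sn = IgmpSnooper(ports=frozenset(range(1, 9)), mrouter_port=1)
    group = "239.1.1.1"
    relayed = sn.report(group, 3, now=0.0) | sn.report(group, 5, now=0.0)
    result = {"report_relayed_to": relayed,
              "two_members": sn.forward_ports(group, 1, 1.0)}
    sn.leave(group, 5)
    result["after_leave"] = sn.forward_ports(group, 1, 2.0)
    result["from_host_port"] = sn.forward_ports(group, 3, 2.0)   # upstream only
    result["unregistered"] = sn.forward_ports("239.9.9.9", 1, 2.0)
    result["after_timeout"] = sn.forward_ports(group, 1, 300.0)
    return result
```

The interesting check is the unregistered case: with snooping on and flooding off, a stream nobody joined reaches no host port at all, which is the containment property that makes snooping useful against a host that tries to sniff every group on the segment. Turning flood_unregistered on reproduces the behaviour of a switch with no snooping information, where the same stream would reach every port.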
IGMP Snooping
This section describes commands used to configure IGMP snooping on the switch.
Table 124: IGMP Snooping Commands
Command                                  Function
ip igmp snooping                         Enables IGMP snooping
ip igmp snooping proxy-reporting         Enables IGMP snooping with proxy reporting
ip igmp snooping querier...
ip igmp snooping vlan version            Configures the IGMP version for snooping
ip igmp snooping vlan version-exclusive  Discards received IGMP messages which use a version different from that currently configured
show ip igmp snooping                    Shows the IGMP snooping, proxy, and query...